authorLinus Nordberg <linus@nordu.net>2012-09-13 15:19:22 +0200
committerLinus Nordberg <linus@nordu.net>2012-09-13 15:19:22 +0200
commitdb965c9bf7cf4acc0830d7b689d69d40b9ecef8c (patch)
tree619a9203dc468d110103fed23ced010a0dc1ee28 /tls.c
parent8d287300f510e0559f01a2e7a4dec90674215f25 (diff)
Don't mix up pre- and post-handshake verification of clients.
When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain. Reported by Ralf Paffrath. Reported and analysed by Ralf Paffrath. Addresses issue RADSECPROXY-43.
Diffstat (limited to 'tls.c')
-rw-r--r--tls.c28
1 files changed, 15 insertions, 13 deletions
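diff --git a/tls.c b/tls.c
index ba2c5a3..084c0ce 100644
--- a/tls.c
+++ b/tls.c
@@ -385,6 +385,7 @@ void *tlsservernew(void *arg) {
 SSL_CTX *ctx = NULL;
 unsigned long error;
 struct client *client;
+ struct tls *accepted_tls = NULL;
 s = *(int *)arg;
 if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
@@ -412,22 +413,23 @@ void *tlsservernew(void *arg) {
 cert = verifytlscert(ssl);
 if (!cert)
 goto exit;
+ accepted_tls = conf->tlsconf;
 }
 while (conf) {
- if (verifyconfcert(cert, conf)) {
- X509_free(cert);
- client = addclient(conf, 1);
- if (client) {
- client->ssl = ssl;
- client->addr = addr_copy((struct sockaddr *)&from);
- tlsserverrd(client);
- removeclient(client);
- } else
- debug(DBG_WARN, "tlsservernew: failed to create new client instance");
- goto exit;
- }
- conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
+ if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+ X509_free(cert);
+ client = addclient(conf, 1);
+ if (client) {
+ client->ssl = ssl;
+ client->addr = addr_copy((struct sockaddr *)&from);
+ tlsserverrd(client);
+ removeclient(client);
+ } else
+ debug(DBG_WARN, "tlsservernew: failed to create new client instance");
+ goto exit;
+ }
+ conf = find_clconf(handle, (struct sockaddr *)&from, &cur);
 }
 debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client");
 if (cert)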
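Review bot: The new loop condition `accepted_tls == conf->tlsconf` compares tls config blocks by pointer identity and says nothing about why, so a later maintainer could "relax" it to a comparison of CA settings and reopen the issue the commit closes; a comment above the `if` would pin the intent: `/* Only client blocks using the very struct tls the chain was verified against may match: the CA store that accepted the handshake must be the one the post-handshake checks assume. */`. The guard also depends on `accepted_tls` having been assigned in the block that closes just before `while (conf)`, whose opening condition is outside the hunk; if the loop can be reached without that assignment the comparison fails closed for every conf and the request is dropped with the existing "no matching TLS client" warning, which is the safe outcome but worth noting on the declaration in the first hunk, e.g. `struct tls *accepted_tls = NULL; /* NULL: chain not verified, no block can match */`. tlsservernew begins before the first hunk and continues past the last line shown.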