From 6b99b3dc0fcce1ebd639c93e9a74c1b61da8befe Mon Sep 17 00:00:00 2001
From: venaas
Date: Tue, 29 Apr 2008 11:49:16 +0000
Subject: added certificatenamecheck option to client/server for disabling default altsubjectname/cn check

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@245 e88ac4ed-0b26-0410-9574-a7f39faa03bf
---
 gconfig.c     | 32 ++++++++++++++++++++++----------
 gconfig.h     |  1 +
 radsecproxy.c | 20 ++++++++------------
 radsecproxy.h |  1 +
 4 files changed, 32 insertions(+), 22 deletions(-)

diff --git a/gconfig.c b/gconfig.c
index 904ad7d..af73db1 100644
--- a/gconfig.c
+++ b/gconfig.c
@@ -153,6 +153,7 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
     char line[1024];
     /* initialise lots of stuff to avoid stupid compiler warnings */
     char *tokens[3], *s, *opt = NULL, *val = NULL, *word, *optval, **str = NULL, ***mstr = NULL;
+    uint8_t *bln;
     int type = 0, tcount, conftype = 0, n;
     void (*cbk)(struct gconffile **, char *, char *, char *) = NULL;
 
@@ -230,6 +231,11 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
            if (!mstr)
                debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
            break;
+       case CONF_BLN:
+           bln = va_arg(ap, uint8_t *);
+           if (!bln)
+               debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
+           break;
        case CONF_CBK:
            cbk = va_arg(ap, void (*)(struct gconffile **, char *, char *, char *));
            break;
@@ -247,7 +253,7 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
            debugx(1, DBG_ERR, "configuration error, unknown option %s", opt);
        }
 
-       if (((type == CONF_STR || type == CONF_MSTR) && conftype != CONF_STR) ||
+       if (((type == CONF_STR || type == CONF_MSTR || type == CONF_BLN) && conftype != CONF_STR) ||
            (type == CONF_CBK && conftype != CONF_CBK)) {
            if (block)
                debugx(1, DBG_ERR, "configuration error in block %s, wrong syntax for option %s", block, opt);
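Review bot: The new `uint8_t *bln;` in the -153 hunk is the only pointer in that declaration run left uninitialized, directly under the comment saying the others are NULL-initialised to avoid compiler warnings; it is assigned only inside the later `case CONF_BLN:` and read only when `type == CONF_BLN`, so this looks safe, but a `-Wmaybe-uninitialized` build may still complain about it. Declare it as `uint8_t *bln = NULL;` for consistency with `str` and `mstr`. getgenericconfig starts before and continues past these hunks.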
@@ -256,10 +262,6 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
 
        switch (type) {
        case CONF_STR:
-           if (block)
-               debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
-           else
-               debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
            if (*str)
                debugx(1, DBG_ERR, "configuration error, option %s already set to %s", opt, *str);
            *str = stringcopy(val, 0);
@@ -267,10 +269,6 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
                debugx(1, DBG_ERR, "malloc failed");
            break;
        case CONF_MSTR:
-           if (block)
-               debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
-           else
-               debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
            if (*mstr)
                for (n = 0; (*mstr)[n]; n++);
            else
@@ -281,6 +279,16 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
            (*mstr)[n] = stringcopy(val, 0);
            (*mstr)[n + 1] = NULL;
            break;
+       case CONF_BLN:
+           if (!strcasecmp(val, "on"))
+               *bln = 1;
+           else if (!strcasecmp(val, "off"))
+               *bln = 0;
+           else if (block)
+               debugx(1, DBG_ERR, "configuration error in block %s, value for option %s must be on or off, not %s", block, opt, val);
+           else
+               debugx(1, DBG_ERR, "configuration error, value for option %s must be on or off, not %s", opt, val);
+           break;
        case CONF_CBK:
            optval = malloc(strlen(opt) + strlen(val) + 2);
            if (!optval)
@@ -288,9 +296,13 @@ void getgenericconfig(struct gconffile **cf, char *block, ...) {
            sprintf(optval, "%s %s", opt, val);
            cbk(cf, optval, opt, val);
            free(optval);
-           break;
+           continue;
        default:
            debugx(1, DBG_ERR, "getgenericconfig: internal parameter error");
        }
+       if (block)
+           debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
+       else
+           debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
     }
 }
diff --git a/gconfig.h b/gconfig.h
index 409b1ba..be48165 100644
--- a/gconfig.h
+++ b/gconfig.h
@@ -1,6 +1,7 @@
 #define CONF_STR 1
 #define CONF_CBK 2
 #define CONF_MSTR 3
+#define CONF_BLN 4
 
 struct gconffile {
     char *path;
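Review bot: The `case CONF_BLN:` block in the -281 hunk accepts a repeated option silently: a second `CertificateNameCheck` or `StatusServer` line in the same block just overwrites `*bln`, whereas the `CONF_STR` case above aborts with "option %s already set". A `uint8_t` has no spare sentinel for "already set", so matching that strictness needs extra state; if the last-wins behaviour is intended, record it with a comment such as `/* no duplicate check: a later on/off line overrides an earlier one */` right under the case label. Accepting only the literal `on`/`off` and aborting on anything else is the right strictness for an option that switches off a certificate check. getgenericconfig starts before these hunks.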
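Review bot: The debug call moved after the switch in the -288 hunk now logs `val` verbatim for every non-callback option, which includes the `secret` option that confclient_cb and confserver_cb register, so a DBG_DBG run writes shared secrets to the log; this was already true of the per-case lines the commit removes, but the consolidation makes this the single place to fix it. Consider masking there, e.g. `debug(DBG_DBG, "getgenericconfig: %s = %s", opt, strcasecmp(opt, "secret") ? val : "<hidden>");` and the same for the block form. The `continue` for `CONF_CBK` is consistent with what is visible here, since nothing else follows the switch inside the loop in this hunk.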
diff --git a/radsecproxy.c b/radsecproxy.c
index 01d032b..3f78f5b 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -766,7 +766,7 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
     uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */
     struct in6_addr addr;
 
-    if (conf->prefixlen == 255) {
+    if (conf->certnamecheck && conf->prefixlen == 255) {
        if (inet_pton(AF_INET, conf->host, &addr))
            type = AF_INET;
        else if (inet_pton(AF_INET6, conf->host, &addr))
@@ -2960,6 +2960,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
     if (!conf || !list_push(clconfs, conf))
        debugx(1, DBG_ERR, "malloc failed");
     memset(conf, 0, sizeof(struct clsrvconf));
+    conf->certnamecheck = 1;
 
     getgenericconfig(cf, block,
                     "type", CONF_STR, &type,
@@ -2967,6 +2968,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
                     "secret", CONF_STR, &conf->secret,
                     "tls", CONF_STR, &tls,
                     "matchcertificateattribute", CONF_STR, &matchcertattr,
+                    "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
                     "rewrite", CONF_STR, &rewrite,
                     "rewriteattribute", CONF_STR, &rewriteattr,
                     NULL
@@ -3014,7 +3016,7 @@ void confclient_cb(struct gconffile **cf, char *block, char *opt, char *val) {
 }
 
 void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
-    char *type = NULL, *tls = NULL, *matchcertattr = NULL, *statusserver = NULL, *rewrite = NULL;
+    char *type = NULL, *tls = NULL, *matchcertattr = NULL, *rewrite = NULL;
     struct clsrvconf *conf;
 
     debug(DBG_DBG, "confserver_cb called for %s", block);
@@ -3023,6 +3025,7 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
     if (!conf || !list_push(srvconfs, conf))
        debugx(1, DBG_ERR, "malloc failed");
     memset(conf, 0, sizeof(struct clsrvconf));
+    conf->certnamecheck = 1;
 
     getgenericconfig(cf, block,
                     "type", CONF_STR, &type,
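Review bot: With `CertificateNameCheck off` the guard in the -766 hunk skips the whole `prefixlen == 255` branch, which is the only code visible here that derives `type` and `addr` from `conf->host`; `type` stays 0 and `addr` is left uninitialized, so whatever follows in verifyconfcert (outside this hunk) must not read `addr` when the check is disabled — worth confirming. The security effect also deserves a comment at the `if`, since nothing else in the diff documents it: `/* CertificateNameCheck off: skip the CN/subjectAltName binding to conf->host; presumably only the matchcertificateattribute regex, when configured, still ties the cert to this peer -- confirm */`. verifyconfcert starts before and continues past this hunk.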
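Review bot: Registering `CertificateNameCheck` in the -2967 hunk adds no configuration-time sanity check: a client block with `CertificateNameCheck off` and no `matchcertificateattribute` will accept any certificate that chains to the configured CA as that client, and the operator gets no hint that the only peer binding has been switched off. After getgenericconfig returns, something like `if (!conf->certnamecheck && !matchcertattr) debug(DBG_WARN, "block %s: CertificateNameCheck off without matchcertificateattribute", block);` would make that explicit (use whichever warning level debug() supports; only DBG_DBG and DBG_ERR are visible here). The same guard belongs in confserver_cb, whose option list is in the next hunk. confclient_cb continues past this hunk.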
@@ -3030,9 +3033,10 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
                     "port", CONF_STR, &conf->port,
                     "secret", CONF_STR, &conf->secret,
                     "tls", CONF_STR, &tls,
-                    "matchcertificateattribute", CONF_STR, &matchcertattr,
+                    "MatchCertificateAttribute", CONF_STR, &matchcertattr,
                     "rewrite", CONF_STR, &rewrite,
-                    "StatusServer", CONF_STR, &statusserver,
+                    "StatusServer", CONF_BLN, &conf->statusserver,
+                    "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
                     NULL
                     );
 
@@ -3073,14 +3077,6 @@ void confserver_cb(struct gconffile **cf, char *block, char *opt, char *val) {
        debugx(1, DBG_ERR, "error in block %s, secret must be specified for UDP", block);
        conf->secret = stringcopy(DEFAULT_TLS_SECRET, 0);
     }
-
-    if (statusserver) {
-       if (!strcasecmp(statusserver, "on"))
-           conf->statusserver = 1;
-       else if (strcasecmp(statusserver, "off"))
-           debugx(1, DBG_ERR, "error in block %s, StatusServer is %s, must be on or off", block, statusserver);
-       free(statusserver);
-    }
 }
 
 void confrealm_cb(struct gconffile **cf, char *block, char *opt, char *val) {
diff --git a/radsecproxy.h b/radsecproxy.h
index f60d3a3..2ba6153 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -84,6 +84,7 @@ struct clsrvconf {
     regex_t *rewriteattrregex;
     char *rewriteattrreplacement;
     uint8_t statusserver;
+    uint8_t certnamecheck;
     SSL_CTX *ssl_ctx;
     struct rewrite *rewrite;
     struct addrinfo *addrinfo;
-- 
cgit v1.1
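Review bot: The -3030 hunk renames the server option from `"matchcertificateattribute"` to `"MatchCertificateAttribute"` while the client block in confclient_cb keeps the lowercase spelling; whether existing server configurations keep working depends on the option lookup in getgenericconfig being case-insensitive, which is outside this diff and should be confirmed — if it is a plain `strcmp`, this is a silent break for every server block that sets the option. Either way the two blocks should spell shared options identically; keeping `"matchcertificateattribute"` here removes the question. Moving `StatusServer` to `CONF_BLN` trades the option-specific error text for the generic "must be on or off" message, which is acceptable. confserver_cb starts before and continues past this hunk.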