patch tls_openssl.c
polish
polish
Sun Nov 5 07:57:13 PST 2006
Hello,
The attached patch changes the processing of the altsubject_match configuration
option. Now the altsubject_match option can hold more than one value.
For example, we can have two different RADIUS servers:
wpa_supplicant.conf :
network={
ssid="eduroam"
key_mgmt=WPA-EAP
eap=PEAP
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
identity="somebody at cesnet.cz"
password="password"
ca_cert="/etc/ssl/certs/cesnet-ca.cz.pem"
#phase1="peaplabelB=1"
phase2="auth=MSCHAPV2"
altsubject_match=" DNS:radius2.cesnet.cz; DNS:radius1.cesnet.cz"
priority=10
}
The patch was originally written at a time when the os_ functions (os_strlen,
os_malloc) were not yet used. I rewrote the patch to use these new functions, but strtok and
strspn have no os_ equivalent, so I used the old ones.
The patch is against the wpa_supplicant-0.5-2006-11-03 snapshot.
The patch also solves a hypothetical security problem: currently
altsubject_match is compared with the os_strstr function, so somebody could generate a
certificate with the name "radius1.cesnet.cz.badgyu.com" and it would match
altsubject_match="radius1.cesnet.cz" in the client configuration.
best regards Polish
--
**********************************************************
* starnem a porad nic, rozum jako kdyby se nam vyhybal *
**********************************************************
-------------- next part --------------
--- tls_openssl.c.orig 2006-11-05 15:50:02.000000000 +0100
+++ tls_openssl.c 2006-11-05 16:14:10.000000000 +0100
@@ -952,43 +952,65 @@
int i, found = 0;
size_t len;
- ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+ size_t m_len, m_space;
+ char *m_match, *match_tmp;
+ char *match_copy = os_strdup( match );
+
+ match_tmp = match_copy;
+ while(( m_match = strtok( match_tmp, ";" )) != NULL ) {
+ match_tmp = NULL;
+ m_space = strspn( m_match, " " );
+ m_match = m_match + m_space;
+ m_len = os_strlen( m_match );
+
+ /* printf( "xpl: m_len = %d\n", m_len ); */
+ ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+
+ for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
+ gen = sk_GENERAL_NAME_value(ext, i);
+ switch (gen->type) {
+ case GEN_EMAIL:
+ field = "EMAIL";
+ break;
+ case GEN_DNS:
+ field = "DNS";
+ break;
+ case GEN_URI:
+ field = "URI";
+ break;
+ default:
+ field = NULL;
+ wpa_printf(MSG_DEBUG, "TLS: altSubjectName: " "unsupported type=%d", gen->type);
+ break;
+ }
+
+ if(!field)
+ continue;
- for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
- gen = sk_GENERAL_NAME_value(ext, i);
- switch (gen->type) {
- case GEN_EMAIL:
- field = "EMAIL";
- break;
- case GEN_DNS:
- field = "DNS";
- break;
- case GEN_URI:
- field = "URI";
- break;
- default:
- field = NULL;
- wpa_printf(MSG_DEBUG, "TLS: altSubjectName: "
- "unsupported type=%d", gen->type);
- break;
- }
- if (!field)
- continue;
+ wpa_printf(MSG_DEBUG, "TLS: altSubjectName: %s:%s", field, gen->d.ia5->data);
+ len = os_strlen(field) + 1 + os_strlen((char *) gen->d.ia5->data) + 1;
+ /* printf( "xpl: len = %d , field = %s\n", len, field );
+ * printf( "xpl: data = %s\n", (char *) gen->d.ia5->data ); */
+ if( len == (m_len + 1)) {
+ /* printf( "xpl: length of strings are equal \n" ); */
+ tmp = os_malloc(len);
+ if(tmp == NULL)
+ continue;
+
+ os_snprintf(tmp, len, "%s:%s", field, gen->d.ia5->data);
+ /* printf( "xpl: tmp= %s\nxpl: m_match= %s\n", tmp, m_match ); */
+ if(os_strncmp(tmp, m_match, m_len) == 0) {
+ /* printf( "xpl: test ok\n" ); */
+ found++;
+ }
+ free(tmp);
+ }
+ }
- wpa_printf(MSG_DEBUG, "TLS: altSubjectName: %s:%s",
- field, gen->d.ia5->data);
- len = os_strlen(field) + 1 +
- os_strlen((char *) gen->d.ia5->data) + 1;
- tmp = os_malloc(len);
- if (tmp == NULL)
- continue;
- os_snprintf(tmp, len, "%s:%s", field, gen->d.ia5->data);
- tmp[len - 1] = '\0';
- if (os_strstr(tmp, match))
- found++;
- os_free(tmp);
}
+ free( match_copy );
return found;
}
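Review bot: The result of `os_strdup( match )` is never checked, so an allocation failure hands NULL to strtok() on the first iteration and crashes the comparison instead of failing closed; add `if (match_copy == NULL) return 0;` right after the strdup (the function's signature and any earlier `match == NULL` guard are above the hunk, so I cannot tell whether NULL `match` is already excluded by the caller). The new code also frees with plain `free(tmp)` and `free( match_copy )` while the memory came from os_malloc/os_strdup — the removed line used `os_free(tmp)`, and both sites should read `os_free(tmp);` and `os_free(match_copy);` so the wrappers stay paired. `X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL)` was moved inside the `while` over tokens, so every token after the first overwrites `ext` without releasing the previous GENERAL_NAMES stack; unless a per-iteration free exists outside the hunk (only the final `}` is visible), move the call back above the `while` as in the original or release each iteration's `ext` with sk_GENERAL_NAME_pop_free before the next token. Finally, the exact-length `len == (m_len + 1)` check means a token with trailing whitespace before the `;` (as in the example config, the leading spaces are stripped but trailing ones are not) will silently never match; trimming trailing blanks after the strspn, or at least documenting the format next to the strtok loop, would save configuration surprises.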