patch tls_openssl.c

Jouni Malinen jkmaline
Sat Nov 18 20:59:22 PST 2006


On Sun, Nov 05, 2006 at 04:57:13PM +0100, polish wrote:

>   patch in attachment change processing altsubject_match configuration 
> option. Now we can have in altsubject_match option more than one value. 
> For example we can have two different radius servers :

>         altsubject_match="  DNS:radius2.cesnet.cz;  DNS:radius1.cesnet.cz"

> Patch was written in time, when os_ functions not used (os_strlen, 
> os_malloc). I rewrite patch for using this new functions, but strtok and 
> strspn functions not have os equivalent, therefore I used old one.

Thanks! I don't want to add requirement for strtok() or strspn()
functions at this point (and actually, never for strtok(), it is just
too broken). I ended up cleaning up the matching code to not require
allocation of a local copy of the string and not use these functions.

> Patch also solve hypotetical security problem, because now 
> altsubject_match is compared by os_strstr function. Somebody can generate
> certificate with name "radius1.cesnet.cz.badgyu.com" and match 
> altsubject_match="radius1.cesnet.cz" in client configuration.

Agreed. Though, this was the documented behavior.. I changed
documentation to match the current behavior, i.e., to require a full
match of the name component. In addition, I did not include skipping of
spaces, so the string must be just semicolon separated list of name
components without extra whitespace. This allows ';' to be included as
part of the value to match against should someone ever decide to use
semicolon in subjectAltName.

-- 
Jouni Malinen                                            PGP id EFC895FA




More information about the Hostap mailing list