patch tls_openssl.c

polish polish
Sun Nov 19 12:27:00 PST 2006

 	Hi Jouni,

   perfect work, I will try on our network tomorrow. I had two variant of 
patch 1) with strtok and second without strtok. I sent you first one. 
Please ignore my patch sent to list again. The mail has subject "[PATCH] 

 	thank you Polish

*  starnem a porad nic, rozum jako kdyby se nam vyhybal  *

On Sat, 18 Nov 2006, Jouni Malinen wrote:

> On Sun, Nov 05, 2006 at 04:57:13PM +0100, polish wrote:
>>   patch in attachment change processing altsubject_match configuration
>> option. Now we can have in altsubject_match option more than one value.
>> For example we can have two different radius servers :
>>         altsubject_match=";"
>> Patch was written in time, when os_ functions not used (os_strlen,
>> os_malloc). I rewrite patch for using this new functions, but strtok and
>> strspn functions not have os equivalent, therefore I used old one.
> Thanks! I don't want to add requirement for strtok() or strspn()
> functions at this point (and actually, never for strtok(), it is just
> too broken). I ended up cleaning up the matching code to not require
> allocation of a local copy of the string and not use these functions.
>> Patch also solve hypotetical security problem, because now
>> altsubject_match is compared by os_strstr function. Somebody can generate
>> certificate with name "" and match
>> altsubject_match="" in client configuration.
> Agreed. Though, this was the documented behavior.. I changed
> documentation to match the current behavior, i.e., to require a full
> match of the name component. In addition, I did not include skipping of
> spaces, so the string must be just semicolon separated list of name
> components without extra whitespace. This allows ';' to be included as
> part of the value to match against should someone ever decide to use
> semicolon in subjectAltName.
> -- 
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at

More information about the Hostap mailing list