219 __FILE__, server, cn); |
219 __FILE__, server, cn); |
220 |
220 |
221 if (domain != NULL) { |
221 if (domain != NULL) { |
222 |
222 |
223 if ((cn[0] == '*') && (cn[1] == '.')) { |
223 if ((cn[0] == '*') && (cn[1] == '.')) { |
224 /* |
224 /* |
225 * FWB: huh? ever tested? |
225 * FWB: huh? ever tested? |
226 * server="sub.domain.tld"; |
226 * server="sub.domain.tld"; |
227 * cn="*.domain.tld"; |
227 * cn="*.domain.tld"; |
228 * domain=strstr(cn, server); ??? |
228 * domain=strstr(cn, server); ??? |
229 */ |
229 */ |
230 /* domain = strstr (cn, server); */ |
230 /* domain = strstr (cn, server); */ |
231 server = strchr(server, '.') + 1; |
231 server = strchr(server, '.') + 1; |
232 domain = cn + 2; |
232 domain = cn + 2; |
233 } |
233 } |
234 |
234 |
235 if (strncasecmp (server, domain, LM_SSL_CN_MAX) != 0) { |
235 if (strncasecmp (server, domain, LM_SSL_CN_MAX) != 0) { |
236 /* FWB: CN doesn't match, try SANs */ |
236 /* FWB: CN doesn't match, try SANs */ |
237 int subject_alt_names_nb = -1; |
237 int subject_alt_names_nb = -1; |
238 int san_result = 0; |
238 int san_result = 0; |
239 int san_counter; |
239 int san_counter; |
240 STACK_OF(GENERAL_NAME) *subject_alt_names = NULL; |
240 STACK_OF(GENERAL_NAME) *subject_alt_names = NULL; |
241 |
241 |
242 /* g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: CN does not match server name\n", __FILE__); */ |
242 /* g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: CN does not match server name\n", __FILE__); */ |
243 // Try to extract the names within the SAN extension from the certificate |
243 // Try to extract the names within the SAN extension from the certificate |
244 subject_alt_names = X509_get_ext_d2i((X509 *) srv_crt, NID_subject_alt_name, NULL, NULL); |
244 subject_alt_names = X509_get_ext_d2i((X509 *) srv_crt, NID_subject_alt_name, NULL, NULL); |
245 if (subject_alt_names != NULL) { |
245 if (subject_alt_names != NULL) { |
246 |
246 |
247 // Check each name within the extension |
247 // Check each name within the extension |
248 subject_alt_names_nb = sk_GENERAL_NAME_num(subject_alt_names); |
248 subject_alt_names_nb = sk_GENERAL_NAME_num(subject_alt_names); |
249 for (san_counter=0; san_counter<subject_alt_names_nb; san_counter++) { |
249 for (san_counter=0; san_counter<subject_alt_names_nb; san_counter++) { |
250 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(subject_alt_names, san_counter); |
250 const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(subject_alt_names, san_counter); |
251 if (current_name->type == GEN_DNS) { |
251 if (current_name->type == GEN_DNS) { |
378 SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb); |
378 SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb); |
379 } |
379 } |
380 |
380 |
381 gboolean |
381 gboolean |
382 _lm_ssl_set_ca (LmSSL *ssl, |
382 _lm_ssl_set_ca (LmSSL *ssl, |
383 const gchar *ca_path) |
383 const gchar *ca_path) |
384 { |
384 { |
385 struct stat target; |
385 struct stat target; |
386 int success = 0; |
386 int success = 0; |
387 |
387 |
388 if (stat (ca_path, &target) != 0) { |
388 if (stat (ca_path, &target) != 0) { |
389 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
389 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
390 "ca_path '%s': no such file or directory", ca_path); |
390 "ca_path '%s': no such file or directory", ca_path); |
391 return FALSE; |
391 return FALSE; |
392 } |
392 } |
393 |
393 |
394 if (S_ISDIR (target.st_mode)) { |
394 if (S_ISDIR (target.st_mode)) { |
395 success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL, ca_path); |
395 success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL, ca_path); |
396 } else if (S_ISREG (target.st_mode)) { |
396 } else if (S_ISREG (target.st_mode)) { |
397 success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, ca_path, NULL); |
397 success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, ca_path, NULL); |
398 } |
398 } |
399 if (success == 0) { |
399 if (success == 0) { |
400 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
400 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
401 "Loading of ca_path '%s' failed: %s", |
401 "Loading of ca_path '%s' failed: %s", |
402 ca_path, |
402 ca_path, |
403 ERR_error_string(ERR_peek_last_error(), NULL)); |
403 ERR_error_string(ERR_peek_last_error(), NULL)); |
404 return FALSE; |
404 return FALSE; |
405 } |
405 } |
406 |
406 |
407 return TRUE; |
407 return TRUE; |
408 } |
408 } |
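Review bot: In `_lm_ssl_set_ca`, a `ca_path` that is neither a directory nor a regular file (a FIFO, socket or device, for instance) leaves `success` at 0 and falls into the failure log at line 399, which then prints `ERR_peek_last_error()` even though no OpenSSL call ran, so the message carries either a stale error from an earlier operation or an empty one. An explicit branch makes the cause visible: after the `S_ISREG` case add `} else { g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "ca_path '%s': not a regular file or directory", ca_path); return FALSE; }`. `ERR_error_string(…, NULL)` also formats into a static buffer, so a local `char errbuf[256]` with `ERR_error_string_n(ERR_peek_last_error(), errbuf, sizeof errbuf)` is the safer form if this library is ever driven from more than one thread. In the earlier hunk, the wildcard branch at line 231 computes `strchr(server, '.') + 1` without checking for NULL, which is undefined behaviour when the server name contains no dot; that function starts and ends outside the hunk, so the fix (`const char *dot = strchr(server, '.'); if (dot == NULL) return FALSE;` before the assignment) needs to be placed with the whole function in view.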