loudmouth/lm-ssl-openssl.c
changeset 664 f57b1b61e1fe
parent 661 22492003e3f7
child 682 4a092b834996
663:3697251ef911 664:f57b1b61e1fe
   219                __FILE__, server, cn);
   219                __FILE__, server, cn);
   220 
   220 
   221         if (domain != NULL) {
   221         if (domain != NULL) {
   222 
   222 
   223             if ((cn[0] == '*') && (cn[1] == '.')) {
   223             if ((cn[0] == '*') && (cn[1] == '.')) {
   224                 /* 
   224                 /*
   225                  * FWB: huh? ever tested?
   225                  * FWB: huh? ever tested?
   226                  * server="sub.domain.tld";
   226                  * server="sub.domain.tld";
   227                  * cn="*.domain.tld";
   227                  * cn="*.domain.tld";
   228                  * domain=strstr(cn, server); ???
   228                  * domain=strstr(cn, server); ???
   229                  */
   229                  */
   230                 /* domain = strstr (cn, server); */
   230                 /* domain = strstr (cn, server); */
   231                 server = strchr(server, '.') + 1;
   231                 server = strchr(server, '.') + 1;
   232                 domain = cn + 2;
   232                 domain = cn + 2;
   233             }
   233             }
   234     
   234 
   235             if (strncasecmp (server, domain, LM_SSL_CN_MAX) != 0) {
   235             if (strncasecmp (server, domain, LM_SSL_CN_MAX) != 0) {
   236                 /* FWB: CN doesn't match, try SANs */
   236                 /* FWB: CN doesn't match, try SANs */
   237                 int subject_alt_names_nb = -1;
   237                 int subject_alt_names_nb = -1;
   238                 int san_result = 0;
   238                 int san_result = 0;
   239                 int san_counter;
   239                 int san_counter;
   240                 STACK_OF(GENERAL_NAME) *subject_alt_names = NULL;
   240                 STACK_OF(GENERAL_NAME) *subject_alt_names = NULL;
   241     
   241 
   242                 /* g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: CN does not match server name\n", __FILE__); */
   242                 /* g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: CN does not match server name\n", __FILE__); */
   243                 // Try to extract the names within the SAN extension from the certificate
   243                 // Try to extract the names within the SAN extension from the certificate
   244                 subject_alt_names = X509_get_ext_d2i((X509 *) srv_crt, NID_subject_alt_name, NULL, NULL);
   244                 subject_alt_names = X509_get_ext_d2i((X509 *) srv_crt, NID_subject_alt_name, NULL, NULL);
   245                 if (subject_alt_names != NULL) {
   245                 if (subject_alt_names != NULL) {
   246     
   246 
   247                     // Check each name within the extension
   247                     // Check each name within the extension
   248                     subject_alt_names_nb = sk_GENERAL_NAME_num(subject_alt_names);
   248                     subject_alt_names_nb = sk_GENERAL_NAME_num(subject_alt_names);
   249                     for (san_counter=0; san_counter<subject_alt_names_nb; san_counter++) {
   249                     for (san_counter=0; san_counter<subject_alt_names_nb; san_counter++) {
   250                         const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(subject_alt_names, san_counter);
   250                         const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(subject_alt_names, san_counter);
   251                         if (current_name->type == GEN_DNS) {
   251                         if (current_name->type == GEN_DNS) {
   256                             } else {
   256                             } else {
   257                                 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: found SAN '%s'\n", __FILE__, current_name->d.dNSName->data);
   257                                 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, "%s: found SAN '%s'\n", __FILE__, current_name->d.dNSName->data);
   258                             }
   258                             }
   259                         }
   259                         }
   260                     }
   260                     }
   261     
   261 
   262                 }
   262                 }
   263                 sk_GENERAL_NAME_pop_free(subject_alt_names, GENERAL_NAME_free);
   263                 sk_GENERAL_NAME_pop_free(subject_alt_names, GENERAL_NAME_free);
   264                 if (!san_result) goto cn_and_san_mismatch;
   264                 if (!san_result) goto cn_and_san_mismatch;
   265             } /* SAN */
   265             } /* SAN */
   266         } else {
   266         } else {
   378     SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb);
   378     SSL_CTX_set_verify (ssl->ssl_ctx, SSL_VERIFY_PEER, ssl_verify_cb);
   379 }
   379 }
   380 
   380 
   381 gboolean
   381 gboolean
   382 _lm_ssl_set_ca (LmSSL       *ssl,
   382 _lm_ssl_set_ca (LmSSL       *ssl,
   383 		const gchar *ca_path)
   383                 const gchar *ca_path)
   384 {
   384 {
   385     struct stat target;
   385     struct stat target;
   386     int success = 0;
   386     int success = 0;
   387 
   387 
   388     if (stat (ca_path, &target) != 0) {
   388     if (stat (ca_path, &target) != 0) {
   389         g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
   389         g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
   390 	       "ca_path '%s': no such file or directory", ca_path);
   390                "ca_path '%s': no such file or directory", ca_path);
   391         return FALSE;
   391         return FALSE;
   392     }
   392     }
   393 
   393 
   394     if (S_ISDIR (target.st_mode)) {
   394     if (S_ISDIR (target.st_mode)) {
   395         success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL, ca_path);
   395         success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, NULL, ca_path);
   396     } else if (S_ISREG (target.st_mode)) {
   396     } else if (S_ISREG (target.st_mode)) {
   397         success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, ca_path, NULL);
   397         success = SSL_CTX_load_verify_locations(ssl->ssl_ctx, ca_path, NULL);
   398     }
   398     }
   399     if (success == 0) {
   399     if (success == 0) {
   400         g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
   400         g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL,
   401 	       "Loading of ca_path '%s' failed: %s",
   401                "Loading of ca_path '%s' failed: %s",
   402 	       ca_path,
   402                ca_path,
   403 	       ERR_error_string(ERR_peek_last_error(), NULL));
   403                ERR_error_string(ERR_peek_last_error(), NULL));
   404         return FALSE;
   404         return FALSE;
   405     }
   405     }
   406 
   406 
   407     return TRUE;
   407     return TRUE;
   408 }
   408 }