Jim Raney's TLS patch
authorKern Sibbald <kern@sibbald.com>
Sat, 26 Jul 2014 13:10:21 +0000 (15:10 +0200)
committerKern Sibbald <kern@sibbald.com>
Sat, 26 Jul 2014 13:10:21 +0000 (15:10 +0200)
bacula/src/lib/tls.c

index 959a559246143ad1d7eba60d71efbf4f3020fcf4..32d4c756de5cb915fdef0d993516350e843f2c20 100644 (file)
@@ -281,6 +281,7 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host
    bool auth_success = false;
    int extensions;
    int i, j;
+   const char *pval, *phost;
 
    int cnLastPos = -1;
    X509_NAME_ENTRY *neCN;
@@ -351,7 +352,15 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host
             for (j = 0; j < sk_CONF_VALUE_num(val); j++) {
                nval = sk_CONF_VALUE_value(val, j);
                if (strcmp(nval->name, "DNS") == 0) {
-                  if (strcasecmp(nval->value, host) == 0) {
+                  if (strncasecmp(nval->value, "*.", 2) == 0) {
+                     Dmsg0(250, "Wildcard Certificate\n");
+                     pval = strstr(nval->value, ".");
+                     phost = strstr(host, ".");
+                     if (pval && phost && (strcasecmp(pval, phost) == 0)) {
+                        auth_success = true;
+                        goto success;
+                     }
+                  } else if (strcasecmp(nval->value, host) == 0) {
                      auth_success = true;
                      goto success;
                   }
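Review bot: The wildcard comparison accepts an empty leftmost label, because `strstr(host, ".")` also succeeds when `host` itself begins with a dot, and the same block is repeated verbatim in the CN hunk below. Factoring it into one static helper lets both sites share a single check that the wildcard covers exactly one non-empty label (the `*.` prefix already confines the wildcard to the leftmost position, in line with RFC 6125 §6.4.3). `strstr(nval->value, ".")` on a value known to start with `*.` is just `nval->value + 1`, and `strchr` is the idiomatic call when searching for a single character. The call site in this hunk then reduces to `if (tls_wildcard_match(nval->value, host) || strcasecmp(nval->value, host) == 0) {` followed by the existing `auth_success = true; goto success;`, and the `pval`/`phost` declarations added in the first hunk are no longer needed.
```c
/* True when pattern is "*.<suffix>" and host is "<one non-empty label>.<suffix>"
 * (suffix compared case-insensitively); the wildcard covers exactly one label. */
static bool tls_wildcard_match(const char *pattern, const char *host)
{
   const char *phost;

   if (strncasecmp(pattern, "*.", 2) != 0) {
      return false;
   }
   phost = strchr(host, '.');
   if (!phost || phost == host) {      /* no dot, or empty leftmost label */
      return false;
   }
   Dmsg0(250, "Wildcard Certificate\n");
   return strcasecmp(pattern + 1, phost) == 0;
}

/* … unchanged: SAN iteration up to the "DNS" name test … */
               if (strcmp(nval->name, "DNS") == 0) {
                  if (tls_wildcard_match(nval->value, host) ||
                      strcasecmp(nval->value, host) == 0) {
                     auth_success = true;
                     goto success;
                  }
```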
@@ -374,7 +383,16 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host
             }
             neCN = X509_NAME_get_entry(subject, cnLastPos);
             asn1CN = X509_NAME_ENTRY_get_data(neCN);
-            if (strcasecmp((const char*)asn1CN->data, host) == 0) {
+            if (strncasecmp((const char*)asn1CN->data, "*.", 2) == 0) {
+               /* wildcard certificate */
+               Dmsg0(250, "Wildcard Certificate\n");
+               pval = strstr((const char*)asn1CN->data, ".");
+               phost = strstr(host, ".");
+               if (pval && phost && (strcasecmp(pval, phost) == 0)) {
+                  auth_success = true;
+                  goto success;
+               }
+            } else if (strcasecmp((const char*)asn1CN->data, host) == 0) {
                auth_success = true;
                break;
             }
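Review bot: Both the new wildcard branch and the retained exact-match branch read `asn1CN->data` as a NUL-terminated string without consulting `asn1CN->length`, so a CN containing an embedded NUL byte is compared only up to that byte; the `strncasecmp`/`strstr` calls in the wildcard path extend this pre-existing pattern rather than closing it. Treat the entry as a non-match before either comparison when `(size_t)asn1CN->length != strlen((const char*)asn1CN->data)` (the DNS SAN values in the earlier hunk arrive as `CONF_VALUE` strings and presumably carry the same caveat, if their ASN.1 length is reachable there). The two branches also reach the same outcome by different routes — `goto success` on a wildcard match but `break` on an exact match — which reads as unintentional; using `break` in both keeps whatever follows the loop on a single path. The enclosing loop and the `success` label lie outside this hunk.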