From: Kern Sibbald
Date: Mon, 1 Feb 2010 09:20:52 +0000 (+0100)
Subject: Patch from checks multple CNs when using TLS
X-Git-Tag: Release-5.0.1~142
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f459de50e2412ecf06ed7c50b72050158342fe54;p=bacula%2Fbacula

Patch from checks multple CNs when using TLS
---

diff --git a/bacula/src/lib/tls.c b/bacula/src/lib/tls.c
index 62a1ecf108..1451371cec 100644
--- a/bacula/src/lib/tls.c
+++ b/bacula/src/lib/tls.c
@@ -1,7 +1,7 @@
 /*
    Bacula® - The Network Backup Solution
 
-   Copyright (C) 2005-2008 Free Software Foundation Europe e.V.
+   Copyright (C) 2005-2010 Free Software Foundation Europe e.V.
 
    The main author of Bacula is Kern Sibbald, with contributions from
    many others, a complete list can be found in the file AUTHORS.
@@ -30,8 +30,6 @@
  *
  * Author: Landon Fuller
  *
- * Version $Id$
- *
  * This file was contributed to the Bacula project by Landon Fuller
  * and Three Rings Design, Inc.
  *
@@ -294,9 +292,11 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host
    X509_NAME *subject;
    bool auth_success = false;
    int extensions;
-   char data[256];
    int i, j;
+   int cnLastPos = -1;
+   X509_NAME_ENTRY *neCN;
+   ASN1_STRING *asn1CN;
 
    /* Check if peer provided a certificate */
    if (!(cert = SSL_get_peer_certificate(ssl))) {
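Review bot: The three new locals `cnLastPos`, `neCN` and `asn1CN` are camelCase while the neighbouring declarations in this hunk (`auth_success`, `extensions`) and the function's own name follow snake_case; renaming them, e.g. `int cn_last_pos = -1;`, `X509_NAME_ENTRY *cn_entry;`, `ASN1_STRING *cn_data;`, keeps the naming consistent. They are also only used by the subject-name loop added in the later hunk of this file, so they could be scoped there rather than at function top if the file's declaration style allows it. The enclosing function's body continues outside this hunk.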
@@ -370,11 +370,17 @@ bool tls_postconnect_verify_host(JCR *jcr, TLS_CONNECTION *tls, const char *host
    /* Try verifying against the subject name */
    if (!auth_success) {
       if ((subject = X509_get_subject_name(cert)) != NULL) {
-         if (X509_NAME_get_text_by_NID(subject, NID_commonName, data, sizeof(data)) > 0) {
-            /* NULL terminate data */
-            data[255] = 0;
-            if (strcasecmp(data, host) == 0) {
+         /* Loop through all CNs */
+         for (;;) {
+            cnLastPos = X509_NAME_get_index_by_NID(subject, NID_commonName, cnLastPos);
+            if (cnLastPos == -1) {
+               break;
+            }
+            neCN = X509_NAME_get_entry(subject, cnLastPos);
+            asn1CN = X509_NAME_ENTRY_get_data(neCN);
+            if (strcasecmp((const char*)asn1CN->data, host) == 0) {
                auth_success = true;
+               break;
             }
          }
       }
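Review bot: `asn1CN->data` is passed to strcasecmp as a NUL-terminated C string on the `if (strcasecmp((const char*)asn1CN->data, host) == 0)` line, but an ASN1_STRING is a length-counted buffer: it is not guaranteed to carry a terminator, and a certificate CN may itself contain a NUL byte, in which case only the prefix before it is compared and a CN that is not the peer's host name can still match. Compare by the recorded length instead, e.g. `int cn_len = ASN1_STRING_length(asn1CN);` followed by `if (cn_len == (int)strlen(host) && strncasecmp((const char *)asn1CN->data, host, (size_t)cn_len) == 0) {`, which rejects both an embedded NUL and a length mismatch without reading past the buffer. The comparison also presumes the CN is in an ASCII-compatible string type; a non-ASCII encoding will simply fail to match, which is probably acceptable but worth a short comment such as `/* only ASCII-compatible CN encodings can match here */`. The enclosing function starts and ends outside this hunk.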