From deb9644a8ad6f6b7bc2a88ac3a517f9b5add6894 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Sat, 19 May 2001 23:07:46 +0000 Subject: [PATCH] Should not be using reverse lookup names to check certificates. --- libraries/libldap/tls.c | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 3e0d55e42b..4b0c02c753 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -913,7 +913,7 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg ) int ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) { - char *peer_cert_cn, *peer_hostname; + char *peer_cert_cn; void *ssl; (void) ldap_pvt_tls_init(); @@ -926,9 +926,12 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) } ssl = (void *) ldap_pvt_tls_sb_handle( sb ); + assert( ssl != NULL ); + /* - * compare hostname of server with name in certificate + * compare ld->ld_host with name in certificate */ + peer_cert_cn = ldap_pvt_tls_get_peer_hostname( ssl ); if ( !peer_cert_cn ) { /* could not get hostname from peer certificate */ @@ -937,30 +940,17 @@ ldap_pvt_tls_start ( LDAP *ld, Sockbuf *sb, void *ctx_arg ) 0, 0, 0 ); return LDAP_LOCAL_ERROR; } - - peer_hostname = ldap_host_connected_to( sb ); - if ( !peer_hostname ) { - /* could not lookup hostname */ - Debug( LDAP_DEBUG_ANY, - "TLS: unable to reverse lookup peer hostname.\n", - 0, 0, 0 ); - LDAP_FREE( peer_cert_cn ); - return LDAP_LOCAL_ERROR; - } - if ( strcasecmp(peer_hostname, peer_cert_cn) != 0 ) { + if ( strcasecmp(ld->ld_host, peer_cert_cn) != 0 ) { Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " "common name in certificate (%s).", - peer_hostname, peer_cert_cn, 0 ); + ld->ld_host, peer_cert_cn, 0 ); LDAP_FREE( peer_cert_cn ); - LDAP_FREE( peer_hostname ); return LDAP_CONNECT_ERROR; - - } else { - LDAP_FREE( peer_cert_cn ); - LDAP_FREE( peer_hostname ); } + LDAP_FREE( peer_cert_cn ); + /* * set SASL properties to TLS ssf and authid */ -- 2.39.5