patch tls_openssl.c

polish polish at pf.ujep.cz
Sun Nov 5 10:57:13 EST 2006


 	Hello,

   patch in attachment change processing altsubject_match configuration 
option. Now we can have in altsubject_match option more than one value. 
For example we can have two different radius servers :
wpa_supplicant.conf :
network={
         ssid="eduroam"
         key_mgmt=WPA-EAP
         eap=PEAP
         pairwise=CCMP TKIP
         group=CCMP TKIP WEP104 WEP40
         identity="somebody at cesnet.cz"
         password="password"
         ca_cert="/etc/ssl/certs/cesnet-ca.cz.pem"
         #phase1="peaplabelB=1"
         phase2="auth=MSCHAPV2"
         altsubject_match="  DNS:radius2.cesnet.cz;  DNS:radius1.cesnet.cz"
         priority=10
}

Patch was written in time, when os_ functions not used (os_strlen, 
os_malloc). I rewrite patch for using this new functions, but strtok and 
strspn functions not have os equivalent, therefore I used old one.

Patch is against wpa_supplicant-0.5-2006-11-03 snapshot.

The patch also solves a hypothetical security problem: currently altsubject_match is 
compared with the os_strstr function, so somebody can generate a
certificate with the name "radius1.cesnet.cz.badgyu.com" and it will match 
altsubject_match="radius1.cesnet.cz" in the client configuration.

 	best regards	Polish

-- 
**********************************************************
*  starnem a porad nic, rozum jako kdyby se nam vyhybal  *
**********************************************************
-------------- next part --------------
--- tls_openssl.c.orig	2006-11-05 15:50:02.000000000 +0100
+++ tls_openssl.c	2006-11-05 16:14:10.000000000 +0100
@@ -952,43 +952,65 @@
 	int i, found = 0;
 	size_t len;
 
-	ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+	size_t m_len, m_space;
+  char *m_match,  *match_tmp;
+  char *match_copy = os_strdup( match );
+
+  match_tmp = match_copy;
+  while(( m_match = strtok( match_tmp, ";" )) != NULL ) {
+    match_tmp = NULL;
+    m_space = strspn( m_match, " " );
+    m_match = m_match + m_space;
+    m_len = os_strlen( m_match );
+
+		/*    printf( "xpl: m_len = %d\n", m_len ); */
+    ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
+
+
+    for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
+      gen = sk_GENERAL_NAME_value(ext, i);
+      switch (gen->type) {
+	      case GEN_EMAIL:
+	        field = "EMAIL";
+	        break;
+	      case GEN_DNS:
+	        field = "DNS";
+	        break;
+	      case GEN_URI:
+	        field = "URI";
+	        break;
+	      default:
+	        field = NULL;
+	        wpa_printf(MSG_DEBUG, "TLS: altSubjectName: " "unsupported type=%d", gen->type);
+	        break;
+			}
+
+			if(!field)
+				continue;
 
-	for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
-		gen = sk_GENERAL_NAME_value(ext, i);
-		switch (gen->type) {
-		case GEN_EMAIL:
-			field = "EMAIL";
-			break;
-		case GEN_DNS:
-			field = "DNS";
-			break;
-		case GEN_URI:
-			field = "URI";
-			break;
-		default:
-			field = NULL;
-			wpa_printf(MSG_DEBUG, "TLS: altSubjectName: "
-				   "unsupported type=%d", gen->type);
-			break;
-		}
 
-		if (!field)
-			continue;
+			wpa_printf(MSG_DEBUG, "TLS: altSubjectName: %s:%s", field, gen->d.ia5->data);
+			len = os_strlen(field) + 1 + os_strlen((char *) gen->d.ia5->data) + 1;
+			/* printf( "xpl: len = %d , field = %s\n", len, field ); 
+			 *       printf( "xpl: data = %s\n", (char *) gen->d.ia5->data ); */
+			if( len == (m_len + 1)) {
+			  /* printf( "xpl: length of strings are equal \n" ); */
+			  tmp = os_malloc(len);
+			  if(tmp == NULL)
+			     continue;
+				
+				os_snprintf(tmp, len, "%s:%s", field, gen->d.ia5->data);
+        /* printf( "xpl: tmp= %s\nxpl: m_match= %s\n", tmp, m_match ); */
+        if(os_strncmp(tmp, m_match, m_len) == 0) {
+          /* printf( "xpl: test ok\n" ); */
+					found++;
+				}
+				free(tmp);
+			}
+		}
 
-		wpa_printf(MSG_DEBUG, "TLS: altSubjectName: %s:%s",
-			   field, gen->d.ia5->data);
-		len = os_strlen(field) + 1 +
-			os_strlen((char *) gen->d.ia5->data) + 1;
-		tmp = os_malloc(len);
-		if (tmp == NULL)
-			continue;
-		os_snprintf(tmp, len, "%s:%s", field, gen->d.ia5->data);
-		tmp[len - 1] = '\0';
-		if (os_strstr(tmp, match))
-			found++;
-		os_free(tmp);
 	}
+	free( match_copy );
 
 	return found;
 }
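Review bot: The `os_strdup( match )` result at the top of the new block is used without a NULL check; on allocation failure `match_tmp` is NULL and the first `strtok( NULL, ";" )` call reads leftover tokenizer state instead of returning NULL, so add `if (match_copy == NULL) return 0;` before the `while` loop. The new lines release `tmp` and `match_copy` with libc `free()` although they come from `os_malloc`/`os_strdup`, whereas the removed code used `os_free`; write `os_free(tmp);` and `os_free(match_copy);` so the allocator pair stays consistent with the rest of the file. `X509_get_ext_d2i` is now called once per `;`-separated token inside the loop and its result is never released, so every extra token leaves another unreleased GENERAL_NAMES stack — fetch it once before the loop and free it with the matching OpenSSL free after the loop. The length used for the comparison still comes from `os_strlen((char *) gen->d.ia5->data)` rather than `gen->d.ia5->length`; when the two differ the IA5String holds an embedded NUL and the entry should be skipped rather than compared, and the commented-out `printf( "xpl: ...` lines and the mixed tab/space indentation should be dropped to match the surrounding file. The enclosing function starts before this hunk.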

