jkmaline at cc.hut.fi
Sat Nov 18 23:59:22 EST 2006
On Sun, Nov 05, 2006 at 04:57:13PM +0100, polish wrote:
> patch in attachment change processing altsubject_match configuration
> option. Now we can have in altsubject_match option more than one value.
> For example we can have two different radius servers :
> altsubject_match=" DNS:radius2.cesnet.cz; DNS:radius1.cesnet.cz"
> Patch was written in time, when os_ functions not used (os_strlen,
> os_malloc). I rewrite patch for using this new functions, but strtok and
> strspn functions not have os equivalent, therefore I used old one.
Thanks! I don't want to add requirement for strtok() or strspn()
functions at this point (and actually, never for strtok(), it is just
too broken). I ended up cleaning up the matching code to not require
allocation of a local copy of the string and not use these functions.
> Patch also solve hypotetical security problem, because now
> altsubject_match is compared by os_strstr function. Somebody can generate
> certificate with name "radius1.cesnet.cz.badgyu.com" and match
> altsubject_match="radius1.cesnet.cz" in client configuration.
Agreed. Though, this was the documented behavior.. I changed
documentation to match the current behavior, i.e., to require a full
match of the name component. In addition, I did not include skipping of
spaces, so the string must be just semicolon separated list of name
components without extra whitespace. This allows ';' to be included as
part of the value to match against should someone ever decide to use
semicolon in subjectAltName.
Jouni Malinen PGP id EFC895FA
More information about the HostAP