patch tls_openssl.c

polish polish at pf.ujep.cz
Sun Nov 19 15:27:00 EST 2006

Hi Jouni,

perfect work, I will try it on our network tomorrow. I had two variants of 
the patch: 1) with strtok and 2) without strtok. I sent you the first one. 
Please ignore my patch sent to the list again. The mail has the subject "[PATCH] 
tls_openssl.c".

thank you, Polish

-- 
**********************************************************
*  we grow old and still nothing, as if reason avoided us *
**********************************************************

On Sat, 18 Nov 2006, Jouni Malinen wrote:

> On Sun, Nov 05, 2006 at 04:57:13PM +0100, polish wrote:
>
>>   the patch in the attachment changes processing of the altsubject_match
>> configuration option. Now we can have more than one value in the
>> altsubject_match option. For example we can have two different radius servers:
>
>>         altsubject_match="  DNS:radius2.cesnet.cz;  DNS:radius1.cesnet.cz"
>
>> The patch was written at a time when the os_ functions were not used (os_strlen,
>> os_malloc). I rewrote the patch to use these new functions, but the strtok and
>> strspn functions have no os_ equivalents, therefore I used the old ones.
>
> Thanks! I don't want to add a requirement for the strtok() or strspn()
> functions at this point (and actually, never for strtok(), it is just
> too broken). I ended up cleaning up the matching code to not require
> allocation of a local copy of the string and not use these functions.
>
>> The patch also solves a hypothetical security problem, because now
>> altsubject_match is compared by the os_strstr function. Somebody can generate a
>> certificate with the name "radius1.cesnet.cz.badgyu.com" and match
>> altsubject_match="radius1.cesnet.cz" in the client configuration.
>
> Agreed. Though, this was the documented behavior. I changed the
> documentation to match the current behavior, i.e., to require a full
> match of the name component. In addition, I did not include skipping of
> spaces, so the string must be just a semicolon-separated list of name
> components without extra whitespace. This allows ';' to be included as
> part of the value to match against should someone ever decide to use a
> semicolon in subjectAltName.
>
> -- 
> Jouni Malinen                                            PGP id EFC895FA
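The two matching behaviours discussed above, as an added example that is not wpa_supplicant's code: a plain substring check, which the forged "radius1.cesnet.cz.badgyu.com" name passes, beside an exact-component match over a semicolon-separated altsubject_match list that skips no whitespace and makes no local copy of the string. Function names and the sample names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Substring behaviour described in the thread: the configured value only
 * needs to appear somewhere inside the certificate's name. */
int altsubject_match_substr(const char *match, const char *cert_name)
{
    return strstr(cert_name, match) != NULL;
}

/* Exact-component match (hypothetical name): 'match' is a ';'-separated
 * list of name components and cert_name must equal one of them in full.
 * No whitespace is skipped, and the list is walked in place, so a ';'
 * inside cert_name can never be confused with a separator. */
int altsubject_match_exact(const char *match, const char *cert_name)
{
    size_t name_len = strlen(cert_name);
    const char *pos = match;

    if (name_len == 0)
        return 0;               /* never let an empty component match */

    while (*pos) {
        const char *end = strchr(pos, ';');
        size_t len = end ? (size_t)(end - pos) : strlen(pos);

        if (len == name_len && memcmp(pos, cert_name, len) == 0)
            return 1;
        if (!end)
            break;
        pos = end + 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values based on the thread's configuration. */
    const char *conf = "DNS:radius2.cesnet.cz;DNS:radius1.cesnet.cz";
    const char *good = "DNS:radius1.cesnet.cz";
    const char *spoof = "DNS:radius1.cesnet.cz.badgyu.com";

    printf("substr: good=%d spoof=%d\n",
           altsubject_match_substr(good, good),
           altsubject_match_substr(good, spoof));
    printf("exact:  good=%d spoof=%d\n",
           altsubject_match_exact(conf, good),
           altsubject_match_exact(conf, spoof));
    return 0;
}
```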