GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function gnutls_x509_crt_check_hostname(). It has a bit different rules regarding matching (allows wildcards in some cases, but does not use suffix matching) compared to the internal implementation used with OpenSSL. However, these rules are sufficiently close to each other to be of reasonable use for most cases. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
4bc13bf709
commit
8ddcd6b9d4
1 changed files with 21 additions and 3 deletions
|
@ -45,6 +45,8 @@ struct tls_connection {
|
||||||
|
|
||||||
int params_set;
|
int params_set;
|
||||||
gnutls_certificate_credentials_t xcred;
|
gnutls_certificate_credentials_t xcred;
|
||||||
|
|
||||||
|
char *suffix_match;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -257,6 +259,7 @@ void tls_connection_deinit(void *ssl_ctx, struct tls_connection *conn)
|
||||||
os_free(conn->pre_shared_secret);
|
os_free(conn->pre_shared_secret);
|
||||||
wpabuf_free(conn->push_buf);
|
wpabuf_free(conn->push_buf);
|
||||||
wpabuf_free(conn->pull_buf);
|
wpabuf_free(conn->pull_buf);
|
||||||
|
os_free(conn->suffix_match);
|
||||||
os_free(conn);
|
os_free(conn);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -332,8 +335,11 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn,
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
os_free(conn->suffix_match);
|
||||||
|
conn->suffix_match = NULL;
|
||||||
if (params->suffix_match) {
|
if (params->suffix_match) {
|
||||||
wpa_printf(MSG_INFO, "GnuTLS: suffix_match not supported");
|
conn->suffix_match = os_strdup(params->suffix_match);
|
||||||
|
if (conn->suffix_match == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -760,7 +766,19 @@ static int tls_connection_verify_peer(gnutls_session_t session)
|
||||||
i + 1, num_certs, buf);
|
i + 1, num_certs, buf);
|
||||||
|
|
||||||
if (i == 0) {
|
if (i == 0) {
|
||||||
/* TODO: validate altsubject_match and suffix_match.
|
if (conn->suffix_match &&
|
||||||
|
!gnutls_x509_crt_check_hostname(
|
||||||
|
cert, conn->suffix_match)) {
|
||||||
|
wpa_printf(MSG_WARNING,
|
||||||
|
"TLS: Domain suffix match '%s' not found",
|
||||||
|
conn->suffix_match);
|
||||||
|
err = GNUTLS_A_BAD_CERTIFICATE;
|
||||||
|
gnutls_x509_crt_deinit(cert);
|
||||||
|
os_free(buf);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* TODO: validate altsubject_match.
|
||||||
* For now, any such configuration is rejected in
|
* For now, any such configuration is rejected in
|
||||||
* tls_connection_set_params() */
|
* tls_connection_set_params() */
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue