--- openldap-2.3.43/libraries/libldap/tls.c.orig 2010-02-08 13:58:47.000000000 +0100
+++ openldap-2.3.43/libraries/libldap/tls.c 2010-02-08 14:10:37.000000000 +0100
@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
X509 *x;
const char *name;
char *ptr;
- int ntype = IS_DNS;
+ int ntype = IS_DNS, nlen;
#ifdef LDAP_PF_INET6
struct in6_addr addr;
#else
@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
} else {
name = name_in;
}
+ nlen = strlen(name);
x = tls_get_cert((SSL *)s);
if (!x) {
@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
ex = X509_get_ext(x, i);
alt = X509V3_EXT_d2i(ex);
if (alt) {
- int n, len1 = 0, len2 = 0;
+ int n, len2 = 0;
char *domain = NULL;
GENERAL_NAME *gn;
if (ntype == IS_DNS) {
- len1 = strlen(name);
domain = strchr(name, '.');
if (domain) {
- len2 = len1 - (domain-name);
+ len2 = nlen - (domain-name);
}
}
n = sk_GENERAL_NAME_num(alt);
@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
if (sl == 0) continue;
/* Is this an exact match? */
- if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
+ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
break;
}
@@ -1094,13 +1094,28 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
if (ret != LDAP_SUCCESS) {
X509_NAME *xn;
- char buf[2048];
- buf[0] = '\0';
+ X509_NAME_ENTRY *ne;
+ ASN1_OBJECT *obj;
+ ASN1_STRING *cn = NULL;
+ int navas;
+
+ /* find the last CN */
+ obj = OBJ_nid2obj( NID_commonName );
+ if ( !obj ) goto no_cn; /* should never happen */
xn = X509_get_subject_name(x);
- if( X509_NAME_get_text_by_NID( xn, NID_commonName,
- buf, sizeof(buf)) == -1)
- {
+ navas = X509_NAME_entry_count( xn );
+ for ( i=navas-1; i>=0; i-- ) {
+ ne = X509_NAME_get_entry( xn, i );
+ if ( !OBJ_cmp( ne->object, obj )) {
+ cn = X509_NAME_ENTRY_get_data( ne );
+ break;
+ }
+ }
+
+ if( !cn )
+ {
+no_cn:
Debug( LDAP_DEBUG_ANY,
"TLS: unable to get common name from peer certificate.\n",
0, 0, 0 );
@@ -1111,21 +1126,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
ld->ld_error = LDAP_STRDUP(
_("TLS: unable to get CN from peer certificate"));
- } else if (strcasecmp(name, buf) == 0 ) {
+ } else if ( cn->length == nlen &&
+ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
ret = LDAP_SUCCESS;
- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
+ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
char *domain = strchr(name, '.');
if( domain ) {
- size_t dlen = 0;
- size_t sl;
+ size_t dlen;
- sl = strlen(name);
- dlen = sl - (domain-name);
- sl = strlen(buf);
+ dlen = nlen - (domain-name);
/* Is this a wildcard match? */
- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
+ if ((dlen == cn->length-1) &&
+ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
ret = LDAP_SUCCESS;
}
}
@@ -1133,8 +1147,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
if( ret == LDAP_LOCAL_ERROR ) {
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
- "common name in certificate (%s).\n",
- name, buf, 0 );
+ "common name in certificate (%.*s).\n",
+ name, cn->length, cn->data );
ret = LDAP_CONNECT_ERROR;
if ( ld->ld_error ) {
LDAP_FREE( ld->ld_error );