Hello,
I recently had a need to use a wildcard certificate for a client setup
and ran into issues using it. I've attached a patch with some
modifications I made to the 7.0.4 lib/tls.c source. I'm not really a C
programmer so it'd be great if someone else could run with it and make a
patch that could be added to Bacula.
--
Jim
--- bacula-7.0.4-orig/src/lib/tls.c 2014-06-03 03:28:41.000000000 -0500
+++ bacula-7.0.4/src/lib/tls.c 2014-07-19 17:00:26.706433784 -0500
@@ -351,7 +351,20 @@ bool tls_postconnect_verify_host(JCR *jc
for (j = 0; j < sk_CONF_VALUE_num(val); j++) {
nval = sk_CONF_VALUE_value(val, j);
if (strcmp(nval->name, "DNS") == 0) {
- if (strcasecmp(nval->value, host) == 0) {
+ if (strncasecmp(nval->value,"*.",2) == 0) {
+ Dmsg0(250, "Wildcard Certificate\n");
+ char cmp1[strlen(nval->value)];
+ char cmp2[strlen(host)];
+ const char *cmp_start;
+ cmp_start = strstr(nval->value,".");
+
strncpy(cmp1,cmp_start,strlen(nval->value)-strspn(nval->value,"."));
+ cmp_start = strstr(host,".");
+ strncpy(cmp2,cmp_start,strlen(host)-strspn(host,"."));
+ if (strcasecmp(cmp1,cmp2) == 0) {
+ auth_success = true;
+ goto success;
+ }
+ } else if (strcasecmp(nval->value, host) == 0) {
auth_success = true;
goto success;
}
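Review bot: `cmp_start = strstr(host,".");` returns NULL when the configured peer name has no dot (a bare hostname), and the `strncpy(cmp2,cmp_start,...)` on the next line then dereferences NULL, so a single-label `host` crashes the verify instead of simply not matching. Neither copy is needed: `nval->value + 1` already is the `.suffix` string, so comparing it with `strcasecmp` against the first `.` of `host` gives the same result without the VLAs and the `strncpy` length arithmetic (whose `strspn(...,".")` term is 0 for any normal name), and it keeps the RFC 6125 rule that the wildcard covers exactly one leftmost label. The comparison should also refuse a wildcard with fewer than two labels after it, since as written a certificate for `*.com` matches every two-label host, and it should not be applied when `host` is an IP literal, which `*.0.0.1` would currently match. If the supported OpenSSL baseline includes 1.0.2, `X509_check_host()` implements these rules and could replace this branch entirely.
```c
if (strcmp(nval->name, "DNS") == 0) {
   if (strncasecmp(nval->value, "*.", 2) == 0) {
      /* Wildcard: "*.example.com" matches exactly one leftmost label of
       * host.  Require a dot in host, a non-empty first label, and at
       * least two labels after the wildcard (reject "*.com"). */
      const char *suffix = nval->value + 1;      /* ".example.com" */
      const char *host_dot = strchr(host, '.');
      Dmsg0(250, "Wildcard Certificate\n");
      if (host_dot && host_dot != host && strchr(suffix + 1, '.') &&
          strcasecmp(host_dot, suffix) == 0) {
         auth_success = true;
         goto success;
      }
   } else if (strcasecmp(nval->value, host) == 0) {
   /* … unchanged: exact-match branch … */
```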
@@ -374,7 +387,21 @@ bool tls_postconnect_verify_host(JCR *jc
}
neCN = X509_NAME_get_entry(subject, cnLastPos);
asn1CN = X509_NAME_ENTRY_get_data(neCN);
- if (strcasecmp((const char*)asn1CN->data, host) == 0) {
+ if (strncasecmp((const char*)asn1CN->data,"*.",2) == 0) {
+ /* wildcard certificate */
+ Dmsg0(250, "Wildcard Certificate\n");
+ char cmp1[strlen((const char*)asn1CN->data)];
+ char cmp2[strlen(host)];
+ const char *cmp_start;
+ cmp_start = strstr((const char*)asn1CN->data,".");
+ strncpy(cmp1,cmp_start,strlen((const
char*)asn1CN->data)-strspn((const char*)asn1CN->data,"."));
+ cmp_start = strstr(host,".");
+ strncpy(cmp2,cmp_start,strlen(host)-strspn(host,"."));
+ if (strcasecmp(cmp1,cmp2) == 0) {
+ auth_success = true;
+ goto success;
+ }
+ } else if (strcasecmp((const char*)asn1CN->data, host) == 0) {
auth_success = true;
break;
}
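Review bot: The new wildcard branch sizes `cmp1` with `strlen((const char*)asn1CN->data)` and copies from it, but `asn1CN` is an ASN1_STRING whose `length` field, not a NUL, bounds the data: a CN such as `*.example.com\0attacker.example` is compared as `*.example.com`, so an embedded NUL turns the wildcard check into a match the issuer never signed (the pre-existing exact-match `strcasecmp` has the same weakness, and this branch adds a second copy of it). Guard the CN before either comparison with `if (strlen((const char *)asn1CN->data) != (size_t)asn1CN->length) { /* embedded NUL: treat as no match */ }` and skip the name. The wildcard logic here is a line-for-line duplicate of the subjectAltName branch earlier in the file; a `static bool tls_wildcard_match(const char *pattern, const char *host)` called from both places would keep the two checks in step and give one spot to handle a dotless `host`, for which `strstr(host,".")` here returns NULL and the following `strncpy` dereferences it. Note also that the wildcard branch exits with `goto success` while its sibling exact-match branch exits with `break`; unless the code after the loop (outside this hunk) is a no-op on success, the two should leave the same way.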