From: Linus Nordberg Date: Thu, 26 Apr 2012 08:19:52 +0000 (+0200) Subject: Verify certificate CN against configured hostname. X-Git-Tag: libradsec-0.0.4~63 X-Git-Url: http://www.project-moonshot.org/gitweb/?p=radsecproxy.git;a=commitdiff_plain;h=c562df4b073a288862dd3c4ceaba7d6439f33b45 Verify certificate CN against configured hostname. NOTE: The subjectAltName check is not well tested.
---
diff --git a/lib/event.c b/lib/event.c
index 2229689..bfb34bc 100644
--- a/lib/event.c
+++ b/lib/event.c
@@ -236,10 +236,22 @@ event_on_disconnect (struct rs_connection *conn)
 conn->callbacks.disconnected_cb (conn->user_data);
 }
 
-void
+/** Internal connect event returning 0 on success or -1 on error. */
+int
 event_on_connect (struct rs_connection *conn, struct rs_packet *pkt)
 {
 assert (!conn->is_connecting);
+
+#if defined (RS_ENABLE_TLS)
+ if (conn->realm->type == RS_CONN_TYPE_TLS
+ || conn->realm->type == RS_CONN_TYPE_DTLS)
+ if (tls_verify_cert (conn) != RSE_OK)
+ {
+ rs_debug (("%s: server cert verification failed\n", __func__));
+ return -1;
+ }
+#endif /* RS_ENABLE_TLS */
+
 conn->is_connected = 1;
 rs_debug (("%s: %p connected\n", __func__, conn->active_peer));
 
@@ -248,6 +260,8 @@ event_on_connect (struct rs_connection *conn, struct rs_packet *pkt)
 
 if (pkt)
 packet_do_send (pkt);
+
+ return 0;
 }
 
 int
diff --git a/lib/event.h b/lib/event.h
index e042599..befbd0d 100644
--- a/lib/event.h
+++ b/lib/event.h
@@ -2,7 +2,7 @@
 See the file COPYING for licensing information. */
 
 void event_on_disconnect (struct rs_connection *conn);
-void event_on_connect (struct rs_connection *conn, struct rs_packet *pkt);
+int event_on_connect (struct rs_connection *conn, struct rs_packet *pkt);
 int event_loopbreak (struct rs_connection *conn);
 int event_init_eventbase (struct rs_connection *conn);
 int event_init_socket (struct rs_connection *conn, struct rs_peer *p);
diff --git a/lib/tcp.c b/lib/tcp.c
index f98e971..c4948c0 100644
--- a/lib/tcp.c
+++ b/lib/tcp.c
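Review bot: A failed tls_verify_cert() is reported to callers only through the new -1 return, yet this diff updates just the tcp.c call site even though the check is also gated on RS_CONN_TYPE_DTLS; any other caller of event_on_connect (a DTLS path seems implied but is not visible here) that ignores the value would leave the connection neither marked connected nor torn down after a rejected certificate. Every caller should be audited, and the contract belongs on the new declaration in event.h, e.g. `/* A non-zero return means the peer failed verification; callers MUST tear the connection down. */`. The verification is guarded by two stacked unbraced `if` statements; bracing the outer one (`if (conn->realm->type == RS_CONN_TYPE_TLS || conn->realm->type == RS_CONN_TYPE_DTLS) {` ... `}`) keeps a future `else` from binding to the wrong test, though behaviour is unchanged today. The function's body continues into the next hunk.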
@@ -179,7 +179,11 @@ tcp_event_cb (struct bufferevent *bev, short events, void *user_data) { if (conn->tev) evtimer_del (conn->tev); /* Cancel connect timer. */ - event_on_connect (conn, pkt); + if (event_on_connect (conn, pkt)) + { + event_on_disconnect (conn); + event_loopbreak (conn); + } } else if (events & BEV_EVENT_EOF) {
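Review bot: The failure branch calls event_loopbreak (conn) and discards its int result (event.h declares it as returning int), so a loop-break failure after a rejected certificate would go unnoticed; `if (event_loopbreak (conn)) rs_debug (("%s: loopbreak failed\n", __func__));` or similar keeps that visible. As far as the hunk shows, the only record of why the connect was rejected is the rs_debug line inside event_on_connect; if libradsec has a per-connection error-reporting mechanism, the rejection should reach the application through it rather than look like an ordinary disconnect. Testing the result as `if (event_on_connect (conn, pkt) != 0)` would also make the 0/-1 contract explicit. On that path pkt is no longer sent, and the hunk does not show who releases it. tcp_event_cb's body starts and ends outside the hunk.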