(pk_verify_host): set better error string, only check kdc name/address

when we got a hostname/address passed in to the function.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17349 ec53bebd-3082-4978-b11e-865c3cabbd6b
Love Hörnquist Åstrand
2006-04-29 15:04:42 +00:00
parent 36b923f56a
commit 03276c9ead


@@ -729,7 +729,7 @@ pk_verify_host(krb5_context context,
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0);
if (ret) {
krb5_clear_error_string(context);
krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
return ret;
}
}
@@ -762,7 +762,8 @@ pk_verify_host(krb5_context context,
strcmp(r.principalName.name_string.val[1], realm) != 0 ||
strcmp(r.realm, realm) != 0)
{
krb5_clear_error_string(context);
krb5_set_error_string(context, "KDC have wrong realm name in "
"the certificate");
ret = EINVAL;
}
@@ -775,13 +776,15 @@ pk_verify_host(krb5_context context,
if (ret)
return ret;
ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
ctx->require_hostname_match,
hi->hostname,
hi->ai->ai_addr, hi->ai->ai_addrlen);
if (hi) {
ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
ctx->require_hostname_match,
hi->hostname,
hi->ai->ai_addr, hi->ai->ai_addrlen);
if (ret)
krb5_clear_error_string(context);
if (ret)
krb5_set_error_string(context, "Address mismatch in the KDC certificate");
}
return ret;
}
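Review bot: With the new `if (hi)` guard in the last hunk, a call that passes no host info appears to skip hx509_verify_hostname() entirely, so `ctx->require_hostname_match` is not enforced on that path and the function returns the zero `ret` left by the preceding `if (ret) return ret;`. If any caller can reach this with `hi == NULL` while a match is required, the KDC certificate is accepted with no name or address binding; the callers are not visible on this page, so that needs confirming. I would fail closed in that case, e.g. `else if (ctx->require_hostname_match) { krb5_set_error_string(context, "No KDC hostname/address to verify against the certificate"); ret = EINVAL; }`, or at least add a comment above the guard stating which callers pass NULL and why skipping the check is safe for them. The string "Address mismatch in the KDC certificate" is also set for every failure of hx509_verify_hostname(), including a hostname mismatch, so wording such as `"KDC hostname/address mismatch in the certificate"` would mislead less during triage. pk_verify_host begins above the first hunk, and the rendered page has lost its +/- markers, so the old/new split here is read from the commit message.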