oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

(pk_verify_host): set better error string, only check kdc name/address

Browse Source 
when we got a hostname/address passed in the the function.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17349 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2006-04-29 15:04:42 +00:00
parent 36b923f56a
commit 03276c9ead
1 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
lib/krb5/pkinit.c
View File

@@ -729,7 +729,7 @@ pk_verify_host(krb5_context context,
ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert, ret = hx509_cert_check_eku(ctx->id->hx509ctx, host->cert,
oid_id_pkkdcekuoid(), 0); oid_id_pkkdcekuoid(), 0);
if (ret) { if (ret) {
krb5_clear_error_string(context); krb5_set_error_string(context, "No PK-INIT KDC EKU in kdc certificate");
return ret; return ret;
} }
} }
@@ -762,7 +762,8 @@ pk_verify_host(krb5_context context,
strcmp(r.principalName.name_string.val[1], realm) != 0 || strcmp(r.principalName.name_string.val[1], realm) != 0 ||
strcmp(r.realm, realm) != 0) strcmp(r.realm, realm) != 0)
{ {
krb5_clear_error_string(context); krb5_set_error_string(context, "KDC have wrong realm name in "
"the certificate");
ret = EINVAL; ret = EINVAL;
} }
@@ -775,13 +776,15 @@ pk_verify_host(krb5_context context,
if (ret) if (ret)
return ret; return ret;
if (hi) {
ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert,
ctx->require_hostname_match, ctx->require_hostname_match,
hi->hostname, hi->hostname,
hi->ai->ai_addr, hi->ai->ai_addrlen); hi->ai->ai_addr, hi->ai->ai_addrlen);
if (ret) if (ret)
krb5_clear_error_string(context); krb5_set_error_string(context, "Address mismatch in the KDC certificate");
}
return ret; return ret;
} }