From e5194fdc6017aa3bc477d304b5611edd6905fa9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Fri, 28 Apr 2006 11:23:35 +0000
Subject: [PATCH] (pk_verify_host): verify hostname/address

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17332 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/krb5/pkinit.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index 3d7289e85..7c3de9bf8 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -84,6 +84,7 @@ struct krb5_pk_init_ctx_data {
     int require_binding;
     int require_eku;
     int require_krbtgt_otherName;
+    int require_hostname_match;
 };
 
 void KRB5_LIB_FUNCTION
@@ -524,6 +525,13 @@ _krb5_pk_mk_padata(krb5_context context,
 				     "pkinit_require_krbtgt_otherName",
 				     NULL);
 
+    ctx->require_hostname_match = 
+	krb5_config_get_bool_default(context, NULL,
+				     FALSE,
+				     "realms",
+				     req_body->realm,
+				     "pkinit_require_hostname_match",
+				     NULL);
 
     return pk_mk_padata(context, type, ctx, req_body, nonce, md);
 }
@@ -727,7 +735,6 @@ pk_verify_host(krb5_context context,
     }
     if (ctx->require_krbtgt_otherName) {
 	hx509_octet_string_list list;
-	krb5_error_code ret;
 	int i;
 
 	ret = hx509_cert_find_subjectAltName_otherName(host->cert,
@@ -765,7 +772,16 @@ pk_verify_host(krb5_context context,
 	}
 	hx509_free_octet_string_list(&list);
     }
+    if (ret)
+	return ret;
+    
+    ret = hx509_verify_hostname(ctx->id->hx509ctx, host->cert, 
+				ctx->require_hostname_match,
+				hi->hostname,
+				hi->ai->ai_addr, hi->ai->ai_addrlen);
 
+    if (ret)
+	krb5_clear_error_string(context);
     return ret;
 }