openldap2/openldap-2.3.37-libldap-tls_chkhost-its6239.dif

Index: openldap-2.3.32/libraries/libldap/tls.c
===================================================================
--- openldap-2.3.32.orig/libraries/libldap/tls.c
+++ openldap-2.3.32/libraries/libldap/tls.c
@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 	X509 *x;
 	const char *name;
 	char *ptr;
-	int ntype = IS_DNS;
+	int ntype = IS_DNS, nlen;
 #ifdef LDAP_PF_INET6
 	struct in6_addr addr;
 #else
@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 	} else {
 		name = name_in;
 	}
+	nlen = strlen(name);
 
 	x = tls_get_cert((SSL *)s);
 	if (!x) {
@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 		ex = X509_get_ext(x, i);
 		alt = X509V3_EXT_d2i(ex);
 		if (alt) {
-			int n, len1 = 0, len2 = 0;
+			int n, len2 = 0;
 			char *domain = NULL;
 			GENERAL_NAME *gn;
 
 			if (ntype == IS_DNS) {
-				len1 = strlen(name);
 				domain = strchr(name, '.');
 				if (domain) {
-					len2 = len1 - (domain-name);
+					len2 = nlen - (domain-name);
 				}
 			}
 			n = sk_GENERAL_NAME_num(alt);
@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 					if (sl == 0) continue;
 
 					/* Is this an exact match? */
-					if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
+					if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
 						break;
 					}
 
@@ -1094,13 +1094,27 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 
 	if (ret != LDAP_SUCCESS) {
 		X509_NAME *xn;
-		char buf[2048];
-		buf[0] = '\0';
+		X509_NAME_ENTRY *ne;
+		ASN1_OBJECT *obj;
+		ASN1_STRING *cn = NULL;
+		int navas;
+
+		/* find the last CN */
+		obj = OBJ_nid2obj( NID_commonName );
+		if ( !obj ) goto no_cn; /* should never happen */
 
 		xn = X509_get_subject_name(x);
-		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
-			buf, sizeof(buf)) == -1)
-		{
+		navas = X509_NAME_entry_count( xn );
+		for ( i=navas-1; i>=0; i-- ) {
+			ne = X509_NAME_get_entry( xn, i );
+			if ( !OBJ_cmp( ne->object, obj )) {
+				cn = X509_NAME_ENTRY_get_data( ne );
+				break;
+			}
+		}
+		
+		if( !cn ){
+no_cn:
 			Debug( LDAP_DEBUG_ANY,
 				"TLS: unable to get common name from peer certificate.\n",
 				0, 0, 0 );
@@ -1111,21 +1125,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 			ld->ld_error = LDAP_STRDUP(
 				_("TLS: unable to get CN from peer certificate"));
 
-		} else if (strcasecmp(name, buf) == 0 ) {
+		} else if ( cn->length == nlen &&
+			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
 			ret = LDAP_SUCCESS;
 
-		} else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
+		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
 			char *domain = strchr(name, '.');
 			if( domain ) {
-				size_t dlen = 0;
-				size_t sl;
+				size_t dlen;
 
-				sl = strlen(name);
-				dlen = sl - (domain-name);
-				sl = strlen(buf);
+				dlen = nlen - (domain-name);
 
 				/* Is this a wildcard match? */
-				if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
+				if ((dlen == cn->length-1) &&
+					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
 					ret = LDAP_SUCCESS;
 				}
 			}
@@ -1133,8 +1146,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v
 
 		if( ret == LDAP_LOCAL_ERROR ) {
 			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
-				"common name in certificate (%s).\n", 
-				name, buf, 0 );
+				"common name in certificate (%.*s).\n", 
+				name, cn->length, cn->data );
 			ret = LDAP_CONNECT_ERROR;
 			if ( ld->ld_error ) {
 				LDAP_FREE( ld->ld_error );
- Add systemd style service definition - FATE#315028 remove memory limit for slapd - FATE#315415: LDAP compat packages required for older SLES versions For this reson following patches were applied: openldap-2.3.37-libldap-suid.diff openldap-2.3.37-libldap-ldapi_url.dif openldap-2.3.37-libldap-ntlm.diff openldap-2.3.37-libldap-gethostbyname_r.dif openldap-2.3.37-libldap-sasl-max-buff-size.dif openldap-2.3.37-libldap-utf8-ADcanonical.dif openldap-2.3.37-liblber-length-decoding.dif openldap-2.3.37-libldap-ld_defconn-ldap_free_connection.dif openldap-2.3.37-libldap-tls_chkhost-its6239.dif openldap-2.3.37-libldap-ssl.dif OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=106 2014-02-11 13:31:42 +01:00			`Index: openldap-2.3.32/libraries/libldap/tls.c`
			`===================================================================`
			`--- openldap-2.3.32.orig/libraries/libldap/tls.c`
			`+++ openldap-2.3.32/libraries/libldap/tls.c`
			`@@ -981,7 +981,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`
			`X509 *x;`
			`const char *name;`
			`char *ptr;`
			`- int ntype = IS_DNS;`
			`+ int ntype = IS_DNS, nlen;`
			`#ifdef LDAP_PF_INET6`
			`struct in6_addr addr;`
			`#else`
			`@@ -995,6 +995,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`
			`} else {`
			`name = name_in;`
			`}`
			`+ nlen = strlen(name);`

			`x = tls_get_cert((SSL *)s);`
			`if (!x) {`
			`@@ -1028,15 +1029,14 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`
			`ex = X509_get_ext(x, i);`
			`alt = X509V3_EXT_d2i(ex);`
			`if (alt) {`
			`- int n, len1 = 0, len2 = 0;`
			`+ int n, len2 = 0;`
			`char *domain = NULL;`
			`GENERAL_NAME *gn;`

			`if (ntype == IS_DNS) {`
			`- len1 = strlen(name);`
			`domain = strchr(name, '.');`
			`if (domain) {`
			`- len2 = len1 - (domain-name);`
			`+ len2 = nlen - (domain-name);`
			`}`
			`}`
			`n = sk_GENERAL_NAME_num(alt);`
			`@@ -1054,7 +1054,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`
			`if (sl == 0) continue;`

			`/* Is this an exact match? */`
			`- if ((len1 == sl) && !strncasecmp(name, sn, len1)) {`
			`+ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {`
			`break;`
			`}`

			`@@ -1094,13 +1094,27 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`

			`if (ret != LDAP_SUCCESS) {`
			`X509_NAME *xn;`
			`- char buf[2048];`
			`- buf[0] = '\0';`
			`+ X509_NAME_ENTRY *ne;`
			`+ ASN1_OBJECT *obj;`
			`+ ASN1_STRING *cn = NULL;`
			`+ int navas;`
			`+`
			`+ /* find the last CN */`
			`+ obj = OBJ_nid2obj( NID_commonName );`
			`+ if ( !obj ) goto no_cn; /* should never happen */`

			`xn = X509_get_subject_name(x);`
			`- if( X509_NAME_get_text_by_NID( xn, NID_commonName,`
			`- buf, sizeof(buf)) == -1)`
			`- {`
			`+ navas = X509_NAME_entry_count( xn );`
			`+ for ( i=navas-1; i>=0; i-- ) {`
			`+ ne = X509_NAME_get_entry( xn, i );`
			`+ if ( !OBJ_cmp( ne->object, obj )) {`
			`+ cn = X509_NAME_ENTRY_get_data( ne );`
			`+ break;`
			`+ }`
			`+ }`
			`+`
			`+ if( !cn ){`
			`+no_cn:`
			`Debug( LDAP_DEBUG_ANY,`
			`"TLS: unable to get common name from peer certificate.\n",`
			`0, 0, 0 );`
			`@@ -1111,21 +1125,20 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`
			`ld->ld_error = LDAP_STRDUP(`
			`_("TLS: unable to get CN from peer certificate"));`

			`- } else if (strcasecmp(name, buf) == 0 ) {`
			`+ } else if ( cn->length == nlen &&`
			`+ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {`
			`ret = LDAP_SUCCESS;`

			`- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {`
			`+ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {`
			`char *domain = strchr(name, '.');`
			`if( domain ) {`
			`- size_t dlen = 0;`
			`- size_t sl;`
			`+ size_t dlen;`

			`- sl = strlen(name);`
			`- dlen = sl - (domain-name);`
			`- sl = strlen(buf);`
			`+ dlen = nlen - (domain-name);`

			`/* Is this a wildcard match? */`
			`- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {`
			`+ if ((dlen == cn->length-1) &&`
			`+ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {`
			`ret = LDAP_SUCCESS;`
			`}`
			`}`
			`@@ -1133,8 +1146,8 @@ ldap_pvt_tls_check_hostname( LDAP *ld, v`

			`if( ret == LDAP_LOCAL_ERROR ) {`
			`Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "`
			`- "common name in certificate (%s).\n",`
			`- name, buf, 0 );`
			`+ "common name in certificate (%.*s).\n",`
			`+ name, cn->length, cn->data );`
			`ret = LDAP_CONNECT_ERROR;`
			`if ( ld->ld_error ) {`
			`LDAP_FREE( ld->ld_error );`