fix certificate validated aginst all host entries

dtls.c

@@ -306,10 +306,11 @@ void *dtlsservernew(void *arg) {
     struct timeval timeout;
     struct addrinfo tmpsrvaddr;
     char tmp[INET6_ADDRSTRLEN], *subj;
+    struct hostportres *hp;
 
     debug(DBG_WARN, "dtlsservernew: incoming DTLS connection from %s", addr2string((struct sockaddr *)&params->addr, tmp, sizeof(tmp)));
 
-    conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
+    conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL, &hp);
     if (!conf)
         goto exit;
 
@@ -343,7 +344,7 @@ void *dtlsservernew(void *arg) {
     accepted_tls = conf->tlsconf;
 
     while (conf) {
-        if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
+        if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf, NULL)) {
             subj = getcertsubject(cert);
             if(subj) {
                 debug(DBG_WARN, "dtlsservernew: DTLS connection from %s, client %s, subject %s up",
@@ -363,9 +364,10 @@ void *dtlsservernew(void *arg) {
             }
             goto exit;
         }
-        conf = find_clconf(handle, (struct sockaddr *)&params->addr, &cur);
+        conf = find_clconf(handle, (struct sockaddr *)&params->addr, &cur, &hp);
     }
-    debug(DBG_WARN, "dtlsservernew: ignoring request, no matching TLS client");
+    debug(DBG_WARN, "dtlsservernew: ignoring request, no matching TLS client for %s", 
+        addr2string((struct sockaddr *)&params->addr, tmp, sizeof(tmp)));
 
     if (cert)
     X509_free(cert);
@@ -468,7 +470,7 @@ void *dtlslistener(void *arg) {
             continue;
         }
 
-        conf = find_clconf(handle, (struct sockaddr *)&from, NULL);
+        conf = find_clconf(handle, (struct sockaddr *)&from, NULL, NULL);
         if (!conf) {
             debug(DBG_INFO, "dtlslistener: got UDP from unknown peer %s, ignoring", addr2string((struct sockaddr *)&from, tmp, sizeof(tmp)));
             if (recv(s, buf, 4, 0) == -1)
@@ -607,7 +609,7 @@ int dtlsconnect(struct server *server, int timeout, char *text) {
         cert = verifytlscert(server->ssl);
         if (!cert)
             continue;
-        if (verifyconfcert(cert, server->conf)) {
+        if (verifyconfcert(cert, server->conf, hp)) {
             subj = getcertsubject(cert);
             if(subj) {
                 debug(DBG_WARN, "dtlsconnect: DTLS connection to %s, subject %s up", server->conf->name, subj);

hostport.c

@@ -258,7 +258,7 @@ static int prefixmatch(void *a1, void *a2, uint8_t len) {
     return (((uint8_t *)a1)[l] & mask[r]) == (((uint8_t *)a2)[l] & mask[r]);
 }
 
-int _internal_addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t prefixlen, uint8_t checkport) {
+int _internal_addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t prefixlen, uint8_t checkport, struct hostportres **hpreturn) {
     struct sockaddr_in6 *sa6 = NULL;
     struct in_addr *a4 = NULL;
     struct addrinfo *res;
@@ -287,16 +287,20 @@ int _internal_addressmatches(struct list *hostports, struct sockaddr *addr, uint
                     !memcmp(&sa6->sin6_addr,
                     &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, 16) &&
                     (!checkport || ((struct sockaddr_in6 *)res->ai_addr)->sin6_port ==
-                    ((struct sockaddr_in6 *)addr)->sin6_port)))
+                    ((struct sockaddr_in6 *)addr)->sin6_port))) {
 
+                    if (hpreturn) *hpreturn = hp;
                     return 1;
+                }
             } else if (hp->prefixlen <= prefixlen) {
                 if ((a4 && res->ai_family == AF_INET &&
                     prefixmatch(a4, &((struct sockaddr_in *)res->ai_addr)->sin_addr, hp->prefixlen)) ||
                     (sa6 && res->ai_family == AF_INET6 &&
-                    prefixmatch(&sa6->sin6_addr, &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, hp->prefixlen)))
+                    prefixmatch(&sa6->sin6_addr, &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, hp->prefixlen))) {
 
+                    if (hpreturn) *hpreturn = hp;
                     return 1;
+                }
             }
         }
     }
@@ -312,18 +316,18 @@ int hostportmatches(struct list *hostports, struct list *matchhostports, uint8_t
         match = (struct hostportres *)entry->data;
 
         for (res = match->addrinfo; res; res = res->ai_next) {
-            if (_internal_addressmatches(hostports, res->ai_addr, match->prefixlen, checkport))
+            if (_internal_addressmatches(hostports, res->ai_addr, match->prefixlen, checkport, NULL))
                 return 1;
         }
     }
     return 0;
 }
 
-int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport) {
-    return _internal_addressmatches(hostports, addr, 255, checkport);
+int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport, struct hostportres **hp) {
+    return _internal_addressmatches(hostports, addr, 255, checkport, hp);
 }
 
-int connecttcphostlist(struct list *hostports,  struct addrinfo *src) {
+int connecttcphostlist(struct list *hostports,  struct addrinfo *src, struct hostportres** hpreturn) {
     int s;
     struct list_node *entry;
     struct hostportres *hp = NULL;
@@ -333,6 +337,7 @@ int connecttcphostlist(struct list *hostports,  struct addrinfo *src) {
 	debug(DBG_WARN, "connecttcphostlist: trying to open TCP connection to %s port %s", hp->host, hp->port);
 	if ((s = connecttcp(hp->addrinfo, src, list_count(hostports) > 1 ? 5 : 30)) >= 0) {
 	    debug(DBG_WARN, "connecttcphostlist: TCP connection to %s port %s up", hp->host, hp->port);
+        if (hpreturn) *hpreturn = hp;
 	    return s;
 	}
     }

hostport.h

@@ -2,6 +2,9 @@
  * Copyright (c) 2012, NORDUnet A/S */
 /* See LICENSE for licensing information. */
 
+#ifndef _HOSTPORT_H
+#define _HOSTPORT_H
+
 struct hostportres {
     char *host;
     char *port;
@@ -17,9 +20,10 @@ int resolvehostport(struct hostportres *hp, int af, int socktype, uint8_t passiv
 int resolvehostports(struct list *hostports, int af, int socktype);
 struct addrinfo *resolvepassiveaddrinfo(char **hostport, int af, char *default_port, int socktype);
 int hostportmatches(struct list *hostports, struct list *matchhostports, uint8_t checkport);
-int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport);
-int connecttcphostlist(struct list *hostports,  struct addrinfo *src);
+int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport, struct hostportres **hp);
+int connecttcphostlist(struct list *hostports,  struct addrinfo *src, struct hostportres **hpreturn);
 
+#endif /* _HOSTPORT_H */
 /* Local Variables: */
 /* c-file-style: "stroustrup" */
 /* End: */

radsecproxy.c

@@ -121,13 +121,13 @@ int prefixmatch(void *a1, void *a2, uint8_t len) {
 }
 
 /* returns next config with matching address, or NULL */
-struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *confs, struct list_node **cur, uint8_t server_p) {
+struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *confs, struct list_node **cur, uint8_t server_p, struct hostportres **hp) {
     struct list_node *entry;
     struct clsrvconf *conf;
 
     for (entry = (cur && *cur ? list_next(*cur) : list_first(confs)); entry; entry = list_next(entry)) {
 	conf = (struct clsrvconf *)entry->data;
-	if (conf->type == type && addressmatches(conf->hostports, addr, server_p)) {
+	if (conf->type == type && addressmatches(conf->hostports, addr, server_p, hp)) {
 	    if (cur)
 		*cur = entry;
 	    return conf;
@@ -136,12 +136,12 @@ struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *co
     return NULL;
 }
 
-struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) {
-    return find_conf(type, addr, clconfs, cur, 0);
+struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur, struct hostportres **hp) {
+    return find_conf(type, addr, clconfs, cur, 0, hp);
 }
 
 struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) {
-    return find_conf(type, addr, srvconfs, cur, 1);
+    return find_conf(type, addr, srvconfs, cur, 1, NULL);
 }
 
 /* returns next config of given type, or NULL */

radsecproxy.h

@@ -11,6 +11,7 @@
 #include "radmsg.h"
 #include "gconfig.h"
 #include "rewrite.h"
+#include "hostport.h"
 
 #include <openssl/asn1.h>
 
@@ -250,7 +251,7 @@ struct protodefs {
 
 #define RADLEN(x) ntohs(((uint16_t *)(x))[1])
 
-struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
+struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur, struct hostportres **hp);
 struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur);
 struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur);
 struct client *addclient(struct clsrvconf *conf, uint8_t lock);

tcp.c

@@ -120,7 +120,7 @@ int tcpconnect(struct server *server, int timeout, char *text) {
         pthread_mutex_lock(&server->lock);
 
         debug(DBG_INFO, "tcpconnect: connecting to %s", server->conf->name);
-        if ((server->sock = connecttcphostlist(server->conf->hostports, source ? source : srcres)) < 0)
+        if ((server->sock = connecttcphostlist(server->conf->hostports, source ? source : srcres, NULL)) < 0)
             continue;
         if (server->conf->keepalive)
             enable_keepalive(server->sock);
@@ -339,7 +339,7 @@ void *tcpservernew(void *arg) {
     }
     debug(DBG_WARN, "tcpservernew: incoming TCP connection from %s", addr2string((struct sockaddr *)&from, tmp, sizeof(tmp)));
 
-    conf = find_clconf(handle, (struct sockaddr *)&from, NULL);
+    conf = find_clconf(handle, (struct sockaddr *)&from, NULL, NULL);
     if (conf) {
         client = addclient(conf, 1);
         if (client) {