authorSam Hartman <hartmans@painless-security.com>2013-10-03 10:54:46 -0400
committerSam Hartman <hartmans@painless-security.com>2013-10-03 10:54:46 -0400
commit7f03688a1d429d14e37200f147c07a51c6deb483 (patch)
tree42c60eab8ed573753890e6b1cd37ada08c2e2a4c
parent501095fff8a1a71fae7850a9a10097c0a90d47d5 (diff)
Implement disable_hostname_check config option
-rw-r--r--lib/conf.c3
-rw-r--r--lib/include/radsec/radsec-impl.h1
-rw-r--r--lib/tls.c2
3 files changed, 6 insertions, 0 deletions
diff --git a/lib/conf.c b/lib/conf.c
index 68da0a5..9dfc4c6 100644
--- a/lib/conf.c
+++ b/lib/conf.c
@@ -31,6 +31,7 @@
pskhexstr = STRING # Transport pre-shared key, ASCII hex form.
pskid = STRING
pskex = "PSK"|"DHE_PSK"|"RSA_PSK"
+ disable_hostname_check = yes|no
}
# client specific realm config options
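Review bot: The new option line `disable_hostname_check = yes|no` in this config-reference comment carries no explanation, unlike its neighbours (`pskhexstr`, which documents its meaning inline), and it is the one option in the block that turns off a verification step, so the reader should learn what is given up and what the default is. Following the style of the surrounding lines I would write `disable_hostname_check = yes|no # Accept a server certificate whose name does not match the configured hostname. Default no.`, the default being the `cfg_false` given in the CFG_BOOL hunk below. Stating this in the reference comment matters because the option's name alone does not make clear that "yes" weakens server authentication for the whole realm.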
@@ -73,6 +74,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
CFG_STR ("pskhexstr", NULL, CFGF_NONE),
CFG_STR ("pskid", NULL, CFGF_NONE),
CFG_STR ("pskex", "PSK", CFGF_NONE),
+ CFG_BOOL ("disable_hostname_check", cfg_false, CFGF_NONE),
CFG_SEC ("server", server_opts, CFGF_MULTI),
CFG_END ()
};
@@ -150,6 +152,7 @@ rs_context_read_config(struct rs_context *ctx, const char *config_file)
r->name, typestr);
r->timeout = cfg_getint (cfg_realm, "timeout");
r->retries = cfg_getint (cfg_realm, "retries");
+ r->disable_hostname_check = cfg_getbool (cfg_realm, "disable_hostname_check");
r->cacertfile = cfg_getstr (cfg_realm, "cacertfile");
/*r->cacertpath = cfg_getstr (cfg_realm, "cacertpath");*/
diff --git a/lib/include/radsec/radsec-impl.h b/lib/include/radsec/radsec-impl.h
index e472703..0ecd631 100644
--- a/lib/include/radsec/radsec-impl.h
+++ b/lib/include/radsec/radsec-impl.h
@@ -70,6 +70,7 @@ struct rs_realm {
char *cacertpath;
char *certfile;
char *certkeyfile;
+ int disable_hostname_check;
struct rs_credentials *transport_cred;
struct rs_peer *peers;
struct rs_realm *next;
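Review bot: The new field `int disable_hostname_check;` in `struct rs_realm` is undocumented, and since it is an `int` used as a flag (it is only ever tested for non-zero in tls.c), the header should say what a non-zero value means and where it takes effect. I would add a trailing comment in the style of the header: `int disable_hostname_check; /* non-zero: tls_verify_cert accepts a cert that doesn't match the configured hostname */`. The struct definition continues outside this hunk.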
diff --git a/lib/tls.c b/lib/tls.c
index 62e219e..62b281f 100644
--- a/lib/tls.c
+++ b/lib/tls.c
@@ -225,6 +225,8 @@ tls_verify_cert (struct rs_connection *conn)
if (!success)
success = (cnregexp (peer_cert, hostname, NULL) == 1);
+ if (conn->realm->disable_hostname_check)
+ success = 1;
if (!success)
err = rs_err_conn_push (conn, RSE_CERT, "server certificate doesn't "
"match configured hostname \"%s\"", hostname);
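Review bot: The override on the two added lines sets `success = 1` unconditionally, so when the realm has `disable_hostname_check` set the result of the `cnregexp` hostname match computed just above is discarded without any trace; an operator who enabled the option for a test realm has no log evidence that the presented certificate actually did not match. I would narrow the override to the mismatch case so the bypass is explicit and can be logged at that point: `if (!success && conn->realm->disable_hostname_check)` followed by `success = 1; /* hostname mismatch deliberately tolerated by realm config */`, and emit a warning through whatever logging facility tls.c already uses (not visible in this hunk) so the accepted mismatch shows up in the debug output. Whether chain validation against `cacertfile` still runs before this point cannot be seen here, so a comment stating that this flag only relaxes the name check, not CA validation, would help the next reader if that is indeed the case. tls_verify_cert begins before this hunk.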