From: Tomas Kuthan
Date: Mon, 19 May 2014 09:37:07 +0000 (+0200)
Subject: Use case insensitive DNS SAN matching in PKINIT
X-Git-Tag: krb5-1.13-alpha1~136
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6a77d5e7c8602458e482278195c31cb7a2261232;p=thirdparty%2Fkrb5.git
Use case insensitive DNS SAN matching in PKINIT
Matching Subject Alternative Name from certificate with pkinit_kdc_hostname value from krb5.conf should disregard case.
ticket: 7913 (new)
---
diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c
index 2a003700b4..55b38811f7 100644
--- a/src/plugins/preauth/pkinit/pkinit_clnt.c
+++ b/src/plugins/preauth/pkinit/pkinit_clnt.c
@@ -570,7 +570,7 @@ verify_kdc_san(krb5_context context,
 for (j = 0; cfghosts != NULL && cfghosts[j] != NULL; j++) {
 pkiDebug("%s: comparing cert name '%s' with config name '%s'\n",
 __FUNCTION__, certhosts[i], cfghosts[j]);
- if (strcmp(certhosts[i], cfghosts[j]) == 0) {
+ if (strcasecmp(certhosts[i], cfghosts[j]) == 0) {
 TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(context, certhosts[i]);
 pkiDebug("%s: we have a dnsName match\n", __FUNCTION__);
 *valid_san = 1;
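Review bot: `strcasecmp` folds case according to the current locale, so the new `if (strcasecmp(certhosts[i], cfghosts[j]) == 0)` test is not guaranteed to be the ASCII-only comparison that DNS names call for (RFC 4343). In some single-byte locales `I`/`i` fold differently, and high-bit bytes can fold onto ASCII letters. Whether the process ever leaves the C locale, and whether `certhosts` entries are already restricted to IA5/ASCII with no embedded NUL bytes, is not visible in this hunk; confirm both where the SAN list is decoded, or compare with an ASCII-only fold. A short comment above the comparison would record the intent, e.g. `/* dNSName matching is ASCII case-insensitive (RFC 4343). */`. The body of verify_kdc_san starts and ends outside the hunk.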