From f7825e81b1ebf533c1dba9f84ae9ad36073a89cf Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Thu, 17 Apr 2014 17:19:03 -0400
Subject: Check names in the server's cert when using KKDCP

When we connect to a KDC using an HTTPS proxy, check that the naming information in the certificate matches the name or address which we extracted from the server URL in the configuration.

ticket: 7929
---
 src/include/k5-trace.h | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'src/include')

diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 046bc95bb..9e75b2987 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -324,6 +324,11 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
 TRACE(c, "Resolving hostname {str}", hostname)
 #define TRACE_SENDTO_KDC_RESPONSE(c, len, raddr) \
 TRACE(c, "Received answer ({int} bytes) from {raddr}", len, raddr)
+#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MISMATCH(c, hostname) \
+ TRACE(c, "HTTPS certificate name mismatch: server certificate is " \
+ "not for \"{str}\"", hostname)
+#define TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MATCH(c, hostname) \
+ TRACE(c, "HTTPS certificate name matched \"{str}\"", hostname)
 #define TRACE_SENDTO_KDC_HTTPS_NO_REMOTE_CERTIFICATE(c) \
 TRACE(c, "HTTPS server certificate not received")
 #define TRACE_SENDTO_KDC_HTTPS_PROXY_CERTIFICATE_ERROR(c, depth, \
--
cgit
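Review bot: The new TRACE_SENDTO_KDC_HTTPS_SERVER_NAME_MISMATCH macro is diagnostic only — nothing in this hunk turns a name mismatch into a failed connection, and with the commit limited to src/include the enforcing code is out of view, so confirm that the KKDCP caller aborts the exchange on mismatch rather than tracing and proceeding with the unverified TLS session. Since the commit message says the compared value may be a host name or an IP address, a one-line comment above the pair would help readers of the header, e.g. `/* KKDCP: hostname is the name or address parsed from the configured proxy URL; the caller must treat a mismatch as fatal. */`. The macro list continues beyond the hunk; the last context line is the opening of TRACE_SENDTO_KDC_HTTPS_PROXY_CERTIFICATE_ERROR, whose body lies outside it.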