11/*
22 * SPDX-License-Identifier: ISC
33 *
4- * Copyright (c) 2019-2025 Todd C. Miller <[email protected] > 4+ * Copyright (c) 2019-2026 Todd C. Miller <[email protected] > 55 *
66 * Permission to use, copy, modify, and distribute this software for any
77 * purpose with or without fee is hereby granted, provided that the above
@@ -1339,14 +1339,13 @@ start_protocol(struct connection_closure *closure)
13391339
13401340#if defined(HAVE_OPENSSL )
13411341static int
1342- verify_peer_identity (int preverify_ok , X509_STORE_CTX * ctx )
1342+ verify_peer (int preverify_ok , X509_STORE_CTX * ctx , bool check_host )
13431343{
1344- HostnameValidationResult result ;
13451344 struct connection_closure * closure ;
13461345 SSL * ssl ;
13471346 X509 * current_cert ;
13481347 X509 * peer_cert ;
1349- debug_decl (verify_peer_identity , SUDO_DEBUG_UTIL );
1348+ debug_decl (verify_peer , SUDO_DEBUG_UTIL );
13501349
13511350 current_cert = X509_STORE_CTX_get_current_cert (ctx );
13521351
@@ -1376,15 +1375,30 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
13761375 ssl = X509_STORE_CTX_get_ex_data (ctx , SSL_get_ex_data_X509_STORE_CTX_idx ());
13771376 closure = (struct connection_closure * )SSL_get_ex_data (ssl , 1 );
13781377
1379- result = validate_hostname (peer_cert , closure -> name , closure -> ipaddr );
1380- if (result != MatchFound ) {
1381- sudo_debug_printf (SUDO_DEBUG_INFO |SUDO_DEBUG_LINENO ,
1382- "hostname validation failed" );
1383- debug_return_int (0 );
1378+ if (check_host ) {
1379+ const HostnameValidationResult result =
1380+ validate_hostname (peer_cert , closure -> name , closure -> ipaddr );
1381+ if (result != MatchFound ) {
1382+ sudo_debug_printf (SUDO_DEBUG_INFO |SUDO_DEBUG_LINENO ,
1383+ "hostname validation failed" );
1384+ debug_return_int (0 );
1385+ }
13841386 }
13851387 debug_return_int (1 );
13861388}
13871389
1390+ static int
1391+ verify_peer_identity (int preverify_ok , X509_STORE_CTX * ctx )
1392+ {
1393+ return verify_peer (preverify_ok , ctx , true);
1394+ }
1395+
1396+ static int
1397+ verify_peer_identity_nohost (int preverify_ok , X509_STORE_CTX * ctx )
1398+ {
1399+ return verify_peer (preverify_ok , ctx , false);
1400+ }
1401+
13881402/*
13891403 * Set the TLS verify callback to verify_peer_identity().
13901404 */
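Review bot: The comment "Set the TLS verify callback to verify_peer_identity()." above set_tls_verify_peer() is now stale, since the function may instead install verify_peer_identity_nohost(); change it to ` * Set the TLS verify callback to verify_peer_identity(), or to` / ` * verify_peer_identity_nohost() when hostname checking is disabled.` The three new or renamed functions also carry no header comment; verify_peer() deserves a short one stating that it runs the common chain checks and that check_host selects whether the certificate is additionally matched against closure->name and closure->ipaddr, and each wrapper a one-liner naming which mode it selects for SSL_CTX_set_verify(). Note that verify_peer() begins in the preceding hunk and its middle part is not shown, so whether closure is needed there is not visible; if it is only read inside the new if (check_host) block, the ssl/closure lookups could move inside it so the no-host path does no unneeded ex_data lookups.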
@@ -1397,9 +1411,15 @@ set_tls_verify_peer(void)
13971411
13981412 if (server_ctx != NULL && logsrvd_conf_server_tls_check_peer ()) {
13991413 /* Verify server cert during the handshake. */
1400- SSL_CTX_set_verify (server_ctx ,
1401- SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
1402- verify_peer_identity );
1414+ if (logsrvd_conf_server_tls_check_host ()) {
1415+ SSL_CTX_set_verify (server_ctx ,
1416+ SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
1417+ verify_peer_identity );
1418+ } else {
1419+ SSL_CTX_set_verify (server_ctx ,
1420+ SSL_VERIFY_PEER |SSL_VERIFY_FAIL_IF_NO_PEER_CERT ,
1421+ verify_peer_identity_nohost );
1422+ }
14031423 }
14041424 if (relay_ctx != NULL && logsrvd_conf_relay_tls_check_peer ()) {
14051425 /* Verify relay cert during the handshake. */
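Review bot: The two SSL_CTX_set_verify() calls in the server branch differ only in the callback, so the duplicated flags are better expressed once: `SSL_CTX_set_verify(server_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,` / `    logsrvd_conf_server_tls_check_host() ? verify_peer_identity : verify_peer_identity_nohost);`. That keeps the mandatory SSL_VERIFY_FAIL_IF_NO_PEER_CERT on a single line where a later edit cannot drop it from one branch but not the other. The relay branch that starts at the end of the hunk still selects on check_peer only; if a relay-side host-check option exists it would presumably need the same split, which this hunk does not show. set_tls_verify_peer() begins and ends outside the hunk.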
@@ -1552,7 +1572,7 @@ new_connection(int sock, bool tls, const union sockaddr_union *sa_un,
15521572 goto bad ;
15531573 }
15541574
1555- if (logsrvd_conf_server_tls_check_peer ()) {
1575+ if (logsrvd_conf_server_tls_check_host ()) {
15561576 /* Hostname to verify in certificate during handshake. */
15571577 char hbuf [NI_MAXHOST ];
15581578 const int error = getnameinfo (& sa_un -> sa , salen , hbuf ,
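Review bot: Switching this guard from check_peer to check_host silently couples new_connection() to set_tls_verify_peer(): when check_peer is set but check_host is not, closure->name and closure->ipaddr are presumably left unset, which is only safe because verify_peer_identity_nohost() never reads them. Add a comment at the guard making that dependency explicit, e.g. `/* Only needed for verify_peer_identity(); the nohost callback never reads closure->name. */`. The reverse case, check_host set without check_peer, still performs the getnameinfo() lookup although no verify callback is installed, which is harmless but worth stating if intended. If closure->name is also used for logging elsewhere, skipping the lookup changes those log lines too, so that is worth confirming. new_connection() begins and ends outside the hunk.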