From: Michael Friedrich
Date: Wed, 6 Sep 2017 08:54:39 +0000 (+0200)
Subject: Fix ticket hash calculation for indirectly connected clients
X-Git-Tag: v2.8.0~87^2~20
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=88b4a54e6b40c6c71882a0f20fd1797c93904d5a;p=icinga2

Fix ticket hash calculation for indirectly connected clients

refs #5450
---

diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 2d5ee5edb..1bd68633f 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -118,11 +118,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 boost::shared_ptr newcert;
 boost::shared_ptr pubkey;
 X509_NAME *subject;
+ String cn;
 Dictionary::Ptr message;
 
 if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
 goto delayed_request;
 
+ cn = GetCertificateCN(cert);
+
 if (!signedByCA) {
 String salt = listener->GetTicketSalt();
 
@@ -131,9 +134,12 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 if (salt.IsEmpty() || ticket.IsEmpty())
 goto delayed_request;
 
- String realTicket = PBKDF2_SHA1(origin->FromClient->GetIdentity(), salt, 50000);
+ String realTicket = PBKDF2_SHA1(cn, salt, 50000);
 
 if (ticket != realTicket) {
+ Log(LogWarning, "JsonRpcConnection")
+ << "Ticket for identity '" << cn << "' is invalid.";
+
 result->Set("status_code", 1);
 result->Set("error", "Invalid ticket.");
 return result;
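Review bot: `cn = GetCertificateCN(cert);` in the first hunk (`@@ -118,11 +118,14 @@`) has no comment marking the trust boundary: `cert` is presumably the certificate carried in the request, and on the `!signedByCA` path nothing has vouched for it yet, so the name is peer-chosen until the ticket comparison succeeds. I would add at the assignment `// cn is read from the requester's certificate; treat it as untrusted until the ticket or a CA signature has been checked`. It would also help to note beside `String cn;` that the declaration is kept apart from the assignment, presumably because the `goto delayed_request` jumps may not cross an initialisation. Where `cert` is parsed, and how GetCertificateCN behaves for a certificate without a CN, lies outside the hunk, as do the start and end of RequestCertificateHandler.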
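Review bot: The added warning in the second hunk (`@@ -131,9 +134,12 @@`) streams `cn` into the log verbatim, and in this `!signedByCA` branch that string comes from a certificate whose ticket has just been rejected, so its content is whatever the peer supplied. Control characters or line breaks in the CN would reach the log and could be misread as separate entries; escape or strip non-printable characters and cap the length before logging, and mark it at the call with `// cn is unverified here: sanitise before it reaches the log`. Each rejected request now also emits one warning, so it is worth confirming that request volume is bounded somewhere outside this hunk. Separately, `ticket != realTicket` is presumably an ordinary early-exit string comparison of a salt-derived secret; a constant-time comparison is the safer habit, though the practical exposure here is probably small.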