Refactored: removed global x509_username_field
authorAdriaan de Jong <dejong@fox-it.com>
Thu, 30 Jun 2011 10:37:33 +0000 (12:37 +0200)
committerDavid Sommerseth <davids@redhat.com>
Fri, 21 Oct 2011 12:51:45 +0000 (14:51 +0200)
Moved to tls_options.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
init.c
ssl.c
ssl_common.h

diff --git a/init.c b/init.c
index 54bb2d13ff9fda8744fda5285e546195a88366fa..b809b960de0228a2063a2187c524dfaf011f75fe 100644 (file)
--- a/init.c
+++ b/init.c
@@ -2211,6 +2211,11 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
   memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
   to.remote_cert_eku = options->remote_cert_eku;
   to.verify_hash = options->verify_hash;
+#ifdef ENABLE_X509ALTUSERNAME
+  to.x509_username_field = (char *) options->x509_username_field;
+#else
+  to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
   to.es = c->c2.es;
 
 #ifdef ENABLE_DEBUG
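Review bot: The cast in `to.x509_username_field = (char *) options->x509_username_field;` appears to exist only because the new `tls_options` member is declared `char *`. It presumably strips a `const` from the options string, and the `#else` branch stores what looks like a string-literal default in the same non-const pointer. Nothing visible in this commit writes through the pointer, so declaring the member as `const char *x509_username_field;` and assigning `to.x509_username_field = options->x509_username_field;` would drop the cast and let the compiler reject accidental writes. The assignment is also now unconditional, whereas the code removed from `init_ssl` skipped it when `SSLF_CLIENT_CERT_NOT_REQUIRED` was set under `P2MP_SERVER`. That looks intentional and safer, but a one-line comment saying so would help. The body of do_init_crypto_tls starts and ends outside this hunk.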
diff --git a/ssl.c b/ssl.c
index 17ef478fdf077ea7267df078b361859d3d7afca4..ef0678286a3126f9056e363147ebdc6725ea3e32 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -594,8 +594,6 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
   return peercert_filename;
 }
 
-char * x509_username_field; /* GLOBAL */
-
 int
 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
@@ -632,14 +630,14 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   string_replace_leading (subject, '-', '_');
 
   /* extract the username (default is CN) */
-  if (verify_get_username (common_name, TLS_USERNAME_LEN, x509_username_field, cert))
+  if (verify_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
     {
       if (!cert_depth)
         {
           msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
               "subject string ('%s') -- note that the username length is "
               "limited to %d characters",
-                 x509_username_field,
+                opt->x509_username_field,
                  subject,
                  TLS_USERNAME_LEN);
           goto err;
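Review bot: `opt->x509_username_field` is used twice here, as the field selector passed to `verify_get_username` and as a `%s` argument to `msg`, and nothing in the hunk guarantees it is non-NULL. The init.c hunk of this commit sets it when `tls_options` is filled in `do_init_crypto_tls`, but under `ENABLE_X509ALTUSERNAME` the value is copied from `options->x509_username_field`, whose default is not visible on this page. Because this field decides which certificate attribute becomes the authenticated username, an explicit precondition before the call, e.g. `ASSERT (opt->x509_username_field);`, would turn a misconfigured or partially initialised `tls_options` into a clean failure. `opt` is declared outside the hunk and the body of verify_cert continues past it.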
@@ -1045,17 +1043,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
       tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
     }
 
-#if P2MP_SERVER
-  if (!(options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
-#endif
-    {
-#ifdef ENABLE_X509ALTUSERNAME
-      x509_username_field = (char *) options->x509_username_field;
-#else
-      x509_username_field = X509_USERNAME_FIELD_DEFAULT;
-#endif
-    }
-
   /* Allowable ciphers */
   if (options->cipher_list)
     {
index 525a1daf36d956838408510a8f3c52f8ef531620..f3f43be2516b5800b8db8caeda66df17b0523df8 100644 (file)
@@ -251,6 +251,7 @@ struct tls_options
   unsigned remote_cert_ku[MAX_PARMS];
   const char *remote_cert_eku;
   uint8_t *verify_hash;
+  char *x509_username_field;
 
   /* allow openvpn config info to be
      passed over control channel */
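Review bot: The new member `char *x509_username_field;` has no comment, and its ownership is not obvious from the declaration. The init.c hunk stores the pointer taken from `struct options` (or the compile-time default) without copying the string, so `tls_options` only borrows it and must not free it or outlive the options it came from. A short comment on the member would record that, for example `/* X509 subject field used as the username; borrowed from struct options, not owned */`. The struct definition begins before this hunk and continues past it.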