Minor cleanup in verify_cert:

 - Removed envname variable
 - Removed debug code
 - Changed ERR_clear_error to tls_clear_error
 - Changed verify_get_subject to match verify_get_serial more closely

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/ssl.c b/ssl.c
index 310e3cd31e2aec938184e9471a5aeb7704201b64..2858a24334f9cfe1f23f8fe2eb2709c2ed4c05d7 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -315,7 +315,6 @@ int
 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
   char *subject = NULL;
-  char envname[64];
   char common_name[TLS_USERNAME_LEN] = {0};
   const struct tls_options *opt;
 
@@ -325,7 +324,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   session->verified = false;
 
   /* get the X509 name */
-  if (verify_get_subject(&subject, cert))
+  subject = verify_get_subject(cert);
+  if (!subject)
     {
         msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
             "subject string from certificate", cert_depth);
@@ -351,18 +351,9 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
         }
     }
 
+  /* enforce character class restrictions in common name */
   string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
 
-#if 0 /* print some debugging info */
-  {
-    struct gc_arena gc = gc_new ();
-    msg (M_INFO, "LOCAL OPT[%d]: %s", cert_depth, opt->local_options);
-    msg (M_INFO, "X509[%d]: %s", cert_depth, subject);
-    msg (M_INFO, "SHA1[%d]: %s", cert_depth, format_hex(cert->sha1_hash, SHA_DIGEST_LENGTH, 0, &gc));
-    gc_free (&gc);
-  }
-#endif
-
   /* warn if cert chain is too deep */
   if (cert_depth >= MAX_CERT_DEPTH)
     {
@@ -424,11 +415,11 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   session->verified = true;
 
  done:
-  OPENSSL_free (subject);
+  verify_free_subject (subject);
   return (session->verified == true) ? 1 : 0;
 
  err:
-  ERR_clear_error ();
+  tls_clear_error();
   session->verified = false;
   goto done;
 }

diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index e6dfc592a11b516efb0cb0bc3c6e378d002a4531..ed6e62f133f81466286e5738cd2107144c9fc78e 100644 (file)
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -75,14 +75,20 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth,
 /*
  * Retrieve certificate's subject name, and place it in **subject.
  *
- * Memory for subject is allocated in the process, and must be freed.
+ * The returned string must be freed with \c verify_free_subject()
  *
- * @param subject      Pointer to memory to be allocated for the subject
  * @param cert         Certificate to retrieve the subject from.
  *
- * @return             \c 1 on failure, \c 0 on success
+ * @return             a string containing the subject
+ */
+char *verify_get_subject (X509 *cert);
+
+/*
+ * Free a subjectnumber string as returned by \c verify_get_subject()
+ *
+ * @param subject      The subject to be freed.
  */
-bool verify_get_subject (char **subject, x509_cert_t *cert);
+void verify_free_subject (char *subject);
 
 /*
  * Retrieve the certificate's username from the specified field.
@@ -104,7 +110,7 @@ bool verify_get_username (char *common_name, int cn_len,
  * Return the certificate's serial number.
  *
  * The serial number is returned as a string, since it might be a bignum.
- * The returened string must be freed with \c verify_free_serial()
+ * The returned string must be freed with \c verify_free_serial()
  *
  * @param cert         Certificate to retrieve the serial number from.
  *

diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 8bc49d70d33b5104d609e90c545a42d6acc783f1..a1b25d062d820adfd92d459b9f0bc36427379b41 100644 (file)
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -73,16 +73,6 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   return verify_cert(session, ctx->current_cert, ctx->error_depth);
 }
 
-int
-verify_get_subject (char **subject, X509 *cert)
-{
-  *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
-  if (!*subject)
-      return 1;
-
-  return 0;
-}
-
 #ifdef ENABLE_X509ALTUSERNAME
 static
 bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
@@ -232,6 +222,20 @@ verify_free_serial (char *serial)
     OPENSSL_free(serial);
 }
 
+char *
+verify_get_subject (X509 *cert)
+{
+  return X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+}
+
+void
+verify_free_subject (char *subject)
+{
+  if (subject)
+    OPENSSL_free(subject);
+}
+
+
 #ifdef ENABLE_X509_TRACK
 /*
  * setenv_x509_track function -- save X509 fields to environment,