- Now return either SUCCESS or FAILURE.
- SUCCESS is defined as 0.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
* @param subject the peer's extracted subject name
* @param subject the peer's extracted common name
*/
-static int
+static result_t
verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
const char *subject, const char *common_name)
{
/* verify certificate nsCertType */
if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
{
- if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
+ if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
{
msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
print_nsCertType (opt->ns_cert_type));
{
msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
subject, print_nsCertType (opt->ns_cert_type));
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
/* verify certificate ku */
if (opt->remote_cert_ku[0] != 0)
{
- if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+ if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
{
msg (D_HANDSHAKE, "VERIFY KU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY KU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
/* verify certificate eku */
if (opt->remote_cert_eku != NULL)
{
- if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
{
msg (D_HANDSHAKE, "VERIFY EKU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY EKU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
{
msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
subject, opt->verify_x509name);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
/*
/*
* call --tls-verify plug-in(s)
*/
-static int
+static result_t
verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject)
{
{
msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
static const char *
return NULL;
}
- if (x509_write_pem(peercert_file, peercert))
+ if (SUCCESS != x509_write_pem(peercert_file, peercert))
msg (M_ERR, "Error writing PEM file containing certificate");
fclose(peercert_file);
/*
* run --tls-verify script
*/
-static int
+static result_t
verify_cert_call_command(const char *verify_command, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert)
{
{
msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
cert_depth, subject);
- return 0;
+ return SUCCESS;
}
msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
/*
* check peer cert against CRL directory
*/
-static bool
+static result_t
verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
char fn[256];
{
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
x509_free_serial(serial);
- return true;
+ return FAILURE;
}
fd = open (fn, O_RDONLY);
if (fd >= 0)
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
x509_free_serial(serial);
close(fd);
- return true;
+ return FAILURE;
}
x509_free_serial(serial);
- return false;
+ return SUCCESS;
}
-int
+result_t
verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
{
char *subject = NULL;
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
- if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
+ if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+ opt->x509_username_field, cert))
{
if (!cert_depth)
{
setenv_untrusted (session);
/* If this is the peer's own certificate, verify it */
- if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
+ if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
goto err;
/* call --tls-verify plug-in(s), if registered */
- if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+ if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
goto err;
/* run --tls-verify script */
- if (opt->verify_command && verify_cert_call_command(opt->verify_command, opt->es,
- cert_depth, cert, subject, opt->verify_export_cert))
+ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
+ opt->es, cert_depth, cert, subject, opt->verify_export_cert))
goto err;
/* check peer cert against CRL */
{
if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
{
- if (verify_check_crl_dir(opt->crl_file, cert))
+ if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
goto err;
}
else
{
- if (x509_verify_crl(opt->crl_file, cert, subject))
+ if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
goto err;
}
}
done:
x509_free_subject (subject);
- return (session->verified == true) ? 1 : 0;
+ return (session->verified == true) ? SUCCESS : FAILURE;
err:
tls_clear_error();
#ifndef SSL_VERIFY_BACKEND_H_
#define SSL_VERIFY_BACKEND_H_
+/**
+ * Result of verification function
+ */
+typedef enum { SUCCESS=0, FAILURE=1 } result_t;
+
/*
* Backend support functions.
*
* @param cert Certificate to process
* @param cert_depth Depth of the current certificate
*
- * @return \c 1 if verification was successful, \c 0 on failure.
+ * @return \c SUCCESS if verification was successful, \c FAILURE on failure.
*/
-int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
/*
* Remember the given certificate hash, allowing the certificate chain to be
* @param x509_username_field Name of the field to load from
* @param cert Certificate to retrieve the common name from.
*
- * @return \c 1 on failure, \c 0 on success
+ * @return \c FAILURE, \c or SUCCESS
*/
-bool x509_get_username (char *common_name, int cn_len,
+result_t x509_get_username (char *common_name, int cn_len,
char * x509_username_field, x509_cert_t *peer_cert);
/*
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
* or \c NS_CERT_CHECK_NONE.
*
- * @return \c true if NS_CERT_CHECK_NONE or if the certificate has
- * the expected bit set. \c false if the certificate does
+ * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
+ * the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
* @param expected_ku Array of valid key usage values
* @param expected_len Length of the key usage array
*
- * @return \c true if one of the key usage values matches, \c false
+ * @return \c SUCCESS if one of the key usage values matches, \c FAILURE
* if key usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
int expected_len);
/*
* (e.g. \c "1.2.3.4", or the descriptive string matching
* the OID.
*
- * @return \c true if one of the expected OID matches one of the
- * extended key usage fields, \c false if extended key
+ * @return \c SUCCESS if one of the expected OID matches one of the
+ * extended key usage fields, \c FAILURE if extended key
* usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
#endif
* @param cert Certificate to store
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
+ *
+ *
*/
-bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
/*
* Check the certificate against a CRL file.
* @param cert Certificate to verify
* @param subject Subject of the given certificate
*
- * @return \c 1 if the CRL was not signed by the issuer of the
+ * @return \c SUCCESS if the CRL was not signed by the issuer of the
* certificate or does not contain an entry for it.
- * \c 0 otherwise.
+ * \c FAILURE otherwise.
*/
-bool x509_verify_crl(const char *crl_file, x509_cert_t *cert,
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
const char *subject);
#endif /* SSL_VERIFY_BACKEND_H_ */
* Return true on success, false on error (insufficient buffer size in 'out'
* to contain result is grounds for error).
*/
-static bool
+static result_t
extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out,
int size)
{
/* Nothing found */
if (lastpos == -1)
- return false;
+ return FAILURE;
x509ne = X509_NAME_get_entry(x509, lastpos);
if (!x509ne)
- return false;
+ return FAILURE;
asn1 = X509_NAME_ENTRY_get_data(x509ne);
if (!asn1)
- return false;
+ return FAILURE;
tmp = ASN1_STRING_to_UTF8(&buf, asn1);
if (tmp <= 0)
- return false;
+ return FAILURE;
strncpynt(out, (char *)buf, size);
{
- const bool ret = (strlen ((char *)buf) < size);
+ const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE;
OPENSSL_free (buf);
return ret;
}
}
-bool
+result_t
x509_get_username (char *common_name, int cn_len,
char * x509_username_field, X509 *peer_cert)
{
if (strncmp("ext:",x509_username_field,4) == 0)
{
if (!extract_x509_extension (peer_cert, x509_username_field+4, common_name, cn_len))
- return true;
+ return FAILURE;
} else
#endif
- if (!extract_x509_field_ssl (X509_get_subject_name (peer_cert),
+ if (FAILURE == extract_x509_field_ssl (X509_get_subject_name (peer_cert),
x509_username_field, common_name, cn_len))
- return true;
+ return FAILURE;
- return false;
+ return SUCCESS;
}
char *
}
}
-bool
+result_t
x509_verify_ns_cert_type(const x509_cert_t *peer_cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
- return true;
+ return SUCCESS;
if (usage == NS_CERT_CHECK_CLIENT)
return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_CLIENT));
+ && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS: FAILURE;
if (usage == NS_CERT_CHECK_SERVER)
return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_SERVER));
+ && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS: FAILURE;
- return false;
+ return FAILURE;
}
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-bool
+result_t
x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
int expected_len)
{
ASN1_BIT_STRING *ku = NULL;
- bool fFound = false;
+ result_t fFound = FAILURE;
if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
NULL)) == NULL)
}
msg (D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; !fFound && i < expected_len; i++)
+ for (i = 0; fFound != SUCCESS && i < expected_len; i++)
{
if (expected_ku[i] != 0)
{
"%04x", nku, expected_ku[i]);
if (nku == expected_ku[i])
- fFound = true;
+ fFound = SUCCESS;
}
}
}
return fFound;
}
-bool
+result_t
x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
{
EXTENDED_KEY_USAGE *eku = NULL;
- bool fFound = false;
+ result_t fFound = FAILURE;
if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
NULL, NULL)) == NULL)
int i;
msg (D_HANDSHAKE, "Validating certificate extended key usage");
- for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+ for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num (eku); i++)
{
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
char szOid[1024];
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
{
msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
szOid, expected_oid);
if (!strcmp (expected_oid, szOid))
- fFound = true;
+ fFound = SUCCESS;
}
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
{
msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
szOid, expected_oid);
if (!strcmp (expected_oid, szOid))
- fFound = true;
+ fFound = SUCCESS;
}
}
}
return fFound;
}
-bool
+result_t
x509_write_pem(FILE *peercert_file, X509 *peercert)
{
if (PEM_write_X509(peercert_file, peercert) < 0)
{
msg (M_ERR, "Failed to write peer certificate in PEM format");
- return true;
+ return FAILURE;
}
- return false;
+ return SUCCESS;
}
#endif /* OPENSSL_VERSION_NUMBER */
/*
* check peer cert against CRL
*/
-bool
+result_t
x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
{
X509_CRL *crl=NULL;
X509_REVOKED *revoked;
BIO *in=NULL;
- int n,i,retval = 0;
+ int n,i;
+ result_t retval = FAILURE;
in=BIO_new(BIO_s_file());
if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) {
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
"certificate %s", crl_file, subject);
- retval = 1;
+ retval = SUCCESS;
goto end;
}
}
}
- retval = 1;
+ retval = SUCCESS;
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
if (crl)
X509_CRL_free (crl);
- return !retval;
+ return retval;
}
}
/*
- * verify_cert() returns 1 on success, 0 on failure.
- * PolarSSL expects the opposite.
+ * PolarSSL expects 1 on failure, 0 on success
*/
- return 0 == verify_cert(session, cert, cert_depth);
+ if (SUCCESS == verify_cert(session, cert, cert_depth))
+ return 0;
+ return 1;
}
#ifdef ENABLE_X509ALTUSERNAME
# warning "X509 alt user name not yet supported for PolarSSL"
#endif
-bool
+result_t
x509_get_username (char *cn, int cn_len,
char *x509_username_field, x509_cert *cert)
{
/* Not found, return an error if this is the peer's certificate */
if( name == NULL )
- return 1;
+ return FAILURE;
/* Found, extract CN */
if (cn_len > name->val.len)
cn[cn_len-1] = '\0';
}
- return 0;
+ return SUCCESS;
}
char *
}
}
-bool
+result_t
x509_verify_ns_cert_type(const x509_cert *cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
- return true;
+ return SUCCESS;
if (usage == NS_CERT_CHECK_CLIENT)
return ((cert->ext_types & EXT_NS_CERT_TYPE)
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT));
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE;
if (usage == NS_CERT_CHECK_SERVER)
return ((cert->ext_types & EXT_NS_CERT_TYPE)
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER));
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE;
- return false;
+ return FAILURE;
}
-bool
+result_t
x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku,
int expected_len)
{
- bool fFound = false;
+ result_t fFound = FAILURE;
if(!(cert->ext_types & EXT_KEY_USAGE))
{
unsigned nku = cert->key_usage;
msg (D_HANDSHAKE, "Validating certificate key usage");
- for (i=0;!fFound && i<expected_len;i++)
+ for (i=0; SUCCESS != fFound && i<expected_len; i++)
{
if (expected_ku[i] != 0)
{
if (nku == expected_ku[i])
{
- fFound = true;
+ fFound = SUCCESS;
}
}
}
return fFound;
}
-bool
+result_t
x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
{
- bool fFound = false;
+ result_t fFound = FAILURE;
if (!(cert->ext_types & EXT_EXTENDED_KEY_USAGE))
{
oid_str, expected_oid);
if (!strcmp (expected_oid, oid_str))
{
- fFound = true;
+ fFound = SUCCESS;
break;
}
}
oid_num_str, expected_oid);
if (!strcmp (expected_oid, oid_num_str))
{
- fFound = true;
+ fFound = SUCCESS;
break;
}
}
return fFound;
}
-bool
+result_t
x509_write_pem(FILE *peercert_file, x509_cert *peercert)
{
msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format");
- return true;
+ return FAILURE;
}
/*
* check peer cert against CRL
*/
-bool
+result_t
x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
{
- int retval = 0;
+ result_t retval = FAILURE;
x509_crl crl = {0};
if (x509parse_crlfile(&crl, crl_file) != 0)
{
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
"certificate %s", crl_file, subject);
- retval = 1;
+ retval = SUCCESS;
goto end;
}
goto end;
}
- retval = 1;
+ retval = SUCCESS;
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
x509_crl_free(&crl);
-
- if (!retval)
- return true;
-
- return false;
+ return retval;
}
projects / thirdparty / openvpn.git / commitdiff
