/* verify certificate nsCertType */
if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
{
- if (verify_nsCertType (peer_cert, opt->ns_cert_type))
+ if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
{
msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
print_nsCertType (opt->ns_cert_type));
/* verify certificate ku */
if (opt->remote_cert_ku[0] != 0)
{
- if (verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+ if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
{
msg (D_HANDSHAKE, "VERIFY KU OK");
}
/* verify certificate eku */
if (opt->remote_cert_eku != NULL)
{
- if (verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
{
msg (D_HANDSHAKE, "VERIFY EKU OK");
}
/* Save X509 fields in environment */
#ifdef ENABLE_X509_TRACK
if (x509_track)
- setenv_x509_track (x509_track, es, cert_depth, peer_cert);
+ x509_setenv_track (x509_track, es, cert_depth, peer_cert);
else
#endif
- setenv_x509 (es, cert_depth, peer_cert);
+ x509_setenv (es, cert_depth, peer_cert);
/* export subject name string as environmental variable */
openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", cert_depth);
/* export serial number as environmental variable,
use bignum in case serial number is large */
{
- char *serial = verify_get_serial(peer_cert);
+ char *serial = x509_get_serial(peer_cert);
openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth);
setenv_str (es, envname, serial);
- verify_free_serial(serial);
+ x509_free_serial(serial);
}
}
if (verify_export_cert)
{
gc = gc_new();
- if ((tmp_file=write_peer_cert(cert, verify_export_cert,&gc)))
+ if ((tmp_file=x509_write_cert(cert, verify_export_cert,&gc)))
{
setenv_str(es, "peer_cert", tmp_file);
}
{
char fn[256];
int fd;
- char *serial = verify_get_serial(cert);
+ char *serial = x509_get_serial(cert);
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
{
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
- verify_free_serial(serial);
+ x509_free_serial(serial);
return true;
}
fd = open (fn, O_RDONLY);
if (fd >= 0)
{
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
- verify_free_serial(serial);
+ x509_free_serial(serial);
close(fd);
return true;
}
- verify_free_serial(serial);
+ x509_free_serial(serial);
return false;
}
session->verified = false;
/* get the X509 name */
- subject = verify_get_subject(cert);
+ subject = x509_get_subject(cert);
if (!subject)
{
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
- if (verify_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
+ if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
{
if (!cert_depth)
{
}
else
{
- if (verify_check_crl(opt->crl_file, cert, subject))
+ if (x509_verify_crl(opt->crl_file, cert, subject))
goto err;
}
}
session->verified = true;
done:
- verify_free_subject (subject);
+ x509_free_subject (subject);
return (session->verified == true) ? 1 : 0;
err:
*
* @return a string containing the subject
*/
-char *verify_get_subject (X509 *cert);
+char *x509_get_subject (x509_cert_t *cert);
/*
* Free a subjectnumber string as returned by \c verify_get_subject()
*
* @param subject The subject to be freed.
*/
-void verify_free_subject (char *subject);
+void x509_free_subject (char *subject);
/*
* Retrieve the certificate's username from the specified field.
*
* @return \c 1 on failure, \c 0 on success
*/
-bool verify_get_username (char *common_name, int cn_len,
+bool x509_get_username (char *common_name, int cn_len,
char * x509_username_field, x509_cert_t *peer_cert);
/*
*
* @return The certificate's serial number.
*/
-char *verify_get_serial (x509_cert_t *cert);
+char *x509_get_serial (x509_cert_t *cert);
/*
* Free a serial number string as returned by \c verify_get_serial()
*
* @param serial The string to be freed.
*/
-void verify_free_serial (char *serial);
+void x509_free_serial (char *serial);
/*
* TODO: document
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for
*/
-void setenv_x509_track (const struct x509_track *xt, struct env_set *es,
+void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
const int depth, x509_cert_t *x509);
/*
* @param cert_depth Depth of the certificate
* @param cert Certificate to set the environment for
*/
-void setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *cert);
+void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert);
/*
* Check X.509 Netscape certificate type field, if available.
* the expected bit set. \c false if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-bool verify_nsCertType(const x509_cert_t *cert, const int usage);
+bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
/*
* Verify X.509 key usage extension field.
* @return \c true if one of the key usage values matches, \c false
* if key usage is not enabled, or the values do not match.
*/
-bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
int expected_len);
/*
* extended key usage fields, \c false if extended key
* usage is not enabled, or the values do not match.
*/
-bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
*/
-const char *write_peer_cert(x509_cert_t *cert, const char *tmp_dir,
+const char *x509_write_cert(x509_cert_t *cert, const char *tmp_dir,
struct gc_arena *gc);
/*
* certificate or does not contain an entry for it.
* \c 0 otherwise.
*/
-bool verify_check_crl(const char *crl_file, x509_cert_t *cert,
+bool x509_verify_crl(const char *crl_file, x509_cert_t *cert,
const char *subject);
#endif /* SSL_VERIFY_BACKEND_H_ */
}
bool
-verify_get_username (char *common_name, int cn_len,
+x509_get_username (char *common_name, int cn_len,
char * x509_username_field, X509 *peer_cert)
{
#ifdef ENABLE_X509ALTUSERNAME
}
char *
-verify_get_serial (x509_cert_t *cert)
+x509_get_serial (x509_cert_t *cert)
{
ASN1_INTEGER *asn1_i;
BIGNUM *bignum;
}
void
-verify_free_serial (char *serial)
+x509_free_serial (char *serial)
{
if (serial)
OPENSSL_free(serial);
}
char *
-verify_get_subject (X509 *cert)
+x509_get_subject (X509 *cert)
{
return X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
}
void
-verify_free_subject (char *subject)
+x509_free_subject (char *subject)
{
if (subject)
OPENSSL_free(subject);
}
void
-setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509)
+x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509)
{
X509_NAME *x509_name = X509_get_subject_name (x509);
const char nullc = '\0';
* X509_{cert_depth}_{name}={value}
*/
void
-setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *peer_cert)
+x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *peer_cert)
{
int i, n;
int fn_nid;
}
bool
-verify_nsCertType(const x509_cert_t *peer_cert, const int usage)
+x509_verify_ns_cert_type(const x509_cert_t *peer_cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
return true;
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
bool
-verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
+x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
int expected_len)
{
ASN1_BIT_STRING *ku = NULL;
}
bool
-verify_cert_eku (X509 *x509, const char * const expected_oid)
+x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
{
EXTENDED_KEY_USAGE *eku = NULL;
bool fFound = false;
}
const char *
-write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
+x509_write_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
{
FILE *peercert_file;
const char *peercert_filename="";
* check peer cert against CRL
*/
bool
-verify_check_crl(const char *crl_file, X509 *peer_cert, const char *subject)
+x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
{
X509_CRL *crl=NULL;
X509_REVOKED *revoked;
projects / thirdparty / openvpn.git / commitdiff
