#endif
-/*
- * Extract a field from an X509 subject name.
- *
- * Example:
- *
- * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/Email=jim@yonan.net
- *
- * The common name is 'Test-CA'
- *
- * Return true on success, false on error (insufficient buffer size in 'out'
- * to contain result is grounds for error).
- */
-static bool
-extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size)
-{
- int lastpos = -1;
- int tmp = -1;
- X509_NAME_ENTRY *x509ne = 0;
- ASN1_STRING *asn1 = 0;
- unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
- int nid = OBJ_txt2nid((char *)field_name);
-
- ASSERT (size > 0);
- *out = '\0';
- do {
- lastpos = tmp;
- tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
- } while (tmp > -1);
-
- /* Nothing found */
- if (lastpos == -1)
- return false;
-
- x509ne = X509_NAME_get_entry(x509, lastpos);
- if (!x509ne)
- return false;
-
- asn1 = X509_NAME_ENTRY_get_data(x509ne);
- if (!asn1)
- return false;
- tmp = ASN1_STRING_to_UTF8(&buf, asn1);
- if (tmp <= 0)
- return false;
-
- strncpynt(out, (char *)buf, size);
-
- {
- const bool ret = (strlen ((char *)buf) < size);
- OPENSSL_free (buf);
- return ret;
- }
-}
-
-#ifdef ENABLE_X509ALTUSERNAME
-static
-bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
-{
- bool retval = false;
- X509_EXTENSION *pExt;
- char *buf = 0;
- int length = 0;
- GENERAL_NAMES *extensions;
- int nid = OBJ_txt2nid(fieldname);
-
- extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
- if ( extensions )
- {
- int numalts;
- int i;
- /* get amount of alternatives,
- * RFC2459 claims there MUST be at least
- * one, but we don't depend on it...
- */
-
- numalts = sk_GENERAL_NAME_num(extensions);
-
- /* loop through all alternatives */
- for (i=0; i<numalts; i++)
- {
- /* get a handle to alternative name number i */
- const GENERAL_NAME *name = sk_GENERAL_NAME_value (extensions, i );
-
- switch (name->type)
- {
- case GEN_EMAIL:
- ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
- if ( strlen (buf) != name->d.ia5->length )
- {
- msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
- OPENSSL_free (buf);
- } else {
- strncpynt(out, buf, size);
- OPENSSL_free(buf);
- retval = true;
- }
- break;
- default:
- msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i",
- name->type);
- break;
- }
- }
- sk_GENERAL_NAME_free (extensions);
- }
- return retval;
-}
-#endif /* ENABLE_X509ALTUSERNAME */
-
#ifdef ENABLE_X509_TRACK
/*
* setenv_x509_track function -- save X509 fields to environment,
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
-#ifdef ENABLE_X509ALTUSERNAME
- if (strncmp("ext:",x509_username_field,4) == 0)
- {
- if (!extract_x509_extension (ctx->current_cert, x509_username_field+4, common_name, sizeof(common_name)))
- {
- msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s extension from X509 subject string ('%s') "
- "-- note that the username length is limited to %d characters",
- x509_username_field+4,
- subject,
- TLS_USERNAME_LEN);
- goto err;
- }
- } else
-#endif
- if (!extract_x509_field_ssl (X509_get_subject_name (cert), x509_username_field, common_name, sizeof(common_name)))
+ if (verify_get_username (common_name, TLS_USERNAME_LEN, x509_username_field, cert))
{
if (!cert_depth)
{
}
}
-
string_mod_sslname (common_name, COMMON_NAME_CHAR_CLASS, opt->ssl_flags);
#if 0 /* print some debugging info */
*/
bool verify_get_subject (char **subject, x509_cert_t *cert);
+/*
+ * Retrieve the certificate's username from the specified field.
+ *
+ * If the field is prepended with ext: and ENABLE_X509ALTUSERNAME is enabled,
+ * it will be loaded from an X.509 extension
+ *
+ * @param cn Buffer to return the common name in.
+ * @param cn_len Length of the cn buffer.
+ * @param x509_username_field Name of the field to load from
+ * @param cert Certificate to retrieve the common name from.
+ *
+ * @return \c 1 on failure, \c 0 on success
+ */
+bool verify_get_username (char *common_name, int cn_len,
+ char * x509_username_field, X509 *peer_cert);
+
#endif /* SSL_VERIFY_BACKEND_H_ */
return 0;
}
+
+#ifdef ENABLE_X509ALTUSERNAME
+static
+bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
+{
+ bool retval = false;
+ X509_EXTENSION *pExt;
+ char *buf = 0;
+ int length = 0;
+ GENERAL_NAMES *extensions;
+ int nid = OBJ_txt2nid(fieldname);
+
+ extensions = (GENERAL_NAMES *)X509_get_ext_d2i(cert, nid, NULL, NULL);
+ if ( extensions )
+ {
+ int numalts;
+ int i;
+ /* get amount of alternatives,
+ * RFC2459 claims there MUST be at least
+ * one, but we don't depend on it...
+ */
+
+ numalts = sk_GENERAL_NAME_num(extensions);
+
+ /* loop through all alternatives */
+ for (i=0; i<numalts; i++)
+ {
+ /* get a handle to alternative name number i */
+ const GENERAL_NAME *name = sk_GENERAL_NAME_value (extensions, i );
+
+ switch (name->type)
+ {
+ case GEN_EMAIL:
+ ASN1_STRING_to_UTF8((unsigned char**)&buf, name->d.ia5);
+ if ( strlen (buf) != name->d.ia5->length )
+ {
+ msg (D_TLS_ERRORS, "ASN1 ERROR: string contained terminating zero");
+ OPENSSL_free (buf);
+ } else {
+ strncpynt(out, buf, size);
+ OPENSSL_free(buf);
+ retval = true;
+ }
+ break;
+ default:
+ msg (D_TLS_ERRORS, "ASN1 ERROR: can not handle field type %i",
+ name->type);
+ break;
+ }
+ }
+ sk_GENERAL_NAME_free (extensions);
+ }
+ return retval;
+}
+#endif /* ENABLE_X509ALTUSERNAME */
+
+/*
+ * Extract a field from an X509 subject name.
+ *
+ * Example:
+ *
+ * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/Email=jim@yonan.net
+ *
+ * The common name is 'Test-CA'
+ *
+ * Return true on success, false on error (insufficient buffer size in 'out'
+ * to contain result is grounds for error).
+ */
+static bool
+extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out,
+ int size)
+{
+ int lastpos = -1;
+ int tmp = -1;
+ X509_NAME_ENTRY *x509ne = 0;
+ ASN1_STRING *asn1 = 0;
+ unsigned char *buf = (unsigned char *)1; /* bug in OpenSSL 0.9.6b ASN1_STRING_to_UTF8 requires this workaround */
+ int nid = OBJ_txt2nid((char *)field_name);
+
+ ASSERT (size > 0);
+ *out = '\0';
+ do {
+ lastpos = tmp;
+ tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos);
+ } while (tmp > -1);
+
+ /* Nothing found */
+ if (lastpos == -1)
+ return false;
+
+ x509ne = X509_NAME_get_entry(x509, lastpos);
+ if (!x509ne)
+ return false;
+
+ asn1 = X509_NAME_ENTRY_get_data(x509ne);
+ if (!asn1)
+ return false;
+ tmp = ASN1_STRING_to_UTF8(&buf, asn1);
+ if (tmp <= 0)
+ return false;
+
+ strncpynt(out, (char *)buf, size);
+
+ {
+ const bool ret = (strlen ((char *)buf) < size);
+ OPENSSL_free (buf);
+ return ret;
+ }
+}
+
+bool
+verify_get_username (char *common_name, int cn_len,
+ char * x509_username_field, X509 *peer_cert)
+{
+#ifdef ENABLE_X509ALTUSERNAME
+ if (strncmp("ext:",x509_username_field,4) == 0)
+ {
+ if (!extract_x509_extension (peer_cert, x509_username_field+4, common_name, cn_len))
+ return true;
+ } else
+#endif
+ if (!extract_x509_field_ssl (X509_get_subject_name (peer_cert),
+ x509_username_field, common_name, cn_len))
+ return true;
+
+ return false;
+}
projects / thirdparty / openvpn.git / commitdiff
