From: Adriaan de Jong
Date: Wed, 29 Jun 2011 11:29:33 +0000 (+0200)
Subject: Added function to extract and verify the subject from a certificate
X-Git-Tag: v2.3-alpha1~126
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=971790dae113e4665e1508ab17698047e7321c69;p=thirdparty%2Fopenvpn.git

Added function to extract and verify the subject from a certificate

Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
diff --git a/ssl.c b/ssl.c
index fbc99c379..e600ca7bb 100644
--- a/ssl.c
+++ b/ssl.c
@@ -720,8 +720,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   session->verified = false;
 
   /* get the X509 name */
-  subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
-  if (!subject)
+  if (verify_get_subject(&subject, cert))
     {
       msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
           "subject string from certificate", cert_depth);
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index 232a653df..31b521045 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -66,4 +66,22 @@ int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
 void cert_hash_remember (struct tls_session *session, const int cert_depth,
     const unsigned char *sha1_hash);
 
+/*
+ * Library-specific functions.
+ *
+ * The following functions must be implemented on a library-specific basis.
+ */
+
+/*
+ * Retrieve certificate's subject name, and place it in **subject.
+ *
+ * Memory for subject is allocated in the process, and must be freed.
+ *
+ * @param subject Pointer to memory to be allocated for the subject
+ * @param cert Certificate to retrieve the subject from.
+ *
+ * @return \c 1 on failure, \c 0 on success
+ */
+bool verify_get_subject (char **subject, x509_cert_t *cert);
+
 #endif /* SSL_VERIFY_BACKEND_H_ */
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 06e114352..64b71c398 100644
--- a/ssl_verify_openssl.c
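Review bot: The new call `if (verify_get_subject(&subject, cert))` drops the space before the parenthesis that the surrounding code uses (`msg (`, and the removed `X509_NAME_oneline (`), so the hunk now mixes two call styles; `if (verify_get_subject (&subject, cert))` would match the file. Because the helper signals failure with a non-zero return while the header declares it `bool`, a reader may take this test for "if the subject was obtained"; a short comment above the `if`, `/* non-zero means the subject could not be extracted */`, removes the ambiguity. verify_cert's body continues outside the hunk.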
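Review bot: The declaration `bool verify_get_subject (char **subject, x509_cert_t *cert);` does not match the definition added in the ssl_verify_openssl.c hunk, which returns `int` and takes `X509 *cert`; if both are visible in one translation unit the compiler rejects the conflicting return types, and even where they are not, `bool` paired with the documented `\c 1 on failure, \c 0 on success` contract reads as an inverted success flag. Use one type at both sites — `int verify_get_subject (char **subject, x509_cert_t *cert);` keeps the documented non-zero-on-failure convention — or introduce a named result type for the backend interface. The `x509_cert_t` versus `X509` difference is presumably a backend typedef, but that is not visible here and is worth confirming. The comment's "place it in **subject" should read `*subject`, since that is the location the pointer is stored in.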
+++ b/ssl_verify_openssl.c
@@ -72,3 +72,13 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
   return verify_cert(session, ctx->current_cert, ctx->error_depth);
 }
 
+
+int
+verify_get_subject (char **subject, X509 *cert)
+{
+  *subject = X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0);
+  if (!*subject)
+    return 1;
+
+  return 0;
+}
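Review bot: The string stored in `*subject` comes from `X509_NAME_oneline` with a NULL buffer, i.e. from OpenSSL's own allocator, but neither this function nor the header comment ("must be freed") says which deallocator the caller must use, and behind a library-neutral interface a caller cannot know whether `OPENSSL_free` or `free()` is correct (the two differ when the CRT is not shared, e.g. on Windows). Add `/* allocated by OpenSSL; caller releases it with OPENSSL_free() */` above the assignment, and consider a matching release function in the backend interface so that ssl.c never has to name the OpenSSL allocator directly. The early `return 1` leaves `*subject` set to NULL, which is a reasonable contract on failure and would be worth stating in the header comment as well.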