From: Adriaan de Jong
Date: Wed, 29 Jun 2011 12:28:44 +0000 (+0200)
Subject: Refactored tls-remote checking
X-Git-Tag: v2.3-alpha1~119
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a4c926bb5939d95d9e7c0dfd4b83e61a11f86c90;p=thirdparty%2Fopenvpn.git
Refactored tls-remote checking
Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
diff --git a/ssl.c b/ssl.c
index d7cdd754f..8d1fd7338 100644
--- a/ssl.c
+++ b/ssl.c
@@ -431,20 +431,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
 goto err;
- /* verify X509 name or common name against --tls-remote */
- if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && cert_depth == 0)
- {
- if (strcmp (opt->verify_x509name, subject) == 0
- || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
- msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
- else
- {
- msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
- subject, opt->verify_x509name);
- goto err; /* Reject connection */
- }
- }
-
 /* call --tls-verify plug-in(s) */
 if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
 {
diff --git a/ssl_verify.c b/ssl_verify.c
index 7c263f8c3..9eda092d2 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -382,6 +382,21 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 }
 #endif /* OPENSSL_VERSION_NUMBER */
+
+ /* verify X509 name or common name against --tls-remote */
+ if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+ {
+ if (strcmp (opt->verify_x509name, subject) == 0
+ || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+ msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
+ subject, opt->verify_x509name);
+ return 1; /* Reject connection */
+ }
+ }
+
 return 0;
 }
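Review bot: The `strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0` test that this commit moves into verify_peer_cert in ssl_verify.c is a prefix comparison, so a peer whose common name merely begins with the configured --tls-remote value passes the check (a configured `vpnserver` also matches a CN of `vpnserver2`, to take a constructed example). If prefix matching is the documented contract of --tls-remote, the check deserves a comment saying so, e.g. `/* --tls-remote also accepts a common-name prefix by design; an exact-match mode would need strcmp here */`; if it is not, the CN branch should read `|| strcmp (opt->verify_x509name, common_name) == 0`. The moved block also drops the old `cert_depth == 0` guard, which looks safe because the ssl.c hunk shows verify_peer_cert being called only at depth 0, but that precondition now belongs in verify_peer_cert's header comment. The function's opening lies outside this hunk.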