diff options
| author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-01-21 19:09:56 +0000 |
|---|---|---|
| committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-01-21 19:09:56 +0000 |
| commit | 7686b1c407f8e78d24669971219f9bc253521744 (patch) | |
| tree | 39e013f5e6bfd6e94a0677c7a759d7e43d51a5a5 | |
| parent | e342be3fcd0bb1208cb2e7dc003042cc14bcdb36 (diff) | |
| download | openvpn-7686b1c407f8e78d24669971219f9bc253521744.tar.gz openvpn-7686b1c407f8e78d24669971219f9bc253521744.tar.xz openvpn-7686b1c407f8e78d24669971219f9bc253521744.zip | |
Rewrote extract_x509_field and modified COMMON_NAME_CHAR_CLASS
to allow forward slash characters ("/") in the X509 common name
(Pavel Shramov).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2638 e7ae566f-a301-0410-adde-c780ea21d3b5
| -rw-r--r-- | ssl.c | 48 | ||||
| -rw-r--r-- | ssl.h | 2 |
2 files changed, 48 insertions, 2 deletions
@@ -378,6 +378,51 @@ extract_x509_field (const char *x509, const char *field_name, char *out, int siz } } +/* + * Extract a field from an X509 subject name. + * + * Example: + * + * /C=US/ST=CO/L=Denver/O=ORG/CN=First-CN/CN=Test-CA/Email=jim@yonan.net + * + * The common name is 'Test-CA' + */ +static void +extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, int size) +{ + int lastpos = -1; + int tmp = -1; + X509_NAME_ENTRY *x509ne = 0; + ASN1_STRING *asn1 = 0; + unsigned char *buf = 0; + int nid = OBJ_txt2nid(field_name); + + ASSERT (size > 0); + *out = '\0'; + do { + lastpos = tmp; + tmp = X509_NAME_get_index_by_NID(x509, nid, lastpos); + } while (tmp > 0); + + /* Nothing found */ + if (lastpos == -1) + return; + + x509ne = X509_NAME_get_entry(x509, lastpos); + if (!x509ne) + return; + + asn1 = X509_NAME_ENTRY_get_data(x509ne); + if (!asn1) + return; + tmp = ASN1_STRING_to_UTF8(&buf, asn1); + if (tmp <= 0) + return; + + strncpynt(out, (char *)buf, size); + OPENSSL_free(buf); +} + static void setenv_untrusted (struct tls_session *session) { @@ -538,7 +583,8 @@ verify_callback (int preverify_ok, X509_STORE_CTX * ctx) string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_'); /* extract the common name */ - extract_x509_field (subject, "CN", common_name, TLS_CN_LEN); + extract_x509_field_ssl (X509_get_subject_name (ctx->current_cert), "CN", common_name, TLS_CN_LEN); + //extract_x509_field (subject, "CN", common_name, TLS_CN_LEN); string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_'); #if 0 /* print some debugging info */ @@ -282,7 +282,7 @@ /* Legal characters in an X509 or common name */ #define X509_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_COLON|CC_SLASH|CC_EQUAL) -#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT) +#define COMMON_NAME_CHAR_CLASS (CC_ALNUM|CC_UNDERBAR|CC_DASH|CC_DOT|CC_AT|CC_SLASH) /* Maximum length of OCC options string passed as part of auth handshake */ #define TLS_OPTIONS_LEN 512 |