author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-30 12:37:33 +0200 |
committer | David Sommerseth <davids@redhat.com> | 2011-10-21 14:51:45 +0200 |
commit | 19dd3ef12f45b2c70c0657ea72fbdce5241e45c2 (patch) | |
tree | e840a5c6d385e4aa9031d949157c508484789863 | |
parent | dd4cdb9ee740527f32198ef27b9901e396e045be (diff) | |
Refactored: removed global x509_username_field
Moved to tls_options.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r-- | init.c | 5 | ||||
-rw-r--r-- | ssl.c | 17 | ||||
-rw-r--r-- | ssl_common.h | 1 |
3 files changed, 8 insertions, 15 deletions
@@ -2211,6 +2211,11 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
 to.remote_cert_eku = options->remote_cert_eku;
 to.verify_hash = options->verify_hash;
+#ifdef ENABLE_X509ALTUSERNAME
+ to.x509_username_field = (char *) options->x509_username_field;
+#else
+ to.x509_username_field = X509_USERNAME_FIELD_DEFAULT;
+#endif
 to.es = c->c2.es;
 #ifdef ENABLE_DEBUG
@@ -594,8 +594,6 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
 return peercert_filename;
 }
-char * x509_username_field; /* GLOBAL */
-
 int
 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
@@ -632,14 +630,14 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 string_replace_leading (subject, '-', '_');
 /* extract the username (default is CN) */
- if (verify_get_username (common_name, TLS_USERNAME_LEN, x509_username_field, cert))
+ if (verify_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
 {
 if (!cert_depth)
 {
 msg (D_TLS_ERRORS, "VERIFY ERROR: could not extract %s from X509 "
 "subject string ('%s') -- note that the username length is "
 "limited to %d characters",
- x509_username_field,
+ opt->x509_username_field,
 subject,
 TLS_USERNAME_LEN);
 goto err;
@@ -1045,17 +1043,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
 }
-#if P2MP_SERVER
- if (!(options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
-#endif
- {
-#ifdef ENABLE_X509ALTUSERNAME
- x509_username_field = (char *) options->x509_username_field;
-#else
- x509_username_field = X509_USERNAME_FIELD_DEFAULT;
-#endif
- }
-
 /* Allowable ciphers */
 if (options->cipher_list)
 {
diff --git a/ssl_common.h b/ssl_common.h
index 525a1da..f3f43be 100644
--- a/ssl_common.h
+++ b/ssl_common.h
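Review bot: The new line `to.x509_username_field = (char *) options->x509_username_field;` in do_init_crypto_tls casts away the const of a value reached through the options struct (init_ssl in the later hunk shows it as `const struct options *`), only so it fits the `char *` member this commit adds to struct tls_options in ssl_common.h; since verify_cert only reads the field (it passes it to verify_get_username and to msg), the member should be `const char *x509_username_field;` and the cast dropped, provided verify_get_username accepts a const pointer for that argument, which also keeps the presumably literal `X509_USERNAME_FIELD_DEFAULT` out of a writable pointer. Unlike the block removed from init_ssl, this assignment is no longer guarded by the `SSLF_CLIENT_CERT_NOT_REQUIRED` check, so the field is now populated unconditionally; that looks intentional but deserves a one-line comment such as `/* always set: verify_cert reads it whenever a peer cert is checked */`. Under ENABLE_X509ALTUSERNAME the value is taken verbatim from the options struct, and verify_cert's `msg (... "%s" ..., opt->x509_username_field, ...)` would pass NULL to `%s` if that option can be left unset, so confirm a default is applied during option parsing, which is outside this diff. do_init_crypto_tls and verify_cert both start and end outside their hunks, and `opt` is assumed to be declared earlier in verify_cert.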
@@ -251,6 +251,7 @@ struct tls_options
 unsigned remote_cert_ku[MAX_PARMS];
 const char *remote_cert_eku;
 uint8_t *verify_hash;
+ char *x509_username_field;
 /* allow openvpn config info to be passed over control channel */
|