authorAdriaan de Jong <dejong@fox-it.com>2011-08-03 21:25:57 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 18:20:55 +0200
commit8a840d832e9576bdcb7c6819a3a9401e0d9fd545 (patch)
tree9396dbaa2a926daea3cfde942f77ac7cce4fd0d8
parent4ce976fb280fc279fc2f9e6478ca55716cf3d081 (diff)
Unified verification function return values:
- Now return either SUCCESS or FAILURE. - SUCCESS is defined as 0. Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl_verify.c59
-rw-r--r--ssl_verify_backend.h39
-rw-r--r--ssl_verify_openssl.c71
-rw-r--r--ssl_verify_polarssl.c57
4 files changed, 116 insertions, 110 deletions
diff --git a/ssl_verify.c b/ssl_verify.c
index 75322d7..f0bc994 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -306,14 +306,14 @@ print_nsCertType (int type)
* @param subject the peer's extracted subject name
* @param subject the peer's extracted common name
*/
-static int
+static result_t
verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
const char *subject, const char *common_name)
{
/* verify certificate nsCertType */
if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
{
- if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
+ if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
{
msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
print_nsCertType (opt->ns_cert_type));
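Review bot: The block comment directly above the new `static result_t` signature still has no `@return`, so the SUCCESS/FAILURE contract introduced for verify_peer_cert is undocumented at the function itself, and it lists `@param subject` twice where the second line plainly describes `common_name`. Suggest changing the second line to `@param common_name the peer's extracted common name` and adding `@return \c SUCCESS if every configured check passed, \c FAILURE if the connection must be rejected`. verify_peer_cert's body continues beyond this hunk.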
@@ -322,7 +322,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
{
msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
subject, print_nsCertType (opt->ns_cert_type));
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
@@ -331,28 +331,28 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
/* verify certificate ku */
if (opt->remote_cert_ku[0] != 0)
{
- if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+ if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
{
msg (D_HANDSHAKE, "VERIFY KU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY KU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
/* verify certificate eku */
if (opt->remote_cert_eku != NULL)
{
- if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
{
msg (D_HANDSHAKE, "VERIFY EKU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY EKU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
@@ -368,11 +368,11 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
{
msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
subject, opt->verify_x509name);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
/*
@@ -434,7 +434,7 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
/*
* call --tls-verify plug-in(s)
*/
-static int
+static result_t
verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject)
{
@@ -458,10 +458,10 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
{
msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
static const char *
@@ -484,7 +484,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
return NULL;
}
- if (x509_write_pem(peercert_file, peercert))
+ if (SUCCESS != x509_write_pem(peercert_file, peercert))
msg (M_ERR, "Error writing PEM file containing certificate");
fclose(peercert_file);
@@ -495,7 +495,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
/*
* run --tls-verify script
*/
-static int
+static result_t
verify_cert_call_command(const char *verify_command, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert)
{
@@ -532,18 +532,18 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
{
msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
cert_depth, subject);
- return 0;
+ return SUCCESS;
}
msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
/*
* check peer cert against CRL directory
*/
-static bool
+static result_t
verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
char fn[256];
@@ -554,7 +554,7 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
x509_free_serial(serial);
- return true;
+ return FAILURE;
}
fd = open (fn, O_RDONLY);
if (fd >= 0)
@@ -562,15 +562,15 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
x509_free_serial(serial);
close(fd);
- return true;
+ return FAILURE;
}
x509_free_serial(serial);
- return false;
+ return SUCCESS;
}
-int
+result_t
verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
{
char *subject = NULL;
@@ -596,7 +596,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
- if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
+ if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+ opt->x509_username_field, cert))
{
if (!cert_depth)
{
@@ -650,16 +651,16 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
setenv_untrusted (session);
/* If this is the peer's own certificate, verify it */
- if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
+ if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
goto err;
/* call --tls-verify plug-in(s), if registered */
- if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+ if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
goto err;
/* run --tls-verify script */
- if (opt->verify_command && verify_cert_call_command(opt->verify_command, opt->es,
- cert_depth, cert, subject, opt->verify_export_cert))
+ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
+ opt->es, cert_depth, cert, subject, opt->verify_export_cert))
goto err;
/* check peer cert against CRL */
@@ -667,12 +668,12 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
{
if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
{
- if (verify_check_crl_dir(opt->crl_file, cert))
+ if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
goto err;
}
else
{
- if (x509_verify_crl(opt->crl_file, cert, subject))
+ if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
goto err;
}
}
@@ -682,7 +683,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
done:
x509_free_subject (subject);
- return (session->verified == true) ? 1 : 0;
+ return (session->verified == true) ? SUCCESS : FAILURE;
err:
tls_clear_error();
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index f7e0861..2ba3723 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -30,6 +30,11 @@
#ifndef SSL_VERIFY_BACKEND_H_
#define SSL_VERIFY_BACKEND_H_
+/**
+ * Result of verification function
+ */
+typedef enum { SUCCESS=0, FAILURE=1 } result_t;
+
/*
* Backend support functions.
*
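Review bot: The new `result_t` enum makes `SUCCESS` the zero value, the opposite of the `bool`/`int` convention the replaced functions used, so any call site this commit missed, or a future one written in the old habit as `if (x509_verify_xxx(...))`, silently treats a passed check as false and a failed one as true, and the compiler will not object because the enum converts to int freely. This is worth stating on the typedef rather than leaving it to be discovered at a verification call site; suggest extending the comment to `Result of verification function. SUCCESS is 0: always compare a result_t against SUCCESS/FAILURE explicitly, never use it as a truth value.` The unprefixed enumerator names `SUCCESS` and `FAILURE` in a header shared by both backends could also collide with a library or platform macro; I cannot see the include set from here, so treat that as a possibility to check rather than a known conflict.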
@@ -48,9 +53,9 @@
* @param cert Certificate to process
* @param cert_depth Depth of the current certificate
*
- * @return \c 1 if verification was successful, \c 0 on failure.
+ * @return \c SUCCESS if verification was successful, \c FAILURE on failure.
*/
-int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
/*
* Remember the given certificate hash, allowing the certificate chain to be
@@ -118,9 +123,9 @@ void x509_free_sha1_hash (unsigned char *hash);
* @param x509_username_field Name of the field to load from
* @param cert Certificate to retrieve the common name from.
*
- * @return \c 1 on failure, \c 0 on success
+ * @return \c FAILURE, \c or SUCCESS
*/
-bool x509_get_username (char *common_name, int cn_len,
+result_t x509_get_username (char *common_name, int cn_len,
char * x509_username_field, x509_cert_t *peer_cert);
/*
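Review bot: The rewritten `@return \c FAILURE, \c or SUCCESS` is garbled (the `\c` is attached to "or") and, unlike the line it replaces, no longer says which outcome means what. Suggest `@return \c SUCCESS if the username field was found and copied, \c FAILURE otherwise`.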
@@ -201,11 +206,11 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
* or \c NS_CERT_CHECK_NONE.
*
- * @return \c true if NS_CERT_CHECK_NONE or if the certificate has
- * the expected bit set. \c false if the certificate does
+ * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
+ * the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
@@ -216,10 +221,10 @@ bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
* @param expected_ku Array of valid key usage values
* @param expected_len Length of the key usage array
*
- * @return \c true if one of the key usage values matches, \c false
+ * @return \c SUCCESS if one of the key usage values matches, \c FAILURE
* if key usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
int expected_len);
/*
@@ -231,11 +236,11 @@ bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
* (e.g. \c "1.2.3.4", or the descriptive string matching
* the OID.
*
- * @return \c true if one of the expected OID matches one of the
- * extended key usage fields, \c false if extended key
+ * @return \c SUCCESS if one of the expected OID matches one of the
+ * extended key usage fields, \c FAILURE if extended key
* usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
#endif
@@ -245,8 +250,10 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
* @param cert Certificate to store
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
+ *
+ *
*/
-bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
/*
* Check the certificate against a CRL file.
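Review bot: The two ` *` lines added to the x509_write_pem comment are empty where a `@return` belongs, so the return-type change on the next line is the only documentation of the contract, and the surrounding `@param cert`, `@param tmp_dir` and `@param gc` lines do not match the declared parameters `peercert_file` and `peercert`. Suggest replacing the blank lines with `@return \c SUCCESS if the certificate was written, \c FAILURE otherwise` and documenting `@param peercert_file` and `@param peercert` in place of the stale entries.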
@@ -255,11 +262,11 @@ bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
* @param cert Certificate to verify
* @param subject Subject of the given certificate
*
- * @return \c 1 if the CRL was not signed by the issuer of the
+ * @return \c SUCCESS if the CRL was not signed by the issuer of the
* certificate or does not contain an entry for it.
- * \c 0 otherwise.
+ * \c FAILURE otherwise.
*/
-bool x509_verify_crl(const char *crl_file, x509_cert_t *cert,
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
const char *subject);
#endif /* SSL_VERIFY_BACKEND_H_ */
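Review bot: The updated `@return` keeps the rule that a CRL issued by someone other than the peer certificate's issuer yields `SUCCESS`, and both backends implement exactly that (`retval = SUCCESS;` after the "different issuer" M_WARN in the ssl_verify_openssl.c hunk at @@ -560 and the ssl_verify_polarssl.c hunk at @@ -399). A mismatched or wrong CRL file therefore passes the revocation check with only a warning, which is fail-open; the commit preserves rather than introduces this, but renaming the outcomes is the moment to make the intent explicit. If it is deliberate (for example chains whose intermediate CAs are not covered by the CRL), say so in this comment; otherwise mapping that path to `FAILURE` would be the safer choice and callers already treat it as "reject".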
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 3896417..5f30594 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -144,7 +144,7 @@ bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size)
* Return true on success, false on error (insufficient buffer size in 'out'
* to contain result is grounds for error).
*/
-static bool
+static result_t
extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out,
int size)
{
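Review bot: The comment just above the new `static result_t` signature still reads `Return true on success, false on error`, which is now wrong for a function returning result_t with SUCCESS as 0. Suggest `Return SUCCESS on success, FAILURE on error`. extract_x509_field_ssl's body continues beyond this hunk.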
@@ -164,29 +164,29 @@ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out,
/* Nothing found */
if (lastpos == -1)
- return false;
+ return FAILURE;
x509ne = X509_NAME_get_entry(x509, lastpos);
if (!x509ne)
- return false;
+ return FAILURE;
asn1 = X509_NAME_ENTRY_get_data(x509ne);
if (!asn1)
- return false;
+ return FAILURE;
tmp = ASN1_STRING_to_UTF8(&buf, asn1);
if (tmp <= 0)
- return false;
+ return FAILURE;
strncpynt(out, (char *)buf, size);
{
- const bool ret = (strlen ((char *)buf) < size);
+ const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE;
OPENSSL_free (buf);
return ret;
}
}
-bool
+result_t
x509_get_username (char *common_name, int cn_len,
char * x509_username_field, X509 *peer_cert)
{
@@ -194,14 +194,14 @@ x509_get_username (char *common_name, int cn_len,
if (strncmp("ext:",x509_username_field,4) == 0)
{
if (!extract_x509_extension (peer_cert, x509_username_field+4, common_name, cn_len))
- return true;
+ return FAILURE;
} else
#endif
- if (!extract_x509_field_ssl (X509_get_subject_name (peer_cert),
+ if (FAILURE == extract_x509_field_ssl (X509_get_subject_name (peer_cert),
x509_username_field, common_name, cn_len))
- return true;
+ return FAILURE;
- return false;
+ return SUCCESS;
}
char *
@@ -406,29 +406,29 @@ x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *peer_cert)
}
}
-bool
+result_t
x509_verify_ns_cert_type(const x509_cert_t *peer_cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
- return true;
+ return SUCCESS;
if (usage == NS_CERT_CHECK_CLIENT)
return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_CLIENT));
+ && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS: FAILURE;
if (usage == NS_CERT_CHECK_SERVER)
return ((peer_cert->ex_flags & EXFLAG_NSCERT)
- && (peer_cert->ex_nscert & NS_SSL_SERVER));
+ && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS: FAILURE;
- return false;
+ return FAILURE;
}
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-bool
+result_t
x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
int expected_len)
{
ASN1_BIT_STRING *ku = NULL;
- bool fFound = false;
+ result_t fFound = FAILURE;
if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
NULL)) == NULL)
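Review bot: `result_t fFound = FAILURE;` keeps a boolean-flavoured name for a value that is now SUCCESS/FAILURE, so the loop condition `fFound != SUCCESS` in the following hunk reads as a double negative; the same pattern recurs in x509_verify_cert_eku (hunk at @@ -473) and in the ssl_verify_polarssl.c counterparts (hunks at @@ -274 and @@ -322). Renaming to `result_t result = FAILURE;` and testing `result != SUCCESS` would make the conditions read naturally without changing behaviour. x509_verify_cert_ku continues past this hunk.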
@@ -454,7 +454,7 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
}
msg (D_HANDSHAKE, "Validating certificate key usage");
- for (i = 0; !fFound && i < expected_len; i++)
+ for (i = 0; fFound != SUCCESS && i < expected_len; i++)
{
if (expected_ku[i] != 0)
{
@@ -462,7 +462,7 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
"%04x", nku, expected_ku[i]);
if (nku == expected_ku[i])
- fFound = true;
+ fFound = SUCCESS;
}
}
}
@@ -473,11 +473,11 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
return fFound;
}
-bool
+result_t
x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
{
EXTENDED_KEY_USAGE *eku = NULL;
- bool fFound = false;
+ result_t fFound = FAILURE;
if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
NULL, NULL)) == NULL)
@@ -489,24 +489,24 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
int i;
msg (D_HANDSHAKE, "Validating certificate extended key usage");
- for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+ for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num (eku); i++)
{
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
char szOid[1024];
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
{
msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
szOid, expected_oid);
if (!strcmp (expected_oid, szOid))
- fFound = true;
+ fFound = SUCCESS;
}
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
{
msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
szOid, expected_oid);
if (!strcmp (expected_oid, szOid))
- fFound = true;
+ fFound = SUCCESS;
}
}
}
@@ -517,15 +517,15 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
return fFound;
}
-bool
+result_t
x509_write_pem(FILE *peercert_file, X509 *peercert)
{
if (PEM_write_X509(peercert_file, peercert) < 0)
{
msg (M_ERR, "Failed to write peer certificate in PEM format");
- return true;
+ return FAILURE;
}
- return false;
+ return SUCCESS;
}
#endif /* OPENSSL_VERSION_NUMBER */
@@ -533,13 +533,14 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
/*
* check peer cert against CRL
*/
-bool
+result_t
x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
{
X509_CRL *crl=NULL;
X509_REVOKED *revoked;
BIO *in=NULL;
- int n,i,retval = 0;
+ int n,i;
+ result_t retval = FAILURE;
in=BIO_new(BIO_s_file());
@@ -560,7 +561,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) {
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
"certificate %s", crl_file, subject);
- retval = 1;
+ retval = SUCCESS;
goto end;
}
@@ -573,7 +574,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
}
}
- retval = 1;
+ retval = SUCCESS;
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
@@ -581,5 +582,5 @@ end:
if (crl)
X509_CRL_free (crl);
- return !retval;
+ return retval;
}
diff --git a/ssl_verify_polarssl.c b/ssl_verify_polarssl.c
index 03a28fe..4cd6383 100644
--- a/ssl_verify_polarssl.c
+++ b/ssl_verify_polarssl.c
@@ -65,17 +65,18 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
}
/*
- * verify_cert() returns 1 on success, 0 on failure.
- * PolarSSL expects the opposite.
+ * PolarSSL expects 1 on failure, 0 on success
*/
- return 0 == verify_cert(session, cert, cert_depth);
+ if (SUCCESS == verify_cert(session, cert, cert_depth))
+ return 0;
+ return 1;
}
#ifdef ENABLE_X509ALTUSERNAME
# warning "X509 alt user name not yet supported for PolarSSL"
#endif
-bool
+result_t
x509_get_username (char *cn, int cn_len,
char *x509_username_field, x509_cert *cert)
{
@@ -96,7 +97,7 @@ x509_get_username (char *cn, int cn_len,
/* Not found, return an error if this is the peer's certificate */
if( name == NULL )
- return 1;
+ return FAILURE;
/* Found, extract CN */
if (cn_len > name->val.len)
@@ -107,7 +108,7 @@ x509_get_username (char *cn, int cn_len,
cn[cn_len-1] = '\0';
}
- return 0;
+ return SUCCESS;
}
char *
@@ -274,26 +275,26 @@ x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert)
}
}
-bool
+result_t
x509_verify_ns_cert_type(const x509_cert *cert, const int usage)
{
if (usage == NS_CERT_CHECK_NONE)
- return true;
+ return SUCCESS;
if (usage == NS_CERT_CHECK_CLIENT)
return ((cert->ext_types & EXT_NS_CERT_TYPE)
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT));
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE;
if (usage == NS_CERT_CHECK_SERVER)
return ((cert->ext_types & EXT_NS_CERT_TYPE)
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER));
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE;
- return false;
+ return FAILURE;
}
-bool
+result_t
x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku,
int expected_len)
{
- bool fFound = false;
+ result_t fFound = FAILURE;
if(!(cert->ext_types & EXT_KEY_USAGE))
{
@@ -305,7 +306,7 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku,
unsigned nku = cert->key_usage;
msg (D_HANDSHAKE, "Validating certificate key usage");
- for (i=0;!fFound && i<expected_len;i++)
+ for (i=0; SUCCESS != fFound && i<expected_len; i++)
{
if (expected_ku[i] != 0)
{
@@ -314,7 +315,7 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku,
if (nku == expected_ku[i])
{
- fFound = true;
+ fFound = SUCCESS;
}
}
}
@@ -322,10 +323,10 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku,
return fFound;
}
-bool
+result_t
x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
{
- bool fFound = false;
+ result_t fFound = FAILURE;
if (!(cert->ext_types & EXT_EXTENDED_KEY_USAGE))
{
@@ -349,7 +350,7 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
oid_str, expected_oid);
if (!strcmp (expected_oid, oid_str))
{
- fFound = true;
+ fFound = SUCCESS;
break;
}
}
@@ -361,7 +362,7 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
oid_num_str, expected_oid);
if (!strcmp (expected_oid, oid_num_str))
{
- fFound = true;
+ fFound = SUCCESS;
break;
}
}
@@ -372,20 +373,20 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
return fFound;
}
-bool
+result_t
x509_write_pem(FILE *peercert_file, x509_cert *peercert)
{
msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format");
- return true;
+ return FAILURE;
}
/*
* check peer cert against CRL
*/
-bool
+result_t
x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
{
- int retval = 0;
+ result_t retval = FAILURE;
x509_crl crl = {0};
if (x509parse_crlfile(&crl, crl_file) != 0)
@@ -399,7 +400,7 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
{
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
"certificate %s", crl_file, subject);
- retval = 1;
+ retval = SUCCESS;
goto end;
}
@@ -409,14 +410,10 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject)
goto end;
}
- retval = 1;
+ retval = SUCCESS;
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
x509_crl_free(&crl);
-
- if (!retval)
- return true;
-
- return false;
+ return retval;
}