authorAdriaan de Jong <dejong@fox-it.com>2011-06-29 14:28:44 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 11:32:40 +0200
commita4c926bb5939d95d9e7c0dfd4b83e61a11f86c90 (patch)
tree72a3d6cb0cb70bcdc9d65ca4d7c065c35c2d2672
parent587f419b714d283ad6d5c861d6f1ecf12345b89d (diff)
downloadopenvpn-a4c926bb5939d95d9e7c0dfd4b83e61a11f86c90.tar.gz
openvpn-a4c926bb5939d95d9e7c0dfd4b83e61a11f86c90.tar.xz
openvpn-a4c926bb5939d95d9e7c0dfd4b83e61a11f86c90.zip
Refactored tls-remote checking
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl.c14
-rw-r--r--ssl_verify.c15
2 files changed, 15 insertions, 14 deletions
diff --git a/ssl.c b/ssl.c
index d7cdd75..8d1fd73 100644
--- a/ssl.c
+++ b/ssl.c
@@ -431,20 +431,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
goto err;
- /* verify X509 name or common name against --tls-remote */
- if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && cert_depth == 0)
- {
- if (strcmp (opt->verify_x509name, subject) == 0
- || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
- msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
- else
- {
- msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
- subject, opt->verify_x509name);
- goto err; /* Reject connection */
- }
- }
-
/* call --tls-verify plug-in(s) */
if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
{
diff --git a/ssl_verify.c b/ssl_verify.c
index 7c263f8..9eda092 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -382,6 +382,21 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
}
#endif /* OPENSSL_VERSION_NUMBER */
+
+ /* verify X509 name or common name against --tls-remote */
+ if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+ {
+ if (strcmp (opt->verify_x509name, subject) == 0
+ || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+ msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
+ subject, opt->verify_x509name);
+ return 1; /* Reject connection */
+ }
+ }
+
return 0;
}
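Review bot: The common-name branch on the `strncmp` line is a prefix match — it compares only `strlen (opt->verify_x509name)` characters of `common_name` — while the subject branch on the line above is an exact `strcmp`, so a CN that merely begins with the configured --tls-remote value satisfies the check. The commit only relocates this block from ssl.c, so the asymmetry is inherited rather than introduced, but the comment should say which it is, e.g. `/* verify --tls-remote: exact match on subject, or prefix match on common name */`, or the branch should become `|| strcmp (opt->verify_x509name, common_name) == 0` if exact matching is what the option is meant to enforce. Dropping the `cert_depth == 0` condition appears safe, since the ssl.c hunk shows verify_peer_cert being called only when `cert_depth == 0`. verify_peer_cert starts outside the hunk, and `subject` and `common_name` are presumably locals declared there.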