author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-30 15:44:24 +0200 |
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:41 +0200 |
commit | bb53a20a9b678da3acce6b73cb3d6f73ebdbede9 (patch) | |
tree | 7a6c58cab7048715c75083aaca8d2de30292f846 | |
parent | 71ebd84debcea72d5b86861aca33553eb435126c (diff) | |
Refactored: renamed X509 functions from verify_*
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r-- | ssl_verify.c | 32 | ||||
-rw-r--r-- | ssl_verify_backend.h | 24 | ||||
-rw-r--r-- | ssl_verify_openssl.c | 24 |
3 files changed, 40 insertions, 40 deletions
diff --git a/ssl_verify.c b/ssl_verify.c index e82e5c0..804abe7 100644 --- a/ssl_verify.c +++ b/ssl_verify.c @@ -338,7 +338,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, /* verify certificate nsCertType */ if (opt->ns_cert_type != NS_CERT_CHECK_NONE) { - if (verify_nsCertType (peer_cert, opt->ns_cert_type)) + if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type)) { msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s", print_nsCertType (opt->ns_cert_type)); @@ -356,7 +356,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, /* verify certificate ku */ if (opt->remote_cert_ku[0] != 0) { - if (verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS)) + if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS)) { msg (D_HANDSHAKE, "VERIFY KU OK"); } @@ -370,7 +370,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, /* verify certificate eku */ if (opt->remote_cert_eku != NULL) { - if (verify_cert_eku (peer_cert, opt->remote_cert_eku)) + if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku)) { msg (D_HANDSHAKE, "VERIFY EKU OK"); } @@ -414,10 +414,10 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, /* Save X509 fields in environment */ #ifdef ENABLE_X509_TRACK if (x509_track) - setenv_x509_track (x509_track, es, cert_depth, peer_cert); + x509_setenv_track (x509_track, es, cert_depth, peer_cert); else #endif - setenv_x509 (es, cert_depth, peer_cert); + x509_setenv (es, cert_depth, peer_cert); /* export subject name string as environmental variable */ openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", cert_depth); 
@@ -443,10 +443,10 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, /* export serial number as environmental variable, use bignum in case serial number is large */ { - char *serial = verify_get_serial(peer_cert); + char *serial = x509_get_serial(peer_cert); openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth); setenv_str (es, envname, serial); - verify_free_serial(serial); + x509_free_serial(serial); } } @@ -500,7 +500,7 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, if (verify_export_cert) { gc = gc_new(); - if ((tmp_file=write_peer_cert(cert, verify_export_cert,&gc))) + if ((tmp_file=x509_write_cert(cert, verify_export_cert,&gc))) { setenv_str(es, "peer_cert", tmp_file); } @@ -540,24 +540,24 @@ verify_check_crl_dir(const char *crl_dir, X509 *cert) { char fn[256]; int fd; - char *serial = verify_get_serial(cert); + char *serial = x509_get_serial(cert); if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) { msg (D_HANDSHAKE, "VERIFY CRL: filename overflow"); - verify_free_serial(serial); + x509_free_serial(serial); return true; } fd = open (fn, O_RDONLY); if (fd >= 0) { msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); - verify_free_serial(serial); + x509_free_serial(serial); close(fd); return true; } - verify_free_serial(serial); + x509_free_serial(serial); return false; } @@ -575,7 +575,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) session->verified = false; /* get the X509 name */ - subject = verify_get_subject(cert); + subject = x509_get_subject(cert); if (!subject) { msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " 
@@ -588,7 +588,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) string_replace_leading (subject, '-', '_'); /* extract the username (default is CN) */ - if (verify_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert)) + if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert)) { if (!cert_depth) { @@ -657,7 +657,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) } else { - if (verify_check_crl(opt->crl_file, cert, subject)) + if (x509_verify_crl(opt->crl_file, cert, subject)) goto err; } } @@ -666,7 +666,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) session->verified = true; done: - verify_free_subject (subject); + x509_free_subject (subject); return (session->verified == true) ? 1 : 0; err: diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h index ed6e62f..cab847d 100644 --- a/ssl_verify_backend.h +++ b/ssl_verify_backend.h @@ -81,14 +81,14 @@ void cert_hash_remember (struct tls_session *session, const int cert_depth, * * @return a string containing the subject */ -char *verify_get_subject (X509 *cert); +char *x509_get_subject (x509_cert_t *cert); /* * Free a subjectnumber string as returned by \c verify_get_subject() * * @param subject The subject to be freed. */ -void verify_free_subject (char *subject); +void x509_free_subject (char *subject); /* * Retrieve the certificate's username from the specified field. @@ -103,7 +103,7 @@ void verify_free_subject (char *subject); * * @return \c 1 on failure, \c 0 on success */ -bool verify_get_username (char *common_name, int cn_len, +bool x509_get_username (char *common_name, int cn_len, char * x509_username_field, x509_cert_t *peer_cert); /* 
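Review bot: The rename leaves two cross-references in the header's context lines stale: the comment above `x509_free_subject` in the @@ -81,14 hunk still says `Free a subjectnumber string as returned by \c verify_get_subject()`, and the comment above `x509_free_serial` in the following @@ -116,14 hunk still cites `\c verify_get_serial()`, neither of which exists after this commit. They should read `Free a subject string as returned by \c x509_get_subject()` and `Free a serial number string as returned by \c x509_get_serial()` so the Doxygen links resolve to the new names. The same @@ -81,14 hunk also changes the parameter of `x509_get_subject` from `X509 *` to `x509_cert_t *` while the definition in ssl_verify_openssl.c keeps `X509 *cert`; that is presumably fine if `x509_cert_t` is a typedef of `X509` in the OpenSSL backend, but worth confirming so the header and backend prototypes stay in sync.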
@@ -116,14 +116,14 @@ bool verify_get_username (char *common_name, int cn_len, * * @return The certificate's serial number. */ -char *verify_get_serial (x509_cert_t *cert); +char *x509_get_serial (x509_cert_t *cert); /* * Free a serial number string as returned by \c verify_get_serial() * * @param serial The string to be freed. */ -void verify_free_serial (char *serial); +void x509_free_serial (char *serial); /* * TODO: document @@ -133,7 +133,7 @@ void verify_free_serial (char *serial); * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for */ -void setenv_x509_track (const struct x509_track *xt, struct env_set *es, +void x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, x509_cert_t *x509); /* @@ -145,7 +145,7 @@ void setenv_x509_track (const struct x509_track *xt, struct env_set *es, * @param cert_depth Depth of the certificate * @param cert Certificate to set the environment for */ -void setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *cert); +void x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert); /* * Check X.509 Netscape certificate type field, if available. @@ -158,7 +158,7 @@ void setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *cert); * the expected bit set. \c false if the certificate does * not have NS cert type verification or the wrong bit set. */ -bool verify_nsCertType(const x509_cert_t *cert, const int usage); +bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage); /* * Verify X.509 key usage extension field. @@ -170,7 +170,7 @@ bool verify_nsCertType(const x509_cert_t *cert, const int usage); * @return \c true if one of the key usage values matches, \c false * if key usage is not enabled, or the values do not match. */ -bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, +bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, int expected_len); /* 
@@ -186,7 +186,7 @@ bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, * extended key usage fields, \c false if extended key * usage is not enabled, or the values do not match. */ -bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); +bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); /* * Store the given certificate in pem format in a temporary file in tmp_dir @@ -195,7 +195,7 @@ bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); * @param tmp_dir Temporary directory to store the directory * @param gc gc_arena to store temporary objects in */ -const char *write_peer_cert(x509_cert_t *cert, const char *tmp_dir, +const char *x509_write_cert(x509_cert_t *cert, const char *tmp_dir, struct gc_arena *gc); /* @@ -209,7 +209,7 @@ const char *write_peer_cert(x509_cert_t *cert, const char *tmp_dir, * certificate or does not contain an entry for it. * \c 0 otherwise. */ -bool verify_check_crl(const char *crl_file, x509_cert_t *cert, +bool x509_verify_crl(const char *crl_file, x509_cert_t *cert, const char *subject); #endif /* SSL_VERIFY_BACKEND_H_ */ diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c index a1b25d0..f6d27b1 100644 --- a/ssl_verify_openssl.c +++ b/ssl_verify_openssl.c @@ -183,7 +183,7 @@ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, } bool -verify_get_username (char *common_name, int cn_len, +x509_get_username (char *common_name, int cn_len, char * x509_username_field, X509 *peer_cert) { #ifdef ENABLE_X509ALTUSERNAME @@ -201,7 +201,7 @@ verify_get_username (char *common_name, int cn_len, } char * -verify_get_serial (x509_cert_t *cert) +x509_get_serial (x509_cert_t *cert) { ASN1_INTEGER *asn1_i; BIGNUM *bignum; 
@@ -216,20 +216,20 @@ verify_get_serial (x509_cert_t *cert) } void -verify_free_serial (char *serial) +x509_free_serial (char *serial) { if (serial) OPENSSL_free(serial); } char * -verify_get_subject (X509 *cert) +x509_get_subject (X509 *cert) { return X509_NAME_oneline (X509_get_subject_name (cert), NULL, 0); } void -verify_free_subject (char *subject) +x509_free_subject (char *subject) { if (subject) OPENSSL_free(subject); @@ -272,7 +272,7 @@ do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) } void -setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) +x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, X509 *x509) { X509_NAME *x509_name = X509_get_subject_name (x509); const char nullc = '\0'; @@ -335,7 +335,7 @@ setenv_x509_track (const struct x509_track *xt, struct env_set *es, const int de * X509_{cert_depth}_{name}={value} */ void -setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *peer_cert) +x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *peer_cert) { int i, n; int fn_nid; @@ -383,7 +383,7 @@ setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *peer_cert) } bool -verify_nsCertType(const x509_cert_t *peer_cert, const int usage) +x509_verify_ns_cert_type(const x509_cert_t *peer_cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) return true; @@ -400,7 +400,7 @@ verify_nsCertType(const x509_cert_t *peer_cert, const int usage) #if OPENSSL_VERSION_NUMBER >= 0x00907000L bool -verify_cert_ku (X509 *x509, const unsigned * const expected_ku, +x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, int expected_len) { ASN1_BIT_STRING *ku = NULL; 
@@ -450,7 +450,7 @@ verify_cert_ku (X509 *x509, const unsigned * const expected_ku, } bool -verify_cert_eku (X509 *x509, const char * const expected_oid) +x509_verify_cert_eku (X509 *x509, const char * const expected_oid) { EXTENDED_KEY_USAGE *eku = NULL; bool fFound = false; @@ -494,7 +494,7 @@ verify_cert_eku (X509 *x509, const char * const expected_oid) } const char * -write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) +x509_write_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) { FILE *peercert_file; const char *peercert_filename=""; @@ -529,7 +529,7 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) * check peer cert against CRL */ bool -verify_check_crl(const char *crl_file, X509 *peer_cert, const char *subject) +x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) { X509_CRL *crl=NULL; X509_REVOKED *revoked; |