add new option for X.509 name verification

Add the option --verify-x509-name to provide the functionality
of the now deprecated --tls-remote.

The new option accepts RFC 2253 subject DNs only and compares
RDN or RDN prefix only if configured explicitly.

Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7376
Signed-off-by: Gert Doering <gert@greenie.muc.de>

1 files changed, 10 insertions, 5 deletions

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index cac46e9..e651a8e 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -369,16 +369,21 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
 
 #endif /* OPENSSL_VERSION_NUMBER */
 
-  /* verify X509 name or common name against --tls-remote */
-  if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+  /* verify X509 name or username against --verify-x509-[user]name */
+  if (opt->verify_x509_type != VERIFY_X509_NONE)
     {
-      if (strcmp (opt->verify_x509name, subject) == 0
-	  || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+      if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
+            && strcmp (opt->verify_x509_name, subject) == 0)
+        || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
+            && strcmp (opt->verify_x509_name, common_name) == 0)
+        || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
+            && strncmp (opt->verify_x509_name, common_name,
+                        strlen (opt->verify_x509_name)) == 0) )
 	msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
       else
 	{
 	  msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
-	       subject, opt->verify_x509name);
+	       subject, opt->verify_x509_name);
 	  return FAILURE;		/* Reject connection */
 	}
     }