author | Heiko Hund <heiko.hund@sophos.com> | 2013-03-07 16:36:41 +0100 |
committer | Gert Doering <gert@greenie.muc.de> | 2013-03-07 20:23:36 +0100 |
commit | 9f0fc745664fd0fc6a1c6785e101bf912088db16 (patch) | |
tree | c459b41732989a3547ba4014b9fb904369ed57ea /src/openvpn/ssl_verify.c | |
parent | ad532bba896875e56488e69ec16212a77787c57b (diff) | |
add new option for X.509 name verification
Add the option --verify-x509-name to provide the functionality
of the now deprecated --tls-remote.
The new option accepts RFC 2253 subject DNs only and compares
RDN or RDN prefix only if configured explicitly.
Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: 1362670601-18660-1-git-send-email-heiko.hund@sophos.com
URL: http://article.gmane.org/gmane.network.openvpn.devel/7376
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_verify.c')
-rw-r--r-- | src/openvpn/ssl_verify.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index cac46e9..e651a8e 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -369,16 +369,21 @@ verify_peer_cert(const struct tls_options *opt, openvpn_x509_cert_t *peer_cert,
 #endif /* OPENSSL_VERSION_NUMBER */
-  /* verify X509 name or common name against --tls-remote */
-  if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+  /* verify X509 name or username against --verify-x509-[user]name */
+  if (opt->verify_x509_type != VERIFY_X509_NONE)
     {
-      if (strcmp (opt->verify_x509name, subject) == 0
-          || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+      if ( (opt->verify_x509_type == VERIFY_X509_SUBJECT_DN
+            && strcmp (opt->verify_x509_name, subject) == 0)
+           || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN
+               && strcmp (opt->verify_x509_name, common_name) == 0)
+           || (opt->verify_x509_type == VERIFY_X509_SUBJECT_RDN_PREFIX
+               && strncmp (opt->verify_x509_name, common_name,
+                           strlen (opt->verify_x509_name)) == 0) )
         msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
       else
         {
           msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
-               subject, opt->verify_x509name);
+               subject, opt->verify_x509_name);
           return FAILURE;           /* Reject connection */
         }
     }
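Review bot: The removed `strlen (opt->verify_x509name) > 0` guard has no counterpart in the new condition, so in the VERIFY_X509_SUBJECT_RDN_PREFIX branch an empty `verify_x509_name` makes `strncmp (..., strlen (opt->verify_x509_name))` compare zero bytes and accept any common name, and in the other branches it would dereference a NULL name if one ever reaches this point; whether the option parser rejects an empty or missing name is not visible in this hunk, so this should either be guaranteed there or re-checked here, e.g. `if (opt->verify_x509_type != VERIFY_X509_NONE && opt->verify_x509_name && *opt->verify_x509_name)`. Separately, the failure message still prints `subject` even for the two RDN modes, which compare against `common_name`; logging the value that was actually compared would make mismatches easier to diagnose. verify_peer_cert begins before and continues after this hunk.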