authorAdriaan de Jong <dejong@fox-it.com>2011-06-28 16:22:40 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-21 14:51:45 +0200
commit530af3efa38bd4e1044e5982f1970f5d772dbb48 (patch)
tree5628dedbeba9d56660c0b15d6d7940a252d739fe /ssl_verify.c
parent82f925b60c0f029295975e64d9acabb53c0a5e3c (diff)
Refactored common name locking functions
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify.c')
-rw-r--r--ssl_verify.c67
1 files changed, 67 insertions, 0 deletions
diff --git a/ssl_verify.c b/ssl_verify.c
index 37efafb..b8f66f7 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -49,6 +49,54 @@ tls_deauthenticate (struct tls_multi *multi)
}
}
+void
+set_common_name (struct tls_session *session, const char *common_name)
+{
+ if (session->common_name)
+ {
+ free (session->common_name);
+ session->common_name = NULL;
+#ifdef ENABLE_PF
+ session->common_name_hashval = 0;
+#endif
+ }
+ if (common_name)
+ {
+ session->common_name = string_alloc (common_name, NULL);
+#ifdef ENABLE_PF
+ {
+ const uint32_t len = (uint32_t) strlen (common_name);
+ if (len)
+ session->common_name_hashval = hash_func ((const uint8_t*)common_name, len+1, 0);
+ else
+ session->common_name_hashval = 0;
+ }
+#endif
+ }
+}
+
+const char *
+tls_common_name (const struct tls_multi *multi, const bool null)
+{
+ const char *ret = NULL;
+ if (multi)
+ ret = multi->session[TM_ACTIVE].common_name;
+ if (ret && strlen (ret))
+ return ret;
+ else if (null)
+ return NULL;
+ else
+ return "UNDEF";
+}
+
+void
+tls_lock_common_name (struct tls_multi *multi)
+{
+ const char *cn = multi->session[TM_ACTIVE].common_name;
+ if (cn && !multi->locked_cn)
+ multi->locked_cn = string_alloc (cn, NULL);
+}
+
void
cert_hash_remember (struct tls_session *session, const int error_depth, const unsigned char *sha1_hash)
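Review bot: set_common_name frees session->common_name before it copies the incoming common_name, so a caller that passes the session's own current name (or a pointer into it) would read freed memory on the string_alloc line; neither visible caller does this today, but the function is now a public helper and nothing in its contract says so. Making the copy first and freeing the old value afterwards removes the hazard without changing the result for the existing callers. The ENABLE_PF hash block can stay as it is, since it reads the caller's common_name after the copy has been taken; if the reorder is not wanted, the constraint should at least be stated above the function, e.g. `/* common_name must not alias session->common_name; the old value is freed first */`.
```c
void
set_common_name (struct tls_session *session, const char *common_name)
{
  /* take the copy before releasing the old value so common_name may alias it */
  char *copy = common_name ? string_alloc (common_name, NULL) : NULL;

  free (session->common_name);
  session->common_name = copy;
#ifdef ENABLE_PF
  session->common_name_hashval = 0;
#endif
  if (common_name)
    {
      /* … unchanged: ENABLE_PF hash computation over common_name … */
    }
}
```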
@@ -156,6 +204,25 @@ tls_lock_cert_hash_set (struct tls_multi *multi)
void
verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
{
+ /* While it shouldn't really happen, don't allow the common name to be NULL */
+ if (!session->common_name)
+ set_common_name (session, "");
+
+ /* Don't allow the CN to change once it's been locked */
+ if (multi->locked_cn)
+ {
+ const char *cn = session->common_name;
+ if (cn && strcmp (cn, multi->locked_cn))
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
+ multi->locked_cn,
+ cn);
+
+ /* change the common name back to its original value and disable the tunnel */
+ set_common_name (session, multi->locked_cn);
+ tls_deauthenticate (multi);
+ }
+ }
/* Don't allow the cert hashes to change once they have been locked */
if (multi->locked_cert_hash_set)