author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-29 14:28:44 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:40 +0200 |
commit | a4c926bb5939d95d9e7c0dfd4b83e61a11f86c90 (patch) | |
tree | 72a3d6cb0cb70bcdc9d65ca4d7c065c35c2d2672 /ssl_verify.c | |
parent | 587f419b714d283ad6d5c861d6f1ecf12345b89d (diff) | |
Refactored tls-remote checking
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify.c')
-rw-r--r-- | ssl_verify.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/ssl_verify.c b/ssl_verify.c
index 7c263f8..9eda092 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -382,6 +382,21 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 }
 #endif /* OPENSSL_VERSION_NUMBER */
+
+ /* verify X509 name or common name against --tls-remote */
+ if (opt->verify_x509name && strlen (opt->verify_x509name) > 0)
+ {
+ if (strcmp (opt->verify_x509name, subject) == 0
+ || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+ msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
+ subject, opt->verify_x509name);
+ return 1; /* Reject connection */
+ }
+ }
+
 return 0;
 } |
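Review bot: The common-name comparison in the added block is a prefix match, because `strncmp` is bounded by `strlen (opt->verify_x509name)`, so any certificate whose CN merely begins with the configured value is accepted, while the subject comparison next to it is exact. If prefix matching is the intended --tls-remote behaviour, the comment should say so, e.g. `/* subject must match exactly; common name is accepted on a prefix match of --tls-remote */`; if it is not, the second test should be `strcmp (opt->verify_x509name, common_name) == 0`. `subject` and `common_name` are set outside this hunk (the body of verify_peer_cert starts above it), so it is worth confirming that neither can be NULL when this block is reached.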