authorAdriaan de Jong <dejong@fox-it.com>2011-06-30 11:19:07 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-21 14:51:45 +0200
commit0a67e4621dea40ff5aa292cebbd271633adbf157 (patch)
tree5bc55449a5940f3730e2ca3ac7b7c192bb949270 /ssl_verify_openssl.c
parente285cdb0a266fe43c282bc77cda4447d3043fffd (diff)
Refactored: split verify_callback into two parts
- One part is the actual callback, and is OpenSSL-specific
- One part, verify_cert(), is called by the callback to process the actual verification

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r--ssl_verify_openssl.c41
1 files changed, 41 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index a654e3d..06e1143 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -31,3 +31,44 @@
#include "ssl_verify_backend.h"
#include "ssl_openssl.h"
#include <openssl/x509v3.h>
+
+int
+verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
+{
+ struct tls_session *session;
+ SSL *ssl;
+
+ /* get the tls_session pointer */
+ ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ ASSERT (ssl);
+ session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
+ ASSERT (session);
+
+ cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash);
+
+ /* did peer present cert which was signed by our root cert? */
+ if (!preverify_ok)
+ {
+ /* get the X509 name */
+ char *subject = X509_NAME_oneline (
+ X509_get_subject_name (ctx->current_cert), NULL, 0);
+
+ if (subject)
+ {
+ /* Remote site specified a certificate, but it's not correct */
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
+ ctx->error_depth,
+ X509_verify_cert_error_string (ctx->error),
+ subject);
+ free (subject);
+ }
+
+ ERR_clear_error();
+
+ session->verified = false;
+
+ return 1;
+ }
+
+ return verify_cert(session, ctx->current_cert, ctx->error_depth);
+}
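Review bot: The `!preverify_ok` branch ends with `return 1;` right after `session->verified = false;`, which tells OpenSSL that the failed pre-verification is acceptable and lets the handshake continue; the connection is then refused only if every later code path consults `session->verified`, which this hunk cannot show. Failing closed in the callback itself, `return 0;` in that branch, makes the rejection independent of that bookkeeping and is the conventional contract for an X509 verify callback. The final `return verify_cert(...)` forwards verify_cert()'s result as the callback's verdict, so its return convention (non-zero only on success) should be stated in a comment here, e.g. `/* verify_cert() must return non-zero only when the certificate is accepted */`; its definition is outside this hunk and I could not confirm it. Also, `subject` comes from `X509_NAME_oneline(..., NULL, 0)`, which allocates through OpenSSL's allocator, so `OPENSSL_free (subject);` rather than `free (subject);` keeps the pairing correct when a custom allocator is installed.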