author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-29 14:24:15 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:40 +0200 |
commit | 587f419b714d283ad6d5c861d6f1ecf12345b89d (patch) | |
tree | 78bd0e374c31d04541e36aa05527baafd602138a /ssl_verify_openssl.c | |
parent | 876752aed66a143295d9d0d4e61dc9a8beca2f5e (diff) | |
Refactored EKU verification
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r-- | ssl_verify_openssl.c | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 1a6bb2d..a33b435 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -445,4 +445,48 @@ verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
 return fFound;
 }
+bool
+verify_cert_eku (X509 *x509, const char * const expected_oid)
+{
+ EXTENDED_KEY_USAGE *eku = NULL;
+ bool fFound = false;
+
+ if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
+ NULL, NULL)) == NULL)
+ {
+ msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
+ }
+ else
+ {
+ int i;
+
+ msg (D_HANDSHAKE, "Validating certificate extended key usage");
+ for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+ {
+ ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
+ char szOid[1024];
+
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
+ fFound = true;
+ }
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
+ fFound = true;
+ }
+ }
+ }
+
+ if (eku != NULL)
+ sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
+
+ return fFound;
+}
+
 #endif /* OPENSSL_VERSION_NUMBER */ |
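Review bot: verify_cert_eku lands without a header comment stating which spellings expected_oid is matched against and what a NULL from X509_get_ext_d2i means, and both matter to anyone tuning the EKU check later. The no_name=0 pass of OBJ_obj2txt yields OpenSSL's long name (falling back to dotted-decimal for OIDs it does not know) and the no_name=1 pass yields the dotted form, so a caller may pass either of those but not the short name; a comment above `bool` such as `/* Return true iff x509 carries an EKU whose OpenSSL long name or dotted-decimal OID text equals expected_oid; an absent or unparsable EKU extension (and, with idx == NULL, a duplicated one) yields false. */` would capture that. The `!= -1` test on OBJ_obj2txt only catches hard errors, not truncation: the return value is the length that would have been written, so an OID text longer than szOid is silently cut to 1023 bytes before strcmp — this can only produce a non-match, never a false match, but `if (OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) >= (int) sizeof(szOid)) continue;` would make that intent explicit. The leading `!fFound &&` in the first `if` is already guaranteed by the `for` condition and can be dropped.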