author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-29 14:20:43 +0200 |
committer | David Sommerseth <davids@redhat.com> | 2011-10-21 14:51:45 +0200 |
commit | 876752aed66a143295d9d0d4e61dc9a8beca2f5e (patch) | |
tree | 8e189e7bed3ded23b11903aac8798d309fc05d7b /ssl_verify_openssl.c | |
parent | 06d22777e9172efe3b3dc15c1bc2c6ef5d292cfa (diff) | |
Refactored key usage verification code
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r-- | ssl_verify_openssl.c | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 033af1d..1a6bb2d 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -392,3 +392,57 @@ verify_nsCertType(const x509_cert_t *peer_cert, const int usage)
 return false;
 }
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+
+bool
+verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
+ int expected_len)
+{
+ ASN1_BIT_STRING *ku = NULL;
+ bool fFound = false;
+
+ if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
+ NULL)) == NULL)
+ {
+ msg (D_HANDSHAKE, "Certificate does not have key usage extension");
+ }
+ else
+ {
+ unsigned nku = 0;
+ int i;
+ for (i = 0; i < 8; i++)
+ {
+ if (ASN1_BIT_STRING_get_bit (ku, i))
+ nku |= 1 << (7 - i);
+ }
+
+ /*
+ * Fixup if no LSB bits
+ */
+ if ((nku & 0xff) == 0)
+ {
+ nku >>= 8;
+ }
+
+ msg (D_HANDSHAKE, "Validating certificate key usage");
+ for (i = 0; !fFound && i < expected_len; i++)
+ {
+ if (expected_ku[i] != 0)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
+ "%04x", nku, expected_ku[i]);
+
+ if (nku == expected_ku[i])
+ fFound = true;
+ }
+ }
+ }
+
+ if (ku != NULL)
+ ASN1_BIT_STRING_free (ku);
+
+ return fFound;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */ |
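Review bot: The "Fixup if no LSB bits" block in verify_cert_ku can never do anything: the loop above it only runs `i < 8` and sets bit `7 - i`, so nku is confined to bits 0–7 and `(nku & 0xff) == 0` is true only when nku is already zero, making `nku >>= 8` a no-op. The same `i < 8` bound also drops bit 8 of the extension (decipherOnly in RFC 5280 KeyUsage), so a certificate that sets it produces the same nku as one that does not and passes the exact `nku == expected_ku[i]` comparison with the same expected value; the shift looks like it was written for a 16-bit packing, which I can only infer. If the expected values are meant to be the 16-bit key-usage encoding, `for (i = 0; i < 16; i++)` together with `nku |= 1 << (15 - i);` would make the fixup meaningful and keep decipherOnly in the comparison; otherwise the fixup block should be removed so the dead path does not mislead the next reader. A header comment stating the matching rule would also help, e.g. `/* Returns true iff the cert's packed keyUsage bits equal one of the non-zero entries of expected_ku[]; a cert without the extension never matches. */`.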