-rw-r--r-- | ssl.c | 60 | ||||
-rw-r--r-- | ssl_verify.c | 13 | ||||
-rw-r--r-- | ssl_verify_backend.h | 15 | ||||
-rw-r--r-- | ssl_verify_openssl.c | 44 |
4 files changed, 72 insertions, 60 deletions
@@ -302,48 +302,6 @@ setenv_untrusted (struct tls_session *session)
 setenv_link_socket_actual (session->opt->es, "untrusted", &session->untrusted_addr, SA_IP_PORT);
 }
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-bool verify_cert_eku (X509 *x509, const char * const expected_oid) {
-
- EXTENDED_KEY_USAGE *eku = NULL;
- bool fFound = false;
-
- if ((eku = (EXTENDED_KEY_USAGE *)X509_get_ext_d2i (x509, NID_ext_key_usage, NULL, NULL)) == NULL) {
- msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
- }
- else {
- int i;
-
- msg (D_HANDSHAKE, "Validating certificate extended key usage");
- for(i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++) {
- ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
- char szOid[1024];
-
- if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 0) != -1) {
- msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid, expected_oid);
- if (!strcmp (expected_oid, szOid)) {
- fFound = true;
- }
- }
- if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 1) != -1) {
- msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid, expected_oid);
- if (!strcmp (expected_oid, szOid)) {
- fFound = true;
- }
- }
- }
- }
-
- if (eku != NULL) {
- sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
- }
-
- return fFound;
-}
-
-#endif /* OPENSSL_VERSION_NUMBER */
-
 static void
 string_mod_sslname (char *str, const unsigned int restrictive_flags, const unsigned int ssl_flags)
 {
@@ -473,24 +431,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
 goto err;
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
- /* verify certificate eku */
- if (opt->remote_cert_eku != NULL && cert_depth == 0)
- {
- if (verify_cert_eku (cert, opt->remote_cert_eku))
- {
- msg (D_HANDSHAKE, "VERIFY EKU OK");
- }
- else
- {
- msg (D_HANDSHAKE, "VERIFY EKU ERROR");
- goto err; /* Reject connection */
- }
- }
-
-#endif /* OPENSSL_VERSION_NUMBER */
-
 /* verify X509 name or common name against --tls-remote */
 if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && cert_depth == 0)
 {
diff --git a/ssl_verify.c b/ssl_verify.c
index 2d8ae49..7c263f8 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -367,6 +367,19 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 }
 }
+ /* verify certificate eku */
+ if (opt->remote_cert_eku != NULL)
+ {
+ if (verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ {
+ msg (D_HANDSHAKE, "VERIFY EKU OK");
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY EKU ERROR");
+ return 1; /* Reject connection */
+ }
+ }
 #endif /* OPENSSL_VERSION_NUMBER */
 return 0;
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index 9b88f71..f54aa04 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
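Review bot: The moved EKU check no longer carries the `cert_depth == 0` condition the deleted ssl.c code had, and nothing in verify_peer_cert records that it is only meaningful for the leaf certificate; the restriction now lives solely in the caller (`cert_depth == 0 && verify_peer_cert(...)` in the ssl.c hunk above), so a future caller that passes an intermediate would silently apply the check there. I would make that explicit on the new comment line: `/* verify certificate eku (leaf certificate only; callers guard with cert_depth == 0) */`. The trailing `#endif /* OPENSSL_VERSION_NUMBER */` context also shows the block still sits inside an OpenSSL-version guard whose opening `#if` is outside the hunk, while the header hunk declares verify_cert_eku unconditionally, so whatever that guard excludes keeps a declaration without a definition — worth a note if that is intentional. verify_peer_cert starts before this hunk.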
@@ -167,4 +167,19 @@ bool verify_nsCertType(const x509_cert_t *cert, const int usage);
 bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, int expected_len);
+/*
+ * Verify X.509 extended key usage extension field.
+ *
+ * @param cert Certificate to check.
+ * @param expected_oid String representation of the expected Object ID. May be
+ * either the string representation of the numeric OID
+ * (e.g. \c "1.2.3.4", or the descriptive string matching
+ * the OID.
+ *
+ * @return \c true if one of the expected OID matches one of the
+ * extended key usage fields, \c false if extended key
+ * usage is not enabled, or the values do not match.
+ */
+bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+
 #endif /* SSL_VERIFY_BACKEND_H_ */
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 1a6bb2d..a33b435 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
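Review bot: The Doxygen block documents a parameter `cert` that the prototype does not have — the argument is named `x509` — and the example parenthesis in `(e.g. \c "1.2.3.4", or the descriptive string` is never closed, so generated docs will show an undocumented parameter and a dangling example. Either rename the argument to `cert` to match `verify_nsCertType` above, or change the tag to `@param x509 Certificate to check.`, and close the example: `(e.g. \c "1.2.3.4"), or the descriptive string matching the OID.` The `@return` wording "extended key usage is not enabled" is ambiguous; "the certificate carries no extended key usage extension" is what the implementation in the ssl_verify_openssl.c hunk actually tests. That implementation also ends just before an `#endif /* OPENSSL_VERSION_NUMBER */`, so this unconditional declaration only has a definition under that version guard — worth stating in the comment if the header is meant to be backend-neutral.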
@@ -445,4 +445,48 @@ verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
 return fFound;
 }
+bool
+verify_cert_eku (X509 *x509, const char * const expected_oid)
+{
+ EXTENDED_KEY_USAGE *eku = NULL;
+ bool fFound = false;
+
+ if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
+ NULL, NULL)) == NULL)
+ {
+ msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
+ }
+ else
+ {
+ int i;
+
+ msg (D_HANDSHAKE, "Validating certificate extended key usage");
+ for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+ {
+ ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
+ char szOid[1024];
+
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
+ fFound = true;
+ }
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
+ fFound = true;
+ }
+ }
+ }
+
+ if (eku != NULL)
+ sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
+
+ return fFound;
+}
+
 #endif /* OPENSSL_VERSION_NUMBER */ |
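Review bot: `X509_get_ext_d2i (x509, NID_ext_key_usage, NULL, NULL)` returns NULL not only when the extension is absent but also, per the X509V3_get_d2i documentation, when it occurs more than once or cannot be decoded, so the "Certificate does not have extended key usage extension" message misreports a malformed or duplicated EKU as a missing one — exactly the case an operator debugging a rejected peer needs to see. The check still fails closed in all of those cases because fFound stays false, so this is a diagnostics issue rather than a bypass; passing a status variable fixes the log: `int crit = -1;`, `eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage, &crit, NULL);` and `msg (D_HANDSHAKE, "Certificate has no usable extended key usage extension (crit=%d)", crit);` where -1 means absent, -2 duplicated, and 0/1 present but undecodable. Separately, `OBJ_obj2txt` reports the full text length even when it truncates to `sizeof(szOid)`, so the `!= -1` test also hands a truncated name to strcmp; a truncated string cannot equal a well-formed expected_oid, so it is harmless, but `ret > 0 && ret < sizeof(szOid)` states the intent and does not depend on the -1 convention of older OpenSSL releases.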