path: root/ssl_verify_openssl.c
Commit message | Author | Age | Files | Lines
* handle Windows unicode paths | Heiko Hund | 2012-02-13 | 1 | -5/+1
  Openvpn for Windows is not compiled as a Unicode binary and thus cannot handle paths which contain non-ASCII characters using the argv vector. Characters that are not present in the system codepage are simply replaced with a question mark, e.g. if started as 'openvpn --config домой.ovpn' the file '?????.ovpn' is tried to be opened as configuration.
  The same applies to paths in config files which need to be UTF-8 encoded if they contain non-ASCII characters. The option line 'key лев.pem' will lead to openvpn trying to open 'лев.pem' on a system with codepage 1252.
  This patch makes openvpn read the command line in UCS-2 and convert it to UTF-8 internally. Windows stores names in the filesystem in UCS-2. When using a path, openvpn converts it from UTF-8 to UCS-2 and uses the wide character Windows API function.
  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Enhance the error handling in _openssl_get_subject() | David Sommerseth | 2012-02-04 | 1 | -6/+7
  Avoid an extra goto label and make the code a bit simpler.
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Acked-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
* UTF-8 X.509 distinguished names | Heiko Hund | 2012-02-04 | 1 | -2/+38
  The UTF-8 support that came with commit 2627335 does allow international usernames and passwords. This patch introduces UTF-8 support for X.509 DNs. Additionally, instead of using the legacy openssl format, DNs are now displayed in RFC 2253 format; "/C=ru/L=\xD0\x9C\xD0\xBE\xD1\x81\xD0\xBA\xD0\xB2\xD0\xB0/O=\xD0\x9A\xD1\x80\xD0\xB5\xD0\xBC\xD0\xBB\xD1\x8C/CN=kreml.ru" becomes "C=ru, L=Москва, O=Кремль, CN=kreml.ru".
  Since the specific character classes for X.509 names are removed, the "no-name-remapping" configuration option has no use anymore and is removed as well.
  Signed-off-by: Heiko Hund <heiko.hund@sophos.com>
  Acked-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Minor cleanup to enable warning-free Windows build: | Adriaan de Jong | 2011-11-21 | 1 | -0/+1
  - Changed int32_t to size_t
  - Removed some unused variables
  - Added missing include files
  - changed ordering to ensure variable declarations are before asserts
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Tested-by: Samuli Seppänen <samuli@openvpn.net>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed disabling crypto and SSL | Adriaan de Jong | 2011-10-24 | 1 | -0/+6
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: David Sommerseth <davids@redhat.com>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed a typo: print the subject instead of the serial for verification errors | Adriaan de Jong | 2011-10-22 | 1 | -1/+1
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Unified verification function return values: | Adriaan de Jong | 2011-10-22 | 1 | -35/+36
  - Now return either SUCCESS or FAILURE.
  - SUCCESS is defined as 0.
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed a bug in the return value of ssl_verify when pre_verify failed | Adriaan de Jong | 2011-10-22 | 1 | -2/+4
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored (and disabled for PolarSSL) support for writing external cert files in scripts | Adriaan de Jong | 2011-10-22 | 1 | -24/+5
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Fixed a bug in the hash generation in ssl_verify_openssl.c | Adriaan de Jong | 2011-10-22 | 1 | -1/+1
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored X509 track feature to be contained within the openssl backend | Adriaan de Jong | 2011-10-22 | 1 | -16/+21
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Final cleanup before PolarSSL addition: | Adriaan de Jong | 2011-10-22 | 1 | -4/+21
  - Remove stray X509 entries
  - Remove unnecessary USE_OPENSSL ifdefs
  - Normalised x509_get_sha1_hash to look similar to x509_get_* functions
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored: renamed X509 functions from verify_* | Adriaan de Jong | 2011-10-22 | 1 | -12/+12
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Minor cleanup in verify_cert: | Adriaan de Jong | 2011-10-22 | 1 | -10/+14
  - Removed envname variable
  - Removed debug code
  - Changed ERR_clear_error to tls_clear_error
  - Changed verify_get_subject to match verify_get_serial more closely
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored CRL checks | Adriaan de Jong | 2011-10-22 | 1 | -0/+53
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
  Notes: "Doing low-level stuff like verifying CRL issuers and checking serial numbers is something that's better done by the OpenSSL library directly" (James Yonan, code review comment)
* Refactored tls-verify script code | Adriaan de Jong | 2011-10-22 | 1 | -0/+31
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored EKU verification | Adriaan de Jong | 2011-10-22 | 1 | -0/+44
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored key usage verification code | Adriaan de Jong | 2011-10-21 | 1 | -0/+54
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored: Netscape certificate type verification | Adriaan de Jong | 2011-10-21 | 1 | -0/+15
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored: separated environment setup during verification | Adriaan de Jong | 2011-10-21 | 1 | -0/+168
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Added function to verify and extract the username | Adriaan de Jong | 2011-10-21 | 1 | -0/+127
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Added function to extract and verify the subject from a certificate | Adriaan de Jong | 2011-10-21 | 1 | -0/+10
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored: split verify_callback into two parts | Adriaan de Jong | 2011-10-21 | 1 | -0/+41
  - One part is the actual callback, and is OpenSSL-specific
  - One part, verify_cert(), is called by the callback to process the actual verification
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: James Yonan <james@openvpn.net>
  Signed-off-by: David Sommerseth <davids@redhat.com>
* Refactored: Added stubs for new files | Adriaan de Jong | 2011-10-19 | 1 | -0/+33
  Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  Acked-by: Gert Doering <gert@greenie.muc.de>
  Signed-off-by: David Sommerseth <davids@redhat.com>