From 0a67e4621dea40ff5aa292cebbd271633adbf157 Mon Sep 17 00:00:00 2001
From: Adriaan de Jong
Date: Thu, 30 Jun 2011 11:19:07 +0200
Subject: Refactored: split verify_callback into two parts

- One part is the actual callback, and is OpenSSL-specific
- One part, verify_cert(), is called by the callback to process the actual verification

Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
 ssl_verify_openssl.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

(limited to 'ssl_verify_openssl.c')

diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index a654e3d..06e1143 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -31,3 +31,44 @@
 #include "ssl_verify_backend.h"
 #include "ssl_openssl.h"
 #include 
+
+int
+verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
+{
+ struct tls_session *session;
+ SSL *ssl;
+
+ /* get the tls_session pointer */
+ ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ ASSERT (ssl);
+ session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
+ ASSERT (session);
+
+ cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash);
+
+ /* did peer present cert which was signed by our root cert? */
+ if (!preverify_ok)
+ {
+ /* get the X509 name */
+ char *subject = X509_NAME_oneline (
+ X509_get_subject_name (ctx->current_cert), NULL, 0);
+
+ if (subject)
+ {
+ /* Remote site specified a certificate, but it's not correct */
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
+ ctx->error_depth,
+ X509_verify_cert_error_string (ctx->error),
+ subject);
+ free (subject);
+ }
+
+ ERR_clear_error();
+
+ session->verified = false;
+
+ return 1;
+ }
+
+ return verify_cert(session, ctx->current_cert, ctx->error_depth);
+}
-- cgit
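Review bot: `cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash)` dereferences `ctx->current_cert` before the `preverify_ok` check, and OpenSSL documents that the current certificate can be NULL when the error is not tied to a specific certificate (CRL lookup failures are one documented case), so a verification error can crash the callback instead of being rejected. The same pointer is then passed unchecked to `X509_get_subject_name` and to `verify_cert` at the bottom of the function. I would hoist it into a local and take the failure path first: `X509 *cert = ctx->current_cert;` followed by `if (!cert) { session->verified = false; return 1; }`, which mirrors what the existing `!preverify_ok` branch does and presumably lets the later `session->verified` check fail the handshake — that check lives outside this hunk, so confirm it exists. Separately, `ctx->error_depth`, `ctx->error` and `ctx->current_cert` are read as raw struct fields here; the `X509_STORE_CTX_get_error_depth()`, `X509_STORE_CTX_get_error()` and `X509_STORE_CTX_get_current_cert()` accessors already exist and would keep this file building once the struct becomes opaque.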