diff options
Diffstat (limited to 'src/openvpn/ssl_verify_mbedtls.c')
-rw-r--r-- | src/openvpn/ssl_verify_mbedtls.c | 65 |
1 files changed, 23 insertions, 42 deletions
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 838c217..f01569f 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -208,7 +209,7 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, { const size_t md_size = mbedtls_md_get_size(md_info); struct buffer fingerprint = alloc_buf_gc(md_size, gc); - mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint)); + mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR(&fingerprint)); ASSERT(buf_inc_len(&fingerprint, md_size)); return fingerprint; } @@ -267,21 +268,11 @@ asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) size_t i; char *val; - if (!(orig->tag == MBEDTLS_ASN1_UTF8_STRING - || orig->tag == MBEDTLS_ASN1_PRINTABLE_STRING - || orig->tag == MBEDTLS_ASN1_IA5_STRING)) - { - /* Only support C-string compatible types */ - return string_alloc("ERROR: unsupported ASN.1 string type", gc); - } - for (i = 0; i < orig->len; ++i) - { if (orig->p[i] == '\0') { - return string_alloc("ERROR: embedded null value", gc); + return "ERROR: embedded null value"; } - } val = gc_malloc(orig->len+1, false, gc); memcpy(val, orig->p, orig->len); val[orig->len] = '\0'; @@ -418,7 +409,7 @@ x509_setenv(struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) } result_t -x509_verify_ns_cert_type(mbedtls_x509_crt *cert, const int usage) +x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage) { if (usage == NS_CERT_CHECK_NONE) { @@ -444,42 +435,32 @@ result_t x509_verify_cert_ku(mbedtls_x509_crt *cert, const unsigned *const expected_ku, int expected_len) { - msg(D_HANDSHAKE, "Validating certificate key usage"); + result_t fFound = FAILURE; if (!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE)) { - msg(D_TLS_ERRORS, - "ERROR: Certificate does not have key usage extension"); - return FAILURE; + msg(D_HANDSHAKE, "Certificate does not have key usage extension"); } - - if (expected_ku[0] == OPENVPN_KU_REQUIRED) + else { - /* Extension required, value checked by TLS library */ - return SUCCESS; - } + int i; + unsigned nku = cert->key_usage; - result_t fFound = FAILURE; - for (size_t i = 0; SUCCESS != fFound && i<expected_len; i++) - { - if (expected_ku[i] != 0 - && 0 == mbedtls_x509_crt_check_key_usage(cert, expected_ku[i])) + msg(D_HANDSHAKE, "Validating certificate key usage"); + for (i = 0; SUCCESS != fFound && i<expected_len; i++) { - fFound = SUCCESS; - } - } + if (expected_ku[i] != 0) + { + msg(D_HANDSHAKE, "++ Certificate has key usage %04x, expects " + "%04x", nku, expected_ku[i]); - if (fFound != SUCCESS) - { - msg(D_TLS_ERRORS, - "ERROR: Certificate has key usage %04x, expected one of:", - cert->key_usage); - for (size_t i = 0; i < expected_len && expected_ku[i]; i++) - { - msg(D_TLS_ERRORS, " * %04x", expected_ku[i]); + if (nku == expected_ku[i]) + { + fFound = SUCCESS; + } + } } } - return fFound; } |