
Refactored key usage verification code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>

Adriaan de Jong authored on 2011/06/29 21:20:43
Showing 4 changed files
... ...
@@ -342,49 +342,6 @@ bool verify_cert_eku (X509 *x509, const char * const expected_oid) {
342 342
 	return fFound;
343 343
 }
344 344
 
345
-bool verify_cert_ku (X509 *x509, const unsigned * const expected_ku, int expected_len) {
346
-
347
-	ASN1_BIT_STRING *ku = NULL;
348
-	bool fFound = false;
349
-
350
-	if ((ku = (ASN1_BIT_STRING *)X509_get_ext_d2i (x509, NID_key_usage, NULL, NULL)) == NULL) {
351
-		msg (D_HANDSHAKE, "Certificate does not have key usage extension");
352
-	}
353
-	else {
354
-		unsigned nku = 0;
355
-		int i;
356
-		for (i=0;i<8;i++) {
357
-			if (ASN1_BIT_STRING_get_bit (ku, i)) {
358
-				nku |= 1<<(7-i);
359
-			}
360
-		}
361
-
362
-		/*
363
-		 * Fixup if no LSB bits
364
-		 */
365
-		if ((nku & 0xff) == 0) {
366
-			nku >>= 8;
367
-		}
368
-
369
-		msg (D_HANDSHAKE, "Validating certificate key usage");
370
-		for (i=0;!fFound && i<expected_len;i++) {
371
-			if (expected_ku[i] != 0) {
372
-				msg (D_HANDSHAKE, "++ Certificate has key usage  %04x, expects %04x", nku, expected_ku[i]);
373
-
374
-				if (nku == expected_ku[i]) {
375
-					fFound = true;
376
-				}
377
-			}
378
-		}
379
-	}
380
-
381
-	if (ku != NULL) {
382
-		ASN1_BIT_STRING_free (ku);
383
-	}
384
-
385
-	return fFound;
386
-}
387
-
388 345
 #endif	/* OPENSSL_VERSION_NUMBER */
389 346
 
390 347
 static void
... ...
@@ -518,20 +475,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
518 518
 
519 519
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
520 520
 
521
-  /* verify certificate ku */
522
-  if (opt->remote_cert_ku[0] != 0 &&  cert_depth == 0)
523
-    {
524
-      if (verify_cert_ku (cert, opt->remote_cert_ku, MAX_PARMS))
525
-	{
526
-	  msg (D_HANDSHAKE, "VERIFY KU OK");
527
-	}
528
-        else
529
-        {
530
-	  msg (D_HANDSHAKE, "VERIFY KU ERROR");
531
-          goto err;		/* Reject connection */
532
-	}
533
-    }
534
-
535 521
   /* verify certificate eku */
536 522
   if (opt->remote_cert_eku != NULL && cert_depth == 0)
537 523
     {
... ...
@@ -351,6 +351,24 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
351 351
 	}
352 352
     }
353 353
 
354
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
355
+
356
+  /* verify certificate ku */
357
+  if (opt->remote_cert_ku[0] != 0)
358
+    {
359
+      if (verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
360
+	{
361
+	  msg (D_HANDSHAKE, "VERIFY KU OK");
362
+	}
363
+        else
364
+        {
365
+	  msg (D_HANDSHAKE, "VERIFY KU ERROR");
366
+          return 1;		/* Reject connection */
367
+	}
368
+    }
369
+
370
+
371
+#endif /* OPENSSL_VERSION_NUMBER */
354 372
   return 0;
355 373
 }
356 374
 
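Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x00907000L` guard around the new block ties this caller to OpenSSL's version macro, which looks at odds with the refactoring if verify_peer_cert is the backend-neutral side of the split (the call goes through the x509_cert_t prototype added to the backend header). The same guard already wraps the definition of verify_cert_ku in the backend, so a backend-provided stub that fails closed when the check cannot be performed, or a feature macro set by the backend, would keep this file free of OpenSSL specifics; this is a design observation rather than a defect, and the body of verify_peer_cert starts outside the hunk. The removed call site also required `cert_depth == 0`; if verify_peer_cert is only reached for the leaf certificate, a one-line comment saying so, `/* key usage is only checked on the peer (depth 0) certificate */`, would make the dropped condition explicit. The two consecutive blank lines before `#endif` look unintentional.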
... ...
@@ -154,4 +154,17 @@ void setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *cert);
154 154
  */
155 155
 bool verify_nsCertType(const x509_cert_t *cert, const int usage);
156 156
 
157
+/*
158
+ * Verify X.509 key usage extension field.
159
+ *
160
+ * @param cert		Certificate to check.
161
+ * @param expected_ku	Array of valid key usage values
162
+ * @param expected_len	Length of the key usage array
163
+ *
164
+ * @return 		\c true if one of the key usage values matches, \c false
165
+ * 			if key usage is not enabled, or the values do not match.
166
+ */
167
+bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
168
+    int expected_len);
169
+
157 170
 #endif /* SSL_VERIFY_BACKEND_H_ */
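Review bot: The new doc comment names the first parameter `@param cert` while the prototype calls it `x509`; one of the two should change, e.g. `@param x509		Certificate to check.`. The `@return` text could also state the fail-closed case explicitly: a certificate that carries no key usage extension yields false (the definition logs "Certificate does not have key usage extension" and returns with fFound still false), which is what callers rely on to reject it. The prototype is unconditional while the definition is compiled only for `OPENSSL_VERSION_NUMBER >= 0x00907000L`; that is consistent with the guarded caller, but a note in the comment would spare a reader the search.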
... ...
@@ -392,3 +392,57 @@ verify_nsCertType(const x509_cert_t *peer_cert, const int usage)
392 392
 
393 393
   return false;
394 394
 }
395
+
396
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
397
+
398
+bool
399
+verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
400
+    int expected_len)
401
+{
402
+  ASN1_BIT_STRING *ku = NULL;
403
+  bool fFound = false;
404
+
405
+  if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
406
+      NULL)) == NULL)
407
+    {
408
+      msg (D_HANDSHAKE, "Certificate does not have key usage extension");
409
+    }
410
+  else
411
+    {
412
+      unsigned nku = 0;
413
+      int i;
414
+      for (i = 0; i < 8; i++)
415
+	{
416
+	  if (ASN1_BIT_STRING_get_bit (ku, i))
417
+	    nku |= 1 << (7 - i);
418
+	}
419
+
420
+      /*
421
+       * Fixup if no LSB bits
422
+       */
423
+      if ((nku & 0xff) == 0)
424
+	{
425
+	  nku >>= 8;
426
+	}
427
+
428
+      msg (D_HANDSHAKE, "Validating certificate key usage");
429
+      for (i = 0; !fFound && i < expected_len; i++)
430
+	{
431
+	  if (expected_ku[i] != 0)
432
+	    {
433
+	      msg (D_HANDSHAKE, "++ Certificate has key usage  %04x, expects "
434
+		  "%04x", nku, expected_ku[i]);
435
+
436
+	      if (nku == expected_ku[i])
437
+		fFound = true;
438
+	    }
439
+	}
440
+    }
441
+
442
+  if (ku != NULL)
443
+    ASN1_BIT_STRING_free (ku);
444
+
445
+  return fFound;
446
+}
447
+
448
+#endif /* OPENSSL_VERSION_NUMBER */
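Review bot: The `Fixup if no LSB bits` block, `if ((nku & 0xff) == 0) nku >>= 8;`, is dead code: the loop above it only ever ORs in `1 << (7 - i)` for i in 0..7, so nku is at most 0xff, the condition holds only when nku is already 0, and shifting 0 leaves 0. Since this commit only moves the function the block can stay for now, but it should either be removed or gain a comment explaining which case it was meant to handle. Relatedly, only bits 0–7 of the ASN1 bit string are read, whereas the X.509 KeyUsage type defines a ninth bit (decipherOnly, bit 8), so a certificate that sets it is compared as if it did not; if that is intended, a comment such as `/* only key usage bits 0-7 are compared; decipherOnly (bit 8) is ignored */` above the loop would record it. The double space in `"++ Certificate has key usage  %04x"` looks like a typo carried over from the old location.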