Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
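--- a/PATH-NOT-SHOWN-ON-PAGE (file defining verify_cert_eku and verify_cert)
+++ b/PATH-NOT-SHOWN-ON-PAGE (file defining verify_cert_eku and verify_cert)
@@ -342,49 +342,6 @@ bool verify_cert_eku (X509 *x509, const char * const expected_oid) {
 return fFound;
 }
 
-bool verify_cert_ku (X509 *x509, const unsigned * const expected_ku, int expected_len) {
-
-ASN1_BIT_STRING *ku = NULL;
-bool fFound = false;
-
-if ((ku = (ASN1_BIT_STRING *)X509_get_ext_d2i (x509, NID_key_usage, NULL, NULL)) == NULL) {
-msg (D_HANDSHAKE, "Certificate does not have key usage extension");
-}
-else {
-unsigned nku = 0;
-int i;
-for (i=0;i<8;i++) {
-if (ASN1_BIT_STRING_get_bit (ku, i)) {
-nku |= 1<<(7-i);
-}
-}
-
-/*
-* Fixup if no LSB bits
-*/
-if ((nku & 0xff) == 0) {
-nku >>= 8;
-}
-
-msg (D_HANDSHAKE, "Validating certificate key usage");
-for (i=0;!fFound && i<expected_len;i++) {
-if (expected_ku[i] != 0) {
-msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects %04x", nku, expected_ku[i]);
-
-if (nku == expected_ku[i]) {
-fFound = true;
-}
-}
-}
-}
-
-if (ku != NULL) {
-ASN1_BIT_STRING_free (ku);
-}
-
-return fFound;
-}
-
 #endif /* OPENSSL_VERSION_NUMBER */
 
 static void
@@ -518,20 +475,6 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 
-/* verify certificate ku */
-if (opt->remote_cert_ku[0] != 0 && cert_depth == 0)
-{
-if (verify_cert_ku (cert, opt->remote_cert_ku, MAX_PARMS))
-{
-msg (D_HANDSHAKE, "VERIFY KU OK");
-}
-else
-{
-msg (D_HANDSHAKE, "VERIFY KU ERROR");
-goto err; /* Reject connection */
-}
-}
-
 /* verify certificate eku */
 if (opt->remote_cert_eku != NULL && cert_depth == 0)
 {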
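--- a/PATH-NOT-SHOWN-ON-PAGE (file defining verify_peer_cert)
+++ b/PATH-NOT-SHOWN-ON-PAGE (file defining verify_peer_cert)
@@ -351,6 +351,24 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 }
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+
+/* verify certificate ku */
+if (opt->remote_cert_ku[0] != 0)
+{
+if (verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+{
+msg (D_HANDSHAKE, "VERIFY KU OK");
+}
+else
+{
+msg (D_HANDSHAKE, "VERIFY KU ERROR");
+return 1; /* Reject connection */
+}
+}
+
+
+#endif /* OPENSSL_VERSION_NUMBER */
 return 0;
 }
 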
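Review bot: In the added block at 354-371, a build where `OPENSSL_VERSION_NUMBER >= 0x00907000L` is false compiles the key-usage check away entirely, so a configured `remote_cert_ku` is never enforced yet verify_peer_cert still falls through to `return 0` — the policy silently degrades open instead of failing closed the way the `VERIFY KU ERROR` path does. An `#else` branch that logs and rejects when the option is set (sketch below) keeps the outcome visible; rejecting the option at config-parse time on such builds would be the cleaner alternative. The backend-specific version macro now also sits in code whose `x509_cert_t` parameter suggests it is meant to be backend-neutral, so consider moving that condition behind the backend. verify_peer_cert's start and the rest of its body are outside this hunk, and the two consecutive blank `+` lines at 369-370 look unintended.
```c
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
  /* … unchanged: verify_cert_ku check, returns 1 on VERIFY KU ERROR … */
#else
  /* remote_cert_ku is configured but this build cannot evaluate it: fail closed */
  if (opt->remote_cert_ku[0] != 0)
    {
      msg (D_HANDSHAKE, "VERIFY KU ERROR: key usage checking not supported by this build");
      return 1; /* Reject connection */
    }
#endif /* OPENSSL_VERSION_NUMBER */
```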
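--- a/PATH-NOT-SHOWN-ON-PAGE (header guarded by SSL_VERIFY_BACKEND_H_)
+++ b/PATH-NOT-SHOWN-ON-PAGE (header guarded by SSL_VERIFY_BACKEND_H_)
@@ -154,4 +154,17 @@ void setenv_x509 (struct env_set *es, int cert_depth, x509_cert_t *cert);
 */
 bool verify_nsCertType(const x509_cert_t *cert, const int usage);
 
+/*
+* Verify X.509 key usage extension field.
+*
+* @param cert Certificate to check.
+* @param expected_ku Array of valid key usage values
+* @param expected_len Length of the key usage array
+*
+* @return \c true if one of the key usage values matches, \c false
+* if key usage is not enabled, or the values do not match.
+*/
+bool verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+int expected_len);
+
 #endif /* SSL_VERIFY_BACKEND_H_ */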
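Review bot: The Doxygen block at 157-166 documents `@param cert`, but the prototype at 167 names the parameter `x509`, so the tag does not attach to anything; make the two agree, e.g. `bool verify_cert_ku (x509_cert_t *cert, const unsigned * const expected_ku,`. The declaration is also unconditional while the only definition on this page is compiled under `#if OPENSSL_VERSION_NUMBER >= 0x00907000L`, so the comment should state that availability for backend implementers, e.g. add `* Backends that cannot read the key usage extension must still provide this function or guard its callers.` The `@return` text would be clearer as "\c false if the certificate has no key usage extension, or none of the expected values matches exactly", since that is what the visible definition does.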
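--- a/PATH-NOT-SHOWN-ON-PAGE (file defining verify_nsCertType)
+++ b/PATH-NOT-SHOWN-ON-PAGE (file defining verify_nsCertType)
@@ -392,3 +392,57 @@ verify_nsCertType(const x509_cert_t *peer_cert, const int usage)
 
 return false;
 }
+
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+
+bool
+verify_cert_ku (X509 *x509, const unsigned * const expected_ku,
+int expected_len)
+{
+ASN1_BIT_STRING *ku = NULL;
+bool fFound = false;
+
+if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL,
+NULL)) == NULL)
+{
+msg (D_HANDSHAKE, "Certificate does not have key usage extension");
+}
+else
+{
+unsigned nku = 0;
+int i;
+for (i = 0; i < 8; i++)
+{
+if (ASN1_BIT_STRING_get_bit (ku, i))
+nku |= 1 << (7 - i);
+}
+
+/*
+* Fixup if no LSB bits
+*/
+if ((nku & 0xff) == 0)
+{
+nku >>= 8;
+}
+
+msg (D_HANDSHAKE, "Validating certificate key usage");
+for (i = 0; !fFound && i < expected_len; i++)
+{
+if (expected_ku[i] != 0)
+{
+msg (D_HANDSHAKE, "++ Certificate has key usage %04x, expects "
+"%04x", nku, expected_ku[i]);
+
+if (nku == expected_ku[i])
+fFound = true;
+}
+}
+}
+
+if (ku != NULL)
+ASN1_BIT_STRING_free (ku);
+
+return fFound;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */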
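Review bot: The "Fixup if no LSB bits" branch at 423-426 is unreachable as written: the loop at 414-418 only ever ORs in `1 << (7 - i)` for i in 0..7, so `nku` never exceeds 0xff and `(nku & 0xff) == 0` holds only when `nku` is already 0, where the shift changes nothing. Either the loop was meant to read more than 8 bits (the KeyUsage bit string defines a ninth bit, decipherOnly, which this code never examines, so a certificate that sets it cannot be told apart from one that does not) or the branch and its comment should be removed so the next reader does not look for a 16-bit encoding that is not produced. Since the definition carries no comment of its own, a one-liner on the comparison at 436, `/* exact bitmask match: extra or missing KU bits both fail the check */`, would make the fail-closed semantics explicit; the absent-extension path at 405-409 returning false is correct and worth keeping. The `if (ku != NULL)` guard at 442 is redundant but harmless.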