- Now return either SUCCESS or FAILURE.
- SUCCESS is defined as 0.
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
... | ... |
@@ -306,14 +306,14 @@ print_nsCertType (int type) |
306 | 306 |
* @param subject the peer's extracted subject name |
307 | 307 |
* @param subject the peer's extracted common name |
308 | 308 |
*/ |
309 |
-static int |
|
309 |
+static result_t |
|
310 | 310 |
verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, |
311 | 311 |
const char *subject, const char *common_name) |
312 | 312 |
{ |
313 | 313 |
/* verify certificate nsCertType */ |
314 | 314 |
if (opt->ns_cert_type != NS_CERT_CHECK_NONE) |
315 | 315 |
{ |
316 |
- if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type)) |
|
316 |
+ if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type)) |
|
317 | 317 |
{ |
318 | 318 |
msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s", |
319 | 319 |
print_nsCertType (opt->ns_cert_type)); |
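Review bot: The Doxygen block above `verify_peer_cert` (lines 306-308) documents the fourth parameter under the wrong name — `@param subject` appears twice although the signature takes `subject` and `common_name` — and gains no `@return` even though the commit changes the return type to `result_t`. Suggest `* @param common_name the peer's extracted common name` for the second entry and adding `* @return \c SUCCESS if every configured check passes, \c FAILURE otherwise` before the closing ` */`. The body of `verify_peer_cert` continues beyond this hunk.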
... | ... |
@@ -322,7 +322,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, |
322 | 322 |
{ |
323 | 323 |
msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s", |
324 | 324 |
subject, print_nsCertType (opt->ns_cert_type)); |
325 |
- return 1; /* Reject connection */ |
|
325 |
+ return FAILURE; /* Reject connection */ |
|
326 | 326 |
} |
327 | 327 |
} |
328 | 328 |
|
... | ... |
@@ -331,28 +331,28 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, |
331 | 331 |
/* verify certificate ku */ |
332 | 332 |
if (opt->remote_cert_ku[0] != 0) |
333 | 333 |
{ |
334 |
- if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS)) |
|
334 |
+ if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS)) |
|
335 | 335 |
{ |
336 | 336 |
msg (D_HANDSHAKE, "VERIFY KU OK"); |
337 | 337 |
} |
338 | 338 |
else |
339 | 339 |
{ |
340 | 340 |
msg (D_HANDSHAKE, "VERIFY KU ERROR"); |
341 |
- return 1; /* Reject connection */ |
|
341 |
+ return FAILURE; /* Reject connection */ |
|
342 | 342 |
} |
343 | 343 |
} |
344 | 344 |
|
345 | 345 |
/* verify certificate eku */ |
346 | 346 |
if (opt->remote_cert_eku != NULL) |
347 | 347 |
{ |
348 |
- if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku)) |
|
348 |
+ if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku)) |
|
349 | 349 |
{ |
350 | 350 |
msg (D_HANDSHAKE, "VERIFY EKU OK"); |
351 | 351 |
} |
352 | 352 |
else |
353 | 353 |
{ |
354 | 354 |
msg (D_HANDSHAKE, "VERIFY EKU ERROR"); |
355 |
- return 1; /* Reject connection */ |
|
355 |
+ return FAILURE; /* Reject connection */ |
|
356 | 356 |
} |
357 | 357 |
} |
358 | 358 |
|
... | ... |
@@ -368,11 +368,11 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert, |
368 | 368 |
{ |
369 | 369 |
msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s", |
370 | 370 |
subject, opt->verify_x509name); |
371 |
- return 1; /* Reject connection */ |
|
371 |
+ return FAILURE; /* Reject connection */ |
|
372 | 372 |
} |
373 | 373 |
} |
374 | 374 |
|
375 |
- return 0; |
|
375 |
+ return SUCCESS; |
|
376 | 376 |
} |
377 | 377 |
|
378 | 378 |
/* |
... | ... |
@@ -434,7 +434,7 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth, |
434 | 434 |
/* |
435 | 435 |
* call --tls-verify plug-in(s) |
436 | 436 |
*/ |
437 |
-static int |
|
437 |
+static result_t |
|
438 | 438 |
verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
439 | 439 |
int cert_depth, x509_cert_t *cert, char *subject) |
440 | 440 |
{ |
... | ... |
@@ -458,10 +458,10 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
458 | 458 |
{ |
459 | 459 |
msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s", |
460 | 460 |
cert_depth, subject); |
461 |
- return 1; /* Reject connection */ |
|
461 |
+ return FAILURE; /* Reject connection */ |
|
462 | 462 |
} |
463 | 463 |
} |
464 |
- return 0; |
|
464 |
+ return SUCCESS; |
|
465 | 465 |
} |
466 | 466 |
|
467 | 467 |
static const char * |
... | ... |
@@ -484,7 +484,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar |
484 | 484 |
return NULL; |
485 | 485 |
} |
486 | 486 |
|
487 |
- if (x509_write_pem(peercert_file, peercert)) |
|
487 |
+ if (SUCCESS != x509_write_pem(peercert_file, peercert)) |
|
488 | 488 |
msg (M_ERR, "Error writing PEM file containing certificate"); |
489 | 489 |
|
490 | 490 |
fclose(peercert_file); |
... | ... |
@@ -495,7 +495,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar |
495 | 495 |
/* |
496 | 496 |
* run --tls-verify script |
497 | 497 |
*/ |
498 |
-static int |
|
498 |
+static result_t |
|
499 | 499 |
verify_cert_call_command(const char *verify_command, struct env_set *es, |
500 | 500 |
int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert) |
501 | 501 |
{ |
... | ... |
@@ -532,18 +532,18 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, |
532 | 532 |
{ |
533 | 533 |
msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s", |
534 | 534 |
cert_depth, subject); |
535 |
- return 0; |
|
535 |
+ return SUCCESS; |
|
536 | 536 |
} |
537 | 537 |
|
538 | 538 |
msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s", |
539 | 539 |
cert_depth, subject); |
540 |
- return 1; /* Reject connection */ |
|
540 |
+ return FAILURE; /* Reject connection */ |
|
541 | 541 |
} |
542 | 542 |
|
543 | 543 |
/* |
544 | 544 |
* check peer cert against CRL directory |
545 | 545 |
*/ |
546 |
-static bool |
|
546 |
+static result_t |
|
547 | 547 |
verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert) |
548 | 548 |
{ |
549 | 549 |
char fn[256]; |
... | ... |
@@ -554,7 +554,7 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert) |
554 | 554 |
{ |
555 | 555 |
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow"); |
556 | 556 |
x509_free_serial(serial); |
557 |
- return true; |
|
557 |
+ return FAILURE; |
|
558 | 558 |
} |
559 | 559 |
fd = open (fn, O_RDONLY); |
560 | 560 |
if (fd >= 0) |
... | ... |
@@ -562,15 +562,15 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert) |
562 | 562 |
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); |
563 | 563 |
x509_free_serial(serial); |
564 | 564 |
close(fd); |
565 |
- return true; |
|
565 |
+ return FAILURE; |
|
566 | 566 |
} |
567 | 567 |
|
568 | 568 |
x509_free_serial(serial); |
569 | 569 |
|
570 |
- return false; |
|
570 |
+ return SUCCESS; |
|
571 | 571 |
} |
572 | 572 |
|
573 |
-int |
|
573 |
+result_t |
|
574 | 574 |
verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
575 | 575 |
{ |
576 | 576 |
char *subject = NULL; |
... | ... |
@@ -596,7 +596,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
596 | 596 |
string_replace_leading (subject, '-', '_'); |
597 | 597 |
|
598 | 598 |
/* extract the username (default is CN) */ |
599 |
- if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert)) |
|
599 |
+ if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN, |
|
600 |
+ opt->x509_username_field, cert)) |
|
600 | 601 |
{ |
601 | 602 |
if (!cert_depth) |
602 | 603 |
{ |
... | ... |
@@ -650,16 +651,16 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
650 | 650 |
setenv_untrusted (session); |
651 | 651 |
|
652 | 652 |
/* If this is the peer's own certificate, verify it */ |
653 |
- if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name)) |
|
653 |
+ if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name)) |
|
654 | 654 |
goto err; |
655 | 655 |
|
656 | 656 |
/* call --tls-verify plug-in(s), if registered */ |
657 |
- if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) |
|
657 |
+ if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject)) |
|
658 | 658 |
goto err; |
659 | 659 |
|
660 | 660 |
/* run --tls-verify script */ |
661 |
- if (opt->verify_command && verify_cert_call_command(opt->verify_command, opt->es, |
|
662 |
- cert_depth, cert, subject, opt->verify_export_cert)) |
|
661 |
+ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command, |
|
662 |
+ opt->es, cert_depth, cert, subject, opt->verify_export_cert)) |
|
663 | 663 |
goto err; |
664 | 664 |
|
665 | 665 |
/* check peer cert against CRL */ |
... | ... |
@@ -667,12 +668,12 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
667 | 667 |
{ |
668 | 668 |
if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) |
669 | 669 |
{ |
670 |
- if (verify_check_crl_dir(opt->crl_file, cert)) |
|
670 |
+ if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert)) |
|
671 | 671 |
goto err; |
672 | 672 |
} |
673 | 673 |
else |
674 | 674 |
{ |
675 |
- if (x509_verify_crl(opt->crl_file, cert, subject)) |
|
675 |
+ if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject)) |
|
676 | 676 |
goto err; |
677 | 677 |
} |
678 | 678 |
} |
... | ... |
@@ -682,7 +683,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) |
682 | 682 |
|
683 | 683 |
done: |
684 | 684 |
x509_free_subject (subject); |
685 |
- return (session->verified == true) ? 1 : 0; |
|
685 |
+ return (session->verified == true) ? SUCCESS : FAILURE; |
|
686 | 686 |
|
687 | 687 |
err: |
688 | 688 |
tls_clear_error(); |
... | ... |
@@ -30,6 +30,11 @@ |
30 | 30 |
#ifndef SSL_VERIFY_BACKEND_H_ |
31 | 31 |
#define SSL_VERIFY_BACKEND_H_ |
32 | 32 |
|
33 |
+/** |
|
34 |
+ * Result of verification function |
|
35 |
+ */ |
|
36 |
+typedef enum { SUCCESS=0, FAILURE=1 } result_t; |
|
37 |
+ |
|
33 | 38 |
/* |
34 | 39 |
* Backend support functions. |
35 | 40 |
* |
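Review bot: The new enumerators at line 36 are unprefixed, and `SUCCESS == 0` inverts the truthiness the former `bool`-returning predicates had, so any caller still written as `if (x509_verify_cert_ku(...))` would now take the success branch exactly on `FAILURE`; the header comment should say so. Suggest expanding it to `Result of a verification function. Compare against SUCCESS explicitly; never test the value as a boolean, since SUCCESS is 0.` Bare `SUCCESS`/`FAILURE` in a public header are also easy to collide with macros from platform or library headers the backends include, and the `_t` suffix is reserved by POSIX; a prefixed spelling such as `RESULT_SUCCESS`/`RESULT_FAILURE` would avoid both.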
... | ... |
@@ -48,9 +53,9 @@ |
48 | 48 |
* @param cert Certificate to process |
49 | 49 |
* @param cert_depth Depth of the current certificate |
50 | 50 |
* |
51 |
- * @return \c 1 if verification was successful, \c 0 on failure. |
|
51 |
+ * @return \c SUCCESS if verification was successful, \c FAILURE on failure. |
|
52 | 52 |
*/ |
53 |
-int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth); |
|
53 |
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth); |
|
54 | 54 |
|
55 | 55 |
/* |
56 | 56 |
* Remember the given certificate hash, allowing the certificate chain to be |
... | ... |
@@ -118,9 +123,9 @@ void x509_free_sha1_hash (unsigned char *hash); |
118 | 118 |
* @param x509_username_field Name of the field to load from |
119 | 119 |
* @param cert Certificate to retrieve the common name from. |
120 | 120 |
* |
121 |
- * @return \c 1 on failure, \c 0 on success |
|
121 |
+ * @return \c FAILURE, \c or SUCCESS |
|
122 | 122 |
*/ |
123 |
-bool x509_get_username (char *common_name, int cn_len, |
|
123 |
+result_t x509_get_username (char *common_name, int cn_len, |
|
124 | 124 |
char * x509_username_field, x509_cert_t *peer_cert); |
125 | 125 |
|
126 | 126 |
/* |
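Review bot: The rewritten `@return` for `x509_get_username` at line 121 reads `\c FAILURE, \c or SUCCESS`, which marks the word "or" as code and no longer says which value means what; suggest `* @return \c SUCCESS if the username was extracted, \c FAILURE otherwise`. The `x509_write_pem` hunk in this same header (lines 248-249) adds two empty ` *` lines where the new `@return` belongs; suggest `* @return \c SUCCESS if the certificate was written, \c FAILURE otherwise` there.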
... | ... |
@@ -201,11 +206,11 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es, |
201 | 201 |
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER, |
202 | 202 |
* or \c NS_CERT_CHECK_NONE. |
203 | 203 |
* |
204 |
- * @return \c true if NS_CERT_CHECK_NONE or if the certificate has |
|
205 |
- * the expected bit set. \c false if the certificate does |
|
204 |
+ * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has |
|
205 |
+ * the expected bit set. \c FAILURE if the certificate does |
|
206 | 206 |
* not have NS cert type verification or the wrong bit set. |
207 | 207 |
*/ |
208 |
-bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage); |
|
208 |
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage); |
|
209 | 209 |
|
210 | 210 |
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL |
211 | 211 |
|
... | ... |
@@ -216,10 +221,10 @@ bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage); |
216 | 216 |
* @param expected_ku Array of valid key usage values |
217 | 217 |
* @param expected_len Length of the key usage array |
218 | 218 |
* |
219 |
- * @return \c true if one of the key usage values matches, \c false |
|
219 |
+ * @return \c SUCCESS if one of the key usage values matches, \c FAILURE |
|
220 | 220 |
* if key usage is not enabled, or the values do not match. |
221 | 221 |
*/ |
222 |
-bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, |
|
222 |
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, |
|
223 | 223 |
int expected_len); |
224 | 224 |
|
225 | 225 |
/* |
... | ... |
@@ -231,11 +236,11 @@ bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku, |
231 | 231 |
* (e.g. \c "1.2.3.4", or the descriptive string matching |
232 | 232 |
* the OID. |
233 | 233 |
* |
234 |
- * @return \c true if one of the expected OID matches one of the |
|
235 |
- * extended key usage fields, \c false if extended key |
|
234 |
+ * @return \c SUCCESS if one of the expected OID matches one of the |
|
235 |
+ * extended key usage fields, \c FAILURE if extended key |
|
236 | 236 |
* usage is not enabled, or the values do not match. |
237 | 237 |
*/ |
238 |
-bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); |
|
238 |
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); |
|
239 | 239 |
|
240 | 240 |
#endif |
241 | 241 |
|
... | ... |
@@ -245,8 +250,10 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); |
245 | 245 |
* @param cert Certificate to store |
246 | 246 |
* @param tmp_dir Temporary directory to store the directory |
247 | 247 |
* @param gc gc_arena to store temporary objects in |
248 |
+ * |
|
249 |
+ * |
|
248 | 250 |
*/ |
249 |
-bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert); |
|
251 |
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert); |
|
250 | 252 |
|
251 | 253 |
/* |
252 | 254 |
* Check the certificate against a CRL file. |
... | ... |
@@ -255,11 +262,11 @@ bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert); |
255 | 255 |
* @param cert Certificate to verify |
256 | 256 |
* @param subject Subject of the given certificate |
257 | 257 |
* |
258 |
- * @return \c 1 if the CRL was not signed by the issuer of the |
|
258 |
+ * @return \c SUCCESS if the CRL was not signed by the issuer of the |
|
259 | 259 |
* certificate or does not contain an entry for it. |
260 |
- * \c 0 otherwise. |
|
260 |
+ * \c FAILURE otherwise. |
|
261 | 261 |
*/ |
262 |
-bool x509_verify_crl(const char *crl_file, x509_cert_t *cert, |
|
262 |
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert, |
|
263 | 263 |
const char *subject); |
264 | 264 |
|
265 | 265 |
#endif /* SSL_VERIFY_BACKEND_H_ */ |
... | ... |
@@ -144,7 +144,7 @@ bool extract_x509_extension(X509 *cert, char *fieldname, char *out, int size) |
144 | 144 |
* Return true on success, false on error (insufficient buffer size in 'out' |
145 | 145 |
* to contain result is grounds for error). |
146 | 146 |
*/ |
147 |
-static bool |
|
147 |
+static result_t |
|
148 | 148 |
extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, |
149 | 149 |
int size) |
150 | 150 |
{ |
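Review bot: The comment directly above `extract_x509_field_ssl` (lines 144-145) still says `Return true on success, false on error`, but the signature on the following line now returns `result_t`; suggest `* Return SUCCESS on success, FAILURE on error (insufficient buffer size in 'out'` so the contract matches the new type. The function body lies outside this hunk.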
... | ... |
@@ -164,29 +164,29 @@ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, |
164 | 164 |
|
165 | 165 |
/* Nothing found */ |
166 | 166 |
if (lastpos == -1) |
167 |
- return false; |
|
167 |
+ return FAILURE; |
|
168 | 168 |
|
169 | 169 |
x509ne = X509_NAME_get_entry(x509, lastpos); |
170 | 170 |
if (!x509ne) |
171 |
- return false; |
|
171 |
+ return FAILURE; |
|
172 | 172 |
|
173 | 173 |
asn1 = X509_NAME_ENTRY_get_data(x509ne); |
174 | 174 |
if (!asn1) |
175 |
- return false; |
|
175 |
+ return FAILURE; |
|
176 | 176 |
tmp = ASN1_STRING_to_UTF8(&buf, asn1); |
177 | 177 |
if (tmp <= 0) |
178 |
- return false; |
|
178 |
+ return FAILURE; |
|
179 | 179 |
|
180 | 180 |
strncpynt(out, (char *)buf, size); |
181 | 181 |
|
182 | 182 |
{ |
183 |
- const bool ret = (strlen ((char *)buf) < size); |
|
183 |
+ const result_t ret = (strlen ((char *)buf) < size) ? SUCCESS: FAILURE; |
|
184 | 184 |
OPENSSL_free (buf); |
185 | 185 |
return ret; |
186 | 186 |
} |
187 | 187 |
} |
188 | 188 |
|
189 |
-bool |
|
189 |
+result_t |
|
190 | 190 |
x509_get_username (char *common_name, int cn_len, |
191 | 191 |
char * x509_username_field, X509 *peer_cert) |
192 | 192 |
{ |
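Review bot: The rewritten comparison at line 183, `strlen ((char *)buf) < size`, compares a `size_t` with the `int` parameter `size` (line 149), so `size` is converted to unsigned and a negative value would yield `SUCCESS` rather than `FAILURE`; suggest `const result_t ret = (size > 0 && strlen ((char *)buf) < (size_t)size) ? SUCCESS : FAILURE;`. Whether a negative `size` can reach this function is not visible here, but the explicit bound and cast make the intent clear and silence `-Wsign-compare`.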
... | ... |
@@ -194,14 +194,14 @@ x509_get_username (char *common_name, int cn_len, |
194 | 194 |
if (strncmp("ext:",x509_username_field,4) == 0) |
195 | 195 |
{ |
196 | 196 |
if (!extract_x509_extension (peer_cert, x509_username_field+4, common_name, cn_len)) |
197 |
- return true; |
|
197 |
+ return FAILURE; |
|
198 | 198 |
} else |
199 | 199 |
#endif |
200 |
- if (!extract_x509_field_ssl (X509_get_subject_name (peer_cert), |
|
200 |
+ if (FAILURE == extract_x509_field_ssl (X509_get_subject_name (peer_cert), |
|
201 | 201 |
x509_username_field, common_name, cn_len)) |
202 |
- return true; |
|
202 |
+ return FAILURE; |
|
203 | 203 |
|
204 |
- return false; |
|
204 |
+ return SUCCESS; |
|
205 | 205 |
} |
206 | 206 |
|
207 | 207 |
char * |
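Review bot: Line 200 tests `FAILURE == extract_x509_field_ssl (...)` while every other call site in this commit (for example `verify_cert` at lines 653-675) rejects on `SUCCESS != ...`; with the positive form, any value other than `FAILURE` — including a future third enumerator — is treated as success, so the check fails open. Suggest `if (SUCCESS != extract_x509_field_ssl (X509_get_subject_name (peer_cert),` so the function accepts only on the one value that means success.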
... | ... |
@@ -406,29 +406,29 @@ x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *peer_cert) |
406 | 406 |
} |
407 | 407 |
} |
408 | 408 |
|
409 |
-bool |
|
409 |
+result_t |
|
410 | 410 |
x509_verify_ns_cert_type(const x509_cert_t *peer_cert, const int usage) |
411 | 411 |
{ |
412 | 412 |
if (usage == NS_CERT_CHECK_NONE) |
413 |
- return true; |
|
413 |
+ return SUCCESS; |
|
414 | 414 |
if (usage == NS_CERT_CHECK_CLIENT) |
415 | 415 |
return ((peer_cert->ex_flags & EXFLAG_NSCERT) |
416 |
- && (peer_cert->ex_nscert & NS_SSL_CLIENT)); |
|
416 |
+ && (peer_cert->ex_nscert & NS_SSL_CLIENT)) ? SUCCESS: FAILURE; |
|
417 | 417 |
if (usage == NS_CERT_CHECK_SERVER) |
418 | 418 |
return ((peer_cert->ex_flags & EXFLAG_NSCERT) |
419 |
- && (peer_cert->ex_nscert & NS_SSL_SERVER)); |
|
419 |
+ && (peer_cert->ex_nscert & NS_SSL_SERVER)) ? SUCCESS: FAILURE; |
|
420 | 420 |
|
421 |
- return false; |
|
421 |
+ return FAILURE; |
|
422 | 422 |
} |
423 | 423 |
|
424 | 424 |
#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
425 | 425 |
|
426 |
-bool |
|
426 |
+result_t |
|
427 | 427 |
x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, |
428 | 428 |
int expected_len) |
429 | 429 |
{ |
430 | 430 |
ASN1_BIT_STRING *ku = NULL; |
431 |
- bool fFound = false; |
|
431 |
+ result_t fFound = FAILURE; |
|
432 | 432 |
|
433 | 433 |
if ((ku = (ASN1_BIT_STRING *) X509_get_ext_d2i (x509, NID_key_usage, NULL, |
434 | 434 |
NULL)) == NULL) |
... | ... |
@@ -454,7 +454,7 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, |
454 | 454 |
} |
455 | 455 |
|
456 | 456 |
msg (D_HANDSHAKE, "Validating certificate key usage"); |
457 |
- for (i = 0; !fFound && i < expected_len; i++) |
|
457 |
+ for (i = 0; fFound != SUCCESS && i < expected_len; i++) |
|
458 | 458 |
{ |
459 | 459 |
if (expected_ku[i] != 0) |
460 | 460 |
{ |
... | ... |
@@ -462,7 +462,7 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, |
462 | 462 |
"%04x", nku, expected_ku[i]); |
463 | 463 |
|
464 | 464 |
if (nku == expected_ku[i]) |
465 |
- fFound = true; |
|
465 |
+ fFound = SUCCESS; |
|
466 | 466 |
} |
467 | 467 |
} |
468 | 468 |
} |
... | ... |
@@ -473,11 +473,11 @@ x509_verify_cert_ku (X509 *x509, const unsigned * const expected_ku, |
473 | 473 |
return fFound; |
474 | 474 |
} |
475 | 475 |
|
476 |
-bool |
|
476 |
+result_t |
|
477 | 477 |
x509_verify_cert_eku (X509 *x509, const char * const expected_oid) |
478 | 478 |
{ |
479 | 479 |
EXTENDED_KEY_USAGE *eku = NULL; |
480 |
- bool fFound = false; |
|
480 |
+ result_t fFound = FAILURE; |
|
481 | 481 |
|
482 | 482 |
if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage, |
483 | 483 |
NULL, NULL)) == NULL) |
... | ... |
@@ -489,24 +489,24 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid) |
489 | 489 |
int i; |
490 | 490 |
|
491 | 491 |
msg (D_HANDSHAKE, "Validating certificate extended key usage"); |
492 |
- for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++) |
|
492 |
+ for (i = 0; SUCCESS != fFound && i < sk_ASN1_OBJECT_num (eku); i++) |
|
493 | 493 |
{ |
494 | 494 |
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i); |
495 | 495 |
char szOid[1024]; |
496 | 496 |
|
497 |
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1) |
|
497 |
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1) |
|
498 | 498 |
{ |
499 | 499 |
msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", |
500 | 500 |
szOid, expected_oid); |
501 | 501 |
if (!strcmp (expected_oid, szOid)) |
502 |
- fFound = true; |
|
502 |
+ fFound = SUCCESS; |
|
503 | 503 |
} |
504 |
- if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1) |
|
504 |
+ if (SUCCESS != fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1) |
|
505 | 505 |
{ |
506 | 506 |
msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", |
507 | 507 |
szOid, expected_oid); |
508 | 508 |
if (!strcmp (expected_oid, szOid)) |
509 |
- fFound = true; |
|
509 |
+ fFound = SUCCESS; |
|
510 | 510 |
} |
511 | 511 |
} |
512 | 512 |
} |
... | ... |
@@ -517,15 +517,15 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid) |
517 | 517 |
return fFound; |
518 | 518 |
} |
519 | 519 |
|
520 |
-bool |
|
520 |
+result_t |
|
521 | 521 |
x509_write_pem(FILE *peercert_file, X509 *peercert) |
522 | 522 |
{ |
523 | 523 |
if (PEM_write_X509(peercert_file, peercert) < 0) |
524 | 524 |
{ |
525 | 525 |
msg (M_ERR, "Failed to write peer certificate in PEM format"); |
526 |
- return true; |
|
526 |
+ return FAILURE; |
|
527 | 527 |
} |
528 |
- return false; |
|
528 |
+ return SUCCESS; |
|
529 | 529 |
} |
530 | 530 |
|
531 | 531 |
#endif /* OPENSSL_VERSION_NUMBER */ |
... | ... |
@@ -533,13 +533,14 @@ x509_write_pem(FILE *peercert_file, X509 *peercert) |
533 | 533 |
/* |
534 | 534 |
* check peer cert against CRL |
535 | 535 |
*/ |
536 |
-bool |
|
536 |
+result_t |
|
537 | 537 |
x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) |
538 | 538 |
{ |
539 | 539 |
X509_CRL *crl=NULL; |
540 | 540 |
X509_REVOKED *revoked; |
541 | 541 |
BIO *in=NULL; |
542 |
- int n,i,retval = 0; |
|
542 |
+ int n,i; |
|
543 |
+ result_t retval = FAILURE; |
|
543 | 544 |
|
544 | 545 |
in=BIO_new(BIO_s_file()); |
545 | 546 |
|
... | ... |
@@ -560,7 +561,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) |
560 | 560 |
if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) { |
561 | 561 |
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " |
562 | 562 |
"certificate %s", crl_file, subject); |
563 |
- retval = 1; |
|
563 |
+ retval = SUCCESS; |
|
564 | 564 |
goto end; |
565 | 565 |
} |
566 | 566 |
|
... | ... |
@@ -573,7 +574,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject) |
573 | 573 |
} |
574 | 574 |
} |
575 | 575 |
|
576 |
- retval = 1; |
|
576 |
+ retval = SUCCESS; |
|
577 | 577 |
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); |
578 | 578 |
|
579 | 579 |
end: |
... | ... |
@@ -581,5 +582,5 @@ end: |
581 | 581 |
if (crl) |
582 | 582 |
X509_CRL_free (crl); |
583 | 583 |
|
584 |
- return !retval; |
|
584 |
+ return retval; |
|
585 | 585 |
} |
... | ... |
@@ -65,17 +65,18 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
65 | 65 |
} |
66 | 66 |
|
67 | 67 |
/* |
68 |
- * verify_cert() returns 1 on success, 0 on failure. |
|
69 |
- * PolarSSL expects the opposite. |
|
68 |
+ * PolarSSL expects 1 on failure, 0 on success |
|
70 | 69 |
*/ |
71 |
- return 0 == verify_cert(session, cert, cert_depth); |
|
70 |
+ if (SUCCESS == verify_cert(session, cert, cert_depth)) |
|
71 |
+ return 0; |
|
72 |
+ return 1; |
|
72 | 73 |
} |
73 | 74 |
|
74 | 75 |
#ifdef ENABLE_X509ALTUSERNAME |
75 | 76 |
# warning "X509 alt user name not yet supported for PolarSSL" |
76 | 77 |
#endif |
77 | 78 |
|
78 |
-bool |
|
79 |
+result_t |
|
79 | 80 |
x509_get_username (char *cn, int cn_len, |
80 | 81 |
char *x509_username_field, x509_cert *cert) |
81 | 82 |
{ |
... | ... |
@@ -96,7 +97,7 @@ x509_get_username (char *cn, int cn_len, |
96 | 96 |
|
97 | 97 |
/* Not found, return an error if this is the peer's certificate */ |
98 | 98 |
if( name == NULL ) |
99 |
- return 1; |
|
99 |
+ return FAILURE; |
|
100 | 100 |
|
101 | 101 |
/* Found, extract CN */ |
102 | 102 |
if (cn_len > name->val.len) |
... | ... |
@@ -107,7 +108,7 @@ x509_get_username (char *cn, int cn_len, |
107 | 107 |
cn[cn_len-1] = '\0'; |
108 | 108 |
} |
109 | 109 |
|
110 |
- return 0; |
|
110 |
+ return SUCCESS; |
|
111 | 111 |
} |
112 | 112 |
|
113 | 113 |
char * |
... | ... |
@@ -274,26 +275,26 @@ x509_setenv (struct env_set *es, int cert_depth, x509_cert_t *cert) |
274 | 274 |
} |
275 | 275 |
} |
276 | 276 |
|
277 |
-bool |
|
277 |
+result_t |
|
278 | 278 |
x509_verify_ns_cert_type(const x509_cert *cert, const int usage) |
279 | 279 |
{ |
280 | 280 |
if (usage == NS_CERT_CHECK_NONE) |
281 |
- return true; |
|
281 |
+ return SUCCESS; |
|
282 | 282 |
if (usage == NS_CERT_CHECK_CLIENT) |
283 | 283 |
return ((cert->ext_types & EXT_NS_CERT_TYPE) |
284 |
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)); |
|
284 |
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE; |
|
285 | 285 |
if (usage == NS_CERT_CHECK_SERVER) |
286 | 286 |
return ((cert->ext_types & EXT_NS_CERT_TYPE) |
287 |
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)); |
|
287 |
+ && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE; |
|
288 | 288 |
|
289 |
- return false; |
|
289 |
+ return FAILURE; |
|
290 | 290 |
} |
291 | 291 |
|
292 |
-bool |
|
292 |
+result_t |
|
293 | 293 |
x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
294 | 294 |
int expected_len) |
295 | 295 |
{ |
296 |
- bool fFound = false; |
|
296 |
+ result_t fFound = FAILURE; |
|
297 | 297 |
|
298 | 298 |
if(!(cert->ext_types & EXT_KEY_USAGE)) |
299 | 299 |
{ |
... | ... |
@@ -305,7 +306,7 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
305 | 305 |
unsigned nku = cert->key_usage; |
306 | 306 |
|
307 | 307 |
msg (D_HANDSHAKE, "Validating certificate key usage"); |
308 |
- for (i=0;!fFound && i<expected_len;i++) |
|
308 |
+ for (i=0; SUCCESS != fFound && i<expected_len; i++) |
|
309 | 309 |
{ |
310 | 310 |
if (expected_ku[i] != 0) |
311 | 311 |
{ |
... | ... |
@@ -314,7 +315,7 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
314 | 314 |
|
315 | 315 |
if (nku == expected_ku[i]) |
316 | 316 |
{ |
317 |
- fFound = true; |
|
317 |
+ fFound = SUCCESS; |
|
318 | 318 |
} |
319 | 319 |
} |
320 | 320 |
} |
... | ... |
@@ -322,10 +323,10 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
322 | 322 |
return fFound; |
323 | 323 |
} |
324 | 324 |
|
325 |
-bool |
|
325 |
+result_t |
|
326 | 326 |
x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
327 | 327 |
{ |
328 |
- bool fFound = false; |
|
328 |
+ result_t fFound = FAILURE; |
|
329 | 329 |
|
330 | 330 |
if (!(cert->ext_types & EXT_EXTENDED_KEY_USAGE)) |
331 | 331 |
{ |
... | ... |
@@ -349,7 +350,7 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
349 | 349 |
oid_str, expected_oid); |
350 | 350 |
if (!strcmp (expected_oid, oid_str)) |
351 | 351 |
{ |
352 |
- fFound = true; |
|
352 |
+ fFound = SUCCESS; |
|
353 | 353 |
break; |
354 | 354 |
} |
355 | 355 |
} |
... | ... |
@@ -361,7 +362,7 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
361 | 361 |
oid_num_str, expected_oid); |
362 | 362 |
if (!strcmp (expected_oid, oid_num_str)) |
363 | 363 |
{ |
364 |
- fFound = true; |
|
364 |
+ fFound = SUCCESS; |
|
365 | 365 |
break; |
366 | 366 |
} |
367 | 367 |
} |
... | ... |
@@ -372,20 +373,20 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
372 | 372 |
return fFound; |
373 | 373 |
} |
374 | 374 |
|
375 |
-bool |
|
375 |
+result_t |
|
376 | 376 |
x509_write_pem(FILE *peercert_file, x509_cert *peercert) |
377 | 377 |
{ |
378 | 378 |
msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format"); |
379 |
- return true; |
|
379 |
+ return FAILURE; |
|
380 | 380 |
} |
381 | 381 |
|
382 | 382 |
/* |
383 | 383 |
* check peer cert against CRL |
384 | 384 |
*/ |
385 |
-bool |
|
385 |
+result_t |
|
386 | 386 |
x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject) |
387 | 387 |
{ |
388 |
- int retval = 0; |
|
388 |
+ result_t retval = FAILURE; |
|
389 | 389 |
x509_crl crl = {0}; |
390 | 390 |
|
391 | 391 |
if (x509parse_crlfile(&crl, crl_file) != 0) |
... | ... |
@@ -399,7 +400,7 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject) |
399 | 399 |
{ |
400 | 400 |
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " |
401 | 401 |
"certificate %s", crl_file, subject); |
402 |
- retval = 1; |
|
402 |
+ retval = SUCCESS; |
|
403 | 403 |
goto end; |
404 | 404 |
} |
405 | 405 |
|
... | ... |
@@ -409,14 +410,10 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject) |
409 | 409 |
goto end; |
410 | 410 |
} |
411 | 411 |
|
412 |
- retval = 1; |
|
412 |
+ retval = SUCCESS; |
|
413 | 413 |
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); |
414 | 414 |
|
415 | 415 |
end: |
416 | 416 |
x509_crl_free(&crl); |
417 |
- |
|
418 |
- if (!retval) |
|
419 |
- return true; |
|
420 |
- |
|
421 |
- return false; |
|
417 |
+ return retval; |
|
422 | 418 |
} |