--- /tmp/removed123.txt 2011-08-03 19:10:46.605595802 +0200
+++ /tmp/added123.txt 2011-08-03 19:10:46.625605802 +0200
@@ -1,64 +1,76 @@
--- a/ssl.c
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
-bool verify_cert_eku (X509 *x509, const char * const expected_oid) {
-
+++ b/ssl.c
+++ b/ssl_verify.c
+ /* verify certificate eku */
+ if (opt->remote_cert_eku != NULL)
+ {
+ if (verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ {
+ msg (D_HANDSHAKE, "VERIFY EKU OK");
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY EKU ERROR");
+ return 1; /* Reject connection */
+ }
+ }
+++ b/ssl_verify_backend.h
+/*
+ * Verify X.509 extended key usage extension field.
+ *
+ * @param cert Certificate to check.
+ * @param expected_oid String representation of the expected Object ID. May be
+ * either the string representation of the numeric OID
+ * (e.g. \c "1.2.3.4", or the descriptive string matching
+ * the OID.
+ *
+ * @return \c true if one of the expected OID matches one of the
+ * extended key usage fields, \c false if extended key
+ * usage is not enabled, or the values do not match.
+ */
+bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+
+++ b/ssl_verify_openssl.c
+bool
+verify_cert_eku (X509 *x509, const char * const expected_oid)
+{
EXTENDED_KEY_USAGE *eku = NULL;
bool fFound = false;
- if ((eku = (EXTENDED_KEY_USAGE *)X509_get_ext_d2i (x509, NID_ext_key_usage, NULL, NULL)) == NULL) {
+ if ((eku = (EXTENDED_KEY_USAGE *) X509_get_ext_d2i (x509, NID_ext_key_usage,
+ NULL, NULL)) == NULL)
+ {
msg (D_HANDSHAKE, "Certificate does not have extended key usage extension");
}
- else {
+ else
+ {
int i;
msg (D_HANDSHAKE, "Validating certificate extended key usage");
- for(i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++) {
+ for (i = 0; !fFound && i < sk_ASN1_OBJECT_num (eku); i++)
+ {
ASN1_OBJECT *oid = sk_ASN1_OBJECT_value (eku, i);
char szOid[1024];
- if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 0) != -1) {
- msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", szOid, expected_oid);
- if (!strcmp (expected_oid, szOid)) {
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 0) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
fFound = true;
}
- }
- if (!fFound && OBJ_obj2txt (szOid, sizeof (szOid), oid, 1) != -1) {
- msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", szOid, expected_oid);
- if (!strcmp (expected_oid, szOid)) {
+ if (!fFound && OBJ_obj2txt (szOid, sizeof(szOid), oid, 1) != -1)
+ {
+ msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
+ szOid, expected_oid);
+ if (!strcmp (expected_oid, szOid))
fFound = true;
}
}
}
- }
- if (eku != NULL) {
+ if (eku != NULL)
sk_ASN1_OBJECT_pop_free (eku, ASN1_OBJECT_free);
- }
return fFound;
}
-#endif /* OPENSSL_VERSION_NUMBER */
-
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-
- /* verify certificate eku */
- if (opt->remote_cert_eku != NULL && cert_depth == 0)
- {
- if (verify_cert_eku (cert, opt->remote_cert_eku))
- {
- msg (D_HANDSHAKE, "VERIFY EKU OK");
- }
- else
- {
- msg (D_HANDSHAKE, "VERIFY EKU ERROR");
- goto err; /* Reject connection */
- }
- }
-
-#endif /* OPENSSL_VERSION_NUMBER */
-
--- a/ssl_verify.c
--- a/ssl_verify_backend.h
--- a/ssl_verify_openssl.c
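Review bot: The new ssl_verify.c call site `if (opt->remote_cert_eku != NULL)` drops the `cert_depth == 0` condition that the removed code carried, so the EKU requirement is no longer visibly restricted to the leaf certificate; if this block now runs from a per-certificate callback that is invoked for every depth of the chain, CA certificates (which normally do not carry the client/server-authentication EKU) would fail with "VERIFY EKU ERROR" and the whole chain would be rejected. If the surrounding function is only ever called for the peer's end-entity certificate, a comment such as `/* EKU is only required of the leaf; this path is reached for depth 0 only */` above the check would make that invariant explicit; otherwise the guard should be restored as `if (opt->remote_cert_eku != NULL && cert_depth == 0)` or the depth passed in. The enclosing function of this fragment starts and ends outside the hunk, so which case applies cannot be confirmed from here. Separately, the `#if OPENSSL_VERSION_NUMBER >= 0x00907000L` guard around `verify_cert_eku` was removed on the new side; `X509_get_ext_d2i` and `NID_ext_key_usage` need 0.9.7+, so if the tree still claims to build against older OpenSSL the backend file will fail to compile, and the header prototype taking `x509_cert_t *` while the OpenSSL definition takes `X509 *` presumably relies on a typedef in the backend header that is not visible in this hunk.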