#endif
#ifdef HAVE_OPENSSL_X509_H
#include <openssl/x509.h>
-#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#endif
#include <openssl/bn.h>
*/
#ifdef HAVE_SIGNING_C
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
+static int cb_check_cert __P((int, X509_STORE_CTX *));
static void eay_setgentype __P((char *, int *));
static X509 *mem2x509 __P((vchar_t *));
#endif
* this functions is derived from apps/verify.c in OpenSSL0.9.5
*/
int
-eay_check_x509cert(cert, CApath, local)
+eay_check_x509cert(cert, CApath)
vchar_t *cert;
char *CApath;
- int local;
{
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
cert_ctx = X509_STORE_new();
if (cert_ctx == NULL)
goto end;
-
- if (local)
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
- else
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
-
+ X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert);
lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
if (lookup == NULL)
if (csc == NULL)
goto end;
X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
-
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK);
- X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK_ALL);
-#endif
-
error = X509_verify_cert(csc);
X509_STORE_CTX_cleanup(csc);
#else
/*
* callback function for verifing certificate.
- * Derived from cb() in openssl/apps/s_server.c
- *
- * This one is called for certificates obtained from
- * 'peers_certfile' directive.
+ * this function is derived from cb() in openssl/apps/s_server.c
*/
static int
-cb_check_cert_local(ok, ctx)
+cb_check_cert(ok, ctx)
int ok;
X509_STORE_CTX *ctx;
{
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
#if OPENSSL_VERSION_NUMBER >= 0x00905100L
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
case X509_V_ERR_INVALID_PURPOSE:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
#endif
- ok = 1;
- log_tag = LLV_WARNING;
- break;
-
- default:
+ ok = 1;
+ log_tag = LLV_WARNING;
+ break;
+ default:
log_tag = LLV_ERROR;
- }
-
-
-#ifndef EAYDEBUG
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
- buf);
-#else
- printf("%d: %s(%d) at depth:%d SubjectName:%s\n",
- log_tag,
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
- buf);
-#endif
- }
- ERR_clear_error();
-
- return ok;
-}
-
-/*
- * Similar to cb_check_cert_local() but this one is called
- * for certificates obtained from the IKE payload.
- */
-static int
-cb_check_cert_remote(ok, ctx)
- int ok;
- X509_STORE_CTX *ctx;
-{
- char buf[256];
- int log_tag;
-
- if (!ok) {
- X509_NAME_oneline(
- X509_get_subject_name(ctx->current_cert),
- buf,
- 256);
- switch (ctx->error) {
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- ok = 1;
- log_tag = LLV_WARNING;
- break;
- default:
- log_tag = LLV_ERROR;
- }
+ }
#ifndef EAYDEBUG
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
evp = X509_get_pubkey(x509);
if (!evp) {
-#ifndef EAYDEBUG
plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey: %s\n", eay_strerror());
-#endif
return -1;
}
projects / apple / network_cmds.git / blobdiff