Permalink
Browse files

Unified verification function return values:

 - Now return either SUCCESS or FAILURE.
 - SUCCESS is defined as 0.

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
  • Loading branch information...
1 parent 25a2452 commit f543aafc52d8885c36ced7bf0eb74919dc6bb75f @andj committed Aug 3, 2011
Showing with 116 additions and 110 deletions.
  1. +30 −29 ssl_verify.c
  2. +23 −16 ssl_verify_backend.h
  3. +36 −35 ssl_verify_openssl.c
  4. +27 −30 ssl_verify_polarssl.c
View
@@ -292,14 +292,14 @@ print_nsCertType (int type)
* @param subject the peer's extracted subject name
* @param subject the peer's extracted common name
*/
-static int
+static result_t
verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
const char *subject, const char *common_name)
{
/* verify certificate nsCertType */
if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
{
- if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
+ if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
{
msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
print_nsCertType (opt->ns_cert_type));
@@ -308,7 +308,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
{
msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
subject, print_nsCertType (opt->ns_cert_type));
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
@@ -317,28 +317,28 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
/* verify certificate ku */
if (opt->remote_cert_ku[0] != 0)
{
- if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+ if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
{
msg (D_HANDSHAKE, "VERIFY KU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY KU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
/* verify certificate eku */
if (opt->remote_cert_eku != NULL)
{
- if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
+ if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
{
msg (D_HANDSHAKE, "VERIFY EKU OK");
}
else
{
msg (D_HANDSHAKE, "VERIFY EKU ERROR");
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
@@ -354,11 +354,11 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
{
msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
subject, opt->verify_x509name);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
/*
@@ -420,7 +420,7 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
/*
* call --tls-verify plug-in(s)
*/
-static int
+static result_t
verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject)
{
@@ -444,10 +444,10 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
{
msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
}
- return 0;
+ return SUCCESS;
}
static const char *
@@ -470,7 +470,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
return NULL;
}
- if (x509_write_pem(peercert_file, peercert))
+ if (SUCCESS != x509_write_pem(peercert_file, peercert))
msg (M_ERR, "Error writing PEM file containing certificate");
fclose(peercert_file);
@@ -481,7 +481,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
/*
* run --tls-verify script
*/
-static int
+static result_t
verify_cert_call_command(const char *verify_command, struct env_set *es,
int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert)
{
@@ -518,18 +518,18 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
{
msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
cert_depth, subject);
- return 0;
+ return SUCCESS;
}
msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
cert_depth, subject);
- return 1; /* Reject connection */
+ return FAILURE; /* Reject connection */
}
/*
* check peer cert against CRL directory
*/
-static bool
+static result_t
verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
char fn[256];
@@ -540,23 +540,23 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
x509_free_serial(serial);
- return true;
+ return FAILURE;
}
fd = open (fn, O_RDONLY);
if (fd >= 0)
{
msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
x509_free_serial(serial);
close(fd);
- return true;
+ return FAILURE;
}
x509_free_serial(serial);
- return false;
+ return SUCCESS;
}
-int
+result_t
verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
{
char *subject = NULL;
@@ -582,7 +582,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
string_replace_leading (subject, '-', '_');
/* extract the username (default is CN) */
- if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
+ if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+ opt->x509_username_field, cert))
{
if (!cert_depth)
{
@@ -636,29 +637,29 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
setenv_untrusted (session);
/* If this is the peer's own certificate, verify it */
- if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
+ if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
goto err;
/* call --tls-verify plug-in(s), if registered */
- if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+ if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
goto err;
/* run --tls-verify script */
- if (opt->verify_command && verify_cert_call_command(opt->verify_command, opt->es,
- cert_depth, cert, subject, opt->verify_export_cert))
+ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
+ opt->es, cert_depth, cert, subject, opt->verify_export_cert))
goto err;
/* check peer cert against CRL */
if (opt->crl_file)
{
if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
{
- if (verify_check_crl_dir(opt->crl_file, cert))
+ if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
goto err;
}
else
{
- if (x509_verify_crl(opt->crl_file, cert, subject))
+ if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
goto err;
}
}
@@ -668,7 +669,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
done:
x509_free_subject (subject);
- return (session->verified == true) ? 1 : 0;
+ return (session->verified == true) ? SUCCESS : FAILURE;
err:
tls_clear_error();
View
@@ -30,6 +30,11 @@
#ifndef SSL_VERIFY_BACKEND_H_
#define SSL_VERIFY_BACKEND_H_
+/**
+ * Result of verification function
+ */
+typedef enum { SUCCESS=0, FAILURE=1 } result_t;
+
/*
* Backend support functions.
*
@@ -48,9 +53,9 @@
* @param cert Certificate to process
* @param cert_depth Depth of the current certificate
*
- * @return \c 1 if verification was successful, \c 0 on failure.
+ * @return \c SUCCESS if verification was successful, \c FAILURE on failure.
*/
-int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
/*
* Remember the given certificate hash, allowing the certificate chain to be
@@ -118,9 +123,9 @@ void x509_free_sha1_hash (unsigned char *hash);
* @param x509_username_field Name of the field to load from
* @param cert Certificate to retrieve the common name from.
*
- * @return \c 1 on failure, \c 0 on success
+ * @return \c FAILURE, \c or SUCCESS
*/
-bool x509_get_username (char *common_name, int cn_len,
+result_t x509_get_username (char *common_name, int cn_len,
char * x509_username_field, x509_cert_t *peer_cert);
/*
@@ -201,11 +206,11 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
* @param usage One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
* or \c NS_CERT_CHECK_NONE.
*
- * @return \c true if NS_CERT_CHECK_NONE or if the certificate has
- * the expected bit set. \c false if the certificate does
+ * @return \c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
+ * the expected bit set. \c FAILURE if the certificate does
* not have NS cert type verification or the wrong bit set.
*/
-bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
@@ -216,10 +221,10 @@ bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
* @param expected_ku Array of valid key usage values
* @param expected_len Length of the key usage array
*
- * @return \c true if one of the key usage values matches, \c false
+ * @return \c SUCCESS if one of the key usage values matches, \c FAILURE
* if key usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
int expected_len);
/*
@@ -231,11 +236,11 @@ bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
* (e.g. \c "1.2.3.4", or the descriptive string matching
* the OID.
*
- * @return \c true if one of the expected OID matches one of the
- * extended key usage fields, \c false if extended key
+ * @return \c SUCCESS if one of the expected OID matches one of the
+ * extended key usage fields, \c FAILURE if extended key
* usage is not enabled, or the values do not match.
*/
-bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
#endif
@@ -245,8 +250,10 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
* @param cert Certificate to store
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
+ *
+ *
*/
-bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
/*
* Check the certificate against a CRL file.
@@ -255,11 +262,11 @@ bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
* @param cert Certificate to verify
* @param subject Subject of the given certificate
*
- * @return \c 1 if the CRL was not signed by the issuer of the
+ * @return \c SUCCESS if the CRL was not signed by the issuer of the
* certificate or does not contain an entry for it.
- * \c 0 otherwise.
+ * \c FAILURE otherwise.
*/
-bool x509_verify_crl(const char *crl_file, x509_cert_t *cert,
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
const char *subject);
#endif /* SSL_VERIFY_BACKEND_H_ */
Oops, something went wrong.

0 comments on commit f543aaf

Please sign in to comment.