Unified verification function return values:

- Now return either SUCCESS or FAILURE. - SUCCESS is defined as 0. Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
andj · Aug 3, 2011 · f543aaf · f543aaf
1 parent 25a2452
commit f543aaf
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 110 deletions.
diff --git a/ssl_verify.c b/ssl_verify.c
@@ -292,14 +292,14 @@ print_nsCertType (int type)
  * @param subject the peer's extracted subject name
  * @param subject the peer's extracted common name
  */
-static int
+static result_t
 verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
     const char *subject, const char *common_name)
 {
   /* verify certificate nsCertType */
   if (opt->ns_cert_type != NS_CERT_CHECK_NONE)
     {
-      if (x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
+      if (SUCCESS == x509_verify_ns_cert_type (peer_cert, opt->ns_cert_type))
 	{
 	  msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
 	       print_nsCertType (opt->ns_cert_type));
@@ -308,7 +308,7 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 	{
 	  msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
 	       subject, print_nsCertType (opt->ns_cert_type));
-	  return 1;		/* Reject connection */
+	  return FAILURE;		/* Reject connection */
 	}
     }
 
@@ -317,28 +317,28 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
   /* verify certificate ku */
   if (opt->remote_cert_ku[0] != 0)
     {
-      if (x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
+      if (SUCCESS == x509_verify_cert_ku (peer_cert, opt->remote_cert_ku, MAX_PARMS))
 	{
 	  msg (D_HANDSHAKE, "VERIFY KU OK");
 	}
         else
         {
 	  msg (D_HANDSHAKE, "VERIFY KU ERROR");
-          return 1;		/* Reject connection */
+          return FAILURE;		/* Reject connection */
 	}
     }
 
   /* verify certificate eku */
   if (opt->remote_cert_eku != NULL)
     {
-      if (x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
+      if (SUCCESS == x509_verify_cert_eku (peer_cert, opt->remote_cert_eku))
         {
 	  msg (D_HANDSHAKE, "VERIFY EKU OK");
 	}
       else
 	{
 	  msg (D_HANDSHAKE, "VERIFY EKU ERROR");
-          return 1;		/* Reject connection */
+          return FAILURE;		/* Reject connection */
 	}
     }
 
@@ -354,11 +354,11 @@ verify_peer_cert(const struct tls_options *opt, x509_cert_t *peer_cert,
 	{
 	  msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
 	       subject, opt->verify_x509name);
-	  return 1;		/* Reject connection */
+	  return FAILURE;		/* Reject connection */
 	}
     }
 
-  return 0;
+  return SUCCESS;
 }
 
 /*
@@ -420,7 +420,7 @@ verify_cert_set_env(struct env_set *es, x509_cert_t *peer_cert, int cert_depth,
 /*
  * call --tls-verify plug-in(s)
  */
-static int
+static result_t
 verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
     int cert_depth, x509_cert_t *cert, char *subject)
 {
@@ -444,10 +444,10 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
 	{
 	  msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
 	      cert_depth, subject);
-	  return 1;		/* Reject connection */
+	  return FAILURE;		/* Reject connection */
 	}
     }
-  return 0;
+  return SUCCESS;
 }
 
 static const char *
@@ -470,7 +470,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
       return NULL;
     }
 
-  if (x509_write_pem(peercert_file, peercert))
+  if (SUCCESS != x509_write_pem(peercert_file, peercert))
       msg (M_ERR, "Error writing PEM file containing certificate");
 
   fclose(peercert_file);
@@ -481,7 +481,7 @@ verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_ar
 /*
  * run --tls-verify script
  */
-static int
+static result_t
 verify_cert_call_command(const char *verify_command, struct env_set *es,
     int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert)
 {
@@ -518,18 +518,18 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
     {
       msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
 	   cert_depth, subject);
-      return 0;
+      return SUCCESS;
     }
 
   msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
        cert_depth, subject);
-  return 1;		/* Reject connection */
+  return FAILURE;		/* Reject connection */
 }
 
 /*
  * check peer cert against CRL directory
  */
-static bool
+static result_t
 verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
 {
   char fn[256];
@@ -540,23 +540,23 @@ verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
     {
       msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
       x509_free_serial(serial);
-      return true;
+      return FAILURE;
     }
   fd = open (fn, O_RDONLY);
   if (fd >= 0)
     {
       msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
       x509_free_serial(serial);
       close(fd);
-      return true;
+      return FAILURE;
     }
 
   x509_free_serial(serial);
 
-  return false;
+  return SUCCESS;
 }
 
-int
+result_t
 verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
   char *subject = NULL;
@@ -582,7 +582,8 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   string_replace_leading (subject, '-', '_');
 
   /* extract the username (default is CN) */
-  if (x509_get_username (common_name, TLS_USERNAME_LEN, opt->x509_username_field, cert))
+  if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN,
+      opt->x509_username_field, cert))
     {
       if (!cert_depth)
 	{
@@ -636,29 +637,29 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
   setenv_untrusted (session);
 
   /* If this is the peer's own certificate, verify it */
-  if (cert_depth == 0 && verify_peer_cert(opt, cert, subject, common_name))
+  if (cert_depth == 0 && SUCCESS != verify_peer_cert(opt, cert, subject, common_name))
     goto err;
 
   /* call --tls-verify plug-in(s), if registered */
-  if (verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
+  if (SUCCESS != verify_cert_call_plugin(opt->plugins, opt->es, cert_depth, cert, subject))
     goto err;
 
   /* run --tls-verify script */
-  if (opt->verify_command && verify_cert_call_command(opt->verify_command, opt->es,
+  if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command,
-      cert_depth, cert, subject, opt->verify_export_cert))
+      opt->es, cert_depth, cert, subject, opt->verify_export_cert))
     goto err;
 
   /* check peer cert against CRL */
   if (opt->crl_file)
     {
       if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
       {
-	if (verify_check_crl_dir(opt->crl_file, cert))
+	if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
 	  goto err;
       }
       else
       {
-	if (x509_verify_crl(opt->crl_file, cert, subject))
+	if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
 	  goto err;
       }
     }
@@ -668,7 +669,7 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 
  done:
   x509_free_subject (subject);
-  return (session->verified == true) ? 1 : 0;
+  return (session->verified == true) ? SUCCESS : FAILURE;
 
  err:
   tls_clear_error();

diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
@@ -30,6 +30,11 @@
 #ifndef SSL_VERIFY_BACKEND_H_
 #define SSL_VERIFY_BACKEND_H_
 
+/**
+ * Result of verification function
+ */
+typedef enum { SUCCESS=0, FAILURE=1 } result_t;
+
 /*
  * Backend support functions.
  *
@@ -48,9 +53,9 @@
  * @param cert		Certificate to process
  * @param cert_depth	Depth of the current certificate
  *
- * @return 		\c 1 if verification was successful, \c 0 on failure.
+ * @return 		\c SUCCESS if verification was successful, \c FAILURE on failure.
  */
-int verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
+result_t verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth);
 
 /*
  * Remember the given certificate hash, allowing the certificate chain to be
@@ -118,9 +123,9 @@ void x509_free_sha1_hash (unsigned char *hash);
  * @param x509_username_field	Name of the field to load from
  * @param cert			Certificate to retrieve the common name from.
  *
- * @return 		\c 1 on failure, \c 0 on success
+ * @return 		\c FAILURE, \c or SUCCESS
  */
-bool x509_get_username (char *common_name, int cn_len,
+result_t x509_get_username (char *common_name, int cn_len,
     char * x509_username_field, x509_cert_t *peer_cert);
 
 /*
@@ -201,11 +206,11 @@ void x509_setenv_track (const struct x509_track *xt, struct env_set *es,
  * @param usage		One of \c NS_CERT_CHECK_CLIENT, \c NS_CERT_CHECK_SERVER,
  * 			or \c NS_CERT_CHECK_NONE.
  *
- * @return		\c true if NS_CERT_CHECK_NONE or if the certificate has
+ * @return		\c SUCCESS if NS_CERT_CHECK_NONE or if the certificate has
- * 			the expected bit set. \c false if the certificate does
+ * 			the expected bit set. \c FAILURE if the certificate does
  * 			not have NS cert type verification or the wrong bit set.
  */
-bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+result_t x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
 
@@ -216,10 +221,10 @@ bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
  * @param expected_ku	Array of valid key usage values
  * @param expected_len	Length of the key usage array
  *
- * @return 		\c true if one of the key usage values matches, \c false
+ * @return 		\c SUCCESS if one of the key usage values matches, \c FAILURE
  * 			if key usage is not enabled, or the values do not match.
  */
-bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
+result_t x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
     int expected_len);
 
 /*
@@ -231,11 +236,11 @@ bool x509_verify_cert_ku (x509_cert_t *x509, const unsigned * const expected_ku,
  * 			(e.g. \c "1.2.3.4", or the descriptive string matching
  * 			the OID.
  *
- * @return 		\c true if one of the expected OID matches one of the
+ * @return 		\c SUCCESS if one of the expected OID matches one of the
- * 			extended key usage fields, \c false if extended key
+ * 			extended key usage fields, \c FAILURE if extended key
  * 			usage is not enabled, or the values do not match.
  */
-bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+result_t x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
 
 #endif
 
@@ -245,8 +250,10 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
  * @param cert		Certificate to store
  * @param tmp_dir	Temporary directory to store the directory
  * @param gc		gc_arena to store temporary objects in
+ *
+ *
  */
-bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
+result_t x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
 
 /*
  * Check the certificate against a CRL file.
@@ -255,11 +262,11 @@ bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
  * @param cert		Certificate to verify
  * @param subject	Subject of the given certificate
  *
- * @return 		\c 1 if the CRL was not signed by the issuer of the
+ * @return 		\c SUCCESS if the CRL was not signed by the issuer of the
  * 			certificate or does not contain an entry for it.
- * 			\c 0 otherwise.
+ * 			\c FAILURE otherwise.
  */
-bool x509_verify_crl(const char *crl_file, x509_cert_t *cert,
+result_t x509_verify_crl(const char *crl_file, x509_cert_t *cert,
     const char *subject);
 
 #endif /* SSL_VERIFY_BACKEND_H_ */