path: root/src/openvpn/openssl_compat.h
author:    Emmanuel Deloget  2017-06-12 15:43:23 +0200
committer: Gert Doering      2017-06-18 12:01:42 +0200
commit:    17d1ab90c228b1efbe774357bd3265b2af006899 (patch)
tree:      2bbd76960f384654acca1f90b31f0840d72a9c73 /src/openvpn/openssl_compat.h
parent:    bd230079d98bfe6aec70b7aedefdffcdbd0e56da (diff)
OpenSSL: don't use direct access to the internal of X509
OpenSSL 1.1 does not allow us to directly access the internals of any data type, including X509. We have to use the defined functions to do so.

In x509_verify_ns_cert_type() in particular, this means that we cannot directly check for the extended flags to find whether the certificate should be used as a client or as a server certificate. We need to leverage the X509_check_purpose() API, yet this API is far stricter than the currently implemented check. So far, I have not been able to find a situation where this stricter test fails (although I must admit that I haven't tested that very well).

We double-check the certificate purpose using "direct access" to the internals of the certificate object (of course, this is not a real direct access, but we still fetch ASN1 strings within the X509 object and we check the internal value of these strings). This allows us to warn the user if there is a discrepancy between the X509_check_purpose() return value and our internal, less strict check.

We use these changes to make peer_cert a non-const parameter to x509_verify_ns_cert_type(). The underlying library expects a non-const pointer, and forcing it to be a const pointer does not make much sense (please note that this has an effect on the mbedtls part too).

Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170612134330.20971-2-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14792.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/openssl_compat.h')
 src/openvpn/openssl_compat.h | 15 +++++++++++++++
 1 file changed, 15 insertions(+), 0 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 811d559..612bfa5 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -73,6 +73,21 @@ SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
}
#endif
+#if !defined(HAVE_X509_GET0_PUBKEY)
+/**
+ * Get the public key from a X509 certificate
+ *
+ * @param x X509 certificate
+ * @return The certificate public key
+ */
+static inline EVP_PKEY *
+X509_get0_pubkey(const X509 *x)
+{
+ return (x && x->cert_info && x->cert_info->key) ?
+ x->cert_info->key->pkey : NULL;
+}
+#endif
+
#if !defined(HAVE_X509_STORE_GET0_OBJECTS)
/**
* Fetch the X509 object stack from the X509 store
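Review bot: the fallback X509_get0_pubkey() added in this hunk returns whatever is cached in x->cert_info->key->pkey, and on OpenSSL 1.0.x that field is only filled in lazily: X509_PUBKEY_get() decodes the key on first use and stores it there. For a certificate that has just been parsed and never had its key fetched, the shim returns NULL for a perfectly valid certificate, and a caller cannot tell that apart from a certificate with no usable key. Suggest building the shim on the public 1.0 API instead: call X509_get_pubkey((X509 *)x), which decodes and caches the key and hands back a new reference, then EVP_PKEY_free() that reference and return the pointer, which stays valid for the lifetime of the certificate because the cache keeps its own reference. That also gives the same borrowed-pointer, do-not-free contract as the real X509_get0_pubkey(), which the doc comment in the hunk should spell out for callers. Minor: "from a X509 certificate" should read "from an X509 certificate".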