|
@@ -1,75 +0,0 @@
|
|
|
---- stunnel-5.31.orig/src/verify.c 2016-02-19 20:18:43.000000000 +0100
|
|
|
-+++ stunnel-5.31/src/verify.c 2016-03-13 13:30:11.000000000 +0100
|
|
|
-@@ -51,9 +51,6 @@ NOEXPORT int add_dir_lookup(X509_STORE *
|
|
|
- NOEXPORT int verify_callback(int, X509_STORE_CTX *);
|
|
|
- NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
|
|
|
- NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
|
|
|
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
|
--NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
|
|
|
--#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
|
- NOEXPORT int cert_check_local(X509_STORE_CTX *);
|
|
|
- NOEXPORT int compare_pubkeys(X509 *, X509 *);
|
|
|
- #ifndef OPENSSL_NO_OCSP
|
|
|
-@@ -274,10 +271,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
|
|
|
- }
|
|
|
-
|
|
|
- if(depth==0) { /* additional peer certificate checks */
|
|
|
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
|
-- if(!cert_check_subject(c, callback_ctx))
|
|
|
-- return 0; /* reject */
|
|
|
--#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
|
- if(c->opt->verify_level>=3 && !cert_check_local(callback_ctx))
|
|
|
- return 0; /* reject */
|
|
|
- }
|
|
|
-@@ -285,51 +278,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
|
|
|
- return 1; /* accept */
|
|
|
- }
|
|
|
-
|
|
|
--#if OPENSSL_VERSION_NUMBER>=0x10002000L
|
|
|
--NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
|
|
|
-- X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
|
|
|
-- NAME_LIST *ptr;
|
|
|
-- char *peername=NULL;
|
|
|
--
|
|
|
-- if(c->opt->check_host) {
|
|
|
-- for(ptr=c->opt->check_host; ptr; ptr=ptr->next)
|
|
|
-- if(X509_check_host(cert, ptr->name, 0, 0, &peername)>0)
|
|
|
-- break;
|
|
|
-- if(!ptr) {
|
|
|
-- s_log(LOG_WARNING, "CERT: No matching host name found");
|
|
|
-- return 0; /* reject */
|
|
|
-- }
|
|
|
-- s_log(LOG_INFO, "CERT: Host name \"%s\" matched with \"%s\"",
|
|
|
-- ptr->name, peername);
|
|
|
-- OPENSSL_free(peername);
|
|
|
-- }
|
|
|
--
|
|
|
-- if(c->opt->check_email) {
|
|
|
-- for(ptr=c->opt->check_email; ptr; ptr=ptr->next)
|
|
|
-- if(X509_check_email(cert, ptr->name, 0, 0)>0)
|
|
|
-- break;
|
|
|
-- if(!ptr) {
|
|
|
-- s_log(LOG_WARNING, "CERT: No matching email address found");
|
|
|
-- return 0; /* reject */
|
|
|
-- }
|
|
|
-- s_log(LOG_INFO, "CERT: Email address \"%s\" matched", ptr->name);
|
|
|
-- }
|
|
|
--
|
|
|
-- if(c->opt->check_ip) {
|
|
|
-- for(ptr=c->opt->check_ip; ptr; ptr=ptr->next)
|
|
|
-- if(X509_check_ip_asc(cert, ptr->name, 0)>0)
|
|
|
-- break;
|
|
|
-- if(!ptr) {
|
|
|
-- s_log(LOG_WARNING, "CERT: No matching IP address found");
|
|
|
-- return 0; /* reject */
|
|
|
-- }
|
|
|
-- s_log(LOG_INFO, "CERT: IP address \"%s\" matched", ptr->name);
|
|
|
-- }
|
|
|
--
|
|
|
-- return 1; /* accept */
|
|
|
--}
|
|
|
--#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
|
|
|
--
|
|
|
- NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
|
|
|
- X509 *cert;
|
|
|
- X509_NAME *subject;
|