123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 |
- --- stunnel-5.31.orig/src/verify.c 2016-02-19 20:18:43.000000000 +0100
- +++ stunnel-5.31/src/verify.c 2016-03-13 13:30:11.000000000 +0100
- @@ -51,9 +51,6 @@ NOEXPORT int add_dir_lookup(X509_STORE *
- NOEXPORT int verify_callback(int, X509_STORE_CTX *);
- NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
- NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
- -#if OPENSSL_VERSION_NUMBER>=0x10002000L
- -NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
- -#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
- NOEXPORT int cert_check_local(X509_STORE_CTX *);
- NOEXPORT int compare_pubkeys(X509 *, X509 *);
- #ifndef OPENSSL_NO_OCSP
- @@ -274,10 +271,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
- }
-
- if(depth==0) { /* additional peer certificate checks */
- -#if OPENSSL_VERSION_NUMBER>=0x10002000L
- - if(!cert_check_subject(c, callback_ctx))
- - return 0; /* reject */
- -#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
- if(c->opt->verify_level>=3 && !cert_check_local(callback_ctx))
- return 0; /* reject */
- }
- @@ -285,51 +278,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
- return 1; /* accept */
- }
-
- -#if OPENSSL_VERSION_NUMBER>=0x10002000L
- -NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
- - X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
- - NAME_LIST *ptr;
- - char *peername=NULL;
- -
- - if(c->opt->check_host) {
- - for(ptr=c->opt->check_host; ptr; ptr=ptr->next)
- - if(X509_check_host(cert, ptr->name, 0, 0, &peername)>0)
- - break;
- - if(!ptr) {
- - s_log(LOG_WARNING, "CERT: No matching host name found");
- - return 0; /* reject */
- - }
- - s_log(LOG_INFO, "CERT: Host name \"%s\" matched with \"%s\"",
- - ptr->name, peername);
- - OPENSSL_free(peername);
- - }
- -
- - if(c->opt->check_email) {
- - for(ptr=c->opt->check_email; ptr; ptr=ptr->next)
- - if(X509_check_email(cert, ptr->name, 0, 0)>0)
- - break;
- - if(!ptr) {
- - s_log(LOG_WARNING, "CERT: No matching email address found");
- - return 0; /* reject */
- - }
- - s_log(LOG_INFO, "CERT: Email address \"%s\" matched", ptr->name);
- - }
- -
- - if(c->opt->check_ip) {
- - for(ptr=c->opt->check_ip; ptr; ptr=ptr->next)
- - if(X509_check_ip_asc(cert, ptr->name, 0)>0)
- - break;
- - if(!ptr) {
- - s_log(LOG_WARNING, "CERT: No matching IP address found");
- - return 0; /* reject */
- - }
- - s_log(LOG_INFO, "CERT: IP address \"%s\" matched", ptr->name);
- - }
- -
- - return 1; /* accept */
- -}
- -#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
- -
- NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
- X509 *cert;
- X509_NAME *subject;
|