summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/regress
diff options
context:
space:
mode:
authorNiklas Hallqvist <niklas@cvs.openbsd.org>2001-01-26 12:35:48 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2001-01-26 12:35:48 +0000
commit60b97f8e7e014aee4cd89c6b33da506ee8e0740a (patch)
treec58fd76209fe4401c50c564719ea4db107078c52 /sbin/isakmpd/regress
parente330e56aa56aa7d7d2da12f09e411fc4c6f32a01 (diff)
There is no need to check the subjectAltName anymore, since we are in fact
looking up the certificate via the name. The lookup method already guarantees a match. It is also a problem to look at the subjectAltName should we have got the certificate with no such name in it. Prodded by mickey@ although I solved the problem in a different way.
Diffstat (limited to 'sbin/isakmpd/regress')
-rw-r--r--sbin/isakmpd/regress/x509/x509test.c70
1 files changed, 69 insertions, 1 deletions
diff --git a/sbin/isakmpd/regress/x509/x509test.c b/sbin/isakmpd/regress/x509/x509test.c
index 2fca1cb8449..b14a0591ddf 100644
--- a/sbin/isakmpd/regress/x509/x509test.c
+++ b/sbin/isakmpd/regress/x509/x509test.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509test.c,v 1.12 2001/01/26 11:08:25 niklas Exp $ */
+/* $OpenBSD: x509test.c,v 1.13 2001/01/26 12:35:47 niklas Exp $ */
/* $EOM: x509test.c,v 1.9 2000/12/21 15:24:25 ho Exp $ */
/*
@@ -67,6 +67,7 @@
#include "libcrypto.h"
#include "log.h"
#include "ipsec_num.h"
+#include "isakmp_fld.h"
#include "x509.h"
u_int32_t file_sz;
@@ -94,6 +95,73 @@ open_file (char *name)
return addr;
}
+/*
+ * Check that a certificate has a subjectAltName and that it matches our ID.
+ */
+int
+x509_check_subjectaltname (u_char *id, u_int id_len, X509 *scert)
+{
+ u_int8_t *altname;
+ u_int32_t altlen;
+ int type, idtype, ret;
+
+ type = x509_cert_subjectaltname (scert, &altname, &altlen);
+ if (!type)
+ {
+ log_print ("x509_check_subjectaltname: can't access subjectAltName");
+ return 0;
+ }
+
+ /*
+ * Now that we have the X509 certicate in native form, get the
+ * subjectAltName extension and verify that it matches our ID.
+ */
+
+ /* XXX Get type of ID. */
+ idtype = id[0];
+ id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+ id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ;
+
+ ret = 0;
+ switch (idtype)
+ {
+ case IPSEC_ID_IPV4_ADDR:
+ if (type == X509v3_IP_ADDR)
+ ret = 1;
+ break;
+ case IPSEC_ID_FQDN:
+ if (type == X509v3_DNS_NAME)
+ ret = 1;
+ break;
+ case IPSEC_ID_USER_FQDN:
+ if (type == X509v3_RFC_NAME)
+ ret = 1;
+ break;
+ default:
+ ret = 0;
+ break;
+ }
+
+ if (!ret)
+ {
+ LOG_DBG ((LOG_CRYPTO, 50,
+ "x509_check_subjectaltname: "
+ "our ID type (%d) does not match X509 cert ID type (%d)",
+ idtype, type));
+ return 0;
+ }
+
+ if (altlen != id_len || memcmp (altname, id, id_len) != 0)
+ {
+ LOG_DBG ((LOG_CRYPTO, 50,
+ "x509_check_subjectaltname: "
+ "our ID does not match X509 cert ID"));
+ return 0;
+ }
+
+ return 1;
+}
+
int
main (int argc, char *argv[])
{