1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
--- stunnel-5.24.orig/src/verify.c 2015-09-23 12:00:08.000000000 +0200
+++ stunnel-5.24/src/verify.c 2015-10-21 11:17:41.000000000 +0200
@@ -51,9 +51,6 @@ NOEXPORT int add_dir_lookup(X509_STORE *
NOEXPORT int verify_callback(int, X509_STORE_CTX *);
NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
-NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
-#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
NOEXPORT int cert_check_local(X509_STORE_CTX *);
NOEXPORT int compare_pubkeys(X509 *, X509 *);
#ifndef OPENSSL_NO_OCSP
@@ -280,10 +277,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
}
if(depth==0) { /* additional peer certificate checks */
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
- if(!cert_check_subject(c, callback_ctx))
- return 0; /* reject */
-#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
if(c->opt->verify_level>=3 && !cert_check_local(callback_ctx))
return 0; /* reject */
}
@@ -291,51 +284,6 @@ NOEXPORT int cert_check(CLI *c, X509_STO
return 1; /* accept */
}
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
-NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
- X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
- NAME_LIST *ptr;
- char *peername=NULL;
-
- if(c->opt->check_host) {
- for(ptr=c->opt->check_host; ptr; ptr=ptr->next)
- if(X509_check_host(cert, ptr->name, 0, 0, &peername)>0)
- break;
- if(!ptr) {
- s_log(LOG_WARNING, "CERT: No matching host name found");
- return 0; /* reject */
- }
- s_log(LOG_INFO, "CERT: Host name \"%s\" matched with \"%s\"",
- ptr->name, peername);
- OPENSSL_free(peername);
- }
-
- if(c->opt->check_email) {
- for(ptr=c->opt->check_email; ptr; ptr=ptr->next)
- if(X509_check_email(cert, ptr->name, 0, 0)>0)
- break;
- if(!ptr) {
- s_log(LOG_WARNING, "CERT: No matching email address found");
- return 0; /* reject */
- }
- s_log(LOG_INFO, "CERT: Email address \"%s\" matched", ptr->name);
- }
-
- if(c->opt->check_ip) {
- for(ptr=c->opt->check_ip; ptr; ptr=ptr->next)
- if(X509_check_ip_asc(cert, ptr->name, 0)>0)
- break;
- if(!ptr) {
- s_log(LOG_WARNING, "CERT: No matching IP address found");
- return 0; /* reject */
- }
- s_log(LOG_INFO, "CERT: IP address \"%s\" matched", ptr->name);
- }
-
- return 1; /* accept */
-}
-#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
-
NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) {
X509 *cert;
X509_NAME *subject;
|
