NOEXPORT int verify_checks(int preverify_ok, X509_STORE_CTX *callback_ctx) {
    /* Body of the verify callback: runs the certificate, CRL and (when OCSP
     * is compiled in) OCSP checks against the certificate currently being
     * verified in callback_ctx.  preverify_ok is OpenSSL's own verdict and
     * is handed on to cert_check().  Returns 1 to accept the certificate at
     * this depth, 0 to reject it.  Every exit path releases the subject
     * string obtained from X509_NAME2text(). */
    X509 *current;
    int level;
    char *name;
    int accepted=0;

    current=X509_STORE_CTX_get_current_cert(callback_ctx);
    level=X509_STORE_CTX_get_error_depth(callback_ctx);
    /* NOTE(review): X509_STORE_CTX_get_current_cert() is documented to return
     * NULL when no certificate is relevant to the error; nothing here guards
     * against that before X509_get_subject_name() - confirm it cannot occur
     * for the error set this callback can see */
    name=X509_NAME2text(X509_get_subject_name(current));

    s_log(LOG_DEBUG, "Verification started at depth=%d: %s", level, name);

    if(!cert_check(callback_ctx, preverify_ok)) {
        s_log(LOG_WARNING, "Rejected by CERT at depth=%d: %s", level, name);
        goto done;
    }
    if(!crl_check(callback_ctx)) {
        s_log(LOG_WARNING, "Rejected by CRL at depth=%d: %s", level, name);
        goto done;
    }
#ifndef OPENSSL_NO_OCSP
    if(!ocsp_check(callback_ctx)) {
        s_log(LOG_WARNING, "Rejected by OCSP at depth=%d: %s", level, name);
        goto done;
    }
#endif /* !defined(OPENSSL_NO_OCSP) */

    /* depth 0 is logged at NOTICE, every higher depth at INFO */
    s_log(level ? LOG_INFO : LOG_NOTICE,
        "Certificate accepted at depth=%d: %s", level, name);
    accepted=1;

done:
    str_free(name);
    return accepted;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) {
    /* OpenSSL verify callback, invoked once per certificate in the chain.
     * Recovers the owning CLI from the SSL object stashed in the store
     * context, then runs cert_check(), crl_check() and - when OCSP support
     * is compiled in and enabled for this service - ocsp_check().
     * preverify_ok is OpenSSL's own verdict, forwarded to cert_check().
     * Returns 1 to accept the certificate, 0 to reject the connection. */
    SSL *ssl;
    CLI *c;
    X509 *current;
    int level;
    char *name;
    int verdict=0;

    /* the SSL object is reachable from the store context through OpenSSL's
     * well-known ex_data slot; the CLI was attached to it under cli_index */
    ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
        SSL_get_ex_data_X509_STORE_CTX_idx());
    c=SSL_get_ex_data(ssl, cli_index);
    current=X509_STORE_CTX_get_current_cert(callback_ctx);
    level=X509_STORE_CTX_get_error_depth(callback_ctx);

    /* buf==NULL makes OpenSSL allocate the string; it is released with
     * OPENSSL_free() on every path below.
     * NOTE(review): X509_NAME_oneline() can return NULL on allocation
     * failure and the "%s" conversions below would then see NULL -
     * confirm s_log() tolerates that */
    name=X509_NAME_oneline(X509_get_subject_name(current), NULL, 0);

    s_log(LOG_DEBUG, "Starting certificate verification: depth=%d, %s",
        level, name);

    if(!cert_check(c, callback_ctx, preverify_ok)) {
        s_log(LOG_WARNING, "Certificate check failed: depth=%d, %s",
            level, name);
        goto cleanup;
    }
    if(!crl_check(c, callback_ctx)) {
        s_log(LOG_WARNING, "CRL check failed: depth=%d, %s",
            level, name);
        goto cleanup;
    }
#ifdef HAVE_OSSL_OCSP_H
    /* OCSP is a per-service opt-in; skipped entirely when not configured */
    if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx)) {
        s_log(LOG_WARNING, "OCSP check failed: depth=%d, %s",
            level, name);
        goto cleanup;
    }
#endif /* HAVE_OSSL_OCSP_H */

    s_log(LOG_NOTICE, "Certificate accepted: depth=%d, %s",
        level, name);
    verdict=1;

cleanup:
    OPENSSL_free(name);
    return verdict;
}
static int verify_callback(int preverify_ok, X509_STORE_CTX *callback_ctx) {
    /* OpenSSL verify callback, invoked once per certificate in the chain.
     * This variant reads the store context's members (current_cert,
     * error_depth) directly, which ties it to OpenSSL releases where
     * X509_STORE_CTX is not yet an opaque type (pre-1.1.0).  Unlike the
     * newer variants, the OCSP check is gated at run time only, by the
     * service's option.ocsp flag.  preverify_ok is OpenSSL's own verdict,
     * forwarded to cert_check().  Returns 1 to accept the certificate,
     * 0 to reject the connection. */
    SSL *ssl;
    CLI *c;
    int level;
    int verdict;
    char name[STRLEN];

    /* the SSL object is reachable from the store context through OpenSSL's
     * well-known ex_data slot; the CLI was attached to it under cli_index */
    ssl=X509_STORE_CTX_get_ex_data(callback_ctx,
        SSL_get_ex_data_X509_STORE_CTX_idx());
    c=SSL_get_ex_data(ssl, cli_index);
    level=callback_ctx->error_depth;

    /* render the subject into a fixed buffer (bounded to STRLEN by
     * X509_NAME_oneline) and run it through safestring() - presumably a
     * log sanitizer, see its definition - before it reaches the log */
    X509_NAME_oneline(X509_get_subject_name(callback_ctx->current_cert),
        name, STRLEN);
    safestring(name);

    s_log(LOG_DEBUG, "Starting certificate verification: depth=%d, %s",
        level, name);

    if(!cert_check(c, callback_ctx, preverify_ok)) {
        s_log(LOG_WARNING, "Certificate check failed: depth=%d, %s",
            level, name);
        verdict=0;
    } else if(!crl_check(c, callback_ctx)) {
        s_log(LOG_WARNING, "CRL check failed: depth=%d, %s",
            level, name);
        verdict=0;
    } else if(c->opt->option.ocsp && !ocsp_check(c, callback_ctx)) {
        s_log(LOG_WARNING, "OCSP check failed: depth=%d, %s",
            level, name);
        verdict=0;
    } else {
        s_log(LOG_NOTICE, "Certificate accepted: depth=%d, %s",
            level, name);
        verdict=1;
    }
    return verdict;
}