Hi Michal,
> >What license do you need the patch to be?
>
> Preferably public domain, but any GPL-compatbile and non-copyleft license
> should be fine.
I hereby release my patches to stunnel for support of muliple client
certificates with the same CN into the public domain.
Best regards,
Leon Winter
diff --git a/src/verify.c b/src/verify.c
index 3519144..066c4ff 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -233,22 +233,32 @@ static int cert_check(CLI *c, X509_STORE_CTX *callback_ctx, int preverify_ok) {
}
}
if(c->opt->verify_level>=3 && depth==0) {
+ int i = -1;
if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
- X509_get_subject_name(cert), &obj)!=1) {
+ X509_get_subject_name(cert), &obj)==1) {
+ i = X509_OBJECT_idx_by_subject(callback_ctx->ctx->objs,
+ X509_LU_X509, X509_get_subject_name(cert));
+ }
+ if(i == -1) {
s_log(LOG_WARNING,
"CERT: Certificate not found in local repository");
return 0; /* reject connection */
}
+ for (;i<sk_X509_OBJECT_num(callback_ctx->ctx->objs);i++) {
+ X509_OBJECT *pobj = sk_X509_OBJECT_value(callback_ctx->ctx->objs,i);
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
peer_key=X509_get0_pubkey_bitstr(cert);
- local_key=X509_get0_pubkey_bitstr(obj.data.x509);
+ local_key=X509_get0_pubkey_bitstr(pobj->data.x509);
if(!peer_key || !local_key || peer_key->length!=local_key->length ||
memcmp(peer_key->data, local_key->data, local_key->length)) {
- s_log(LOG_WARNING, "CERT: Public keys do not match");
- return 0; /* reject connection */
+ continue;
}
-#endif
s_log(LOG_INFO, "CERT: Locally installed certificate matched");
+ return 1; /* accept connection */
+#endif
+ }
+ s_log(LOG_WARNING, "CERT: Public keys do not match");
+ return 0; /* reject connection */
}
return 1; /* accept connection */
}
diff --git a/src/verify.c b/src/verify.c
index 3519144..066c4ff 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -233,22 +233,32 @@ NOEXPORT int cert_check(X509_STORE_CTX *callback_ctx, int preverify_ok) {
}
}
if(c->opt->verify_level>=3 && depth==0) {
+ int i = -1;
if(X509_STORE_get_by_subject(callback_ctx, X509_LU_X509,
- X509_get_subject_name(cert), &obj)!=1) {
+ X509_get_subject_name(cert), &obj)==1) {
+ i = X509_OBJECT_idx_by_subject(callback_ctx->ctx->objs,
+ X509_LU_X509, X509_get_subject_name(cert));
+ }
+ if(i == -1) {
s_log(LOG_WARNING,
"CERT: Certificate not found in local repository");
return 0; /* fail */
}
+ for (;i<sk_X509_OBJECT_num(callback_ctx->ctx->objs);i++) {
+ X509_OBJECT *pobj = sk_X509_OBJECT_value(callback_ctx->ctx->objs,i);
#if OPENSSL_VERSION_NUMBER>=0x0090700fL
peer_key=X509_get0_pubkey_bitstr(cert);
- local_key=X509_get0_pubkey_bitstr(obj.data.x509);
+ local_key=X509_get0_pubkey_bitstr(pobj->data.x509);
if(!peer_key || !local_key || peer_key->length!=local_key->length ||
memcmp(peer_key->data, local_key->data, local_key->length)) {
- s_log(LOG_WARNING, "CERT: Public keys do not match");
- return 0; /* fail */
+ continue;
}
-#endif
s_log(LOG_INFO, "CERT: Locally installed certificate matched");
+ return 1; /* accept connection */
+#endif
+ }
+ s_log(LOG_WARNING, "CERT: Public keys do not match");
+ return 0; /* reject connection */
}
return 1; /* success */
}
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
