diff options
author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-30 14:55:53 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:40 +0200 |
commit | 83c49a3ef135141101b71037f315099d32219bbf (patch) | |
tree | 26ce904090bb6892d39ef1ad552fc5497b7218b9 | |
parent | 3e44ea55339429ede83857c9e79cc218d6bc297f (diff) | |
download | openvpn-83c49a3ef135141101b71037f315099d32219bbf.tar.gz openvpn-83c49a3ef135141101b71037f315099d32219bbf.tar.xz openvpn-83c49a3ef135141101b71037f315099d32219bbf.zip |
Refactored CRL checks
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Notes
Notes:
"Doing low-level stuff like verifying CRL issuers and checking serial numbers
is something that's better done by the OpenSSL library directly"
(James Yonan, code review comment)
-rw-r--r-- | ssl.c | 67 | ||||
-rw-r--r-- | ssl_verify.c | 29 | ||||
-rw-r--r-- | ssl_verify.h | 1 | ||||
-rw-r--r-- | ssl_verify_backend.h | 14 | ||||
-rw-r--r-- | ssl_verify_openssl.c | 53 |
5 files changed, 100 insertions, 64 deletions
@@ -410,73 +410,12 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth) { if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR) { - char fn[256]; - int fd; - char *serial = verify_get_serial(cert); - if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", opt->crl_file, OS_SPECIFIC_DIRSEP, serial)) - { - msg (D_HANDSHAKE, "VERIFY CRL: filename overflow"); - verify_free_serial(serial); - goto err; - } - fd = open (fn, O_RDONLY); - if (fd >= 0) - { - msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); - verify_free_serial(serial); - close(fd); - goto err; - } - verify_free_serial(serial); + if (verify_check_crl_dir(opt->crl_file, cert)) + goto err; } else { - X509_CRL *crl=NULL; - X509_REVOKED *revoked; - BIO *in=NULL; - int n,i,retval = 0; - - in=BIO_new(BIO_s_file()); - - if (in == NULL) { - msg (M_ERR, "CRL: BIO err"); - goto end; - } - if (BIO_read_filename(in, opt->crl_file) <= 0) { - msg (M_ERR, "CRL: cannot read: %s", opt->crl_file); - goto end; - } - crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); - if (crl == NULL) { - msg (M_ERR, "CRL: cannot read CRL from file %s", opt->crl_file); - goto end; - } - - if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(cert)) != 0) { - msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of certificate %s", opt->crl_file, subject); - retval = 1; - goto end; - } - - n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); - - for (i = 0; i < n; i++) { - revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); - if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) { - msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject); - goto end; - } - } - - retval = 1; - msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); - - end: - - BIO_free(in); - if (crl) - X509_CRL_free (crl); - if (!retval) + if (verify_check_crl(opt->crl_file, cert, subject)) goto err; } } diff --git a/ssl_verify.c b/ssl_verify.c index d9acae9..2609c1d 100644 --- a/ssl_verify.c +++ b/ssl_verify.c @@ -532,6 +532,35 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, return 1; /* Reject connection */ } +/* + * check peer cert against CRL directory + */ +bool +verify_check_crl_dir(const char *crl_dir, X509 *cert) +{ + char fn[256]; + int fd; + char *serial = verify_get_serial(cert); + + if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) + { + msg (D_HANDSHAKE, "VERIFY CRL: filename overflow"); + verify_free_serial(serial); + return true; + } + fd = open (fn, O_RDONLY); + if (fd >= 0) + { + msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial); + verify_free_serial(serial); + close(fd); + return true; + } + + verify_free_serial(serial); + + return false; +} /* *************************************************************************** * Functions for the management of deferred authentication when using diff --git a/ssl_verify.h b/ssl_verify.h index 5be2627..7e53513 100644 --- a/ssl_verify.h +++ b/ssl_verify.h @@ -253,6 +253,7 @@ int verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *e int cert_depth, x509_cert_t *cert, char *subject); int verify_cert_call_command(const char *verify_command, struct env_set *es, int cert_depth, x509_cert_t *cert, char *subject, const char *verify_export_cert); +bool verify_check_crl_dir(const char *crl_dir, X509 *cert); #endif /* SSL_VERIFY_H_ */ diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h index a551beb..e6dfc59 100644 --- a/ssl_verify_backend.h +++ b/ssl_verify_backend.h @@ -192,4 +192,18 @@ bool verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); const char *write_peer_cert(x509_cert_t *cert, const char *tmp_dir, struct gc_arena *gc); +/* + * Check the certificate against a CRL file. + * + * @param crl_file File name of the CRL file + * @param cert Certificate to verify + * @param subject Subject of the given certificate + * + * @return \c 1 if the CRL was not signed by the issuer of the + * certificate or does not contain an entry for it. + * \c 0 otherwise. + */ +bool verify_check_crl(const char *crl_file, x509_cert_t *cert, + const char *subject); + #endif /* SSL_VERIFY_BACKEND_H_ */ diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c index cde100c..8bc49d7 100644 --- a/ssl_verify_openssl.c +++ b/ssl_verify_openssl.c @@ -521,3 +521,56 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) #endif /* OPENSSL_VERSION_NUMBER */ +/* + * check peer cert against CRL + */ +bool +verify_check_crl(const char *crl_file, X509 *peer_cert, const char *subject) +{ + X509_CRL *crl=NULL; + X509_REVOKED *revoked; + BIO *in=NULL; + int n,i,retval = 0; + + in=BIO_new(BIO_s_file()); + + if (in == NULL) { + msg (M_ERR, "CRL: BIO err"); + goto end; + } + if (BIO_read_filename(in, crl_file) <= 0) { + msg (M_ERR, "CRL: cannot read: %s", crl_file); + goto end; + } + crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); + if (crl == NULL) { + msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + goto end; + } + + if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) { + msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " + "certificate %s", crl_file, subject); + retval = 1; + goto end; + } + + n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); + for (i = 0; i < n; i++) { + revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); + if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) { + msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject); + goto end; + } + } + + retval = 1; + msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); + +end: + BIO_free(in); + if (crl) + X509_CRL_free (crl); + + return !retval; +} |