author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-30 14:55:53 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:40 +0200 |
commit | 83c49a3ef135141101b71037f315099d32219bbf (patch) | |
tree | 26ce904090bb6892d39ef1ad552fc5497b7218b9 /ssl.c | |
parent | 3e44ea55339429ede83857c9e79cc218d6bc297f (diff) | |
Refactored CRL checks
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Notes
Notes:
"Doing low-level stuff like verifying CRL issuers and checking serial numbers
is something that's better done by the OpenSSL library directly"
(James Yonan, code review comment)
Diffstat (limited to 'ssl.c')
-rw-r--r-- | ssl.c | 67 |
1 files changed, 3 insertions, 64 deletions
@@ -410,73 +410,12 @@ verify_cert(struct tls_session *session, x509_cert_t *cert, int cert_depth)
 {
 if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
 {
- char fn[256];
- int fd;
- char *serial = verify_get_serial(cert);
- if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", opt->crl_file, OS_SPECIFIC_DIRSEP, serial))
- {
- msg (D_HANDSHAKE, "VERIFY CRL: filename overflow");
- verify_free_serial(serial);
- goto err;
- }
- fd = open (fn, O_RDONLY);
- if (fd >= 0)
- {
- msg (D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
- verify_free_serial(serial);
- close(fd);
- goto err;
- }
- verify_free_serial(serial);
+ if (verify_check_crl_dir(opt->crl_file, cert))
+ goto err;
 }
 else
 {
- X509_CRL *crl=NULL;
- X509_REVOKED *revoked;
- BIO *in=NULL;
- int n,i,retval = 0;
-
- in=BIO_new(BIO_s_file());
-
- if (in == NULL) {
- msg (M_ERR, "CRL: BIO err");
- goto end;
- }
- if (BIO_read_filename(in, opt->crl_file) <= 0) {
- msg (M_ERR, "CRL: cannot read: %s", opt->crl_file);
- goto end;
- }
- crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
- if (crl == NULL) {
- msg (M_ERR, "CRL: cannot read CRL from file %s", opt->crl_file);
- goto end;
- }
-
- if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(cert)) != 0) {
- msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of certificate %s", opt->crl_file, subject);
- retval = 1;
- goto end;
- }
-
- n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
-
- for (i = 0; i < n; i++) {
- revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
- if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) {
- msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
- goto end;
- }
- }
-
- retval = 1;
- msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
-
- end:
-
- BIO_free(in);
- if (crl)
- X509_CRL_free (crl);
- if (!retval)
+ if (verify_check_crl(opt->crl_file, cert, subject))
 goto err;
 }
 }
|
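Review bot: The two new call sites treat any non-zero return from verify_check_crl_dir() and verify_check_crl() as a verification failure, but neither helper is visible in this hunk and nothing at the call site states what non-zero covers. The inline code being removed failed closed when the CRL file could not be opened or parsed (retval stayed 0, so `goto err`), yet failed open when the CRL issuer did not match the certificate issuer (an M_WARN followed by `retval = 1`) and, in the directory case, whenever open() failed for a reason other than the file being absent (EACCES on the per-serial file was treated as "not revoked"); it is worth confirming the helpers do not carry those fail-open paths forward, or that OpenSSL's own CRL checking now covers the issuer case as the commit message suggests. A one-line contract at the call site would make the intent auditable: `/* both helpers return non-zero on revocation and on any CRL read/parse error, so a bad or unreadable CRL fails closed */`. The enclosing verify_cert() begins before and continues after this hunk.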