diff options
author | Adriaan de Jong <dejong@fox-it.com> | 2011-06-30 14:55:53 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2011-10-22 11:32:40 +0200 |
commit | 83c49a3ef135141101b71037f315099d32219bbf (patch) | |
tree | 26ce904090bb6892d39ef1ad552fc5497b7218b9 /ssl_verify_openssl.c | |
parent | 3e44ea55339429ede83857c9e79cc218d6bc297f (diff) | |
download | openvpn-83c49a3ef135141101b71037f315099d32219bbf.tar.gz openvpn-83c49a3ef135141101b71037f315099d32219bbf.tar.xz openvpn-83c49a3ef135141101b71037f315099d32219bbf.zip |
Refactored CRL checks
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Notes
Notes:
"Doing low-level stuff like verifying CRL issuers and checking serial numbers
is something that's better done by the OpenSSL library directly"
(James Yonan, code review comment)
Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r-- | ssl_verify_openssl.c | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c index cde100c..8bc49d7 100644 --- a/ssl_verify_openssl.c +++ b/ssl_verify_openssl.c @@ -521,3 +521,56 @@ write_peer_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) #endif /* OPENSSL_VERSION_NUMBER */ +/* + * check peer cert against CRL + */ +bool +verify_check_crl(const char *crl_file, X509 *peer_cert, const char *subject) +{ + X509_CRL *crl=NULL; + X509_REVOKED *revoked; + BIO *in=NULL; + int n,i,retval = 0; + + in=BIO_new(BIO_s_file()); + + if (in == NULL) { + msg (M_ERR, "CRL: BIO err"); + goto end; + } + if (BIO_read_filename(in, crl_file) <= 0) { + msg (M_ERR, "CRL: cannot read: %s", crl_file); + goto end; + } + crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); + if (crl == NULL) { + msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); + goto end; + } + + if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(peer_cert)) != 0) { + msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " + "certificate %s", crl_file, subject); + retval = 1; + goto end; + } + + n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); + for (i = 0; i < n; i++) { + revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); + if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) { + msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject); + goto end; + } + } + + retval = 1; + msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); + +end: + BIO_free(in); + if (crl) + X509_CRL_free (crl); + + return !retval; +} |