Implement inlining of crl files
While crl files can change regularly and it is usually not a good idea to statically include them into config files, handling multiple files and updating files on mobile devices is tiresome/problematic. Inlining a static version of the crl file is better in these use cases than using no crl at all. OpenVPN 3 already supports inlining crl-verify, so <crl-verify> is already used in config files. V2: Fixed PolarSSL and made formatting respect the 80 column limit V3: Accidentally reverted one change too much in V2 Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <1457293149-10526-1-git-send-email-arne@rfc2549.org> URL: http://article.gmane.org/gmane.network.openvpn.devel/11337 Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
f6608a15ef
commit
7a7a79f62e
@ -6490,7 +6490,8 @@ X509_1_C=KG
|
||||
.\"*********************************************************
|
||||
.SH INLINE FILE SUPPORT
|
||||
OpenVPN allows including files in the main configuration for the
|
||||
.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
|
||||
.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret,
|
||||
.B \-\-crl-verify
|
||||
and
|
||||
.B \-\-tls\-auth
|
||||
options.
|
||||
|
@ -2323,6 +2323,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
|
||||
to.verify_x509_type = (options->verify_x509_type & 0xff);
|
||||
to.verify_x509_name = options->verify_x509_name;
|
||||
to.crl_file = options->crl_file;
|
||||
to.crl_file_inline = options->crl_file_inline;
|
||||
to.ssl_flags = options->ssl_flags;
|
||||
to.ns_cert_type = options->ns_cert_type;
|
||||
memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
|
||||
|
@ -2747,8 +2747,8 @@ options_postprocess_filechecks (struct options *options)
|
||||
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,
|
||||
"--crl-verify directory");
|
||||
else
|
||||
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK,
|
||||
"--crl-verify");
|
||||
errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
|
||||
options->crl_file, R_OK, "--crl-verify");
|
||||
|
||||
errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,
|
||||
"--tls-auth");
|
||||
@ -6783,12 +6783,17 @@ add_option (struct options *options,
|
||||
VERIFY_PERMISSION (OPT_P_GENERAL);
|
||||
options->cipher_list = p[1];
|
||||
}
|
||||
else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]) && !p[3])
|
||||
else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
|
||||
|| (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
|
||||
{
|
||||
VERIFY_PERMISSION (OPT_P_GENERAL);
|
||||
if (p[2] && streq(p[2], "dir"))
|
||||
options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
|
||||
options->crl_file = p[1];
|
||||
if (streq (p[1], INLINE_FILE_TAG) && p[2])
|
||||
{
|
||||
options->crl_file_inline = p[2];
|
||||
}
|
||||
}
|
||||
else if (streq (p[0], "tls-verify") && p[1])
|
||||
{
|
||||
|
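Review bot: In the new `crl-verify` branch the `dir` test on `p[2]` runs before the inline test, yet for an inline block `p[2]` holds the CRL contents, so the two meanings of `p[2]` are told apart only by the value of `p[1]`; an inline CRL whose body happened to be exactly `dir` would set SSLF_CRL_VERIFY_DIR and also be stored as the inline text. Checking the inline form first keeps the two apart: `if (streq (p[1], INLINE_FILE_TAG) && p[2]) options->crl_file_inline = p[2]; else if (p[2] && streq (p[2], "dir")) options->ssl_flags |= SSLF_CRL_VERIFY_DIR;`. The accept condition also still admits a bare `crl-verify [inline]` with no contents (through `!p[2]`), which leaves crl_file_inline NULL and is only reported later when the CRL cannot be opened; rejecting that case here would surface the misconfiguration at parse time. add_option's body extends beyond the hunk on both sides.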
@ -511,6 +511,7 @@ struct options
|
||||
const char *ca_file_inline;
|
||||
const char *cert_file_inline;
|
||||
const char *extra_certs_file_inline;
|
||||
const char *crl_file_inline;
|
||||
char *priv_key_file_inline;
|
||||
const char *dh_file_inline;
|
||||
const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
|
||||
|
@ -247,6 +247,7 @@ struct tls_options
|
||||
int verify_x509_type;
|
||||
const char *verify_x509_name;
|
||||
const char *crl_file;
|
||||
const char *crl_file_inline;
|
||||
int ns_cert_type;
|
||||
unsigned remote_cert_ku[MAX_PARMS];
|
||||
const char *remote_cert_eku;
|
||||
|
@ -690,7 +690,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
|
||||
}
|
||||
else
|
||||
{
|
||||
if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
|
||||
if (SUCCESS != x509_verify_crl(opt->crl_file, opt->crl_file_inline, cert, subject))
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
@ -248,13 +248,14 @@ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
|
||||
*
|
||||
* @param crl_file File name of the CRL file
|
||||
* @param cert Certificate to verify
|
||||
* @param crl_inline Contents of the crl file if it is inlined
|
||||
* @param subject Subject of the given certificate
|
||||
*
|
||||
* @return \c SUCCESS if the CRL was not signed by the issuer of the
|
||||
* certificate or does not contain an entry for it.
|
||||
* \c FAILURE otherwise.
|
||||
*/
|
||||
result_t x509_verify_crl(const char *crl_file, openvpn_x509_cert_t *cert,
|
||||
const char *subject);
|
||||
result_t x509_verify_crl(const char *crl_file, const char *crl_inline,
|
||||
openvpn_x509_cert_t *cert, const char *subject);
|
||||
|
||||
#endif /* SSL_VERIFY_BACKEND_H_ */
|
||||
|
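Review bot: The new `@param crl_inline` line is inserted after `@param cert`, but in the updated prototype crl_inline is the second parameter, so the Doxygen parameter list no longer follows the signature order; move it directly under `@param crl_file`. The description could also state the contract both backends rely on, e.g. `@param crl_inline  Contents of the CRL when crl_file is INLINE_FILE_TAG; ignored (may be NULL) otherwise`, since the implementations consult it only when `crl_file` compares equal to the inline tag.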
@ -613,7 +613,8 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
|
||||
* check peer cert against CRL
|
||||
*/
|
||||
result_t
|
||||
x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
|
||||
x509_verify_crl(const char *crl_file, const char* crl_inline,
|
||||
X509 *peer_cert, const char *subject)
|
||||
{
|
||||
X509_CRL *crl=NULL;
|
||||
X509_REVOKED *revoked;
|
||||
@ -623,7 +624,10 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
|
||||
struct gc_arena gc = gc_new();
|
||||
char *serial;
|
||||
|
||||
in = BIO_new_file (crl_file, "r");
|
||||
if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
|
||||
in = BIO_new_mem_buf ((char *)crl_inline, -1);
|
||||
else
|
||||
in = BIO_new_file (crl_file, "r");
|
||||
|
||||
if (in == NULL) {
|
||||
msg (M_WARN, "CRL: cannot read: %s", crl_file);
|
||||
|
@ -359,18 +359,30 @@ x509_write_pem(FILE *peercert_file, x509_crt *peercert)
|
||||
* check peer cert against CRL
|
||||
*/
|
||||
result_t
|
||||
x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
|
||||
x509_verify_crl(const char *crl_file, const char* crl_inline,
|
||||
x509_crt *cert, const char *subject)
|
||||
{
|
||||
result_t retval = FAILURE;
|
||||
x509_crl crl = {0};
|
||||
struct gc_arena gc = gc_new();
|
||||
char *serial;
|
||||
|
||||
if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))
|
||||
if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
|
||||
{
|
||||
msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);
|
||||
goto end;
|
||||
if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline))))
|
||||
{
|
||||
msg (M_WARN, "CRL: cannot parse inline CRL");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))
|
||||
{
|
||||
msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
if(cert->issuer_raw.len != crl.issuer_raw.len ||
|
||||
memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0)
|
||||
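Review bot: `x509_crl_parse(&crl, crl_inline, strlen(crl_inline))` passes a `const char *` where PolarSSL declares the buffer as `const unsigned char *`, an incompatible-pointer-type diagnostic in C (-Wpointer-sign) that the OpenSSL backend avoids with a cast; write it as `if (!polar_ok(x509_crl_parse(&crl, (const unsigned char *) crl_inline, strlen(crl_inline))))`. Whether the length must also count the terminating NUL should be checked against the PolarSSL version in use: an inline CRL from a config file is always PEM, and the PEM path of this parser family (mbed TLS documents `buflen` as including the trailing `'\0'`) may otherwise reject the buffer; if so, pass `strlen(crl_inline) + 1`. The warning text `CRL: cannot parse inline CRL` could include the PolarSSL error code the way the file-path branch reports its name, to make a bad paste diagnosable. x509_verify_crl continues past the end of the hunk.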
|