Core: added CRL support (crl-verify directive) to PolarSSL module.

openvpn/options/merge.hpp

@@ -340,7 +340,7 @@ namespace openvpn {
 	    case 'a':
 	      return d == "auth-user-pass";
 	    case 'c':
-	      return d == "ca" || d == "cert";
+	      return d == "ca" || d == "cert" || d == "crl-verify";
 	    case 'd':
 	      return d == "dh";
 	    case 'e':

openvpn/polarssl/pki/x509crl.hpp

@@ -0,0 +1,95 @@
+//
+//  x509crl.hpp
+//  OpenVPN
+//
+//  Copyright (c) 2014 OpenVPN Technologies, Inc. All rights reserved.
+//
+
+// Wrap a PolarSSL x509_crl object
+
+#ifndef OPENVPN_POLARSSL_PKI_X509CRL_H
+#define OPENVPN_POLARSSL_PKI_X509CRL_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+
+#include <polarssl/x509_crl.h>
+
+#include <openvpn/common/types.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/polarssl/util/error.hpp>
+
+namespace openvpn {
+  namespace PolarSSLPKI {
+
+    class X509CRL : public RC<thread_unsafe_refcount>
+    {
+    public:
+      typedef boost::intrusive_ptr<X509CRL> Ptr;
+
+      X509CRL() : chain(NULL) {}
+
+      X509CRL(const std::string& crl_txt)
+	: chain(NULL)
+      {
+	try {
+	  parse(crl_txt);
+	}
+	catch (...)
+	  {
+	    dealloc();
+	    throw;
+	  }
+      }
+
+      void parse(const std::string& crl_txt)
+      {
+	alloc();
+
+	const int status = x509_crl_parse(chain,
+					  (const unsigned char *)crl_txt.c_str(),
+					  crl_txt.length());
+	if (status < 0)
+	  {
+	    throw PolarSSLException("error parsing CRL", status);
+	  }
+      }
+
+      x509_crl* get() const
+      {
+	return chain;
+      }
+
+      ~X509CRL()
+      {
+	dealloc();
+      }
+
+    private:
+      void alloc()
+      {
+	if (!chain)
+	  {
+	    chain = new x509_crl;
+	    std::memset(chain, 0, sizeof(x509_crl));
+	  }
+      }
+
+      void dealloc()
+      {
+	if (chain)
+	  {
+	    x509_crl_free(chain);
+	    delete chain;
+	    chain = NULL;
+	  }
+      }
+
+      x509_crl *chain;
+    };
+  }
+}
+
+#endif

openvpn/polarssl/ssl/sslctx.hpp

@@ -38,6 +38,7 @@
 #include <openvpn/ssl/tls_remote.hpp>
 
 #include <openvpn/polarssl/pki/x509cert.hpp>
+#include <openvpn/polarssl/pki/x509crl.hpp>
 #include <openvpn/polarssl/pki/dh.hpp>
 #include <openvpn/polarssl/pki/pkctx.hpp>
 #include <openvpn/polarssl/util/error.hpp>
@@ -87,6 +88,7 @@ namespace openvpn {
       Mode mode;
       PolarSSLPKI::X509Cert::Ptr crt_chain;  // local cert chain (including client cert + extra certs)
       PolarSSLPKI::X509Cert::Ptr ca_chain;   // CA chain for remote verification
+      PolarSSLPKI::X509CRL::Ptr crl_chain;   // CRL chain for remote verification
       PolarSSLPKI::PKContext::Ptr priv_key;  // private key
       std::string priv_key_pwd;              // private key password
       PolarSSLPKI::DH::Ptr dh;               // diffie-hellman parameters (only needed in server mode)
@@ -120,6 +122,13 @@ namespace openvpn {
 	ca_chain = c;
       }
 
+      void load_crl(const std::string& crl_txt)
+      {
+	PolarSSLPKI::X509CRL::Ptr c = new PolarSSLPKI::X509CRL();
+	c->parse(crl_txt);
+	crl_chain = c;
+      }
+
       void load_cert(const std::string& cert_txt)
       {
 	PolarSSLPKI::X509Cert::Ptr c = new PolarSSLPKI::X509Cert();
@@ -161,6 +170,13 @@ namespace openvpn {
 	  load_ca(ca_txt);
 	}
 
+	// CRL
+	{
+	  const std::string crl_txt = opt.cat("crl-verify");
+	  if (!crl_txt.empty())
+	    load_crl(crl_txt);
+	}
+
 	// local cert/key
 	if (local_cert_enabled)
 	  {
@@ -383,7 +399,10 @@ namespace openvpn {
 
 	  // set CA chain
 	  if (c.ca_chain)
-	    ssl_set_ca_chain(ssl, c.ca_chain->get(), NULL, NULL);
+	    ssl_set_ca_chain(ssl,
+			     c.ca_chain->get(),
+			     c.crl_chain ? c.crl_chain->get() : NULL,
+			     NULL);
 	  else
 	    throw PolarSSLException("CA chain not defined");
 

polarssl/config.h

@@ -1851,8 +1851,7 @@
  *
  * This module is required for X.509 CRL parsing.
  */
-// JY removed -- PKI
-//#define POLARSSL_X509_CRL_PARSE_C
+#define POLARSSL_X509_CRL_PARSE_C
 
 /**
  * \def POLARSSL_X509_CSR_PARSE_C