Core: added CRL support (crl-verify directive) to PolarSSL module.
parent
3a5683d820
commit
c77af1e85a
@ -340,7 +340,7 @@ namespace openvpn {
|
||||
case 'a':
|
||||
return d == "auth-user-pass";
|
||||
case 'c':
|
||||
return d == "ca" || d == "cert";
|
||||
return d == "ca" || d == "cert" || d == "crl-verify";
|
||||
case 'd':
|
||||
return d == "dh";
|
||||
case 'e':
|
||||
|
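--- /dev/null
+++ b/openvpn/polarssl/pki/x509crl.hpp
@@ -0,0 +1,95 @@
+//
+// x509crl.hpp
+// OpenVPN
+//
+// Copyright (c) 2014 OpenVPN Technologies, Inc. All rights reserved.
+//
+
+// Wrap a PolarSSL x509_crl object
+
+#ifndef OPENVPN_POLARSSL_PKI_X509CRL_H
+#define OPENVPN_POLARSSL_PKI_X509CRL_H
+
+#include <string>
+#include <sstream>
+#include <cstring>
+
+#include <polarssl/x509_crl.h>
+
+#include <openvpn/common/types.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/common/rc.hpp>
+#include <openvpn/polarssl/util/error.hpp>
+
+namespace openvpn {
+namespace PolarSSLPKI {
+
+class X509CRL : public RC<thread_unsafe_refcount>
+{
+public:
+typedef boost::intrusive_ptr<X509CRL> Ptr;
+
+X509CRL() : chain(NULL) {}
+
+X509CRL(const std::string& crl_txt)
+: chain(NULL)
+{
+try {
+parse(crl_txt);
+}
+catch (...)
+{
+dealloc();
+throw;
+}
+}
+
+void parse(const std::string& crl_txt)
+{
+alloc();
+
+const int status = x509_crl_parse(chain,
+(const unsigned char *)crl_txt.c_str(),
+crl_txt.length());
+if (status < 0)
+{
+throw PolarSSLException("error parsing CRL", status);
+}
+}
+
+x509_crl* get() const
+{
+return chain;
+}
+
+~X509CRL()
+{
+dealloc();
+}
+
+private:
+void alloc()
+{
+if (!chain)
+{
+chain = new x509_crl;
+std::memset(chain, 0, sizeof(x509_crl));
+}
+}
+
+void dealloc()
+{
+if (chain)
+{
+x509_crl_free(chain);
+delete chain;
+chain = NULL;
+}
+}
+
+x509_crl *chain;
+};
+}
+}
+
+#endif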
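Review bot: X509CRL owns the raw `x509_crl*` in `chain` and frees it in `dealloc()`, yet it declares no copy constructor or copy assignment, so a copy would leave two objects running `x509_crl_free` and `delete` on the same pointer; unless the `RC<>` base already makes the class non-copyable (not visible here), declare them private and undefined, `X509CRL(const X509CRL&); X509CRL& operator=(const X509CRL&);`, in keeping with the file's pre-C++11 style. In `alloc()`, `std::memset(chain, 0, sizeof(x509_crl))` relies on all-zero being a valid empty chain; if the bundled PolarSSL provides `x509_crl_init`, prefer it so the initialiser stays correct if the struct layout changes. `parse()` also deserves a comment that repeated calls append to the existing chain rather than replacing it, e.g. `// Appends the parsed CRL(s) to chain; earlier calls are not discarded`. Finally, `crl_txt.length()` excludes the terminating NUL that `c_str()` supplies; some PolarSSL/mbed TLS releases require the PEM length to include it, so confirm against the bundled version.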
@ -38,6 +38,7 @@
|
||||
#include <openvpn/ssl/tls_remote.hpp>
|
||||
|
||||
#include <openvpn/polarssl/pki/x509cert.hpp>
|
||||
#include <openvpn/polarssl/pki/x509crl.hpp>
|
||||
#include <openvpn/polarssl/pki/dh.hpp>
|
||||
#include <openvpn/polarssl/pki/pkctx.hpp>
|
||||
#include <openvpn/polarssl/util/error.hpp>
|
||||
@ -87,6 +88,7 @@ namespace openvpn {
|
||||
Mode mode;
|
||||
PolarSSLPKI::X509Cert::Ptr crt_chain; // local cert chain (including client cert + extra certs)
|
||||
PolarSSLPKI::X509Cert::Ptr ca_chain; // CA chain for remote verification
|
||||
PolarSSLPKI::X509CRL::Ptr crl_chain; // CRL chain for remote verification
|
||||
PolarSSLPKI::PKContext::Ptr priv_key; // private key
|
||||
std::string priv_key_pwd; // private key password
|
||||
PolarSSLPKI::DH::Ptr dh; // diffie-hellman parameters (only needed in server mode)
|
||||
@ -120,6 +122,13 @@ namespace openvpn {
|
||||
ca_chain = c;
|
||||
}
|
||||
|
||||
void load_crl(const std::string& crl_txt)
|
||||
{
|
||||
PolarSSLPKI::X509CRL::Ptr c = new PolarSSLPKI::X509CRL();
|
||||
c->parse(crl_txt);
|
||||
crl_chain = c;
|
||||
}
|
||||
|
||||
void load_cert(const std::string& cert_txt)
|
||||
{
|
||||
PolarSSLPKI::X509Cert::Ptr c = new PolarSSLPKI::X509Cert();
|
||||
@ -161,6 +170,13 @@ namespace openvpn {
|
||||
load_ca(ca_txt);
|
||||
}
|
||||
|
||||
// CRL
|
||||
{
|
||||
const std::string crl_txt = opt.cat("crl-verify");
|
||||
if (!crl_txt.empty())
|
||||
load_crl(crl_txt);
|
||||
}
|
||||
|
||||
// local cert/key
|
||||
if (local_cert_enabled)
|
||||
{
|
||||
@ -383,7 +399,10 @@ namespace openvpn {
|
||||
|
||||
// set CA chain
|
||||
if (c.ca_chain)
|
||||
ssl_set_ca_chain(ssl, c.ca_chain->get(), NULL, NULL);
|
||||
ssl_set_ca_chain(ssl,
|
||||
c.ca_chain->get(),
|
||||
c.crl_chain ? c.crl_chain->get() : NULL,
|
||||
NULL);
|
||||
else
|
||||
throw PolarSSLException("CA chain not defined");
|
||||
|
||||
|
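Review bot: In the `ssl_set_ca_chain` call the CRL is passed through whenever `crl_chain` is set, but nothing checks that the loaded CRL belongs to the configured CA; as far as I recall PolarSSL's verifier only consults a CRL whose issuer matches the CA that signed the peer certificate, so a CRL for the wrong issuer yields no revocation checking and no error, whereas an expired CRL raises `BADCRL_EXPIRED` and must not be cleared by any verify callback. Consider a comment on that call, `// PolarSSL only applies a CRL whose issuer matches the signing CA; a mismatched CRL is silently ignored`, and, if cheap, a startup check or log line when the CRL issuer matches none of the CA subjects. In the config hunk, `opt.cat("crl-verify")` assumes an inline PEM CRL; if the directive's `dir` form can reach this code, it should be rejected with a clear error rather than handed to the parser. The enclosing functions start and end outside these hunks.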
@ -1851,8 +1851,7 @@
|
||||
*
|
||||
* This module is required for X.509 CRL parsing.
|
||||
*/
|
||||
// JY removed -- PKI
|
||||
//#define POLARSSL_X509_CRL_PARSE_C
|
||||
#define POLARSSL_X509_CRL_PARSE_C
|
||||
|
||||
/**
|
||||
* \def POLARSSL_X509_CSR_PARSE_C
|
||||
|