author | Arne Schwabe | 2016-03-06 20:39:09 +0100 |
committer | Gert Doering | 2016-04-04 21:33:09 +0200 |
commit | 7a7a79f62eb04b0089ae304d558f15c5532c0e61 (patch) | |
tree | 0111a4bafa7c4098768675bf88e9752fb49eab0c | |
parent | f6608a15efab027e25553da3026c172dbc3aa73e (diff) | |
Implement inlining of crl files
While crl files can change regularly and it is usually not a good idea to
statically include them into config files, handling multiple files and
updating files on mobile devices is tiresome/problematic. Inlining a static
version of the crl file is better in these use cases than to use no crl at
all.
OpenVPN 3 already supports inlining crl-verify, so <crl-verify> is already
used in config files.
V2: Fixed PolarSSL and made formatting respect the 80 column limit
V3: Accidentally reverted one change too much in V2
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1457293149-10526-1-git-send-email-arne@rfc2549.org>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11337
Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r-- | doc/openvpn.8 | 3 | ||||
-rw-r--r-- | src/openvpn/init.c | 1 | ||||
-rw-r--r-- | src/openvpn/options.c | 11 | ||||
-rw-r--r-- | src/openvpn/options.h | 1 | ||||
-rw-r--r-- | src/openvpn/ssl_common.h | 1 | ||||
-rw-r--r-- | src/openvpn/ssl_verify.c | 2 | ||||
-rw-r--r-- | src/openvpn/ssl_verify_backend.h | 5 | ||||
-rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 8 | ||||
-rw-r--r-- | src/openvpn/ssl_verify_polarssl.c | 20 |
9 files changed, 39 insertions, 13 deletions
diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 628d877..decffc7 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -6490,7 +6490,8 @@ X509_1_C=KG
 .\"*********************************************************
 .SH INLINE FILE SUPPORT
 OpenVPN allows including files in the main configuration for the
-.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret
+.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret,
+.B \-\-crl-verify
 and
 .B \-\-tls\-auth
 options.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 7f54c3c..84fac07 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2323,6 +2323,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
 to.verify_x509_type = (options->verify_x509_type & 0xff);
 to.verify_x509_name = options->verify_x509_name;
 to.crl_file = options->crl_file;
+ to.crl_file_inline = options->crl_file_inline;
 to.ssl_flags = options->ssl_flags;
 to.ns_cert_type = options->ns_cert_type;
 memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 02def3a..57f3dc5 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2747,8 +2747,8 @@ options_postprocess_filechecks (struct options *options)
 errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK, "--crl-verify directory");
 else
- errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK,
- "--crl-verify");
+ errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,
+ options->crl_file, R_OK, "--crl-verify");
 errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK, "--tls-auth");
@@ -6783,12 +6783,17 @@ add_option (struct options *options,
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->cipher_list = p[1];
 }
- else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]) && !p[3])
+ else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))
+ || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
 if (p[2] && streq(p[2], "dir"))
 options->ssl_flags |= SSLF_CRL_VERIFY_DIR;
 options->crl_file = p[1];
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->crl_file_inline = p[2];
+ }
 }
 else if (streq (p[0], "tls-verify") && p[1])
 {
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 23d3992..8a26e14 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -511,6 +511,7 @@ struct options
 const char *ca_file_inline;
 const char *cert_file_inline;
 const char *extra_certs_file_inline;
+ const char *crl_file_inline;
 char *priv_key_file_inline;
 const char *dh_file_inline;
 const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index eaf4a91..334ccb0 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -247,6 +247,7 @@ struct tls_options
 int verify_x509_type;
 const char *verify_x509_name;
 const char *crl_file;
+ const char *crl_file_inline;
 int ns_cert_type;
 unsigned remote_cert_ku[MAX_PARMS];
 const char *remote_cert_eku;
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index ccfa9d2..ea381f8 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -690,7 +690,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 }
 else
 {
- if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))
+ if (SUCCESS != x509_verify_crl(opt->crl_file, opt->crl_file_inline, cert, subject))
 goto cleanup;
 }
 }
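Review bot: In the options.c `crl-verify` hunk the `dir` test `if (p[2] && streq(p[2], "dir"))` and the new inline test `if (streq (p[1], INLINE_FILE_TAG) && p[2])` are evaluated independently, so an argument pair that satisfies both sets SSLF_CRL_VERIFY_DIR and also stores the same word as crl_file_inline. A real inlined CRL body will not be the literal string "dir", but making the second test an `else if` of the first, `else if (streq (p[1], INLINE_FILE_TAG) && p[2])`, records that the directory and inline forms are mutually exclusive and leaves only one interpretation reachable. The extended accept condition also carries stray whitespace (`streq (p[1], INLINE_FILE_TAG) )`) and mixes `streq(` with `streq (` on the same line. add_option continues outside the hunk on both sides.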
diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h
index 4e9ad60..17e88fb 100644
--- a/src/openvpn/ssl_verify_backend.h
+++ b/src/openvpn/ssl_verify_backend.h
@@ -248,13 +248,14 @@ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);
 *
 * @param crl_file File name of the CRL file
 * @param cert Certificate to verify
+ * @param crl_inline Contents of the crl file if it is inlined
 * @param subject Subject of the given certificate
 *
 * @return \c SUCCESS if the CRL was not signed by the issuer of the
 * certificate or does not contain an entry for it.
 * \c FAILURE otherwise.
 */
-result_t x509_verify_crl(const char *crl_file, openvpn_x509_cert_t *cert,
- const char *subject);
+result_t x509_verify_crl(const char *crl_file, const char *crl_inline,
+ openvpn_x509_cert_t *cert, const char *subject);
 #endif /* SSL_VERIFY_BACKEND_H_ */
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 7046f02..4020fb9 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -613,7 +613,8 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)
 * check peer cert against CRL */
 result_t
-x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
+x509_verify_crl(const char *crl_file, const char* crl_inline,
+ X509 *peer_cert, const char *subject)
 {
 X509_CRL *crl=NULL;
 X509_REVOKED *revoked;
@@ -623,7 +624,10 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
 struct gc_arena gc = gc_new();
 char *serial;
- in = BIO_new_file (crl_file, "r");
+ if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
+ in = BIO_new_mem_buf ((char *)crl_inline, -1);
+ else
+ in = BIO_new_file (crl_file, "r");
 if (in == NULL)
 {
 msg (M_WARN, "CRL: cannot read: %s", crl_file);
diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index a2e6a8e..d1b9f02 100644
--- a/src/openvpn/ssl_verify_polarssl.c
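Review bot: In the second ssl_verify_openssl.c hunk the inline branch feeds into the unchanged `if (in == NULL)` path, so when `BIO_new_mem_buf` fails the warning `msg (M_WARN, "CRL: cannot read: %s", crl_file);` prints the INLINE_FILE_TAG placeholder as if it were a path, whereas the PolarSSL backend in this same commit reports "CRL: cannot parse inline CRL" separately; an operator diagnosing a revocation-check failure cannot tell the two cases apart from the OpenSSL log. Suggest choosing the message on the same condition, `if (crl_inline && !strcmp (crl_file, INLINE_FILE_TAG)) msg (M_WARN, "CRL: cannot read inline CRL"); else msg (M_WARN, "CRL: cannot read: %s", crl_file);`. The `-1` length passed to `BIO_new_mem_buf` relies on crl_inline being a NUL-terminated string, which holds for config-parsed text but deserves a one-line comment such as `/* crl_inline is a NUL-terminated config string; -1 lets the BIO use strlen() */`. Both new signatures, here and the matching one in ssl_verify_polarssl.c, write `const char* crl_inline` beside `const char *crl_file`; the declarator should bind to the name as in the neighbouring parameters. x509_verify_crl's body continues outside the hunk, so errors from the later PEM parse of the memory BIO are not visible here.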
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -359,18 +359,30 @@ x509_write_pem(FILE *peercert_file, x509_crt *peercert)
 * check peer cert against CRL */
 result_t
-x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
+x509_verify_crl(const char *crl_file, const char* crl_inline,
+ x509_crt *cert, const char *subject)
 {
 result_t retval = FAILURE;
 x509_crl crl = {0};
 struct gc_arena gc = gc_new();
 char *serial;
- if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))
+ if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
 {
- msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);
- goto end;
+ if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline))))
+ {
+ msg (M_WARN, "CRL: cannot parse inline CRL");
+ goto end;
+ }
 }
+ else
+ {
+ if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))
+ {
+ msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);
+ goto end;
+ }
+ }
 if(cert->issuer_raw.len != crl.issuer_raw.len || memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0) |