author | Hakan Olsson <ho@cvs.openbsd.org> | 2002-08-02 13:10:42 +0000 |
---|---|---|
committer | Hakan Olsson <ho@cvs.openbsd.org> | 2002-08-02 13:10:42 +0000 |
commit | 998e0da580086a42c5394ae8d4c332a12a8fe0c1 (patch) | |
tree | b3e43e177e5b18427a4f8f73e37813741f39c70a | |
parent | 0aef5eb8c84d78d246e662333cf067359a812bbf (diff) |
CRL support for isakmpd. From <Thomas.Walpuski@gmx.net> with some minor
modifications by me. ok niklas@.
-rw-r--r-- | sbin/isakmpd/conf.c | 3 | ||||
-rw-r--r-- | sbin/isakmpd/conf.h | 3 | ||||
-rw-r--r-- | sbin/isakmpd/x509.c | 43 | ||||
-rw-r--r-- | sbin/isakmpd/x509.h | 3 |
4 files changed, 48 insertions, 4 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index e3b65baa31d..081a117b9fc 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.42 2002/06/09 08:13:06 todd Exp $ */
+/* $OpenBSD: conf.c,v 1.43 2002/08/02 13:10:41 ho Exp $ */
 /* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */

 /*
@@ -424,6 +424,7 @@ conf_load_defaults (int tr)
 0, 1);
 conf_set (tr, "X509-certificates", "Private-key", CONF_DFLT_X509_PRIVATE_KEY,
 0, 1);
+ conf_set (tr, "X509-certificates", "CRL-file", CONF_DFLT_X509_CRL_FILE, 0, 1);
 #endif

 #ifdef USE_KEYNOTE
diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index 5e590465d65..a3bb3ea6b2e 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.15 2001/06/29 19:42:16 niklas Exp $ */
+/* $OpenBSD: conf.h,v 1.16 2002/08/02 13:10:41 ho Exp $ */
 /* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */

 /*
@@ -63,6 +63,7 @@
 #define CONF_DFLT_X509_CA_DIR "/etc/isakmpd/ca/"
 #define CONF_DFLT_X509_CERT_DIR "/etc/isakmpd/certs/"
 #define CONF_DFLT_X509_PRIVATE_KEY "/etc/isakmpd/private/local.key"
+#define CONF_DFLT_X509_CRL_FILE "/etc/isakmpd/crl.pem"
 #define CONF_DFLT_KEYNOTE_CRED_DIR "/etc/isakmpd/keynote/"

 struct conf_list_node {
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index 025b7da254b..fe7967bb2a9 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.72 2002/06/10 20:45:35 ho Exp $ */
+/* $OpenBSD: x509.c,v 1.73 2002/08/02 13:10:41 ho Exp $ */
 /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */

 /*
@@ -830,6 +830,44 @@ x509_cert_get (u_int8_t *asn, u_int32_t len)
 }

 int
+x509_crl_get (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+{
+ char *crlfile;
+ BIO *in;
+
+ if ((crlfile = conf_get_str ("X509-certificates", "CRL-file")) == NULL)
+ {
+ LOG_DBG ((LOG_MISC, 10, "x509_crl_get: no CRL-file specified"));
+ return 0;
+ }
+
+ if((in = BIO_new (BIO_s_file ())) == NULL)
+ {
+ log_print ("x509_crl_get: BIO_new (BIO_s_file ()) failed");
+ return 0;
+ }
+
+ if (BIO_read_filename (in, crlfile) <= 0)
+ {
+ log_print ("x509_crl_get: BIO_read_filename (in, \"%s\") failed",
+ crlfile);
+ BIO_free (in);
+ return 0;
+ }
+
+ *crl = PEM_read_bio_X509_CRL (in, NULL, NULL, NULL);
+ BIO_free (in);
+ if (*crl == NULL)
+ {
+ log_print ("x509_crl_get: PEM_read_bio_X509_CRL (in, NULL, NULL, NULL)"
+ " failed");
+ return 0;
+ }
+
+ return 1;
+}
+
+int
 x509_cert_validate (void *scert)
 {
 X509_STORE_CTX csc;
@@ -843,6 +881,9 @@ x509_cert_validate (void *scert)
 * trust.
 */
 X509_STORE_CTX_init (&csc, x509_cas, cert, NULL);
+ X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK_ALL);
+ csc.get_crl = x509_crl_get;
 res = X509_verify_cert (&csc);
 err = csc.error;
 X509_STORE_CTX_cleanup (&csc);
diff --git a/sbin/isakmpd/x509.h b/sbin/isakmpd/x509.h
index f2f86f15d4c..e38efdb0d04 100644
--- a/sbin/isakmpd/x509.h
+++ b/sbin/isakmpd/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2002/06/09 08:13:07 todd Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2002/08/02 13:10:41 ho Exp $ */
 /* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */

 /*
@@ -74,6 +74,7 @@ int x509_cert_get_subjects (void *, int *, u_int8_t ***, u_int32_t **);
 int x509_cert_init (void);
 int x509_cert_obtain (u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *);
 int x509_cert_validate (void *);
+int x509_crl_get (X509_STORE_CTX *, X509_CRL **, X509 *);
 void x509_free_aca (void *);
 void *x509_cert_dup (void *);
 void x509_serialize (void *, u_int8_t **, u_int32_t *);
|
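Review bot: x509_crl_get never looks at its `ctx` and `x` arguments, so the same configured file is handed back for every certificate OpenSSL asks about, and with X509_V_FLAG_CRL_CHECK_ALL set in the next hunk every element of the chain (the CA certificates included) is checked against that one CRL; presumably a CRL whose issuer does not match the certificate being checked then fails the whole verification rather than being skipped, which the function's contract should say. The file is also re-opened and re-parsed on each call, one call per chain element per validation. Minor style: `if((in = BIO_new (BIO_s_file ())) == NULL)` is missing the space before the parenthesis that the rest of the file uses (`if ((in = ...`). A header comment such as `/* get_crl callback for X509_verify_cert (): ignores ctx and x and always loads the single configured CRL-file; returns 0 on any failure, which fails verification. */` would make the behaviour explicit.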
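Review bot: The CRL flags are set on every verification regardless of whether a CRL is actually available, and since the conf.c hunk installs a default CRL-file path, conf_get_str will not return NULL on an unconfigured host; x509_crl_get then fails in BIO_read_filename on the missing /etc/isakmpd/crl.pem and returns 0, which, if I read the verify callback contract right, makes X509_verify_cert fail for every peer certificate until an administrator creates that file. That is a silent behaviour change for existing installations (`log_print` will show `x509_crl_get: BIO_read_filename (in, "/etc/isakmpd/crl.pem") failed` on each attempt). Either drop the default so that an unset CRL-file keeps CRL checking off, or only call `X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);` when the configured file can be loaded. Assigning `csc.get_crl` directly also ties this code to the X509_STORE_CTX struct layout, which is worth a comment. The remainder of x509_cert_validate lies outside the hunk.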