authorHakan Olsson <ho@cvs.openbsd.org>2002-08-02 13:10:42 +0000
committerHakan Olsson <ho@cvs.openbsd.org>2002-08-02 13:10:42 +0000
commit998e0da580086a42c5394ae8d4c332a12a8fe0c1 (patch)
treeb3e43e177e5b18427a4f8f73e37813741f39c70a
parent0aef5eb8c84d78d246e662333cf067359a812bbf (diff)
CRL support for isakmpd. From <Thomas.Walpuski@gmx.net> with some minor
modifications by me. ok niklas@.
-rw-r--r--sbin/isakmpd/conf.c3
-rw-r--r--sbin/isakmpd/conf.h3
-rw-r--r--sbin/isakmpd/x509.c43
-rw-r--r--sbin/isakmpd/x509.h3
4 files changed, 48 insertions, 4 deletions
diff --git a/sbin/isakmpd/conf.c b/sbin/isakmpd/conf.c
index e3b65baa31d..081a117b9fc 100644
--- a/sbin/isakmpd/conf.c
+++ b/sbin/isakmpd/conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.c,v 1.42 2002/06/09 08:13:06 todd Exp $ */
+/* $OpenBSD: conf.c,v 1.43 2002/08/02 13:10:41 ho Exp $ */
/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */
/*
@@ -424,6 +424,7 @@ conf_load_defaults (int tr)
0, 1);
conf_set (tr, "X509-certificates", "Private-key", CONF_DFLT_X509_PRIVATE_KEY,
0, 1);
+ conf_set (tr, "X509-certificates", "CRL-file", CONF_DFLT_X509_CRL_FILE, 0, 1);
#endif
#ifdef USE_KEYNOTE
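Review bot: Installing a default for `CRL-file` means `conf_get_str ("X509-certificates", "CRL-file")` in the new x509_crl_get never returns NULL once defaults are loaded, so the "no CRL-file specified" branch there is dead and an installation without /etc/isakmpd/crl.pem reaches the BIO_read_filename failure instead. Because the x509_cert_validate hunk in x509.c sets X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL unconditionally, a get_crl callback returning 0 presumably makes X509_verify_cert fail for every peer certificate, so a missing or unreadable CRL file becomes a hard validation failure rather than "no revocation checking". If that fail-closed policy is intended it should be stated next to this default, e.g. `/* A CRL file is required once X.509 is in use; validation fails if it cannot be read. */`; otherwise drop the default here and have x509_cert_validate set the CRL flags only when `CRL-file` is actually configured. conf_load_defaults starts and ends outside this hunk.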
diff --git a/sbin/isakmpd/conf.h b/sbin/isakmpd/conf.h
index 5e590465d65..a3bb3ea6b2e 100644
--- a/sbin/isakmpd/conf.h
+++ b/sbin/isakmpd/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.15 2001/06/29 19:42:16 niklas Exp $ */
+/* $OpenBSD: conf.h,v 1.16 2002/08/02 13:10:41 ho Exp $ */
/* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */
/*
@@ -63,6 +63,7 @@
#define CONF_DFLT_X509_CA_DIR "/etc/isakmpd/ca/"
#define CONF_DFLT_X509_CERT_DIR "/etc/isakmpd/certs/"
#define CONF_DFLT_X509_PRIVATE_KEY "/etc/isakmpd/private/local.key"
+#define CONF_DFLT_X509_CRL_FILE "/etc/isakmpd/crl.pem"
#define CONF_DFLT_KEYNOTE_CRED_DIR "/etc/isakmpd/keynote/"
struct conf_list_node {
diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index 025b7da254b..fe7967bb2a9 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.72 2002/06/10 20:45:35 ho Exp $ */
+/* $OpenBSD: x509.c,v 1.73 2002/08/02 13:10:41 ho Exp $ */
/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
/*
@@ -830,6 +830,44 @@ x509_cert_get (u_int8_t *asn, u_int32_t len)
}
int
+x509_crl_get (X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x)
+{
+ char *crlfile;
+ BIO *in;
+
+ if ((crlfile = conf_get_str ("X509-certificates", "CRL-file")) == NULL)
+ {
+ LOG_DBG ((LOG_MISC, 10, "x509_crl_get: no CRL-file specified"));
+ return 0;
+ }
+
+ if((in = BIO_new (BIO_s_file ())) == NULL)
+ {
+ log_print ("x509_crl_get: BIO_new (BIO_s_file ()) failed");
+ return 0;
+ }
+
+ if (BIO_read_filename (in, crlfile) <= 0)
+ {
+ log_print ("x509_crl_get: BIO_read_filename (in, \"%s\") failed",
+ crlfile);
+ BIO_free (in);
+ return 0;
+ }
+
+ *crl = PEM_read_bio_X509_CRL (in, NULL, NULL, NULL);
+ BIO_free (in);
+ if (*crl == NULL)
+ {
+ log_print ("x509_crl_get: PEM_read_bio_X509_CRL (in, NULL, NULL, NULL)"
+ " failed");
+ return 0;
+ }
+
+ return 1;
+}
+
+int
x509_cert_validate (void *scert)
{
X509_STORE_CTX csc;
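Review bot: x509_crl_get re-opens and re-parses the PEM file on every certificate validation and folds "no CRL configured" and "CRL file unreadable or unparseable" into the same return value 0, so the caller cannot treat the two cases differently. A header comment on the definition stating that contract would help, e.g. `/* get_crl callback for X509_verify_cert: load the configured CRL-file. Returns 1 with *crl set, 0 (after logging) on any failure. ctx and x are unused. */`. Style: `if((in = BIO_new (BIO_s_file ())) == NULL)` lacks the space after `if` that every other test in this hunk has; write `if ((in = BIO_new (BIO_s_file ())) == NULL)`. The hunk also opens x509_cert_validate, whose body continues outside it.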
@@ -843,6 +881,9 @@ x509_cert_validate (void *scert)
* trust.
*/
X509_STORE_CTX_init (&csc, x509_cas, cert, NULL);
+ X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK_ALL);
+ csc.get_crl = x509_crl_get;
res = X509_verify_cert (&csc);
err = csc.error;
X509_STORE_CTX_cleanup (&csc);
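Review bot: The two X509_STORE_CTX_set_flags calls can be a single one, since the flags are OR-ed into the context: `X509_STORE_CTX_set_flags (&csc, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);`. `csc.get_crl = x509_crl_get;` pokes a member of the OpenSSL context struct directly, which ties this code to the library's internal layout, and nothing says why the library's own CRL lookup is being bypassed; a one-line comment such as `/* Fetch the CRL from the configured CRL-file rather than from the store. */` would make the intent clear to the next reader. x509_cert_validate starts and ends outside this hunk.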
diff --git a/sbin/isakmpd/x509.h b/sbin/isakmpd/x509.h
index f2f86f15d4c..e38efdb0d04 100644
--- a/sbin/isakmpd/x509.h
+++ b/sbin/isakmpd/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2002/06/09 08:13:07 todd Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2002/08/02 13:10:41 ho Exp $ */
/* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */
/*
@@ -74,6 +74,7 @@ int x509_cert_get_subjects (void *, int *, u_int8_t ***, u_int32_t **);
int x509_cert_init (void);
int x509_cert_obtain (u_int8_t *, size_t, void *, u_int8_t **, u_int32_t *);
int x509_cert_validate (void *);
+int x509_crl_get (X509_STORE_CTX *, X509_CRL **, X509 *);
void x509_free_aca (void *);
void *x509_cert_dup (void *);
void x509_serialize (void *, u_int8_t **, u_int32_t *);
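Review bot: The new prototype exposes the OpenSSL types X509_STORE_CTX, X509_CRL and X509 in x509.h, whereas the neighbouring declarations (x509_cert_validate, x509_cert_dup, x509_free_aca) take `void *`, apparently to keep OpenSSL types out of this header; every includer of x509.h must now have the OpenSSL headers in scope first. If the callback is only installed from x509.c, declaring it `static` there and dropping this line keeps the existing convention; otherwise add a note above it, e.g. `/* Requires <openssl/x509.h> to be included before this header. */`.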