diff options
| author | Joel Sing <jsing@cvs.openbsd.org> | 2017-07-06 17:12:23 +0000 |
|---|---|---|
| committer | Joel Sing <jsing@cvs.openbsd.org> | 2017-07-06 17:12:23 +0000 |
| commit | 59a80ef0d1e287ae8ec3bd4ae2fa82aeff7cb989 (patch) | |
| tree | d49200863300801cf57bf8a8dfc2e9c75ee716f6 /lib/libtls/tls.c | |
| parent | 3b9e3fbf9979e3bbfb7cb68796af644515bd47c9 (diff) | |
Add support for providing CRLs to libtls - once a CRL is provided we
enable CRL checking for the full certificate chain.
Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!
Discussed with beck@
Diffstat (limited to 'lib/libtls/tls.c')
| -rw-r--r-- | lib/libtls/tls.c | 42 |
1 files changed, 41 insertions, 1 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c index f64f6d76326..ed857272c46 100644 --- a/lib/libtls/tls.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -26,6 +26,8 @@ #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/pem.h> +#include <openssl/safestack.h> +#include <openssl/ssl.h> #include <openssl/x509.h> #include <tls.h> @@ -464,8 +466,15 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) { size_t ca_len = ctx->config->ca_len; char *ca_mem = ctx->config->ca_mem; + char *crl_mem = ctx->config->crl_mem; + size_t crl_len = ctx->config->crl_len; char *ca_free = NULL; + STACK_OF(X509_INFO) *xis = NULL; + X509_STORE *store; + X509_INFO *xi; + BIO *bio = NULL; int rv = -1; + int i; SSL_CTX_set_verify(ssl_ctx, verify, NULL); SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx); @@ -499,10 +508,41 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) goto err; } + if (crl_mem != NULL) { + if (crl_len > INT_MAX) { + tls_set_errorx(ctx, "crl too long"); + goto err; + } + if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) { + tls_set_errorx(ctx, "failed to create buffer"); + goto err; + } + if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb, + NULL)) == NULL) { + tls_set_errorx(ctx, "failed to parse crl"); + goto err; + } + store = SSL_CTX_get_cert_store(ssl_ctx); + for (i = 0; i < sk_X509_INFO_num(xis); i++) { + xi = sk_X509_INFO_value(xis, i); + if (xi->crl == NULL) + continue; + if (!X509_STORE_add_crl(store, xi->crl)) { + tls_set_error(ctx, "failed to add crl"); + goto err; + } + xi->crl = NULL; + } + X509_VERIFY_PARAM_set_flags(store->param, + X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); + } + done: rv = 0; err: + sk_X509_INFO_pop_free(xis, X509_INFO_free); + BIO_free(bio); free(ca_free); return (rv); |