Implement the functions needed by the crl-persist logic and
used by the ssl_verify module.

No special data structure has been used to store the CRL as
mbedtls already provides its own object and helper functions.

Tests were performed with a CRL file of 143MB. Without this patch the
delay on client connection was around 4-6 seconds; with it the delay
drops to close to zero.

Signed-off-by: Antonio Quartulli <a...@unstable.cc>
---
 src/openvpn/ssl_verify_mbedtls.c | 102 +++++++++++++++++++++++++++++++--------
 1 file changed, 83 insertions(+), 19 deletions(-)

diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index 92b0804..169f2f3 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -497,6 +497,88 @@ x509_write_pem(FILE *peercert_file, mbedtls_x509_crt 
*peercert)
     return FAILURE;
 }
 
+result_t
+x509_verify_crl_cert(const mbedtls_x509_crl *crl, mbedtls_x509_crt *cert,
+                    struct gc_arena *gc, const char *crl_file,
+                    const char *subject)
+{
+  result_t ret = FAILURE;
+  char *serial;
+
+  ASSERT(crl && cert);
+
+  if((cert->issuer_raw.len != crl->issuer_raw.len) ||
+     (memcmp(crl->issuer_raw.p, cert->issuer_raw.p, crl->issuer_raw.len) != 0))
+    {
+      msg(M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
+         "certificate %s", crl_file ? crl_file : "[in-memory]", subject);
+      ret = SUCCESS;
+      goto end;
+    }
+
+  if (!mbed_ok(mbedtls_x509_crt_is_revoked(cert, crl)))
+    {
+      serial = backend_x509_get_serial_hex(cert, gc);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject,
+          (serial ? serial : "NOT AVAILABLE"));
+      goto end;
+    }
+
+  ret = SUCCESS;
+  msg(D_HANDSHAKE, "CRL CHECK OK: %s", subject);
+end:
+
+  return ret;
+}
+
+result_t
+x509_verify_crl_mem(const openvpn_x509_crl_t *crl, mbedtls_x509_crt *cert,
+                   const char *subject)
+{
+  struct gc_arena gc = gc_new();
+  int ret;
+
+  ASSERT(crl && cert);
+
+  ret = x509_verify_crl_cert(&crl->crl, cert, &gc, NULL, subject);
+
+  gc_free(&gc);
+
+  return ret;
+}
+
+void
+x509_crl_free(openvpn_x509_crl_t *crl)
+{
+  ASSERT(crl);
+
+  mbedtls_x509_crl_free(&crl->crl);
+  memset(&crl->crl, 0, sizeof(crl->crl));
+}
+
+result_t
+x509_load_crl_mem(openvpn_x509_crl_t *crl, const char *crl_file)
+{
+  result_t ret = FAILURE;
+
+  ASSERT(crl && crl_file);
+
+  x509_crl_free(crl);
+
+  msg(D_TLS_DEBUG_LOW, "CRL-persist: loading file: %s", crl_file);
+
+  if (!mbed_ok(mbedtls_x509_crl_parse_file(&crl->crl, crl_file)))
+    {
+      msg(M_WARN, "CRL: cannot read: %s", crl_file);
+      goto end;
+    }
+
+  ret = SUCCESS;
+end:
+
+  return ret;
+}
+
 /*
  * check peer cert against CRL
  */
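Review bot: `x509_load_crl_mem` frees the previously loaded CRL before `mbedtls_x509_crl_parse_file` has succeeded, so a failed reload (the file being unreadable or mid-rewrite during rotation) leaves `crl->crl` zeroed; an empty CRL then hits the issuer-mismatch branch of `x509_verify_crl_cert` (its `issuer_raw.len` is 0) and returns SUCCESS, which is fail-open unless the caller — not part of this patch — discards the object whenever load returns FAILURE. Parsing into a local `mbedtls_x509_crl` and swapping it in only on success keeps the last good CRL in place; the head struct holds only pointers and lengths, so a plain assignment moves ownership. Separately, `x509_verify_crl_mem` stores the `result_t` returned by `x509_verify_crl_cert` in `int ret`; declare it `result_t ret` to match the function's return type. Because `x509_crl_free` is also run on the very first load, the function relies on the caller zero-initialising the `openvpn_x509_crl_t` beforehand, which is worth stating in a comment above it: `/* crl must be zero-initialised before the first call */`.
```c
result_t
x509_load_crl_mem(openvpn_x509_crl_t *crl, const char *crl_file)
{
  result_t ret = FAILURE;
  mbedtls_x509_crl fresh = {0};

  ASSERT(crl && crl_file);

  msg(D_TLS_DEBUG_LOW, "CRL-persist: loading file: %s", crl_file);

  /* parse into a temporary so a failed reload keeps the last good CRL */
  if (!mbed_ok(mbedtls_x509_crl_parse_file(&fresh, crl_file)))
    {
      msg(M_WARN, "CRL: cannot read: %s", crl_file);
      mbedtls_x509_crl_free(&fresh);
      goto end;
    }

  x509_crl_free(crl);
  crl->crl = fresh;
  ret = SUCCESS;
end:

  return ret;
}
```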
@@ -507,7 +589,6 @@ x509_verify_crl(const char *crl_file, const char 
*crl_inline,
   result_t retval = FAILURE;
   mbedtls_x509_crl crl = {0};
   struct gc_arena gc = gc_new();
-  char *serial;
 
   if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
     {
@@ -527,24 +608,7 @@ x509_verify_crl(const char *crl_file, const char 
*crl_inline,
       }
   }
 
-  if(cert->issuer_raw.len != crl.issuer_raw.len ||
-      memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0)
-    {
-      msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
-         "certificate %s", crl_file, subject);
-      retval = SUCCESS;
-      goto end;
-    }
-
-  if (!mbed_ok(mbedtls_x509_crt_is_revoked(cert, &crl)))
-    {
-      serial = backend_x509_get_serial_hex(cert, &gc);
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", 
subject, (serial ? serial : "NOT AVAILABLE"));
-      goto end;
-    }
-
-  retval = SUCCESS;
-  msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
+  retval = x509_verify_crl_cert(&crl, cert, &gc, crl_file, subject);
 
 end:
   gc_free(&gc);
-- 
2.10.1

