LCOV - code coverage report
Current view: top level - src/server - ca.c (source / functions) Hit Total Coverage
Test: burp-coverage-clean.info Lines: 30 308 9.7 %
Date: 2019-10-06 11:12:28 Functions: 2 13 15.4 %

          Line data    Source code
       1             : #include "../burp.h"
       2             : #include "../alloc.h"
       3             : #include "../asfd.h"
       4             : #include "../async.h"
       5             : #include "../cmd.h"
       6             : #include "../conf.h"
       7             : #include "../conffile.h"
       8             : #include "../fsops.h"
       9             : #include "../handy.h"
      10             : #include "../iobuf.h"
      11             : #include "../log.h"
      12             : #include "../run_script.h"
      13             : #include "auth.h"
      14             : #include "ca.h"
      15             : 
      16             : static int setup_stuff_done=0;
      17             : 
      18           0 : static char *get_ca_dir(const char *ca_conf)
      19             : {
      20           0 :         struct fzp *fzp=NULL;
      21           0 :         char buf[4096]="";
      22           0 :         char *ca_dir=NULL;
      23           0 :         int r=0;
      24             : 
      25           0 :         if(!(fzp=fzp_open(ca_conf, "r")))
      26             :                 goto end;
      27           0 :         while(fzp_gets(fzp, buf, sizeof(buf)))
      28             :         {
      29           0 :                 char *field=NULL;
      30           0 :                 char *value=NULL;
      31           0 :                 if(conf_get_pair(buf, &field, &value, &r)
      32           0 :                   || !field || !value) continue;
      33             : 
      34           0 :                 if(!strcasecmp(field, "CA_DIR"))
      35             :                 {
      36           0 :                         if(!(ca_dir=strdup_w(value, __func__)))
      37             :                                 goto end;
      38           0 :                         break;
      39             :                 }
      40             :         }
      41             : end:
      42           0 :         fzp_close(&fzp);
      43           0 :         return ca_dir;
      44             : }
      45             : 
      46           0 : static char *get_generated_crl_path(const char *ca_dir, const char *ca_name)
      47             : {
      48           0 :         int flen=0;
      49           0 :         char *fname=NULL;
      50           0 :         char *crl_path=NULL;
      51             : 
      52           0 :         flen+=strlen(ca_name);
      53           0 :         flen+=strlen("CA_");
      54           0 :         flen+=strlen(".crl")+1;
      55           0 :         if(!(fname=(char *)malloc_w(flen, __func__)))
      56             :                 goto end;
      57           0 :         snprintf(fname, flen, "CA_%s.crl", ca_name);
      58           0 :         crl_path=prepend_s(ca_dir, fname);
      59             : end:
      60           0 :         free_w(&fname);
      61           0 :         return crl_path;
      62             : }
      63             : 
      64           0 : static char *get_crl_path(struct conf **confs,
      65             :         const char *ca_dir, const char *ca_name)
      66             : {
      67             :         char *crl_path;
      68             :         // If the conf told us the path, use it.
      69           0 :         if((crl_path=get_string(confs[OPT_CA_CRL])))
      70           0 :                 return strdup_w(crl_path, __func__);
      71             : 
      72             :         // Otherwise, build it ourselves.
      73           0 :         return get_generated_crl_path(ca_dir, ca_name);
      74             : }
      75             : 
      76             : static void remove_file(const char *path)
      77             : {
      78           0 :         logp("Removing %s\n", path);
      79           0 :         unlink(path);
      80             : }
      81             : 
      82           0 : static int symlink_file(const char *oldpath, const char *newpath)
      83             : {
      84             :         struct stat statp;
      85           0 :         logp("Symlinking %s to %s\n", newpath, oldpath);
      86           0 :         if(lstat(oldpath, &statp))
      87             :         {
      88           0 :                 logp("Could not symlink: %s does not exist\n", oldpath);
      89           0 :                 return -1;
      90             :         }
      91           0 :         if(symlink(oldpath, newpath))
      92             :         {
      93           0 :                 logp("Could not symlink: %s does not exist\n", oldpath);
      94           0 :                 return -1;
      95             :         }
      96             :         return 0;
      97             : }
      98             : 
      99           0 : static int ca_init(struct conf **confs, const char *ca_dir)
     100             : {
     101           0 :         int a=0;
     102             :         const char *args[15];
     103           0 :         char linktarget[1024]="";
     104           0 :         const char *ca_name=get_string(confs[OPT_CA_NAME]);
     105           0 :         const char *ca_conf=get_string(confs[OPT_CA_CONF]);
     106           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
     107           0 :         const char *ca_server_name=get_string(confs[OPT_CA_SERVER_NAME]);
     108           0 :         const char *ssl_cert=get_string(confs[OPT_SSL_CERT]);
     109           0 :         const char *ssl_cert_ca=get_string(confs[OPT_SSL_CERT_CA]);
     110           0 :         const char *ssl_key=get_string(confs[OPT_SSL_KEY]);
     111             : 
     112           0 :         if(is_dir_lstat(ca_dir)>0) return 0;
     113             : 
     114           0 :         setup_stuff_done++;
     115             : 
     116           0 :         logp("Initialising %s\n", ca_dir);
     117           0 :         logp("Running '%s --init --ca %s --dir %s --config %s'\n",
     118             :                 ca_burp_ca, ca_name, ca_dir, ca_conf);
     119           0 :         args[a++]=ca_burp_ca;
     120           0 :         args[a++]="--init";
     121           0 :         args[a++]="--ca";
     122           0 :         args[a++]=ca_name;
     123           0 :         args[a++]="--dir";
     124           0 :         args[a++]=ca_dir;
     125           0 :         args[a++]="--config";
     126           0 :         args[a++]=ca_conf;
     127           0 :         args[a++]=NULL;
     128           0 :         if(run_script(NULL /* no async yet */, args, NULL, confs, 1 /* wait */,
     129             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     130             :                         one at a time with no way to turn it off */))
     131             :         {
     132           0 :                 logp("Error running %s\n", ca_burp_ca);
     133           0 :                 return -1;
     134             :         }
     135             : 
     136           0 :         logp("Generating server key and cert signing request\n");
     137           0 :         logp("Running '%s --key --request --name %s --dir %s --config %s'\n",
     138             :                 ca_burp_ca, ca_server_name, ca_dir, ca_conf);
     139           0 :         a=0;
     140           0 :         args[a++]=ca_burp_ca;
     141           0 :         args[a++]="--key";
     142           0 :         args[a++]="--request";
     143           0 :         args[a++]="--name";
     144           0 :         args[a++]=ca_server_name;
     145           0 :         args[a++]="--dir";
     146           0 :         args[a++]=ca_dir;
     147           0 :         args[a++]="--config";
     148           0 :         args[a++]=ca_conf;
     149           0 :         args[a++]=NULL;
     150           0 :         if(run_script(NULL /* no async yet */, args, NULL, confs, 1 /* wait */,
     151             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     152             :                         one at a time with no way to turn it off */))
     153             :         {
     154           0 :                 logp("Error running %s\n", ca_burp_ca);
     155           0 :                 return -1;
     156             :         }
     157             : 
     158           0 :         logp("Signing request\n");
     159           0 :         logp("Running '%s --sign --ca %s --name %s --batch --dir %s --config %s'\n",
     160             :                 ca_burp_ca, ca_name, ca_server_name, ca_dir, ca_conf);
     161           0 :         a=0;
     162           0 :         args[a++]=ca_burp_ca;
     163           0 :         args[a++]="--sign";
     164           0 :         args[a++]="--ca";
     165           0 :         args[a++]=ca_name;
     166           0 :         args[a++]="--name";
     167           0 :         args[a++]=ca_server_name;
     168           0 :         args[a++]="--batch";
     169           0 :         args[a++]="--dir";
     170           0 :         args[a++]=ca_dir;
     171           0 :         args[a++]="--config";
     172           0 :         args[a++]=ca_conf;
     173           0 :         args[a++]=NULL;
     174           0 :         if(run_script(NULL /* no async yet */, args, NULL, confs, 1 /* wait */,
     175             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     176             :                         one at a time with no way to turn it off */))
     177             :         {
     178           0 :                 logp("Error running %s\n", ca_burp_ca);
     179           0 :                 return -1;
     180             :         }
     181             : 
     182           0 :         snprintf(linktarget, sizeof(linktarget), "%s/CA_%s.crt",
     183             :                 ca_dir, ca_name);
     184           0 :         if(strcmp(linktarget, ssl_cert_ca))
     185             :         {
     186           0 :                 remove_file(ssl_cert_ca);
     187           0 :                 if(symlink_file(linktarget, ssl_cert_ca)) return -1;
     188             :         }
     189             : 
     190           0 :         snprintf(linktarget, sizeof(linktarget), "%s/%s.crt",
     191             :                 ca_dir, ca_server_name);
     192           0 :         if(strcmp(linktarget, ssl_cert))
     193             :         {
     194           0 :                 remove_file(ssl_cert);
     195           0 :                 if(symlink_file(linktarget, ssl_cert)) return -1;
     196             :         }
     197             : 
     198           0 :         snprintf(linktarget, sizeof(linktarget), "%s/%s.key",
     199             :                 ca_dir, ca_server_name);
     200           0 :         if(strcmp(linktarget, ssl_key))
     201             :         {
     202           0 :                 remove_file(ssl_key);
     203           0 :                 if(symlink_file(linktarget, ssl_key)) return -1;
     204             :         }
     205             : 
     206             :         return 0;
     207             : }
     208             : 
     209           0 : static int maybe_make_dhfile(struct conf **confs, const char *ca_dir)
     210             : {
     211           0 :         int a=0;
     212             :         const char *args[12];
     213             :         struct stat statp;
     214           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
     215           0 :         const char *ssl_dhfile=get_string(confs[OPT_SSL_DHFILE]);
     216           0 :         if(!lstat(ssl_dhfile, &statp))
     217             :                 return 0;
     218             : 
     219           0 :         setup_stuff_done++;
     220             : 
     221           0 :         logp("Creating %s\n", ssl_dhfile);
     222           0 :         logp("Running '%s --dhfile %s --dir %s'\n",
     223             :                 ca_burp_ca, ssl_dhfile, ca_dir);
     224           0 :         a=0;
     225           0 :         args[a++]=ca_burp_ca;
     226           0 :         args[a++]="--dhfile";
     227           0 :         args[a++]=ssl_dhfile;
     228           0 :         args[a++]="--dir";
     229           0 :         args[a++]=ca_dir;
     230           0 :         args[a++]=NULL;
     231           0 :         if(run_script(NULL /* no async yet */, args, NULL, confs, 1 /* wait */,
     232             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     233             :                         one at a time with no way to turn it off */))
     234             :         {
     235           0 :                 logp("Error running %s\n", ca_burp_ca);
     236           0 :                 return -1;
     237             :         }
     238             : 
     239             :         return 0;
     240             : }
     241             : 
     242           0 : static int maybe_make_crl(struct conf **confs, const char *ca_dir,
     243             :         const char *ca_conf)
     244             : {
     245           0 :         int a=0;
     246           0 :         int ret=-1;
     247             :         const char *args[12];
     248             :         struct stat statp;
     249           0 :         char *crl_path=NULL;
     250           0 :         const char *ca_name=get_string(confs[OPT_CA_NAME]);
     251           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
     252           0 :         if(!ca_conf || !*ca_conf
     253           0 :           || !ca_burp_ca || !*ca_burp_ca
     254           0 :           || !ca_name || !*ca_name)
     255             :                 return 0;
     256           0 :         if(!(crl_path=get_crl_path(confs, ca_dir, ca_name)))
     257             :                 goto end;
     258           0 :         if(!lstat(crl_path, &statp))
     259             :         {
     260             :                 ret=0;
     261             :                 goto end;
     262             :         }
     263             :         // Create it even if we are not going to use it because of
     264             :         // OPT_CA_CRL_CHECK = 0.
     265             : 
     266           0 :         setup_stuff_done++;
     267             : 
     268           0 :         logp("Creating %s\n", crl_path);
     269           0 :         logp("Running '%s --name %s --config %s --dir %s --crl'\n",
     270             :                 ca_burp_ca, ca_name, ca_conf, ca_dir);
     271           0 :         a=0;
     272           0 :         args[a++]=ca_burp_ca;
     273           0 :         args[a++]="--name";
     274           0 :         args[a++]=ca_name;
     275           0 :         args[a++]="--config";
     276           0 :         args[a++]=ca_conf;
     277           0 :         args[a++]="--dir";
     278           0 :         args[a++]=ca_dir;
     279           0 :         args[a++]="--crl";
     280           0 :         args[a++]=NULL;
     281           0 :         if(run_script(NULL /* no async yet */, args, NULL, confs, 1 /* wait */,
     282             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     283             :                         one at a time with no way to turn it off */))
     284             :         {
     285           0 :                 logp("Error running %s\n", ca_burp_ca);
     286           0 :                 return -1;
     287             :         }
     288             :         ret=0;
     289             : end:
     290           0 :         free_w(&crl_path);
     291           0 :         return ret;
     292             : }
     293             : 
     294           0 : int ca_server_setup(struct conf **confs)
     295             : {
     296           0 :         int ret=-1;
     297           0 :         char *ca_dir=NULL;
     298           0 :         const char *ca_conf=get_string(confs[OPT_CA_CONF]);
     299             : 
     300           0 :         if(!ca_conf)
     301             :         {
     302             :                 ret=0;
     303             :                 goto end;
     304             :         }
     305             : 
     306           0 :         if(!(ca_dir=get_ca_dir(ca_conf)))
     307             :                 goto end;
     308             : 
     309           0 :         if(maybe_make_dhfile(confs, ca_dir))
     310             :                 goto end;
     311             : 
     312           0 :         if(ca_init(confs, ca_dir))
     313             :         {
     314           0 :                 recursive_delete(ca_dir);
     315           0 :                 goto end;
     316             :         }
     317             : 
     318           0 :         if(maybe_make_crl(confs, ca_dir, ca_conf))
     319             :                 goto end;
     320             : 
     321           0 :         ret=0;
     322             : end:
     323           0 :         free_w(&ca_dir);
     324           0 :         if(setup_stuff_done)
     325             :         {
     326           0 :                 if(ret) logp("CA setup failed\n");
     327           0 :                 else logp("CA setup succeeded\n");
     328             :         }
     329           0 :         return ret;
     330             : }
     331             : 
     332           0 : static int check_path_does_not_exist(struct asfd *asfd,
     333             :         const char *client, const char *path)
     334             : {
     335             :         struct stat statp;
     336           0 :         if(!lstat(path, &statp))
     337             :         {
     338           0 :                 char msg[1024]="";
     339           0 :                 snprintf(msg, sizeof(msg), "Will not accept a client certificate request for '%s' - %s already exists!", client, path);
     340           0 :                 log_and_send(asfd, msg);
     341             :                 return -1;
     342             :         }
     343             :         return 0;
     344             : }
     345             : 
     346             : static int csr_done=0;
     347             : 
     348             : // Return 0 for everything OK, signed and returned, -1 for error.
     349           0 : static int sign_client_cert(struct asfd *asfd,
     350             :         const char *client, struct conf **confs)
     351             : {
     352           0 :         int a=0;
     353           0 :         int ret=-1;
     354           0 :         char msg[256]="";
     355           0 :         char csrpath[512]="";
     356           0 :         char crtpath[512]="";
     357           0 :         char *ca_dir=NULL;
     358             :         const char *args[15];
     359           0 :         csr_done=0;
     360           0 :         const char *ca_name=get_string(confs[OPT_CA_NAME]);
     361           0 :         const char *ca_conf=get_string(confs[OPT_CA_CONF]);
     362           0 :         const char *ca_burp_ca=get_string(confs[OPT_CA_BURP_CA]);
     363           0 :         const char *ca_server_name=get_string(confs[OPT_CA_SERVER_NAME]);
     364           0 :         const char *ssl_cert_ca=get_string(confs[OPT_SSL_CERT_CA]);
     365           0 :         struct cntr *cntr=get_cntr(confs);
     366             : 
     367           0 :         if(!(ca_dir=get_ca_dir(ca_conf)))
     368             :                 goto error;
     369             : 
     370           0 :         snprintf(csrpath, sizeof(csrpath), "%s/%s.csr", ca_dir, client);
     371           0 :         snprintf(crtpath, sizeof(crtpath), "%s/%s.crt", ca_dir, client);
     372             : 
     373           0 :         if(!strcmp(client, ca_name))
     374             :         {
     375           0 :                 char msg[512]="";
     376           0 :                 snprintf(msg, sizeof(msg), "Will not accept a client certificate request with the same name as the CA (%s)!", ca_name);
     377           0 :                 log_and_send(asfd, msg);
     378             :                 goto error;
     379             :         }
     380             : 
     381           0 :         if(check_path_does_not_exist(asfd, client, crtpath)
     382           0 :           || check_path_does_not_exist(asfd, client, csrpath))
     383             :                 goto error;
     384             : 
     385             :         // Tell the client that we will do it, and send the server name at the
     386             :         // same time.
     387           0 :         snprintf(msg, sizeof(msg), "csr ok:%s", ca_server_name);
     388           0 :         if(asfd->write_str(asfd, CMD_GEN, msg))
     389             :                 goto error;
     390             : 
     391             :         /* After this point, we might have uploaded files, so on error, go
     392             :            to end and delete any new files. */
     393             : 
     394             :         // Get the CSR from the client.
     395           0 :         if(receive_a_file(asfd, csrpath, cntr))
     396             :                 goto del_files;
     397             : 
     398             :         // Now, sign it.
     399           0 :         logp("Signing certificate signing request from %s\n", client);
     400           0 :         logp("Running '%s --name %s --ca %s --sign --batch --dir %s --config %s'\n", ca_burp_ca, client, ca_name, ca_dir, ca_conf);
     401           0 :         a=0;
     402           0 :         args[a++]=ca_burp_ca;
     403           0 :         args[a++]="--name";
     404           0 :         args[a++]=client;
     405           0 :         args[a++]="--ca";
     406           0 :         args[a++]=ca_name;
     407           0 :         args[a++]="--sign";
     408           0 :         args[a++]="--batch";
     409           0 :         args[a++]="--dir";
     410           0 :         args[a++]=ca_dir;
     411           0 :         args[a++]="--config";
     412           0 :         args[a++]=ca_conf;
     413           0 :         args[a++]=NULL;
     414           0 :         if(run_script(asfd, args, NULL, confs, 1 /* wait */,
     415             :                 0, 0 /* do not use logp - stupid openssl prints lots of dots
     416             :                         one at a time with no way to turn it off */))
     417             :         {
     418           0 :                 logp("Error running %s\n", ca_burp_ca);
     419           0 :                 goto del_files;
     420             :         }
     421             : 
     422             :         // Now, we should have a signed certificate.
     423             :         // Need to send it back to the client.
     424           0 :         if(send_a_file(asfd, crtpath, cntr))
     425             :                 goto del_files;
     426             : 
     427             :         // Also need to send the CA public certificate back to the client.
     428           0 :         if(send_a_file(asfd, ssl_cert_ca, cntr))
     429             :                 goto del_files;
     430             : 
     431           0 :         ret=0;
     432           0 :         csr_done++;
     433             : del_files:
     434           0 :         if(ret<0)
     435             :         {
     436           0 :                 unlink(crtpath);
     437           0 :                 unlink(csrpath);
     438             :         }
     439             : error:
     440           0 :         free_w(&ca_dir);
     441           0 :         return ret;
     442             : }
     443             : 
     444           3 : static enum asl_ret csr_server_func(struct asfd *asfd,
     445             :         struct conf **confs, void *param)
     446             : {
     447             :         struct iobuf *rbuf;
     448             :         const char *ca_conf;
     449             :         const char **cname;
     450             : 
     451           3 :         rbuf=asfd->rbuf;
     452           3 :         cname=(const char **)param;
     453           3 :         ca_conf=get_string(confs[OPT_CA_CONF]);
     454             : 
     455           3 :         if(!strcmp(rbuf->buf, "csr"))
     456             :         {
     457             :                 // Client wants to sign a certificate.
     458           1 :                 logp("Client %s wants a certificate signed\n", *cname);
     459           1 :                 if(!ca_conf)
     460             :                 {
     461           1 :                         logp("But server is not configured to sign client certificate requests.\n");
     462           1 :                         logp("See option 'ca_conf'.\n");
     463           1 :                         asfd->write_str(asfd, CMD_ERROR,
     464             :                           "server not configured to sign client certificates");
     465           1 :                         return ASL_END_ERROR;
     466             :                 }
     467           0 :                 if(sign_client_cert(asfd, *cname, confs))
     468             :                         return ASL_END_ERROR;
     469           0 :                 return ASL_END_OK;
     470             :         }
     471           2 :         else if(!strcmp(rbuf->buf, "nocsr"))
     472             :         {
     473             :                 // Client does not want to sign a certificate.
     474             :                 // No problem, just carry on.
     475           1 :                 logp("Client %s does not want a certificate signed\n", *cname);
     476           1 :                 if(asfd->write_str(asfd, CMD_GEN, "nocsr ok"))
     477             :                         return ASL_END_ERROR;
     478           1 :                 return ASL_END_OK;
     479             :         }
     480             :         else
     481             :         {
     482           1 :                 iobuf_log_unexpected(rbuf, __func__);
     483           1 :                 return ASL_END_ERROR;
     484             :         }
     485             : }
     486             : 
     487             : /* Return 1 for everything OK, signed and returned, -1 for error, 0 for
     488             :    nothing done. */
     489           7 : int ca_server_maybe_sign_client_cert(struct asfd *asfd,
     490             :         struct conf **confs, struct conf **cconfs)
     491             : {
     492           7 :         long min_ver=0;
     493           7 :         long cli_ver=0;
     494           7 :         const char *cname=NULL;
     495             : 
     496           7 :         if((min_ver=version_to_long("1.3.2"))<0
     497           7 :          || (cli_ver=version_to_long(get_string(cconfs[OPT_PEER_VERSION])))<0)
     498             :                 return -1;
     499             :         // Clients before 1.3.2 did not know how to send cert signing requests.
     500           7 :         if(cli_ver<min_ver) return 0;
     501             : 
     502           4 :         if(!asfd)
     503             :         {
     504           1 :                 logp("asfd not set up in %s\n", __func__);
     505           1 :                 return -1;
     506             :         }
     507             : 
     508           3 :         cname=get_string(cconfs[OPT_CNAME]);
     509             : 
     510           3 :         if(asfd->simple_loop(asfd, confs, &cname, __func__, csr_server_func))
     511             :                 return -1;
     512             : 
     513           1 :         return csr_done;
     514             : }
     515             : 
     516           0 : int ca_x509_verify_crl(struct conf **confs,
     517             :         X509 *peer_cert, const char *ssl_peer_cn)
     518             : {
     519             :         int n;
     520             :         int i;
     521           0 :         int ret=-1;
     522           0 :         BIO *in=NULL;
     523           0 :         BIGNUM *bnser=NULL;
     524           0 :         X509_CRL *crl=NULL;
     525             :         X509_REVOKED *revoked;
     526           0 :         ASN1_INTEGER *serial=NULL;
     527           0 :         char *crl_path=NULL;
     528           0 :         char *ca_dir=NULL;
     529           0 :         const char *ca_name=get_string(confs[OPT_CA_NAME]);
     530           0 :         const char *ca_conf=get_string(confs[OPT_CA_CONF]);
     531           0 :         int crl_check=get_int(confs[OPT_CA_CRL_CHECK]);
     532             : 
     533           0 :         if(!crl_check)
     534             :         {
     535             :                 ret=0;
     536             :                 goto end;
     537             :         }
     538             : 
     539           0 :         if(!(ca_dir=get_ca_dir(ca_conf)))
     540             :                 goto end;
     541             : 
     542           0 :         if(!ca_name || !*ca_name  || !ca_dir)
     543             :         {
     544             :                 ret=0;
     545             :                 goto end;
     546             :         }
     547             : 
     548           0 :         if(!(crl_path=get_crl_path(confs, ca_dir, ca_name)))
     549             :                 goto end;
     550             : 
     551           0 :         if(!(in=BIO_new_file(crl_path, "r")))
     552             :         {
     553           0 :                 logp("CRL: cannot read: %s\n", crl_path);
     554           0 :                 goto end;
     555             :         }
     556             : 
     557           0 :         if(!(crl=PEM_read_bio_X509_CRL(in, NULL, NULL, NULL)))
     558             :         {
     559           0 :                 logp_ssl_err("CRL: cannot read CRL from file %s\n", crl_path);
     560           0 :                 goto end;
     561             :         }
     562             : 
     563           0 :         if(X509_NAME_cmp(X509_CRL_get_issuer(crl),
     564           0 :                 X509_get_issuer_name(peer_cert)))
     565             :         {
     566           0 :                 logp_ssl_err("CRL: CRL %s is from a different issuer than the issuer of certificate %s\n", crl_path, ssl_peer_cn);
     567           0 :                 goto end;
     568             :         }
     569             : 
     570           0 :         n=sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl));
     571           0 :         for(i=0; i<n; i++)
     572             :         {
     573           0 :                 revoked=(X509_REVOKED *)
     574           0 :                         sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
     575           0 :                 if(!ASN1_INTEGER_cmp(
     576             : #if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(LIBRESSL_VERSION_NUMBER)
     577             :                         revoked->serialNumber,
     578             : #else
     579             :                         X509_REVOKED_get0_serialNumber(revoked),
     580             : #endif
     581           0 :                         X509_get_serialNumber(peer_cert)))
     582             :                 {
     583           0 :                         serial=X509_get_serialNumber(peer_cert);
     584           0 :                         bnser=ASN1_INTEGER_to_BN(serial, NULL);
     585           0 :                         logp_ssl_err("CRL check failed: %s (%s) is revoked\n",
     586             :                                 ssl_peer_cn,
     587             :                                 serial ? BN_bn2hex(bnser):"not available");
     588           0 :                         goto end;
     589             :                 }
     590             :         }
     591             : 
     592             :         ret=0;
     593             : end:
     594           0 :         if(in) BIO_free(in);
     595           0 :         if(crl) X509_CRL_free(crl);
     596           0 :         free_w(&crl_path);
     597           0 :         free_w(&ca_dir);
     598           0 :         return ret;
     599             : }

Generated by: LCOV version 1.13