From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 1/5] Add server-side CRL checking
Date: Wed, 18 Jun 2025 11:00:36 +0200 [thread overview]
Message-ID: <20250618090040.566838-2-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>
If an x509.crl option is specified in the authenticate.server
section of the configuration file, use it as a certificate
revocation list.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/server.c | 14 ++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 48 insertions(+)
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index be5d472..1963116 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -350,6 +350,39 @@ bool tlshd_config_get_server_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_server_crl - Get CRL for ServerHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_server_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.server",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("server x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Server x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_server_certs - Get certs for ServerHello from .conf
* @certs: OUT: in-memory certificates
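Review bot: A configured but unreadable CRL is handled exactly like an unconfigured one: the `access(pathname, F_OK)` branch logs at debug level only and returns false, and the caller in the server.c hunk then falls into `tlshd_log_debug("System CRL: No CRL file configured.")` and continues the handshake with no revocation data and a misleading message. Since the option exists to reject revoked peers, an operator-set path that cannot be used is a misconfiguration the handshake should refuse rather than silently fall back from; consider returning false only when the key is absent and logging an inaccessible path at the daemon's non-debug level, or otherwise letting the caller distinguish "not configured" from "configured but unusable". `F_OK` also only tests existence, whereas gnutls will need to read the file, so `} else if (access(pathname, R_OK)) {` is the closer check. The parameter name @bundle and the "pathname not retrieved" wording are carried over from the truststore getter; a name such as @pathname would describe what this function actually hands back.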
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index 72ff6f5..bf4b740 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -219,6 +219,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -239,6 +240,19 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_server_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
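Review bot: gnutls_certificate_set_x509_crl_file() returns the number of CRLs it loaded, and only a negative return is treated as failure, so a file that yields zero CRLs (empty, or not PEM) logs `Loaded 0 CRL(s)` and the handshake proceeds with no revocation data even though a CRL was configured; adding `if (ret == 0) { tlshd_log_debug("System CRL: no CRLs found in file"); goto out_free_creds; }` after the existing `ret < 0` branch keeps the configured check effective. The format is hard-coded to GNUTLS_X509_FMT_PEM, which is fine as long as the option is documented as PEM-only. Minor style: `if (ret < 0 )` has a stray space before the closing paren, and the "System CRL" log prefix mirrors "System trust" although this CRL comes from the configuration file, not the system store. tlshd_tls13_server_x509_handshake starts before this hunk and continues past it.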
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 135e1e0..617d1c6 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -61,6 +61,7 @@ bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
bool tlshd_config_get_server_truststore(char **bundle);
+bool tlshd_config_get_server_crl(char **bundle);
bool tlshd_config_get_server_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_server_privkey(gnutls_privkey_t *privkey);
--
2.49.0