From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 2/5] Add client-side CRL checking
Date: Wed, 18 Jun 2025 11:00:37 +0200	[thread overview]
Message-ID: <20250618090040.566838-3-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>

If an x509.crl option is specified in the authenticate.client
section of the configuration file, load the file it names as a
certificate revocation list into the client's credentials.

This commit only adds the check for tcp based TLS sessions.
Support for QUIC still needs to be added.

Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
 src/tlshd/client.c | 28 ++++++++++++++++++++++++++++
 src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
 src/tlshd/tlshd.h  |  1 +
 3 files changed, 62 insertions(+)

diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 9c8f512..189452f 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -49,6 +49,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 	gnutls_session_t session;
 	unsigned int flags;
 	char *cafile;
+	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -77,6 +78,19 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
+	if (tlshd_config_get_client_crl(&crlfile)) {
+		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+							   GNUTLS_X509_FMT_PEM);
+		free(crlfile);
+		if (ret < 0 ) {
+			tlshd_log_gnutls_error(ret);
+			goto out_free_creds;
+		}
+		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+	} else {
+		tlshd_log_debug("System CRL: No CRL file configured.");
+	}
+
 	flags = GNUTLS_CLIENT;
 	ret = gnutls_init(&session, flags);
 	if (ret != GNUTLS_E_SUCCESS) {
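Review bot: The success path at `tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret)` accepts ret == 0, so a configured x509.crl file that contains no parseable PEM CRL (the count the log line itself treats ret as) leaves the session with no revocation data while the operator believes revocation is enforced. Because 0 is not a GnuTLS error code, tlshd_log_gnutls_error() is not the right reporter for that case; a separate guard such as `if (ret == 0) { tlshd_log_debug("System CRL: no CRLs found in file."); goto out_free_creds; }` fails closed instead. Whether the loaded CRLs are consulted, and what happens when no CRL covers an issuer in the peer's chain, depends on the verification flags set elsewhere in this function and is not visible in the hunk. tlshd_tls13_client_anon_handshake starts before the hunk and continues after it.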
@@ -275,6 +289,7 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 	gnutls_session_t session;
 	unsigned int flags;
 	char *cafile;
+	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -295,6 +310,19 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
+	if (tlshd_config_get_client_crl(&crlfile)) {
+		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+							   GNUTLS_X509_FMT_PEM);
+		free(crlfile);
+		if (ret < 0 ) {
+			tlshd_log_gnutls_error(ret);
+			goto out_free_creds;
+		}
+		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+	} else {
+		tlshd_log_debug("System CRL: No CRL file configured.");
+	}
+
 	if (!tlshd_x509_client_get_certs(parms))
 		goto out_free_creds;
 	if (!tlshd_x509_client_get_privkey(parms))
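Review bot: The debug messages in the new block describe the operator-configured file as the "System CRL" (`"System CRL: Loaded %d CRL(s)."` and `"System CRL: No CRL file configured."`), which reads as though a system-wide CRL store were consulted, while the path comes from the authenticate.client x509.crl option; `"Configured CRL: Loaded %d CRL(s)."` and `"Configured CRL: no x509.crl option set."` would say what actually happened. There is also a stray space in `if (ret < 0 )`; `if (ret < 0) {` matches the surrounding code. Logging the pathname together with the count would help when debugging revocation problems, but crlfile is freed before the success log, so the `free(crlfile)` would have to move below the debug line. tlshd_tls13_client_x509_handshake starts before the hunk and continues after it.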
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index 1963116..7041fe9 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -212,6 +212,39 @@ bool tlshd_config_get_client_truststore(char **bundle)
 	return true;
 }
 
+/**
+ * tlshd_config_get_client_crl - Get CRL for ClientHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ *   %false: pathname not retrieved
+ *   %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_client_crl(char **bundle)
+{
+	GError *error = NULL;
+	gchar *pathname;
+
+	pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
+					 "x509.crl", &error);
+	if (!pathname) {
+		g_error_free(error);
+		return false;
+	} else if (access(pathname, F_OK)) {
+		tlshd_log_debug("client x509.crl pathname \"%s\" is not accessible", pathname);
+		g_free(pathname);
+		return false;
+	}
+
+	*bundle = strdup(pathname);
+	g_free(pathname);
+	if (!*bundle)
+		return false;
+
+	tlshd_log_debug("Client x.509 crl is %s", *bundle);
+	return true;
+}
+
 /**
  * tlshd_config_get_client_certs - Get certs for ClientHello from .conf
  * @certs: OUT: in-memory certificates
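Review bot: The `else if (access(pathname, F_OK))` branch makes a configured CRL fail open: when the x509.crl file is missing the function logs at debug level and returns false, which the callers cannot distinguish from "no CRL configured" (their else branch logs "No CRL file configured"), so revocation checking is silently dropped on an operator typo or a deleted file. Returning the pathname anyway and letting gnutls_certificate_set_x509_crl_file() report the problem would fail closed, since the callers already treat a negative return from it as fatal; concretely, drop the access() branch, or keep it only as a warning that still returns the path. access(2) with F_OK proves existence rather than readability, and the result can change before GnuTLS opens the file, so it adds little over the loader's own error. If the current behaviour is kept, the header comment should say so, e.g. `*   %false: option not set, or pathname not accessible (logged at debug level)`.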
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 617d1c6..f674cae 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -57,6 +57,7 @@ extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms
 bool tlshd_config_init(const gchar *pathname);
 void tlshd_config_shutdown(void);
 bool tlshd_config_get_client_truststore(char **bundle);
+bool tlshd_config_get_client_crl(char **bundle);
 bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
 				   unsigned int *certs_len);
 bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
-- 
2.49.0

