From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 4/5] Move server-side CRL code to common function
Date: Wed, 18 Jun 2025 11:00:39 +0200 [thread overview]
Message-ID: <20250618090040.566838-5-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>
The code that configures the CRL is needed in both the TLS
and QUIC setup functions. Move the code that configures the
certificate and CRL into a separate function and call it from
tlshd_tls13_server_x509_handshake for TLS and
tlshd_quic_server_set_x509_session for QUIC.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/server.c | 73 +++++++++++++++++++++++++---------------------
1 file changed, 39 insertions(+), 34 deletions(-)
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index bf4b740..f0e83ff 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -207,27 +207,13 @@ certificate_error:
return GNUTLS_E_CERTIFICATE_ERROR;
}
-static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
-{
- struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
-
- return tlshd_server_x509_verify_function(session, parms);
-}
-
-static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
+ xcred)
{
- gnutls_certificate_credentials_t xcred;
- gnutls_session_t session;
- char *cafile;
char *crlfile;
+ char *cafile;
int ret;
- ret = gnutls_certificate_allocate_credentials(&xcred);
- if (ret != GNUTLS_E_SUCCESS) {
- tlshd_log_gnutls_error(ret);
- return;
- }
-
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
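Review bot: The new `tlshd_server_configure_credentials` has no header comment stating its contract, and its contract differs from the code it replaces: the old in-function `tlshd_log_gnutls_error(ret)` calls are gone (see the `return ret;` lines in the next two hunks), so logging and freeing `xcred` are now the caller's job. A comment above the signature such as `/* Load the server trust store and CRL into xcred and install the key-retrieve callback. Returns GNUTLS_E_SUCCESS or a negative GnuTLS error; does not log and does not free xcred -- the caller does both. */` would make that explicit for the two call sites. Stylistically, the signature is broken after the type, `static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t xcred)` reads better on one line if the file's line length allows. The function body continues through the two following hunks and ends at `return GNUTLS_E_SUCCESS;` in the third.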
@@ -235,8 +221,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
@@ -245,22 +230,50 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
+ gnutls_certificate_set_retrieve_function2(xcred,
+ tlshd_x509_retrieve_key_cb);
+
+ return GNUTLS_E_SUCCESS;
+}
+
+static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
+{
+ struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
+
+ return tlshd_server_x509_verify_function(session, parms);
+}
+
+static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+{
+ gnutls_certificate_credentials_t xcred;
+ gnutls_session_t session;
+ int ret;
+
+ ret = gnutls_certificate_allocate_credentials(&xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ return;
+ }
+
+ ret = tlshd_server_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
if (!tlshd_x509_server_get_privkey(parms)) {
goto out_free_creds;
}
- gnutls_certificate_set_retrieve_function2(xcred,
- tlshd_x509_retrieve_key_cb);
ret = gnutls_init(&session, GNUTLS_SERVER);
if (ret != GNUTLS_E_SUCCESS) {
@@ -479,7 +492,6 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
gnutls_datum_t ticket_key;
gnutls_session_t session;
int ret = -EINVAL;
- char *cafile;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
tlshd_log_error("cert/privkey get error %d", -ret);
@@ -489,17 +501,10 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
- if (tlshd_config_get_server_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(cred, cafile,
- GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(cred);
- if (ret < 0)
- goto err_cred;
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
- gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
+ ret = tlshd_server_configure_credentials(cred);
+ if (ret != GNUTLS_E_SUCCESS)
+ goto err;
gnutls_certificate_set_verify_function(cred, tlshd_quic_server_x509_verify_function);
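Review bot: The failure branch after `tlshd_server_configure_credentials(cred)` jumps to `err`, but the lines it replaces jumped to `err_cred` after `gnutls_certificate_allocate_credentials(&cred)` had succeeded, so on a trust-store or CRL load failure the freshly allocated `cred` now appears to leak (the labels themselves are outside the hunk; `err_cred` presumably frees cred). The same branch also drops the error text, while the TLS caller in the earlier hunk logs it with `tlshd_log_gnutls_error(ret)`. Suggested: `if (ret != GNUTLS_E_SUCCESS) { tlshd_log_gnutls_error(ret); goto err_cred; }`. Note too that `ret` here is a GnuTLS error code rather than the negative errno the function initialises `ret` with; that was already the case before this change, but worth a comment if callers interpret the return value. tlshd_quic_server_set_x509_session continues outside the hunk.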
--
2.49.0