From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 5/5] Move client-side CRL code to common function
Date: Wed, 18 Jun 2025 11:00:40 +0200 [thread overview]
Message-ID: <20250618090040.566838-6-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>
The code that configures the CRL is needed in both the TLS and
QUIC setup functions. Move the code that configures the CA
certificates and CRL into a separate function and call it from
the anon/mtls TLS and QUIC setup functions.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/client.c | 94 ++++++++++++++++++++--------------------------
1 file changed, 40 insertions(+), 54 deletions(-)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 189452f..6fb507a 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -43,29 +43,13 @@
#include "tlshd.h"
#include "netlink.h"
-static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_client_configure_credentials(gnutls_certificate_credentials_t
+ xcred)
{
- gnutls_certificate_credentials_t xcred;
- gnutls_session_t session;
- unsigned int flags;
char *cafile;
char *crlfile;
int ret;
- ret = gnutls_certificate_allocate_credentials(&xcred);
- if (ret != GNUTLS_E_SUCCESS) {
- tlshd_log_gnutls_error(ret);
- return;
- }
-
- /*
- * Don't reject self-signed server certificates.
- */
- gnutls_certificate_set_verify_flags(xcred,
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
- gnutls_certificate_set_flags(xcred,
- GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
-
if (tlshd_config_get_client_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
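Review bot: The new helper tlshd_client_configure_credentials has no header comment, so a reader of either caller has to open its body to learn that a negative return is a raw GnuTLS error code that the caller is expected to log and that the caller keeps ownership of @xcred. I would add above the signature: `/* Load the client trust anchors (configured truststore file or system store) and, if configured, the CRL file into @xcred. Returns GNUTLS_E_SUCCESS or a negative GnuTLS error code; the caller logs it and remains responsible for freeing @xcred. */`. As a matter of style, wrapping only the parameter name `xcred` onto its own line reads awkwardly; keeping `gnutls_certificate_credentials_t xcred` on one line (or wrapping after the opening parenthesis) is the more usual form in this file. The helper's body continues past this hunk.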
@@ -73,8 +57,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
@@ -83,14 +66,43 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
+ return GNUTLS_E_SUCCESS;
+}
+
+static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+{
+ gnutls_certificate_credentials_t xcred;
+ gnutls_session_t session;
+ unsigned int flags;
+ int ret;
+
+ ret = gnutls_certificate_allocate_credentials(&xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ return;
+ }
+
+ /*
+ * Don't reject self-signed server certificates.
+ */
+ gnutls_certificate_set_verify_flags(xcred,
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+ gnutls_certificate_set_flags(xcred,
+ GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
+ ret = tlshd_client_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
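Review bot: In the new tlshd_client_configure_credentials a configured CRL file that yields no CRLs is accepted silently: gnutls_certificate_set_x509_crl_file returns the number of CRLs loaded, so an empty, truncated or wrong-format file gives `ret == 0`, only the debug line `System CRL: Loaded 0 CRL(s).` is emitted, and the handshake proceeds with no revocation data at all. An operator who explicitly configured a CRL presumably wants the opposite of fail-open, so consider treating zero loaded CRLs as a configuration error, e.g. `if (ret == 0) return GNUTLS_E_FILE_ERROR;` (or whichever error code the project prefers), so the callers' existing error path logs it and aborts; the same argument applies to a configured truststore file that loads zero certificates. Note that the helper currently has no non-debug logging of its own, so any such failure is only visible through the caller's tlshd_log_gnutls_error(). The body of tlshd_tls13_client_anon_handshake continues outside this hunk.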
@@ -288,8 +300,6 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_certificate_credentials_t xcred;
gnutls_session_t session;
unsigned int flags;
- char *cafile;
- char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -298,30 +308,11 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
return;
}
- if (tlshd_config_get_client_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
- GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(xcred);
- if (ret < 0) {
+ ret = tlshd_client_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
tlshd_log_gnutls_error(ret);
goto out_free_creds;
}
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
-
- if (tlshd_config_get_client_crl(&crlfile)) {
- ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
- GNUTLS_X509_FMT_PEM);
- free(crlfile);
- if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
- }
- tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
- } else {
- tlshd_log_debug("System CRL: No CRL file configured.");
- }
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
@@ -517,7 +508,6 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
gnutls_certificate_credentials_t cred;
gnutls_session_t session;
int ret = -EINVAL;
- char *cafile;
if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
@@ -528,14 +518,10 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
- if (tlshd_config_get_client_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(cred, cafile, GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(cred);
- if (ret < 0)
- goto err_cred;
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+
+ ret = tlshd_client_configure_credentials(cred);
+ if (ret != GNUTLS_E_SUCCESS)
+ goto err;
if (conn->cert_req == TLSHD_QUIC_NO_CERT_AUTH) {
gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 |
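Review bot: The new error branch `goto err;` after `tlshd_client_configure_credentials(cred)` leaks the credentials that `gnutls_certificate_allocate_credentials(&cred)` allocated a few lines earlier; the removed trust-loading code jumped to `err_cred` from exactly this position, and nothing reachable via `err` can know about `cred`. It should be `goto err_cred;` (the label is outside the hunk, but the removed lines show it is the post-allocation cleanup target). The TLS paths in this same patch also call `tlshd_log_gnutls_error(ret)` before cleaning up, whereas here the GnuTLS error code is dropped and the caller only sees the generic failure; a bad truststore or CRL path is precisely the configuration error an operator needs to see, so I would write `if (ret != GNUTLS_E_SUCCESS) { tlshd_log_gnutls_error(ret); goto err_cred; }`. The body of tlshd_quic_client_set_x509_session, including the err/err_cred labels, continues outside the hunk.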
--
2.49.0