From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 2/3] Add client-side CRL checking
Date: Wed, 11 Jun 2025 09:09:42 +0200 [thread overview]
Message-ID: <20250611070943.235087-3-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250611070943.235087-1-Rik.Theys@gmail.com>
If an x509.crl option is specifiedin the authenticate.client
section of the configuration file, use it as a certificate
revocation list.
This commit only adds the check for tcp based TLS sessions.
Support for QUIC still needs to be added.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/client.c | 28 ++++++++++++++++++++++++++++
src/tlshd/config.c | 33 +++++++++++++++++++++++++++++++++
src/tlshd/tlshd.h | 1 +
3 files changed, 62 insertions(+)
diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 9c8f512..189452f 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -49,6 +49,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -77,6 +78,19 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
flags = GNUTLS_CLIENT;
ret = gnutls_init(&session, flags);
if (ret != GNUTLS_E_SUCCESS) {
@@ -275,6 +289,7 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
gnutls_session_t session;
unsigned int flags;
char *cafile;
+ char *crlfile;
int ret;
ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -295,6 +310,19 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+ if (tlshd_config_get_client_crl(&crlfile)) {
+ ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
+ GNUTLS_X509_FMT_PEM);
+ free(crlfile);
+ if (ret < 0 ) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+ tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
+ } else {
+ tlshd_log_debug("System CRL: No CRL file configured.");
+ }
+
if (!tlshd_x509_client_get_certs(parms))
goto out_free_creds;
if (!tlshd_x509_client_get_privkey(parms))
diff --git a/src/tlshd/config.c b/src/tlshd/config.c
index 1963116..7041fe9 100644
--- a/src/tlshd/config.c
+++ b/src/tlshd/config.c
@@ -212,6 +212,39 @@ bool tlshd_config_get_client_truststore(char **bundle)
return true;
}
+/**
+ * tlshd_config_get_client_crl - Get CRL for ClientHello from .conf
+ * @bundle: OUT: pathname to CRL
+ *
+ * Return values:
+ * %false: pathname not retrieved
+ * %true: pathname retrieved successfully; caller must free @bundle using free(3)
+ */
+bool tlshd_config_get_client_crl(char **bundle)
+{
+ GError *error = NULL;
+ gchar *pathname;
+
+ pathname = g_key_file_get_string(tlshd_configuration, "authenticate.client",
+ "x509.crl", &error);
+ if (!pathname) {
+ g_error_free(error);
+ return false;
+ } else if (access(pathname, F_OK)) {
+ tlshd_log_debug("client x509.crl pathname \"%s\" is not accessible", pathname);
+ g_free(pathname);
+ return false;
+ }
+
+ *bundle = strdup(pathname);
+ g_free(pathname);
+ if (!*bundle)
+ return false;
+
+ tlshd_log_debug("Client x.509 crl is %s", *bundle);
+ return true;
+}
+
/**
* tlshd_config_get_client_certs - Get certs for ClientHello from .conf
* @certs: OUT: in-memory certificates
diff --git a/src/tlshd/tlshd.h b/src/tlshd/tlshd.h
index 617d1c6..f674cae 100644
--- a/src/tlshd/tlshd.h
+++ b/src/tlshd/tlshd.h
@@ -57,6 +57,7 @@ extern void tlshd_quic_clienthello_handshake(struct tlshd_handshake_parms *parms
bool tlshd_config_init(const gchar *pathname);
void tlshd_config_shutdown(void);
bool tlshd_config_get_client_truststore(char **bundle);
+bool tlshd_config_get_client_crl(char **bundle);
bool tlshd_config_get_client_certs(gnutls_pcert_st *certs,
unsigned int *certs_len);
bool tlshd_config_get_client_privkey(gnutls_privkey_t *privkey);
--
2.49.0
next prev parent reply other threads:[~2025-06-11 7:10 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-11 7:09 [PATCH 0/3] Add CRL checking to server and client Rik Theys
2025-06-11 7:09 ` [PATCH 1/3] Add server-side CRL checking Rik Theys
2025-06-11 7:09 ` Rik Theys [this message]
2025-06-11 7:09 ` [PATCH 3/3] Add x509.crl option to man page Rik Theys
2025-06-11 13:49 ` [PATCH 0/3] Add CRL checking to server and client Chuck Lever
2025-06-12 14:28 ` Long Xin
2025-06-16 14:39 ` Chuck Lever
2025-06-17 5:22 ` Rik Theys
2025-06-18 12:37 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250611070943.235087-3-Rik.Theys@gmail.com \
--to=rik.theys@gmail.com \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox