From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 4/5] Move server-side CRL code to common function
Date: Wed, 18 Jun 2025 11:00:39 +0200 [thread overview]
Message-ID: <20250618090040.566838-5-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>
The code that configures the CRL is needed in both the TLS
and QUIC setup functions. Move the code that configures the
certificate and CRL into a separate function and call it from
tlshd_tls13_server_x509_handshake for TLS and
tlshd_quic_server_set_x509_session for QUIC.
Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
src/tlshd/server.c | 73 +++++++++++++++++++++++++---------------------
1 file changed, 39 insertions(+), 34 deletions(-)
diff --git a/src/tlshd/server.c b/src/tlshd/server.c
index bf4b740..f0e83ff 100644
--- a/src/tlshd/server.c
+++ b/src/tlshd/server.c
@@ -207,27 +207,13 @@ certificate_error:
return GNUTLS_E_CERTIFICATE_ERROR;
}
-static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
-{
- struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
-
- return tlshd_server_x509_verify_function(session, parms);
-}
-
-static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_server_configure_credentials(gnutls_certificate_credentials_t
+ xcred)
{
- gnutls_certificate_credentials_t xcred;
- gnutls_session_t session;
- char *cafile;
char *crlfile;
+ char *cafile;
int ret;
- ret = gnutls_certificate_allocate_credentials(&xcred);
- if (ret != GNUTLS_E_SUCCESS) {
- tlshd_log_gnutls_error(ret);
- return;
- }
-
if (tlshd_config_get_server_truststore(&cafile)) {
ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
GNUTLS_X509_FMT_PEM);
@@ -235,8 +221,7 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
} else
ret = gnutls_certificate_set_x509_system_trust(xcred);
if (ret < 0) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
@@ -245,22 +230,50 @@ static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parm
GNUTLS_X509_FMT_PEM);
free(crlfile);
if (ret < 0 ) {
- tlshd_log_gnutls_error(ret);
- goto out_free_creds;
+ return ret;
}
tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
} else {
tlshd_log_debug("System CRL: No CRL file configured.");
}
+ gnutls_certificate_set_retrieve_function2(xcred,
+ tlshd_x509_retrieve_key_cb);
+
+ return GNUTLS_E_SUCCESS;
+}
+
+static int tlshd_tls13_server_x509_verify_function(gnutls_session_t session)
+{
+ struct tlshd_handshake_parms *parms = gnutls_session_get_ptr(session);
+
+ return tlshd_server_x509_verify_function(session, parms);
+}
+
+static void tlshd_tls13_server_x509_handshake(struct tlshd_handshake_parms *parms)
+{
+ gnutls_certificate_credentials_t xcred;
+ gnutls_session_t session;
+ int ret;
+
+ ret = gnutls_certificate_allocate_credentials(&xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ return;
+ }
+
+ ret = tlshd_server_configure_credentials(xcred);
+ if (ret != GNUTLS_E_SUCCESS) {
+ tlshd_log_gnutls_error(ret);
+ goto out_free_creds;
+ }
+
if (!tlshd_x509_server_get_certs(parms)) {
goto out_free_creds;
}
if (!tlshd_x509_server_get_privkey(parms)) {
goto out_free_creds;
}
- gnutls_certificate_set_retrieve_function2(xcred,
- tlshd_x509_retrieve_key_cb);
ret = gnutls_init(&session, GNUTLS_SERVER);
if (ret != GNUTLS_E_SUCCESS) {
@@ -479,7 +492,6 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
gnutls_datum_t ticket_key;
gnutls_session_t session;
int ret = -EINVAL;
- char *cafile;
if (!tlshd_x509_server_get_certs(parms) || !tlshd_x509_server_get_privkey(parms)) {
tlshd_log_error("cert/privkey get error %d", -ret);
@@ -489,17 +501,10 @@ static int tlshd_quic_server_set_x509_session(struct tlshd_quic_conn *conn)
ret = gnutls_certificate_allocate_credentials(&cred);
if (ret)
goto err;
- if (tlshd_config_get_server_truststore(&cafile)) {
- ret = gnutls_certificate_set_x509_trust_file(cred, cafile,
- GNUTLS_X509_FMT_PEM);
- free(cafile);
- } else
- ret = gnutls_certificate_set_x509_system_trust(cred);
- if (ret < 0)
- goto err_cred;
- tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
- gnutls_certificate_set_retrieve_function2(cred, tlshd_x509_retrieve_key_cb);
+ ret = tlshd_server_configure_credentials(cred);
+ if (ret != GNUTLS_E_SUCCESS)
+ goto err;
gnutls_certificate_set_verify_function(cred, tlshd_quic_server_x509_verify_function);
--
2.49.0
next prev parent reply other threads:[~2025-06-18 9:01 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-18 9:00 [PATCH 0/3] Add CRL checking to server and client (v2) Rik Theys
2025-06-18 9:00 ` [PATCH 1/5] Add server-side CRL checking Rik Theys
2025-06-18 9:00 ` [PATCH 2/5] Add client-side " Rik Theys
2025-06-18 9:00 ` [PATCH 3/5] Add x509.crl option to man page Rik Theys
2025-06-18 9:00 ` Rik Theys [this message]
2025-06-18 9:00 ` [PATCH 5/5] Move client-side CRL code to common function Rik Theys
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250618090040.566838-5-Rik.Theys@gmail.com \
--to=rik.theys@gmail.com \
--cc=kernel-tls-handshake@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox