[PATCH 5/5] Move client-side CRL code to common function

public inbox for kernel-tls-handshake@lists.linux.dev
 help / color / mirror / Atom feed

From: Rik Theys <rik.theys@gmail.com>
To: kernel-tls-handshake@lists.linux.dev
Cc: Rik Theys <Rik.Theys@gmail.com>
Subject: [PATCH 5/5] Move client-side CRL code to common function
Date: Wed, 18 Jun 2025 11:00:40 +0200	[thread overview]
Message-ID: <20250618090040.566838-6-Rik.Theys@gmail.com> (raw)
In-Reply-To: <20250618090040.566838-1-Rik.Theys@gmail.com>

The code that configures the CRL is needed in both the TLS and
QUIC setup functions. Move the code that configures the CA
certificates and CRL into a separate function and call it from
the anon/mtls TLS and QUIC setup functions.

Signed-off-by: Rik Theys <Rik.Theys@gmail.com>
---
 src/tlshd/client.c | 94 ++++++++++++++++++++--------------------------
 1 file changed, 40 insertions(+), 54 deletions(-)

diff --git a/src/tlshd/client.c b/src/tlshd/client.c
index 189452f..6fb507a 100644
--- a/src/tlshd/client.c
+++ b/src/tlshd/client.c
@@ -43,29 +43,13 @@
 #include "tlshd.h"
 #include "netlink.h"
 
-static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+static int tlshd_client_configure_credentials(gnutls_certificate_credentials_t
+					      xcred)
 {
-	gnutls_certificate_credentials_t xcred;
-	gnutls_session_t session;
-	unsigned int flags;
 	char *cafile;
 	char *crlfile;
 	int ret;
 
-	ret = gnutls_certificate_allocate_credentials(&xcred);
-	if (ret != GNUTLS_E_SUCCESS) {
-		tlshd_log_gnutls_error(ret);
-		return;
-	}
-
-	/*
-	 * Don't reject self-signed server certificates.
-	 */
-	gnutls_certificate_set_verify_flags(xcred,
-			GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
-	gnutls_certificate_set_flags(xcred,
-			GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
-
 	if (tlshd_config_get_client_truststore(&cafile)) {
 		ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
 							     GNUTLS_X509_FMT_PEM);
@@ -73,8 +57,7 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 	} else
 		ret = gnutls_certificate_set_x509_system_trust(xcred);
 	if (ret < 0) {
-		tlshd_log_gnutls_error(ret);
-		goto out_free_creds;
+		return ret;
 	}
 	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
 
@@ -83,14 +66,43 @@ static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parm
 							   GNUTLS_X509_FMT_PEM);
 		free(crlfile);
 		if (ret < 0 ) {
-			tlshd_log_gnutls_error(ret);
-			goto out_free_creds;
+			return ret;
 		}
 		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
 	} else {
 		tlshd_log_debug("System CRL: No CRL file configured.");
 	}
 
+	return GNUTLS_E_SUCCESS;
+}
+
+static void tlshd_tls13_client_anon_handshake(struct tlshd_handshake_parms *parms)
+{
+	gnutls_certificate_credentials_t xcred;
+	gnutls_session_t session;
+	unsigned int flags;
+	int ret;
+
+	ret = gnutls_certificate_allocate_credentials(&xcred);
+	if (ret != GNUTLS_E_SUCCESS) {
+		tlshd_log_gnutls_error(ret);
+		return;
+	}
+
+	/*
+	 * Don't reject self-signed server certificates.
+	 */
+	gnutls_certificate_set_verify_flags(xcred,
+			GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 | GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
+	gnutls_certificate_set_flags(xcred,
+			GNUTLS_CERTIFICATE_SKIP_KEY_CERT_MATCH | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+
+	ret = tlshd_client_configure_credentials(xcred);
+	if (ret != GNUTLS_E_SUCCESS) {
+		tlshd_log_gnutls_error(ret);
+		goto out_free_creds;
+	}
+
 	flags = GNUTLS_CLIENT;
 	ret = gnutls_init(&session, flags);
 	if (ret != GNUTLS_E_SUCCESS) {
@@ -288,8 +300,6 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 	gnutls_certificate_credentials_t xcred;
 	gnutls_session_t session;
 	unsigned int flags;
-	char *cafile;
-	char *crlfile;
 	int ret;
 
 	ret = gnutls_certificate_allocate_credentials(&xcred);
@@ -298,30 +308,11 @@ static void tlshd_tls13_client_x509_handshake(struct tlshd_handshake_parms *parm
 		return;
 	}
 
-	if (tlshd_config_get_client_truststore(&cafile)) {
-		ret = gnutls_certificate_set_x509_trust_file(xcred, cafile,
-							     GNUTLS_X509_FMT_PEM);
-		free(cafile);
-	} else
-		ret = gnutls_certificate_set_x509_system_trust(xcred);
-	if (ret < 0) {
+	ret = tlshd_client_configure_credentials(xcred);
+	if (ret != GNUTLS_E_SUCCESS) {
 		tlshd_log_gnutls_error(ret);
 		goto out_free_creds;
 	}
-	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
-
-	if (tlshd_config_get_client_crl(&crlfile)) {
-		ret = gnutls_certificate_set_x509_crl_file(xcred, crlfile,
-							   GNUTLS_X509_FMT_PEM);
-		free(crlfile);
-		if (ret < 0 ) {
-			tlshd_log_gnutls_error(ret);
-			goto out_free_creds;
-		}
-		tlshd_log_debug("System CRL: Loaded %d CRL(s).", ret);
-	} else {
-		tlshd_log_debug("System CRL: No CRL file configured.");
-	}
 
 	if (!tlshd_x509_client_get_certs(parms))
 		goto out_free_creds;
@@ -517,7 +508,6 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
 	gnutls_certificate_credentials_t cred;
 	gnutls_session_t session;
 	int ret = -EINVAL;
-	char *cafile;
 
 	if (conn->cert_req != TLSHD_QUIC_NO_CERT_AUTH) {
 		if (!tlshd_x509_client_get_certs(parms) || !tlshd_x509_client_get_privkey(parms)) {
@@ -528,14 +518,10 @@ static int tlshd_quic_client_set_x509_session(struct tlshd_quic_conn *conn)
 	ret = gnutls_certificate_allocate_credentials(&cred);
 	if (ret)
 		goto err;
-	if (tlshd_config_get_client_truststore(&cafile)) {
-		ret = gnutls_certificate_set_x509_trust_file(cred, cafile, GNUTLS_X509_FMT_PEM);
-		free(cafile);
-	} else
-		ret = gnutls_certificate_set_x509_system_trust(cred);
-	if (ret < 0)
-		goto err_cred;
-	tlshd_log_debug("System trust: Loaded %d certificate(s).", ret);
+
+	ret = tlshd_client_configure_credentials(cred);
+	if (ret != GNUTLS_E_SUCCESS)
+		goto err;
 
 	if (conn->cert_req == TLSHD_QUIC_NO_CERT_AUTH) {
 		gnutls_certificate_set_verify_flags(cred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD2 |
-- 
2.49.0

     prev parent reply	other threads:[~2025-06-18  9:01 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-18  9:00 [PATCH 0/3] Add CRL checking to server and client (v2) Rik Theys
2025-06-18  9:00 ` [PATCH 1/5] Add server-side CRL checking Rik Theys
2025-06-18  9:00 ` [PATCH 2/5] Add client-side " Rik Theys
2025-06-18  9:00 ` [PATCH 3/5] Add x509.crl option to man page Rik Theys
2025-06-18  9:00 ` [PATCH 4/5] Move server-side CRL code to common function Rik Theys
2025-06-18  9:00 ` Rik Theys [this message]

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:189452f dfblob:6fb507a )
 OR (
bs:"[PATCH 5/5] Move client-side CRL code to common function" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250618090040.566838-6-Rik.Theys@gmail.com \
    --to=rik.theys@gmail.com \
    --cc=kernel-tls-handshake@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox