1 files changed, 41 insertions, 1 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index f64f6d7632..ed857272c4 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -26,6 +26,8 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
+#include <openssl/safestack.h>
+#include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <tls.h>
@@ -464,8 +466,15 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
        size_t ca_len = ctx->config->ca_len;
        char *ca_mem = ctx->config->ca_mem;
+        char *crl_mem = ctx->config->crl_mem;
+        size_t crl_len = ctx->config->crl_len;
        char *ca_free = NULL;
+        STACK_OF(X509_INFO) *xis = NULL;
+        X509_STORE *store;
+        X509_INFO *xi;
+        BIO *bio = NULL;
        int rv = -1;
+        int i;
        SSL_CTX_set_verify(ssl_ctx, verify, NULL);
        SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
@@ -499,10 +508,41 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
                goto err;
        }
+        if (crl_mem != NULL) {
+                if (crl_len > INT_MAX) {
+                        tls_set_errorx(ctx, "crl too long");
+                        goto err;
+                }
+                if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
+                        tls_set_errorx(ctx, "failed to create buffer");
+                        goto err;
+                }
+                if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
+                    NULL)) == NULL) {
+                        tls_set_errorx(ctx, "failed to parse crl");
+                        goto err;
+                }
+                store = SSL_CTX_get_cert_store(ssl_ctx);
+                for (i = 0; i < sk_X509_INFO_num(xis); i++) {
+                        xi = sk_X509_INFO_value(xis, i);
+                        if (xi->crl == NULL)
+                                continue;
+                        if (!X509_STORE_add_crl(store, xi->crl)) {
+                                tls_set_error(ctx, "failed to add crl");
+                                goto err;
+                        }
+                        xi->crl = NULL;
+                }
+                X509_VERIFY_PARAM_set_flags(store->param,
+                    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+        }
 done:
        rv = 0;
 err:
+        sk_X509_INFO_pop_free(xis, X509_INFO_free);
+        BIO_free(bio);
        free(ca_free);
        return (rv);

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index f64f6d7632..ed857272c4 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -26,6 +26,8 @@
26	#include <openssl/err.h>	26	#include <openssl/err.h>
27	#include <openssl/evp.h>	27	#include <openssl/evp.h>
28	#include <openssl/pem.h>	28	#include <openssl/pem.h>
		29	#include <openssl/safestack.h>
		30	#include <openssl/ssl.h>
29	#include <openssl/x509.h>	31	#include <openssl/x509.h>
30		32
31	#include <tls.h>	33	#include <tls.h>
@@ -464,8 +466,15 @@ tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify)
464	{	466	{
465	size_t ca_len = ctx->config->ca_len;	467	size_t ca_len = ctx->config->ca_len;
466	char *ca_mem = ctx->config->ca_mem;	468	char *ca_mem = ctx->config->ca_mem;
		469	char *crl_mem = ctx->config->crl_mem;
		470	size_t crl_len = ctx->config->crl_len;
467	char *ca_free = NULL;	471	char *ca_free = NULL;
		472	STACK_OF(X509_INFO) *xis = NULL;
		473	X509_STORE *store;
		474	X509_INFO *xi;
		475	BIO *bio = NULL;
468	int rv = -1;	476	int rv = -1;
		477	int i;
469		478
470	SSL_CTX_set_verify(ssl_ctx, verify, NULL);	479	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
471	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);	480	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
@@ -499,10 +508,41 @@ tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify)
499	goto err;	508	goto err;
500	}	509	}
501		510
		511	if (crl_mem != NULL) {
		512	if (crl_len > INT_MAX) {
		513	tls_set_errorx(ctx, "crl too long");
		514	goto err;
		515	}
		516	if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
		517	tls_set_errorx(ctx, "failed to create buffer");
		518	goto err;
		519	}
		520	if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
		521	NULL)) == NULL) {
		522	tls_set_errorx(ctx, "failed to parse crl");
		523	goto err;
		524	}
		525	store = SSL_CTX_get_cert_store(ssl_ctx);
		526	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		527	xi = sk_X509_INFO_value(xis, i);
		528	if (xi->crl == NULL)
		529	continue;
		530	if (!X509_STORE_add_crl(store, xi->crl)) {
		531	tls_set_error(ctx, "failed to add crl");
		532	goto err;
		533	}
		534	xi->crl = NULL;
		535	}
		536	X509_VERIFY_PARAM_set_flags(store->param,
		537	X509_V_FLAG_CRL_CHECK \| X509_V_FLAG_CRL_CHECK_ALL);
		538	}
		539
502	done:	540	done:
503	rv = 0;	541	rv = 0;
504		542
505	err:	543	err:
		544	sk_X509_INFO_pop_free(xis, X509_INFO_free);
		545	BIO_free(bio);
506	free(ca_free);	546	free(ca_free);
507		547
508	return (rv);	548	return (rv);