From 40916534e3bc6be103b1cf19f2f976ccbed2b4ed Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 6 Jul 2017 17:12:22 +0000
Subject: Add support for providing CRLs to libtls - once a CRL is provided we
 enable CRL checking for the full certificate chain.

Based on a diff from Jack Burton <jack at saosce dot com dot au>, thanks!

Discussed with beck@
---
 src/lib/libtls/tls.c | 42 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 41 insertions(+), 1 deletion(-)

(limited to 'src/lib/libtls/tls.c')

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index f64f6d7632..ed857272c4 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.67 2017/06/22 18:03:57 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -26,6 +26,8 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
+#include <openssl/safestack.h>
+#include <openssl/ssl.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
@@ -464,8 +466,15 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
 	size_t ca_len = ctx->config->ca_len;
 	char *ca_mem = ctx->config->ca_mem;
+	char *crl_mem = ctx->config->crl_mem;
+	size_t crl_len = ctx->config->crl_len;
 	char *ca_free = NULL;
+	STACK_OF(X509_INFO) *xis = NULL;
+	X509_STORE *store;
+	X509_INFO *xi;
+	BIO *bio = NULL;
 	int rv = -1;
+	int i;
 
 	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
 	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
@@ -499,10 +508,41 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 		goto err;
 	}
 
+	if (crl_mem != NULL) {
+		if (crl_len > INT_MAX) {
+			tls_set_errorx(ctx, "crl too long");
+			goto err;
+		}
+		if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
+			tls_set_errorx(ctx, "failed to create buffer");
+			goto err;
+		}
+		if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
+		    NULL)) == NULL) {
+			tls_set_errorx(ctx, "failed to parse crl");
+			goto err;
+		}
+		store = SSL_CTX_get_cert_store(ssl_ctx);
+		for (i = 0; i < sk_X509_INFO_num(xis); i++) {
+			xi = sk_X509_INFO_value(xis, i);
+			if (xi->crl == NULL)
+				continue;
+			if (!X509_STORE_add_crl(store, xi->crl)) {
+				tls_set_error(ctx, "failed to add crl");
+				goto err;
+			}
+			xi->crl = NULL;
+		}
+		X509_VERIFY_PARAM_set_flags(store->param,
+		    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+	}
+
  done:
 	rv = 0;
 
  err:
+	sk_X509_INFO_pop_free(xis, X509_INFO_free);
+	BIO_free(bio);
 	free(ca_free);
 
 	return (rv);
-- 
cgit v1.2.3-55-g6feb