From 40916534e3bc6be103b1cf19f2f976ccbed2b4ed Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 6 Jul 2017 17:12:22 +0000
Subject: Add support for providing CRLs to libtls - once a CRL is provided we enable CRL checking for the full certificate chain. Based on a diff from Jack Burton , thanks! Discussed with beck@
---
 src/lib/libtls/tls_config.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'src/lib/libtls/tls_config.c')
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 8f0bd70508..fe049d1e4e 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.40 2017/05/06 20:59:28 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.41 2017/07/06 17:12:22 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -268,6 +268,7 @@ tls_config_free(struct tls_config *config)
 	free((char *)config->ca_mem);
 	free((char *)config->ca_path);
 	free((char *)config->ciphers);
+	free((char *)config->crl_mem);
 	free(config);
 }
 
@@ -299,6 +300,7 @@ tls_config_clear_keys(struct tls_config *config)
 	tls_keypair_clear(kp);
 
 	tls_config_set_ca_mem(config, NULL, 0);
+	tls_config_set_crl_mem(config, NULL, 0);
 }
 
 int
@@ -578,6 +580,20 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
 	return -1;
 }
 
+int
+tls_config_set_crl_file(struct tls_config *config, const char *crl_file)
+{
+	return tls_config_load_file(&config->error, "CRL", crl_file,
+	    &config->crl_mem, &config->crl_len);
+}
+
+int
+tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl,
+    size_t len)
+{
+	return set_mem(&config->crl_mem, &config->crl_len, crl, len);
+}
+
 int
 tls_config_set_dheparams(struct tls_config *config, const char *params)
 {
-- 
cgit v1.2.3-55-g6feb
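Review bot: tls_config_clear_keys now also drops the CRL via the added `tls_config_set_crl_mem(config, NULL, 0);`, mirroring the existing tls_config_set_ca_mem call, but that widens the function's contract beyond what its name suggests and the manual page (not in this diff) should say so. A caller that clears key material after tls_configure() and later reuses the config would otherwise not expect CRL checking to disappear along with the keys. A one-line comment above the two calls, `/* CA and CRL material are cleared together with the keys. */`, would make the intent visible in the code as well.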
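Review bot: tls_config_set_crl_file and tls_config_set_crl_mem only store the raw bytes through tls_config_load_file and set_mem; nothing in this hunk parses the CRL, so a malformed CRL is accepted here and presumably only rejected later when the config is applied to a context, outside this file. The documentation for the new entry points should state that a zero return means the data was read and stored, not that the CRL was validated, so callers do not treat success here as proof that revocation checking will be in effect. The crl_mem/crl_len fields of struct tls_config and the tls.h prototypes are not in this diff (it is limited to tls_config.c), so I assume they land in the same commit. A brief header comment such as `/* Store CRL bytes; they are validated when the config is applied. */` above tls_config_set_crl_mem would help readers.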