tls crl patch from fippo

2011-05-24 16:29:39 +02:00 · 2011-05-24 16:29:39 +02:00 · 417f1703c6
parent f90051b4d6
commit 417f1703c6
1 changed files with 70 additions and 0 deletions
--- a/src/pkg-tls.c
+++ b/src/pkg-tls.c
@ -411,6 +411,76 @@ tls_global_init (void)
        goto ssl_init_err;
    }

+    if (tls_crlfile != NULL || tls_crldirectory != NULL)
+    {
+	X509_STORE *store = X509_STORE_new();
+	if (store != NULL)
+        {
+	    if (tls_crlfile != NULL)
+            {
+		X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+		if (lookup != NULL) 
+		    X509_LOOKUP_load_file(lookup, tls_crlfile, X509_FILETYPE_PEM);
+	    }
+	    if (tls_crldirectory != NULL)
+            {
+		X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+		if (lookup != NULL) 
+		    X509_LOOKUP_add_dir(lookup, tls_crldirectory, X509_FILETYPE_PEM);
+	    }
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+	    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+	    SSL_CTX_set_cert_store(context, store);
+	    if (tls_crlfile != NULL && tls_crldirectory != NULL)
+            {
+		printf("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
+		       , time_stamp(), tls_crlfile, tls_crldirectory);
+		debug_message("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
+		       , time_stamp(), tls_crlfile, tls_crldirectory);
+	    }
+            else if (tls_crlfile != NULL)
+            {
+		printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+		       , time_stamp(), tls_crlfile);
+		debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+		       , time_stamp(), tls_crlfile);
+	    }
+            else if (tls_crldirectory != NULL)
+            {
+		printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+		       , time_stamp(), tls_crldirectory);
+		debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+		       , time_stamp(), tls_crldirectory);
+	    }
+            else
+            {
+		printf("%s TLS: (OpenSSL) CRL checking disabled.\n"
+		       , time_stamp());
+		debug_message("%s TLS: (OpenSSL) CRL checking disabled.\n"
+		       , time_stamp());
+	    }
+#else
+	    printf("%s TLS: Warning: Your OpenSSL version does not support "
+		   "Certificate revocation list checking\n"
+		  , time_stamp());
+	    debug_message("%s TLS: Warning: Your OpenSSL version does not "
+			  "support Certificate revocation list checking\n"
+		  , time_stamp());
+#endif
+	}
+        else
+        {
+	    printf("%s TLS: Warning: There was a problem getting the "
+		   "storage context from OpenSSL. Certificate revocation "
+		   "list checking is not enabled.\n"
+		  , time_stamp());
+	    debug_message("%s TLS: Warning: There was a problem getting the "
+			  "storage context from OpenSSL. Certificate revocation "
+			  "list checking is not enabled.\n"
+		  , time_stamp());
+	}
+    }
+
    if (!SSL_CTX_load_verify_locations(context, trustfile, trustdirectory))
    {
 #ifdef VERBOSE