From 417f1703c61fc533b394a000480f0e2528826be2 Mon Sep 17 00:00:00 2001
From: "psyc://psyced.org/~lynX" <@>
Date: Tue, 24 May 2011 16:29:39 +0200
Subject: [PATCH] tls crl patch from fippo
---
 src/pkg-tls.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
diff --git a/src/pkg-tls.c b/src/pkg-tls.c
index 40b741c..94a3761 100644
--- a/src/pkg-tls.c
+++ b/src/pkg-tls.c
@@ -411,6 +411,76 @@ tls_global_init (void)
 goto ssl_init_err;
 }
+ if (tls_crlfile != NULL || tls_crldirectory != NULL)
+ {
+ X509_STORE *store = X509_STORE_new();
+ if (store != NULL)
+ {
+ if (tls_crlfile != NULL)
+ {
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+ if (lookup != NULL)
+ X509_LOOKUP_load_file(lookup, tls_crlfile, X509_FILETYPE_PEM);
+ }
+ if (tls_crldirectory != NULL)
+ {
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+ if (lookup != NULL)
+ X509_LOOKUP_add_dir(lookup, tls_crldirectory, X509_FILETYPE_PEM);
+ }
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ SSL_CTX_set_cert_store(context, store);
+ if (tls_crlfile != NULL && tls_crldirectory != NULL)
+ {
+ printf("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
+ , time_stamp(), tls_crlfile, tls_crldirectory);
+ debug_message("%s TLS: (OpenSSL) CRLs from '%s' and '%s'.\n"
+ , time_stamp(), tls_crlfile, tls_crldirectory);
+ }
+ else if (tls_crlfile != NULL)
+ {
+ printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+ , time_stamp(), tls_crlfile);
+ debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+ , time_stamp(), tls_crlfile);
+ }
+ else if (tls_crldirectory != NULL)
+ {
+ printf("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+ , time_stamp(), tls_crldirectory);
+ debug_message("%s TLS: (OpenSSL) CRLs from '%s'.\n"
+ , time_stamp(), tls_crldirectory);
+ }
+ else
+ {
+ printf("%s TLS: (OpenSSL) CRL checking disabled.\n"
+ , time_stamp());
+ debug_message("%s TLS: (OpenSSL) CRL checking disabled.\n"
+ , time_stamp());
+ }
+#else
+ printf("%s TLS: Warning: Your OpenSSL version does not support "
+ "Certificate revocation list checking\n"
+ , time_stamp());
+ debug_message("%s TLS: Warning: Your OpenSSL version does not "
+ "support Certificate revocation list checking\n"
+ , time_stamp());
+#endif
+ }
+ else
+ {
+ printf("%s TLS: Warning: There was a problem getting the "
+ "storage context from OpenSSL. Certificate revocation "
+ "list checking is not enabled.\n"
+ , time_stamp());
+ debug_message("%s TLS: Warning: There was a problem getting the "
+ "storage context from OpenSSL. Certificate revocation "
+ "list checking is not enabled.\n"
+ , time_stamp());
+ }
+ }
+
 if (!SSL_CTX_load_verify_locations(context, trustfile, trustdirectory))
 {
 #ifdef VERBOSE