Hi,
attached is the diff adding support for CRL collections in a single file,
or for hashed CRL files in a directory.
This works with versions 4.43 up to 4.50 (I've tried it with them). Feel
free to apply the changes and check it out.
Greetings,
Lars
--- src/tls-openssl.c
+++ src/tls-openssl.c Wed Mar 9 11:54:53 2005
@@ -526,35 +526,41 @@
#if OPENSSL_VERSION_NUMBER > 0x00907000L
- if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
- if (expcrl != NULL && *expcrl != 0)
- {
- BIO *crl_bio;
- X509_CRL *crl_x509;
- X509_STORE *cvstore;
-
- cvstore = SSL_CTX_get_cert_store(ctx); /* cert validation store */
+ /* up from here I changed the code to add support for multiple crl's
+ * in pem format in one file or to support hashed directory entries in
+ * pem format instead of a file. This method now uses the library function
+ * X509_STORE_load_locations to add the CRL location to the SSL context.
+ * OpenSSL will then handle the verify against CA certs and CRLs by
+ * itself in the verify callback. (changes by lmnk) */
- crl_bio = BIO_new(BIO_s_file_internal());
- if (crl_bio != NULL)
- {
- if (BIO_read_filename(crl_bio, expcrl))
- {
- crl_x509 = PEM_read_bio_X509_CRL(crl_bio, NULL, NULL, NULL);
- BIO_free(crl_bio);
- X509_STORE_add_crl(cvstore, crl_x509);
- X509_CRL_free(crl_x509);
- X509_STORE_set_flags(cvstore,
- X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
- }
- else
- {
- BIO_free(crl_bio);
- return tls_error(US"BIO_read_filename", host);
- }
- }
- else return tls_error(US"BIO_new", host);
- }
+ if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
+ if (expcrl != NULL && *expcrl != 0) {
+ struct stat statbufcrl;
+ if (Ustat(expcrl, &statbufcrl) < 0) {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failed to stat %s for certificates revocation lists", expcrl);
+ return DEFER;
+ }
+ else {
+ /* is it a file or directory? */
+ uschar *file, *dir;
+ X509_STORE *cvstore = SSL_CTX_get_cert_store(ctx); // cert validation store
+ if ((statbufcrl.st_mode & S_IFMT) == S_IFDIR) {
+ file = NULL; dir = expcrl;
+ DEBUG(D_tls) debug_printf("SSL CRL value is a directory %s\n",dir);
+ }
+ else {
+ file = expcrl; dir = NULL;
+ DEBUG(D_tls) debug_printf("SSL CRL value is a file %s\n",file);
+ }
+ if (X509_STORE_load_locations(cvstore,file,dir) == 0) {
+ return tls_error(US"X509_STORE_load_locations",host);
+ }
+ /* setting the flags to check against the complete crl chain */
+ X509_STORE_set_flags(cvstore,X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ }
+
+ }
#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
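Review bot: The call at `if (X509_STORE_load_locations(cvstore,file,dir) == 0) {` does not load only CRLs: as far as I can tell, the file and hashed-directory lookups it installs add any certificates they find to the verification store as well, so a certificate placed in the tls_crl file or directory would become a trust anchor for peer verification, which the replaced per-CRL PEM_read_bio_X509_CRL path could not do. That deserves a comment next to the call, e.g. `/* loads certificates as well as CRLs: tls_crl must contain only CRLs, any certificate found here is treated as trusted */`, and an operator-facing note in the tls_crl documentation. Two smaller points: the directory test can use the portable `S_ISDIR(statbufcrl.st_mode)` macro, and the `else` after `return DEFER;` is redundant. The explanatory comment at the top of the hunk ("up from here I changed the code ...", "changes by lmnk") reads as a changelog entry and belongs in the commit message; the in-code comment should only say that CRL loading is delegated to X509_STORE_load_locations and that OpenSSL then performs the CRL checks during verification. The enclosing function starts and ends outside this hunk.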