Revert "tls-crl: refactored code for automatic certificate revocation…

… list"

This reverts commit 6ad344f.

core/src/console/console_conf.cc

@@ -188,6 +188,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_cons.tls_cert.CaCertdir) {
          delete res->res_cons.tls_cert.CaCertdir;
       }
+      if (res->res_cons.tls_cert.crlfile) {
+         delete res->res_cons.tls_cert.crlfile;
+      }
       if (res->res_cons.tls_cert.certfile) {
          delete res->res_cons.tls_cert.certfile;
       }
@@ -224,6 +227,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_dir.tls_cert.CaCertdir) {
          delete res->res_dir.tls_cert.CaCertdir;
       }
+      if (res->res_dir.tls_cert.crlfile) {
+         delete res->res_dir.tls_cert.crlfile;
+      }
       if (res->res_dir.tls_cert.certfile) {
          delete res->res_dir.tls_cert.certfile;
       }

core/src/dird/dird_conf.cc

@@ -2566,6 +2566,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_dir.tls_cert.CaCertdir) {
          delete res->res_dir.tls_cert.CaCertdir;
       }
+      if (res->res_dir.tls_cert.crlfile) {
+         delete res->res_dir.tls_cert.crlfile;
+      }
       if (res->res_dir.tls_cert.certfile) {
          delete res->res_dir.tls_cert.certfile;
       }
@@ -2622,6 +2625,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_con.tls_cert.CaCertdir) {
          delete res->res_con.tls_cert.CaCertdir;
       }
+      if (res->res_con.tls_cert.crlfile) {
+         delete res->res_con.tls_cert.crlfile;
+      }
       if (res->res_con.tls_cert.certfile) {
          delete res->res_con.tls_cert.certfile;
       }
@@ -2670,6 +2676,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_client.tls_cert.CaCertdir) {
          delete res->res_client.tls_cert.CaCertdir;
       }
+      if (res->res_client.tls_cert.crlfile) {
+         delete res->res_client.tls_cert.crlfile;
+      }
       if (res->res_client.tls_cert.certfile) {
          delete res->res_client.tls_cert.certfile;
       }
@@ -2745,6 +2754,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_store.tls_cert.CaCertdir) {
          delete res->res_store.tls_cert.CaCertdir;
       }
+      if (res->res_store.tls_cert.crlfile) {
+         delete res->res_store.tls_cert.crlfile;
+      }
       if (res->res_store.tls_cert.certfile) {
          delete res->res_store.tls_cert.certfile;
       }

core/src/filed/filed_conf.cc

@@ -261,6 +261,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_dir.tls_cert.CaCertdir) {
          delete res->res_dir.tls_cert.CaCertdir;
       }
+      if (res->res_dir.tls_cert.crlfile) {
+         delete res->res_dir.tls_cert.crlfile;
+      }
       if (res->res_dir.tls_cert.certfile) {
          delete res->res_dir.tls_cert.certfile;
       }
@@ -359,6 +362,9 @@ void FreeResource(CommonResourceHeader *sres, int type)
       if (res->res_client.tls_cert.CaCertdir) {
          delete res->res_client.tls_cert.CaCertdir;
       }
+      if (res->res_client.tls_cert.crlfile) {
+         delete res->res_client.tls_cert.crlfile;
+      }
       if (res->res_client.tls_cert.certfile) {
          delete res->res_client.tls_cert.certfile;
       }

core/src/lib/parse_conf.h

@@ -111,6 +111,8 @@ struct s_password {
          "Path of a PEM encoded TLS CA certificate(s) file." }, \
    { "TlsCaCertificateDir", CFG_TYPE_STDSTRDIR, ITEM(res.tls_cert.CaCertdir), 0, 0, NULL, NULL, \
          "Path of a TLS CA certificate directory." }, \
+   { "TlsCertificateRevocationList", CFG_TYPE_STDSTRDIR, ITEM(res.tls_cert.crlfile), 0, 0, NULL, NULL, \
+         "Path of a Certificate Revocation List file." }, \
    { "TlsCertificate", CFG_TYPE_STDSTRDIR, ITEM(res.tls_cert.certfile), 0, 0, NULL, NULL, \
          "Path of a PEM encoded TLS certificate." }, \
    { "TlsKey", CFG_TYPE_STDSTRDIR, ITEM(res.tls_cert.keyfile), 0, 0, NULL, NULL, \

core/src/lib/tls_conf_cert.cc

@@ -34,10 +34,12 @@ uint32_t TlsConfigCert::GetPolicy() const
    return result << TlsConfigCert::policy_offset;
 }
 
+
 std::shared_ptr<TLS_CONTEXT> TlsConfigCert::CreateClientContext() const
 {
    return new_tls_context((!CaCertfile || CaCertfile->empty()) ? nullptr : CaCertfile->c_str(),
                           (!CaCertdir || CaCertdir->empty()) ? nullptr : CaCertdir->c_str(),
+                          (!crlfile || crlfile->empty()) ? nullptr : crlfile->c_str(),
                           (!certfile || certfile->empty()) ? nullptr : certfile->c_str(),
                           (!keyfile || keyfile->empty()) ? nullptr : keyfile->c_str(),
                           TlsPemCallback,
@@ -51,6 +53,7 @@ std::shared_ptr<TLS_CONTEXT> TlsConfigCert::CreateServerContext() const
 {
    return new_tls_context((!CaCertfile || CaCertfile->empty()) ? nullptr : CaCertfile->c_str(),
                           (!CaCertdir || CaCertdir->empty()) ? nullptr : CaCertdir->c_str(),
+                          (!crlfile || crlfile->empty()) ? nullptr : crlfile->c_str(),
                           (!certfile || certfile->empty()) ? nullptr : certfile->c_str(),
                           (!keyfile || keyfile->empty()) ? nullptr : keyfile->c_str(),
                           TlsPemCallback,

core/src/lib/tls_conf_cert.h

@@ -28,6 +28,7 @@ class DLL_IMP_EXP TlsConfigCert : public TlsConfigBase {
    bool VerifyPeer;           /* TLS Verify Peer Certificate */
    std::string *CaCertfile;   /* TLS CA Certificate File */
    std::string *CaCertdir;    /* TLS CA Certificate Directory */
+   std::string *crlfile;      /* TLS CA Certificate Revocation List File */
    std::string *certfile;     /* TLS Client Certificate File */
    std::string *keyfile;      /* TLS Client Key File */
    std::string *cipherlist;   /* TLS Cipher List */
@@ -38,7 +39,7 @@ class DLL_IMP_EXP TlsConfigCert : public TlsConfigBase {
 
    TlsConfigCert()
       : TlsConfigBase(), authenticate(false), VerifyPeer(0),
-        CaCertfile(nullptr), CaCertdir(nullptr), certfile(nullptr),
+        CaCertfile(nullptr), CaCertdir(nullptr), crlfile(nullptr), certfile(nullptr),
         keyfile(nullptr), cipherlist(nullptr), dhfile(nullptr), AllowedCns(nullptr),
         pem_message(nullptr) {}
    ~TlsConfigCert();

core/src/lib/tls_gnutls.cc

@@ -102,6 +102,7 @@ TLS_CONTEXT *new_tls_context(const char *cipherlist, CRYPTO_TLS_PSK_CB) {}
  */
 TLS_CONTEXT *new_tls_context(const char *CaCertfile,
                              const char *CaCertdir,
+                             const char *crlfile,
                              const char *certfile,
                              const char *keyfile,
                              CRYPTO_PEM_PASSWD_CB *pem_callback,
@@ -166,6 +167,26 @@ TLS_CONTEXT *new_tls_context(const char *CaCertfile,
       goto bail_out;
    }
 
+   /*
+    * Try to load the revocation list file, first in PEM format and if that fails in DER format.
+    */
+   if (crlfile) {
+      error = gnutls_certificate_set_x509_crl_file(ctx->gnutls_cred,
+                                                   crlfile,
+                                                   GNUTLS_X509_FMT_PEM);
+      if (error < GNUTLS_E_SUCCESS) {
+         error = gnutls_certificate_set_x509_crl_file(ctx->gnutls_cred,
+                                                      crlfile,
+                                                      GNUTLS_X509_FMT_DER);
+         if (error < GNUTLS_E_SUCCESS) {
+            Jmsg1(NULL, M_ERROR, 0,
+                  _("Error loading certificate revocation list from %s\n"),
+                  crlfile);
+            goto bail_out;
+         }
+      }
+   }
+
    /*
     * Try to load the certificate and the keyfile, first in PEM format and if that fails in DER format.
     */