Add CRL (revocation list) checking option to client cert check

Revocation list can be appended to end of pure-ftpd.pem file.

Fixes a bug that revoked client cert can still login.

src/ftpd.c

@@ -5745,6 +5745,9 @@ int pureftpd_start(int argc, char *argv[], const char *home_directory_)
             while (*optarg == '-') {
                 if (strncmp(optarg, "-S:", sizeof "-S:" - (size_t) 1U) == 0) {
                     optarg += sizeof "-S:" - (size_t) 1U;
+                } else if (strncmp(optarg, "-R:", sizeof "-R:" - (size_t) 1U) == 0) {
+                    optarg += sizeof "-R:" - (size_t) 1U;
+                    ssl_verify_client_cert_revocation_list = 1;
                 } else if (strncmp(optarg, "-C:", sizeof "-C:" - (size_t) 1U) == 0) {
                     optarg += sizeof "-C:" - (size_t) 1U;
                     ssl_verify_client_cert = 1;

src/globals.h

@@ -176,6 +176,7 @@ GLOBAL0(int data_protection_level);
 GLOBAL(const char *tlsciphersuite, TLS_DEFAULT_CIPHER_SUITE);
 GLOBAL0(signed char ssl_disabled);
 GLOBAL0(signed char ssl_verify_client_cert);
+GLOBAL0(signed char ssl_verify_client_cert_revocation_list);
 GLOBAL(const char *cert_file, TLS_CERTIFICATE_FILE);
 GLOBAL(const char *key_file, TLS_KEY_FILE);
 GLOBAL0(signed char use_extcert);

src/tls.c

@@ -362,6 +362,14 @@ static void tls_init_client_cert_verification(const char *cert_file)
     if (cert_file == NULL) {
         tls_error(__LINE__, 0);
     }
+
+    if (ssl_verify_client_cert_revocation_list) {
+        X509_VERIFY_PARAM *param = X509_VERIFY_PARAM_new();
+        X509_VERIFY_PARAM_set_flags( param, X509_V_FLAG_CRL_CHECK );
+        SSL_CTX_set1_param( tls_ctx, param );
+        X509_VERIFY_PARAM_free(param);
+    }
+
     SSL_CTX_set_verify(tls_ctx, SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
                        SSL_VERIFY_PEER, NULL);
     if (SSL_CTX_load_verify_locations(tls_ctx, cert_file, NULL) != 1) {