session UPDATE obtain CRLs from cert ext only
Removed the option to obtain CRLs from a file or URL.
The following client-side APIs were deprecated:
- nc_client_tls_set_crl_paths
- nc_client_tls_get_crl_paths
- nc_client_tls_ch_set_crl_paths
- nc_client_tls_ch_get_crl_paths
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index 4ac3736..9dc4db0 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -713,180 +713,6 @@
return 0;
}
-static size_t
-nc_server_tls_curl_cb(char *ptr, size_t size, size_t nmemb, void *userdata)
-{
- struct nc_curl_data *data;
-
- size = nmemb;
-
- data = (struct nc_curl_data *)userdata;
-
- data->data = nc_realloc(data->data, data->size + size);
- NC_CHECK_ERRMEM_RET(!data->data, 0);
-
- memcpy(&data->data[data->size], ptr, size);
- data->size += size;
-
- return size;
-}
-
-static int
-nc_server_tls_curl_fetch(CURL *handle, const char *url)
-{
- char err_buf[CURL_ERROR_SIZE];
-
- /* set uri */
- if (curl_easy_setopt(handle, CURLOPT_URL, url)) {
- ERR(NULL, "Setting URI \"%s\" to download CRL from failed.", url);
- return 1;
- }
-
- /* set err buf */
- if (curl_easy_setopt(handle, CURLOPT_ERRORBUFFER, err_buf)) {
- ERR(NULL, "Setting CURL error buffer option failed.");
- return 1;
- }
-
- /* download */
- if (curl_easy_perform(handle)) {
- ERR(NULL, "Downloading CRL from \"%s\" failed (%s).", url, err_buf);
- return 1;
- }
-
- return 0;
-}
-
-static int
-nc_server_tls_curl_init(CURL **handle, struct nc_curl_data *data)
-{
- NC_CHECK_ARG_RET(NULL, handle, data, -1);
-
- *handle = NULL;
-
- *handle = curl_easy_init();
- if (!*handle) {
- ERR(NULL, "Initializing CURL failed.");
- return 1;
- }
-
- if (curl_easy_setopt(*handle, CURLOPT_WRITEFUNCTION, nc_server_tls_curl_cb)) {
- ERR(NULL, "Setting curl callback failed.");
- return 1;
- }
-
- if (curl_easy_setopt(*handle, CURLOPT_WRITEDATA, data)) {
- ERR(NULL, "Setting curl callback data failed.");
- return 1;
- }
-
- return 0;
-}
-
-static int
-nc_server_tls_crl_path(const char *path, void *crl_store)
-{
- return nc_tls_import_crl_path_wrap(path, crl_store);
-}
-
-static int
-nc_server_tls_crl_url(const char *url, void *crl_store)
-{
- int ret = 0;
- CURL *handle = NULL;
- struct nc_curl_data downloaded = {0};
-
- /* init curl */
- ret = nc_server_tls_curl_init(&handle, &downloaded);
- if (ret) {
- goto cleanup;
- }
-
- VRB(NULL, "Downloading CRL from \"%s\".", url);
-
- /* download the CRL */
- ret = nc_server_tls_curl_fetch(handle, url);
- if (ret) {
- goto cleanup;
- }
-
- /* convert the downloaded data to CRL and add it to the store */
- ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
- if (ret) {
- goto cleanup;
- }
-
-cleanup:
- curl_easy_cleanup(handle);
- return ret;
-}
-
-static int
-nc_server_tls_crl_cert_ext(void *cert_store, void *crl_store)
-{
- int ret = 0;
- CURL *handle = NULL;
- struct nc_curl_data downloaded = {0};
- char **uris = NULL;
- int uri_count = 0, i;
-
- /* init curl */
- ret = nc_server_tls_curl_init(&handle, &downloaded);
- if (ret) {
- goto cleanup;
- }
-
- /* get all the uris we can, even though some may point to the same CRL */
- ret = nc_server_tls_get_crl_distpoint_uris_wrap(cert_store, &uris, &uri_count);
- if (ret) {
- goto cleanup;
- }
-
- for (i = 0; i < uri_count; i++) {
- VRB(NULL, "Downloading CRL from \"%s\".", uris[i]);
- ret = nc_server_tls_curl_fetch(handle, uris[i]);
- if (ret) {
- /* failed to download the CRL from this entry, try the next entry */
- WRN(NULL, "Failed to fetch CRL from \"%s\".", uris[i]);
- continue;
- }
-
- /* convert the downloaded data to CRL and add it to the store */
- ret = nc_server_tls_add_crl_to_store_wrap(downloaded.data, downloaded.size, crl_store);
- if (ret) {
- goto cleanup;
- }
- }
-
-cleanup:
- for (i = 0; i < uri_count; i++) {
- free(uris[i]);
- }
- free(uris);
- curl_easy_cleanup(handle);
- return ret;
-}
-
-int
-nc_server_tls_load_crl(struct nc_server_tls_opts *opts, void *cert_store, void *crl_store)
-{
- if (opts->crl_path) {
- if (nc_server_tls_crl_path(opts->crl_path, crl_store)) {
- return 1;
- }
- } else if (opts->crl_url) {
- if (nc_server_tls_crl_url(opts->crl_url, crl_store)) {
- return 1;
- }
- } else {
- if (nc_server_tls_crl_cert_ext(cert_store, crl_store)) {
- return 1;
- }
- }
-
- return 0;
-}
-
int
nc_server_tls_load_trusted_certs(struct nc_cert_grouping *ca_certs, void *cert_store)
{
@@ -998,18 +824,9 @@
}
}
- if (opts->crl_path || opts->crl_url || opts->crl_cert_ext) {
- /* opaque CRL store */
- crl_store = nc_tls_crl_store_new_wrap();
- if (!crl_store) {
- goto fail;
- }
-
- /* load CRLs into one of the stores */
- if (nc_server_tls_load_crl(opts, cert_store, crl_store)) {
- ERR(session, "Loading server CRL failed.");
- goto fail;
- }
+ if (nc_session_tls_crl_from_cert_ext_fetch(srv_cert, cert_store, &crl_store)) {
+ ERR(session, "Loading server CRL failed.");
+ goto fail;
}
/* set supported TLS versions */