From d00319faf46e652827177c0a052861279b5e11fc Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Wed, 2 Apr 2014 12:05:18 +0200 Subject: [PATCH] Updates in CRL handling. Ensure reload on SIGHUP, and do print an appropriate error when an empty CRL file is encountered. --- src/main.c | 1 + src/ocserv-args.def | 8 ++++++++ src/tlslib.c | 35 ++++++++++++++++++++++++----------- src/tlslib.h | 1 + 4 files changed, 34 insertions(+), 11 deletions(-) diff --git a/src/main.c b/src/main.c index 0e651fa1..af6a4dc4 100644 --- a/src/main.c +++ b/src/main.c @@ -715,6 +715,7 @@ unsigned total = 10; if (reload_conf != 0) { mslog(s, NULL, LOG_INFO, "reloading configuration"); reload_cfg_file(s->config); + tls_reload_crl(s); reload_conf = 0; } diff --git a/src/ocserv-args.def b/src/ocserv-args.def index 28b43461..3ca0f9f6 100644 --- a/src/ocserv-args.def +++ b/src/ocserv-args.def @@ -172,6 +172,7 @@ server-key = /path/to/key.pem #cert-group-oid = 2.5.4.11 # The revocation list of the certificates issued by the 'ca-cert' above. +# See the manual to generate an empty CRL initially. #crl = /path/to/crl.pem # GnuTLS priority string @@ -550,6 +551,13 @@ $ certtool --generate-crl --load-ca-privkey ca-key.pem \ After that you may want to notify ocserv of the new CRL by using the HUP signal. +When there are no revoked certificates an empty revocation list +should be generated as follows. +@example +$ certtool --generate-crl --load-ca-privkey ca-key.pem \ + --load-ca-certificate ca.pem \ + --outfile crl.pem +@end example _EOT_; }; diff --git a/src/tlslib.c b/src/tlslib.c index ab57c267..3df72a29 100644 --- a/src/tlslib.c +++ b/src/tlslib.c 
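Review bot: tls_reload_crl() terminates the process with exit(1) on any load failure, so placing this call in the SIGHUP reload path means a CRL file that is missing, empty, or being rewritten at the moment of the signal takes the whole server down instead of leaving the previously loaded CRL in place. A fatal error is reasonable at startup, but on reload the failure should be logged and the existing CRL kept; I would have tls_reload_crl() report the error and call it here as `if (tls_reload_crl(s) < 0) mslog(s, NULL, LOG_ERR, "CRL reload failed; keeping the previously loaded CRL");`. The credentials are only updated in this process, so whether already-running workers see the new CRL depends on how they inherit s->creds, which is not visible here. The loop that contains this reload block starts and ends outside the hunk.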
@@ -599,17 +599,7 @@ unsigned len; mslog(s, NULL, LOG_INFO, "processed %d CA certificate(s)", ret); } - if (s->config->crl != NULL) { - ret = - gnutls_certificate_set_x509_crl_file(s->creds.xcred, - s->config->crl, - GNUTLS_X509_FMT_PEM); - if (ret < 0) { - mslog(s, NULL, LOG_ERR, "error setting the CRL (%s) file", - s->config->crl); - exit(1); - } - } + tls_reload_crl(s); gnutls_certificate_set_verify_function(s->creds.xcred, verify_certificate_cb); @@ -645,6 +635,29 @@ unsigned len; return; } +void tls_reload_crl(main_server_st* s) +{ +int ret; + + if (s->config->cert_req != GNUTLS_CERT_IGNORE && s->config->crl != NULL) { + ret = + gnutls_certificate_set_x509_crl_file(s->creds.xcred, + s->config->crl, + GNUTLS_X509_FMT_PEM); + if (ret < 0) { + /* ignore the CRL file when empty */ + if (ret == GNUTLS_E_BASE64_DECODING_ERROR) { + mslog(s, NULL, LOG_ERR, "empty or unreadable CRL file (%s); check documentation to generate an empty CRL", + s->config->crl); + } else { + mslog(s, NULL, LOG_ERR, "error reading the CRL (%s) file: %s", + s->config->crl, gnutls_strerror(ret)); + } + exit(1); + } + } +} + void tls_cork(gnutls_session_t session) { gnutls_record_cork(session); diff --git a/src/tlslib.h b/src/tlslib.h index 4ef460d4..f013ae13 100644 --- a/src/tlslib.h +++ b/src/tlslib.h @@ -41,6 +41,7 @@ ssize_t tls_send_nowait(gnutls_session_t session, const void *data, void tls_cork(gnutls_session_t session); int tls_uncork(gnutls_session_t session); +void tls_reload_crl(struct main_server_st* s); void tls_global_init(struct main_server_st* s); void tls_global_deinit(struct main_server_st* s); void tls_global_init_certs(struct main_server_st* s);
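Review bot: With the inline loader replaced by tls_reload_crl(), a configured `crl=` is now silently skipped whenever cert_req is GNUTLS_CERT_IGNORE, whereas the removed code always loaded and validated it; an operator who configures a CRL but leaves client-certificate authentication off gets no indication that the file is never read. A log line on that skip path, e.g. `mslog(s, NULL, LOG_INFO, "CRL (%s) not loaded: client certificates are not requested", s->config->crl);`, would make this visible at startup. The enclosing initialisation function starts and ends outside this hunk.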
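Review bot: exit(1) inside tls_reload_crl() is fine for the initial load but not for the SIGHUP path this commit adds, where a transient problem with the CRL file (empty, half-written, missing) now kills a running server instead of keeping the CRL already loaded; I would return an int and let the caller decide (exit at startup, log and keep the old CRL on reload), as sketched below, with the init call becoming `if (tls_reload_crl(s) < 0) exit(1);`. GNUTLS_E_BASE64_DECODING_ERROR is what an empty or non-PEM file produces, while a file that cannot be read reaches the else branch with its own gnutls_strerror() text, so the first message reads more accurately as `"empty or malformed CRL file (%s); check documentation to generate an empty CRL"`. As far as I recall, gnutls_certificate_set_x509_crl_file() appends to the credentials' CRL list rather than replacing it, so each reload adds another copy and a serial removed from the CRL stays revoked until restart; worth confirming against the GnuTLS version in use.
```c
/* Load (or re-load on SIGHUP) the CRL named by s->config->crl into
 * s->creds.xcred. Does nothing when client certificates are not
 * requested or no CRL is configured. Returns 0 on success or when
 * there is nothing to load, -1 on failure; the caller decides whether
 * the failure is fatal (it should be at startup, not on reload). */
int tls_reload_crl(main_server_st* s)
{
int ret;

	if (s->config->cert_req == GNUTLS_CERT_IGNORE || s->config->crl == NULL)
		return 0;

	ret = gnutls_certificate_set_x509_crl_file(s->creds.xcred,
						   s->config->crl,
						   GNUTLS_X509_FMT_PEM);
	if (ret >= 0)
		return 0;

	/* … unchanged: the two mslog() error branches … */
	return -1;
}
```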