Merge branch 'radsecproxy-50-sighup'

(RADSECPROXY-78)

ChangeLog

@@ -6,6 +6,7 @@ Changes between 1.6.8 and the master branch
 
 	Enhancements:
 	- Support the use of OpenSSL version 1.1 series (RADSECPROXY-66).
+	- Reload TLS certificate CRLs on SIGHUP
 
 	Misc:
 	- libnettle is now an unconditional dependency.

radsecproxy.c

@@ -3257,6 +3257,9 @@ void *sighandler(void *arg) {
         case SIGHUP:
             debug(DBG_INFO, "sighandler: got SIGHUP");
 	    debug_reopen_log();
+#if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
+	    tlsreloadcrls();
+#endif
             break;
         case SIGPIPE:
             debug(DBG_WARN, "sighandler: got SIGPIPE, TLS write error?");

tlscommon.c

@@ -335,6 +335,32 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
     return NULL;
 }
 
+void tlsreloadcrls() {
+    struct tls *conf;
+    struct hash_entry *entry;
+    struct timeval now;
+
+    gettimeofday(&now, NULL);
+
+    for (entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) {
+	conf = (struct tls *)entry->data;
+#ifdef RADPROT_TLS
+	if (conf->tlsctx) {
+	    if (conf->tlsexpiry)
+		conf->tlsexpiry = now.tv_sec + conf->cacheexpiry;
+	    tlsaddcacrl(conf->tlsctx, conf);
+	}
+#endif
+#ifdef RADPROT_DTLS
+	if (conf->dtlsctx) {
+	    if (conf->dtlsexpiry)
+		conf->dtlsexpiry = now.tv_sec + conf->cacheexpiry;
+	    tlsaddcacrl(conf->dtlsctx, conf);
+	}
+#endif
+    }
+}
+
 X509 *verifytlscert(SSL *ssl) {
     X509 *cert;
     unsigned long error;

tlscommon.h

@@ -33,6 +33,7 @@ X509 *verifytlscert(SSL *ssl);
 int verifyconfcert(X509 *cert, struct clsrvconf *conf);
 int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val);
 int addmatchcertattr(struct clsrvconf *conf);
+void tlsreloadcrls();
 #endif
 
 /* Local Variables: */