@@ -6490,7 +6490,8 @@ X509_1_C=KG

 .\"*********************************************************

 .SH INLINE FILE SUPPORT

 OpenVPN allows including files in the main configuration for the

-.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret

+.B \-\-ca, \-\-cert, \-\-dh, \-\-extra\-certs, \-\-key, \-\-pkcs12, \-\-secret,

+.B \-\-crl-verify

 and

 .B \-\-tls\-auth

 options.

@@ -2323,6 +2323,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)

   to.verify_x509_type = (options->verify_x509_type & 0xff);

   to.verify_x509_name = options->verify_x509_name;

   to.crl_file = options->crl_file;

+  to.crl_file_inline = options->crl_file_inline;

   to.ssl_flags = options->ssl_flags;

   to.ns_cert_type = options->ns_cert_type;

   memmove (to.remote_cert_ku, options->remote_cert_ku, sizeof (to.remote_cert_ku));

@@ -2747,8 +2747,8 @@ options_postprocess_filechecks (struct options *options)

     errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK|X_OK,

                                "--crl-verify directory");

   else

-    errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE, options->crl_file, R_OK,

-                               "--crl-verify");

+    errs |= check_file_access_chroot (options->chroot_dir, CHKACC_FILE|CHKACC_INLINE,

+                                      options->crl_file, R_OK, "--crl-verify");

   errs |= check_file_access (CHKACC_FILE|CHKACC_INLINE, options->tls_auth_file, R_OK,

                              "--tls-auth");

@@ -6783,12 +6783,17 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_GENERAL);

       options->cipher_list = p[1];

     }

-  else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir")) || !p[2]) && !p[3])

+  else if (streq (p[0], "crl-verify") && p[1] && ((p[2] && streq(p[2], "dir"))

+		  || (p[2] && streq (p[1], INLINE_FILE_TAG) ) || !p[2]) && !p[3])

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

       if (p[2] && streq(p[2], "dir"))

 	options->ssl_flags |= SSLF_CRL_VERIFY_DIR;

       options->crl_file = p[1];

+      if (streq (p[1], INLINE_FILE_TAG) && p[2])

+	{

+	  options->crl_file_inline = p[2];

+	}

     }

   else if (streq (p[0], "tls-verify") && p[1])

     {

@@ -511,6 +511,7 @@ struct options

   const char *ca_file_inline;

   const char *cert_file_inline;

   const char *extra_certs_file_inline;

+  const char *crl_file_inline;

   char *priv_key_file_inline;

   const char *dh_file_inline;

   const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */

@@ -247,6 +247,7 @@ struct tls_options

   int verify_x509_type;

   const char *verify_x509_name;

   const char *crl_file;

+  const char *crl_file_inline;

   int ns_cert_type;

   unsigned remote_cert_ku[MAX_PARMS];

   const char *remote_cert_eku;

@@ -690,7 +690,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep

       }

       else

       {

-	if (SUCCESS != x509_verify_crl(opt->crl_file, cert, subject))

+	if (SUCCESS != x509_verify_crl(opt->crl_file, opt->crl_file_inline, cert, subject))

 	  goto cleanup;

       }

     }

@@ -248,13 +248,14 @@ result_t x509_write_pem(FILE *peercert_file, openvpn_x509_cert_t *peercert);

  *

  * @param crl_file	File name of the CRL file

  * @param cert		Certificate to verify

+ * @param crl_inline	Contents of the crl file if it is inlined

  * @param subject	Subject of the given certificate

  *

  * @return 		\c SUCCESS if the CRL was not signed by the issuer of the

  * 			certificate or does not contain an entry for it.

  * 			\c FAILURE otherwise.

  */

-result_t x509_verify_crl(const char *crl_file, openvpn_x509_cert_t *cert,

-    const char *subject);

+result_t x509_verify_crl(const char *crl_file, const char *crl_inline,

+                         openvpn_x509_cert_t *cert, const char *subject);

 #endif /* SSL_VERIFY_BACKEND_H_ */

@@ -613,7 +613,8 @@ x509_write_pem(FILE *peercert_file, X509 *peercert)

  * check peer cert against CRL

  */

 result_t

-x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)

+x509_verify_crl(const char *crl_file, const char* crl_inline,

+                X509 *peer_cert, const char *subject)

 {

   X509_CRL *crl=NULL;

   X509_REVOKED *revoked;

@@ -623,7 +624,10 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)

   struct gc_arena gc = gc_new();

   char *serial;

-  in = BIO_new_file (crl_file, "r");

+  if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)

+    in = BIO_new_mem_buf ((char *)crl_inline, -1);

+  else

+    in = BIO_new_file (crl_file, "r");

   if (in == NULL) {

     msg (M_WARN, "CRL: cannot read: %s", crl_file);

@@ -359,18 +359,30 @@ x509_write_pem(FILE *peercert_file, x509_crt *peercert)

  * check peer cert against CRL

  */

 result_t

-x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)

+x509_verify_crl(const char *crl_file, const char* crl_inline,

+                x509_crt *cert, const char *subject)

 {

   result_t retval = FAILURE;

   x509_crl crl = {0};

   struct gc_arena gc = gc_new();

   char *serial;

-  if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))

+  if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)

     {

-      msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);

-      goto end;

+      if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline))))

+        {

+           msg (M_WARN, "CRL: cannot parse inline CRL");

+           goto end;

+        }

     }

+  else

+    {

+      if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))

+      {

+          msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);

+          goto end;

+      }

+  }

   if(cert->issuer_raw.len != crl.issuer_raw.len ||

       memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0)