Commit 8bad57de authored by venaas's avatar venaas Committed by venaas

support for checking certificate policy oids

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@426 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent 5f17b764
...@@ -189,6 +189,16 @@ int popgconf(struct gconffile **cf) { ...@@ -189,6 +189,16 @@ int popgconf(struct gconffile **cf) {
return 1; return 1;
} }
void freegconfmstr(char **mstr) {
int i;
if (mstr) {
for (i = 0; mstr[i]; i++)
free(mstr[i]);
free(mstr);
}
}
void freegconf(struct gconffile **cf) { void freegconf(struct gconffile **cf) {
int i; int i;
...@@ -18,5 +18,6 @@ FILE *pushgconfpath(struct gconffile **cf, const char *path); ...@@ -18,5 +18,6 @@ FILE *pushgconfpath(struct gconffile **cf, const char *path);
FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description); FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description);
FILE *pushgconfpaths(struct gconffile **cf, const char *path); FILE *pushgconfpaths(struct gconffile **cf, const char *path);
int popgconf(struct gconffile **cf); int popgconf(struct gconffile **cf);
void freegconfmstr(char **mstr);
void freegconf(struct gconffile **cf); void freegconf(struct gconffile **cf);
struct gconffile *openconfigfile(const char *file); struct gconffile *openconfigfile(const char *file);
...@@ -2359,25 +2359,26 @@ void tlsinit() { ...@@ -2359,25 +2359,26 @@ void tlsinit() {
} }
} }
int setpolicyoids(X509_STORE *store, char **poids) { X509_VERIFY_PARAM *createverifyparams(char **poids) {
X509_VERIFY_PARAM *pm; X509_VERIFY_PARAM *pm;
ASN1_OBJECT *pobject; ASN1_OBJECT *pobject;
int i; int i;
pm = X509_VERIFY_PARAM_new(); pm = X509_VERIFY_PARAM_new();
if (!pm) if (!pm)
return 0; return NULL;
for (i = 0; poids[i]; i++) { for (i = 0; poids[i]; i++) {
pobject = OBJ_txt2obj(poids[i], 0); pobject = OBJ_txt2obj(poids[i], 0);
if (!pobject) if (!pobject) {
return 0; X509_VERIFY_PARAM_free(pm);
return NULL;
}
X509_VERIFY_PARAM_add0_policy(pm, pobject); X509_VERIFY_PARAM_add0_policy(pm, pobject);
} }
X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY); X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY);
X509_STORE_set1_param(store, pm); return pm;
return 1;
} }
int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
...@@ -2415,14 +2416,12 @@ int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { ...@@ -2415,14 +2416,12 @@ int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
if (conf->crlcheck || conf->policyoids) { if (conf->crlcheck || conf->vpm) {
x509_s = SSL_CTX_get_cert_store(ctx); x509_s = SSL_CTX_get_cert_store(ctx);
if (conf->crlcheck) if (conf->crlcheck)
X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
if (conf->policyoids && !setpolicyoids(x509_s, conf->policyoids)) { if (conf->vpm)
debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name); X509_STORE_set1_param(x509_s, conf->vpm);
return 0; /* should free memory */
}
} }
debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name); debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
...@@ -2470,7 +2469,22 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { ...@@ -2470,7 +2469,22 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
return NULL; return NULL;
} }
if (conf->policyoids) {
if (!conf->vpm) {
conf->vpm = createverifyparams(conf->policyoids);
if (!conf->vpm) {
debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name);
SSL_CTX_free(ctx);
return NULL;
}
}
}
if (!tlsaddcacrl(ctx, conf)) { if (!tlsaddcacrl(ctx, conf)) {
if (conf->vpm) {
X509_VERIFY_PARAM_free(conf->vpm);
conf->vpm = NULL;
}
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return NULL; return NULL;
} }
...@@ -3491,6 +3505,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v ...@@ -3491,6 +3505,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
free(conf->certfile); free(conf->certfile);
free(conf->certkeyfile); free(conf->certkeyfile);
free(conf->certkeypwd); free(conf->certkeypwd);
freegconfmstr(conf->policyoids);
free(conf); free(conf);
return 0; return 0;
} }
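Review bot: In the tlsaddcacrl hunk the return value of `X509_STORE_set1_param(x509_s, conf->vpm)` is discarded, so if installing the verify parameters fails the context is left without the policy check while the function still reports success; the replaced setpolicyoids path at least returned 0 here. I would keep the error path: `if (conf->vpm && !X509_STORE_set1_param(x509_s, conf->vpm)) { debug(DBG_ERR, "tlsaddcacrl: Failed to set policyOIDs in TLS context %s", conf->name); return 0; }`. The same pattern is in the createverifyparams hunk, where `X509_VERIFY_PARAM_add0_policy(pm, pobject)` is unchecked — on failure the OID is silently not added and pobject leaks, since the add0 call only takes ownership on success, so check it and free both pobject and pm before returning NULL. The DBG_ERR message in the tlscreatectx hunk is prefixed "tlsaddcacrl:" although it is emitted from tlscreatectx. Freeing conf->vpm on the tlsaddcacrl failure path looks safe for any context already set up, because X509_STORE_set1_param copies the parameters rather than keeping the pointer.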
...@@ -159,6 +159,7 @@ struct tls { ...@@ -159,6 +159,7 @@ struct tls {
uint32_t cacheexpiry; uint32_t cacheexpiry;
uint32_t tlsexpiry; uint32_t tlsexpiry;
uint32_t dtlsexpiry; uint32_t dtlsexpiry;
X509_VERIFY_PARAM *vpm;
SSL_CTX *tlsctx; SSL_CTX *tlsctx;
SSL_CTX *dtlsctx; SSL_CTX *dtlsctx;
}; };
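Review bot: The new `vpm` member says nothing about who owns the X509_VERIFY_PARAM or when it is released; a one-line comment such as `X509_VERIFY_PARAM *vpm; /* built from policyoids by createverifyparams(); owned by this struct */` would help. From the other hunks the field is only created lazily in tlscreatectx and freed there on failure, and the `if (!conf->vpm)` test presumably relies on the struct being zero-initialised at allocation — worth confirming, since the allocation is outside this diff. The conftls_cb error path in this commit frees policyoids but not vpm, which is fine only if vpm cannot yet have been created at that point.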