Commit 8be5ce2b authored by venaas's avatar venaas Committed by venaas

Try to refresh only the CA and CRL data when the TLS context cache expires, instead of recreating the whole context.

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@407 e88ac4ed-0b26-0410-9574-a7f39faa03bf
parent bf093fa8
...@@ -2277,34 +2277,82 @@ void ssl_info_callback(const SSL *ssl, int where, int ret) { ...@@ -2277,34 +2277,82 @@ void ssl_info_callback(const SSL *ssl, int where, int ret) {
} }
#endif #endif
SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { void tlsinit() {
SSL_CTX *ctx = NULL; int i;
time_t t;
pid_t pid;
ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
for (i = 0; i < CRYPTO_num_locks(); i++) {
ssl_lock_count[i] = 0;
pthread_mutex_init(&ssl_locks[i], NULL);
}
CRYPTO_set_id_callback(ssl_thread_id);
CRYPTO_set_locking_callback(ssl_locking_callback);
SSL_load_error_strings();
SSL_library_init();
while (!RAND_status()) {
t = time(NULL);
pid = getpid();
RAND_seed((unsigned char *)&t, sizeof(time_t));
RAND_seed((unsigned char *)&pid, sizeof(pid));
}
}
int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
STACK_OF(X509_NAME) *calist; STACK_OF(X509_NAME) *calist;
X509_STORE *x509_s; X509_STORE *x509_s;
int i;
unsigned long error; unsigned long error;
if (!ssl_locks) { if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)); while ((error = ERR_get_error()))
ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
for (i = 0; i < CRYPTO_num_locks(); i++) { debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
ssl_lock_count[i] = 0; return 0;
pthread_mutex_init(&ssl_locks[i], NULL); }
calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
if (!conf->cacertfile || calist) {
if (conf->cacertpath) {
if (!calist)
calist = sk_X509_NAME_new_null();
if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
sk_X509_NAME_free(calist);
calist = NULL;
}
} }
CRYPTO_set_id_callback(ssl_thread_id); }
CRYPTO_set_locking_callback(ssl_locking_callback); if (!calist) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
return 0;
}
ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
SSL_CTX_set_client_CA_list(ctx, calist);
SSL_load_error_strings(); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_library_init(); SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
while (!RAND_status()) { if (conf->crlcheck) {
time_t t = time(NULL); x509_s = SSL_CTX_get_cert_store(ctx);
pid_t pid = getpid(); X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
RAND_seed((unsigned char *)&t, sizeof(time_t));
RAND_seed((unsigned char *)&pid, sizeof(pid));
}
} }
debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
return 1;
}
SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
SSL_CTX *ctx = NULL;
unsigned long error;
if (!ssl_locks)
tlsinit();
switch (type) { switch (type) {
case RAD_TLS: case RAD_TLS:
ctx = SSL_CTX_new(TLSv1_method()); ctx = SSL_CTX_new(TLSv1_method());
...@@ -2331,8 +2379,7 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { ...@@ -2331,8 +2379,7 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
} }
if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) || if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
!SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
!SSL_CTX_check_private_key(ctx) || !SSL_CTX_check_private_key(ctx)) {
!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
while ((error = ERR_get_error())) while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
...@@ -2340,34 +2387,10 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { ...@@ -2340,34 +2387,10 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
return NULL; return NULL;
} }
calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL; if (!tlsaddcacrl(ctx, conf)) {
if (!conf->cacertfile || calist) {
if (conf->cacertpath) {
if (!calist)
calist = sk_X509_NAME_new_null();
if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
sk_X509_NAME_free(calist);
calist = NULL;
}
}
}
if (!calist) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlscreatectx: Error adding CA subjects in TLS context %s", conf->name);
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return NULL; return NULL;
} }
ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
SSL_CTX_set_client_CA_list(ctx, calist);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
if (conf->crlcheck) {
x509_s = SSL_CTX_get_cert_store(ctx);
X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
return ctx; return ctx;
...@@ -2394,8 +2417,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { ...@@ -2394,8 +2417,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
if (t->tlsexpiry && t->tlsctx) { if (t->tlsexpiry && t->tlsctx) {
if (t->tlsexpiry < now.tv_sec) { if (t->tlsexpiry < now.tv_sec) {
t->tlsexpiry = now.tv_sec + t->cacheexpiry; t->tlsexpiry = now.tv_sec + t->cacheexpiry;
SSL_CTX_free(t->tlsctx); tlsaddcacrl(t->tlsctx, t);
return t->tlsctx = tlscreatectx(RAD_TLS, t);
} }
} }
if (!t->tlsctx) { if (!t->tlsctx) {
...@@ -2408,8 +2430,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { ...@@ -2408,8 +2430,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
if (t->dtlsexpiry && t->dtlsctx) { if (t->dtlsexpiry && t->dtlsctx) {
if (t->dtlsexpiry < now.tv_sec) { if (t->dtlsexpiry < now.tv_sec) {
t->dtlsexpiry = now.tv_sec + t->cacheexpiry; t->dtlsexpiry = now.tv_sec + t->cacheexpiry;
SSL_CTX_free(t->dtlsctx); tlsaddcacrl(t->dtlsctx, t);
return t->dtlsctx = tlscreatectx(RAD_DTLS, t);
} }
} }
if (!t->dtlsctx) { if (!t->dtlsctx) {
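Review bot: Calling `tlsaddcacrl(t->tlsctx, t);` on the live context (here and in the TLS twin above) only adds to the existing X509_STORE: `SSL_CTX_load_verify_locations` never removes certificates or CRLs that have since been dropped from cacertfile/cacertpath, so a CA deleted from disk stays trusted until restart and a superseded CRL stays in the store beside the new one (whether OpenSSL prefers the newer CRL depends on the version; in the 0.9.8-era lookup it is not guaranteed). The free-and-recreate path this replaces did not have that problem, so if removals must be picked up the refresh needs a fresh store, e.g. `SSL_CTX_set_cert_store(ctx, X509_STORE_new())` before reloading, or a new context as before. The return value of `tlsaddcacrl` is also ignored at both call sites, so a failed reload is logged but `tlsexpiry`/`dtlsexpiry` is still advanced and the stale context handed out silently; consider `if (!tlsaddcacrl(t->tlsctx, t)) debug(DBG_WARN, "tlsgetctx: CA/CRL refresh failed for %s, keeping old trust data", t->name);` or leaving the expiry unchanged so it is retried. Note too that the refresh mutates a shared SSL_CTX (`SSL_CTX_set_client_CA_list` frees and replaces the list) while other threads may be mid-handshake on it; I cannot see from this hunk whether tlsgetctx runs under a lock, so please confirm.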