authorvenaas <venaas>2008-09-26 09:36:21 +0000
committervenaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>2008-09-26 09:36:21 +0000
commita3b506a84a3c764ca087a907cc3b415d49cdfb9d (patch)
tree3c9593e665e253a867357de3e28f24a71270e9aa
parent0c6e23211da30daf0cb75549362b16dce279f0a8 (diff)
Try to refresh only the CA and CRL data when the TLS cache expires.
git-svn-id: https://svn.testnett.uninett.no/radsecproxy/branches/release-1.1@407 e88ac4ed-0b26-0410-9574-a7f39faa03bf
-rw-r--r--radsecproxy.c110
1 files changed, 66 insertions, 44 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index ff7a19a..6271f04 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2610,53 +2610,41 @@ int tlslistener() {
return 0;
}
-SSL_CTX *tlscreatectx(struct tls *conf) {
- SSL_CTX *ctx = NULL;
- STACK_OF(X509_NAME) *calist;
- X509_STORE *x509_s;
+void tlsinit() {
int i;
- unsigned long error;
+ time_t t;
+ pid_t pid;
- if (!ssl_locks) {
- ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
- ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
- for (i = 0; i < CRYPTO_num_locks(); i++) {
- ssl_lock_count[i] = 0;
- pthread_mutex_init(&ssl_locks[i], NULL);
- }
- CRYPTO_set_id_callback(ssl_thread_id);
- CRYPTO_set_locking_callback(ssl_locking_callback);
-
- SSL_load_error_strings();
- SSL_library_init();
-
- while (!RAND_status()) {
- time_t t = time(NULL);
- pid_t pid = getpid();
- RAND_seed((unsigned char *)&t, sizeof(time_t));
- RAND_seed((unsigned char *)&pid, sizeof(pid));
- }
+ ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
+ ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+ for (i = 0; i < CRYPTO_num_locks(); i++) {
+ ssl_lock_count[i] = 0;
+ pthread_mutex_init(&ssl_locks[i], NULL);
}
+ CRYPTO_set_id_callback(ssl_thread_id);
+ CRYPTO_set_locking_callback(ssl_locking_callback);
- ctx = SSL_CTX_new(TLSv1_method());
- if (!ctx) {
- debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
- return NULL;
- }
+ SSL_load_error_strings();
+ SSL_library_init();
- if (conf->certkeypwd) {
- SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
- SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+ while (!RAND_status()) {
+ t = time(NULL);
+ pid = getpid();
+ RAND_seed((unsigned char *)&t, sizeof(time_t));
+ RAND_seed((unsigned char *)&pid, sizeof(pid));
}
- if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
- !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
- !SSL_CTX_check_private_key(ctx) ||
- !SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
+}
+
+int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
+ STACK_OF(X509_NAME) *calist;
+ X509_STORE *x509_s;
+ unsigned long error;
+
+ if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
- debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
- SSL_CTX_free(ctx);
- return NULL;
+ debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
+ return 0;
}
calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
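Review bot: `void tlsinit()` at the top of the hunk declares the function with an empty, non-prototype parameter list; `void tlsinit(void)` states that it takes no arguments and lets the compiler check its calls. Inside the same function the `calloc` and `OPENSSL_malloc` results are written to in the following loop without a NULL check, so an allocation failure becomes a null dereference rather than a logged error; this was already true of the code moved here, but now that it stands alone it is the natural place for a check that reports via `debug(DBG_ERR, ...)` and stops initialisation according to the project's out-of-memory policy. tlsaddcacrl, which begins at the end of this hunk, continues past it.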
@@ -2673,9 +2661,8 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
if (!calist) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
- debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
- SSL_CTX_free(ctx);
- return NULL;
+ debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
+ return 0;
}
ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
SSL_CTX_set_client_CA_list(ctx, calist);
@@ -2688,6 +2675,42 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
+ debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
+ return 1;
+}
+
+SSL_CTX *tlscreatectx(struct tls *conf) {
+ SSL_CTX *ctx = NULL;
+ unsigned long error;
+
+ if (!ssl_locks)
+ tlsinit();
+
+ ctx = SSL_CTX_new(TLSv1_method());
+ if (!ctx) {
+ debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
+ return NULL;
+ }
+
+ if (conf->certkeypwd) {
+ SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
+ SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+ }
+ if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
+ !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
+ !SSL_CTX_check_private_key(ctx)) {
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+ debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+
+ if (!tlsaddcacrl(ctx, conf)) {
+ SSL_CTX_free(ctx);
+ return NULL;
+ }
+
debug(DBG_DBG, "tlscreatectx: created tls context %s", conf->name);
return ctx;
}
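Review bot: tlsaddcacrl, which closes at the start of this hunk, is now the routine reused to refresh a live context, but `SSL_CTX_load_verify_locations` only adds certificates and CRLs to the context's existing X509_STORE and nothing in the function removes entries, so a CA or CRL deleted from `cacertfile`/`cacertpath` stays trusted by a refreshed context until it is recreated, whereas the client CA list set afterwards is replaced wholesale. That asymmetry deserves a comment next to the `debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", ...)` line, e.g. `/* verify locations are additive: entries dropped from the CA files remain in the store until the ctx is recreated */`. In tlscreatectx the `if (!ssl_locks) tlsinit();` guard is not serialised by anything visible here; if tlscreatectx can run concurrently before the first context exists, tlsinit could run twice — whether callers allow that is outside the hunk.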
@@ -2718,8 +2741,7 @@ SSL_CTX *tlsgetctx(struct tls *t) {
if (t->expiry && t->ctx) {
if (t->expiry < now.tv_sec) {
t->expiry = now.tv_sec + t->cacheexpiry;
- SSL_CTX_free(t->ctx);
- return t->ctx = tlscreatectx(t);
+ tlsaddcacrl(t->ctx, t);
}
}
if (!t->ctx) {
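Review bot: The return value of `tlsaddcacrl(t->ctx, t)` is discarded and `t->expiry` has already been advanced on the line above, so a failed refresh (for example an unreadable `cacertfile`) leaves the previous, possibly stale CA/CRL data in service for another `cacheexpiry` period with only tlsaddcacrl's own error log as a trace; with the removed `tlscreatectx` fallback gone, the following `if (!t->ctx)` block no longer catches this case. At minimum the intent should be stated at the call, `/* on failure the old CA/CRL data stays in use until the next expiry; tlsaddcacrl has logged the error */`, or `t->expiry` advanced only after a successful refresh so the next call retries (at the cost of retrying on every call until it succeeds). Note also that tlsaddcacrl's `SSL_CTX_set_client_CA_list` frees the list it replaces; if tlsgetctx may be called from several threads while handshakes on the same ctx are in progress, that replacement must be covered by whatever lock protects `t`, which is outside the hunk. tlsgetctx begins before this hunk and continues past it.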