trying to refresh only ca and crl stuff when tls cache expires

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/branches/release-1.1@407 e88ac4ed-0b26-0410-9574-a7f39faa03bf
author: venaas <venaas> 2008-09-26 09:36:21 +0000
committer: venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf> 2008-09-26 09:36:21 +0000
commit: a3b506a84a3c764ca087a907cc3b415d49cdfb9d (patch)
tree: 3c9593e665e253a867357de3e28f24a71270e9aa /radsecproxy.c
parent: 0c6e23211da30daf0cb75549362b16dce279f0a8 (diff)
1 files changed, 66 insertions, 44 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index ff7a19a..6271f04 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2610,53 +2610,41 @@ int tlslistener() {
     return 0;
 }
 
-SSL_CTX *tlscreatectx(struct tls *conf) {
-    SSL_CTX *ctx = NULL;
-    STACK_OF(X509_NAME) *calist;
-    X509_STORE *x509_s;
+void tlsinit() {
     int i;
-    unsigned long error;
+    time_t t;
+    pid_t pid;
     
-    if (!ssl_locks) {
-	ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
-	ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
-	for (i = 0; i < CRYPTO_num_locks(); i++) {
-	    ssl_lock_count[i] = 0;
-	    pthread_mutex_init(&ssl_locks[i], NULL);
-	}
-	CRYPTO_set_id_callback(ssl_thread_id);
-	CRYPTO_set_locking_callback(ssl_locking_callback);
-
-	SSL_load_error_strings();
-	SSL_library_init();
-
-	while (!RAND_status()) {
-	    time_t t = time(NULL);
-	    pid_t pid = getpid();
-	    RAND_seed((unsigned char *)&t, sizeof(time_t));
-	    RAND_seed((unsigned char *)&pid, sizeof(pid));
-	}
+    ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
+    ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+    for (i = 0; i < CRYPTO_num_locks(); i++) {
+	ssl_lock_count[i] = 0;
+	pthread_mutex_init(&ssl_locks[i], NULL);
     }
+    CRYPTO_set_id_callback(ssl_thread_id);
+    CRYPTO_set_locking_callback(ssl_locking_callback);
 
-    ctx = SSL_CTX_new(TLSv1_method());
-    if (!ctx) {
-        debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
-        return NULL;
-    }
+    SSL_load_error_strings();
+    SSL_library_init();
 
-    if (conf->certkeypwd) {
-	SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
-	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+    while (!RAND_status()) {
+	t = time(NULL);
+	pid = getpid();
+	RAND_seed((unsigned char *)&t, sizeof(time_t));
+	RAND_seed((unsigned char *)&pid, sizeof(pid));
     }
-    if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
-	!SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
-	!SSL_CTX_check_private_key(ctx) ||
-	!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
+}
+
+int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
+    STACK_OF(X509_NAME) *calist;
+    X509_STORE *x509_s;
+    unsigned long error;
+    
+    if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
 	while ((error = ERR_get_error()))
 	    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
-	debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
-	SSL_CTX_free(ctx);
-        return NULL;
+	debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
+	return 0;
     }
 
     calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
@@ -2673,9 +2661,8 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
     if (!calist) {
 	while ((error = ERR_get_error()))
 	    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
-	debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
-	SSL_CTX_free(ctx);
-        return NULL;
+	debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
+        return 0;
     }
     ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
     SSL_CTX_set_client_CA_list(ctx, calist);
@@ -2688,6 +2675,42 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
 	X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
     }
 
+    debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
+    return 1;
+}
+    
+SSL_CTX *tlscreatectx(struct tls *conf) {
+    SSL_CTX *ctx = NULL;
+    unsigned long error;
+    
+    if (!ssl_locks)
+	tlsinit();
+
+    ctx = SSL_CTX_new(TLSv1_method());
+    if (!ctx) {
+        debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
+        return NULL;
+    }
+
+    if (conf->certkeypwd) {
+	SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
+	SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
+    }
+    if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
+	!SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
+	!SSL_CTX_check_private_key(ctx)) {
+	while ((error = ERR_get_error()))
+	    debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+	debug(DBG_ERR, "tlscreatectx: error initialising SSL/TLS in TLS context %s", conf->name);
+	SSL_CTX_free(ctx);
+        return NULL;
+    }
+
+    if (!tlsaddcacrl(ctx, conf)) {
+	SSL_CTX_free(ctx);
+        return NULL;
+    }
+
     debug(DBG_DBG, "tlscreatectx: created tls context %s", conf->name);
     return ctx;
 }
@@ -2718,8 +2741,7 @@ SSL_CTX *tlsgetctx(struct tls *t) {
     if (t->expiry && t->ctx) {
 	if (t->expiry < now.tv_sec) {
 	    t->expiry = now.tv_sec + t->cacheexpiry;
-	    SSL_CTX_free(t->ctx);
-	    return t->ctx = tlscreatectx(t);
+	    tlsaddcacrl(t->ctx, t);
 	}
     }
     if (!t->ctx) {
author	venaas <venaas>	2008-09-26 09:36:21 +0000
committer	venaas <venaas@e88ac4ed-0b26-0410-9574-a7f39faa03bf>	2008-09-26 09:36:21 +0000
commit	a3b506a84a3c764ca087a907cc3b415d49cdfb9d (patch)
tree	3c9593e665e253a867357de3e28f24a71270e9aa /radsecproxy.c
parent	0c6e23211da30daf0cb75549362b16dce279f0a8 (diff)