summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--radsecproxy.c51
-rw-r--r--radsecproxy.h3
2 files changed, 37 insertions, 17 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index c7dad13..1202dcf 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -3146,8 +3146,8 @@ void createlisteners(uint8_t type, char **args) {
createlistener(type, NULL);
}
-SSL_CTX *tlscreatectx(struct tls *conf) {
- SSL_CTX *ctx;
+SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
+ SSL_CTX *ctx = NULL;
STACK_OF(X509_NAME) *calist;
X509_STORE *x509_s;
int i;
@@ -3173,7 +3173,15 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
RAND_seed((unsigned char *)&pid, sizeof(pid));
}
}
- ctx = SSL_CTX_new(TLSv1_method());
+
+ switch (type) {
+ case RAD_TLS:
+ ctx = SSL_CTX_new(TLSv1_method());
+ break;
+ case RAD_DTLS:
+ ctx = SSL_CTX_new(DTLSv1_method());
+ break;
+ }
if (!ctx) {
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
return NULL;
@@ -3226,10 +3234,11 @@ SSL_CTX *tlscreatectx(struct tls *conf) {
return ctx;
}
-SSL_CTX *tlsgetctx(char *alt1, char *alt2) {
+SSL_CTX *tlsgetctx(uint8_t type, char *alt1, char *alt2) {
struct list_node *entry;
struct tls *t, *t1 = NULL, *t2 = NULL;
-
+ SSL_CTX *ctx = NULL;
+
pthread_mutex_lock(&tlsconfs_lock);
for (entry = list_first(tlsconfs); entry; entry = list_next(entry)) {
@@ -3243,15 +3252,25 @@ SSL_CTX *tlsgetctx(char *alt1, char *alt2) {
}
t = (t1 ? t1 : t2);
- if (!t) {
- pthread_mutex_unlock(&tlsconfs_lock);
- return NULL;
- }
+ if (!t)
+ goto exit;
- if (!t->ctx)
- t->ctx = tlscreatectx(t);
+ switch (type) {
+ case RAD_TLS:
+ if (!t->tlsctx)
+ t->tlsctx = tlscreatectx(RAD_TLS, t);
+ ctx = t->tlsctx;
+ break;
+ case RAD_DTLS:
+ if (!t->dtlsctx)
+ t->dtlsctx = tlscreatectx(RAD_DTLS, t);
+ ctx = t->dtlsctx;
+ break;
+ }
+
+ exit:
pthread_mutex_unlock(&tlsconfs_lock);
- return t->ctx;
+ return ctx;
}
struct list *addsrvconfs(char *value, char **names) {
@@ -3837,8 +3856,8 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
debugx(1, DBG_ERR, "error in block %s, unknown transport %s", block, conftype);
free(conftype);
- if (conf->type == RAD_TLS) {
- conf->ssl_ctx = conf->tls ? tlsgetctx(conf->tls, NULL) : tlsgetctx("defaultclient", "default");
+ if (conf->type == RAD_TLS || conf->type == RAD_DTLS) {
+ conf->ssl_ctx = conf->tls ? tlsgetctx(conf->type, conf->tls, NULL) : tlsgetctx(conf->type, "defaultclient", "default");
if (!conf->ssl_ctx)
debugx(1, DBG_ERR, "error in block %s, no tls context defined", block);
if (conf->matchcertattr && !addmatchcertattr(conf))
@@ -3866,8 +3885,8 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
}
int compileserverconfig(struct clsrvconf *conf, const char *block) {
- if (conf->type == RAD_TLS) {
- conf->ssl_ctx = conf->tls ? tlsgetctx(conf->tls, NULL) : tlsgetctx("defaultserver", "default");
+ if (conf->type == RAD_TLS || conf->type == RAD_DTLS) {
+ conf->ssl_ctx = conf->tls ? tlsgetctx(conf->type, conf->tls, NULL) : tlsgetctx(conf->type, "defaultserver", "default");
if (!conf->ssl_ctx) {
debug(DBG_ERR, "error in block %s, no tls context defined", block);
return 0;
diff --git a/radsecproxy.h b/radsecproxy.h
index 55e767e..b38f6f0 100644
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -156,7 +156,8 @@ struct tls {
char *certkeyfile;
char *certkeypwd;
uint8_t crlcheck;
- SSL_CTX *ctx;
+ SSL_CTX *tlsctx;
+ SSL_CTX *dtlsctx;
};
struct rewrite {