Diffstat (limited to 'radsecproxy.c')
-rw-r--r-- | radsecproxy.c | 121 |
1 files changed, 71 insertions, 50 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index 8baa810..53935f2 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2277,34 +2277,82 @@ void ssl_info_callback(const SSL *ssl, int where, int ret) { } #endif -SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { - SSL_CTX *ctx = NULL; +void tlsinit() { + int i; + time_t t; + pid_t pid; + + ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)); + ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); + for (i = 0; i < CRYPTO_num_locks(); i++) { + ssl_lock_count[i] = 0; + pthread_mutex_init(&ssl_locks[i], NULL); + } + CRYPTO_set_id_callback(ssl_thread_id); + CRYPTO_set_locking_callback(ssl_locking_callback); + + SSL_load_error_strings(); + SSL_library_init(); + + while (!RAND_status()) { + t = time(NULL); + pid = getpid(); + RAND_seed((unsigned char *)&t, sizeof(time_t)); + RAND_seed((unsigned char *)&pid, sizeof(pid)); + } +} + +int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { STACK_OF(X509_NAME) *calist; X509_STORE *x509_s; - int i; unsigned long error; - if (!ssl_locks) { - ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t)); - ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); - for (i = 0; i < CRYPTO_num_locks(); i++) { - ssl_lock_count[i] = 0; - pthread_mutex_init(&ssl_locks[i], NULL); + if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name); + return 0; + } + + calist = conf->cacertfile ? 
SSL_load_client_CA_file(conf->cacertfile) : NULL; + if (!conf->cacertfile || calist) { + if (conf->cacertpath) { + if (!calist) + calist = sk_X509_NAME_new_null(); + if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) { + sk_X509_NAME_free(calist); + calist = NULL; + } } - CRYPTO_set_id_callback(ssl_thread_id); - CRYPTO_set_locking_callback(ssl_locking_callback); + } + if (!calist) { + while ((error = ERR_get_error())) + debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); + debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name); + return 0; + } + ERR_clear_error(); /* add_dir_cert_subj returns errors on success */ + SSL_CTX_set_client_CA_list(ctx, calist); - SSL_load_error_strings(); - SSL_library_init(); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); + SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); - while (!RAND_status()) { - time_t t = time(NULL); - pid_t pid = getpid(); - RAND_seed((unsigned char *)&t, sizeof(time_t)); - RAND_seed((unsigned char *)&pid, sizeof(pid)); - } + if (conf->crlcheck) { + x509_s = SSL_CTX_get_cert_store(ctx); + X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); } + debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name); + return 1; +} + +SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { + SSL_CTX *ctx = NULL; + unsigned long error; + + if (!ssl_locks) + tlsinit(); + switch (type) { case RAD_TLS: ctx = SSL_CTX_new(TLSv1_method()); 
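Review bot: `tlsaddcacrl` is built to be re-run on a live context (its name and the expiry path in `tlsgetctx` say so), but `SSL_CTX_load_verify_locations` only adds objects to the context's X509_STORE — nothing in the function removes what an earlier call loaded, so a CA or CRL deleted from `cacertfile`/`cacertpath` stays in the store, and after a CRL rotation the old and the new CRL coexist; which one verification consults is OpenSSL-version dependent and should be confirmed before relying on this as a refresh. If add-only refresh is the intent, say so in a header comment above the function, e.g. `/* Loads CAs/CRLs from conf into ctx's store; repeated calls add objects but never drop ones removed from the files */`. Separately, `tlsinit` uses the results of `calloc` and `OPENSSL_malloc` unchecked, so an allocation failure crashes in `pthread_mutex_init`, and because `ssl_locks` stays NULL the `if (!ssl_locks)` guard in `tlscreatectx` would re-run the whole init on the next call; `if (!ssl_locks || !ssl_lock_count) { debug(DBG_ERR, "tlsinit: malloc failed"); exit(1); }` right after the two allocations makes the failure explicit. The body of `tlscreatectx` continues past the end of this hunk.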
@@ -2331,8 +2379,7 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { } if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) || !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) || - !SSL_CTX_check_private_key(ctx) || - !SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) { + !SSL_CTX_check_private_key(ctx)) { while ((error = ERR_get_error())) debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); @@ -2340,34 +2387,10 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { return NULL; } - calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL; - if (!conf->cacertfile || calist) { - if (conf->cacertpath) { - if (!calist) - calist = sk_X509_NAME_new_null(); - if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) { - sk_X509_NAME_free(calist); - calist = NULL; - } - } - } - if (!calist) { - while ((error = ERR_get_error())) - debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL)); - debug(DBG_ERR, "tlscreatectx: Error adding CA subjects in TLS context %s", conf->name); + if (!tlsaddcacrl(ctx, conf)) { SSL_CTX_free(ctx); return NULL; } - ERR_clear_error(); /* add_dir_cert_subj returns errors on success */ - SSL_CTX_set_client_CA_list(ctx, calist); - - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); - SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); - - if (conf->crlcheck) { - x509_s = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); - } debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name); return ctx; 
@@ -2394,8 +2417,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { if (t->tlsexpiry && t->tlsctx) { if (t->tlsexpiry < now.tv_sec) { t->tlsexpiry = now.tv_sec + t->cacheexpiry; - SSL_CTX_free(t->tlsctx); - return t->tlsctx = tlscreatectx(RAD_TLS, t); + tlsaddcacrl(t->tlsctx, t); } } if (!t->tlsctx) { @@ -2408,8 +2430,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { if (t->dtlsexpiry && t->dtlsctx) { if (t->dtlsexpiry < now.tv_sec) { t->dtlsexpiry = now.tv_sec + t->cacheexpiry; - SSL_CTX_free(t->dtlsctx); - return t->dtlsctx = tlscreatectx(RAD_DTLS, t); + tlsaddcacrl(t->dtlsctx, t); } } if (!t->dtlsctx) { |
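Review bot: The new `tlsaddcacrl(t->tlsctx, t);` call modifies a context in place that, unlike the freed-and-recreated one it replaces, may still be referenced by SSL objects in other threads — `SSL_CTX_set_client_CA_list` frees the previous name stack while the store gains entries — and the refcount protection the old `SSL_CTX_free` path relied on does not cover in-place mutation; whether `tlsgetctx` is reached from more than one thread is not visible here, so confirm a lock guards it or keep the recreate path. The return value is also dropped, and `t->tlsexpiry` has already been pushed forward, so a failed reload (e.g. a half-written CA file mid-rotation) is only logged inside `tlsaddcacrl` and not retried for another `cacheexpiry` seconds while the stale context keeps being served; `if (!tlsaddcacrl(t->tlsctx, t)) debug(DBG_ERR, "tlsgetctx: keeping stale TLS context %s", t->name);` at least makes that visible at the call site. The same applies to the `dtlsctx` hunk that follows. The body of `tlsgetctx` starts and ends outside these hunks.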