From 8bad57de823fc72394145f4a29678b4b72b8ed7a Mon Sep 17 00:00:00 2001 From: venaas Date: Mon, 13 Oct 2008 13:04:10 +0000 Subject: support for checking certificate policy oids git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@426 e88ac4ed-0b26-0410-9574-a7f39faa03bf --- gconfig.c | 10 ++++++++++ gconfig.h | 1 + radsecproxy.c | 39 +++++++++++++++++++++++++++------------ radsecproxy.h | 1 + 4 files changed, 39 insertions(+), 12 deletions(-) diff --git a/gconfig.c b/gconfig.c index 53d8c1e..5f16b8c 100644 --- a/gconfig.c +++ b/gconfig.c @@ -189,6 +189,16 @@ int popgconf(struct gconffile **cf) { return 1; } +void freegconfmstr(char **mstr) { + int i; + + if (mstr) { + for (i = 0; mstr[i]; i++) + free(mstr[i]); + free(mstr); + } +} + void freegconf(struct gconffile **cf) { int i; diff --git a/gconfig.h b/gconfig.h index 48e1e94..06dbf30 100644 --- a/gconfig.h +++ b/gconfig.h @@ -18,5 +18,6 @@ FILE *pushgconfpath(struct gconffile **cf, const char *path); FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description); FILE *pushgconfpaths(struct gconffile **cf, const char *path); int popgconf(struct gconffile **cf); +void freegconfmstr(char **mstr); void freegconf(struct gconffile **cf); struct gconffile *openconfigfile(const char *file); diff --git a/radsecproxy.c b/radsecproxy.c index 9689d91..a682ead 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -2359,25 +2359,26 @@ void tlsinit() { } } -int setpolicyoids(X509_STORE *store, char **poids) { +X509_VERIFY_PARAM *createverifyparams(char **poids) { X509_VERIFY_PARAM *pm; ASN1_OBJECT *pobject; int i; pm = X509_VERIFY_PARAM_new(); if (!pm) - return 0; + return NULL; for (i = 0; poids[i]; i++) { - pobject = OBJ_txt2obj(poids[i], 0); - if (!pobject) - return 0; + pobject = OBJ_txt2obj(poids[i], 0); + if (!pobject) { + X509_VERIFY_PARAM_free(pm); + return NULL; + } X509_VERIFY_PARAM_add0_policy(pm, pobject); } X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY); - X509_STORE_set1_param(store, pm); - return 1; + return pm; } int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { @@ -2415,14 +2416,12 @@ int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb); SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1); - if (conf->crlcheck || conf->policyoids) { + if (conf->crlcheck || conf->vpm) { x509_s = SSL_CTX_get_cert_store(ctx); if (conf->crlcheck) X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); - if (conf->policyoids && !setpolicyoids(x509_s, conf->policyoids)) { - debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name); - return 0; /* should free memory */ - } + if (conf->vpm) + X509_STORE_set1_param(x509_s, conf->vpm); } debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name); @@ -2470,7 +2469,22 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { return NULL; } + if (conf->policyoids) { + if (!conf->vpm) { + conf->vpm = createverifyparams(conf->policyoids); + if (!conf->vpm) { + debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name); + SSL_CTX_free(ctx); + return NULL; + } + } + } + if (!tlsaddcacrl(ctx, conf)) { + if (conf->vpm) { + X509_VERIFY_PARAM_free(conf->vpm); + conf->vpm = NULL; + } SSL_CTX_free(ctx); return NULL; } @@ -3491,6 +3505,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v free(conf->certfile); free(conf->certkeyfile); free(conf->certkeypwd); + freegconfmstr(conf->policyoids); free(conf); return 0; } diff --git a/radsecproxy.h b/radsecproxy.h index a29d733..0061104 100644 --- a/radsecproxy.h +++ b/radsecproxy.h @@ -159,6 +159,7 @@ struct tls { uint32_t cacheexpiry; uint32_t tlsexpiry; uint32_t dtlsexpiry; + X509_VERIFY_PARAM *vpm; SSL_CTX *tlsctx; SSL_CTX *dtlsctx; }; -- cgit v1.1