diff options
| -rw-r--r-- | lib/radsecproxy/tlscommon.c | 75 | ||||
| -rw-r--r-- | lib/radsecproxy/tlscommon.h | 2 |
2 files changed, 0 insertions, 77 deletions
diff --git a/lib/radsecproxy/tlscommon.c b/lib/radsecproxy/tlscommon.c index e7b53bf..a31fa32 100644 --- a/lib/radsecproxy/tlscommon.c +++ b/lib/radsecproxy/tlscommon.c @@ -37,8 +37,6 @@ #include "hostport_types.h" #include "radsecproxy.h" -static struct hash *tlsconfs = NULL; - static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) { int pwdlen = strlen(userdata); if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */ @@ -265,15 +263,6 @@ static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { return ctx; } -struct tls *tlsgettls(char *alt1, char *alt2) { - struct tls *t; - - t = hash_read(tlsconfs, alt1, strlen(alt1)); - if (!t) - t = hash_read(tlsconfs, alt2, strlen(alt2)); - return t; -} - SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { struct timeval now; @@ -461,70 +450,6 @@ int cnregexp(X509 *cert, const char *exact, const regex_t *regex) { return 0; } -/* this is a bit sloppy, should not always accept match to any */ -int certnamecheck(X509 *cert, struct list *hostports) { - struct list_node *entry; - struct hostportres *hp; - int r; - uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */ - struct in6_addr addr; - - for (entry = list_first(hostports); entry; entry = list_next(entry)) { - hp = (struct hostportres *)entry->data; - if (hp->prefixlen != 255) { - /* we disable the check for prefixes */ - return 1; - } - if (inet_pton(AF_INET, hp->host, &addr)) - type = AF_INET; - else if (inet_pton(AF_INET6, hp->host, &addr)) - type = AF_INET6; - else - type = 0; - - r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, hp->host, NULL); - if (r) { - if (r > 0) { - debug(DBG_DBG, "certnamecheck: Found subjectaltname matching %s %s", type ? "address" : "host", hp->host); - return 1; - } - debug(DBG_WARN, "certnamecheck: No subjectaltname matching %s %s", type ? "address" : "host", hp->host); - } else { - if (cnregexp(cert, hp->host, NULL)) { - debug(DBG_DBG, "certnamecheck: Found cn matching host %s", hp->host); - return 1; - } - debug(DBG_WARN, "certnamecheck: cn not matching host %s", hp->host); - } - } - return 0; -} - -int verifyconfcert(X509 *cert, struct clsrvconf *conf) { - if (conf->certnamecheck) { - if (!certnamecheck(cert, conf->hostports)) { - debug(DBG_WARN, "verifyconfcert: certificate name check failed"); - return 0; - } - debug(DBG_WARN, "verifyconfcert: certificate name check ok"); - } - if (conf->certcnregex) { - if (cnregexp(cert, NULL, conf->certcnregex) < 1) { - debug(DBG_WARN, "verifyconfcert: CN not matching regex"); - return 0; - } - debug(DBG_DBG, "verifyconfcert: CN matching regex"); - } - if (conf->certuriregex) { - if (subjectaltnameregexp(cert, GEN_URI, NULL, conf->certuriregex) < 1) { - debug(DBG_WARN, "verifyconfcert: subjectaltname URI not matching regex"); - return 0; - } - debug(DBG_DBG, "verifyconfcert: subjectaltname URI matching regex"); - } - return 1; -} - /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ diff --git a/lib/radsecproxy/tlscommon.h b/lib/radsecproxy/tlscommon.h index ddfba2d..5a6d262 100644 --- a/lib/radsecproxy/tlscommon.h +++ b/lib/radsecproxy/tlscommon.h @@ -26,13 +26,11 @@ struct tls { }; #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) -struct tls *tlsgettls(char *alt1, char *alt2); SSL_CTX *tlsgetctx(uint8_t type, struct tls *t); X509 *verifytlscert(SSL *ssl); int subjectaltnameaddr(X509 *cert, int family, const struct in6_addr *addr); int subjectaltnameregexp(X509 *cert, int type, const char *exact, const regex_t *regex); int cnregexp(X509 *cert, const char *exact, const regex_t *regex); -int verifyconfcert(X509 *cert, struct clsrvconf *conf); #endif #if defined (__cplusplus) |