Diffstat (limited to 'radsecproxy.c')
-rw-r--r--radsecproxy.c121
1 files changed, 71 insertions, 50 deletions
diff --git a/radsecproxy.c b/radsecproxy.c
index 8baa810..53935f2 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2277,34 +2277,82 @@ void ssl_info_callback(const SSL *ssl, int where, int ret) {
}
#endif
-SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
- SSL_CTX *ctx = NULL;
+void tlsinit() {
+ int i;
+ time_t t;
+ pid_t pid;
+
+ ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
+ ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
+ for (i = 0; i < CRYPTO_num_locks(); i++) {
+ ssl_lock_count[i] = 0;
+ pthread_mutex_init(&ssl_locks[i], NULL);
+ }
+ CRYPTO_set_id_callback(ssl_thread_id);
+ CRYPTO_set_locking_callback(ssl_locking_callback);
+
+ SSL_load_error_strings();
+ SSL_library_init();
+
+ while (!RAND_status()) {
+ t = time(NULL);
+ pid = getpid();
+ RAND_seed((unsigned char *)&t, sizeof(time_t));
+ RAND_seed((unsigned char *)&pid, sizeof(pid));
+ }
+}
+
+int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
STACK_OF(X509_NAME) *calist;
X509_STORE *x509_s;
- int i;
unsigned long error;
- if (!ssl_locks) {
- ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
- ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
- for (i = 0; i < CRYPTO_num_locks(); i++) {
- ssl_lock_count[i] = 0;
- pthread_mutex_init(&ssl_locks[i], NULL);
+ if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+ debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
+ return 0;
+ }
+
+ calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
+ if (!conf->cacertfile || calist) {
+ if (conf->cacertpath) {
+ if (!calist)
+ calist = sk_X509_NAME_new_null();
+ if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
+ sk_X509_NAME_free(calist);
+ calist = NULL;
+ }
}
- CRYPTO_set_id_callback(ssl_thread_id);
- CRYPTO_set_locking_callback(ssl_locking_callback);
+ }
+ if (!calist) {
+ while ((error = ERR_get_error()))
+ debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
+ debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
+ return 0;
+ }
+ ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
+ SSL_CTX_set_client_CA_list(ctx, calist);
- SSL_load_error_strings();
- SSL_library_init();
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
+ SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
- while (!RAND_status()) {
- time_t t = time(NULL);
- pid_t pid = getpid();
- RAND_seed((unsigned char *)&t, sizeof(time_t));
- RAND_seed((unsigned char *)&pid, sizeof(pid));
- }
+ if (conf->crlcheck) {
+ x509_s = SSL_CTX_get_cert_store(ctx);
+ X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
+ debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
+ return 1;
+}
+
+SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
+ SSL_CTX *ctx = NULL;
+ unsigned long error;
+
+ if (!ssl_locks)
+ tlsinit();
+
switch (type) {
case RAD_TLS:
ctx = SSL_CTX_new(TLSv1_method());
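Review bot: `tlsaddcacrl` is meant to be run again on a context that is already populated (the later `tlsgetctx` hunks call it at cache expiry), but `SSL_CTX_load_verify_locations` adds to the context's existing `X509_STORE` rather than replacing it. A CA certificate or CRL removed from `cacertfile`/`cacertpath` would therefore appear to stay in the store until the process restarts, whereas the code this replaces built a fresh context at each expiry. If an additive refresh is intended, say so above the function, e.g. `/* Reloads CA certs and CRLs into ctx; entries already in the store are kept */`; if removals must take effect at expiry, the store has to be rebuilt rather than appended to. Re-adding unchanged certificates on the second call may also make the load report an error on some OpenSSL versions, which is worth testing.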
@@ -2331,8 +2379,7 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
}
if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
!SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
- !SSL_CTX_check_private_key(ctx) ||
- !SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
+ !SSL_CTX_check_private_key(ctx)) {
while ((error = ERR_get_error()))
debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
@@ -2340,34 +2387,10 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
return NULL;
}
- calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
- if (!conf->cacertfile || calist) {
- if (conf->cacertpath) {
- if (!calist)
- calist = sk_X509_NAME_new_null();
- if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
- sk_X509_NAME_free(calist);
- calist = NULL;
- }
- }
- }
- if (!calist) {
- while ((error = ERR_get_error()))
- debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
- debug(DBG_ERR, "tlscreatectx: Error adding CA subjects in TLS context %s", conf->name);
+ if (!tlsaddcacrl(ctx, conf)) {
SSL_CTX_free(ctx);
return NULL;
}
- ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
- SSL_CTX_set_client_CA_list(ctx, calist);
-
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
- SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
-
- if (conf->crlcheck) {
- x509_s = SSL_CTX_get_cert_store(ctx);
- X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
- }
debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
return ctx;
@@ -2394,8 +2417,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
if (t->tlsexpiry && t->tlsctx) {
if (t->tlsexpiry < now.tv_sec) {
t->tlsexpiry = now.tv_sec + t->cacheexpiry;
- SSL_CTX_free(t->tlsctx);
- return t->tlsctx = tlscreatectx(RAD_TLS, t);
+ tlsaddcacrl(t->tlsctx, t);
}
}
if (!t->tlsctx) {
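Review bot: The result of `tlsaddcacrl(t->tlsctx, t)` is discarded, and `t->tlsexpiry` has already been moved forward on the line before, so a failed reload leaves the old (or partly updated) verification settings in place with no retry until another `cacheexpiry` seconds have passed. Advancing the expiry only on success would restore the retry, `if (tlsaddcacrl(t->tlsctx, t)) t->tlsexpiry = now.tv_sec + t->cacheexpiry;`, and the failure should be logged at the call site. The call also changes a context that other threads may be using for handshakes (the file installs pthread locking callbacks, so it appears to be multi-threaded); `SSL_CTX_set_client_CA_list` replaces the old list, so confirm this is safe without extra locking. The DTLS branch in the next hunk has the same two issues, and `tlsgetctx` starts and ends outside both hunks.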
@@ -2408,8 +2430,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
if (t->dtlsexpiry && t->dtlsctx) {
if (t->dtlsexpiry < now.tv_sec) {
t->dtlsexpiry = now.tv_sec + t->cacheexpiry;
- SSL_CTX_free(t->dtlsctx);
- return t->dtlsctx = tlscreatectx(RAD_DTLS, t);
+ tlsaddcacrl(t->dtlsctx, t);
}
}
if (!t->dtlsctx) {