The FreeRADIUS server $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
conf.c
Go to the documentation of this file.
1#ifdef HAVE_OPENSSL_OCSP_H
2static conf_parser_t ocsp_config[] = {
3 { FR_CONF_OFFSET("enable", fr_tls_ocsp_conf_t, enable), .dflt = "no" },
4
5 { FR_CONF_OFFSET("virtual_server", fr_tls_ocsp_conf_t, cache_server) },
6
7 { FR_CONF_OFFSET("override_cert_url", fr_tls_ocsp_conf_t, override_url), .dflt = "no" },
8 { FR_CONF_OFFSET("url", fr_tls_ocsp_conf_t, url) },
9 { FR_CONF_OFFSET("use_nonce", fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" },
10 { FR_CONF_OFFSET("timeout", fr_tls_ocsp_conf_t, timeout), .dflt = "yes" },
11 { FR_CONF_OFFSET("softfail", fr_tls_ocsp_conf_t, softfail), .dflt = "no" },
12 { FR_CONF_OFFSET("verifycert", fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" },
13
14 CONF_PARSER_TERMINATOR
15};
16#endif
17
18#ifdef HAVE_OPENSSL_OCSP_H
19 { FR_CONF_OFFSET_SUBSECTION("ocsp", 0, fr_tls_conf_t, ocsp, ocsp_config) },
20
21 { FR_CONF_OFFSET_SUBSCTION("staple", 0, fr_tls_conf_t, staple, ocsp_config) },
22#endif
23
24#ifdef HAVE_OPENSSL_OCSP_H
25 if (conf->ocsp.cache_server) {
26 virtual_server_t const *vs;
27
28 vs = virtual_server_find(conf->ocsp.cache_server);
29 if (!vs) {
30 ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
31 goto error;
32 }
33
34 if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, vs->server_cs) < 0) goto error;
35 }
36
37 if (conf->staple.cache_server) {
38 virtual_server_t const *vs;
39
40 vs = virtual_server_find(conf->staple.cache_server);
41 if (!vs) {
42 ERROR("No such virtual server '%s'", conf->staple.cache_server);
43 goto error;
44 }
45
46 if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, vs->server_cs) < 0) goto error;
47 }
48#endif
49
50#ifdef HAVE_OPENSSL_OCSP_H
51 /*
52 * @fixme: This is all pretty terrible.
53 * The stores initialized here are for validating
54 * OCSP responses. They have nothing to do with
55 * verifying other certificates.
56 */
57
58 /*
59 * Initialize OCSP Revocation Store
60 */
61 if (conf->ocsp.enable) {
62 conf->ocsp.store = conf_ocsp_revocation_store(conf);
63 if (conf->ocsp.store == NULL) goto error;
64 }
65
66 if (conf->staple.enable) {
67 conf->staple.store = conf_ocsp_revocation_store(conf);
68 if (conf->staple.store == NULL) goto error;
69 }
70#endif /*HAVE_OPENSSL_OCSP_H*/
71
72
73static int _conf_server_free(
74#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
75 UNUSED
76#endif
77 fr_tls_conf_t *conf)
78{
79#ifdef HAVE_OPENSSL_OCSP_H
80 if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
81 conf->ocsp.store = NULL;
82 if (conf->staple.store) X509_STORE_free(conf->staple.store);
83 conf->staple.store = NULL;
84#endif
85
86#ifndef NDEBUG
87 memset(conf, 0, sizeof(*conf));
88#endif
89 return 0;
90}
91
92/* Session init */
93#ifdef HAVE_OPENSSL_OCSP_H
94 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_OCSP_STORE, (void *)tls_conf->ocsp.store);
95#endif
96
97/* Validation checks */
98#ifdef HAVE_OPENSSL_OCSP_H
99 /*
100 * Do OCSP last, so we have the complete set of attributes
101 * available for the virtual server.
102 *
103 * Fixme: Do we want to store the matching TLS-Client-cert-Filename?
104 */
105 if (my_ok && conf->ocsp.enable){
106 X509 *issuer_cert;
107
108 RDEBUG2("Starting OCSP Request");
109
110 /*
111 * If we don't have an issuer, then we can't send
112 * and OCSP request, but pass the NULL issuer in
113 * so fr_tls_ocsp_check can decide on the correct
114 * return code.
115 */
116 issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
117 my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
118 }
119#endif
UNUSED
#define UNUSED
Definition build.h:317
CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:658
FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284
FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313
conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:595
ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41
_conf_server_free
static int _conf_server_free(fr_tls_conf_t *conf)
Definition conf.c:73
fr_tls_ocsp_check
int fr_tls_ocsp_check(request_t *request, SSL *ssl, X509_STORE *store, X509 *issuer_cert, X509 *client_cert, fr_tls_ocsp_conf_t *conf, bool staple_response)
fr_tls_ocsp_state_cache_compile
int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs)
fr_tls_ocsp_staple_cache_compile
int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs)
fr_tls_ocsp_conf_t
OCSP Configuration.
Definition ocsp.h:4
RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54
conf
static rs_t * conf
Definition radsniff.c:53
virtual_server_s::server_cs
CONF_SECTION * server_cs
The server section.
Definition virtual_servers.c:56
virtual_server_find
virtual_server_t const * virtual_server_find(char const *name)
Return virtual server matching the specified name.
Definition virtual_servers.c:875
virtual_server_s
Definition virtual_servers.c:55
Generated by   doxygen 1.9.8