The FreeRADIUS server  $Id: 15bac2a4c627c01d1aa2047687b3418955ac7f00 $
conf.c
1 #ifdef HAVE_OPENSSL_OCSP_H
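/** Parser table shared by the "ocsp { }" and "staple { }" TLS subsections.
 *
 * Each entry binds one config item to a field of fr_tls_ocsp_conf_t.  The
 * defaults are the security-relevant part of this table:
 *
 *  - enable           "no"   OCSP is opt-in; the rest of this table is
 *                            irrelevant until it is switched on.
 *  - virtual_server          no default.  Lands in cache_server and is
 *                            resolved with virtual_server_find() when the
 *                            config is validated; an unknown name aborts
 *                            config load rather than being ignored.
 *  - override_cert_url "no"  and url (no default).  "url" is presumably
 *                            only consulted when override_cert_url is set;
 *                            confirm in the OCSP client code, which is not
 *                            in this file.
 *  - use_nonce        "yes"  ask the responder for a nonce (RFC 6960) so a
 *                            response is bound to this request.  Only turn
 *                            it off for responders that cannot echo nonces.
 *  - softfail         "no"   presumably fail-closed when the OCSP query
 *                            cannot be completed; confirm in
 *                            fr_tls_ocsp_check().
 *  - verifycert       "yes"  presumably verify the responder's certificate.
 *
 * NOTE(review): "timeout" defaults to "yes", which is not a duration.  It
 * reads like a copy-paste from the boolean entries around it; confirm what
 * the parser makes of that string and what effective timeout results.
 *
 * The table is closed by CONF_PARSER_TERMINATOR, the sentinel that marks
 * the end of a conf_parser_t table; without it the parser has no way to
 * know where the array stops.
 */
static conf_parser_t ocsp_config[] = {
	{ FR_CONF_OFFSET("enable", fr_tls_ocsp_conf_t, enable), .dflt = "no" },

	{ FR_CONF_OFFSET("virtual_server", fr_tls_ocsp_conf_t, cache_server) },

	{ FR_CONF_OFFSET("override_cert_url", fr_tls_ocsp_conf_t, override_url), .dflt = "no" },
	{ FR_CONF_OFFSET("url", fr_tls_ocsp_conf_t, url) },
	{ FR_CONF_OFFSET("use_nonce", fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" },
	{ FR_CONF_OFFSET("timeout", fr_tls_ocsp_conf_t, timeout), .dflt = "yes" },	/* see NOTE(review) above */
	{ FR_CONF_OFFSET("softfail", fr_tls_ocsp_conf_t, softfail), .dflt = "no" },
	{ FR_CONF_OFFSET("verifycert", fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" },

	CONF_PARSER_TERMINATOR
};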
16 #endif
17 
18 #ifdef HAVE_OPENSSL_OCSP_H
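	/* "ocsp { }" subsection: OCSP checking, parsed with ocsp_config. */
	{ FR_CONF_OFFSET_SUBSECTION("ocsp", 0, fr_tls_conf_t, ocsp, ocsp_config) },

	/*
	 *	"staple { }" deliberately reuses ocsp_config, so it accepts
	 *	exactly the same items and defaults as "ocsp { }".
	 *	(Macro name corrected: FR_CONF_OFFSET_SUBSECTION, matching the
	 *	entry above.)
	 */
	{ FR_CONF_OFFSET_SUBSECTION("staple", 0, fr_tls_conf_t, staple, ocsp_config) },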
22 #endif
23 
24 #ifdef HAVE_OPENSSL_OCSP_H
	/*
	 *	OCSP cache wiring is optional: it only happens when the
	 *	"virtual_server" item (stored in cache_server) was set.
	 *	A name that does not resolve is reported and aborts the
	 *	configuration (the "error" label is outside this excerpt),
	 *	so a typo cannot be silently ignored.
	 */
	if (conf->ocsp.cache_server) {
		virtual_server_t const *vs;

		vs = virtual_server_find(conf->ocsp.cache_server);
		if (!vs) {
			ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
			goto error;
		}

		/*
		 *	Compile the cache sections out of that virtual server.
		 *	A compile failure is likewise fatal for config load.
		 */
		if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, vs->server_cs) < 0) goto error;
	}

	/*
	 *	Same shape for stapling, which has its own virtual server
	 *	and its own compile routine (staple vs. state cache).
	 */
	if (conf->staple.cache_server) {
		virtual_server_t const *vs;

		vs = virtual_server_find(conf->staple.cache_server);
		if (!vs) {
			ERROR("No such virtual server '%s'", conf->staple.cache_server);
			goto error;
		}

		if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, vs->server_cs) < 0) goto error;
	}
48 #endif
49 
50 #ifdef HAVE_OPENSSL_OCSP_H
	/*
	 * @fixme: This is all pretty terrible.
	 * The stores initialized here are for validating
	 * OCSP responses. They have nothing to do with
	 * verifying other certificates.
	 */

	/*
	 *	Initialize OCSP Revocation Store.
	 *
	 *	Built only when the admin opted in (enable defaults to "no"),
	 *	and a NULL from conf_ocsp_revocation_store() is fatal for
	 *	config load, so OCSP never runs against a half-built store.
	 *	The store is released again in _conf_server_free().
	 */
	if (conf->ocsp.enable) {
		conf->ocsp.store = conf_ocsp_revocation_store(conf);
		if (conf->ocsp.store == NULL) goto error;
	}

	/*
	 *	Stapling gets its own store, built from the same conf by the
	 *	same call - presumably the same trust material, held twice
	 *	so the two can be freed independently.  Confirm if that
	 *	duplication ever matters.
	 */
	if (conf->staple.enable) {
		conf->staple.store = conf_ocsp_revocation_store(conf);
		if (conf->staple.store == NULL) goto error;
	}
70 #endif /*HAVE_OPENSSL_OCSP_H*/
71 
72 
/** Release the OpenSSL state owned by a TLS server configuration.
 *
 * Frees the two X509_STOREs used to validate OCSP responses
 * (conf->ocsp.store and conf->staple.store), clearing each pointer
 * afterwards so that running this twice cannot double free.  In debug
 * builds the whole struct is then zeroed so that any later use of the
 * freed configuration fails loudly instead of reading stale
 * certificate-validation state.
 *
 * NOTE(review): that memset is debug-only poisoning, not secret scrubbing;
 * release builds leave the struct's contents in memory.  If fr_tls_conf_t
 * carries key material or passwords, they are not zeroised here - confirm.
 *
 * @param[in] conf	configuration being torn down.  Unused when OCSP
 *			support is compiled out and NDEBUG is defined.
 * @return 0 always.
 */
static int _conf_server_free(
#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
	UNUSED
#endif
	fr_tls_conf_t *conf)
{
#ifdef HAVE_OPENSSL_OCSP_H
	X509_STORE	**stores[] = { &conf->ocsp.store, &conf->staple.store };
	size_t		i;

	/* Same treatment for both stores: free if allocated, then clear. */
	for (i = 0; i < sizeof(stores) / sizeof(stores[0]); i++) {
		if (*stores[i]) X509_STORE_free(*stores[i]);
		*stores[i] = NULL;
	}
#endif

#if !defined(NDEBUG)
	memset(conf, 0, sizeof(*conf));
#endif

	return 0;
}
91 
92 /* Session init */
93 #ifdef HAVE_OPENSSL_OCSP_H
	/*
	 *	Attach the OCSP response-validation store to the SSL object as
	 *	application data, reachable by whoever looks up
	 *	FR_TLS_EX_INDEX_OCSP_STORE.  Only ocsp.store is attached here,
	 *	not staple.store.  ocsp.store is populated only when
	 *	ocsp.enable is set (see config validation above), so with OCSP
	 *	disabled the consumer presumably sees NULL and must tolerate it.
	 */
	SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_OCSP_STORE, (void *)tls_conf->ocsp.store);
95 #endif
96 
97 /* Validation checks */
98 #ifdef HAVE_OPENSSL_OCSP_H
	/*
	 * Do OCSP last, so we have the complete set of attributes
	 * available for the virtual server.
	 *
	 * Fixme: Do we want to store the matching TLS-Client-cert-Filename?
	 *
	 * OCSP is only attempted when every earlier check passed (my_ok)
	 * and the admin enabled it; its verdict then replaces my_ok, so
	 * within this excerpt the OCSP result is the final word on the
	 * certificate.  With softfail = "no" (the default) an unanswered
	 * query is presumably a rejection - confirm in fr_tls_ocsp_check().
	 */
	if (my_ok && conf->ocsp.enable){
		X509 *issuer_cert;

		RDEBUG2("Starting OCSP Request");

		/*
		 * If we don't have an issuer, then we can't send
		 * an OCSP request, but pass the NULL issuer in
		 * so fr_tls_ocsp_check can decide on the correct
		 * return code.
		 *
		 * get0: borrowed from the verify context, not ours to free.
		 */
		issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);

		/*
		 * The trailing false is fr_tls_ocsp_check()'s staple_response
		 * flag: this is a check of the certificate being verified,
		 * not a stapled response.
		 */
		my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
	}
119 #endif