modules_2rlm__ocsp_2conf_8c_source.html

#ifdef HAVE_OPENSSL_OCSP_H

static conf_parser_t ocsp_config[] = {

        { FR_CONF_OFFSET("enable", fr_tls_ocsp_conf_t, enable), .dflt = "no" },


        { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, CONF_FLAG_REQUIRED | CONF_FLAG_NOT_EMPTY, fr_tls_ocsp_conf_t, virtual_server),

                                    .func = virtual_server_cf_parse,

                                    .uctx = &(virtual_server_cf_parse_uctx_t){ .process_module_name = "ocsp"} },


        { FR_CONF_OFFSET("override_cert_url", fr_tls_ocsp_conf_t, override_url), .dflt = "no" },

        { FR_CONF_OFFSET("url", fr_tls_ocsp_conf_t, url) },

        { FR_CONF_OFFSET("use_nonce", fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" },

        { FR_CONF_OFFSET("timeout", fr_tls_ocsp_conf_t, timeout), .dflt = "yes" },

        { FR_CONF_OFFSET("softfail", fr_tls_ocsp_conf_t, softfail), .dflt = "no" },

        { FR_CONF_OFFSET("verifycert", fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" },


        CONF_PARSER_TERMINATOR

};

#endif


#ifdef HAVE_OPENSSL_OCSP_H

        { FR_CONF_OFFSET_SUBSECTION("ocsp", 0, fr_tls_conf_t, ocsp, ocsp_config) },


        { FR_CONF_OFFSET_SUBSCTION("staple", 0, fr_tls_conf_t, staple, ocsp_config) },

#endif


#ifdef HAVE_OPENSSL_OCSP_H

        if (conf->ocsp.cache_server) {

                virtual_server_t const *vs;


                vs = virtual_server_find(conf->ocsp.cache_server);

                if (!vs) {

                        ERROR("No such virtual server '%s'", conf->ocsp.cache_server);

                        goto error;

                }


                if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, vs->server_cs) < 0) goto error;

        }


        if (conf->staple.cache_server) {

                virtual_server_t const *vs;


                vs = virtual_server_find(conf->staple.cache_server);

                if (!vs) {

                        ERROR("No such virtual server '%s'", conf->staple.cache_server);

                        goto error;

                }


                if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, vs->server_cs) < 0) goto error;

        }

#endif


#ifdef HAVE_OPENSSL_OCSP_H

        /*

         *      @fixme:  This is all pretty terrible.

         *      The stores initialized here are for validating

         *      OCSP responses.  They have nothing to do with

         *      verifying other certificates.

         */


        /*

         *      Initialize OCSP Revocation Store

         */

        if (conf->ocsp.enable) {

                conf->ocsp.store = conf_ocsp_revocation_store(conf);

                if (conf->ocsp.store == NULL) goto error;

        }


        if (conf->staple.enable) {

                conf->staple.store = conf_ocsp_revocation_store(conf);

                if (conf->staple.store == NULL) goto error;

        }

#endif /*HAVE_OPENSSL_OCSP_H*/


static int _conf_server_free(

#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)

                             UNUSED

#endif

                             fr_tls_conf_t *conf)

{

#ifdef HAVE_OPENSSL_OCSP_H

        if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);

        conf->ocsp.store = NULL;

        if (conf->staple.store) X509_STORE_free(conf->staple.store);

        conf->staple.store = NULL;

#endif


#ifndef NDEBUG

        memset(conf, 0, sizeof(*conf));

#endif

        return 0;

}


/* Session init */

#ifdef HAVE_OPENSSL_OCSP_H

        SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_OCSP_STORE, (void *)tls_conf->ocsp.store);

#endif


/* Validation checks */

#ifdef HAVE_OPENSSL_OCSP_H

        /*

         *      Do OCSP last, so we have the complete set of attributes

         *      available for the virtual server.

         *

         *      Fixme: Do we want to store the matching TLS-Client-cert-Filename?

         */

        if (my_ok && conf->ocsp.enable){

                X509    *issuer_cert;


                RDEBUG2("Starting OCSP Request");


                /*

                 *      If we don't have an issuer, then we can't send

                 *      and OCSP request, but pass the NULL issuer in

                 *      so fr_tls_ocsp_check can decide on the correct

                 *      return code.

                 */

                issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);

                my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);

        }

#endif

UNUSED
#define UNUSED
Definition build.h:317

CONF_PARSER_TERMINATOR
#define CONF_PARSER_TERMINATOR
Definition cf_parse.h:662

conf_parser_s::func
cf_parse_t func
Override default parsing behaviour for the specified type with a custom parsing function.
Definition cf_parse.h:616

FR_CONF_OFFSET
#define FR_CONF_OFFSET(_name, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:284

FR_CONF_OFFSET_SUBSECTION
#define FR_CONF_OFFSET_SUBSECTION(_name, _flags, _struct, _field, _subcs)
conf_parser_t which populates a sub-struct using a CONF_SECTION
Definition cf_parse.h:313

CONF_FLAG_REQUIRED
@ CONF_FLAG_REQUIRED
Error out if no matching CONF_PAIR is found, and no dflt value is set.
Definition cf_parse.h:434

CONF_FLAG_NOT_EMPTY
@ CONF_FLAG_NOT_EMPTY
CONF_PAIR is required to have a non zero length value.
Definition cf_parse.h:452

FR_CONF_OFFSET_TYPE_FLAGS
#define FR_CONF_OFFSET_TYPE_FLAGS(_name, _type, _flags, _struct, _field)
conf_parser_t which parses a single CONF_PAIR, writing the result to a field in a struct
Definition cf_parse.h:241

conf_parser_s
Defines a CONF_PAIR to C data type mapping.
Definition cf_parse.h:599

ERROR
#define ERROR(fmt,...)
Definition dhcpclient.c:41

FR_TYPE_VOID
@ FR_TYPE_VOID
User data.
Definition merged_model.c:127

_conf_server_free
static int _conf_server_free(fr_tls_conf_t *conf)
Definition conf.c:75

fr_tls_ocsp_check
int fr_tls_ocsp_check(request_t *request, SSL *ssl, X509_STORE *store, X509 *issuer_cert, X509 *client_cert, fr_tls_ocsp_conf_t *conf, bool staple_response)

fr_tls_ocsp_state_cache_compile
int fr_tls_ocsp_state_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs)

fr_tls_ocsp_staple_cache_compile
int fr_tls_ocsp_staple_cache_compile(fr_tls_cache_t *sections, CONF_SECTION *server_cs)

fr_tls_ocsp_conf_t
OCSP Configuration.
Definition ocsp.h:4

RDEBUG2
#define RDEBUG2(fmt,...)
Definition radclient.h:54

conf
static rs_t * conf
Definition radsniff.c:53

virtual_server_s::server_cs
CONF_SECTION * server_cs
The server section.
Definition virtual_servers.c:58

virtual_server_cf_parse
int virtual_server_cf_parse(UNUSED TALLOC_CTX *ctx, void *out, UNUSED void *parent, CONF_ITEM *ci, UNUSED conf_parser_t const *rule)
Wrapper for the config parser to allow pass1 resolution of virtual servers.
Definition virtual_servers.c:1014

virtual_server_find
virtual_server_t const * virtual_server_find(char const *name)
Return virtual server matching the specified name.
Definition virtual_servers.c:971

virtual_server_s
Definition virtual_servers.c:57

virtual_server_cf_parse_uctx_t
Additional validation rules for virtual server lookup.
Definition virtual_servers.h:110