1#ifdef HAVE_OPENSSL_OCSP_H
/*
 * Parser rules for an OCSP configuration sub-section (fr_tls_ocsp_conf_t).
 * The same table is attached to both the "ocsp" and the "staple"
 * sub-sections of fr_tls_conf_t further down, so every entry here applies
 * to both.
 */
2static conf_parser_t ocsp_config[] = {
3 { FR_CONF_OFFSET("enable", fr_tls_ocsp_conf_t, enable), .dflt = "no" },
4
 /* Continuation of an entry whose opening lines (5-6) are not part of this excerpt. */
7 .uctx = &(virtual_server_cf_parse_uctx_t){ .process_module_name = "ocsp"} },
8
9 { FR_CONF_OFFSET("override_cert_url", fr_tls_ocsp_conf_t, override_url), .dflt = "no" },
10 { FR_CONF_OFFSET("url", fr_tls_ocsp_conf_t, url) },
11 { FR_CONF_OFFSET("use_nonce", fr_tls_ocsp_conf_t, use_nonce), .dflt = "yes" },
 /*
  * NOTE(review): "timeout" defaulting to "yes" looks like a copy of the
  * neighbouring boolean entries; a timeout is presumably a duration, and a
  * default that does not parse as one would only surface at config load.
  * Confirm the field's type and the intended default.
  */
12 { FR_CONF_OFFSET("timeout", fr_tls_ocsp_conf_t, timeout), .dflt = "yes" },
 /*
  * NOTE(review): softfail presumably decides whether an unanswered or
  * failed responder query is treated as success; the "no" default keeps
  * that fail-closed.  Confirm against fr_tls_ocsp_check.
  */
13 { FR_CONF_OFFSET("softfail", fr_tls_ocsp_conf_t, softfail), .dflt = "no" },
14 { FR_CONF_OFFSET("verifycert", fr_tls_ocsp_conf_t, verifycert), .dflt = "yes" },
15
17};
18#endif
19
20#ifdef HAVE_OPENSSL_OCSP_H
 /* Entries of the parent fr_tls_conf_t rule table: both sub-sections reuse ocsp_config above. */
21 { FR_CONF_OFFSET_SUBSECTION("ocsp", 0, fr_tls_conf_t, ocsp, ocsp_config) },
22
 /*
  * NOTE(review): FR_CONF_OFFSET_SUBSCTION is misspelled; the macro used on
  * the "ocsp" entry just above is FR_CONF_OFFSET_SUBSECTION.  Unless a
  * macro by this name exists elsewhere, this line does not compile when
  * HAVE_OPENSSL_OCSP_H is defined.
  */
23 { FR_CONF_OFFSET_SUBSCTION("staple", 0, fr_tls_conf_t, staple, ocsp_config) },
24#endif
25
26#ifdef HAVE_OPENSSL_OCSP_H
 /*
  * Resolve the optional cache_server names to virtual servers and compile
  * the cache sections for OCSP and for stapling.  An unknown server name is
  * a fatal configuration error; the error label lies outside this excerpt.
  */
27 if (conf->ocsp.cache_server) {
28 virtual_server_t const *vs;
29
30 vs = virtual_server_find(conf->ocsp.cache_server);
31 if (!vs) {
32 ERROR("No such virtual server '%s'", conf->ocsp.cache_server);
33 goto error;
34 }
35
36 if (fr_tls_ocsp_state_cache_compile(&conf->ocsp.cache, vs->server_cs) < 0) goto error;
37 }
38
39 if (conf->staple.cache_server) {
40 virtual_server_t const *vs;
41
42 vs = virtual_server_find(conf->staple.cache_server);
43 if (!vs) {
44 ERROR("No such virtual server '%s'", conf->staple.cache_server);
45 goto error;
46 }
47
48 if (fr_tls_ocsp_staple_cache_compile(&conf->staple.cache, vs->server_cs) < 0) goto error;
49 }
50#endif
51
52#ifdef HAVE_OPENSSL_OCSP_H
53 /*
54 * @fixme: This is all pretty terrible.
55 * The stores initialized here are for validating
56 * OCSP responses. They have nothing to do with
57 * verifying other certificates.
58 */
59
60 /*
61 * Initialize OCSP Revocation Store
62 */
 /*
  * Both stores are produced by the same helper with the same conf
  * argument; each is only built when its feature is enabled, and a
  * NULL result is fatal.
  */
63 if (conf->ocsp.enable) {
64 conf->ocsp.store = conf_ocsp_revocation_store(conf);
65 if (conf->ocsp.store == NULL) goto error;
66 }
67
68 if (conf->staple.enable) {
69 conf->staple.store = conf_ocsp_revocation_store(conf);
70 if (conf->staple.store == NULL) goto error;
71 }
72#endif /*HAVE_OPENSSL_OCSP_H*/
73
74
/*
 * Teardown for the OCSP state held in fr_tls_conf_t; the opening
 * "static int _conf_server_free(" line (75) precedes this excerpt.
 * When OCSP support is compiled out and NDEBUG is set, conf is never
 * referenced, hence the conditional UNUSED on the parameter.
 */
76#if !defined(HAVE_OPENSSL_OCSP_H) && defined(NDEBUG)
77 UNUSED
78#endif
79 fr_tls_conf_t *conf)
80{
81#ifdef HAVE_OPENSSL_OCSP_H
 /* Release both stores and clear the pointers so a repeated call cannot double-free. */
82 if (conf->ocsp.store) X509_STORE_free(conf->ocsp.store);
83 conf->ocsp.store = NULL;
84 if (conf->staple.store) X509_STORE_free(conf->staple.store);
85 conf->staple.store = NULL;
86#endif
87
88#ifndef NDEBUG
 /* Debug builds scrub the whole struct so use after teardown is easier to spot. */
89 memset(conf, 0, sizeof(*conf));
90#endif
91 return 0;
92}
93
94/* Session init */
95#ifdef HAVE_OPENSSL_OCSP_H
 /*
  * Make the OCSP store reachable from the verify callback through SSL
  * ex_data.  NOTE(review): SSL_set_ex_data() returns 0 on failure and the
  * result is ignored here; a failure would leave the index unset.
  */
96 SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_OCSP_STORE, (void *)tls_conf->ocsp.store);
97#endif
98
99/* Validation checks */
100#ifdef HAVE_OPENSSL_OCSP_H
101 /*
102 * Do OCSP last, so we have the complete set of attributes
103 * available for the virtual server.
104 *
105 * Fixme: Do we want to store the matching TLS-Client-cert-Filename?
106 */
 /*
  * Runs only when the checks so far passed (my_ok) and OCSP is enabled;
  * the verdict of fr_tls_ocsp_check then replaces my_ok.  The final
  * argument is staple_response, false here.
  */
107 if (my_ok && conf->ocsp.enable){
108 X509 *issuer_cert;
109
110 RDEBUG2("Starting OCSP Request");
111
112 /*
113 * If we don't have an issuer, then we can't send
114 * and OCSP request, but pass the NULL issuer in
115 * so fr_tls_ocsp_check can decide on the correct
116 * return code.
117 */
118 issuer_cert = X509_STORE_CTX_get0_current_issuer(x509_ctx);
119 my_ok = fr_tls_ocsp_check(request, ssl, conf->ocsp.store, issuer_cert, cert, &(conf->ocsp), false);
120 }
121#endif