From 3035c740aa4dbf9e9680386283a99522841bdaed Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Sun, 26 Aug 2012 13:06:08 +0000
Subject: [PATCH] Let user choose not to verify client certificate (by CANL_SSL_VERIFY_NONE)

Define canl_ctx_set_ssl_flags()
---
 emi.canl.canl-c/src/canl_ocsp.c | 7 ++++---
 emi.canl.canl-c/src/canl_ssl.c | 38 ++++++++++++++++++++++++++++++--------
 emi.canl.canl-c/src/canl_ssl.h | 7 ++++---
 3 files changed, 38 insertions(+), 14 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c
index 2c61e15..5abd034 100644
--- a/emi.canl.canl-c/src/canl_ocsp.c
+++ b/emi.canl.canl-c/src/canl_ocsp.c
@@ -372,7 +372,7 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
     OCSP_REQUEST *req = NULL;
     OCSP_RESPONSE *resp = NULL;
     OCSP_BASICRESP *basic = NULL;
-    X509_STORE *store = 0;
+    X509_STORE *store = NULL;
     int rc = 0, reason = 0, ssl = 0, status = 0;
     char *host = NULL, *path = NULL, *port = NULL;
     OCSP_CERTID *id = NULL;
@@ -469,11 +469,12 @@ int do_ocsp_verify (canl_ocsprequest_t *data)
         goto end;
     if (USENONCE && OCSP_check_nonce(req, basic) <= 0)
         goto end;
+    /* TODO is this compulsory? */
     store = canl_create_x509store(data->store);
     if (!store)
         goto end;
-    /* The second parametr (verify_other) and the last one may be used
-       when OCSP API is fully defined*/
+
+    /* The last param. may be used when OCSP API is fully defined*/
     rc = OCSP_basic_verify(basic, verify_other, store, verify_flags);
     if (rc < 0)
         rc = OCSP_basic_verify(basic, NULL, store, 0);
diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index 994d2da..6defd42 100644
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
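Review bot: The added `/* TODO is this compulsory? */` above `canl_create_x509store(data->store)` asks a question the following lines already answer: `store` is the X509_STORE passed to `OCSP_basic_verify()`, which uses it to build and check the responder certificate's chain, so without it the response signature cannot be authenticated. Replace the open question with a statement, e.g. `/* Required: OCSP_basic_verify() validates the responder cert against this store */`. The rewritten comment below it no longer mentions verify_other, yet verify_other is still passed on the next line, and the fallback `OCSP_basic_verify(basic, NULL, store, 0)` that retries with no flags is left unexplained; a one-line comment on why that retry is acceptable would help a reader judge it. do_ocsp_verify's body continues on both sides of the hunk.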
@@ -187,12 +187,12 @@ ssl_server_init(glb_ctx *cc, void **ctx)
         return set_error(cc, ERR_get_error(), SSL_ERROR, "Failed to create SSL connection context");
-    /* TODO !!!!!!!!!!
-     * if SSL_VERIFY_NONE, then we cannot extract peer cert. of ssl
-     * if SSL_VERIFY_PEER, then client cert verification is mandatory!!!*/
-    SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
+    if (CANL_SSL_VERIFY_NONE & m_ctx->flags)
+        SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback);
+    else
+        SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
-    if (!(CANL_ACCEPT_SSLv2 & m_ctx->flags))
+    if (!(CANL_SSL_ACCEPT_SSLv2 & m_ctx->flags))
         SSL_set_options(ssl, SSL_OP_NO_SSLv2);
@@ -323,9 +323,13 @@ ssl_client_init(glb_ctx *cc, void **ctx)
         "Failed to create SSL connection context");
     SSL_set_connect_state(ssl);
+
+    if (CANL_SSL_VERIFY_NONE & m_ctx->flags)
+        SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback);
+    else
+        SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
-    SSL_set_verify(ssl, SSL_VERIFY_PEER, proxy_verify_callback);
-    if (!(CANL_ACCEPT_SSLv2 & m_ctx->flags))
+    if (!(CANL_SSL_ACCEPT_SSLv2 & m_ctx->flags))
         SSL_set_options(ssl, SSL_OP_NO_SSLv2);
     if (m_ctx->cert_key) {
@@ -1052,6 +1056,24 @@ canl_ctx_set_ssl_cred(canl_ctx cc, char *cert, char *key, char *proxy,
     return err;
 }
+
+canl_err_code
+canl_ctx_set_ssl_flags(canl_ctx cc, unsigned int flags)
+{
+    glb_ctx *glb_cc = (glb_ctx*) cc;
+    mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;
+
+    if (!m_ctx)
+        return set_error(cc, EINVAL, POSIX_ERROR, "SSL context not"
+                " initialized");
+
+    if (!cc)
+        return EINVAL;
+
+    m_ctx->flags |= flags;
+    return 0;
+}
+
 canl_err_code
 canl_ctx_set_crl_dir(canl_ctx cc, const char *dir)
 {
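Review bot: `SSL_set_verify(ssl, SSL_VERIFY_NONE, proxy_verify_callback)` is applied identically in ssl_client_init (hunk @@ -323), where it does far more than the subject's "not verify client certificate": on the connecting side SSL_VERIFY_NONE makes OpenSSL complete the handshake regardless of the verification outcome, so a context carrying CANL_SSL_VERIFY_NONE accepts any server certificate and the callback's return value no longer matters. If the intent is server-side only, the client branch should keep SSL_VERIFY_PEER or a separate flag should be introduced; if skipping server verification is intended, the flag's documentation has to say so explicitly. The comment this hunk deletes also recorded that with SSL_VERIFY_NONE no peer certificate is available; that still holds for the server, which then requests no client certificate, so ssl_get_peer() (hunk @@ -1124) would have nothing to print, and the caveat should survive as a comment, e.g. `/* CANL_SSL_VERIFY_NONE: no client cert is requested, so no peer cert will be available later */`. ssl_server_init starts before and ends after this hunk.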
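Review bot: canl_ctx_set_ssl_flags dereferences `glb_cc->mech_ctx` on its second line, but the `if (!cc) return EINVAL;` guard is placed after the m_ctx check, so a NULL context crashes before the guard can run, and `set_error(cc, …)` itself can be reached with cc NULL. Move the NULL check to the top: `if (!cc) return EINVAL;` ahead of `mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;`. Because `m_ctx->flags |= flags` only ORs bits in, a caller can never clear a flag and unknown bits are accepted silently; given that CANL_SSL_VERIFY_NONE weakens verification, rejecting bits outside the canl_ctx_ssl_flags enum with EINVAL would keep it from being enabled by a stray value. A header comment stating that flags accumulate across calls would also help callers.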
@@ -1124,7 +1146,7 @@ ssl_get_peer(glb_ctx *cc, io_handler *io, void *auth_ctx, canl_principal *peer)
         return set_error(cc, ENOMEM, POSIX_ERROR, "Not enough memory");
     subject = X509_get_subject_name(cert);
-    if (CANL_DN_OSSL & m_ctx->flags)
+    if (CANL_SSL_DN_OSSL & m_ctx->flags)
         ret = X509_NAME_print_ex(name_out, subject, 0, 0);
     else
         ret = X509_NAME_print_ex(name_out, subject, 0, XN_FLAG_RFC2253);
diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index 1ffb0bb..b057dcb 100644
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
@@ -8,11 +8,12 @@ extern "C" {
 #endif
 typedef enum canl_ctx_ssl_flags {
-    CANL_ACCEPT_SSLv2 = 0x0001,
-    CANL_DN_OSSL = 0x0002,
+    CANL_SSL_ACCEPT_SSLv2 = 0x0001,
+    CANL_SSL_DN_OSSL = 0x0002,
+    CANL_SSL_VERIFY_NONE = 0x0004,
 } canl_ctx_ssl_flags;
-canl_ctx CANL_CALLCONV
+canl_err_code CANL_CALLCONV
 canl_ctx_set_ssl_flags(canl_ctx, unsigned int);
 canl_err_code CANL_CALLCONV
-- 
1.8.2.3
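Review bot: The new `CANL_SSL_VERIFY_NONE = 0x0004` enumerator carries no comment, although the canl_ssl.c hunks show it switches both ssl_server_init and ssl_client_init to SSL_VERIFY_NONE; a public header should spell out that consequence, e.g. `/* Disable peer certificate verification on both server and client side; the handshake then succeeds with an unverified or absent peer certificate */`. Renaming CANL_ACCEPT_SSLv2 and CANL_DN_OSSL removes the old names, which breaks every caller that used them; if source compatibility matters, keep aliases such as `CANL_ACCEPT_SSLv2 = CANL_SSL_ACCEPT_SSLv2` in the enum. The return-type change to canl_err_code now agrees with the definition added in canl_ssl.c.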