From 4f2006b77ce1588665ffd3f48b433c7939fc3df2 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Tue, 14 Aug 2012 18:31:21 +0000
Subject: [PATCH] initialize SSL STORE and use it to verify OCSP response, (still does not work properly)
---
 emi.canl.canl-c/src/canl_mech_ssl.h | 1 +
 emi.canl.canl-c/src/canl_ocsp.c | 8 +++++---
 emi.canl.canl-c/src/canl_ocsp.h | 1 +
 emi.canl.canl-c/src/canl_ssl.c | 35 +++++++++++++++++++++++++++++++++--
 emi.canl.canl-c/src/canl_ssl.h | 5 ++++-
 emi.canl.canl-c/src/proxy/sslutils.c | 14 ++++++++++++--
 6 files changed, 56 insertions(+), 8 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_mech_ssl.h b/emi.canl.canl-c/src/canl_mech_ssl.h
index 6b16fa0..eb13544 100644
--- a/emi.canl.canl-c/src/canl_mech_ssl.h
+++ b/emi.canl.canl-c/src/canl_mech_ssl.h
@@ -19,6 +19,7 @@ typedef struct _mech_glb_ctx
 void *mech_ctx; //like SSL_CTX *
 unsigned int flags;
 char *ca_dir;
+ char *ca_file;
 char *crl_dir;
 cert_key_store *cert_key;
 } mech_glb_ctx;
diff --git a/emi.canl.canl-c/src/canl_ocsp.c b/emi.canl.canl-c/src/canl_ocsp.c
index b254194..5cc6836 100644
--- a/emi.canl.canl-c/src/canl_ocsp.c
+++ b/emi.canl.canl-c/src/canl_ocsp.c
@@ -233,21 +233,21 @@ store_dup(canl_x509store_t *store_from)
 if (store_from->ca_dir) {
 int len = strlen(store_from->ca_dir);
 store_to->ca_dir = (char *) malloc((len + 1) * sizeof (char));
- if (store_to->ca_dir)
+ if (!store_to->ca_dir)
 return NULL;
 strncpy (store_to->ca_dir, store_from->ca_dir, len + 1);
 }
 if (store_from->crl_dir) {
 int len = strlen(store_from->crl_dir);
 store_to->crl_dir = (char *) malloc((len + 1) * sizeof (char));
- if (store_to->crl_dir)
+ if (!store_to->crl_dir)
 return NULL;
 strncpy (store_to->crl_dir, store_from->crl_dir, len + 1);
 }
 return store_to;
 }
-static int
+int
 set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store)
 {
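Review bot: The new `ca_file` member gets an owner (canl_ctx_set_ca_fn stores a string in it in the canl_ssl.c hunk) but no hunk in this patch releases it; the teardown that frees `ca_dir` and `crl_dir` is outside the diff, so unless it already covers `ca_file` the path set during ssl_initialize leaks on every context destruction. Please check that teardown and add the matching free. A one-line comment on the field would also make the split between the two CA locations clear: `char *ca_file; /* CA bundle file set via canl_ctx_set_ca_fn(); ca_dir is the hashed CA directory */`.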
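Review bot: Both `return NULL;` paths in store_dup leak the partially built copy: `store_to` is allocated before the hunk, and the second failure additionally leaks `store_to->ca_dir`. The inverted checks are now correct, but each failure should release what has already been allocated (e.g. `canl_x509store_free(store_to)` if that helper tolerates a partially filled store, otherwise free the members and the struct by hand) before returning. The `malloc((len + 1) * sizeof (char))` followed by `strncpy` of exactly `len + 1` bytes is `strdup()` spelled out, which the patch itself uses in sslutils.c; `store_to->ca_dir = strdup(store_from->ca_dir);` plus a NULL check would shrink each branch to two lines. The start of store_dup is outside the hunk.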
@@ -256,6 +256,8 @@ set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store)
 if (!ocspreq)
 return 1;
 if (store){
+ if (ocspreq->store)
+ canl_x509store_free(ocspreq->store);
 ocspreq->store = store_dup(store);
 if (!ocspreq->store)
 return 1;
diff --git a/emi.canl.canl-c/src/canl_ocsp.h b/emi.canl.canl-c/src/canl_ocsp.h
index 3f9bf1f..24c48f2 100644
--- a/emi.canl.canl-c/src/canl_ocsp.h
+++ b/emi.canl.canl-c/src/canl_ocsp.h
@@ -48,6 +48,7 @@ int set_ocsp_skew(canl_ocsprequest_t *ocspreq, int skew);
 int set_ocsp_maxage(canl_ocsprequest_t *ocspreq, int maxage);
 int set_ocsp_url(canl_ocsprequest_t *ocspreq, char *url);
 int set_ocsp_issuer(canl_ocsprequest_t *ocspreq, X509 *issuer);
+int set_ocsp_store(canl_ocsprequest_t *ocspreq, canl_x509store_t *store);
 int ocsprequest_init(canl_ocsprequest_t **ocspreq);
 void ocsprequest_free(canl_ocsprequest_t *or);
diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index b2c2983..4f298ae 100644
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
@@ -59,8 +59,23 @@ ssl_initialize(glb_ctx *cc)
 return set_error(cc, ENOMEM, POSIX_ERROR, "Not enough memory");
 err = proxy_get_filenames(0, &ca_cert_fn, &ca_cert_dirn, NULL, NULL, NULL);
- if (!err && (ca_cert_fn || ca_cert_dirn))
- SSL_CTX_load_verify_locations(ssl_ctx, ca_cert_fn, ca_cert_dirn);
+ if (!err){
+ /* set ca dir and ca file to SSL_CTX*/
+ if (ca_cert_fn || ca_cert_dirn)
+ SSL_CTX_load_verify_locations(ssl_ctx, ca_cert_fn, ca_cert_dirn);
+ /* set ca dir and/or ca file to canl glb_ctx*/
+ if (!(*m_glb_ctx)->ca_file && ca_cert_fn && !access(ca_cert_fn, R_OK)) {
+ err = canl_ctx_set_ca_fn(cc, ca_cert_fn);
+ if (err)
+ return err;
+ }
+ if (!(*m_glb_ctx)->ca_dir && ca_cert_dirn && !access(ca_cert_dirn, R_OK)) {
+ err = canl_ctx_set_ca_dir(cc, ca_cert_dirn);
+ if (err)
+ return err;
+ }
+ }
+
 if (ca_cert_fn)
 free(ca_cert_fn);
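Review bot: set_ocsp_store is now exported through the header but its ownership contract is undocumented; the implementation attaches a copy made by store_dup, so the caller keeps its own `store` (the sslutils.c hunk depends on this when it frees `c_store` immediately after the call). Put the contract above the new prototype: `/* Attach a private copy of store to the request; the caller retains ownership of store. Returns non-zero on failure. */`.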
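Review bot: The two new `return err;` lines leave ssl_initialize before the `free(ca_cert_fn)` that follows the hunk (and presumably the matching release of `ca_cert_dirn`), so a failing setter leaks both strings from proxy_get_filenames and skips whatever other cleanup the rest of the function does. Route those failures through the existing cleanup instead, for example by jumping to a label placed above the frees and returning `err` from there. `SSL_CTX_load_verify_locations` still has its return value ignored, so a CA directory or bundle that fails to load is never reported to the caller; treating a zero return as an error via set_error() would make a misconfigured trust store visible at initialization rather than at the first failed handshake. The `access(..., R_OK)` probes are also a weak gate: they test the real rather than effective UID and the file can change before it is opened, so recording the paths and letting the later open report the error is simpler and equally safe. The rest of ssl_initialize is outside the hunk.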
@@ -1076,6 +1091,22 @@ canl_ctx_set_ca_dir(canl_ctx cc, const char *dir)
 return ssl_set_dir(glb_cc, &m_ctx->ca_dir, dir);
 }
+canl_err_code
+canl_ctx_set_ca_fn(canl_ctx cc, const char *fn)
+{
+ glb_ctx *glb_cc = (glb_ctx*) cc;
+ mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;
+
+ if (!cc)
+ return EINVAL;
+
+ if (!m_ctx)
+ return set_error(glb_cc, EINVAL, POSIX_ERROR, "SSL context not"
+ " initialized");
+
+ return ssl_set_dir(glb_cc, &m_ctx->ca_file, fn);
+}
+
 static canl_err_code
 ssl_get_peer(glb_ctx *cc, io_handler *io, void *auth_ctx, canl_principal *peer)
 {
diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index 87a41c7..1ffb0bb 100644
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
@@ -23,7 +23,10 @@ canl_err_code CANL_CALLCONV
 canl_ctx_set_ca_dir(canl_ctx, const char *);
 canl_err_code CANL_CALLCONV
-canl_ctx_set_crl_dir(canl_ctx, const char *);
+canl_ctx_set_ca_fn(canl_ctx, const char *);
+
+canl_err_code CANL_CALLCONV
+canl_ctx_sfncrl_dir(canl_ctx, const char *);
 canl_err_code CANL_CALLCONV
 canl_ctx_set_pkcs11_lib(canl_ctx, const char *);
diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index c972ff5..fbbd03a 100644
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
@@ -2081,13 +2081,13 @@ proxy_verify_callback(
 }
 #endif /* X509_V_ERR_CERT_REVOKED */
+ cert_dir = pvd->pvxd->certdir ? pvd->pvxd->certdir :
+ getenv(X509_CERT_DIR);
 /* Do not need to check self signed certs against ca_policy_file */
 if (X509_NAME_cmp(X509_get_subject_name(ctx->current_cert),
 X509_get_issuer_name(ctx->current_cert)))
 {
- cert_dir = pvd->pvxd->certdir ? pvd->pvxd->certdir :
- getenv(X509_CERT_DIR);
 {
 char * error_string = NULL;
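Review bot: `glb_cc->mech_ctx` is dereferenced in the initializer of `m_ctx` before the `if (!cc)` guard runs, so a NULL context crashes instead of returning EINVAL. Move the guard ahead of the dereference: `if (!cc) return EINVAL;` followed by `mech_glb_ctx *m_ctx = (mech_glb_ctx *)glb_cc->mech_ctx;`. The sibling canl_ctx_set_ca_dir directly above seems to share this shape (its body starts outside the hunk), so the same reordering probably belongs there too. Since ssl_set_dir is being reused for a file path, a header comment would prevent confusion: `/* Set the CA bundle file path on the SSL mechanism context; the string is stored by ssl_set_dir, see there for ownership. */`.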
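Review bot: The prototype of canl_ctx_set_crl_dir is replaced rather than kept: the new lines declare `canl_ctx_sfncrl_dir`, which nothing defines, while `canl_ctx_set_crl_dir` (presumably still defined in canl_ssl.c and called by users of the API) loses its declaration and will be implicitly declared or rejected by the compiler. Restore that line as `canl_ctx_set_crl_dir(canl_ctx, const char *);` and keep the added `canl_ctx_set_ca_fn` declaration in front of it.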
@@ -2196,6 +2196,16 @@ proxy_verify_callback(
 set_ocsp_cert(ocsp_data, ctx->current_cert);
 if (ctx->current_issuer)
 set_ocsp_issuer(ocsp_data, ctx->current_issuer);
+ if (cert_dir){
+ canl_x509store_t *c_store = NULL;
+ if (!canl_x509store_init(&c_store)) {
+ c_store->ca_dir = strdup(cert_dir);
+ set_ocsp_store(ocsp_data, c_store);
+ canl_x509store_free(c_store);
+ c_store = NULL;
+ }
+ }
+
 do_ocsp_verify (ocsp_data);
 /* TODO sign key and cert */
 }
--
1.8.2.3
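Review bot: Neither `strdup(cert_dir)` nor `set_ocsp_store(ocsp_data, c_store)` has its result checked, so on allocation failure the request reaches do_ocsp_verify with no trust store attached and the outcome depends on how do_ocsp_verify handles a missing store (not visible here); if it is lenient, an OCSP response would be accepted without being verified against the CA directory. Check both results (set_ocsp_store returns non-zero on failure) and treat a failed store setup as a verification failure rather than falling through to do_ocsp_verify. The `!canl_x509store_init(&c_store)` test assumes that helper returns 0 on success; confirm that against its definition. A short comment would also explain the immediate free, e.g. `/* set_ocsp_store() keeps its own copy, so the local store can be released right away */`. The enclosing proxy_verify_callback starts outside the hunk.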