From cfa4bf5033f4da2cfeffa6608f24562cb5263852 Mon Sep 17 00:00:00 2001
From: Marcel Poul
Date: Sun, 3 Feb 2013 12:13:21 +0000
Subject: [PATCH] OCSP off by default, can be switched of by setting CANL_SSL_OCSP_VERIFY_ALL as a flag to canl_ctx_set_ssl_flags()
---
 emi.canl.canl-c/src/canl_cred.c | 9 ++++----
 emi.canl.canl-c/src/canl_ssl.c | 4 ++--
 emi.canl.canl-c/src/canl_ssl.h | 1 +
 emi.canl.canl-c/src/proxy/sslutils.c | 43 +++++++++++++++++++-----------------
 emi.canl.canl-c/src/proxy/sslutils.h | 2 ++
 5 files changed, 33 insertions(+), 26 deletions(-)
diff --git a/emi.canl.canl-c/src/canl_cred.c b/emi.canl.canl-c/src/canl_cred.c
index f101c31..18d0a43 100644
--- a/emi.canl.canl-c/src/canl_cred.c
+++ b/emi.canl.canl-c/src/canl_cred.c
@@ -9,7 +9,7 @@ static STACK_OF(X509)* my_sk_X509_dup(glb_ctx *cc, STACK_OF(X509) *stack);
 extern int proxy_verify_cert_chain(X509 * ucert, STACK_OF(X509) * cert_chain,
         proxy_verify_desc * pvd);
-extern proxy_verify_desc *pvd_setup_initializers(char *cadir);
+extern proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);
 extern void pvd_destroy_initializers(void *data);
 extern canl_error map_verify_result(unsigned long ssl_err,
         const X509_STORE_CTX *store_ctx, SSL *ssl);
@@ -698,7 +698,7 @@ canl_verify_chain(canl_ctx ctx, X509 *ucert, STACK_OF(X509) *cert_chain,
     int ret = 0;
     proxy_verify_desc *pvd = NULL; /* verification context */
-    pvd = pvd_setup_initializers(cadir);
+    pvd = pvd_setup_initializers(cadir, 0);
     ret = proxy_verify_cert_chain(ucert, cert_chain, pvd);
     pvd_destroy_initializers(pvd);
     if (ret)
@@ -719,7 +719,7 @@ canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir,
     unsigned long ssl_err = 0;
     canl_error canl_err = 0;
-    pvd = pvd_setup_initializers(cadir);
+    pvd = pvd_setup_initializers(cadir, 0);
     X509_STORE_CTX_set_ex_data(store_ctx, PVD_STORE_EX_DATA_IDX, (void *)pvd);
 #ifdef X509_V_FLAG_ALLOW_PROXY_CERTS
     X509_STORE_CTX_set_flags(store_ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
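Review bot: Passing a literal `0` to pvd_setup_initializers() in canl_verify_chain (and in the following -719 hunk for canl_verify_chain_wo_ossl) means CANL_SSL_OCSP_VERIFY_ALL can never take effect on these two entry points, although both receive a canl_ctx; only setup_SSL_proxy_handler in canl_ssl.c forwards `m_ctx->flags`. A caller who enables the flag on the context and then verifies a chain through either function gets no OCSP check and no indication that it was skipped. If the mech context's flags are reachable from ctx here as they are in setup_SSL_proxy_handler, forward them instead of `0`, e.g. `pvd = pvd_setup_initializers(cadir, m_ctx->flags);` after fetching m_ctx from ctx; otherwise both functions need a comment stating that OCSP is never performed by them. Both function bodies continue outside the hunk.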
@@ -750,7 +750,7 @@ canl_verify_chain_wo_ossl(canl_ctx ctx, char *cadir,
     return 0;
 }
-proxy_verify_desc *pvd_setup_initializers(char *cadir)
+proxy_verify_desc *pvd_setup_initializers(char *cadir, int pvxd_flags)
 {
     proxy_verify_ctx_desc *pvxd = NULL;
     proxy_verify_desc *pvd = NULL;
@@ -782,6 +782,7 @@ proxy_verify_desc *pvd_setup_initializers(char *cadir)
     }
     else
         pvd->pvxd->certdir = strdup(cadir);
+    pvd->pvxd->flags |= pvxd_flags;
     return pvd;
 }
diff --git a/emi.canl.canl-c/src/canl_ssl.c b/emi.canl.canl-c/src/canl_ssl.c
index 9221334..dbbe409 100644
--- a/emi.canl.canl-c/src/canl_ssl.c
+++ b/emi.canl.canl-c/src/canl_ssl.c
@@ -20,7 +20,7 @@ static canl_error map_proxy_error(int reason);
 static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
         int leave_pvd);
-extern proxy_verify_desc *pvd_setup_initializers(char *cadir);
+extern proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);
 extern void pvd_destroy_initializers(void *data);
 #ifdef DEBUG
@@ -392,7 +392,7 @@ static int setup_SSL_proxy_handler(glb_ctx *cc, SSL_CTX *ssl, char *cadir,
 {
     proxy_verify_desc *new_pvd = NULL;
     mech_glb_ctx *m_ctx = (mech_glb_ctx *)cc->mech_ctx;
-    new_pvd = pvd_setup_initializers(cadir);
+    new_pvd = pvd_setup_initializers(cadir, m_ctx->flags);
     if (new_pvd){
         SSL_CTX_set_ex_data(ssl, PVD_SSL_EX_DATA_IDX, new_pvd);
         if (!leave_pvd)
diff --git a/emi.canl.canl-c/src/canl_ssl.h b/emi.canl.canl-c/src/canl_ssl.h
index a3bf96b..ad8de11 100644
--- a/emi.canl.canl-c/src/canl_ssl.h
+++ b/emi.canl.canl-c/src/canl_ssl.h
@@ -12,6 +12,7 @@ typedef enum canl_ctx_ssl_flags {
     CANL_SSL_ACCEPT_SSLv2 = 0x0001,
     CANL_SSL_DN_OSSL = 0x0002,
     CANL_SSL_VERIFY_NONE = 0x0004,
+    CANL_SSL_OCSP_VERIFY_ALL = 0x0008,
 } canl_ctx_ssl_flags;
 canl_err_code CANL_CALLCONV
diff --git a/emi.canl.canl-c/src/proxy/sslutils.c b/emi.canl.canl-c/src/proxy/sslutils.c
index 6b594bd..5ece7f4 100644
--- a/emi.canl.canl-c/src/proxy/sslutils.c
+++ b/emi.canl.canl-c/src/proxy/sslutils.c
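Review bot: The definition in the -750 hunk names its new parameter `pvxd_flags` while both extern prototypes (canl_cred.c -9 hunk, canl_ssl.c -20 hunk) call it `flags`, and with the signature now changing in three hand-maintained places a mismatch would only show up at link time, or not at all. Move the prototype `proxy_verify_desc *pvd_setup_initializers(char *cadir, int flags);` into a shared header (sslutils.h already gains canl_ssl.h in this patch), delete the two externs, and use one parameter name throughout. A short comment on the definition saying the value is a canl_ctx_ssl_flags bit mask OR-ed into `pvd->pvxd->flags` would also help, since the parameter type is a bare int. The function body continues outside the hunk.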
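Review bot: `CANL_SSL_OCSP_VERIFY_ALL` is added to the public canl_ctx_ssl_flags enum with no comment, and leaving it unset now makes proxy_verify_callback skip the OCSP check it previously ran on every certificate, so a reader of canl_ssl.h cannot tell that revocation checking is opt-in. Document the default at the declaration: `CANL_SSL_OCSP_VERIFY_ALL = 0x0008, /* run an OCSP check on every certificate in the chain; OCSP is skipped unless this is set via canl_ctx_set_ssl_flags() */`. The other three values are equally undocumented, but this one changes a security default and deserves the note.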
@@ -1500,6 +1500,7 @@ proxy_verify_ctx_init(
     pvxd->magicnum = PVXD_MAGIC_NUMBER; /* used for debuging */
     pvxd->certdir = NULL;
     pvxd->goodtill = 0;
+    pvxd->flags = 0;
 }
 /**********************************************************************
@@ -2191,27 +2192,29 @@ proxy_verify_callback(
     /* OCSP check */
-    if (!ocsp_data)
-        ocsprequest_init(&ocsp_data);
     ret = 0;
-    if (ocsp_data) {
-        if (ctx->current_cert)
-            ocsp_data->cert = ctx->current_cert;
-        if (ctx->current_issuer)
-            ocsp_data->issuer = ctx->current_issuer;
-        if (cert_dir)
-            ocsp_data->store.ca_dir = cert_dir;
-
-        ocsp_data->skew = MAX_VALIDITY_PERIOD;
-        ocsp_data->maxage = -1;
-        if (ctx->chain)
-            ocsp_data->cert_chain = ctx->chain;
-        /*Timeout should be set here
-        ocsp_data->timeout = -1; */
-        ret = do_ocsp_verify (ocsp_data);
-        /* TODO sign key and cert */
-        ocsprequest_free(ocsp_data);
-        ocsp_data = NULL;
+    if (pvd->pvxd->flags & CANL_SSL_OCSP_VERIFY_ALL){
+        if (!ocsp_data)
+            ocsprequest_init(&ocsp_data);
+        if (ocsp_data) {
+            if (ctx->current_cert)
+                ocsp_data->cert = ctx->current_cert;
+            if (ctx->current_issuer)
+                ocsp_data->issuer = ctx->current_issuer;
+            if (cert_dir)
+                ocsp_data->store.ca_dir = cert_dir;
+
+            ocsp_data->skew = MAX_VALIDITY_PERIOD;
+            ocsp_data->maxage = -1;
+            if (ctx->chain)
+                ocsp_data->cert_chain = ctx->chain;
+            /*Timeout should be set here
+            ocsp_data->timeout = -1; */
+            ret = do_ocsp_verify (ocsp_data);
+            /* TODO sign key and cert */
+            ocsprequest_free(ocsp_data);
+            ocsp_data = NULL;
+        }
     }
     EVP_PKEY_free(key);
diff --git a/emi.canl.canl-c/src/proxy/sslutils.h b/emi.canl.canl-c/src/proxy/sslutils.h
index 016f237..6499bb8 100644
--- a/emi.canl.canl-c/src/proxy/sslutils.h
+++ b/emi.canl.canl-c/src/proxy/sslutils.h
@@ -61,6 +61,7 @@ EXTERN_C_BEGIN
 //canl headers
 #include "canl_ocsp.h"
+#include "canl_ssl.h"
 #if defined(__GNUC__)
 #if (__GNUC__ > 3 || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4))
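Review bot: Gating the whole block on `pvd->pvxd->flags & CANL_SSL_OCSP_VERIFY_ALL` leaves `ret` at 0 whenever the flag is unset, so a certificate an OCSP responder would report as revoked is accepted with no trace; unless a CRL check happens elsewhere in proxy_verify_callback (not visible in this hunk), the library now performs no revocation checking by default. The skipped path should at least be observable, for instance a debug-level log in an `else` branch, and the opt-in default should be stated where the flag is declared. The gate also dereferences `pvd->pvxd` unguarded; pvd_setup_initializers() can return NULL (canl_ssl.c tests `if (new_pvd)`), so if pvd can be NULL at this point the condition should be `if (pvd && pvd->pvxd && (pvd->pvxd->flags & CANL_SSL_OCSP_VERIFY_ALL)) {`. proxy_verify_callback starts and ends outside the hunk.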
@@ -325,6 +326,7 @@ typedef struct proxy_verify_ctx_desc_struct {
     int magicnum ;
     char * certdir;
     time_t goodtill;
+    int flags; //OCSP flags etc.
 } proxy_verify_ctx_desc ;
 /* proxy_verify_desc - allows for recursive verifys with delegation */
--
1.8.2.3
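Review bot: The comment `//OCSP flags etc.` on the new `flags` member does not say which bit definitions it holds; in this patch it receives canl_ctx_ssl_flags values through pvd_setup_initializers(), only CANL_SSL_OCSP_VERIFY_ALL is ever read (in proxy_verify_callback), and proxy_verify_ctx_init zeroes it. Suggest `int flags; /* canl_ctx_ssl_flags bits copied from the context; CANL_SSL_OCSP_VERIFY_ALL enables OCSP in proxy_verify_callback */`, in the `/* */` style the rest of the file uses rather than `//`. The struct opens before the hunk.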