X-Git-Url: http://www.project-moonshot.org/gitweb/?a=blobdiff_plain;f=tlscommon.c;h=13a140a62a17df22f5c75eec9390994a7102e2ca;hb=68d851156019f743618b39d31f7674981ed18a71;hp=6260e37b4ba6f21927caab0ada30a20e0a82b5dd;hpb=2e4e8b5fd240d7f3647ba662b43d4e28f62260d7;p=libradsec.git diff --git a/tlscommon.c b/tlscommon.c index 6260e37..13a140a 100644 --- a/tlscommon.c +++ b/tlscommon.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2006-2009 Stig Venaas + * Copyright (C) 2010,2011 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -32,7 +33,6 @@ #include #include #include "debug.h" -#include "list.h" #include "hash.h" #include "util.h" #include "hostport.h" @@ -69,7 +69,7 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx) { debug(DBG_WARN, "verify error: num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf ? buf : ""); free(buf); buf = NULL; - + switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: if (err_cert) { @@ -96,9 +96,9 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx) { break; } } -#ifdef DEBUG +#ifdef DEBUG printf("certificate verify returns %d\n", ok); -#endif +#endif return ok; } @@ -135,11 +135,11 @@ static X509_VERIFY_PARAM *createverifyparams(char **poids) { X509_VERIFY_PARAM *pm; ASN1_OBJECT *pobject; int i; - + pm = X509_VERIFY_PARAM_new(); if (!pm) return NULL; - + for (i = 0; poids[i]; i++) { pobject = OBJ_txt2obj(poids[i], 0); if (!pobject) { 
@@ -203,31 +203,41 @@ static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) { static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) { SSL_CTX *ctx = NULL; unsigned long error; + long sslversion = SSLeay(); switch (type) { -#ifdef RADPROT_TLS +#ifdef RADPROT_TLS case RAD_TLS: ctx = SSL_CTX_new(TLSv1_method()); -#ifdef DEBUG +#ifdef DEBUG SSL_CTX_set_info_callback(ctx, ssl_info_callback); -#endif +#endif break; -#endif -#ifdef RADPROT_DTLS +#endif +#ifdef RADPROT_DTLS case RAD_DTLS: ctx = SSL_CTX_new(DTLSv1_method()); -#ifdef DEBUG +#ifdef DEBUG SSL_CTX_set_info_callback(ctx, ssl_info_callback); -#endif +#endif SSL_CTX_set_read_ahead(ctx, 1); break; -#endif +#endif } if (!ctx) { debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name); return NULL; } - + + if (sslversion < 0x00908100L || + (sslversion >= 0x10000000L && sslversion < 0x10000020L)) { + debug(DBG_WARN, "%s: %s seems to be of a version with a " + "certain security critical bug (fixed in OpenSSL 0.9.8p and " + "1.0.0b). Disabling OpenSSL session caching for context %p.", + __func__, SSLeay_version(SSLEAY_VERSION), ctx); + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); + } + if (conf->certkeypwd) { SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd); SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb); @@ -277,11 +287,11 @@ struct tls *tlsgettls(char *alt1, char *alt2) { SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { struct timeval now; - + if (!t) return NULL; gettimeofday(&now, NULL); - + switch (type) { #ifdef RADPROT_TLS case RAD_TLS: @@ -320,7 +330,7 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { X509 *verifytlscert(SSL *ssl) { X509 *cert; unsigned long error; - + if (SSL_get_verify_result(ssl) != X509_V_OK) { debug(DBG_ERR, "verifytlscert: basic validation failed"); while ((error = ERR_get_error())) 
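Review bot: In the `case RAD_TLS` and `case RAD_DTLS` arms of tlscreatectx, `SSL_CTX_set_info_callback(ctx, ssl_info_callback)` (under `#ifdef DEBUG`) and `SSL_CTX_set_read_ahead(ctx, 1)` run before the `if (!ctx)` check, so when `SSL_CTX_new()` fails the NULL context is handed to OpenSSL before the error is logged; moving that per-context setup below the check avoids it, as sketched below. The new version gate is rightly a runtime check (`SSLeay()` rather than a compile-time constant, since the loaded library may differ from the headers), but the log text only says "a certain security critical bug"; a comment above the `if`, such as `/* Work around <ADVISORY-REF>; drop once the minimum supported OpenSSL is 0.9.8p / 1.0.0b. */`, would tell a maintainer what the workaround is for and when it can be retired. As a style point, the new message uses `__func__` while the other messages in this function spell out `"tlscreatectx:"`; either is fine but they should agree. tlscreatectx continues past the end of the hunk.
```c
    /* … unchanged: switch (type) creating ctx, with the two setup calls below removed from the case arms … */
    if (!ctx) {
        debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
        return NULL;
    }
    /* ctx is known to be valid from here on */
#ifdef DEBUG
    SSL_CTX_set_info_callback(ctx, ssl_info_callback);
#endif
#ifdef RADPROT_DTLS
    if (type == RAD_DTLS)
        SSL_CTX_set_read_ahead(ctx, 1);
#endif
    /* … unchanged: OpenSSL version gate and password callback setup … */
```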
@@ -340,18 +350,18 @@ static int subjectaltnameaddr(X509 *cert, int family, struct in6_addr *addr) {
 X509_EXTENSION *ex;
 STACK_OF(GENERAL_NAME) *alt;
 GENERAL_NAME *gn;
-
+
 debug(DBG_DBG, "subjectaltnameaddr");
-
+
 loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
 if (loc < 0)
 return r;
-
+
 ex = X509_get_ext(cert, loc);
 alt = X509V3_EXT_d2i(ex);
 if (!alt)
 return r;
-
+
 n = sk_GENERAL_NAME_num(alt);
 for (i = 0; i < n; i++) {
 gn = sk_GENERAL_NAME_value(alt, i);
@@ -376,18 +386,18 @@ static int subjectaltnameregexp(X509 *cert, int type, char *exact, regex_t *reg
 X509_EXTENSION *ex;
 STACK_OF(GENERAL_NAME) *alt;
 GENERAL_NAME *gn;
-
+
 debug(DBG_DBG, "subjectaltnameregexp");
-
+
 loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
 if (loc < 0)
 return r;
-
+
 ex = X509_get_ext(cert, loc);
 alt = X509V3_EXT_d2i(ex);
 if (!alt)
 return r;
-
+
 n = sk_GENERAL_NAME_num(alt);
 for (i = 0; i < n; i++) {
 gn = sk_GENERAL_NAME_value(alt, i);
@@ -400,7 +410,7 @@ static int subjectaltnameregexp(X509 *cert, int type, char *exact, regex_t *reg
 continue;
 #ifdef DEBUG
 printfchars(NULL, gn->type == GEN_DNS ? "dns" : "uri", NULL, v, l);
-#endif
+#endif
 if (exact) {
 if (memcmp(v, exact, l))
 continue;
@@ -496,7 +506,7 @@ int certnamecheck(X509 *cert, struct list *hostports) {
 return 1;
 }
 debug(DBG_WARN, "certnamecheck: cn not matching host %s", hp->host);
- }
+ }
 }
 return 0;
 }
@@ -529,16 +539,16 @@ int verifyconfcert(X509 *cert, struct clsrvconf *conf) {
 int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) {
 struct tls *conf;
 long int expiry = LONG_MIN;
-
+
 debug(DBG_DBG, "conftls_cb called for %s", block);
-
+
 conf = malloc(sizeof(struct tls));
 if (!conf) {
 debug(DBG_ERR, "conftls_cb: malloc failed");
 return 0;
 }
 memset(conf, 0, sizeof(struct tls));
-
+
 if (!getgenericconfig(cf, block,
 "CACertificateFile", CONF_STR, &conf->cacertfile,
 "CACertificatePath", CONF_STR, &conf->cacertpath,
@@ -549,7 +559,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v "CRLCheck", CONF_BLN, &conf->crlcheck, "PolicyOID", CONF_MSTR, &conf->policyoids, NULL - )) { + )) { debug(DBG_ERR, "conftls_cb: configuration error in block %s", val); goto errexit; } @@ -567,7 +577,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v goto errexit; } conf->cacheexpiry = expiry; - } + } conf->name = stringcopy(val, 0); if (!conf->name) { @@ -586,7 +596,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v debug(DBG_DBG, "conftls_cb: added TLS block %s", val); return 1; - errexit: +errexit: free(conf->cacertfile); free(conf->cacertpath); free(conf->certfile); @@ -600,7 +610,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v int addmatchcertattr(struct clsrvconf *conf) { char *v; regex_t **r; - + if (!strncasecmp(conf->matchcertattr, "CN:/", 4)) { r = &conf->certcnregex; v = conf->matchcertattr + 4; @@ -635,3 +645,7 @@ int addmatchcertattr(struct clsrvconf *conf) { static void tlsdummy() { } #endif + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */