#ifdef HAVE_OPENSSL_OCSP_H
/*
- * This function extracts the OCSP Responder URL
+ * This function extracts the OCSP Responder URL
* from an existing x509 certificate.
*/
static int ocsp_parse_cert_url(X509 *cert, char **phost, char **pport,
char **ppath, int *pssl)
{
int i;
-
+
AUTHORITY_INFO_ACCESS *aia;
ACCESS_DESCRIPTION *ad;
-
+
aia = X509_get_ext_d2i(cert, NID_info_access, NULL, NULL);
for (i = 0; i < sk_ACCESS_DESCRIPTION_num(aia); i++) {
ad = sk_ACCESS_DESCRIPTION_value(aia, 0);
if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
if (ad->location->type == GEN_URI) {
- if(OCSP_parse_url(ad->location->d.ia5->data,
+ if(OCSP_parse_url(ad->location->d.ia5->data,
phost, pport, ppath, pssl))
return 1;
}
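Review bot: The loop in ocsp_parse_cert_url calls `sk_ACCESS_DESCRIPTION_value(aia, 0)` on every pass, so only the first Authority Information Access entry is ever inspected even though `i` counts through the whole stack. A certificate whose first AIA entry is not an OCSP URI would yield no responder URL. The `ocsp_ok = 2; goto ocsp_skip;` lines later in this diff suggest the revocation check is then skipped rather than failed, though that path is not fully visible here. The line should read `ad = sk_ACCESS_DESCRIPTION_value(aia, i);`. The function body continues past this hunk, so it is not possible to confirm from here that `aia` is released with `AUTHORITY_INFO_ACCESS_free()` on the return paths.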
struct timeval when;
#endif
- /*
- * Create OCSP Request
+ /*
+ * Create OCSP Request
*/
certid = OCSP_cert_to_id(NULL, client_cert, issuer_cert);
req = OCSP_REQUEST_new();
if(conf->ocsp_use_nonce){
OCSP_request_add1_nonce(req, NULL, 8);
}
-
- /*
+
+ /*
* Send OCSP Request and get OCSP Response
*/
- /* Get OCSP responder URL */
+ /* Get OCSP responder URL */
if(conf->ocsp_override_url) {
OCSP_parse_url(conf->ocsp_url, &host, &port, &path, &use_ssl);
}
ocsp_ok = 2;
goto ocsp_skip;
}
-
+
DEBUG2("[ocsp] --> Responder URL = http://%s:%s%s", host, port, path);
/* Setup BIO socket to OCSP responder */
BIO_set_conn_port(cbio, port);
#if OPENSSL_VERSION_NUMBER < 0x1000003f
BIO_do_connect(cbio);
-
+
/* Send OCSP request and wait for response */
resp = OCSP_sendreq_bio(cbio, path, req);
if (!resp) {
switch (status) {
case V_OCSP_CERTSTATUS_GOOD:
DEBUG2("[oscp] --> Cert status: good");
- ocsp_ok = 1;
+ ocsp_ok = 1;
break;
default:
DEBUG2("[ocsp] --> Reason: %s", OCSP_crl_reason_str(reason));
BIO_puts(bio_out, "\tRevocation Time: ");
ASN1_GENERALIZEDTIME_print(bio_out, rev);
- BIO_puts(bio_out, "\n");
+ BIO_puts(bio_out, "\n");
break;
}
if (fd < 0) {
RDEBUG("Failed creating file in %s: %s",
conf->verify_tmp_dir, strerror(errno));
- break;
+ break;
}
fp = fdopen(fd, "w");
"TLS-Client-Cert-Filename",
filename, T_OP_SET)) {
RDEBUG("Failed creating TLS-Client-Cert-Filename");
-
+
goto do_unlink;
}
RDEBUG("Verifying client certificate: %s",
conf->verify_client_cert_cmd);
if (radius_exec_program(conf->verify_client_cert_cmd,
- request, 1, NULL, 0,
+ request, 1, NULL, 0,
request->packet->vps,
NULL, 1) != 0) {
radlog(L_AUTH, "rlm_eap_tls: Certificate CN (%s) fails external verification!", common_name);
static X509_STORE *init_revocation_store(EAP_TLS_CONF *conf)
{
X509_STORE *store = NULL;
-
+
store = X509_STORE_new();
/* Load the CAs we trust */
}
#ifdef X509_V_FLAG_CRL_CHECK
- if (conf->check_crl)
+ if (conf->check_crl)
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
#endif
return store;
#ifndef OPENSSL_NO_ECDH
static int set_ecdh_curve(SSL_CTX *ctx, const char *ecdh_curve)
{
- int nid;
- EC_KEY *ecdh;
+ int nid;
+ EC_KEY *ecdh;
if (!ecdh_curve || !*ecdh_curve) return 0;
- nid = OBJ_sn2nid(ecdh_curve);
- if (!nid) {
+ nid = OBJ_sn2nid(ecdh_curve);
+ if (!nid) {
radlog(L_ERR, "Unknown ecdh_curve \"%s\"", ecdh_curve);
return -1;
}
- ecdh = EC_KEY_new_by_curve_name(nid);
- if (!ecdh) {
+ ecdh = EC_KEY_new_by_curve_name(nid);
+ if (!ecdh) {
radlog(L_ERR, "Unable to create new curve \"%s\"", ecdh_curve);
return -1;
- }
+ }
- SSL_CTX_set_tmp_ecdh(ctx, ecdh);
+ SSL_CTX_set_tmp_ecdh(ctx, ecdh);
- SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
EC_KEY_free(ecdh);
/*
* We don't want to put the private key password in eap.conf, so check
* for our special string which indicates we should get the password
- * programmatically.
+ * programmatically.
*/
const char* special_string = "Apple:UseCertAdmin";
if (strncmp(conf->private_key_password,
/*
* Callbacks, etc. for session resumption.
- */
+ */
if (conf->session_cache_enable) {
SSL_CTX_sess_set_new_cb(ctx, cbtls_new_session);
SSL_CTX_sess_set_get_cb(ctx, cbtls_get_session);
* Cache it, and DON'T auto-clear it.
*/
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR);
-
+
SSL_CTX_set_session_id_context(ctx,
(unsigned char *) conf->session_context_id,
(unsigned int) strlen(conf->session_context_id));
* Our timeout is in hours, this is in seconds.
*/
SSL_CTX_set_timeout(ctx, conf->session_timeout * 3600);
-
+
/*
* Set the maximum number of entries in the
* session cache.
eaptls_handle_idx = SSL_get_ex_new_index(0, "eaptls_handle_idx",
NULL, NULL, NULL);
}
-
+
if (eaptls_conf_idx < 0) {
eaptls_conf_idx = SSL_get_ex_new_index(0, "eaptls_conf_idx",
NULL, NULL, NULL);
* the client can't re-use it.
*/
default:
- if (inst->conf.session_cache_enable) {
+ if (inst->conf.session_cache_enable) {
SSL_CTX_remove_session(inst->ctx,
tls_session->ssl->session);
}
* FIXME: Store miscellaneous data.
*/
RDEBUG2("Adding user data to cached session");
-
+
#if 0
SSL_SESSION_set_ex_data(tls_session->ssl->session,
ssl_session_idx_user_session, session_data);
eaptls_authenticate, /* authentication */
eaptls_detach /* detach */
};
+