support for checking certificate policy oids

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@426 e88ac4ed-0b26-0410-9574-a7f39faa03bf

diff --git a/gconfig.c b/gconfig.c
index 53d8c1e..5f16b8c 100644 (file)
--- a/gconfig.c
+++ b/gconfig.c
@@ -189,6 +189,16 @@ int popgconf(struct gconffile **cf) {
     return 1;
 }
 
+void freegconfmstr(char **mstr) {
+    int i;
+
+    if (mstr) {
+       for (i = 0; mstr[i]; i++)
+           free(mstr[i]);
+       free(mstr);
+    }
+}
+
 void freegconf(struct gconffile **cf) {
     int i;
 

diff --git a/gconfig.h b/gconfig.h
index 48e1e94..06dbf30 100644 (file)
--- a/gconfig.h
+++ b/gconfig.h
@@ -18,5 +18,6 @@ FILE *pushgconfpath(struct gconffile **cf, const char *path);
 FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description);
 FILE *pushgconfpaths(struct gconffile **cf, const char *path);
 int popgconf(struct gconffile **cf);
+void freegconfmstr(char **mstr);
 void freegconf(struct gconffile **cf);
 struct gconffile *openconfigfile(const char *file);

diff --git a/radsecproxy.c b/radsecproxy.c
index 9689d91..a682ead 100644 (file)
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -2359,25 +2359,26 @@ void tlsinit() {
     }
 }
 
-int setpolicyoids(X509_STORE *store, char **poids) {
+X509_VERIFY_PARAM *createverifyparams(char **poids) {
     X509_VERIFY_PARAM *pm;
     ASN1_OBJECT *pobject;
     int i;
     
     pm = X509_VERIFY_PARAM_new();
     if (!pm)
-       return 0;
+       return NULL;
     
     for (i = 0; poids[i]; i++) {
-       pobject =  OBJ_txt2obj(poids[i], 0);
-       if (!pobject)
-           return 0;       
+       pobject = OBJ_txt2obj(poids[i], 0);
+       if (!pobject) {
+           X509_VERIFY_PARAM_free(pm);
+           return NULL;
+       }
        X509_VERIFY_PARAM_add0_policy(pm, pobject);
     }
 
     X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY);
-    X509_STORE_set1_param(store, pm);
-    return 1;
+    return pm;
 }
 
 int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
@@ -2415,14 +2416,12 @@ int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
     SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);
 
-    if (conf->crlcheck || conf->policyoids) {
+    if (conf->crlcheck || conf->vpm) {
        x509_s = SSL_CTX_get_cert_store(ctx);
        if (conf->crlcheck)
            X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-       if (conf->policyoids && !setpolicyoids(x509_s, conf->policyoids)) {
-           debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name);
-           return 0; /* should free memory */
-       }
+       if (conf->vpm)
+           X509_STORE_set1_param(x509_s, conf->vpm);
     }
 
     debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
@@ -2470,7 +2469,22 @@ SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
        return NULL;
     }
 
+    if (conf->policyoids) {
+       if (!conf->vpm) {
+           conf->vpm = createverifyparams(conf->policyoids);
+           if (!conf->vpm) {
+               debug(DBG_ERR, "tlsaddcacrl: Failed to add policyOIDs in TLS context %s", conf->name);
+               SSL_CTX_free(ctx);
+               return NULL;
+           }
+       }
+    }
+
     if (!tlsaddcacrl(ctx, conf)) {
+       if (conf->vpm) {
+           X509_VERIFY_PARAM_free(conf->vpm);
+           conf->vpm = NULL;
+       }
        SSL_CTX_free(ctx);
        return NULL;
     }
@@ -3491,6 +3505,7 @@ int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *v
     free(conf->certfile);
     free(conf->certkeyfile);
     free(conf->certkeypwd);
+    freegconfmstr(conf->policyoids);
     free(conf);
     return 0;
 }

diff --git a/radsecproxy.h b/radsecproxy.h
index a29d733..0061104 100644 (file)
--- a/radsecproxy.h
+++ b/radsecproxy.h
@@ -159,6 +159,7 @@ struct tls {
     uint32_t cacheexpiry;
     uint32_t tlsexpiry;
     uint32_t dtlsexpiry;
+    X509_VERIFY_PARAM *vpm;
     SSL_CTX *tlsctx;
     SSL_CTX *dtlsctx;
 };