freeDiameter: freeDiameter/config.c annotate

annotate freeDiameter/config.c @ 542:0b6cee362f5d

Enforce validation of local certificate upon daemon start.

author	Sebastien Decugis <sdecugis@nict.go.jp>
date	Mon, 13 Sep 2010 18:39:22 +0900
parents	097bae83b07a
children	7c9a00bfd115

rev	line source
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	1 /*********************************************************************************************************
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	2 * Software License Agreement (BSD License) *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	3 * Author: Sebastien Decugis <sdecugis@nict.go.jp> *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	4 * *
258 5df55136361b Updated copyright information Sebastien Decugis <sdecugis@nict.go.jp> parents: 253 diff changeset	5 * Copyright (c) 2010, WIDE Project and NICT *
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	6 * All rights reserved. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	7 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	8 * Redistribution and use of this software in source and binary forms, with or without modification, are *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	9 * permitted provided that the following conditions are met: *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	10 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	11 * * Redistributions of source code must retain the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	12 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	13 * following disclaimer. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	14 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	15 * * Redistributions in binary form must reproduce the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	16 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	17 * following disclaimer in the documentation and/or other *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	18 * materials provided with the distribution. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	19 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	20 * * Neither the name of the WIDE Project or NICT nor the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	21 * names of its contributors may be used to endorse or *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	22 * promote products derived from this software without *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	23 * specific prior written permission of WIDE Project and *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	24 * NICT. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	25 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	34 *********************************************************************************************************/
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	35
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	36 #include "fD.h"
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	37 #include <sys/stat.h>
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	38
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	39 /* Configuration management */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	40
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	41 #ifndef GNUTLS_DEFAULT_PRIORITY
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	42 # define GNUTLS_DEFAULT_PRIORITY "NORMAL"
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	43 #endif /* GNUTLS_DEFAULT_PRIORITY */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	44 #ifndef GNUTLS_DEFAULT_DHBITS
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	45 # define GNUTLS_DEFAULT_DHBITS 1024
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	46 #endif /* GNUTLS_DEFAULT_DHBITS */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	47
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	48 /* Initialize the fd_g_config structure to default values */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	49 int fd_conf_init()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	50 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	51 TRACE_ENTRY();
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	52
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	53 fd_g_config->cnf_eyec = EYEC_CONFIG;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	54
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	55 fd_g_config->cnf_timer_tc = 30;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	56 fd_g_config->cnf_timer_tw = 30;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	57
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	58 fd_g_config->cnf_port = 3868;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	59 fd_g_config->cnf_port_tls = 3869;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	60 fd_g_config->cnf_sctp_str = 30;
253 ad6c0118fb50 Configurable number of server threads Sebastien Decugis <sdecugis@nict.go.jp> parents: 189 diff changeset	61 fd_g_config->cnf_dispthr = 4;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	62 fd_list_init(&fd_g_config->cnf_endpoints, NULL);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	63 fd_list_init(&fd_g_config->cnf_apps, NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	64 #ifdef DISABLE_SCTP
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	65 fd_g_config->cnf_flags.no_sctp = 1;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	66 #endif /* DISABLE_SCTP */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	67
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	68 fd_g_config->cnf_orstateid = (uint32_t) time(NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	69
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	70 CHECK_FCT( fd_dict_init(&fd_g_config->cnf_dict) );
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	71 CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	72
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	73 /* TLS parameters */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	74 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	75 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	76
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	77 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	78 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	79
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	80 void fd_conf_dump()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	81 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	82 if (!TRACE_BOOL(INFO))
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	83 return;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	84
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	85 fd_log_debug("-- Configuration :\n");
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	86 fd_log_debug(" Debug trace level ...... : %+d\n", fd_g_debug_lvl);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	87 fd_log_debug(" Configuration file ..... : %s\n", fd_g_config->cnf_file);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	88 fd_log_debug(" Diameter Identity ...... : %s (l:%Zi)\n", fd_g_config->cnf_diamid, fd_g_config->cnf_diamid_len);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	89 fd_log_debug(" Diameter Realm ......... : %s (l:%Zi)\n", fd_g_config->cnf_diamrlm, fd_g_config->cnf_diamrlm_len);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	90 fd_log_debug(" Tc Timer ............... : %u\n", fd_g_config->cnf_timer_tc);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	91 fd_log_debug(" Tw Timer ............... : %u\n", fd_g_config->cnf_timer_tw);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	92 fd_log_debug(" Local port ............. : %hu\n", fd_g_config->cnf_port);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	93 fd_log_debug(" Local secure port ...... : %hu\n", fd_g_config->cnf_port_tls);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	94 fd_log_debug(" Number of SCTP streams . : %hu\n", fd_g_config->cnf_sctp_str);
253 ad6c0118fb50 Configurable number of server threads Sebastien Decugis <sdecugis@nict.go.jp> parents: 189 diff changeset	95 fd_log_debug(" Number of server threads : %hu\n", fd_g_config->cnf_dispthr);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	96 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	97 fd_log_debug(" Local endpoints ........ : Default (use all available)\n");
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	98 } else {
33 e6fcdf12b9a0 Added a lot of TODOs :) Sebastien Decugis <sdecugis@nict.go.jp> parents: 24 diff changeset	99 fd_log_debug(" Local endpoints ........ : \n");
e6fcdf12b9a0 Added a lot of TODOs :) Sebastien Decugis <sdecugis@nict.go.jp> parents: 24 diff changeset	100 fd_ep_dump( 29, &fd_g_config->cnf_endpoints );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	101 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	102 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_apps)) {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	103 fd_log_debug(" Local applications ..... : (none)\n");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	104 } else {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	105 struct fd_list * li = fd_g_config->cnf_apps.next;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	106 fd_log_debug(" Local applications ..... : ");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	107 while (li != &fd_g_config->cnf_apps) {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	108 struct fd_app * app = (struct fd_app *)li;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	109 if (li != fd_g_config->cnf_apps.next) fd_log_debug(" ");
106 783964757616 Fix display Sebastien Decugis <sdecugis@nict.go.jp> parents: 105 diff changeset	110 fd_log_debug("App: %u\t%s%s\tVnd: %u\n",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	111 app->appid,
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	112 app->flags.auth ? "Au" : "--",
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	113 app->flags.acct ? "Ac" : "--",
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	114 app->vndid);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	115 li = li->next;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	116 }
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	117 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	118
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	119 fd_log_debug(" Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	120 fd_log_debug(" - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	121 fd_log_debug(" - Relay app .... : %s\n", fd_g_config->cnf_flags.no_fwd ? "DISABLED" : "Enabled");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	122 fd_log_debug(" - TCP .......... : %s\n", fd_g_config->cnf_flags.no_tcp ? "DISABLED" : "Enabled");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	123 #ifdef DISABLE_SCTP
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	124 fd_log_debug(" - SCTP ......... : DISABLED (at compilation)\n");
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	125 #else /* DISABLE_SCTP */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	126 fd_log_debug(" - SCTP ......... : %s\n", fd_g_config->cnf_flags.no_sctp ? "DISABLED" : "Enabled");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	127 #endif /* DISABLE_SCTP */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	128 fd_log_debug(" - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP");
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	129 fd_log_debug(" - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port");
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	130
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	131 fd_log_debug(" TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)");
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	132 fd_log_debug(" - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)");
142 dee0a871abcd Added number of CA certificates for debug Sebastien Decugis <sdecugis@nict.go.jp> parents: 106 diff changeset	133 fd_log_debug(" - CA (trust) ... : %s (%d certs)\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)", fd_g_config->cnf_sec_data.ca_file_nr);
17 ab3c58d88be3 Added proper gcrypt initializer Sebastien Decugis <sdecugis@nict.go.jp> parents: 10 diff changeset	134 fd_log_debug(" - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)");
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	135 fd_log_debug(" - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')");
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	136 fd_log_debug(" - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS);
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	137
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	138 fd_log_debug(" Origin-State-Id ........ : %u\n", fd_g_config->cnf_orstateid);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	139 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	140
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	141 /* Parse the configuration file (using the yacc parser) */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	142 int fd_conf_parse()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	143 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	144 extern FILE * fddin;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	145
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	146 /* Attempt to find the configuration file */
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	147 if (!fd_g_config->cnf_file)
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	148 fd_g_config->cnf_file = FD_DEFAULT_CONF_FILENAME;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	149
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	150 fddin = fopen(fd_g_config->cnf_file, "r");
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	151 if ((fddin == NULL) && (*fd_g_config->cnf_file != '/')) {
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	152 /* We got a relative path, attempt to add the default directory prefix */
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	153 char * bkp = fd_g_config->cnf_file;
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	154 CHECK_MALLOC( fd_g_config->cnf_file = malloc(strlen(bkp) + strlen(DEFAULT_CONF_PATH) + 2) ); /* we will not free it, but not important */
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	155 sprintf( fd_g_config->cnf_file, DEFAULT_CONF_PATH "/%s", bkp );
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	156 fddin = fopen(fd_g_config->cnf_file, "r");
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	157 }
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	158 if (fddin == NULL) {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	159 int ret = errno;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	160 fprintf(stderr, "Unable to open configuration file %s for reading: %s\n", fd_g_config->cnf_file, strerror(ret));
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	161 return ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	162 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	163
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	164 /* call yacc parser */
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	165 TRACE_DEBUG (FULL, "Parsing configuration file: %s", fd_g_config->cnf_file);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	166 CHECK_FCT( fddparse(fd_g_config) );
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	167
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	168 /* close the file */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	169 fclose(fddin);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	170
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	171 /* Check that TLS private key was given */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	172 if (! fd_g_config->cnf_sec_data.key_file) {
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	173 fprintf(stderr, "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive.\n");
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	174 return EINVAL;
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	175 }
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	176
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	177 /* Resolve hostname if not provided */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	178 if (fd_g_config->cnf_diamid == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	179 #ifndef HOST_NAME_MAX
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	180 #define HOST_NAME_MAX 1024
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	181 #endif /* HOST_NAME_MAX */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	182 char buf[HOST_NAME_MAX + 1];
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	183 struct addrinfo hints, *info;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	184 int ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	185
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	186 /* local host name */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	187 CHECK_SYS(gethostname(buf, sizeof(buf)));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	188
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	189 /* get FQDN */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	190 memset(&hints, 0, sizeof hints);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	191 hints.ai_flags = AI_CANONNAME;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	192
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	193 ret = getaddrinfo(buf, NULL, &hints, &info);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	194 if (ret != 0) {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	195 fprintf(stderr, "Error resolving local FQDN :\n"
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	196 " '%s' : %s\n"
309 b1a7d6d5dec4 Fix directive names Sebastien Decugis <sdecugis@nict.go.jp> parents: 304 diff changeset	197 "Please provide Identity in configuration file.\n",
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	198 buf, gai_strerror(ret));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	199 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	200 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	201 CHECK_MALLOC( fd_g_config->cnf_diamid = strdup(info->ai_canonname) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	202 freeaddrinfo(info);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	203 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	204
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	205 /* cache the length of the diameter id for the session module */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	206 fd_g_config->cnf_diamid_len = strlen(fd_g_config->cnf_diamid);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	207
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	208 /* Handle the realm part */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	209 if (fd_g_config->cnf_diamrlm == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	210 char * start = NULL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	211
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	212 /* Check the diameter identity is a fqdn */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	213 start = strchr(fd_g_config->cnf_diamid, '.');
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	214 if ((start == NULL) \|\| (start[1] == '\0')) {
309 b1a7d6d5dec4 Fix directive names Sebastien Decugis <sdecugis@nict.go.jp> parents: 304 diff changeset	215 fprintf(stderr, "Unable to extract realm from the Identity '%s'.\n"
b1a7d6d5dec4 Fix directive names Sebastien Decugis <sdecugis@nict.go.jp> parents: 304 diff changeset	216 "Please fix your Identity setting or provide Realm.\n",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	217 fd_g_config->cnf_diamid);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	218 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	219 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	220
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	221 CHECK_MALLOC( fd_g_config->cnf_diamrlm = strdup( start + 1 ) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	222 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	223 fd_g_config->cnf_diamrlm_len = strlen(fd_g_config->cnf_diamrlm);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	224
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	225 /* Validate some flags */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	226 if (fd_g_config->cnf_flags.no_ip4 && fd_g_config->cnf_flags.no_ip6) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	227 fprintf(stderr, "IP and IPv6 cannot be disabled at the same time.\n");
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	228 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	229 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	230 if (fd_g_config->cnf_flags.no_tcp && fd_g_config->cnf_flags.no_sctp) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	231 fprintf(stderr, "TCP and SCTP cannot be disabled at the same time.\n");
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	232 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	233 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	234
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	235 /* Validate local endpoints */
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	236 if ((!FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) && (fd_g_config->cnf_flags.no_ip4 \|\| fd_g_config->cnf_flags.no_ip6)) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	237 struct fd_list * li;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	238 for ( li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	239 struct fd_endpoint * ep = (struct fd_endpoint *)li;
23 db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	240 if ( (fd_g_config->cnf_flags.no_ip4 && (ep->sa.sa_family == AF_INET))
db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	241 \|\|(fd_g_config->cnf_flags.no_ip6 && (ep->sa.sa_family == AF_INET6)) ) {
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	242 li = li->prev;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	243 fd_list_unlink(&ep->chain);
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	244 if (TRACE_BOOL(INFO)) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	245 fd_log_debug("Info: Removing local address conflicting with the flags no_IP / no_IP6 : ");
189 497fae9c8b77 Small fix Sebastien Decugis <sdecugis@nict.go.jp> parents: 142 diff changeset	246 sSA_DUMP_NODE( &ep->sa, NI_NUMERICHOST );
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	247 fd_log_debug("\n");
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	248 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	249 free(ep);
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	250 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	251 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	252 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	253
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	254 /* Configure TLS default parameters */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	255 if (! fd_g_config->cnf_sec_data.prio_string) {
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	256 const char * err_pos = NULL;
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	257 CHECK_GNUTLS_DO( gnutls_priority_init(
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	258 &fd_g_config->cnf_sec_data.prio_cache,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	259 GNUTLS_DEFAULT_PRIORITY,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	260 &err_pos),
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	261 { TRACE_DEBUG(INFO, "Error in priority string at position : %s", err_pos); return EINVAL; } );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	262 }
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	263 if (! fd_g_config->cnf_sec_data.dh_bits) {
59 067ab3fc6093 Cleanups in debug messages Sebastien Decugis <sdecugis@nict.go.jp> parents: 33 diff changeset	264 TRACE_DEBUG(INFO, "Generating Diffie-Hellman parameters of size %d (this takes a few seconds)... ", GNUTLS_DEFAULT_DHBITS);
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	265 CHECK_GNUTLS_DO( gnutls_dh_params_generate2(
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	266 fd_g_config->cnf_sec_data.dh_cache,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	267 GNUTLS_DEFAULT_DHBITS),
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	268 { TRACE_DEBUG(INFO, "Error in DH bits value : %d", GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	269 }
17 ab3c58d88be3 Added proper gcrypt initializer Sebastien Decugis <sdecugis@nict.go.jp> parents: 10 diff changeset	270
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	271
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	272 /* Verify that our certificate is valid -- otherwise remote peers will reject it */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	273 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	274 int ret = 0, i;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	275
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	276 gnutls_datum_t certfile;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	277 size_t alloc = 0;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	278
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	279 gnutls_x509_crt_t * certs = NULL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	280 unsigned int cert_max = 0;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	281
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	282 gnutls_x509_crt_t * CA_list;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	283 int CA_list_length;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	284
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	285 gnutls_x509_crl_t * CRL_list;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	286 int CRL_list_length;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	287
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	288 unsigned int verify;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	289 time_t now;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	290
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	291 memset(&certfile, 0, sizeof(certfile));
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	292
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	293 /* Read the certificate file */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	294 FILE *stream = fopen (fd_g_config->cnf_sec_data.cert_file, "rb");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	295 if (!stream) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	296 int err = errno;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	297 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s\n", fd_g_config->cnf_sec_data.cert_file, strerror(err));
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	298 return err;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	299 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	300 do {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	301 uint8_t * realloced = NULL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	302 size_t read = 0;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	303
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	304 if (alloc < certfile.size + BUFSIZ + 1) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	305 alloc += alloc / 2 + BUFSIZ + 1;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	306 CHECK_MALLOC_DO( realloced = realloc(certfile.data, alloc),
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	307 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	308 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	309 return ENOMEM;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	310 } )
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	311 certfile.data = realloced;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	312 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	313
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	314 read = fread( certfile.data + certfile.size, 1, alloc - certfile.size - 1, stream );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	315 certfile.size += read;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	316
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	317 if (ferror(stream)) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	318 int err = errno;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	319 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s\n", fd_g_config->cnf_sec_data.cert_file, strerror(err));
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	320 return err;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	321 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	322 } while (!feof(stream));
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	323 certfile.data[certfile.size] = '\0';
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	324 fclose(stream);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	325
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	326 /* Import the certificate(s) */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	327 GNUTLS_TRACE( ret = gnutls_x509_crt_list_import(NULL, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	328 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	329 CHECK_GNUTLS_DO(ret, return EINVAL);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	330 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	331
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	332 CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	333 CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, 0),
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	334 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	335 TRACE_DEBUG(INFO, "Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	336 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	337 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	338 } );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	339 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	340
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	341 ASSERT(cert_max >= 1);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	342
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	343 /* Now, verify the list against the local CA and CRL */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	344 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	345 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	346 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	347 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	348 TRACE_DEBUG(INFO, "Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	349 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	350 } );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	351 if (verify) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	352 fd_log_debug("TLS: Local certificate chain '%s' is invalid :\n", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	353 if (verify & GNUTLS_CERT_INVALID)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	354 fd_log_debug(" - The certificate is not trusted (unknown CA? expired?)\n");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	355 if (verify & GNUTLS_CERT_REVOKED)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	356 fd_log_debug(" - The certificate has been revoked.\n");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	357 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	358 fd_log_debug(" - The certificate hasn't got a known issuer.\n");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	359 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	360 fd_log_debug(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.\n");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	361 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	362 fd_log_debug(" - The certificate signature uses a weak algorithm.\n");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	363 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	364 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	365
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	366 /* Check the local Identity is valid with the certificate */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	367 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	368 fd_log_debug("TLS: Local certificate '%s' is invalid :\n", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	369 fd_log_debug(" - The certificate hostname does not match '%s'\n", fd_g_config->cnf_diamid);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	370 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	371 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	372
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	373 /* Check validity of all the certificates in the chain */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	374 now = time(NULL);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	375 for (i = 0; i < cert_max; i++)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	376 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	377 time_t deadline;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	378
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	379 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	380 if ((deadline != (time_t)-1) && (deadline < now)) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	381 fd_log_debug("TLS: Local certificate chain '%s' is invalid :\n", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	382 fd_log_debug(" - The certificate %d in the chain is expired\n", i);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	383 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	384 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	385
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	386 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	387 if ((deadline != (time_t)-1) && (deadline > now)) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	388 fd_log_debug("TLS: Local certificate chain '%s' is invalid :\n", fd_g_config->cnf_sec_data.cert_file);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	389 fd_log_debug(" - The certificate %d in the chain is not yet activated\n", i);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	390 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	391 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	392 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	393
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	394 /* Everything checked OK, free the certificate list */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	395 for (i = 0; i < cert_max; i++)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	396 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	397 GNUTLS_TRACE( gnutls_x509_crt_deinit (certs[i]) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	398 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	399 free(certs);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	400 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	401
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	402
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	403 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	404
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	405 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	406 }
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	407
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	408
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	409 /* Destroy contents of fd_g_config structure */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	410 int fd_conf_deinit()
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	411 {
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	412 TRACE_ENTRY();
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	413
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	414 /* Free the TLS parameters */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	415 gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	416 gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	417 gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	418
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	419 free(fd_g_config->cnf_sec_data.cert_file); fd_g_config->cnf_sec_data.cert_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	420 free(fd_g_config->cnf_sec_data.key_file); fd_g_config->cnf_sec_data.key_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	421 free(fd_g_config->cnf_sec_data.ca_file); fd_g_config->cnf_sec_data.ca_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	422 free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	423 free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	424
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	425 /* Destroy dictionary */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	426 CHECK_FCT_DO( fd_dict_fini(&fd_g_config->cnf_dict), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	427
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	428 /* Destroy the main event queue */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	429 CHECK_FCT_DO( fd_fifo_del(&fd_g_config->cnf_main_ev), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	430
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	431 /* Destroy the local endpoints and applications */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	432 CHECK_FCT_DO(fd_ep_filter(&fd_g_config->cnf_endpoints, 0 ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	433 CHECK_FCT_DO(fd_app_empty(&fd_g_config->cnf_apps ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	434
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	435 /* Destroy the local identity */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	436 free(fd_g_config->cnf_diamid); fd_g_config->cnf_diamid = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	437 free(fd_g_config->cnf_diamrlm); fd_g_config->cnf_diamrlm = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	438
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	439 return 0;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	440 }
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	441
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	442

Mercurial > hg > freeDiameter

annotate freeDiameter/config.c @ 542:0b6cee362f5d