freeDiameter: libfdcore/config.c annotate

annotate libfdcore/config.c @ 1396:188c82b6690b

Add ProcessingPeersPattern and ProcessingPeersMinimum parameters. If this is configured, the process will accept all connections from peers matching ProcessingPeersPattern, but will NOT accept connections from other peers until ProcessingPeersMinimum peers of the first type are connected. This allows relays to only go online if there are enough worker peers connected behind them.

author	Thomas Klausner <tk@giga.or.at>
date	Fri, 15 Nov 2019 11:38:30 +0100
parents	afe0ecdb0692
children	239ba25870d8

rev	line source
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	1 /*********************************************************************************************************
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	2 * Software License Agreement (BSD License) *
740 4a9f08d6b6ba Updated my mail address Sebastien Decugis <sdecugis@nict.go.jp> parents: 706 diff changeset	3 * Author: Sebastien Decugis <sdecugis@freediameter.net> *
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	4 * *
1281 ab6457399be2 Updated copyright information Sebastien Decugis <sdecugis@freediameter.net> parents: 1268 diff changeset	5 * Copyright (c) 2015, WIDE Project and NICT *
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	6 * All rights reserved. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	7 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	8 * Redistribution and use of this software in source and binary forms, with or without modification, are *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	9 * permitted provided that the following conditions are met: *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	10 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	11 * * Redistributions of source code must retain the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	12 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	13 * following disclaimer. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	14 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	15 * * Redistributions in binary form must reproduce the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	16 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	17 * following disclaimer in the documentation and/or other *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	18 * materials provided with the distribution. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	19 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	20 * * Neither the name of the WIDE Project or NICT nor the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	21 * names of its contributors may be used to endorse or *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	22 * promote products derived from this software without *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	23 * specific prior written permission of WIDE Project and *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	24 * NICT. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	25 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	34 *********************************************************************************************************/
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	35
658 f198d16fa7f4 Initial commit for 1.1.0: Sebastien Decugis <sdecugis@nict.go.jp> parents: 578 diff changeset	36 #include "fdcore-internal.h"
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	37 #include <sys/stat.h>
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	38
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	39 /* Configuration management */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	40
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	41 #ifndef GNUTLS_DEFAULT_PRIORITY
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	42 # define GNUTLS_DEFAULT_PRIORITY "NORMAL"
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	43 #endif /* GNUTLS_DEFAULT_PRIORITY */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	44 #ifndef GNUTLS_DEFAULT_DHBITS
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	45 # define GNUTLS_DEFAULT_DHBITS 1024
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	46 #endif /* GNUTLS_DEFAULT_DHBITS */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	47
658 f198d16fa7f4 Initial commit for 1.1.0: Sebastien Decugis <sdecugis@nict.go.jp> parents: 578 diff changeset	48 /* Initialize the fd_g_config structure to default values -- it should already have been initialized to all-0 */
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	49 int fd_conf_init()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	50 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	51 TRACE_ENTRY();
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	52
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	53 fd_g_config->cnf_eyec = EYEC_CONFIG;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	54
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	55 fd_g_config->cnf_timer_tc = 30;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	56 fd_g_config->cnf_timer_tw = 30;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	57
897 d8d0772586ad Use correct default port for outgoing connections even when local port is not the default one Sebastien Decugis <sdecugis@freediameter.net> parents: 820 diff changeset	58 fd_g_config->cnf_port = DIAMETER_PORT;
d8d0772586ad Use correct default port for outgoing connections even when local port is not the default one Sebastien Decugis <sdecugis@freediameter.net> parents: 820 diff changeset	59 fd_g_config->cnf_port_tls = DIAMETER_SECURE_PORT;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	60 fd_g_config->cnf_sctp_str = 30;
1189 50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	61 fd_g_config->cnf_thr_srv = 5;
1396 188c82b6690b Add ProcessingPeersPattern and ProcessingPeersMinimum parameters. Thomas Klausner <tk@giga.or.at> parents: 1326 diff changeset	62 fd_g_config->cnf_processing_peers_minimum = 0;
253 ad6c0118fb50 Configurable number of server threads Sebastien Decugis <sdecugis@nict.go.jp> parents: 189 diff changeset	63 fd_g_config->cnf_dispthr = 4;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	64 fd_list_init(&fd_g_config->cnf_endpoints, NULL);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	65 fd_list_init(&fd_g_config->cnf_apps, NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	66 #ifdef DISABLE_SCTP
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	67 fd_g_config->cnf_flags.no_sctp = 1;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	68 #endif /* DISABLE_SCTP */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	69
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	70 fd_g_config->cnf_orstateid = (uint32_t) time(NULL);
1326 afe0ecdb0692 Add config option if Route-Record AVPs should be added in Answers. Thomas Klausner <tk@giga.or.at> parents: 1281 diff changeset	71 fd_g_config->cnf_rr_in_answers = 1;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	72
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	73 CHECK_FCT( fd_dict_init(&fd_g_config->cnf_dict) );
767 c47c16436f71 Added a limit on fifo queues to avoid memory exaustion when messages are received faster than handled Sebastien Decugis <sdecugis@nict.go.jp> parents: 740 diff changeset	74 CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	75
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	76 /* TLS parameters */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	77 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	78 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM );
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	79 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	80 CHECK_GNUTLS_DO( gnutls_x509_trust_list_init(&fd_g_config->cnf_sec_data.trustlist, 0), return ENOMEM );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	81 #endif /* GNUTLS_VERSION_300 */
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	82
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	83 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	84 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	85
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	86 DECLARE_FD_DUMP_PROTOTYPE(fd_conf_dump)
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	87 {
1093 44f3e48dfe27 Align the behavior of all fd_dump functions wrt final \n Sebastien Decugis <sdecugis@freediameter.net>* parents: 1085 diff changeset	88 FD_DUMP_HANDLE_OFFSET();
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	89
1119 79dd22145f52 Fix a number of compilation warnings Sebastien Decugis <sdecugis@freediameter.net> parents: 1113 diff changeset	90 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "freeDiameter configuration:\n"), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	91 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Default trace level .... : %+d\n", fd_g_debug_lvl), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	92 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Configuration file ..... : %s\n", fd_g_config->cnf_file), return NULL);
1253 3734341ad03b Fix format string. Thomas Klausner <tk@giga.or.at> parents: 1189 diff changeset	93 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Identity ...... : %s (l:%zi)\n", fd_g_config->cnf_diamid, fd_g_config->cnf_diamid_len), return NULL);
3734341ad03b Fix format string. Thomas Klausner <tk@giga.or.at> parents: 1189 diff changeset	94 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Realm ......... : %s (l:%zi)\n", fd_g_config->cnf_diamrlm, fd_g_config->cnf_diamrlm_len), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	95 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tc Timer ............... : %u\n", fd_g_config->cnf_timer_tc), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	96 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tw Timer ............... : %u\n", fd_g_config->cnf_timer_tw), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	97 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local port ............. : %hu\n", fd_g_config->cnf_port), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	98 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local secure port ...... : %hu\n", fd_g_config->cnf_port_tls), return NULL);
1181 22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	99 if (fd_g_config->cnf_port_3436) {
22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	100 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local SCTP TLS port .... : %hu\n", fd_g_config->cnf_port_3436), return NULL);
22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	101 }
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	102 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of SCTP streams . : %hu\n", fd_g_config->cnf_sctp_str), return NULL);
1189 50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	103 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of clients thr .. : %d\n", fd_g_config->cnf_thr_srv), return NULL);
50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	104 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of app threads .. : %hu\n", fd_g_config->cnf_dispthr), return NULL);
1396 188c82b6690b Add ProcessingPeersPattern and ProcessingPeersMinimum parameters. Thomas Klausner <tk@giga.or.at> parents: 1326 diff changeset	105 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Minimal processing peers : %hu\n", fd_g_config->cnf_processing_peers_minimum), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	106 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) {
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	107 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : Default (use all available)\n"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	108 } else {
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	109 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : "), return NULL);
eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	110 CHECK_MALLOC_DO( fd_ep_dump( FD_DUMP_STD_PARAMS, 0, 0, &fd_g_config->cnf_endpoints ), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	111 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	112 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_apps)) {
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	113 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : (none)"), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	114 } else {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	115 struct fd_list * li = fd_g_config->cnf_apps.next;
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	116 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : "), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	117 while (li != &fd_g_config->cnf_apps) {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	118 struct fd_app * app = (struct fd_app *)li;
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	119 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "App: %u,%s%s,Vnd:%u\t",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	120 app->appid,
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	121 app->flags.auth ? "Au" : "--",
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	122 app->flags.acct ? "Ac" : "--",
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	123 app->vndid), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	124 li = li->next;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	125 }
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	126 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	127
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	128 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled"), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	129 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	130 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Relay app .... : %s\n", fd_g_config->cnf_flags.no_fwd ? "DISABLED" : "Enabled"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	131 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TCP .......... : %s\n", fd_g_config->cnf_flags.no_tcp ? "DISABLED" : "Enabled"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	132 #ifdef DISABLE_SCTP
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	133 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : DISABLED (at compilation)\n"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	134 #else /* DISABLE_SCTP */
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	135 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : %s\n", fd_g_config->cnf_flags.no_sctp ? "DISABLED" : "Enabled"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	136 #endif /* DISABLE_SCTP */
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	137 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	138 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port"), return NULL);
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	139
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	140 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	141 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	142 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CA (trust) ... : %s (%d certs)\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)", fd_g_config->cnf_sec_data.ca_file_nr), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	143 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	144 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	145 if (fd_g_config->cnf_sec_data.dh_file) {
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	146 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH file ...... : %s\n", fd_g_config->cnf_sec_data.dh_file), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	147 } else {
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	148 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	149 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	150
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	151 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Origin-State-Id ........ : %u", fd_g_config->cnf_orstateid), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	152
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	153 return *buf;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	154 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	155
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	156 /* read contents of a file opened in "rb" mode and alloc this data into a gnutls_datum_t (must be freed afterwards) */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	157 int fd_conf_stream_to_gnutls_datum(FILE * pemfile, gnutls_datum_t *out)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	158 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	159 size_t alloc = 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	160
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	161 CHECK_PARAMS( pemfile && out );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	162 memset(out, 0, sizeof(gnutls_datum_t));
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	163
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	164 do {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	165 uint8_t * realloced = NULL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	166 size_t read = 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	167
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	168 if (alloc < out->size + BUFSIZ + 1) {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	169 alloc += alloc / 2 + BUFSIZ + 1;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	170 CHECK_MALLOC_DO( realloced = realloc(out->data, alloc),
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	171 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	172 free(out->data);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	173 return ENOMEM;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	174 } )
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	175 out->data = realloced;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	176 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	177
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	178 read = fread( out->data + out->size, 1, alloc - out->size - 1, pemfile );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	179 out->size += read;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	180
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	181 if (ferror(pemfile)) {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	182 int err = errno;
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	183 TRACE_DEBUG(INFO, "An error occurred while reading file: %s", strerror(err));
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	184 return err;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	185 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	186 } while (!feof(pemfile));
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	187
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	188 out->data[out->size] = '\0';
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	189 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	190 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	191
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	192 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	193 /* inspired from GnuTLS manual */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	194 static int fd_conf_print_details_func (gnutls_x509_crt_t cert,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	195 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	196 unsigned int verification_output)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	197 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	198 char name[512];
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	199 char issuer_name[512];
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	200 size_t name_size;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	201 size_t issuer_name_size;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	202
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	203 if (!TRACE_BOOL(GNUTLS_DBG_LEVEL))
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	204 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	205
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	206 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	207 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	208
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	209 name_size = sizeof (name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	210 gnutls_x509_crt_get_dn (cert, name, &name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	211
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	212 fd_log_debug("\tSubject: %s", name);
2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	213 fd_log_debug("\tIssuer: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	214
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	215 if (issuer != NULL)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	216 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	217 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	218 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	219
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	220 fd_log_debug("\tVerified against: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	221 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	222
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	223 if (crl != NULL)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	224 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	225 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	226 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	227
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	228 fd_log_debug("\tVerified against CRL of: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	229 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	230
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	231 fd_log_debug("\tVerification output: %x", verification_output);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	232
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	233 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	234 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	235 #endif /* GNUTLS_VERSION_300 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	236
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	237 #ifndef GNUTLS_VERSION_300
1034 f4a73a991623 Fix warning on old GCC versions Sebastien Decugis <sdecugis@freediameter.net> parents: 1033 diff changeset	238 GCC_DIAG_OFF("-Wdeprecated-declarations")
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	239 #endif /* !GNUTLS_VERSION_300 */
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	240 /* Parse the configuration file (using the yacc parser) */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	241 int fd_conf_parse()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	242 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	243 extern FILE * fddin;
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	244 const char * orig = NULL;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	245
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	246 /* Attempt to find the configuration file */
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	247 if (!fd_g_config->cnf_file)
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	248 fd_g_config->cnf_file = FD_DEFAULT_CONF_FILENAME;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	249
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	250 fddin = fopen(fd_g_config->cnf_file, "r");
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	251 if ((fddin == NULL) && (*fd_g_config->cnf_file != '/')) {
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	252 char * new_cnf = NULL;
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	253 /* We got a relative path, attempt to add the default directory prefix */
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	254 orig = fd_g_config->cnf_file;
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	255 CHECK_MALLOC( new_cnf = malloc(strlen(orig) + strlen(DEFAULT_CONF_PATH) + 2) ); /* we will not free it, but not important */
cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	256 sprintf( new_cnf, DEFAULT_CONF_PATH "/%s", orig );
cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	257 fd_g_config->cnf_file = new_cnf;
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	258 fddin = fopen(fd_g_config->cnf_file, "r");
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	259 }
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	260 if (fddin == NULL) {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	261 int ret = errno;
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	262 LOG_F("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s",
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	263 orig ?: "", orig? " and " : "", fd_g_config->cnf_file, strerror(ret));
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	264 return ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	265 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	266
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	267 /* call yacc parser */
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	268 TRACE_DEBUG (FULL, "Parsing configuration file: %s", fd_g_config->cnf_file);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	269 CHECK_FCT( fddparse(fd_g_config) );
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	270
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	271 /* close the file */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	272 fclose(fddin);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	273
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	274 /* Check that TLS private key was given */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	275 if (! fd_g_config->cnf_sec_data.key_file) {
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	276 /* If TLS is not enabled, we allow empty TLS configuration */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	277 if ((fd_g_config->cnf_port_tls == 0) && (fd_g_config->cnf_flags.tls_alg == 0)) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	278 LOG_N("TLS is disabled, this is NOT a recommended practice! Diameter protocol conveys highly sensitive information on your users.");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	279 fd_g_config->cnf_sec_data.tls_disabled = 1;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	280 } else {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	281 LOG_F( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive.");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	282 return EINVAL;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	283 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	284 }
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	285
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	286 /* Resolve hostname if not provided */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	287 if (fd_g_config->cnf_diamid == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	288 char buf[HOST_NAME_MAX + 1];
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	289 struct addrinfo hints, *info;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	290 int ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	291
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	292 /* local host name */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	293 CHECK_SYS(gethostname(buf, sizeof(buf)));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	294
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	295 /* get FQDN */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	296 memset(&hints, 0, sizeof hints);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	297 hints.ai_flags = AI_CANONNAME;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	298
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	299 ret = getaddrinfo(buf, NULL, &hints, &info);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	300 if (ret != 0) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	301 TRACE_ERROR( "Error resolving local FQDN : '%s' : %s"
1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	302 ". Please provide Identity in configuration file.",
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	303 buf, gai_strerror(ret));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	304 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	305 }
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	306 fd_g_config->cnf_diamid = info->ai_canonname;
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	307 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 1) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	308 freeaddrinfo(info);
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	309 } else {
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	310 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	311 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	312
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	313 /* Handle the realm part */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	314 if (fd_g_config->cnf_diamrlm == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	315 char * start = NULL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	316
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	317 /* Check the diameter identity is a fqdn */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	318 start = strchr(fd_g_config->cnf_diamid, '.');
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	319 if ((start == NULL) \|\| (start[1] == '\0')) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	320 TRACE_ERROR( "Unable to extract realm from the Identity '%s'."
1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	321 " Please fix your Identity setting or provide Realm.",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	322 fd_g_config->cnf_diamid);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	323 return EINVAL;
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	324 }
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	325
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	326 fd_g_config->cnf_diamrlm = start + 1;
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	327 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 1) );
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	328 } else {
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	329 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	330 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	331
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	332 /* Validate some flags */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	333 if (fd_g_config->cnf_flags.no_ip4 && fd_g_config->cnf_flags.no_ip6) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	334 TRACE_ERROR( "IP and IPv6 cannot be disabled at the same time.");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	335 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	336 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	337 if (fd_g_config->cnf_flags.no_tcp && fd_g_config->cnf_flags.no_sctp) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	338 TRACE_ERROR( "TCP and SCTP cannot be disabled at the same time.");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	339 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	340 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	341
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	342 /* Validate local endpoints */
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	343 if ((!FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) && (fd_g_config->cnf_flags.no_ip4 \|\| fd_g_config->cnf_flags.no_ip6)) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	344 struct fd_list * li;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	345 for ( li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	346 struct fd_endpoint * ep = (struct fd_endpoint *)li;
23 db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	347 if ( (fd_g_config->cnf_flags.no_ip4 && (ep->sa.sa_family == AF_INET))
db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	348 \|\|(fd_g_config->cnf_flags.no_ip6 && (ep->sa.sa_family == AF_INET6)) ) {
1107 96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	349 char sa_buf[sSA_DUMP_STRLEN];;
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	350 li = li->prev;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	351 fd_list_unlink(&ep->chain);
1107 96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	352 fd_sa_sdump_numeric(sa_buf, &ep->sa);
96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	353 LOG_N("Info: Removing local address conflicting with the flags no_IP / no_IP6 : %s", sa_buf);
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	354 free(ep);
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	355 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	356 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	357 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	358
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	359 /* Configure TLS default parameters */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	360 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.prio_string)) {
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	361 const char * err_pos = NULL;
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	362 CHECK_GNUTLS_DO( gnutls_priority_init(
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	363 &fd_g_config->cnf_sec_data.prio_cache,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	364 GNUTLS_DEFAULT_PRIORITY,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	365 &err_pos),
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	366 { TRACE_ERROR("Error in priority string at position : %s", err_pos); return EINVAL; } );
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	367 }
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	368
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	369 /* Verify that our certificate is valid -- otherwise remote peers will reject it */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	370 if (!fd_g_config->cnf_sec_data.tls_disabled) {
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	371 int ret = 0, i;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	372
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	373 gnutls_datum_t certfile;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	374
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	375 gnutls_x509_crt_t * certs = NULL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	376 unsigned int cert_max = 0;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	377
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	378
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	379 /* Read the certificate file */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	380 FILE *stream = fopen (fd_g_config->cnf_sec_data.cert_file, "rb");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	381 if (!stream) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	382 int err = errno;
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	383 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.cert_file, strerror(err));
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	384 return err;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	385 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	386 CHECK_FCT( fd_conf_stream_to_gnutls_datum(stream, &certfile) );
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	387 fclose(stream);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	388
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	389 /* Import the certificate(s) */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	390 GNUTLS_TRACE( ret = gnutls_x509_crt_list_import(NULL, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	391 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	392 CHECK_GNUTLS_DO(ret, return EINVAL);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	393 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	394
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	395 CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) );
820 0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	396 CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM,
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	397 #ifdef GNUTLS_VERSION_300
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	398 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	399 #else /* GNUTLS_VERSION_300 */
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	400 0
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	401 #endif /* GNUTLS_VERSION_300 */
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	402 ),
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	403 {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	404 TRACE_ERROR("Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file);
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	405 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	406 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	407 } );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	408 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	409
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	410 ASSERT(cert_max >= 1);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	411
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	412 /* Now, verify the list against the local CA and CRL */
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	413
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	414 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	415
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	416 /* We use the trust list for this purpose */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	417 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	418 unsigned int output;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	419
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	420 gnutls_x509_trust_list_verify_named_crt (
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	421 fd_g_config->cnf_sec_data.trustlist,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	422 certs[0],
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	423 fd_g_config->cnf_diamid,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	424 fd_g_config->cnf_diamid_len,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	425 0,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	426 &output,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	427 fd_conf_print_details_func);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	428
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	429 /* if this certificate is not explicitly trusted verify against CAs
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	430 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	431 if (output != 0)
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	432 {
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	433 gnutls_x509_trust_list_verify_crt (
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	434 fd_g_config->cnf_sec_data.trustlist,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	435 certs,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	436 cert_max,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	437 0,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	438 &output,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	439 fd_conf_print_details_func);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	440 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	441
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	442 if (output & GNUTLS_CERT_INVALID)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	443 {
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	444 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	445 if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
1184 8c340f832127 Remove auto-use of the certificate as CA when CA was not provided, since now TLS_cred can be ignored when TLS is not used. Sebastien Decugis <sdecugis@freediameter.net> parents: 1181 diff changeset	446 TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	447 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	448 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	449 if (output & GNUTLS_CERT_NOT_ACTIVATED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	450 TRACE_ERROR(" - The certificate is not yet activated.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	451 if (output & GNUTLS_CERT_EXPIRED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	452 TRACE_ERROR(" - The certificate is expired.");
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	453 return EINVAL;
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	454 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	455
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	456 /* Now check the subject matches our hostname */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	457 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid))
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	458 {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	459 TRACE_ERROR("TLS: The certificate owner does not match the hostname '%s'", fd_g_config->cnf_diamid);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	460 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	461 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	462
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	463 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	464
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	465
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	466 #else /* GNUTLS_VERSION_300 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	467
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	468 /* GnuTLS 2.x way of checking certificates */
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	469 {
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	470 gnutls_x509_crt_t * CA_list;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	471 int CA_list_length;
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	472
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	473 gnutls_x509_crl_t * CRL_list;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	474 int CRL_list_length;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	475
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	476 unsigned int verify;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	477 time_t now;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	478 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	479 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	480 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	481 {
1008 d3d2a32320c4 Fix a compilation warning and protect CHECK_GNUTLS_DO macro Sebastien Decugis <sdecugis@freediameter.net> parents: 1006 diff changeset	482 TRACE_ERROR("Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	483 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	484 } );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	485
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	486 if (verify) {
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	487 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	488 if (verify & GNUTLS_CERT_INVALID)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	489 TRACE_ERROR(" - The certificate is not trusted (unknown CA? expired?)");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	490 if (verify & GNUTLS_CERT_REVOKED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	491 TRACE_ERROR(" - The certificate has been revoked.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	492 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	493 TRACE_ERROR(" - The certificate hasn't got a known issuer.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	494 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	495 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	496 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	497 TRACE_ERROR(" - The certificate signature uses a weak algorithm.");
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	498 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	499 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	500
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	501 /* Check the local Identity is valid with the certificate */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	502 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	503 TRACE_ERROR("TLS: Local certificate '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	504 TRACE_ERROR(" - The certificate hostname does not match '%s'", fd_g_config->cnf_diamid);
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	505 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	506 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	507
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	508 /* Check validity of all the certificates in the chain */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	509 now = time(NULL);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	510 for (i = 0; i < cert_max; i++)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	511 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	512 time_t deadline;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	513
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	514 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	515 if ((deadline != (time_t)-1) && (deadline < now)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	516 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	517 TRACE_ERROR(" - The certificate %d in the chain is expired", i);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	518 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	519 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	520
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	521 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	522 if ((deadline != (time_t)-1) && (deadline > now)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	523 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	524 TRACE_ERROR(" - The certificate %d in the chain is not yet activated", i);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	525 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	526 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	527 }
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	528 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	529 #endif /* GNUTLS_VERSION_300 */
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	530
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	531 /* Everything checked OK, free the certificate list */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	532 for (i = 0; i < cert_max; i++)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	533 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	534 GNUTLS_TRACE( gnutls_x509_crt_deinit (certs[i]) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	535 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	536 free(certs);
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	537
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	538 #ifdef GNUTLS_VERSION_300
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	539 /* Use certificate verification during the handshake */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	540 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	541 #endif /* GNUTLS_VERSION_300 */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	542
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	543 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	544
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	545 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	546
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	547 /* DH */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	548 if (!fd_g_config->cnf_sec_data.tls_disabled) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	549 if (fd_g_config->cnf_sec_data.dh_file) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	550 gnutls_datum_t dhparams = { NULL, 0 };
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	551 size_t alloc = 0;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	552 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	553 if (!stream) {
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	554 int err = errno;
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	555 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err));
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	556 return err;
7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	557 }
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	558 do {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	559 uint8_t * realloced = NULL;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	560 size_t read = 0;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	561
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	562 if (alloc < dhparams.size + BUFSIZ + 1) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	563 alloc += alloc / 2 + BUFSIZ + 1;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	564 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	565 {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	566 free(dhparams.data);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	567 return ENOMEM;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	568 } )
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	569 dhparams.data = realloced;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	570 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	571
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	572 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	573 dhparams.size += read;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	574
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	575 if (ferror(stream)) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	576 int err = errno;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	577 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err));
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	578 return err;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	579 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	580 } while (!feof(stream));
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	581 dhparams.data[dhparams.size] = '\0';
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	582 fclose(stream);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	583 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3(
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	584 fd_g_config->cnf_sec_data.dh_cache,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	585 &dhparams,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	586 GNUTLS_X509_FMT_PEM),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	587 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	588 free(dhparams.data);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	589
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	590 } else {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	591 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	592 CHECK_GNUTLS_DO( gnutls_dh_params_generate2(
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	593 fd_g_config->cnf_sec_data.dh_cache,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	594 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	595 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	596 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	597
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	598 }
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	599
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	600 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	601 }
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	602 #ifndef GNUTLS_VERSION_300
1034 f4a73a991623 Fix warning on old GCC versions Sebastien Decugis <sdecugis@freediameter.net> parents: 1033 diff changeset	603 GCC_DIAG_ON("-Wdeprecated-declarations")
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	604 #endif /* !GNUTLS_VERSION_300 */
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	605
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	606
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	607 /* Destroy contents of fd_g_config structure */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	608 int fd_conf_deinit()
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	609 {
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	610 TRACE_ENTRY();
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	611
686 f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	612 if (!fd_g_config)
f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	613 return 0;
f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	614
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	615 /* Free the TLS parameters */
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	616 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	617 gnutls_x509_trust_list_deinit(fd_g_config->cnf_sec_data.trustlist, 1);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	618 #endif /* GNUTLS_VERSION_300 */
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	619 gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	620 gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	621 gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	622
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	623 free(fd_g_config->cnf_sec_data.cert_file); fd_g_config->cnf_sec_data.cert_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	624 free(fd_g_config->cnf_sec_data.key_file); fd_g_config->cnf_sec_data.key_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	625 free(fd_g_config->cnf_sec_data.ca_file); fd_g_config->cnf_sec_data.ca_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	626 free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	627 free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL;
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	628 free(fd_g_config->cnf_sec_data.dh_file); fd_g_config->cnf_sec_data.dh_file = NULL;
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	629
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	630 /* Destroy dictionary */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	631 CHECK_FCT_DO( fd_dict_fini(&fd_g_config->cnf_dict), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	632
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	633 /* Destroy the main event queue */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	634 CHECK_FCT_DO( fd_fifo_del(&fd_g_config->cnf_main_ev), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	635
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	636 /* Destroy the local endpoints and applications */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	637 CHECK_FCT_DO(fd_ep_filter(&fd_g_config->cnf_endpoints, 0 ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	638 CHECK_FCT_DO(fd_app_empty(&fd_g_config->cnf_apps ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	639
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	640 /* Destroy the local identity */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	641 free(fd_g_config->cnf_diamid); fd_g_config->cnf_diamid = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	642 free(fd_g_config->cnf_diamrlm); fd_g_config->cnf_diamrlm = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	643
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	644 return 0;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	645 }
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	646
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	647

Mercurial > hg > freeDiameter

annotate libfdcore/config.c @ 1396:188c82b6690b