Mercurial > hg > freeDiameter
annotate libfdcore/config.c @ 1396:188c82b6690b
Add ProcessingPeersPattern and ProcessingPeersMinimum parameters.
If this is configured, the process will accept all connections from
peers matching ProcessingPeersPattern, but will NOT accept connections
from other peers until ProcessingPeersMinimum peers of the first
type are connected.
This allows relays to only go online if there are enough worker
peers connected behind them.
author | Thomas Klausner <tk@giga.or.at> |
---|---|
date | Fri, 15 Nov 2019 11:38:30 +0100 |
parents | afe0ecdb0692 |
children | 239ba25870d8 |
rev | line source |
---|---|
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
1 /********************************************************************************************************* |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
2 * Software License Agreement (BSD License) * |
740
4a9f08d6b6ba
Updated my mail address
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
706
diff
changeset
|
3 * Author: Sebastien Decugis <sdecugis@freediameter.net> * |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
4 * * |
1281
ab6457399be2
Updated copyright information
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1268
diff
changeset
|
5 * Copyright (c) 2015, WIDE Project and NICT * |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
6 * All rights reserved. * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
7 * * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
8 * Redistribution and use of this software in source and binary forms, with or without modification, are * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
9 * permitted provided that the following conditions are met: * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
10 * * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
11 * * Redistributions of source code must retain the above * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
12 * copyright notice, this list of conditions and the * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
13 * following disclaimer. * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
14 * * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
15 * * Redistributions in binary form must reproduce the above * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
16 * copyright notice, this list of conditions and the * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
17 * following disclaimer in the documentation and/or other * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
18 * materials provided with the distribution. * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
19 * * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
20 * * Neither the name of the WIDE Project or NICT nor the * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
21 * names of its contributors may be used to endorse or * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
22 * promote products derived from this software without * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
23 * specific prior written permission of WIDE Project and * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
24 * NICT. * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
25 * * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
34 *********************************************************************************************************/ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
35 |
658
f198d16fa7f4
Initial commit for 1.1.0:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
578
diff
changeset
|
36 #include "fdcore-internal.h" |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
37 #include <sys/stat.h> |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
38 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
39 /* Configuration management */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
40 |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
41 #ifndef GNUTLS_DEFAULT_PRIORITY |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
42 # define GNUTLS_DEFAULT_PRIORITY "NORMAL" |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
43 #endif /* GNUTLS_DEFAULT_PRIORITY */ |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
44 #ifndef GNUTLS_DEFAULT_DHBITS |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
45 # define GNUTLS_DEFAULT_DHBITS 1024 |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
46 #endif /* GNUTLS_DEFAULT_DHBITS */ |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
47 |
658
f198d16fa7f4
Initial commit for 1.1.0:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
578
diff
changeset
|
48 /* Initialize the fd_g_config structure to default values -- it should already have been initialized to all-0 */ |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
49 int fd_conf_init() |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
50 { |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
51 TRACE_ENTRY(); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
52 |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
53 fd_g_config->cnf_eyec = EYEC_CONFIG; |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
54 |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
55 fd_g_config->cnf_timer_tc = 30; |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
56 fd_g_config->cnf_timer_tw = 30; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
57 |
897
d8d0772586ad
Use correct default port for outgoing connections even when local port is not the default one
Sebastien Decugis <sdecugis@freediameter.net>
parents:
820
diff
changeset
|
58 fd_g_config->cnf_port = DIAMETER_PORT; |
d8d0772586ad
Use correct default port for outgoing connections even when local port is not the default one
Sebastien Decugis <sdecugis@freediameter.net>
parents:
820
diff
changeset
|
59 fd_g_config->cnf_port_tls = DIAMETER_SECURE_PORT; |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
60 fd_g_config->cnf_sctp_str = 30; |
1189
50bf33dc8fe0
Limit number of incoming connections under processing to configurable value
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1184
diff
changeset
|
61 fd_g_config->cnf_thr_srv = 5; |
1396
188c82b6690b
Add ProcessingPeersPattern and ProcessingPeersMinimum parameters.
Thomas Klausner <tk@giga.or.at>
parents:
1326
diff
changeset
|
62 fd_g_config->cnf_processing_peers_minimum = 0; |
253
ad6c0118fb50
Configurable number of server threads
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
189
diff
changeset
|
63 fd_g_config->cnf_dispthr = 4; |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
64 fd_list_init(&fd_g_config->cnf_endpoints, NULL); |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
65 fd_list_init(&fd_g_config->cnf_apps, NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
66 #ifdef DISABLE_SCTP |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
67 fd_g_config->cnf_flags.no_sctp = 1; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
68 #endif /* DISABLE_SCTP */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
69 |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
70 fd_g_config->cnf_orstateid = (uint32_t) time(NULL); |
1326
afe0ecdb0692
Add config option if Route-Record AVPs should be added in Answers.
Thomas Klausner <tk@giga.or.at>
parents:
1281
diff
changeset
|
71 fd_g_config->cnf_rr_in_answers = 1; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
72 |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
73 CHECK_FCT( fd_dict_init(&fd_g_config->cnf_dict) ); |
767
c47c16436f71
Added a limit on fifo queues to avoid memory exaustion when messages are received faster than handled
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
740
diff
changeset
|
74 CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev, 0) ); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
75 |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
76 /* TLS parameters */ |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
77 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM ); |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
78 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM ); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
79 #ifdef GNUTLS_VERSION_300 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
80 CHECK_GNUTLS_DO( gnutls_x509_trust_list_init(&fd_g_config->cnf_sec_data.trustlist, 0), return ENOMEM ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
81 #endif /* GNUTLS_VERSION_300 */ |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
82 |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
83 return 0; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
84 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
85 |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
86 DECLARE_FD_DUMP_PROTOTYPE(fd_conf_dump) |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
87 { |
1093
44f3e48dfe27
Align the behavior of all fd_*dump functions wrt final \n
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1085
diff
changeset
|
88 FD_DUMP_HANDLE_OFFSET(); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
89 |
1119
79dd22145f52
Fix a number of compilation warnings
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1113
diff
changeset
|
90 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "freeDiameter configuration:\n"), return NULL); |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
91 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Default trace level .... : %+d\n", fd_g_debug_lvl), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
92 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Configuration file ..... : %s\n", fd_g_config->cnf_file), return NULL); |
1253 | 93 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Identity ...... : %s (l:%zi)\n", fd_g_config->cnf_diamid, fd_g_config->cnf_diamid_len), return NULL); |
94 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Realm ......... : %s (l:%zi)\n", fd_g_config->cnf_diamrlm, fd_g_config->cnf_diamrlm_len), return NULL); | |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
95 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tc Timer ............... : %u\n", fd_g_config->cnf_timer_tc), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
96 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tw Timer ............... : %u\n", fd_g_config->cnf_timer_tw), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
97 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local port ............. : %hu\n", fd_g_config->cnf_port), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
98 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local secure port ...... : %hu\n", fd_g_config->cnf_port_tls), return NULL); |
1181
22de21feec64
Preparing for DTLS support
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1155
diff
changeset
|
99 if (fd_g_config->cnf_port_3436) { |
22de21feec64
Preparing for DTLS support
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1155
diff
changeset
|
100 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local SCTP TLS port .... : %hu\n", fd_g_config->cnf_port_3436), return NULL); |
22de21feec64
Preparing for DTLS support
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1155
diff
changeset
|
101 } |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
102 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of SCTP streams . : %hu\n", fd_g_config->cnf_sctp_str), return NULL); |
1189
50bf33dc8fe0
Limit number of incoming connections under processing to configurable value
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1184
diff
changeset
|
103 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of clients thr .. : %d\n", fd_g_config->cnf_thr_srv), return NULL); |
50bf33dc8fe0
Limit number of incoming connections under processing to configurable value
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1184
diff
changeset
|
104 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of app threads .. : %hu\n", fd_g_config->cnf_dispthr), return NULL); |
1396
188c82b6690b
Add ProcessingPeersPattern and ProcessingPeersMinimum parameters.
Thomas Klausner <tk@giga.or.at>
parents:
1326
diff
changeset
|
105 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Minimal processing peers : %hu\n", fd_g_config->cnf_processing_peers_minimum), return NULL); |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
106 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) { |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
107 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : Default (use all available)\n"), return NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
108 } else { |
1113
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
109 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : "), return NULL); |
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
110 CHECK_MALLOC_DO( fd_ep_dump( FD_DUMP_STD_PARAMS, 0, 0, &fd_g_config->cnf_endpoints ), return NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
111 } |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
112 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_apps)) { |
1113
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
113 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : (none)"), return NULL); |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
114 } else { |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
115 struct fd_list * li = fd_g_config->cnf_apps.next; |
1113
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
116 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : "), return NULL); |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
117 while (li != &fd_g_config->cnf_apps) { |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
118 struct fd_app * app = (struct fd_app *)li; |
1113
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
119 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "App: %u,%s%s,Vnd:%u\t", |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
120 app->appid, |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
121 app->flags.auth ? "Au" : "--", |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
122 app->flags.acct ? "Ac" : "--", |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
123 app->vndid), return NULL); |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
124 li = li->next; |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
125 } |
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
126 } |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
127 |
1113
eb4ce68b6e5c
Added calls to remaining hooks
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1107
diff
changeset
|
128 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled"), return NULL); |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
129 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
130 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Relay app .... : %s\n", fd_g_config->cnf_flags.no_fwd ? "DISABLED" : "Enabled"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
131 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TCP .......... : %s\n", fd_g_config->cnf_flags.no_tcp ? "DISABLED" : "Enabled"), return NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
132 #ifdef DISABLE_SCTP |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
133 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : DISABLED (at compilation)\n"), return NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
134 #else /* DISABLE_SCTP */ |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
135 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : %s\n", fd_g_config->cnf_flags.no_sctp ? "DISABLED" : "Enabled"), return NULL); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
136 #endif /* DISABLE_SCTP */ |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
137 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
138 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port"), return NULL); |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
139 |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
140 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
141 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
142 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CA (trust) ... : %s (%d certs)\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)", fd_g_config->cnf_sec_data.ca_file_nr), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
143 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
144 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
145 if (fd_g_config->cnf_sec_data.dh_file) { |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
146 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH file ...... : %s\n", fd_g_config->cnf_sec_data.dh_file), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
147 } else { |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
148 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
149 } |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
150 |
1085
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
151 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Origin-State-Id ........ : %u", fd_g_config->cnf_orstateid), return NULL); |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
152 |
7d7266115a34
Cleaning of the traces in progress
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1034
diff
changeset
|
153 return *buf; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
154 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
155 |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
156 /* read contents of a file opened in "rb" mode and alloc this data into a gnutls_datum_t (must be freed afterwards) */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
157 int fd_conf_stream_to_gnutls_datum(FILE * pemfile, gnutls_datum_t *out) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
158 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
159 size_t alloc = 0; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
160 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
161 CHECK_PARAMS( pemfile && out ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
162 memset(out, 0, sizeof(gnutls_datum_t)); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
163 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
164 do { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
165 uint8_t * realloced = NULL; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
166 size_t read = 0; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
167 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
168 if (alloc < out->size + BUFSIZ + 1) { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
169 alloc += alloc / 2 + BUFSIZ + 1; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
170 CHECK_MALLOC_DO( realloced = realloc(out->data, alloc), |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
171 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
172 free(out->data); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
173 return ENOMEM; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
174 } ) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
175 out->data = realloced; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
176 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
177 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
178 read = fread( out->data + out->size, 1, alloc - out->size - 1, pemfile ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
179 out->size += read; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
180 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
181 if (ferror(pemfile)) { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
182 int err = errno; |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
183 TRACE_DEBUG(INFO, "An error occurred while reading file: %s", strerror(err)); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
184 return err; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
185 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
186 } while (!feof(pemfile)); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
187 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
188 out->data[out->size] = '\0'; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
189 return 0; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
190 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
191 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
192 #ifdef GNUTLS_VERSION_300 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
193 /* inspired from GnuTLS manual */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
194 static int fd_conf_print_details_func (gnutls_x509_crt_t cert, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
195 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
196 unsigned int verification_output) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
197 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
198 char name[512]; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
199 char issuer_name[512]; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
200 size_t name_size; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
201 size_t issuer_name_size; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
202 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
203 if (!TRACE_BOOL(GNUTLS_DBG_LEVEL)) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
204 return 0; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
205 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
206 issuer_name_size = sizeof (issuer_name); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
207 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
208 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
209 name_size = sizeof (name); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
210 gnutls_x509_crt_get_dn (cert, name, &name_size); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
211 |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
212 fd_log_debug("\tSubject: %s", name); |
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
213 fd_log_debug("\tIssuer: %s", issuer_name); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
214 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
215 if (issuer != NULL) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
216 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
217 issuer_name_size = sizeof (issuer_name); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
218 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
219 |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
220 fd_log_debug("\tVerified against: %s", issuer_name); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
221 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
222 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
223 if (crl != NULL) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
224 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
225 issuer_name_size = sizeof (issuer_name); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
226 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
227 |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
228 fd_log_debug("\tVerified against CRL of: %s", issuer_name); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
229 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
230 |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
231 fd_log_debug("\tVerification output: %x", verification_output); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
232 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
233 return 0; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
234 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
235 #endif /* GNUTLS_VERSION_300 */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
236 |
1027
0117a7746b21
Fix a number of errors and warnings introduced/highlighted by recent commits
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1021
diff
changeset
|
237 #ifndef GNUTLS_VERSION_300 |
1034
f4a73a991623
Fix warning on old GCC versions
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1033
diff
changeset
|
238 GCC_DIAG_OFF("-Wdeprecated-declarations") |
1027
0117a7746b21
Fix a number of errors and warnings introduced/highlighted by recent commits
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1021
diff
changeset
|
239 #endif /* !GNUTLS_VERSION_300 */ |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
240 /* Parse the configuration file (using the yacc parser) */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
241 int fd_conf_parse() |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
242 { |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
243 extern FILE * fddin; |
947
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
244 const char * orig = NULL; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
245 |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
246 /* Attempt to find the configuration file */ |
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
247 if (!fd_g_config->cnf_file) |
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
248 fd_g_config->cnf_file = FD_DEFAULT_CONF_FILENAME; |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
249 |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
250 fddin = fopen(fd_g_config->cnf_file, "r"); |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
251 if ((fddin == NULL) && (*fd_g_config->cnf_file != '/')) { |
947
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
252 char * new_cnf = NULL; |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
253 /* We got a relative path, attempt to add the default directory prefix */ |
706
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
254 orig = fd_g_config->cnf_file; |
947
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
255 CHECK_MALLOC( new_cnf = malloc(strlen(orig) + strlen(DEFAULT_CONF_PATH) + 2) ); /* we will not free it, but not important */ |
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
256 sprintf( new_cnf, DEFAULT_CONF_PATH "/%s", orig ); |
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
257 fd_g_config->cnf_file = new_cnf; |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
258 fddin = fopen(fd_g_config->cnf_file, "r"); |
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
259 } |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
260 if (fddin == NULL) { |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
261 int ret = errno; |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
262 LOG_F("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s", |
947
cce5d4bace82
Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR.
Thomas Klausner <tk@giga.or.at>
parents:
946
diff
changeset
|
263 orig ?: "", orig? " and " : "", fd_g_config->cnf_file, strerror(ret)); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
264 return ret; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
265 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
266 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
267 /* call yacc parser */ |
304
ad3c46016584
Added install directives for cmake; also allow default directory to seek for extensions and configuration files
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
258
diff
changeset
|
268 TRACE_DEBUG (FULL, "Parsing configuration file: %s", fd_g_config->cnf_file); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
269 CHECK_FCT( fddparse(fd_g_config) ); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
270 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
271 /* close the file */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
272 fclose(fddin); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
273 |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
274 /* Check that TLS private key was given */ |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
275 if (! fd_g_config->cnf_sec_data.key_file) { |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
276 /* If TLS is not enabled, we allow empty TLS configuration */ |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
277 if ((fd_g_config->cnf_port_tls == 0) && (fd_g_config->cnf_flags.tls_alg == 0)) { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
278 LOG_N("TLS is disabled, this is *NOT* a recommended practice! Diameter protocol conveys highly sensitive information on your users."); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
279 fd_g_config->cnf_sec_data.tls_disabled = 1; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
280 } else { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
281 LOG_F( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive."); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
282 return EINVAL; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
283 } |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
284 } |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
285 |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
286 /* Resolve hostname if not provided */ |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
287 if (fd_g_config->cnf_diamid == NULL) { |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
288 char buf[HOST_NAME_MAX + 1]; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
289 struct addrinfo hints, *info; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
290 int ret; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
291 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
292 /* local host name */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
293 CHECK_SYS(gethostname(buf, sizeof(buf))); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
294 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
295 /* get FQDN */ |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
296 memset(&hints, 0, sizeof hints); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
297 hints.ai_flags = AI_CANONNAME; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
298 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
299 ret = getaddrinfo(buf, NULL, &hints, &info); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
300 if (ret != 0) { |
994 | 301 TRACE_ERROR( "Error resolving local FQDN : '%s' : %s" |
302 ". Please provide Identity in configuration file.", | |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
303 buf, gai_strerror(ret)); |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
304 return EINVAL; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
305 } |
706
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
306 fd_g_config->cnf_diamid = info->ai_canonname; |
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
307 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 1) ); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
308 freeaddrinfo(info); |
706
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
309 } else { |
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
310 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 0) ); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
311 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
312 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
313 /* Handle the realm part */ |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
314 if (fd_g_config->cnf_diamrlm == NULL) { |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
315 char * start = NULL; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
316 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
317 /* Check the diameter identity is a fqdn */ |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
318 start = strchr(fd_g_config->cnf_diamid, '.'); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
319 if ((start == NULL) || (start[1] == '\0')) { |
994 | 320 TRACE_ERROR( "Unable to extract realm from the Identity '%s'." |
321 " Please fix your Identity setting or provide Realm.", | |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
322 fd_g_config->cnf_diamid); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
323 return EINVAL; |
706
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
324 } |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
325 |
706
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
326 fd_g_config->cnf_diamrlm = start + 1; |
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
327 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 1) ); |
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
328 } else { |
4ffbc9f1e922
Large UNTESTED commit with the following changes:
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
686
diff
changeset
|
329 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 0) ); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
330 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
331 |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
332 /* Validate some flags */ |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
333 if (fd_g_config->cnf_flags.no_ip4 && fd_g_config->cnf_flags.no_ip6) { |
994 | 334 TRACE_ERROR( "IP and IPv6 cannot be disabled at the same time."); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
335 return EINVAL; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
336 } |
10
c5c99c73c2bf
Added some extensions and functions in the daemon
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
8
diff
changeset
|
337 if (fd_g_config->cnf_flags.no_tcp && fd_g_config->cnf_flags.no_sctp) { |
994 | 338 TRACE_ERROR( "TCP and SCTP cannot be disabled at the same time."); |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
339 return EINVAL; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
340 } |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
341 |
22
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
342 /* Validate local endpoints */ |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
343 if ((!FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) && (fd_g_config->cnf_flags.no_ip4 || fd_g_config->cnf_flags.no_ip6)) { |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
344 struct fd_list * li; |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
345 for ( li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) { |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
346 struct fd_endpoint * ep = (struct fd_endpoint *)li; |
23
db6c40b8b307
Added some code in cnxctx.c mainly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
22
diff
changeset
|
347 if ( (fd_g_config->cnf_flags.no_ip4 && (ep->sa.sa_family == AF_INET)) |
db6c40b8b307
Added some code in cnxctx.c mainly
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
22
diff
changeset
|
348 ||(fd_g_config->cnf_flags.no_ip6 && (ep->sa.sa_family == AF_INET6)) ) { |
1107
96f2051215c8
Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1093
diff
changeset
|
349 char sa_buf[sSA_DUMP_STRLEN];; |
22
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
350 li = li->prev; |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
351 fd_list_unlink(&ep->chain); |
1107
96f2051215c8
Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1093
diff
changeset
|
352 fd_sa_sdump_numeric(sa_buf, &ep->sa); |
96f2051215c8
Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1093
diff
changeset
|
353 LOG_N("Info: Removing local address conflicting with the flags no_IP / no_IP6 : %s", sa_buf); |
22
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
354 free(ep); |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
355 } |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
356 } |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
357 } |
0b3b46da2c12
Progress on server code
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
20
diff
changeset
|
358 |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
359 /* Configure TLS default parameters */ |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
360 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.prio_string)) { |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
361 const char * err_pos = NULL; |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
362 CHECK_GNUTLS_DO( gnutls_priority_init( |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
363 &fd_g_config->cnf_sec_data.prio_cache, |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
364 GNUTLS_DEFAULT_PRIORITY, |
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
365 &err_pos), |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
366 { TRACE_ERROR("Error in priority string at position : %s", err_pos); return EINVAL; } ); |
18
e7187583dcf8
Added CA helper script
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
17
diff
changeset
|
367 } |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
368 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
369 /* Verify that our certificate is valid -- otherwise remote peers will reject it */ |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
370 if (!fd_g_config->cnf_sec_data.tls_disabled) { |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
371 int ret = 0, i; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
372 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
373 gnutls_datum_t certfile; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
374 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
375 gnutls_x509_crt_t * certs = NULL; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
376 unsigned int cert_max = 0; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
377 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
378 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
379 /* Read the certificate file */ |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
380 FILE *stream = fopen (fd_g_config->cnf_sec_data.cert_file, "rb"); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
381 if (!stream) { |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
382 int err = errno; |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
383 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.cert_file, strerror(err)); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
384 return err; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
385 } |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
386 CHECK_FCT( fd_conf_stream_to_gnutls_datum(stream, &certfile) ); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
387 fclose(stream); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
388 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
389 /* Import the certificate(s) */ |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
390 GNUTLS_TRACE( ret = gnutls_x509_crt_list_import(NULL, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED) ); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
391 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
392 CHECK_GNUTLS_DO(ret, return EINVAL); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
393 } |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
394 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
395 CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) ); |
820
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
396 CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
397 #ifdef GNUTLS_VERSION_300 |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
398 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
399 #else /* GNUTLS_VERSION_300 */ |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
400 0 |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
401 #endif /* GNUTLS_VERSION_300 */ |
0eb64b3a3632
Fix compilation with gnutls < 3.x
Sebastien Decugis <sdecugis@freediameter.net>
parents:
808
diff
changeset
|
402 ), |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
403 { |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
404 TRACE_ERROR("Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
405 free(certfile.data); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
406 return EINVAL; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
407 } ); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
408 free(certfile.data); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
409 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
410 ASSERT(cert_max >= 1); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
411 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
412 /* Now, verify the list against the local CA and CRL */ |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
413 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
414 #ifdef GNUTLS_VERSION_300 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
415 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
416 /* We use the trust list for this purpose */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
417 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
418 unsigned int output; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
419 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
420 gnutls_x509_trust_list_verify_named_crt ( |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
421 fd_g_config->cnf_sec_data.trustlist, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
422 certs[0], |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
423 fd_g_config->cnf_diamid, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
424 fd_g_config->cnf_diamid_len, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
425 0, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
426 &output, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
427 fd_conf_print_details_func); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
428 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
429 /* if this certificate is not explicitly trusted verify against CAs |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
430 */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
431 if (output != 0) |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
432 { |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
433 gnutls_x509_trust_list_verify_crt ( |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
434 fd_g_config->cnf_sec_data.trustlist, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
435 certs, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
436 cert_max, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
437 0, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
438 &output, |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
439 fd_conf_print_details_func); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
440 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
441 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
442 if (output & GNUTLS_CERT_INVALID) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
443 { |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
444 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
445 if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) |
1184
8c340f832127
Remove auto-use of the certificate as CA when CA was not provided, since now TLS_cred can be ignored when TLS is not used.
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1181
diff
changeset
|
446 TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?"); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
447 if (output & GNUTLS_CERT_SIGNER_NOT_CA) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
448 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
449 if (output & GNUTLS_CERT_NOT_ACTIVATED) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
450 TRACE_ERROR(" - The certificate is not yet activated."); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
451 if (output & GNUTLS_CERT_EXPIRED) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
452 TRACE_ERROR(" - The certificate is expired."); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
453 return EINVAL; |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
454 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
455 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
456 /* Now check the subject matches our hostname */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
457 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
458 { |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
459 TRACE_ERROR("TLS: The certificate owner does not match the hostname '%s'", fd_g_config->cnf_diamid); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
460 return EINVAL; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
461 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
462 |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
463 } |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
464 |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
465 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
466 #else /* GNUTLS_VERSION_300 */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
467 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
468 /* GnuTLS 2.x way of checking certificates */ |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
469 { |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
470 gnutls_x509_crt_t * CA_list; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
471 int CA_list_length; |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
472 |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
473 gnutls_x509_crl_t * CRL_list; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
474 int CRL_list_length; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
475 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
476 unsigned int verify; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
477 time_t now; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
478 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
479 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
480 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify), |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
481 { |
1008
d3d2a32320c4
Fix a compilation warning and protect CHECK_GNUTLS_DO macro
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1006
diff
changeset
|
482 TRACE_ERROR("Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
483 return EINVAL; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
484 } ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
485 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
486 if (verify) { |
974
2091bf698fb1
Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR
Thomas Klausner <tk@giga.or.at>
parents:
965
diff
changeset
|
487 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
488 if (verify & GNUTLS_CERT_INVALID) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
489 TRACE_ERROR(" - The certificate is not trusted (unknown CA? expired?)"); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
490 if (verify & GNUTLS_CERT_REVOKED) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
491 TRACE_ERROR(" - The certificate has been revoked."); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
492 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
493 TRACE_ERROR(" - The certificate hasn't got a known issuer."); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
494 if (verify & GNUTLS_CERT_SIGNER_NOT_CA) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
495 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
496 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
497 TRACE_ERROR(" - The certificate signature uses a weak algorithm."); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
498 return EINVAL; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
499 } |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
500 |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
501 /* Check the local Identity is valid with the certificate */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
502 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) { |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
503 TRACE_ERROR("TLS: Local certificate '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
504 TRACE_ERROR(" - The certificate hostname does not match '%s'", fd_g_config->cnf_diamid); |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
505 return EINVAL; |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
506 } |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
507 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
508 /* Check validity of all the certificates in the chain */ |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
509 now = time(NULL); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
510 for (i = 0; i < cert_max; i++) |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
511 { |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
512 time_t deadline; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
513 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
514 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
515 if ((deadline != (time_t)-1) && (deadline < now)) { |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
516 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
517 TRACE_ERROR(" - The certificate %d in the chain is expired", i); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
518 return EINVAL; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
519 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
520 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
521 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) ); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
522 if ((deadline != (time_t)-1) && (deadline > now)) { |
1006
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
523 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
6ce8322f3b78
Report an error if a problem is big enough to break startup.
Thomas Klausner <tk@giga.or.at>
parents:
994
diff
changeset
|
524 TRACE_ERROR(" - The certificate %d in the chain is not yet activated", i); |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
525 return EINVAL; |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
526 } |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
527 } |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
528 } |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
529 #endif /* GNUTLS_VERSION_300 */ |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
530 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
531 /* Everything checked OK, free the certificate list */ |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
532 for (i = 0; i < cert_max; i++) |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
533 { |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
534 GNUTLS_TRACE( gnutls_x509_crt_deinit (certs[i]) ); |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
535 } |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
536 free(certs); |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
537 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
538 #ifdef GNUTLS_VERSION_300 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
539 /* Use certificate verification during the handshake */ |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
540 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
541 #endif /* GNUTLS_VERSION_300 */ |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
542 |
542
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
543 } |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
544 |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
545 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */ |
0b6cee362f5d
Enforce validation of local certificate upon daemon start.
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
447
diff
changeset
|
546 |
578
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
547 /* DH */ |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
548 if (!fd_g_config->cnf_sec_data.tls_disabled) { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
549 if (fd_g_config->cnf_sec_data.dh_file) { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
550 gnutls_datum_t dhparams = { NULL, 0 }; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
551 size_t alloc = 0; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
552 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb"); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
553 if (!stream) { |
578
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
554 int err = errno; |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
555 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); |
578
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
556 return err; |
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
557 } |
1155
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
558 do { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
559 uint8_t * realloced = NULL; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
560 size_t read = 0; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
561 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
562 if (alloc < dhparams.size + BUFSIZ + 1) { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
563 alloc += alloc / 2 + BUFSIZ + 1; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
564 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc), |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
565 { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
566 free(dhparams.data); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
567 return ENOMEM; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
568 } ) |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
569 dhparams.data = realloced; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
570 } |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
571 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
572 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream ); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
573 dhparams.size += read; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
574 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
575 if (ferror(stream)) { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
576 int err = errno; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
577 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
578 return err; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
579 } |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
580 } while (!feof(stream)); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
581 dhparams.data[dhparams.size] = '\0'; |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
582 fclose(stream); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
583 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3( |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
584 fd_g_config->cnf_sec_data.dh_cache, |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
585 &dhparams, |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
586 GNUTLS_X509_FMT_PEM), |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
587 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
588 free(dhparams.data); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
589 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
590 } else { |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
591 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
592 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
593 fd_g_config->cnf_sec_data.dh_cache, |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
594 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
595 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
596 } |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
597 |
d00b5914351e
Allow running freeDiameter without TLS credentials if the following conditions are verified:
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1127
diff
changeset
|
598 } |
578
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
599 |
8
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
600 return 0; |
3e143f047f78
Backup for the week-end
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
diff
changeset
|
601 } |
1027
0117a7746b21
Fix a number of errors and warnings introduced/highlighted by recent commits
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1021
diff
changeset
|
602 #ifndef GNUTLS_VERSION_300 |
1034
f4a73a991623
Fix warning on old GCC versions
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1033
diff
changeset
|
603 GCC_DIAG_ON("-Wdeprecated-declarations") |
1027
0117a7746b21
Fix a number of errors and warnings introduced/highlighted by recent commits
Sebastien Decugis <sdecugis@freediameter.net>
parents:
1021
diff
changeset
|
604 #endif /* !GNUTLS_VERSION_300 */ |
447
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
605 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
606 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
607 /* Destroy contents of fd_g_config structure */ |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
608 int fd_conf_deinit() |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
609 { |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
610 TRACE_ENTRY(); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
611 |
686
f83d9878bf66
Fixed in case of termination of several modules (before initialization completed)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
662
diff
changeset
|
612 if (!fd_g_config) |
f83d9878bf66
Fixed in case of termination of several modules (before initialization completed)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
662
diff
changeset
|
613 return 0; |
f83d9878bf66
Fixed in case of termination of several modules (before initialization completed)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
662
diff
changeset
|
614 |
447
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
615 /* Free the TLS parameters */ |
805
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
616 #ifdef GNUTLS_VERSION_300 |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
617 gnutls_x509_trust_list_deinit(fd_g_config->cnf_sec_data.trustlist, 1); |
fb5e0fd923ff
Updated verification of the local certificate following GnuTLS 3.x guideline
Sebastien Decugis <sdecugis@freediameter.net>
parents:
767
diff
changeset
|
618 #endif /* GNUTLS_VERSION_300 */ |
447
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
619 gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
620 gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
621 gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
622 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
623 free(fd_g_config->cnf_sec_data.cert_file); fd_g_config->cnf_sec_data.cert_file = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
624 free(fd_g_config->cnf_sec_data.key_file); fd_g_config->cnf_sec_data.key_file = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
625 free(fd_g_config->cnf_sec_data.ca_file); fd_g_config->cnf_sec_data.ca_file = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
626 free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
627 free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL; |
578
7c9a00bfd115
Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17)
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
542
diff
changeset
|
628 free(fd_g_config->cnf_sec_data.dh_file); fd_g_config->cnf_sec_data.dh_file = NULL; |
447
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
629 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
630 /* Destroy dictionary */ |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
631 CHECK_FCT_DO( fd_dict_fini(&fd_g_config->cnf_dict), ); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
632 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
633 /* Destroy the main event queue */ |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
634 CHECK_FCT_DO( fd_fifo_del(&fd_g_config->cnf_main_ev), ); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
635 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
636 /* Destroy the local endpoints and applications */ |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
637 CHECK_FCT_DO(fd_ep_filter(&fd_g_config->cnf_endpoints, 0 ), ); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
638 CHECK_FCT_DO(fd_app_empty(&fd_g_config->cnf_apps ), ); |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
639 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
640 /* Destroy the local identity */ |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
641 free(fd_g_config->cnf_diamid); fd_g_config->cnf_diamid = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
642 free(fd_g_config->cnf_diamrlm); fd_g_config->cnf_diamrlm = NULL; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
643 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
644 return 0; |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
645 } |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
646 |
097bae83b07a
Forgot to cleanup the configuration on exit, spotted by valgrind
Sebastien Decugis <sdecugis@nict.go.jp>
parents:
403
diff
changeset
|
647 |