freeDiameter: libfdcore/config.c annotate

annotate libfdcore/config.c @ 1404:6cc290653ef6

fd_conf_dump: fix formatting of local endpoints

author	Luke Mewburn <luke@mewburn.net>
date	Tue, 11 Feb 2020 20:01:06 +1100
parents	239ba25870d8
children	3d7108b831e1

rev	line source
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	1 /*********************************************************************************************************
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	2 * Software License Agreement (BSD License) *
740 4a9f08d6b6ba Updated my mail address Sebastien Decugis <sdecugis@nict.go.jp> parents: 706 diff changeset	3 * Author: Sebastien Decugis <sdecugis@freediameter.net> *
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	4 * *
1281 ab6457399be2 Updated copyright information Sebastien Decugis <sdecugis@freediameter.net> parents: 1268 diff changeset	5 * Copyright (c) 2015, WIDE Project and NICT *
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	6 * All rights reserved. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	7 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	8 * Redistribution and use of this software in source and binary forms, with or without modification, are *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	9 * permitted provided that the following conditions are met: *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	10 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	11 * * Redistributions of source code must retain the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	12 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	13 * following disclaimer. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	14 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	15 * * Redistributions in binary form must reproduce the above *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	16 * copyright notice, this list of conditions and the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	17 * following disclaimer in the documentation and/or other *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	18 * materials provided with the distribution. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	19 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	20 * * Neither the name of the WIDE Project or NICT nor the *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	21 * names of its contributors may be used to endorse or *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	22 * promote products derived from this software without *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	23 * specific prior written permission of WIDE Project and *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	24 * NICT. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	25 * *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. *
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	34 *********************************************************************************************************/
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	35
658 f198d16fa7f4 Initial commit for 1.1.0: Sebastien Decugis <sdecugis@nict.go.jp> parents: 578 diff changeset	36 #include "fdcore-internal.h"
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	37 #include <sys/stat.h>
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	38
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	39 /* Configuration management */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	40
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	41 #ifndef GNUTLS_DEFAULT_PRIORITY
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	42 # define GNUTLS_DEFAULT_PRIORITY "NORMAL"
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	43 #endif /* GNUTLS_DEFAULT_PRIORITY */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	44 #ifndef GNUTLS_DEFAULT_DHBITS
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	45 # define GNUTLS_DEFAULT_DHBITS 1024
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	46 #endif /* GNUTLS_DEFAULT_DHBITS */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	47
658 f198d16fa7f4 Initial commit for 1.1.0: Sebastien Decugis <sdecugis@nict.go.jp> parents: 578 diff changeset	48 /* Initialize the fd_g_config structure to default values -- it should already have been initialized to all-0 */
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	49 int fd_conf_init()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	50 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	51 TRACE_ENTRY();
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	52
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	53 fd_g_config->cnf_eyec = EYEC_CONFIG;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	54
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	55 fd_g_config->cnf_timer_tc = 30;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	56 fd_g_config->cnf_timer_tw = 30;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	57
897 d8d0772586ad Use correct default port for outgoing connections even when local port is not the default one Sebastien Decugis <sdecugis@freediameter.net> parents: 820 diff changeset	58 fd_g_config->cnf_port = DIAMETER_PORT;
d8d0772586ad Use correct default port for outgoing connections even when local port is not the default one Sebastien Decugis <sdecugis@freediameter.net> parents: 820 diff changeset	59 fd_g_config->cnf_port_tls = DIAMETER_SECURE_PORT;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	60 fd_g_config->cnf_sctp_str = 30;
1189 50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	61 fd_g_config->cnf_thr_srv = 5;
1396 188c82b6690b Add ProcessingPeersPattern and ProcessingPeersMinimum parameters. Thomas Klausner <tk@giga.or.at> parents: 1326 diff changeset	62 fd_g_config->cnf_processing_peers_minimum = 0;
253 ad6c0118fb50 Configurable number of server threads Sebastien Decugis <sdecugis@nict.go.jp> parents: 189 diff changeset	63 fd_g_config->cnf_dispthr = 4;
1397 239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	64 fd_g_config->cnf_rtinthr = 1;
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	65 fd_g_config->cnf_rtoutthr = 1;
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	66 fd_g_config->cnf_qin_limit = 20;
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	67 fd_g_config->cnf_qout_limit = 30;
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	68 fd_g_config->cnf_qlocal_limit = 25;
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	69 fd_list_init(&fd_g_config->cnf_endpoints, NULL);
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	70 fd_list_init(&fd_g_config->cnf_apps, NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	71 #ifdef DISABLE_SCTP
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	72 fd_g_config->cnf_flags.no_sctp = 1;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	73 #endif /* DISABLE_SCTP */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	74
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	75 fd_g_config->cnf_orstateid = (uint32_t) time(NULL);
1326 afe0ecdb0692 Add config option if Route-Record AVPs should be added in Answers. Thomas Klausner <tk@giga.or.at> parents: 1281 diff changeset	76 fd_g_config->cnf_rr_in_answers = 1;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	77
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	78 CHECK_FCT( fd_dict_init(&fd_g_config->cnf_dict) );
767 c47c16436f71 Added a limit on fifo queues to avoid memory exaustion when messages are received faster than handled Sebastien Decugis <sdecugis@nict.go.jp> parents: 740 diff changeset	79 CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	80
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	81 /* TLS parameters */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	82 CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM );
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	83 CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM );
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	84 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	85 CHECK_GNUTLS_DO( gnutls_x509_trust_list_init(&fd_g_config->cnf_sec_data.trustlist, 0), return ENOMEM );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	86 #endif /* GNUTLS_VERSION_300 */
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	87
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	88 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	89 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	90
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	91 DECLARE_FD_DUMP_PROTOTYPE(fd_conf_dump)
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	92 {
1093 44f3e48dfe27 Align the behavior of all fd_dump functions wrt final \n Sebastien Decugis <sdecugis@freediameter.net>* parents: 1085 diff changeset	93 FD_DUMP_HANDLE_OFFSET();
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	94
1119 79dd22145f52 Fix a number of compilation warnings Sebastien Decugis <sdecugis@freediameter.net> parents: 1113 diff changeset	95 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "freeDiameter configuration:\n"), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	96 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Default trace level .... : %+d\n", fd_g_debug_lvl), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	97 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Configuration file ..... : %s\n", fd_g_config->cnf_file), return NULL);
1253 3734341ad03b Fix format string. Thomas Klausner <tk@giga.or.at> parents: 1189 diff changeset	98 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Identity ...... : %s (l:%zi)\n", fd_g_config->cnf_diamid, fd_g_config->cnf_diamid_len), return NULL);
3734341ad03b Fix format string. Thomas Klausner <tk@giga.or.at> parents: 1189 diff changeset	99 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Realm ......... : %s (l:%zi)\n", fd_g_config->cnf_diamrlm, fd_g_config->cnf_diamrlm_len), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	100 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tc Timer ............... : %u\n", fd_g_config->cnf_timer_tc), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	101 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tw Timer ............... : %u\n", fd_g_config->cnf_timer_tw), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	102 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local port ............. : %hu\n", fd_g_config->cnf_port), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	103 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local secure port ...... : %hu\n", fd_g_config->cnf_port_tls), return NULL);
1181 22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	104 if (fd_g_config->cnf_port_3436) {
22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	105 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local SCTP TLS port .... : %hu\n", fd_g_config->cnf_port_3436), return NULL);
22de21feec64 Preparing for DTLS support Sebastien Decugis <sdecugis@freediameter.net> parents: 1155 diff changeset	106 }
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	107 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of SCTP streams . : %hu\n", fd_g_config->cnf_sctp_str), return NULL);
1189 50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	108 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of clients thr .. : %d\n", fd_g_config->cnf_thr_srv), return NULL);
50bf33dc8fe0 Limit number of incoming connections under processing to configurable value Sebastien Decugis <sdecugis@freediameter.net> parents: 1184 diff changeset	109 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of app threads .. : %hu\n", fd_g_config->cnf_dispthr), return NULL);
1396 188c82b6690b Add ProcessingPeersPattern and ProcessingPeersMinimum parameters. Thomas Klausner <tk@giga.or.at> parents: 1326 diff changeset	110 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Minimal processing peers : %hu\n", fd_g_config->cnf_processing_peers_minimum), return NULL);
1397 239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	111 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of rtin threads . : %hu\n", fd_g_config->cnf_rtinthr), return NULL);
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	112 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of rtout threads : %hu\n", fd_g_config->cnf_rtoutthr), return NULL);
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	113 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Incoming queue limit : %hu\n", fd_g_config->cnf_qin_limit), return NULL);
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	114 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Outgoing queue limit : %hu\n", fd_g_config->cnf_qout_limit), return NULL);
239ba25870d8 Allow parametrizing the number of threads for routing in/out. Thomas Klausner <tk@giga.or.at> parents: 1396 diff changeset	115 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local queue limit : %hu\n", fd_g_config->cnf_qlocal_limit), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	116 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) {
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	117 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : Default (use all available)\n"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	118 } else {
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	119 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : "), return NULL);
eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	120 CHECK_MALLOC_DO( fd_ep_dump( FD_DUMP_STD_PARAMS, 0, 0, &fd_g_config->cnf_endpoints ), return NULL);
1404 6cc290653ef6 fd_conf_dump: fix formatting of local endpoints Luke Mewburn <luke@mewburn.net> parents: 1397 diff changeset	121 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	122 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	123 if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_apps)) {
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	124 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : (none)"), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	125 } else {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	126 struct fd_list * li = fd_g_config->cnf_apps.next;
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	127 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : "), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	128 while (li != &fd_g_config->cnf_apps) {
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	129 struct fd_app * app = (struct fd_app *)li;
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	130 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "App: %u,%s%s,Vnd:%u\t",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	131 app->appid,
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	132 app->flags.auth ? "Au" : "--",
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	133 app->flags.acct ? "Ac" : "--",
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	134 app->vndid), return NULL);
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	135 li = li->next;
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	136 }
c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	137 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	138
1113 eb4ce68b6e5c Added calls to remaining hooks Sebastien Decugis <sdecugis@freediameter.net> parents: 1107 diff changeset	139 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled"), return NULL);
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	140 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	141 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Relay app .... : %s\n", fd_g_config->cnf_flags.no_fwd ? "DISABLED" : "Enabled"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	142 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TCP .......... : %s\n", fd_g_config->cnf_flags.no_tcp ? "DISABLED" : "Enabled"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	143 #ifdef DISABLE_SCTP
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	144 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : DISABLED (at compilation)\n"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	145 #else /* DISABLE_SCTP */
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	146 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : %s\n", fd_g_config->cnf_flags.no_sctp ? "DISABLED" : "Enabled"), return NULL);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	147 #endif /* DISABLE_SCTP */
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	148 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	149 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port"), return NULL);
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	150
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	151 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	152 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	153 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CA (trust) ... : %s (%d certs)\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)", fd_g_config->cnf_sec_data.ca_file_nr), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	154 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	155 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	156 if (fd_g_config->cnf_sec_data.dh_file) {
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	157 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH file ...... : %s\n", fd_g_config->cnf_sec_data.dh_file), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	158 } else {
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	159 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	160 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	161
1085 7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	162 CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Origin-State-Id ........ : %u", fd_g_config->cnf_orstateid), return NULL);
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	163
7d7266115a34 Cleaning of the traces in progress Sebastien Decugis <sdecugis@freediameter.net> parents: 1034 diff changeset	164 return *buf;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	165 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	166
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	167 /* read contents of a file opened in "rb" mode and alloc this data into a gnutls_datum_t (must be freed afterwards) */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	168 int fd_conf_stream_to_gnutls_datum(FILE * pemfile, gnutls_datum_t *out)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	169 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	170 size_t alloc = 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	171
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	172 CHECK_PARAMS( pemfile && out );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	173 memset(out, 0, sizeof(gnutls_datum_t));
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	174
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	175 do {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	176 uint8_t * realloced = NULL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	177 size_t read = 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	178
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	179 if (alloc < out->size + BUFSIZ + 1) {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	180 alloc += alloc / 2 + BUFSIZ + 1;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	181 CHECK_MALLOC_DO( realloced = realloc(out->data, alloc),
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	182 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	183 free(out->data);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	184 return ENOMEM;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	185 } )
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	186 out->data = realloced;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	187 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	188
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	189 read = fread( out->data + out->size, 1, alloc - out->size - 1, pemfile );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	190 out->size += read;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	191
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	192 if (ferror(pemfile)) {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	193 int err = errno;
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	194 TRACE_DEBUG(INFO, "An error occurred while reading file: %s", strerror(err));
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	195 return err;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	196 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	197 } while (!feof(pemfile));
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	198
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	199 out->data[out->size] = '\0';
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	200 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	201 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	202
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	203 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	204 /* inspired from GnuTLS manual */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	205 static int fd_conf_print_details_func (gnutls_x509_crt_t cert,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	206 gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	207 unsigned int verification_output)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	208 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	209 char name[512];
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	210 char issuer_name[512];
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	211 size_t name_size;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	212 size_t issuer_name_size;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	213
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	214 if (!TRACE_BOOL(GNUTLS_DBG_LEVEL))
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	215 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	216
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	217 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	218 gnutls_x509_crt_get_issuer_dn (cert, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	219
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	220 name_size = sizeof (name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	221 gnutls_x509_crt_get_dn (cert, name, &name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	222
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	223 fd_log_debug("\tSubject: %s", name);
2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	224 fd_log_debug("\tIssuer: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	225
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	226 if (issuer != NULL)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	227 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	228 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	229 gnutls_x509_crt_get_dn (issuer, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	230
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	231 fd_log_debug("\tVerified against: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	232 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	233
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	234 if (crl != NULL)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	235 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	236 issuer_name_size = sizeof (issuer_name);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	237 gnutls_x509_crl_get_issuer_dn (crl, issuer_name, &issuer_name_size);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	238
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	239 fd_log_debug("\tVerified against CRL of: %s", issuer_name);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	240 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	241
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	242 fd_log_debug("\tVerification output: %x", verification_output);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	243
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	244 return 0;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	245 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	246 #endif /* GNUTLS_VERSION_300 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	247
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	248 #ifndef GNUTLS_VERSION_300
1034 f4a73a991623 Fix warning on old GCC versions Sebastien Decugis <sdecugis@freediameter.net> parents: 1033 diff changeset	249 GCC_DIAG_OFF("-Wdeprecated-declarations")
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	250 #endif /* !GNUTLS_VERSION_300 */
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	251 /* Parse the configuration file (using the yacc parser) */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	252 int fd_conf_parse()
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	253 {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	254 extern FILE * fddin;
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	255 const char * orig = NULL;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	256
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	257 /* Attempt to find the configuration file */
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	258 if (!fd_g_config->cnf_file)
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	259 fd_g_config->cnf_file = FD_DEFAULT_CONF_FILENAME;
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	260
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	261 fddin = fopen(fd_g_config->cnf_file, "r");
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	262 if ((fddin == NULL) && (*fd_g_config->cnf_file != '/')) {
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	263 char * new_cnf = NULL;
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	264 /* We got a relative path, attempt to add the default directory prefix */
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	265 orig = fd_g_config->cnf_file;
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	266 CHECK_MALLOC( new_cnf = malloc(strlen(orig) + strlen(DEFAULT_CONF_PATH) + 2) ); /* we will not free it, but not important */
cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	267 sprintf( new_cnf, DEFAULT_CONF_PATH "/%s", orig );
cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	268 fd_g_config->cnf_file = new_cnf;
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	269 fddin = fopen(fd_g_config->cnf_file, "r");
ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	270 }
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	271 if (fddin == NULL) {
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	272 int ret = errno;
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	273 LOG_F("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s",
947 cce5d4bace82 Make config file parameter const and convert another fprintf to TRACE_DEBUG_ERROR. Thomas Klausner <tk@giga.or.at> parents: 946 diff changeset	274 orig ?: "", orig? " and " : "", fd_g_config->cnf_file, strerror(ret));
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	275 return ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	276 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	277
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	278 /* call yacc parser */
304 ad3c46016584 Added install directives for cmake; also allow default directory to seek for extensions and configuration files Sebastien Decugis <sdecugis@nict.go.jp> parents: 258 diff changeset	279 TRACE_DEBUG (FULL, "Parsing configuration file: %s", fd_g_config->cnf_file);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	280 CHECK_FCT( fddparse(fd_g_config) );
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	281
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	282 /* close the file */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	283 fclose(fddin);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	284
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	285 /* Check that TLS private key was given */
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	286 if (! fd_g_config->cnf_sec_data.key_file) {
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	287 /* If TLS is not enabled, we allow empty TLS configuration */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	288 if ((fd_g_config->cnf_port_tls == 0) && (fd_g_config->cnf_flags.tls_alg == 0)) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	289 LOG_N("TLS is disabled, this is NOT a recommended practice! Diameter protocol conveys highly sensitive information on your users.");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	290 fd_g_config->cnf_sec_data.tls_disabled = 1;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	291 } else {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	292 LOG_F( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive.");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	293 return EINVAL;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	294 }
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	295 }
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	296
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	297 /* Resolve hostname if not provided */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	298 if (fd_g_config->cnf_diamid == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	299 char buf[HOST_NAME_MAX + 1];
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	300 struct addrinfo hints, *info;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	301 int ret;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	302
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	303 /* local host name */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	304 CHECK_SYS(gethostname(buf, sizeof(buf)));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	305
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	306 /* get FQDN */
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	307 memset(&hints, 0, sizeof hints);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	308 hints.ai_flags = AI_CANONNAME;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	309
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	310 ret = getaddrinfo(buf, NULL, &hints, &info);
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	311 if (ret != 0) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	312 TRACE_ERROR( "Error resolving local FQDN : '%s' : %s"
1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	313 ". Please provide Identity in configuration file.",
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	314 buf, gai_strerror(ret));
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	315 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	316 }
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	317 fd_g_config->cnf_diamid = info->ai_canonname;
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	318 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 1) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	319 freeaddrinfo(info);
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	320 } else {
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	321 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	322 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	323
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	324 /* Handle the realm part */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	325 if (fd_g_config->cnf_diamrlm == NULL) {
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	326 char * start = NULL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	327
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	328 /* Check the diameter identity is a fqdn */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	329 start = strchr(fd_g_config->cnf_diamid, '.');
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	330 if ((start == NULL) \|\| (start[1] == '\0')) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	331 TRACE_ERROR( "Unable to extract realm from the Identity '%s'."
1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	332 " Please fix your Identity setting or provide Realm.",
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	333 fd_g_config->cnf_diamid);
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	334 return EINVAL;
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	335 }
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	336
706 4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	337 fd_g_config->cnf_diamrlm = start + 1;
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	338 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 1) );
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	339 } else {
4ffbc9f1e922 Large UNTESTED commit with the following changes: Sebastien Decugis <sdecugis@nict.go.jp> parents: 686 diff changeset	340 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 0) );
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	341 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	342
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	343 /* Validate some flags */
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	344 if (fd_g_config->cnf_flags.no_ip4 && fd_g_config->cnf_flags.no_ip6) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	345 TRACE_ERROR( "IP and IPv6 cannot be disabled at the same time.");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	346 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	347 }
10 c5c99c73c2bf Added some extensions and functions in the daemon Sebastien Decugis <sdecugis@nict.go.jp> parents: 8 diff changeset	348 if (fd_g_config->cnf_flags.no_tcp && fd_g_config->cnf_flags.no_sctp) {
994 1e1d6f94cd94 Remove more newlines. Thomas Klausner <tk@giga.or.at> parents: 983 diff changeset	349 TRACE_ERROR( "TCP and SCTP cannot be disabled at the same time.");
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	350 return EINVAL;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	351 }
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	352
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	353 /* Validate local endpoints */
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	354 if ((!FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) && (fd_g_config->cnf_flags.no_ip4 \|\| fd_g_config->cnf_flags.no_ip6)) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	355 struct fd_list * li;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	356 for ( li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) {
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	357 struct fd_endpoint * ep = (struct fd_endpoint *)li;
23 db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	358 if ( (fd_g_config->cnf_flags.no_ip4 && (ep->sa.sa_family == AF_INET))
db6c40b8b307 Added some code in cnxctx.c mainly Sebastien Decugis <sdecugis@nict.go.jp> parents: 22 diff changeset	359 \|\|(fd_g_config->cnf_flags.no_ip6 && (ep->sa.sa_family == AF_INET6)) ) {
1107 96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	360 char sa_buf[sSA_DUMP_STRLEN];;
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	361 li = li->prev;
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	362 fd_list_unlink(&ep->chain);
1107 96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	363 fd_sa_sdump_numeric(sa_buf, &ep->sa);
96f2051215c8 Replaced calls to TRACE_sSA and sSA_DUMP_NODE* macros Sebastien Decugis <sdecugis@freediameter.net> parents: 1093 diff changeset	364 LOG_N("Info: Removing local address conflicting with the flags no_IP / no_IP6 : %s", sa_buf);
22 0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	365 free(ep);
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	366 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	367 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	368 }
0b3b46da2c12 Progress on server code Sebastien Decugis <sdecugis@nict.go.jp> parents: 20 diff changeset	369
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	370 /* Configure TLS default parameters */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	371 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.prio_string)) {
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	372 const char * err_pos = NULL;
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	373 CHECK_GNUTLS_DO( gnutls_priority_init(
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	374 &fd_g_config->cnf_sec_data.prio_cache,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	375 GNUTLS_DEFAULT_PRIORITY,
e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	376 &err_pos),
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	377 { TRACE_ERROR("Error in priority string at position : %s", err_pos); return EINVAL; } );
18 e7187583dcf8 Added CA helper script Sebastien Decugis <sdecugis@nict.go.jp> parents: 17 diff changeset	378 }
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	379
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	380 /* Verify that our certificate is valid -- otherwise remote peers will reject it */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	381 if (!fd_g_config->cnf_sec_data.tls_disabled) {
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	382 int ret = 0, i;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	383
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	384 gnutls_datum_t certfile;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	385
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	386 gnutls_x509_crt_t * certs = NULL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	387 unsigned int cert_max = 0;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	388
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	389
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	390 /* Read the certificate file */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	391 FILE *stream = fopen (fd_g_config->cnf_sec_data.cert_file, "rb");
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	392 if (!stream) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	393 int err = errno;
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	394 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.cert_file, strerror(err));
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	395 return err;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	396 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	397 CHECK_FCT( fd_conf_stream_to_gnutls_datum(stream, &certfile) );
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	398 fclose(stream);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	399
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	400 /* Import the certificate(s) */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	401 GNUTLS_TRACE( ret = gnutls_x509_crt_list_import(NULL, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	402 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	403 CHECK_GNUTLS_DO(ret, return EINVAL);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	404 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	405
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	406 CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) );
820 0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	407 CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM,
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	408 #ifdef GNUTLS_VERSION_300
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	409 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	410 #else /* GNUTLS_VERSION_300 */
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	411 0
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	412 #endif /* GNUTLS_VERSION_300 */
0eb64b3a3632 Fix compilation with gnutls < 3.x Sebastien Decugis <sdecugis@freediameter.net> parents: 808 diff changeset	413 ),
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	414 {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	415 TRACE_ERROR("Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file);
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	416 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	417 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	418 } );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	419 free(certfile.data);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	420
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	421 ASSERT(cert_max >= 1);
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	422
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	423 /* Now, verify the list against the local CA and CRL */
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	424
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	425 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	426
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	427 /* We use the trust list for this purpose */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	428 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	429 unsigned int output;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	430
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	431 gnutls_x509_trust_list_verify_named_crt (
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	432 fd_g_config->cnf_sec_data.trustlist,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	433 certs[0],
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	434 fd_g_config->cnf_diamid,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	435 fd_g_config->cnf_diamid_len,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	436 0,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	437 &output,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	438 fd_conf_print_details_func);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	439
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	440 /* if this certificate is not explicitly trusted verify against CAs
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	441 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	442 if (output != 0)
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	443 {
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	444 gnutls_x509_trust_list_verify_crt (
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	445 fd_g_config->cnf_sec_data.trustlist,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	446 certs,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	447 cert_max,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	448 0,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	449 &output,
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	450 fd_conf_print_details_func);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	451 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	452
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	453 if (output & GNUTLS_CERT_INVALID)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	454 {
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	455 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	456 if (output & GNUTLS_CERT_SIGNER_NOT_FOUND)
1184 8c340f832127 Remove auto-use of the certificate as CA when CA was not provided, since now TLS_cred can be ignored when TLS is not used. Sebastien Decugis <sdecugis@freediameter.net> parents: 1181 diff changeset	457 TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	458 if (output & GNUTLS_CERT_SIGNER_NOT_CA)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	459 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	460 if (output & GNUTLS_CERT_NOT_ACTIVATED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	461 TRACE_ERROR(" - The certificate is not yet activated.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	462 if (output & GNUTLS_CERT_EXPIRED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	463 TRACE_ERROR(" - The certificate is expired.");
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	464 return EINVAL;
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	465 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	466
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	467 /* Now check the subject matches our hostname */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	468 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid))
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	469 {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	470 TRACE_ERROR("TLS: The certificate owner does not match the hostname '%s'", fd_g_config->cnf_diamid);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	471 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	472 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	473
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	474 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	475
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	476
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	477 #else /* GNUTLS_VERSION_300 */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	478
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	479 /* GnuTLS 2.x way of checking certificates */
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	480 {
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	481 gnutls_x509_crt_t * CA_list;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	482 int CA_list_length;
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	483
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	484 gnutls_x509_crl_t * CRL_list;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	485 int CRL_list_length;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	486
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	487 unsigned int verify;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	488 time_t now;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	489 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	490 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	491 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify),
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	492 {
1008 d3d2a32320c4 Fix a compilation warning and protect CHECK_GNUTLS_DO macro Sebastien Decugis <sdecugis@freediameter.net> parents: 1006 diff changeset	493 TRACE_ERROR("Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	494 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	495 } );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	496
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	497 if (verify) {
974 2091bf698fb1 Remove newlines from fd_log_debug, TRACE_DEBUG, TRACE_ERROR, and TRACE_DEBUG_ERROR Thomas Klausner <tk@giga.or.at> parents: 965 diff changeset	498 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	499 if (verify & GNUTLS_CERT_INVALID)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	500 TRACE_ERROR(" - The certificate is not trusted (unknown CA? expired?)");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	501 if (verify & GNUTLS_CERT_REVOKED)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	502 TRACE_ERROR(" - The certificate has been revoked.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	503 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	504 TRACE_ERROR(" - The certificate hasn't got a known issuer.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	505 if (verify & GNUTLS_CERT_SIGNER_NOT_CA)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	506 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints.");
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	507 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM)
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	508 TRACE_ERROR(" - The certificate signature uses a weak algorithm.");
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	509 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	510 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	511
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	512 /* Check the local Identity is valid with the certificate */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	513 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	514 TRACE_ERROR("TLS: Local certificate '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	515 TRACE_ERROR(" - The certificate hostname does not match '%s'", fd_g_config->cnf_diamid);
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	516 return EINVAL;
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	517 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	518
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	519 /* Check validity of all the certificates in the chain */
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	520 now = time(NULL);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	521 for (i = 0; i < cert_max; i++)
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	522 {
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	523 time_t deadline;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	524
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	525 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	526 if ((deadline != (time_t)-1) && (deadline < now)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	527 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	528 TRACE_ERROR(" - The certificate %d in the chain is expired", i);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	529 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	530 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	531
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	532 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) );
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	533 if ((deadline != (time_t)-1) && (deadline > now)) {
1006 6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	534 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file);
6ce8322f3b78 Report an error if a problem is big enough to break startup. Thomas Klausner <tk@giga.or.at> parents: 994 diff changeset	535 TRACE_ERROR(" - The certificate %d in the chain is not yet activated", i);
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	536 return EINVAL;
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	537 }
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	538 }
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	539 }
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	540 #endif /* GNUTLS_VERSION_300 */
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	541
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	542 /* Everything checked OK, free the certificate list */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	543 for (i = 0; i < cert_max; i++)
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	544 {
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	545 GNUTLS_TRACE( gnutls_x509_crt_deinit (certs[i]) );
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	546 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	547 free(certs);
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	548
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	549 #ifdef GNUTLS_VERSION_300
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	550 /* Use certificate verification during the handshake */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	551 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	552 #endif /* GNUTLS_VERSION_300 */
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	553
542 0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	554 }
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	555
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	556 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */
0b6cee362f5d Enforce validation of local certificate upon daemon start. Sebastien Decugis <sdecugis@nict.go.jp> parents: 447 diff changeset	557
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	558 /* DH */
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	559 if (!fd_g_config->cnf_sec_data.tls_disabled) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	560 if (fd_g_config->cnf_sec_data.dh_file) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	561 gnutls_datum_t dhparams = { NULL, 0 };
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	562 size_t alloc = 0;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	563 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb");
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	564 if (!stream) {
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	565 int err = errno;
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	566 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err));
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	567 return err;
7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	568 }
1155 d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	569 do {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	570 uint8_t * realloced = NULL;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	571 size_t read = 0;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	572
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	573 if (alloc < dhparams.size + BUFSIZ + 1) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	574 alloc += alloc / 2 + BUFSIZ + 1;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	575 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	576 {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	577 free(dhparams.data);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	578 return ENOMEM;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	579 } )
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	580 dhparams.data = realloced;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	581 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	582
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	583 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	584 dhparams.size += read;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	585
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	586 if (ferror(stream)) {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	587 int err = errno;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	588 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err));
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	589 return err;
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	590 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	591 } while (!feof(stream));
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	592 dhparams.data[dhparams.size] = '\0';
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	593 fclose(stream);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	594 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3(
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	595 fd_g_config->cnf_sec_data.dh_cache,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	596 &dhparams,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	597 GNUTLS_X509_FMT_PEM),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	598 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	599 free(dhparams.data);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	600
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	601 } else {
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	602 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS);
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	603 CHECK_GNUTLS_DO( gnutls_dh_params_generate2(
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	604 fd_g_config->cnf_sec_data.dh_cache,
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	605 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS),
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	606 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } );
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	607 }
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	608
d00b5914351e Allow running freeDiameter without TLS credentials if the following conditions are verified: Sebastien Decugis <sdecugis@freediameter.net> parents: 1127 diff changeset	609 }
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	610
8 3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	611 return 0;
3e143f047f78 Backup for the week-end Sebastien Decugis <sdecugis@nict.go.jp> parents: diff changeset	612 }
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	613 #ifndef GNUTLS_VERSION_300
1034 f4a73a991623 Fix warning on old GCC versions Sebastien Decugis <sdecugis@freediameter.net> parents: 1033 diff changeset	614 GCC_DIAG_ON("-Wdeprecated-declarations")
1027 0117a7746b21 Fix a number of errors and warnings introduced/highlighted by recent commits Sebastien Decugis <sdecugis@freediameter.net> parents: 1021 diff changeset	615 #endif /* !GNUTLS_VERSION_300 */
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	616
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	617
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	618 /* Destroy contents of fd_g_config structure */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	619 int fd_conf_deinit()
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	620 {
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	621 TRACE_ENTRY();
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	622
686 f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	623 if (!fd_g_config)
f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	624 return 0;
f83d9878bf66 Fixed in case of termination of several modules (before initialization completed) Sebastien Decugis <sdecugis@nict.go.jp> parents: 662 diff changeset	625
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	626 /* Free the TLS parameters */
805 fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	627 #ifdef GNUTLS_VERSION_300
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	628 gnutls_x509_trust_list_deinit(fd_g_config->cnf_sec_data.trustlist, 1);
fb5e0fd923ff Updated verification of the local certificate following GnuTLS 3.x guideline Sebastien Decugis <sdecugis@freediameter.net> parents: 767 diff changeset	629 #endif /* GNUTLS_VERSION_300 */
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	630 gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	631 gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	632 gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials);
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	633
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	634 free(fd_g_config->cnf_sec_data.cert_file); fd_g_config->cnf_sec_data.cert_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	635 free(fd_g_config->cnf_sec_data.key_file); fd_g_config->cnf_sec_data.key_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	636 free(fd_g_config->cnf_sec_data.ca_file); fd_g_config->cnf_sec_data.ca_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	637 free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	638 free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL;
578 7c9a00bfd115 Allow TLS Diffie-Hellmann parameters to be loaded from a file (ticket #17) Sebastien Decugis <sdecugis@nict.go.jp> parents: 542 diff changeset	639 free(fd_g_config->cnf_sec_data.dh_file); fd_g_config->cnf_sec_data.dh_file = NULL;
447 097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	640
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	641 /* Destroy dictionary */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	642 CHECK_FCT_DO( fd_dict_fini(&fd_g_config->cnf_dict), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	643
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	644 /* Destroy the main event queue */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	645 CHECK_FCT_DO( fd_fifo_del(&fd_g_config->cnf_main_ev), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	646
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	647 /* Destroy the local endpoints and applications */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	648 CHECK_FCT_DO(fd_ep_filter(&fd_g_config->cnf_endpoints, 0 ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	649 CHECK_FCT_DO(fd_app_empty(&fd_g_config->cnf_apps ), );
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	650
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	651 /* Destroy the local identity */
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	652 free(fd_g_config->cnf_diamid); fd_g_config->cnf_diamid = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	653 free(fd_g_config->cnf_diamrlm); fd_g_config->cnf_diamrlm = NULL;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	654
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	655 return 0;
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	656 }
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	657
097bae83b07a Forgot to cleanup the configuration on exit, spotted by valgrind Sebastien Decugis <sdecugis@nict.go.jp> parents: 403 diff changeset	658

Mercurial > hg > freeDiameter

annotate libfdcore/config.c @ 1404:6cc290653ef6