1 /********************************************************************************************************* |
2 * Software License Agreement (BSD License) * |
3 * Author: Sebastien Decugis <sdecugis@freediameter.net> * |
4 * * |
5 * Copyright (c) 2015, WIDE Project and NICT * |
6 * All rights reserved. * |
7 * * |
8 * Redistribution and use of this software in source and binary forms, with or without modification, are * |
9 * permitted provided that the following conditions are met: * |
10 * * |
11 * * Redistributions of source code must retain the above * |
12 * copyright notice, this list of conditions and the * |
13 * following disclaimer. * |
14 * * |
15 * * Redistributions in binary form must reproduce the above * |
16 * copyright notice, this list of conditions and the * |
17 * following disclaimer in the documentation and/or other * |
18 * materials provided with the distribution. * |
19 * * |
20 * * Neither the name of the WIDE Project or NICT nor the * |
21 * names of its contributors may be used to endorse or * |
22 * promote products derived from this software without * |
23 * specific prior written permission of WIDE Project and * |
24 * NICT. * |
25 * * |
26 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED * |
27 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A * |
28 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * |
29 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * |
30 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * |
31 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR * |
32 * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF * |
33 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * |
34 *********************************************************************************************************/ |
35 |
36 #include "fdcore-internal.h" |
37 #include <sys/stat.h> |
38 |
39 /* Configuration management */ |
40 |
/* Build-time defaults for the TLS layer; both can be overridden with -D at compile time (the
 * #ifndef guards) and the corresponding runtime fields in fd_g_config->cnf_sec_data take
 * precedence when set (see the fallbacks in fd_conf_dump). */
#ifndef GNUTLS_DEFAULT_PRIORITY
/* GnuTLS priority string (cipher suite / protocol selection) used when prio_string is not configured. */
# define GNUTLS_DEFAULT_PRIORITY "NORMAL"
#endif /* GNUTLS_DEFAULT_PRIORITY */
#ifndef GNUTLS_DEFAULT_DHBITS
/* DH parameter size used when neither a DH file nor dh_bits is configured.
 * 1024-bit DH groups are below current recommendations (>= 2048 bits); deployments should
 * override this at build time, set dh_bits in the configuration, or provide a DH file. */
# define GNUTLS_DEFAULT_DHBITS 1024
#endif /* GNUTLS_DEFAULT_DHBITS */
47 |
/* Initialize the fd_g_config structure to default values -- it should already have been initialized to all-0 */
/*
 * Returns 0 on success. Failures come either from CHECK_FCT (the error code returned by
 * fd_dict_init / fd_fifo_new) or from CHECK_GNUTLS_DO, which maps any failure of the GnuTLS
 * allocation calls to ENOMEM -- the actual GnuTLS error code is not propagated to the caller
 * (presumably logged by the macro). Nothing allocated earlier in this function is released on
 * those error paths, so the caller is presumably expected to abort start-up.
 */
int fd_conf_init()
{
	TRACE_ENTRY();
	
	fd_g_config->cnf_eyec = EYEC_CONFIG;	/* eye-catcher magic value for the config structure */
	
	/* Diameter Tc (connection retry) and Tw (watchdog) timers; RFC 6733 recommends 30 s for both */
	fd_g_config->cnf_timer_tc = 30;
	fd_g_config->cnf_timer_tw = 30;
	
	/* IANA-assigned defaults: cleartext port and TLS port. cnf_port_tls is kept separate from
	 * cnf_port so that outgoing secure connections still default to the standard port when the
	 * local port is changed (per the annotate history of these two lines). */
	fd_g_config->cnf_port = DIAMETER_PORT;
	fd_g_config->cnf_port_tls = DIAMETER_SECURE_PORT;
	fd_g_config->cnf_sctp_str = 30;		/* number of SCTP streams (reported by fd_conf_dump) */
	fd_g_config->cnf_thr_srv = 5;		/* server threads handling incoming client connections */
	fd_g_config->cnf_dispthr = 4;		/* dispatch ("app") threads */
	fd_list_init(&fd_g_config->cnf_endpoints, NULL);	/* empty list = listen on all available addresses (see fd_conf_dump) */
	fd_list_init(&fd_g_config->cnf_apps, NULL);
#ifdef DISABLE_SCTP
	fd_g_config->cnf_flags.no_sctp = 1;	/* SCTP compiled out: mirror it in the runtime flag */
#endif /* DISABLE_SCTP */
	
	/* Origin-State-Id is seeded from the wall clock so that each restart yields a larger value
	 * than the previous run (this property breaks if the clock steps backwards). */
	fd_g_config->cnf_orstateid = (uint32_t) time(NULL);
	
	CHECK_FCT( fd_dict_init(&fd_g_config->cnf_dict) );
	/* second argument is the queue size limit added in rev 767; 0 presumably means unbounded -- verify in fd_fifo_new */
	CHECK_FCT( fd_fifo_new(&fd_g_config->cnf_main_ev, 0) );
	
	/* TLS parameters */
	CHECK_GNUTLS_DO( gnutls_certificate_allocate_credentials (&fd_g_config->cnf_sec_data.credentials), return ENOMEM );
	CHECK_GNUTLS_DO( gnutls_dh_params_init (&fd_g_config->cnf_sec_data.dh_cache), return ENOMEM );
#ifdef GNUTLS_VERSION_300
	/* GnuTLS 3.x: trust list used for certificate verification (per the annotate history, rev 805) */
	CHECK_GNUTLS_DO( gnutls_x509_trust_list_init(&fd_g_config->cnf_sec_data.trustlist, 0), return ENOMEM );
#endif /* GNUTLS_VERSION_300 */
	
	return 0;
}
83 |
/*
 * Append a human-readable rendering of the running configuration (fd_g_config) to the dump
 * buffer, using the standard fd_dump calling convention (DECLARE_FD_DUMP_PROTOTYPE /
 * FD_DUMP_STD_PARAMS / FD_DUMP_HANDLE_OFFSET).
 *
 * Returns *buf on success, or NULL as soon as one fd_dump_extend / fd_ep_dump call fails
 * (each call is wrapped in CHECK_MALLOC_DO(..., return NULL)).
 *
 * The TLS section prints only the configured file names, flags and the priority string --
 * never the contents of the certificate, key, CA or DH files -- so the output is safe to log.
 * "a ?: b" below is the GNU "elvis" extension: yields a when non-NULL/non-zero, else b.
 */
DECLARE_FD_DUMP_PROTOTYPE(fd_conf_dump)
{
	FD_DUMP_HANDLE_OFFSET();
	
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "freeDiameter configuration:\n"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Default trace level .... : %+d\n", fd_g_debug_lvl), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Configuration file ..... : %s\n", fd_g_config->cnf_file), return NULL);
	/* NOTE(review): %zi expects a signed size; if cnf_diamid_len / cnf_diamrlm_len are size_t, %zu is the matching specifier */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Identity ...... : %s (l:%zi)\n", fd_g_config->cnf_diamid, fd_g_config->cnf_diamid_len), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Diameter Realm ......... : %s (l:%zi)\n", fd_g_config->cnf_diamrlm, fd_g_config->cnf_diamrlm_len), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tc Timer ............... : %u\n", fd_g_config->cnf_timer_tc), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Tw Timer ............... : %u\n", fd_g_config->cnf_timer_tw), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local port ............. : %hu\n", fd_g_config->cnf_port), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local secure port ...... : %hu\n", fd_g_config->cnf_port_tls), return NULL);
	/* dedicated TLS-over-SCTP port (presumably named after RFC 3436); only reported when configured */
	if (fd_g_config->cnf_port_3436) {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local SCTP TLS port .... : %hu\n", fd_g_config->cnf_port_3436), return NULL);
	}
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of SCTP streams . : %hu\n", fd_g_config->cnf_sctp_str), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of clients thr .. : %d\n", fd_g_config->cnf_thr_srv), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Number of app threads .. : %hu\n", fd_g_config->cnf_dispthr), return NULL);
	/* an empty endpoint list means "listen on every available address"; otherwise delegate to fd_ep_dump */
	if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : Default (use all available)\n"), return NULL);
	} else {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local endpoints ........ : "), return NULL);
	CHECK_MALLOC_DO( fd_ep_dump( FD_DUMP_STD_PARAMS, 0, 0, &fd_g_config->cnf_endpoints ), return NULL);
	}
	if (FD_IS_LIST_EMPTY(&fd_g_config->cnf_apps)) {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : (none)"), return NULL);
	} else {
	/* cnf_apps is a circular fd_list: walk from the first element until we are back at the head */
	struct fd_list * li = fd_g_config->cnf_apps.next;
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Local applications ..... : "), return NULL);
	while (li != &fd_g_config->cnf_apps) {
	struct fd_app * app = (struct fd_app *)li;	/* the fd_list link is the first member of struct fd_app */
	/* one entry per application: id, Auth/Acct capability flags, vendor id */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "App: %u,%s%s,Vnd:%u\t",
	app->appid,
	app->flags.auth ? "Au" : "--",
	app->flags.acct ? "Ac" : "--",
	app->vndid), return NULL);
	li = li->next;
	}
	}
	
	/* Runtime flags: the "no_*" fields are negative flags, hence DISABLED when set */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, "\n Flags : - IP ........... : %s\n", fd_g_config->cnf_flags.no_ip4 ? "DISABLED" : "Enabled"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - IPv6 ......... : %s\n", fd_g_config->cnf_flags.no_ip6 ? "DISABLED" : "Enabled"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Relay app .... : %s\n", fd_g_config->cnf_flags.no_fwd ? "DISABLED" : "Enabled"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TCP .......... : %s\n", fd_g_config->cnf_flags.no_tcp ? "DISABLED" : "Enabled"), return NULL);
#ifdef DISABLE_SCTP
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : DISABLED (at compilation)\n"), return NULL);
#else /* DISABLE_SCTP */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - SCTP ......... : %s\n", fd_g_config->cnf_flags.no_sctp ? "DISABLED" : "Enabled"), return NULL);
#endif /* DISABLE_SCTP */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Pref. proto .. : %s\n", fd_g_config->cnf_flags.pr_tcp ? "TCP" : "SCTP"), return NULL);
	/* tls_alg set = TLS negotiated in-band on the regular port; clear = TLS only on the separate secure port */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - TLS method ... : %s\n", fd_g_config->cnf_flags.tls_alg ? "INBAND" : "Separate port"), return NULL);
	
	/* TLS material: file names only. "(NONE)" for the cert/key means no local identity is configured. */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " TLS : - Certificate .. : %s\n", fd_g_config->cnf_sec_data.cert_file ?: "(NONE)"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Private key .. : %s\n", fd_g_config->cnf_sec_data.key_file ?: "(NONE)"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CA (trust) ... : %s (%d certs)\n", fd_g_config->cnf_sec_data.ca_file ?: "(none)", fd_g_config->cnf_sec_data.ca_file_nr), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - CRL .......... : %s\n", fd_g_config->cnf_sec_data.crl_file ?: "(none)"), return NULL);
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - Priority ..... : %s\n", fd_g_config->cnf_sec_data.prio_string ?: "(default: '" GNUTLS_DEFAULT_PRIORITY "')"), return NULL);
	/* a DH file takes precedence; otherwise the configured (or built-in default) DH group size applies */
	if (fd_g_config->cnf_sec_data.dh_file) {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH file ...... : %s\n", fd_g_config->cnf_sec_data.dh_file), return NULL);
	} else {
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " - DH bits ...... : %d\n", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), return NULL);
	}
	
	/* no trailing newline: fd_*dump functions leave the final "\n" to the caller (rev 1093 in the annotate history) */
	CHECK_MALLOC_DO( fd_dump_extend( FD_DUMP_STD_PARAMS, " Origin-State-Id ........ : %u", fd_g_config->cnf_orstateid), return NULL);
	
	return *buf;
}
152 |
/* Read the whole contents of a file opened in "rb" mode and allocate this data into a gnutls_datum_t (out->data must be freed afterwards by the caller) */
154 int fd_conf_stream_to_gnutls_datum(FILE * pemfile, gnutls_datum_t *out) |
155 { |
156 size_t alloc = 0; |
157 |
158 CHECK_PARAMS( pemfile && out ); |
159 memset(out, 0, sizeof(gnutls_datum_t)); |
160 |
161 do { |
162 uint8_t * realloced = NULL; |
163 size_t read = 0; |
164 |
165 if (alloc < out->size + BUFSIZ + 1) { |
166 alloc += alloc / 2 + BUFSIZ + 1; |
167 CHECK_MALLOC_DO( realloced = realloc(out->data, alloc), |
168 { |
169 free(out->data); |
170 return ENOMEM; |
171 } ) |
172 out->data = realloced; |
173 } |
174 |
175 read = fread( out->data + out->size, 1, alloc - out->size - 1, pemfile ); |
176 out->size += read; |
177 |
178 if (ferror(pemfile)) { |
179 int err = errno; |
180 TRACE_DEBUG(INFO, "An error occurred while reading file: %s", strerror(err)); |
181 return err; |
182 } |
183 } while (!feof(pemfile)); |
184 |
185 out->data[out->size] = '\0'; |
186 return 0; |
187 } |
188 |
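#ifdef GNUTLS_VERSION_300
/* Emit one "<label>: <value>" line of the certificate trace.
 *   label : what the DN represents ("Subject", "Issuer", ...)
 *   ret   : return code of the gnutls_*_get_*dn() call that was meant to fill dn
 *   dn    : the buffer that call was given
 * GnuTLS does not produce a usable string when such a getter fails (for
 * instance GNUTLS_E_SHORT_MEMORY_BUFFER when the DN is longer than the buffer),
 * so in that case the error text is logged instead of the buffer contents. */
static void fd_conf_log_dn(const char * label, int ret, const char * dn)
{
	if (ret < 0) {
		fd_log_debug("\t%s: <unavailable: %s>", label, gnutls_strerror(ret));
	} else {
		fd_log_debug("\t%s: %s", label, dn);
	}
}

/* Trace callback used while verifying the local certificate (inspired from the
 * GnuTLS manual; it has the gnutls_verify_output_function shape).
 *   cert   : the certificate GnuTLS is currently checking
 *   issuer : the certificate it was checked against, or NULL
 *   crl    : the CRL it was checked against, or NULL
 *   verification_output : the status flags GnuTLS reports for this step
 *                         (presumably gnutls_certificate_status_t bits), logged
 *                         raw in hexadecimal
 * Purely informational: nothing is printed unless GNUTLS_DBG_LEVEL tracing is
 * enabled, and the function always returns 0 so it never alters the
 * verification result. */
static int fd_conf_print_details_func (gnutls_x509_crt_t cert,
	gnutls_x509_crt_t issuer, gnutls_x509_crl_t crl,
	unsigned int verification_output)
{
	enum { DN_BUF_LEN = 512 };
	char dn[DN_BUF_LEN];
	size_t dn_size;
	int ret;

	if (!TRACE_BOOL(GNUTLS_DBG_LEVEL))
		return 0;

	/* The buffer is cleared before every getter and each getter's return code
	 * is checked: previously the return codes were ignored, so a failed call
	 * (e.g. a DN that does not fit in 512 bytes) left the buffer uninitialized
	 * and it was still printed with %s, leaking stack contents into the log. */
	memset(dn, 0, sizeof(dn));
	dn_size = sizeof(dn);
	ret = gnutls_x509_crt_get_dn (cert, dn, &dn_size);
	fd_conf_log_dn("Subject", ret, dn);

	memset(dn, 0, sizeof(dn));
	dn_size = sizeof(dn);
	ret = gnutls_x509_crt_get_issuer_dn (cert, dn, &dn_size);
	fd_conf_log_dn("Issuer", ret, dn);

	if (issuer != NULL) {
		memset(dn, 0, sizeof(dn));
		dn_size = sizeof(dn);
		ret = gnutls_x509_crt_get_dn (issuer, dn, &dn_size);
		fd_conf_log_dn("Verified against", ret, dn);
	}

	if (crl != NULL) {
		memset(dn, 0, sizeof(dn));
		dn_size = sizeof(dn);
		ret = gnutls_x509_crl_get_issuer_dn (crl, dn, &dn_size);
		fd_conf_log_dn("Verified against CRL of", ret, dn);
	}

	fd_log_debug("\tVerification output: %x", verification_output);

	return 0;
}
#endif /* GNUTLS_VERSION_300 */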
233 |
#ifndef GNUTLS_VERSION_300
/* When building against GnuTLS older than 3.0, stop GCC from warning about
 * deprecated declarations from here on -- presumably because the code that
 * follows (fd_conf_parse) calls GnuTLS functions those older headers mark as
 * deprecated. The matching GCC_DIAG_ON() is not in this excerpt; confirm it is
 * restored after the affected code so unrelated warnings are not hidden. */
GCC_DIAG_OFF("-Wdeprecated-declarations")
#endif /* !GNUTLS_VERSION_300 */
237 /* Parse the configuration file (using the yacc parser) */ |
238 int fd_conf_parse() |
239 { |
240 extern FILE * fddin; |
241 const char * orig = NULL; |
242 |
243 /* Attempt to find the configuration file */ |
244 if (!fd_g_config->cnf_file) |
245 fd_g_config->cnf_file = FD_DEFAULT_CONF_FILENAME; |
246 |
247 fddin = fopen(fd_g_config->cnf_file, "r"); |
248 if ((fddin == NULL) && (*fd_g_config->cnf_file != '/')) { |
249 char * new_cnf = NULL; |
250 /* We got a relative path, attempt to add the default directory prefix */ |
251 orig = fd_g_config->cnf_file; |
252 CHECK_MALLOC( new_cnf = malloc(strlen(orig) + strlen(DEFAULT_CONF_PATH) + 2) ); /* we will not free it, but not important */ |
253 sprintf( new_cnf, DEFAULT_CONF_PATH "/%s", orig ); |
254 fd_g_config->cnf_file = new_cnf; |
255 fddin = fopen(fd_g_config->cnf_file, "r"); |
256 } |
257 if (fddin == NULL) { |
258 int ret = errno; |
259 LOG_F("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s", |
260 orig ?: "", orig? " and " : "", fd_g_config->cnf_file, strerror(ret)); |
261 return ret; |
262 } |
263 |
264 /* call yacc parser */ |
265 TRACE_DEBUG (FULL, "Parsing configuration file: %s", fd_g_config->cnf_file); |
266 CHECK_FCT( fddparse(fd_g_config) ); |
267 |
268 /* close the file */ |
269 fclose(fddin); |
270 |
271 /* Check that TLS private key was given */ |
272 if (! fd_g_config->cnf_sec_data.key_file) { |
273 /* If TLS is not enabled, we allow empty TLS configuration */ |
274 if ((fd_g_config->cnf_port_tls == 0) && (fd_g_config->cnf_flags.tls_alg == 0)) { |
275 LOG_N("TLS is disabled, this is *NOT* a recommended practice! Diameter protocol conveys highly sensitive information on your users."); |
276 fd_g_config->cnf_sec_data.tls_disabled = 1; |
277 } else { |
278 LOG_F( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive."); |
279 return EINVAL; |
280 } |
281 } |
282 |
283 /* Resolve hostname if not provided */ |
284 if (fd_g_config->cnf_diamid == NULL) { |
285 char buf[HOST_NAME_MAX + 1]; |
286 struct addrinfo hints, *info; |
287 int ret; |
288 |
289 /* local host name */ |
290 CHECK_SYS(gethostname(buf, sizeof(buf))); |
291 |
292 /* get FQDN */ |
293 memset(&hints, 0, sizeof hints); |
294 hints.ai_flags = AI_CANONNAME; |
295 |
296 ret = getaddrinfo(buf, NULL, &hints, &info); |
297 if (ret != 0) { |
994 | 298 TRACE_ERROR( "Error resolving local FQDN : '%s' : %s" |
299 ". Please provide Identity in configuration file.", | |
300 buf, gai_strerror(ret)); |
301 return EINVAL; |
302 } |
303 fd_g_config->cnf_diamid = info->ai_canonname; |
304 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 1) ); |
305 freeaddrinfo(info); |
306 } else { |
307 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamid, &fd_g_config->cnf_diamid_len, 0) ); |
308 } |
309 |
310 /* Handle the realm part */ |
311 if (fd_g_config->cnf_diamrlm == NULL) { |
312 char * start = NULL; |
313 |
314 /* Check the diameter identity is a fqdn */ |
315 start = strchr(fd_g_config->cnf_diamid, '.'); |
316 if ((start == NULL) || (start[1] == '\0')) { |
994 | 317 TRACE_ERROR( "Unable to extract realm from the Identity '%s'." |
318 " Please fix your Identity setting or provide Realm.", | |
319 fd_g_config->cnf_diamid); |
320 return EINVAL; |
321 } |
322 |
323 fd_g_config->cnf_diamrlm = start + 1; |
324 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 1) ); |
325 } else { |
326 CHECK_FCT( fd_os_validate_DiameterIdentity(&fd_g_config->cnf_diamrlm, &fd_g_config->cnf_diamrlm_len, 0) ); |
327 } |
328 |
329 /* Validate some flags */ |
330 if (fd_g_config->cnf_flags.no_ip4 && fd_g_config->cnf_flags.no_ip6) { |
994 | 331 TRACE_ERROR( "IP and IPv6 cannot be disabled at the same time."); |
332 return EINVAL; |
333 } |
334 if (fd_g_config->cnf_flags.no_tcp && fd_g_config->cnf_flags.no_sctp) { |
994 | 335 TRACE_ERROR( "TCP and SCTP cannot be disabled at the same time."); |
336 return EINVAL; |
337 } |
338 |
339 /* Validate local endpoints */ |
340 if ((!FD_IS_LIST_EMPTY(&fd_g_config->cnf_endpoints)) && (fd_g_config->cnf_flags.no_ip4 || fd_g_config->cnf_flags.no_ip6)) { |
341 struct fd_list * li; |
342 for ( li = fd_g_config->cnf_endpoints.next; li != &fd_g_config->cnf_endpoints; li = li->next) { |
343 struct fd_endpoint * ep = (struct fd_endpoint *)li; |
344 if ( (fd_g_config->cnf_flags.no_ip4 && (ep->sa.sa_family == AF_INET)) |
345 ||(fd_g_config->cnf_flags.no_ip6 && (ep->sa.sa_family == AF_INET6)) ) { |
346 char sa_buf[sSA_DUMP_STRLEN];; |
347 li = li->prev; |
348 fd_list_unlink(&ep->chain); |
349 fd_sa_sdump_numeric(sa_buf, &ep->sa); |
350 LOG_N("Info: Removing local address conflicting with the flags no_IP / no_IP6 : %s", sa_buf); |
351 free(ep); |
352 } |
353 } |
354 } |
355 |
356 /* Configure TLS default parameters */ |
357 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.prio_string)) { |
358 const char * err_pos = NULL; |
359 CHECK_GNUTLS_DO( gnutls_priority_init( |
360 &fd_g_config->cnf_sec_data.prio_cache, |
361 GNUTLS_DEFAULT_PRIORITY, |
362 &err_pos), |
363 { TRACE_ERROR("Error in priority string at position : %s", err_pos); return EINVAL; } ); |
364 } |
365 |
366 /* Verify that our certificate is valid -- otherwise remote peers will reject it */ |
367 if (!fd_g_config->cnf_sec_data.tls_disabled) { |
368 int ret = 0, i; |
369 |
370 gnutls_datum_t certfile; |
371 |
372 gnutls_x509_crt_t * certs = NULL; |
373 unsigned int cert_max = 0; |
374 |
375 |
376 /* Read the certificate file */ |
377 FILE *stream = fopen (fd_g_config->cnf_sec_data.cert_file, "rb"); |
378 if (!stream) { |
379 int err = errno; |
380 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.cert_file, strerror(err)); |
381 return err; |
382 } |
383 CHECK_FCT( fd_conf_stream_to_gnutls_datum(stream, &certfile) ); |
384 fclose(stream); |
385 |
386 /* Import the certificate(s) */ |
387 GNUTLS_TRACE( ret = gnutls_x509_crt_list_import(NULL, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED) ); |
388 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { |
389 CHECK_GNUTLS_DO(ret, return EINVAL); |
390 } |
391 |
392 CHECK_MALLOC( certs = calloc(cert_max, sizeof(gnutls_x509_crt_t)) ); |
393 CHECK_GNUTLS_DO( gnutls_x509_crt_list_import(certs, &cert_max, &certfile, GNUTLS_X509_FMT_PEM, |
394 #ifdef GNUTLS_VERSION_300 |
395 GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED |
396 #else /* GNUTLS_VERSION_300 */ |
397 0 |
398 #endif /* GNUTLS_VERSION_300 */ |
399 ), |
400 { |
401 TRACE_ERROR("Failed to import the data from file '%s'", fd_g_config->cnf_sec_data.cert_file); |
402 free(certfile.data); |
403 return EINVAL; |
404 } ); |
405 free(certfile.data); |
406 |
407 ASSERT(cert_max >= 1); |
408 |
409 /* Now, verify the list against the local CA and CRL */ |
410 |
411 #ifdef GNUTLS_VERSION_300 |
412 |
413 /* We use the trust list for this purpose */ |
414 { |
415 unsigned int output; |
416 |
417 gnutls_x509_trust_list_verify_named_crt ( |
418 fd_g_config->cnf_sec_data.trustlist, |
419 certs[0], |
420 fd_g_config->cnf_diamid, |
421 fd_g_config->cnf_diamid_len, |
422 0, |
423 &output, |
424 fd_conf_print_details_func); |
425 |
426 /* if this certificate is not explicitly trusted verify against CAs |
427 */ |
428 if (output != 0) |
429 { |
430 gnutls_x509_trust_list_verify_crt ( |
431 fd_g_config->cnf_sec_data.trustlist, |
432 certs, |
433 cert_max, |
434 0, |
435 &output, |
436 fd_conf_print_details_func); |
437 } |
438 |
439 if (output & GNUTLS_CERT_INVALID) |
440 { |
441 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
442 if (output & GNUTLS_CERT_SIGNER_NOT_FOUND) |
443 TRACE_ERROR(" - The certificate hasn't got a known issuer. Did you forget to specify TLS_CA ?"); |
444 if (output & GNUTLS_CERT_SIGNER_NOT_CA) |
445 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); |
446 if (output & GNUTLS_CERT_NOT_ACTIVATED) |
447 TRACE_ERROR(" - The certificate is not yet activated."); |
448 if (output & GNUTLS_CERT_EXPIRED) |
449 TRACE_ERROR(" - The certificate is expired."); |
450 return EINVAL; |
451 } |
452 |
453 /* Now check the subject matches our hostname */ |
454 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) |
455 { |
456 TRACE_ERROR("TLS: The certificate owner does not match the hostname '%s'", fd_g_config->cnf_diamid); |
457 return EINVAL; |
458 } |
459 |
460 } |
461 |
462 |
463 #else /* GNUTLS_VERSION_300 */ |
464 |
465 /* GnuTLS 2.x way of checking certificates */ |
466 { |
467 gnutls_x509_crt_t * CA_list; |
468 int CA_list_length; |
469 |
470 gnutls_x509_crl_t * CRL_list; |
471 int CRL_list_length; |
472 |
473 unsigned int verify; |
474 time_t now; |
475 GNUTLS_TRACE( gnutls_certificate_get_x509_cas (fd_g_config->cnf_sec_data.credentials, &CA_list, (unsigned int *) &CA_list_length) ); |
476 GNUTLS_TRACE( gnutls_certificate_get_x509_crls (fd_g_config->cnf_sec_data.credentials, &CRL_list, (unsigned int *) &CRL_list_length) ); |
477 CHECK_GNUTLS_DO( gnutls_x509_crt_list_verify(certs, cert_max, CA_list, CA_list_length, CRL_list, CRL_list_length, 0, &verify), |
478 { |
479 TRACE_ERROR("Failed to verify the local certificate '%s' against local credentials. Please check your certificate is valid.", fd_g_config->cnf_sec_data.cert_file); |
480 return EINVAL; |
481 } ); |
482 |
483 if (verify) { |
484 fd_log_debug("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
485 if (verify & GNUTLS_CERT_INVALID) |
486 TRACE_ERROR(" - The certificate is not trusted (unknown CA? expired?)"); |
487 if (verify & GNUTLS_CERT_REVOKED) |
488 TRACE_ERROR(" - The certificate has been revoked."); |
489 if (verify & GNUTLS_CERT_SIGNER_NOT_FOUND) |
490 TRACE_ERROR(" - The certificate hasn't got a known issuer."); |
491 if (verify & GNUTLS_CERT_SIGNER_NOT_CA) |
492 TRACE_ERROR(" - The certificate signer is not a CA, or uses version 1, or 3 without basic constraints."); |
493 if (verify & GNUTLS_CERT_INSECURE_ALGORITHM) |
494 TRACE_ERROR(" - The certificate signature uses a weak algorithm."); |
495 return EINVAL; |
496 } |
497 |
498 /* Check the local Identity is valid with the certificate */ |
499 if (!gnutls_x509_crt_check_hostname (certs[0], fd_g_config->cnf_diamid)) { |
500 TRACE_ERROR("TLS: Local certificate '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
501 TRACE_ERROR(" - The certificate hostname does not match '%s'", fd_g_config->cnf_diamid); |
502 return EINVAL; |
503 } |
504 |
505 /* Check validity of all the certificates in the chain */ |
506 now = time(NULL); |
507 for (i = 0; i < cert_max; i++) |
508 { |
509 time_t deadline; |
510 |
511 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_expiration_time(certs[i]) ); |
512 if ((deadline != (time_t)-1) && (deadline < now)) { |
513 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
514 TRACE_ERROR(" - The certificate %d in the chain is expired", i); |
515 return EINVAL; |
516 } |
517 |
518 GNUTLS_TRACE( deadline = gnutls_x509_crt_get_activation_time(certs[i]) ); |
519 if ((deadline != (time_t)-1) && (deadline > now)) { |
520 TRACE_ERROR("TLS: Local certificate chain '%s' is invalid :", fd_g_config->cnf_sec_data.cert_file); |
521 TRACE_ERROR(" - The certificate %d in the chain is not yet activated", i); |
522 return EINVAL; |
523 } |
524 } |
525 } |
526 #endif /* GNUTLS_VERSION_300 */ |
527 |
528 /* Everything checked OK, free the certificate list */ |
529 for (i = 0; i < cert_max; i++) |
530 { |
531 GNUTLS_TRACE( gnutls_x509_crt_deinit (certs[i]) ); |
532 } |
533 free(certs); |
534 |
535 #ifdef GNUTLS_VERSION_300 |
536 /* Use certificate verification during the handshake */ |
537 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2); |
538 #endif /* GNUTLS_VERSION_300 */ |
539 |
540 } |
541 |
542 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */ |
543 |
544 /* DH */ |
545 if (!fd_g_config->cnf_sec_data.tls_disabled) { |
546 if (fd_g_config->cnf_sec_data.dh_file) { |
547 gnutls_datum_t dhparams = { NULL, 0 }; |
548 size_t alloc = 0; |
549 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb"); |
550 if (!stream) { |
551 int err = errno; |
552 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); |
553 return err; |
554 } |
555 do { |
556 uint8_t * realloced = NULL; |
557 size_t read = 0; |
558 |
559 if (alloc < dhparams.size + BUFSIZ + 1) { |
560 alloc += alloc / 2 + BUFSIZ + 1; |
561 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc), |
562 { |
563 free(dhparams.data); |
564 return ENOMEM; |
565 } ) |
566 dhparams.data = realloced; |
567 } |
568 |
569 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream ); |
570 dhparams.size += read; |
571 |
572 if (ferror(stream)) { |
573 int err = errno; |
574 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); |
575 return err; |
576 } |
577 } while (!feof(stream)); |
578 dhparams.data[dhparams.size] = '\0'; |
579 fclose(stream); |
580 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3( |
581 fd_g_config->cnf_sec_data.dh_cache, |
582 &dhparams, |
583 GNUTLS_X509_FMT_PEM), |
584 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); |
585 free(dhparams.data); |
586 |
587 } else { |
588 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); |
589 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( |
590 fd_g_config->cnf_sec_data.dh_cache, |
591 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), |
592 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); |
593 } |
594 |
595 } |
596 |
597 return 0; |
598 } |
#ifndef GNUTLS_VERSION_300
/* Re-enable -Wdeprecated-declarations for the rest of the file. This is
 * presumably the closing half of a GCC_DIAG_OFF placed before the function
 * above (outside this view) that silences the warning while the pre-3.0
 * GnuTLS verification API is used -- TODO confirm the matching GCC_DIAG_OFF. */
GCC_DIAG_ON("-Wdeprecated-declarations")
#endif /* !GNUTLS_VERSION_300 */


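/* Destroy contents of fd_g_config structure.
 *
 * Releases, in this order: the TLS material (GnuTLS handles, then the
 * configured file names and priority string), the dictionary, the main event
 * queue, the local endpoints and applications, and the local identity. The
 * fd_g_config object itself is not freed; a NULL fd_g_config is a no-op.
 *
 * Every pointer released here is reset to NULL afterwards, so the function is
 * idempotent (a second call finds nothing left to free) and tolerates a
 * structure whose initialization stopped part-way. The GnuTLS handles are
 * only released when non-NULL; this assumes an unset handle is NULL, i.e.
 * that fd_conf_init zeroes the structure before filling it -- TODO confirm.
 *
 * Returns 0. Failures of the helper teardown calls are not propagated: the
 * empty second argument of CHECK_FCT_DO means the teardown simply continues.
 */
int fd_conf_deinit()
{
	TRACE_ENTRY();
	
	if (!fd_g_config)
		return 0;
	
	/* Free the TLS parameters. Each GnuTLS handle is released only if it was
	 * actually allocated and then cleared, so that a repeated deinit (or a
	 * deinit after a partial init) cannot free the same object twice. */
#ifdef GNUTLS_VERSION_300
	if (fd_g_config->cnf_sec_data.trustlist) {
		/* second argument 1: also release the CAs/CRLs held by the list */
		gnutls_x509_trust_list_deinit(fd_g_config->cnf_sec_data.trustlist, 1);
		fd_g_config->cnf_sec_data.trustlist = NULL;
	}
#endif /* GNUTLS_VERSION_300 */
	if (fd_g_config->cnf_sec_data.prio_cache) {
		gnutls_priority_deinit(fd_g_config->cnf_sec_data.prio_cache);
		fd_g_config->cnf_sec_data.prio_cache = NULL;
	}
	if (fd_g_config->cnf_sec_data.dh_cache) {
		gnutls_dh_params_deinit(fd_g_config->cnf_sec_data.dh_cache);
		fd_g_config->cnf_sec_data.dh_cache = NULL;
	}
	if (fd_g_config->cnf_sec_data.credentials) {
		/* This also releases the private key loaded into the credentials. */
		gnutls_certificate_free_credentials(fd_g_config->cnf_sec_data.credentials);
		fd_g_config->cnf_sec_data.credentials = NULL;
	}
	
	/* Configured file names and priority string (heap-allocated strings;
	 * free(NULL) is a no-op for any that were never set). */
	free(fd_g_config->cnf_sec_data.cert_file); fd_g_config->cnf_sec_data.cert_file = NULL;
	free(fd_g_config->cnf_sec_data.key_file); fd_g_config->cnf_sec_data.key_file = NULL;
	free(fd_g_config->cnf_sec_data.ca_file); fd_g_config->cnf_sec_data.ca_file = NULL;
	free(fd_g_config->cnf_sec_data.crl_file); fd_g_config->cnf_sec_data.crl_file = NULL;
	free(fd_g_config->cnf_sec_data.prio_string); fd_g_config->cnf_sec_data.prio_string = NULL;
	free(fd_g_config->cnf_sec_data.dh_file); fd_g_config->cnf_sec_data.dh_file = NULL;
	
	/* Destroy dictionary */
	CHECK_FCT_DO( fd_dict_fini(&fd_g_config->cnf_dict), );
	
	/* Destroy the main event queue */
	CHECK_FCT_DO( fd_fifo_del(&fd_g_config->cnf_main_ev), );
	
	/* Destroy the local endpoints and applications */
	CHECK_FCT_DO(fd_ep_filter(&fd_g_config->cnf_endpoints, 0 ), );
	CHECK_FCT_DO(fd_app_empty(&fd_g_config->cnf_apps ), );
	
	/* Destroy the local identity */
	free(fd_g_config->cnf_diamid); fd_g_config->cnf_diamid = NULL;
	free(fd_g_config->cnf_diamrlm); fd_g_config->cnf_diamrlm = NULL;
	
	return 0;
}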
643 |
644 |