Changeset 805:fb5e0fd923ff in freeDiameter for libfdcore/fdd.y

Timestamp:

Aug 23, 2012, 5:56:22 AM (12 years ago)

Author:

Sebastien Decugis <sdecugis@freediameter.net>

Branch:

default

Phase:

public

Message:

Updated verification of the local certificate following GnuTLS 3.x guideline

File:

• libfdcore/fdd.y (modified) (5 diffs)

libfdcore/fdd.y

@@ -529 +529 @@
                         {
                                 FILE * fd;
-                                fd = fopen($3, "r");
+                                fd = fopen($3, "rb");
                                 if (fd == NULL) {
                                         int ret = errno;
@@ -536 +536 @@
                                         YYERROR;
                                 }
+                                #ifdef GNUTLS_VERSION_300
+                                {
+                                        /* We import these CA in the trust list */
+                                        gnutls_x509_crt_t * calist;
+                                        unsigned int cacount;
+                                        gnutls_datum_t cafile;
+                                        
+                                        CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &cafile), 
+                                                        { yyerror (&yylloc, conf, "Error reading CA file."); YYERROR; } );
+                                                        
+                                        CHECK_GNUTLS_DO( gnutls_x509_crt_list_import2(&calist, &cacount, &cafile, GNUTLS_X509_FMT_PEM, 
+                                                                                GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED),
+                                                        { yyerror (&yylloc, conf, "Error importing CA file."); YYERROR; } );
+                                        free(cafile.data);
+                                        
+                                        CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_cas (fd_g_config->cnf_sec_data.trustlist, calist, cacount, 0),
+                                                        { yyerror (&yylloc, conf, "Error saving CA in trust list."); YYERROR; } );
+                                }
+                                #endif /* GNUTLS_VERSION_300 */
                                 fclose(fd);
                                 conf->cnf_sec_data.ca_file = $3;
@@ -543 +562 @@
                                                         GNUTLS_X509_FMT_PEM),
                                                 { yyerror (&yylloc, conf, "Error setting CA parameters."); YYERROR; } );
+                                                
                         }
                         ;
@@ -549 +569 @@
                         {
                                 FILE * fd;
-                                fd = fopen($3, "r");
+                                fd = fopen($3, "rb");
                                 if (fd == NULL) {
                                         int ret = errno;
@@ -556 +576 @@
                                         YYERROR;
                                 }
+                                #ifdef GNUTLS_VERSION_300
+                                {
+                                        /* We import these CRL in the trust list */
+                                        gnutls_x509_crl_t * crllist;
+                                        unsigned int crlcount;
+                                        gnutls_datum_t crlfile;
+                                        
+                                        CHECK_FCT_DO( fd_conf_stream_to_gnutls_datum(fd, &crlfile), 
+                                                        { yyerror (&yylloc, conf, "Error reading CRL file."); YYERROR; } );
+                                                        
+                                        CHECK_GNUTLS_DO( gnutls_x509_crl_list_import2(&crllist, &crlcount, &crlfile, GNUTLS_X509_FMT_PEM, 0),
+                                                        { yyerror (&yylloc, conf, "Error importing CRL file."); YYERROR; } );
+                                        free(crlfile.data);
+                                        
+                                        CHECK_GNUTLS_DO( gnutls_x509_trust_list_add_crls (fd_g_config->cnf_sec_data.trustlist, crllist, crlcount, 
+                                                                        GNUTLS_TL_VERIFY_CRL,
+                                                                        0),
+                                                        { yyerror (&yylloc, conf, "Error importing CRL in trust list."); YYERROR; } );
+                                }
+                                #endif /* GNUTLS_VERSION_300 */
                                 fclose(fd);
                                 conf->cnf_sec_data.crl_file = $3;