Changeset 1155:d00b5914351e in freeDiameter for libfdcore
- Timestamp:
- May 28, 2013, 1:11:27 PM (11 years ago)
- Branch:
- default
- Phase:
- public
- Location:
- libfdcore
- Files:
-
- 3 edited
libfdcore/config.c
r1127 r1155 252 252 if (fddin == NULL) { 253 253 int ret = errno; 254 TRACE_ERROR("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s",254 LOG_F("Unable to open configuration file for reading; tried the following locations: %s%s%s; Error: %s", 255 255 orig ?: "", orig? " and " : "", fd_g_config->cnf_file, strerror(ret)); 256 256 return ret; … … 266 266 /* Check that TLS private key was given */ 267 267 if (! fd_g_config->cnf_sec_data.key_file) { 268 TRACE_ERROR( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive."); 269 return EINVAL; 268 /* If TLS is not enabled, we allow empty TLS configuration */ 269 if ((fd_g_config->cnf_port_tls == 0) && (fd_g_config->cnf_flags.tls_alg == 0)) { 270 LOG_N("TLS is disabled, this is *NOT* a recommended practice! Diameter protocol conveys highly sensitive information on your users."); 271 fd_g_config->cnf_sec_data.tls_disabled = 1; 272 } else { 273 LOG_F( "Missing private key configuration for TLS. Please provide the TLS_cred configuration directive."); 274 return EINVAL; 275 } 270 276 } 271 277 272 278 /* If the CA is not provided, let's use the same file (assuming self-signed certificate) */ 273 if ( ! fd_g_config->cnf_sec_data.ca_file) {279 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.ca_file)) { 274 280 CHECK_MALLOC( fd_g_config->cnf_sec_data.ca_file = strdup(fd_g_config->cnf_sec_data.cert_file) ); 275 281 CHECK_GNUTLS_DO( fd_g_config->cnf_sec_data.ca_file_nr += gnutls_certificate_set_x509_trust_file( … … 358 364 359 365 /* Configure TLS default parameters */ 360 if ( ! 
fd_g_config->cnf_sec_data.prio_string) {366 if ((!fd_g_config->cnf_sec_data.tls_disabled) && (!fd_g_config->cnf_sec_data.prio_string)) { 361 367 const char * err_pos = NULL; 362 368 CHECK_GNUTLS_DO( gnutls_priority_init( … … 368 374 369 375 /* Verify that our certificate is valid -- otherwise remote peers will reject it */ 370 {376 if (!fd_g_config->cnf_sec_data.tls_disabled) { 371 377 int ret = 0, i; 372 378 … … 535 541 } 536 542 free(certs); 537 } 538 543 544 #ifdef GNUTLS_VERSION_300 545 /* Use certificate verification during the handshake */ 546 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2); 547 #endif /* GNUTLS_VERSION_300 */ 548 549 } 539 550 540 551 /* gnutls_certificate_set_verify_limits -- so far the default values are fine... */ 541 552 542 #ifdef GNUTLS_VERSION_300543 /* Use certificate verification during the handshake */544 gnutls_certificate_set_verify_function (fd_g_config->cnf_sec_data.credentials, fd_tls_verify_credentials_2);545 #endif /* GNUTLS_VERSION_300 */546 547 553 /* DH */ 548 if (fd_g_config->cnf_sec_data.dh_file) { 549 gnutls_datum_t dhparams = { NULL, 0 }; 550 size_t alloc = 0; 551 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb"); 552 if (!stream) { 553 int err = errno; 554 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); 555 return err; 556 } 557 do { 558 uint8_t * realloced = NULL; 559 size_t read = 0; 560 561 if (alloc < dhparams.size + BUFSIZ + 1) { 562 alloc += alloc / 2 + BUFSIZ + 1; 563 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc), 564 { 565 free(dhparams.data); 566 return ENOMEM; 567 } ) 568 dhparams.data = realloced; 569 } 570 571 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream ); 572 dhparams.size += read; 573 574 if (ferror(stream)) { 554 if (!fd_g_config->cnf_sec_data.tls_disabled) { 555 if (fd_g_config->cnf_sec_data.dh_file) { 556 
gnutls_datum_t dhparams = { NULL, 0 }; 557 size_t alloc = 0; 558 FILE *stream = fopen (fd_g_config->cnf_sec_data.dh_file, "rb"); 559 if (!stream) { 575 560 int err = errno; 576 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err));561 TRACE_DEBUG(INFO, "An error occurred while opening '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); 577 562 return err; 578 563 } 579 } while (!feof(stream)); 580 dhparams.data[dhparams.size] = '\0'; 581 fclose(stream); 582 CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3( 583 fd_g_config->cnf_sec_data.dh_cache, 584 &dhparams, 585 GNUTLS_X509_FMT_PEM), 586 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 587 free(dhparams.data); 588 589 } else { 590 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 591 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 592 fd_g_config->cnf_sec_data.dh_cache, 593 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), 594 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 595 } 564 do { 565 uint8_t * realloced = NULL; 566 size_t read = 0; 567 568 if (alloc < dhparams.size + BUFSIZ + 1) { 569 alloc += alloc / 2 + BUFSIZ + 1; 570 CHECK_MALLOC_DO( realloced = realloc(dhparams.data, alloc), 571 { 572 free(dhparams.data); 573 return ENOMEM; 574 } ) 575 dhparams.data = realloced; 576 } 577 578 read = fread( dhparams.data + dhparams.size, 1, alloc - dhparams.size - 1, stream ); 579 dhparams.size += read; 580 581 if (ferror(stream)) { 582 int err = errno; 583 TRACE_DEBUG(INFO, "An error occurred while reading '%s': %s", fd_g_config->cnf_sec_data.dh_file, strerror(err)); 584 return err; 585 } 586 } while (!feof(stream)); 587 dhparams.data[dhparams.size] = '\0'; 588 fclose(stream); 589 
CHECK_GNUTLS_DO( gnutls_dh_params_import_pkcs3( 590 fd_g_config->cnf_sec_data.dh_cache, 591 &dhparams, 592 GNUTLS_X509_FMT_PEM), 593 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 594 free(dhparams.data); 595 596 } else { 597 LOG_D( "Generating fresh Diffie-Hellman parameters of size %d (this takes some time)... ", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); 598 CHECK_GNUTLS_DO( gnutls_dh_params_generate2( 599 fd_g_config->cnf_sec_data.dh_cache, 600 fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS), 601 { TRACE_ERROR("Error in DH bits value : %d", fd_g_config->cnf_sec_data.dh_bits ?: GNUTLS_DEFAULT_DHBITS); return EINVAL; } ); 602 } 603 604 } 596 605 597 606 return 0; -
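Review bot: The DH-file read loop that this change moves under the `tls_disabled` guard (new lines 564-594) still leaks `stream` and `dhparams.data` on its error exits: the `ferror(stream)` branch returns `err` without `fclose(stream)` or `free(dhparams.data)`, the `CHECK_MALLOC_DO` failure frees the buffer but never closes the stream, and the `gnutls_dh_params_import_pkcs3` failure handler returns `EINVAL` with the buffer still allocated. Since the block is being re-indented anyway, the cleanup could be folded in, e.g. the ferror branch becoming `int err = errno; fclose(stream); free(dhparams.data); return err;`, with the ENOMEM and EINVAL handlers likewise releasing the stream or buffer before returning. The new disable condition at lines 268-271 would also benefit from a comment stating its intent, e.g. `/* TLS may only be switched off when no TLS port is configured and no TLS algorithm was requested; otherwise a missing key is a hard configuration error */`. The enclosing function starts before this section and its closing brace lies after the visible `return 0;`.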
libfdcore/p_ce.c
r1127 r1155 596 596 if (!fd_cnx_getTLS(cnx)) { 597 597 isi_none = peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE; /* we add it even if the peer does not use the old mechanism, it is impossible to distinguish */ 598 isi_tls = peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD; 598 599 if (peer->p_hdr.info.config.pic_flags.sec & PI_SEC_TLS_OLD) { 600 if (fd_g_config->cnf_sec_data.tls_disabled) { 601 LOG_N("TLS disabled locally, so Inband-Security-Id (TLS) not included for peer %s", peer->p_hdr.info.pi_diamid); 602 } else { 603 isi_tls = 1; 604 } 605 } 599 606 } 600 607 … … 771 778 TRACE_DEBUG(INFO, "No TLS protection negotiated with peer '%s'.", peer->p_hdr.info.pi_diamid); 772 779 CHECK_FCT( fd_cnx_start_clear(peer->p_cnxctx, 1) ); 780 781 } else if (fd_g_config->cnf_sec_data.tls_disabled) { 782 LOG_E("Clear connection with remote peer '%s' is not (explicitly) allowed, and TLS is disabled. Giving up...", peer->p_hdr.info.pi_diamid); 783 fd_hook_call(HOOK_PEER_CONNECT_FAILED, NULL, peer, "TLS is disabled and peer is not configured for IPsec", NULL); 784 goto cleanup; 785 773 786 } else { 774 775 787 fd_psm_change_state(peer, STATE_OPEN_HANDSHAKE); 776 788 CHECK_FCT_DO( fd_cnx_handshake(peer->p_cnxctx, GNUTLS_CLIENT, peer->p_hdr.info.config.pic_priority, NULL), … … 900 912 /* We have allowed IPsec */ 901 913 isi = PI_SEC_NONE; 914 } else if (fd_g_config->cnf_sec_data.tls_disabled) { 915 /* We can agree on TLS */ 916 TRACE_DEBUG(INFO, "Remote peer is not allowed for IPsec and TLS is disabled.");; 902 917 } else if (peer->p_hdr.info.runtime.pir_isi & PI_SEC_TLS_OLD) { 903 918 /* We can agree on TLS */ -
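Review bot: The new `tls_disabled` branch in the ISI negotiation (new lines 914-916) carries a copy-pasted comment `/* We can agree on TLS */` that states the opposite of what the branch means, and the `TRACE_DEBUG` statement ends with a doubled `;;`. Suggest `/* Remote peer does not allow IPsec and TLS is disabled locally: no security mechanism can be agreed */` and a single semicolon. The branch leaves `isi` at whatever value it had before the chain, so the outcome depends on the code following the chain, which lies outside this section. For the equivalent client-side situation (new lines 781-785) the commit logs at `LOG_E` and reports `HOOK_PEER_CONNECT_FAILED`, whereas this server-side branch logs only at debug level; if that asymmetry is intended it deserves a comment, otherwise the two should be aligned.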
libfdcore/p_cnx.c
r1136 r1155 129 129 } 130 130 131 /* Check if we are able to communicate with this peer */ 132 if (fd_g_config->cnf_sec_data.tls_disabled && ( peer->p_hdr.info.config.pic_flags.sec != PI_SEC_NONE)) { 133 LOG_E("Peer '%s' not configured for No_TLS and TLS is locally disabled; giving up connection attempts", 134 peer->p_hdr.info.pi_diamid); 135 fd_psm_terminate( peer, NULL ); 136 return 0; 137 } 138 131 139 /* Cleanup any previous list */ 132 140 empty_connection_list(peer);
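Review bot: The new pre-connection check (new lines 131-137) refuses any peer whose `pic_flags.sec != PI_SEC_NONE`, while p_ce.c in the same changeset treats `sec` as a bitmask and tests `sec & PI_SEC_NONE` and `sec & PI_SEC_TLS_OLD` independently. If both bits can be set for one peer (the p_ce.c comment "we add it even if the peer does not use the old mechanism" suggests they can), such a peer is refused here even though a clear connection would be allowed for it; `if (fd_g_config->cnf_sec_data.tls_disabled && !(peer->p_hdr.info.config.pic_flags.sec & PI_SEC_NONE)) {` would match the other file's interpretation. The `return 0;` after `fd_psm_terminate` appears to report a deliberate stop as success; a short comment such as `/* The peer is terminated on purpose; not an error for the caller */` would make that explicit. The enclosing function starts before this section and continues after it.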