Lines 24-29
|
24 |
#include "tlscontext.h" |
24 |
#include "tlscontext.h" |
25 |
#include "misc.h" |
25 |
#include "misc.h" |
26 |
#include "messages.h" |
26 |
#include "messages.h" |
|
|
27 |
#include "compat/openssl_support.h" |
27 |
|
28 |
|
28 |
#include <arpa/inet.h> |
29 |
#include <arpa/inet.h> |
29 |
#include <openssl/x509_vfy.h> |
30 |
#include <openssl/x509_vfy.h> |
Lines 31-43
|
31 |
#include <openssl/err.h> |
32 |
#include <openssl/err.h> |
32 |
#include <openssl/rand.h> |
33 |
#include <openssl/rand.h> |
33 |
|
34 |
|
34 |
#ifndef SYSLOG_NG_HAVE_SSL_CTX_GET0_PARAM |
|
|
35 |
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx) |
36 |
{ |
37 |
return ctx->param; |
38 |
} |
39 |
#endif |
40 |
|
41 |
gboolean |
35 |
gboolean |
42 |
tls_get_x509_digest(X509 *x, GString *hash_string) |
36 |
tls_get_x509_digest(X509 *x, GString *hash_string) |
43 |
{ |
37 |
{ |
Lines 150-159
tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx)
|
150 |
return 0; |
144 |
return 0; |
151 |
} |
145 |
} |
152 |
|
146 |
|
153 |
if (ok && ctx_error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0) |
147 |
X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx); |
|
|
148 |
if (ok && ctx_error_depth != 0 && (X509_get_extension_flags(current_cert) & EXFLAG_CA) == 0) |
154 |
{ |
149 |
{ |
155 |
msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL); |
150 |
msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL); |
156 |
ctx->error = X509_V_ERR_INVALID_CA; |
151 |
X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA); |
157 |
return 0; |
152 |
return 0; |
158 |
} |
153 |
} |
159 |
|
154 |
|
Lines 161-177
tls_session_verify(TLSSession *self, int ok, X509_STORE_CTX *ctx)
|
161 |
if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx)) |
156 |
if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx)) |
162 |
{ |
157 |
{ |
163 |
msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL); |
158 |
msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL); |
164 |
ctx->error = X509_V_ERR_CERT_UNTRUSTED; |
159 |
X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED); |
165 |
return 0; |
160 |
return 0; |
166 |
} |
161 |
} |
167 |
/* if the crl_dir is set in the configuration file but the directory is empty ignore this error */ |
162 |
/* if the crl_dir is set in the configuration file but the directory is empty ignore this error */ |
168 |
if (!ok && ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL) |
163 |
if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) |
169 |
{ |
164 |
{ |
170 |
msg_notice("CRL directory is set but no CRLs found", NULL); |
165 |
msg_notice("CRL directory is set but no CRLs found", NULL); |
171 |
return 1; |
166 |
return 1; |
172 |
} |
167 |
} |
173 |
|
168 |
|
174 |
if (!ok && ctx->error == X509_V_ERR_INVALID_PURPOSE) |
169 |
if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_INVALID_PURPOSE) |
175 |
{ |
170 |
{ |
176 |
msg_warning("Certificate valid, but purpose is invalid", NULL); |
171 |
msg_warning("Certificate valid, but purpose is invalid", NULL); |
177 |
return 1; |
172 |
return 1; |
Lines 191-212
tls_session_verify_callback(int ok, X509_STORE_CTX *ctx)
|
191 |
*/ |
186 |
*/ |
192 |
if (X509_STORE_CTX_get_current_cert(ctx) == NULL) |
187 |
if (X509_STORE_CTX_get_current_cert(ctx) == NULL) |
193 |
{ |
188 |
{ |
194 |
switch (ctx->error) |
189 |
int ctx_error = X509_STORE_CTX_get_error(ctx); |
195 |
{ |
190 |
switch (ctx_error) |
196 |
case X509_V_ERR_NO_EXPLICIT_POLICY: |
191 |
{ |
197 |
/* NOTE: Because we set the CHECK_POLICY_FLAG if the |
192 |
case X509_V_ERR_NO_EXPLICIT_POLICY: |
198 |
certificate contains ExplicitPolicy constraint |
193 |
/* NOTE: Because we set the CHECK_POLICY_FLAG if the |
199 |
we would get this error. But this error is because |
194 |
certificate contains ExplicitPolicy constraint |
200 |
we do not set the policy what we want to check for. |
195 |
we would get this error. But this error is because |
201 |
*/ |
196 |
we do not set the policy what we want to check for. |
202 |
ok = 1; |
197 |
*/ |
203 |
break; |
198 |
ok = 1; |
204 |
default: |
199 |
break; |
205 |
msg_notice("Error occured during certificate validation", |
200 |
default: |
206 |
evt_tag_int("error", ctx->error), |
201 |
msg_notice("Error occured during certificate validation", |
207 |
NULL); |
202 |
evt_tag_int("error", X509_STORE_CTX_get_error(ctx)), |
208 |
break; |
203 |
NULL); |
209 |
} |
204 |
break; |
|
|
205 |
} |
210 |
} |
206 |
} |
211 |
else |
207 |
else |
212 |
{ |
208 |
{ |
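Review bot: In the Lines 161-177 hunk of tls_session_verify, the X509_V_ERR_UNABLE_TO_GET_CRL branch returns 1, so a certificate whose issuer has no CRL loaded is accepted with only a notice-level message; OpenSSL raises this error whenever no CRL matching the issuer is found in the store, not only when crl_dir is empty as the comment above the branch claims, so revocation checking fails open for every issuer whose CRL is missing. The commit merely ports `ctx->error` to `X509_STORE_CTX_get_error()` here, so this is pre-existing, but since the line is being touched it is worth either returning 0 (operators who do not want revocation checks can leave crl_dir unset) or, if fail-open is intended, documenting it and raising the severity, e.g. `/* NOTE: fail-open -- UNABLE_TO_GET_CRL fires whenever no CRL matching the issuer is loaded, not only when crl_dir is empty */` and `msg_warning("CRL directory is set but no CRL found for the certificate's issuer, accepting without revocation check", NULL);`. A smaller nit in the Lines 191-212 hunk of tls_session_verify_callback: the default branch re-reads `X509_STORE_CTX_get_error(ctx)` although the newly introduced `ctx_error` already holds that value, so `evt_tag_int("error", ctx_error)` would do and keeps the logged value identical to the one switched on. Both tls_session_verify and tls_session_verify_callback start before and continue after their respective hunks.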