mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-03-16 06:49:19 +08:00
Added ability to specify multiple certificate and key pairs.
This commit is contained in:
Nikos Mavrogiannopoulos
5
NEWS
5
NEWS
@@ -1,3 +1,8 @@
|
||||
* Version 0.0.3 (unreleased)
|
||||
|
||||
- Corrected issue with ocsp-response configuration field.
|
||||
- Added ability to specify multiple certificate and key pairs.
|
||||
|
||||
* Version 0.0.2 (released 2013-03-05)
|
||||
|
||||
- Updated HTTP protocol handling (fixes issue with openconnect < 4).
|
||||
|
||||
14
src/config.c
14
src/config.c
@@ -148,9 +148,9 @@ unsigned j;
|
||||
READ_NUMERIC("dpd", config->dpd, 0);
|
||||
READ_NUMERIC("rate-limit-ms", config->rate_limit_ms, 0);
|
||||
|
||||
READ_STRING("ocsp-response", config->cert, 0);
|
||||
READ_STRING("server-cert", config->cert, 1);
|
||||
READ_STRING("server-key", config->key, 1);
|
||||
READ_STRING("ocsp-response", config->ocsp_response, 0);
|
||||
READ_MULTI_LINE("server-cert", config->cert, config->cert_size, 1);
|
||||
READ_MULTI_LINE("server-key", config->key, config->key_size, 1);
|
||||
READ_STRING("dh-params", config->dh_params_file, 0);
|
||||
READ_STRING("pin-file", config->pin_file, 0);
|
||||
READ_STRING("srk-pin-file", config->srk_pin_file, 0);
|
||||
@@ -245,6 +245,10 @@ static void check_cfg( struct cfg_st *config)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (config->cert_size != config->key_size) {
|
||||
fprintf(stderr, "The specified number of keys doesn't match the certificates\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (config->auth_types & AUTH_TYPE_CERTIFICATE) {
|
||||
if (config->force_cert_auth)
|
||||
@@ -359,6 +363,10 @@ unsigned i;
|
||||
DEL(config->network.ipv6_dns);
|
||||
for (i=0;i<config->network.routes_size;i++)
|
||||
DEL(config->network.routes[i]);
|
||||
for (i=0;i<config->key_size;i++)
|
||||
DEL(config->key[i]);
|
||||
for (i=0;i<config->cert_size;i++)
|
||||
DEL(config->cert[i]);
|
||||
DEL(config->network.routes);
|
||||
memset(config, 0, sizeof(*config));
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.c)
|
||||
*
|
||||
* It has been AutoGen-ed March 7, 2013 at 09:19:14 AM by AutoGen 5.16
|
||||
* It has been AutoGen-ed March 7, 2013 at 09:51:47 AM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||
@@ -115,6 +115,9 @@ try-mtu-discovery = false
|
||||
# The key may be a file, or any URL supported by GnuTLS (e.g.,
|
||||
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
|
||||
# or pkcs11:object=my-vpn-key;object-type=private)
|
||||
#
|
||||
# There may be multiple certificate and key pairs and each key
|
||||
# should correspond to the preceding certificate.
|
||||
server-cert = /path/to/cert.pem
|
||||
server-key = /path/to/key.pem
|
||||
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
*
|
||||
* DO NOT EDIT THIS FILE (ocserv-args.h)
|
||||
*
|
||||
* It has been AutoGen-ed March 7, 2013 at 09:19:14 AM by AutoGen 5.16
|
||||
* It has been AutoGen-ed March 7, 2013 at 09:51:47 AM by AutoGen 5.16
|
||||
* From the definitions ocserv-args.def
|
||||
* and the template file options
|
||||
*
|
||||
|
||||
69
src/tlslib.c
69
src/tlslib.c
@@ -350,6 +350,8 @@ int ret;
|
||||
return;
|
||||
}
|
||||
|
||||
/* Checks, if there is a single certificate specified, whether it
|
||||
* is compatible with all ciphersuites */
|
||||
static void certificate_check(main_server_st *s)
|
||||
{
|
||||
gnutls_datum_t data;
|
||||
@@ -357,11 +359,14 @@ gnutls_x509_crt_t crt;
|
||||
int ret;
|
||||
unsigned usage;
|
||||
|
||||
if (s->config->cert_size > 1)
|
||||
return;
|
||||
|
||||
#if GNUTLS_VERSION_NUMBER > 0x030100
|
||||
if (gnutls_url_is_supported(s->config->cert) == 0) {
|
||||
if (gnutls_url_is_supported(s->config->cert[0]) == 0) {
|
||||
#endif
|
||||
/* no URL */
|
||||
ret = gnutls_load_file(s->config->cert, &data);
|
||||
ret = gnutls_load_file(s->config->cert[0], &data);
|
||||
if (ret < 0)
|
||||
return;
|
||||
|
||||
@@ -418,6 +423,7 @@ int ret;
|
||||
void tls_global_init_certs(main_server_st* s)
|
||||
{
|
||||
int ret;
|
||||
unsigned i;
|
||||
const char* perr;
|
||||
|
||||
if (s->config->tls_debug) {
|
||||
@@ -440,27 +446,29 @@ const char* perr;
|
||||
|
||||
gnutls_certificate_set_pin_function (s->creds.xcred, pin_callback, &s->creds);
|
||||
|
||||
if (s->config->key == NULL || s->config->cert == NULL) {
|
||||
if (s->config->key_size == 0 || s->config->cert_size == 0) {
|
||||
mslog(s, NULL, LOG_ERR, "no certificate or key files were specified.\n");
|
||||
exit(1);
|
||||
}
|
||||
|
||||
certificate_check(s);
|
||||
|
||||
if (strncmp(s->config->key, "pkcs11:", 7) != 0) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(s->creds.xcred, s->config->cert,
|
||||
s->config->key, GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
mslog(s, NULL, LOG_ERR, "error setting the certificate (%s) or key (%s) files: %s\n",
|
||||
s->config->cert, s->config->key, gnutls_strerror(ret));
|
||||
exit(1);
|
||||
}
|
||||
} else {
|
||||
for (i=0;i<s->config->key_size;i++) {
|
||||
if (strncmp(s->config->key[i], "pkcs11:", 7) != 0) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(s->creds.xcred, s->config->cert[i],
|
||||
s->config->key[i], GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
mslog(s, NULL, LOG_ERR, "error setting the certificate (%s) or key (%s) files: %s\n",
|
||||
s->config->cert[i], s->config->key[i], gnutls_strerror(ret));
|
||||
exit(1);
|
||||
}
|
||||
} else {
|
||||
#ifndef HAVE_PKCS11
|
||||
mslog(s, NULL, LOG_ERR, "cannot load key, GnuTLS is compiled without pkcs11 support\n");
|
||||
exit(1);
|
||||
mslog(s, NULL, LOG_ERR, "cannot load key, GnuTLS is compiled without pkcs11 support\n");
|
||||
exit(1);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
if (s->config->cert_req != GNUTLS_CERT_IGNORE) {
|
||||
@@ -512,26 +520,29 @@ int tls_global_init_client(worker_st* ws)
|
||||
{
|
||||
#ifdef HAVE_PKCS11
|
||||
int ret;
|
||||
unsigned i;
|
||||
|
||||
/* when we have PKCS #11 keys we cannot open them and then fork(), we need
|
||||
* to open them at the process they are going to be used. */
|
||||
if (strncmp(ws->config->key, "pkcs11:", 7) == 0) {
|
||||
ret = gnutls_pkcs11_reinit();
|
||||
if (ret < 0) {
|
||||
oclog(ws, LOG_ERR, "could not reinitialize PKCS #11 subsystem: %s\n",
|
||||
gnutls_strerror(ret));
|
||||
return -1;
|
||||
for (i=0;i<ws->config->key_size;i++) {
|
||||
if (strncmp(ws->config->key[i], "pkcs11:", 7) == 0) {
|
||||
ret = gnutls_pkcs11_reinit();
|
||||
if (ret < 0) {
|
||||
oclog(ws, LOG_ERR, "could not reinitialize PKCS #11 subsystem: %s\n",
|
||||
gnutls_strerror(ret));
|
||||
return -1;
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(ws->creds->xcred, ws->config->cert,
|
||||
ws->config->key,
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(ws->creds->xcred, ws->config->cert[i],
|
||||
ws->config->key[i],
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
oclog(ws, LOG_ERR, "error setting the certificate (%s) or key (%s) files: %s\n",
|
||||
ws->config->cert, ws->config->key, gnutls_strerror(ret));
|
||||
return -1;
|
||||
if (ret < 0) {
|
||||
oclog(ws, LOG_ERR, "error setting the certificate (%s) or key (%s) files: %s\n",
|
||||
ws->config->cert[i], ws->config->key[i], gnutls_strerror(ret));
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
Reference in New Issue
Block a user