cleaned up TLS code which was moved to tlslib
135
src/main.c
135
src/main.c
@@ -48,11 +48,6 @@ static unsigned int terminate = 0;
|
||||
static unsigned int need_maintainance = 0;
|
||||
static unsigned int need_children_cleanup = 0;
|
||||
|
||||
static void tls_log_func(int level, const char *str)
|
||||
{
|
||||
syslog(LOG_DEBUG, "TLS[<%d>]: %s", level, str);
|
||||
}
|
||||
|
||||
static
|
||||
int _listen_ports(struct cfg_st* config, struct addrinfo *res, struct listen_list_st *list)
|
||||
{
|
||||
@@ -301,65 +296,6 @@ static void handle_alarm(int signo)
|
||||
}
|
||||
|
||||
|
||||
static void tls_audit_log_func(gnutls_session_t session, const char *str)
|
||||
{
|
||||
worker_st * ws;
|
||||
|
||||
if (session == NULL)
|
||||
syslog(LOG_AUTH, "Warning: %s", str);
|
||||
else {
|
||||
ws = gnutls_session_get_ptr(session);
|
||||
|
||||
oclog(ws, LOG_ERR, "Warning: %s", str);
|
||||
}
|
||||
}
|
||||
|
||||
static int verify_certificate_cb(gnutls_session_t session)
|
||||
{
|
||||
unsigned int status;
|
||||
int ret;
|
||||
worker_st * ws;
|
||||
|
||||
ws = gnutls_session_get_ptr(session);
|
||||
if (ws == NULL) {
|
||||
syslog(LOG_ERR, "%s:%d: Could not obtain worker state.", __func__, __LINE__);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* This verification function uses the trusted CAs in the credentials
|
||||
* structure. So you must have installed one or more CA certificates.
|
||||
*/
|
||||
ret = gnutls_certificate_verify_peers2(session, &status);
|
||||
if (ret < 0) {
|
||||
oclog(ws, LOG_ERR, "Error verifying client certificate");
|
||||
return GNUTLS_E_CERTIFICATE_ERROR;
|
||||
}
|
||||
|
||||
if (status != 0) {
|
||||
#if GNUTLS_VERSION_NUMBER > 0x030106
|
||||
type = gnutls_certificate_type_get(session);
|
||||
|
||||
ret =
|
||||
gnutls_certificate_verification_status_print(status, type,
|
||||
&out, 0);
|
||||
if (ret < 0)
|
||||
return GNUTLS_E_CERTIFICATE_ERROR;
|
||||
|
||||
oclog(ws, LOG_INFO, "Client certificate verification failed: %s", out.data);
|
||||
|
||||
gnutls_free(out.data);
|
||||
#else
|
||||
oclog(ws, LOG_INFO, "Client certificate verification failed.");
|
||||
#endif
|
||||
|
||||
return GNUTLS_E_CERTIFICATE_ERROR;
|
||||
} else {
|
||||
oclog(ws, LOG_INFO, "Client certificate verification succeeded");
|
||||
}
|
||||
|
||||
/* notify gnutls to continue handshake normally */
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void drop_privileges(main_server_st* s)
|
||||
{
|
||||
@@ -521,13 +457,11 @@ fail:
|
||||
int main(int argc, char** argv)
|
||||
{
|
||||
int fd, pid, e;
|
||||
struct tls_st creds;
|
||||
struct listen_list_st llist;
|
||||
struct proc_list_st clist;
|
||||
struct listener_st *ltmp;
|
||||
struct proc_st *ctmp, *cpos;
|
||||
struct tun_st tun;
|
||||
const char* perr;
|
||||
fd_set rd;
|
||||
int val, n = 0, ret;
|
||||
struct timeval tv;
|
||||
@@ -579,59 +513,7 @@ int main(int argc, char** argv)
|
||||
}
|
||||
|
||||
/* Initialize GnuTLS */
|
||||
gnutls_global_set_audit_log_function(tls_audit_log_func);
|
||||
if (config.tls_debug) {
|
||||
gnutls_global_set_log_function(tls_log_func);
|
||||
gnutls_global_set_log_level(9);
|
||||
}
|
||||
|
||||
ret = gnutls_global_init();
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
ret = gnutls_certificate_allocate_credentials(&creds.xcred);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(creds.xcred, config.cert,
|
||||
config.key,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
fprintf(stderr, "Error setting the certificate (%s) or key (%s) files.\n",
|
||||
config.cert, config.key);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
if (config.cert_req != GNUTLS_CERT_IGNORE) {
|
||||
if (config.ca != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_trust_file(creds.xcred,
|
||||
config.ca,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
fprintf(stderr, "Error setting the CA (%s) file.\n",
|
||||
config.ca);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
printf("Processed %d CA certificate(s).\n", ret);
|
||||
}
|
||||
|
||||
if (config.crl != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_crl_file(creds.xcred,
|
||||
config.crl,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
}
|
||||
|
||||
gnutls_certificate_set_verify_function(creds.xcred,
|
||||
verify_certificate_cb);
|
||||
}
|
||||
|
||||
ret = gnutls_priority_init(&creds.cprio, config.priorities, &perr);
|
||||
if (ret == GNUTLS_E_PARSING_ERROR)
|
||||
fprintf(stderr, "Error in TLS priority string: %s\n", perr);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
tls_global_init(&s);
|
||||
|
||||
memset(&ws, 0, sizeof(ws));
|
||||
|
||||
@@ -717,22 +599,25 @@ int main(int argc, char** argv)
|
||||
|
||||
pid = fork();
|
||||
if (pid == 0) { /* child */
|
||||
|
||||
/* Drop privileges after this point */
|
||||
drop_privileges(&s);
|
||||
|
||||
/* close any open descriptors before
|
||||
* running the server
|
||||
*/
|
||||
close(cmd_fd[0]);
|
||||
clear_lists(&s);
|
||||
|
||||
|
||||
ws.config = &config;
|
||||
ws.cmd_fd = cmd_fd[1];
|
||||
ws.tun_fd = -1;
|
||||
ws.udp_fd = -1;
|
||||
ws.conn_fd = fd;
|
||||
ws.creds = &creds;
|
||||
ws.creds = &s.creds;
|
||||
|
||||
ret = tls_global_init_client(&ws);
|
||||
if (ret < 0)
|
||||
exit(1);
|
||||
|
||||
/* Drop privileges after this point */
|
||||
drop_privileges(&s);
|
||||
|
||||
vpn_server(&ws);
|
||||
exit(0);
|
||||
|
||||
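Review bot: The new failure path in the child, `if (ret < 0) exit(1);` after `ret = tls_global_init_client(&ws);`, leaves no trace of why the worker died; the parent only sees a child exit and nothing reaches syslog, which makes a misconfigured or failing TLS setup hard to diagnose in production. Suggest logging before exiting and bracing the body to match the surrounding style: `if (ret < 0) { syslog(LOG_ERR, "TLS client initialization failed"); exit(1); }`. Note also that `drop_privileges(&s)` has moved below `tls_global_init_client(&ws)`, so that helper now runs with the parent's privileges; if it only derives a per-session object from credentials already loaded by `tls_global_init(&s)` in the parent, it could run after the drop to shorten the privileged window, but whether it needs file access depends on tlslib, which this hunk does not show. The body of main() continues outside the hunk.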