mirror of
https://gitlab.com/openconnect/ocserv.git
synced 2026-02-10 08:46:58 +08:00
simplified TLS file load and reload.
This commit is contained in:
Nikos Mavrogiannopoulos
@@ -525,6 +525,8 @@ int main(int argc, char** argv)
|
||||
unsigned active_clients = 0, set;
|
||||
main_server_st s;
|
||||
|
||||
memset(&s, 0, sizeof(s));
|
||||
|
||||
list_head_init(&clist.head);
|
||||
tun_st_init(&tun);
|
||||
tls_cache_init(&s.tls_db);
|
||||
|
||||
67
src/tlslib.c
67
src/tlslib.c
@@ -331,7 +331,6 @@ int fd, ret;
|
||||
void tls_global_init(main_server_st* s)
|
||||
{
|
||||
int ret;
|
||||
const char* perr;
|
||||
|
||||
gnutls_global_set_audit_log_function(tls_audit_log_func);
|
||||
if (s->config->tls_debug) {
|
||||
@@ -342,65 +341,7 @@ const char* perr;
|
||||
ret = gnutls_global_init();
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
ret = gnutls_certificate_allocate_credentials(&s->creds.xcred);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
ret = load_pins(s);
|
||||
if (ret < 0) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
gnutls_certificate_set_pin_function (s->creds.xcred, pin_callback, &s->creds);
|
||||
|
||||
if (s->config->key != NULL && strncmp(s->config->key, "pkcs11:", 7) != 0) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_key_file(s->creds.xcred, s->config->cert,
|
||||
s->config->key,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
mslog(s, NULL, LOG_ERR, "Error setting the certificate (%s) or key (%s) files: %s\n",
|
||||
s->config->cert, s->config->key, gnutls_strerror(ret));
|
||||
exit(1);
|
||||
}
|
||||
} else {
|
||||
#ifndef HAVE_PKCS11
|
||||
mslog(s, NULL, LOG_ERR, "Cannot load key, GnuTLS is compiled without pkcs11 support\n");
|
||||
exit(1);
|
||||
#endif
|
||||
}
|
||||
|
||||
if (s->config->cert_req != GNUTLS_CERT_IGNORE) {
|
||||
if (s->config->ca != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_trust_file(s->creds.xcred,
|
||||
s->config->ca,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
if (ret < 0) {
|
||||
mslog(s, NULL, LOG_ERR, "Error setting the CA (%s) file.\n",
|
||||
s->config->ca);
|
||||
exit(1);
|
||||
}
|
||||
|
||||
mslog(s, NULL, LOG_ERR, "Processed %d CA certificate(s).\n", ret);
|
||||
}
|
||||
|
||||
if (s->config->crl != NULL) {
|
||||
ret =
|
||||
gnutls_certificate_set_x509_crl_file(s->creds.xcred,
|
||||
s->config->crl,
|
||||
GNUTLS_X509_FMT_PEM);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
}
|
||||
|
||||
gnutls_certificate_set_verify_function(s->creds.xcred,
|
||||
verify_certificate_cb);
|
||||
}
|
||||
|
||||
ret = gnutls_priority_init(&s->creds.cprio, s->config->priorities, &perr);
|
||||
if (ret == GNUTLS_E_PARSING_ERROR)
|
||||
mslog(s, NULL, LOG_ERR, "Error in TLS priority string: %s\n", perr);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
tls_global_reinit(s);
|
||||
|
||||
return;
|
||||
}
|
||||
@@ -411,11 +352,17 @@ void tls_global_reinit(main_server_st* s)
|
||||
int ret;
|
||||
const char* perr;
|
||||
|
||||
if (s->creds.xcred != NULL)
|
||||
gnutls_certificate_free_credentials(s->creds.xcred);
|
||||
|
||||
ret = gnutls_certificate_allocate_credentials(&s->creds.xcred);
|
||||
GNUTLS_FATAL_ERR(ret);
|
||||
|
||||
ret = load_pins(s);
|
||||
if (ret < 0) {
|
||||
exit(1);
|
||||
}
|
||||
|
||||
gnutls_certificate_set_pin_function (s->creds.xcred, pin_callback, &s->creds);
|
||||
|
||||
if (s->config->key != NULL && strncmp(s->config->key, "pkcs11:", 7) != 0) {
|
||||
|
||||
Reference in New Issue
Block a user