/* Procedure to set the link certificate */
/* */
/********************************************************/
-static int set_certificate(TLSTYP *tls)
+static int set_crypting(TLSTYP *tls)
{
-#define OPEP "unitls.c:set_certificate"
+#define OPEP "unitls.c:set_crypting"
+
+static const char *cenv[]={"CA_KEY","CA_CERT","CA_ROOT"};
-const char *certs[3];
int done;
+const char *certs[sizeof(cenv)/sizeof(char *)];
+const SSL_METHOD *(*tls_methode)();
int mode;
int phase;
_Bool proceed;
done=false;
+tls_methode=TLS_client_method;
+if (tls->server==true)
+ tls_methode=TLS_server_method;
+phase=0;
mode=SSL_VERIFY_NONE;
//mode=SSL_VERIFY_PEER; //to have both end check peer certificate
phase=0;
certs[0]=getenv("CA_KEY");
certs[1]=getenv("CA_CERT");
certs[2]=getenv("CA_ROOT");
+ for (int i=0;i<(sizeof(cenv)/sizeof(char *));i++) {
+ certs[i]=getenv(cenv[i]);
+ if (certs[i]==(char *)0) {
+ (void) rou_alert(0,"%s Missing <%s> environment variable (config?)",
+ OPEP,cenv[i]);
+ phase=999; //missing certificate info.
+ }
+ }
+ break;
+ case 1 : //pre-configure SSL
+ (void) SSL_library_init();
+ (void) SSL_load_error_strings();
+ (void) ERR_clear_error();
+ if ((tls->ctx=SSL_CTX_new(tls_methode()))==(SSL_CTX *)0) {
+ (void) showtlserror(tls,0,"Get CTX");
+ phase=999; //no need to go furter
+ }
break;
- case 1 : //first load certificate key
+ case 2 : //first load certificate key
if (SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)!=1) {
char msg[200];
phase=999;
}
break;
- case 2 : //load certificate + chain file
+ case 3 : //load certificate + chain file
if (SSL_CTX_use_certificate_chain_file(tls->ctx,certs[1])!=1) {
char msg[200];
phase=999; //no need to go furter
}
break;
- case 3 : //loading root certificate
+ case 4 : //loading root certificate
if (SSL_CTX_load_verify_locations(tls->ctx,certs[2],(const char *)0)!=1) {
char msg[200];
phase=999; //no need to go furter
}
break;
- case 4 : //verify management
+ case 5 : //verify management
if (((mode&SSL_VERIFY_PEER)!=0)||(tls->server==false))
tls->checkpeer=true;
(void) SSL_CTX_set_verify(tls->ctx,mode,(int(*)())0);
phase=999;
}
break;
- case 5 : //allowing partial write
+ case 6 : //allowing partial write
(void) SSL_CTX_set_mode(tls->ctx,SSL_MODE_ENABLE_PARTIAL_WRITE);
break;
- case 6 : //everything fine
+ case 7 : //everything fine
done=true;
break;
default : //SAFE Guard
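Review bot: The for loop added in case 0 fills `certs[i]` from `cenv[i]`, yet the three explicit `certs[n]=getenv("CA_...");` lines and a second `phase=0;` assignment appear to survive above it as context (the marker column is lost on this page, so this is inferred from what is shown); if they do, they are now dead and should be dropped so that `cenv` is the single place the variable names live. The loop counter `int i` is compared against a `size_t` expression, which trips `-Wsign-compare`; write it as `for (size_t i=0;i<sizeof(cenv)/sizeof(cenv[0]);i++) {`. `#define OPEP "unitls.c:set_crypting"` redefines an object-like macro that the same file later defines with a different body (`#define OPEP "unitls.c:tls_opentls"` is visible further down), which is a constraint violation unless each definition is preceded by an `#undef OPEP` that is not shown. The declarator `const SSL_METHOD *(*tls_methode)();` is an unprototyped pointer; `const SSL_METHOD *(*tls_methode)(void);` matches `TLS_client_method`/`TLS_server_method` and lets the compiler check the assignments. The `switch` these `case` labels belong to opens outside the shown lines, and set_crypting's `default` branch and return continue past the hunk.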
while (proceed==true) {
switch (phase) {
case 0 : //do we need to check peer
- if (tls->checkpeer==false)
+ if (tls->checkpeer==false) {
+ (void) rou_alert(1,"%s Peer [%s]; certificate not verified",
+ OPEP,tls->peerip);
phase=999; //No need to check certificate
+ }
break;
case 1 : //get remote certificate
if ((peer=SSL_get_peer_certificate(tls->ssl))==(X509 *)0) {
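Review bot: The new alert hands `tls->peerip` to a `%s` conversion; peerip is populated outside the shown lines (presumably by getnames()), and if it can be left null the call is undefined behaviour in any printf-style formatter, which matters here because this alert is now the only record that a peer was admitted without certificate verification. A cheap guard keeps the log line intact: `OPEP,tls->peerip!=(char *)0?tls->peerip:"?"`. The enclosing function starts and ends outside the hunk, and the OPEP definition it uses is not shown.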
#define OPEP "unitls.c:tls_opentls"
TLSTYP *tls;
-const SSL_METHOD *(*tls_methode)();
int phase;
_Bool proceed;
tls=(TLSTYP *)0;
-tls_methode=TLS_client_method;
-if (server==true)
- tls_methode=TLS_server_method;
phase=0;
proceed=true;
while (proceed==true) {
tls->handle=handle;
tls->server=server;
(void) getnames(tls);
- (void) SSL_library_init();
- (void) SSL_load_error_strings();
- (void) ERR_clear_error();
- if ((tls->ctx=SSL_CTX_new(tls_methode()))==(SSL_CTX *)0) {
- (void) showtlserror(tls,0,"Get CTX");
- phase=999; //no need to go furter
- }
break;
case 1 : //set certificate
- if (set_certificate(tls)==false)
- phase=999; //trouble, trouble no need to go furter
+ if (set_crypting(tls)==false) {
+ (void) rou_alert(1,"%s Unable to open a TLS channel",OPEP);
+ tls=freetls(tls);
+ phase=999;
+ }
break;
case 2 : //Setting the TLS channel
if ((tls->ssl=tls_setsocket(handle,tls->ctx))==(SSL *)0)
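Review bot: On the failure branch `tls=freetls(tls);` is followed by `phase=999;` and `break;`, so the `default` branch and whatever runs after the loop (both past the hunk) must tolerate `tls` being null (presumably what freetls() returns), and freetls() must cope with `tls->ctx` still being null when set_crypting bailed out before SSL_CTX_new() succeeded; neither is visible here, so please confirm. The result of set_crypting is compared with `false` although it is declared `static int`; since it returns the `_Bool done`, `static _Bool set_crypting(TLSTYP *tls)` makes that contract explicit and type-checked. tls_opentls continues past the hunk.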