diff --git a/platform/include/internal/ssl_trusted_cert_storage.h b/platform/include/internal/ssl_trusted_cert_storage.h
index 8e6f4f1..9bb2986 100644
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -6,9 +6,12 @@ enum ssl_X509_obj_type
 SSL_X509_OBJ_CERT,
 SSL_X509_OBJ_CRL
 };
-
+struct cert_store_param
+{
+ unsigned int check_crl;
+};
 struct ssl_trusted_cert_storage;
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir);
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param);
 void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage);
 int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason);
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 4319b96..62e271a 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -130,11 +130,12 @@ struct ssl_mgr
 char * ecdhcurve;
 char * crl_url;
+
+ struct cert_store_param cert_verify_param;
 uint8_t ssl_mode_release_buffers;
 char trusted_cert_file[TFE_PATH_MAX];
 char trusted_cert_dir[TFE_PATH_MAX];
- char crl_file[TFE_PATH_MAX];
 struct ssl_trusted_cert_storage * trust_CA_store;
 struct key_keeper * key_keeper;
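Review bot: The new `param` argument of `ssl_trusted_cert_storage_create` is declared as a non-const pointer although the implementation only copies it into the storage (`storage->param=*param` in the ssl_trusted_cert_storage.cpp hunk), so the prototype should read `const struct cert_store_param* param`; the same applies to the new `_X509_store_create` signature in that file. The header also says nothing about what `check_crl` means, that the struct is copied rather than retained, or whether NULL is accepted (the implementation dereferences it unconditionally). A comment on the field such as `/* non-zero: X509_V_FLAG_CRL_CHECK is set on the store; the struct is copied by ssl_trusted_cert_storage_create, caller keeps ownership, must not be NULL */` would cover all three.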
@@ -570,7 +571,9 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir), "./conf/trusted_storage");
- mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir);
+ MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 0);
+
+ mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir, &(mgr->cert_verify_param));
 if (mgr->trust_CA_store == NULL)
 {
 TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
diff --git a/platform/src/ssl_trusted_cert_storage.cpp b/platform/src/ssl_trusted_cert_storage.cpp
index 6537431..569803c 100644
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -26,6 +26,7 @@ static void free_ssl_x509_obj(void* data)
 }
 struct ssl_trusted_cert_storage
 {
+ struct cert_store_param param;
 char* pem_bundle, *pem_dir;
 MESA_htable_handle hash_table;
 pthread_rwlock_t rwlock;
@@ -92,7 +93,7 @@ struct ssl_trusted_cert_storage
 return 1;
 }
-static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir)
+static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir, struct cert_store_param* param)
 {
 int ret=0, n=0, i=0;
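Review bot: The new `check_cert_crl` key defaults to 0, so every existing configuration that does not set it will now run without the CRL check that the old `_X509_store_create` enabled unconditionally; this is a silent downgrade of revocation checking rather than an opt-out. If the previous behaviour is meant to stay the default, the line should be `MESA_load_profile_uint_def(ini_profile, section, "check_cert_crl", &(mgr->cert_verify_param.check_crl), 1);`, and either way the effective value is worth a log line next to the existing `TFE_LOG_ERROR` so operators can see whether revocation checking is active. The `crl_file` member removed from `struct ssl_mgr` in the first ssl_stream.cpp hunk is presumably loaded or referenced somewhere outside the visible hunks; that code would need the matching change. `ssl_manager_init` continues beyond this hunk.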
@@ -113,12 +114,15 @@ static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_di
 {
 return NULL;
 }
- X509_VERIFY_PARAM *param=NULL;
- param = X509_VERIFY_PARAM_new();
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
- X509_STORE_set1_param(store, param);
- X509_VERIFY_PARAM_free(param);
-
+
+ X509_VERIFY_PARAM *x509_param=NULL;
+ if(param->check_crl)
+ {
+ x509_param = X509_VERIFY_PARAM_new();
+ X509_VERIFY_PARAM_set_flags(x509_param, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_set1_param(store, x509_param);
+ X509_VERIFY_PARAM_free(x509_param);
+ }
 struct dirent **namelist = NULL;
 n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
 if(n < 0)
@@ -165,11 +169,13 @@ static MESA_htable_handle _create_mesa_htable(void)
 ret = MESA_htable_mature(htable);
 return htable;
 }
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir)
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle,
+ const char* pem_dir, struct cert_store_param* param)
 {
 int ret=0;
 struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
- storage->effective_store=_X509_store_create(pem_bundle, pem_dir);
+ storage->param=*param;
+ storage->effective_store=_X509_store_create(pem_bundle, pem_dir, &(storage->param));
 if (storage->effective_store == NULL)
 {
 return NULL;
@@ -242,7 +248,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
 ret=-1;
 goto error_out;
 }
- temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
+ temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
 MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
 X509_STORE_free(storage->effective_store);
 storage->effective_store=temp_store;
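Review bot: Inside the new `if(param->check_crl)` block the result of `X509_VERIFY_PARAM_new()` goes straight into `X509_VERIFY_PARAM_set_flags` and `X509_STORE_set1_param` with no NULL check, and the return value of `X509_STORE_set1_param` is discarded, so an allocation or set failure silently produces a store without the CRL check the operator explicitly enabled. Fail closed instead: after the `new` call add `if (x509_param == NULL) { X509_STORE_free(store); return NULL; }` and turn the set call into `if (!X509_STORE_set1_param(store, x509_param)) { X509_VERIFY_PARAM_free(x509_param); X509_STORE_free(store); return NULL; }`, aligned with whatever cleanup the earlier `return NULL` in this function performs (only its tail is visible here). It is also worth confirming that `X509_V_FLAG_CRL_CHECK`, which applies to the leaf certificate only, rather than `X509_V_FLAG_CRL_CHECK_ALL` for the whole chain, is the intended policy. `_X509_store_create` begins and ends outside this hunk.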
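Review bot: `storage->param=*param;` dereferences the new `param` argument without a NULL check, and the header does not forbid NULL, so any caller other than the one visible in ssl_stream.cpp (which passes `&(mgr->cert_verify_param)`) can crash the constructor. Add `if (param == NULL) { return NULL; }` before the `ALLOC` line, or explicitly treat NULL as `check_crl = 0` so the chosen default is visible in code. While touching this block it is worth noting that the context lines right below return NULL when `_X509_store_create` fails without freeing `storage`, and `ALLOC` itself is unchecked; the commit leaves both as they were. `ssl_trusted_cert_storage_create` continues past the end of the hunk.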
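Review bot: The rebuilt `temp_store` is never checked for NULL before `MESA_htable_iterate(..., temp_store)` hands it to the callback and it is installed as `storage->effective_store`, yet `_X509_store_create` returns NULL on failure (visible in the -113 hunk above), so a failed rebuild leaves the storage with a NULL effective store for every later verification to dereference. Add `if (temp_store == NULL) { ret=-1; goto error_out; }` directly after the `_X509_store_create` call, reusing the `error_out` path already taken two lines above. The `ssl_trusted_cert_storage_reset` hunk that follows has the same gap but returns void, so it needs its own handling (for example keeping the old `effective_store` in place). `ssl_trusted_cert_storage_del` starts and ends outside this hunk.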
@@ -259,7 +265,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
 MESA_htable_destroy(storage->hash_table, NULL);
 storage->hash_table=_create_mesa_htable();
- temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
+ temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir, &(storage->param));
 pthread_rwlock_wrlock(&(storage->rwlock));
 X509_STORE_free(storage->effective_store);