
commit e475bd0c92059abef48c2bfa4643e93163986800
parent 9e12b2c6ddff30f3559e1fe613cacb7930416740
Author: Joris Vink <joris@coders.se>
Date:   Sat,  9 Jun 2018 12:50:50 +0200

Add configurable x509 chain validation depth.

You can now per domain configure the depth for x509 chain validation:
	client_verify_depth	1

By default this is 1.

While here change around some log messages and properly set
the callback for x509 verification rather than via hoops and loops.

Diffstat:
include/kore/kore.h | 1+
src/config.c | 23+++++++++++++++++++++++
src/domain.c | 14+++++---------
3 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/include/kore/kore.h b/include/kore/kore.h
@@ -351,6 +351,7 @@ struct kore_domain {
 char *certfile;
 char *certkey;
 SSL_CTX *ssl_ctx;
+ int x509_verify_depth;
 #endif
 TAILQ_HEAD(, kore_module_handle) handlers;
 TAILQ_ENTRY(kore_domain) list;
diff --git a/src/config.c b/src/config.c
@@ -70,6 +70,7 @@ static int configure_certkey(char *);
 static int configure_tls_version(char *);
 static int configure_tls_cipher(char *);
 static int configure_tls_dhparam(char *);
+static int configure_client_verify_depth(char *);
 static int configure_client_certificates(char *);
 #endif
 
@@ -143,6 +144,7 @@ static struct {
 { "certfile", configure_certfile },
 { "certkey", configure_certkey },
 { "client_certificates", configure_client_certificates },
+ { "client_verify_depth", configure_client_verify_depth },
 #endif
 #if !defined(KORE_NO_HTTP)
 { "static", configure_static_handler },
@@ -435,6 +437,27 @@ configure_tls_dhparam(char *path)
 }
 
 static int
+configure_client_verify_depth(char *value)
+{
+ int err, depth;
+
+ if (current_domain == NULL) {
+ printf("client_verify_depth not specified in domain context\n");
+ return (KORE_RESULT_ERROR);
+ }
+
+ depth = kore_strtonum(value, 10, 0, INT_MAX, &err);
+ if (err != KORE_RESULT_OK) {
+ printf("bad client_verify_depth value: %s\n", value);
+ return (KORE_RESULT_ERROR);
+ }
+
+ current_domain->x509_verify_depth = depth;
+
+ return (KORE_RESULT_OK);
+}
+
+static int
 configure_client_certificates(char *options)
 {
 char *argv[3];
diff --git a/src/domain.c b/src/domain.c
@@ -184,6 +184,7 @@ kore_domain_new(char *domain)
 dom->ssl_ctx = NULL;
 dom->certfile = NULL;
 dom->crlfile = NULL;
+ dom->x509_verify_depth = 1;
 #endif
 dom->domain = kore_strdup(domain);
 TAILQ_INIT(&(dom->handlers));
@@ -245,7 +246,6 @@ kore_domain_tlsinit(struct kore_domain *dom)
 EVP_PKEY *pkey;
 STACK_OF(X509_NAME) *certs;
 EC_KEY *eckey;
- X509_STORE *store;
 const SSL_METHOD *method;
 #if !defined(OPENSSL_NO_EC)
 EC_KEY *ecdh;
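Review bot: configure_client_verify_depth in src/config.c accepts any integer from 0 to INT_MAX but says nothing about what the number means, and the setting is only consumed by the SSL_CTX_set_verify_depth() call in kore_domain_tlsinit, which (judging by the closing brace that opens the src/domain.c hunk) sits inside a conditional block whose start is outside the hunk, presumably the one that is only entered when client certificates are configured. A value set on a domain without client_certificates would then be parsed and stored but silently never applied; a warning at apply time, or a sentence in the config documentation, would save operators from assuming it tightened anything. A short comment above the function would also pin the semantics: `/* Max chain length accepted for client certs; handed to SSL_CTX_set_verify_depth() in kore_domain_tlsinit. */`. The same note applies to the @@ -184 hunk in src/domain.c, where the default of 1 is set without a comment.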
@@ -370,15 +370,10 @@ kore_domain_tlsinit(struct kore_domain *dom)
 }
 
 SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
- SSL_CTX_set_verify_depth(dom->ssl_ctx, 1);
+ SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth);
 SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
 SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
- SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-
- if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL)
- fatal("SSL_CTX_get_cert_store(): %s", ssl_errno_s);
-
- X509_STORE_set_verify_cb(store, domain_x509_verify);
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, domain_x509_verify);
 }
 
 SSL_CTX_set_session_id_context(dom->ssl_ctx,
@@ -469,7 +464,8 @@ domain_load_crl(struct kore_domain *dom)
 return;
 
 if (dom->crlfile == NULL) {
- kore_log(LOG_WARNING, "WARNING: no CRL configured for '%s'",
+ dom->domain);
 return;
 }
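Review bot: Passing domain_x509_verify directly to SSL_CTX_set_verify() makes its return value decisive for every certificate in the chain: when the callback returns 1 after preverify_ok was 0, OpenSSL treats the failed check as accepted, so the callback (defined outside this hunk) must propagate preverify_ok == 0 rather than unconditionally succeed. That contract is not visible at the call site; a comment such as `/* domain_x509_verify must return 0 when preverify_ok is 0, or a rejected chain is accepted */` above the SSL_CTX_set_verify() call would make it explicit for future edits. On the context line above the depth change, the result of SSL_CTX_load_verify_locations() is still unchecked, so an unreadable or empty cafile no longer stops start-up the way the removed SSL_CTX_get_cert_store() failure did; `if (!SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL)) fatal("SSL_CTX_load_verify_locations(): %s", ssl_errno_s);` would keep that fail-fast behaviour. kore_domain_tlsinit begins and ends outside the hunk.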