Detect if "verify certificate" section exists when parsing config
authorNick Porter <nick@portercomputing.co.uk>
Tue, 10 Dec 2024 09:46:45 +0000 (09:46 +0000)
committerNick Porter <nick@portercomputing.co.uk>
Wed, 11 Dec 2024 13:40:26 +0000 (13:40 +0000)
src/lib/tls/conf-h
src/lib/tls/conf.c

index ff38fbd467db8d782367461e463398155ab26267..f9c4bd228648c8b720f0a9da52082fa6ec85bbfd 100644 (file)
@@ -177,6 +177,8 @@ struct fr_tls_conf_s {
 
        fr_tls_cache_conf_t     cache;                  //!< Session cache configuration.
        fr_tls_verify_conf_t    verify;
+
+       bool            verify_certificate;             //!< Does the "verify certificate" section exist.
 };
 
 fr_tls_conf_t  *fr_tls_conf_alloc(TALLOC_CTX *ctx);
index 8e13f73c06becd6247ac40679c3359e67570156d..d9f5366b61d42137e3409cd9bb19c4bc2021a45b 100644 (file)
@@ -45,6 +45,7 @@ USES_APPLE_DEPRECATED_API     /* OpenSSL API has been deprecated by Apple */
 #include "log.h"
 
 static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
+static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule);
 
 /** Certificate formats
  *
@@ -154,7 +155,7 @@ static conf_parser_t tls_verify_config[] = {
 };
 
 conf_parser_t fr_tls_server_config[] = {
-       { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, 0, fr_tls_conf_t, virtual_server), .func = virtual_server_cf_parse },
+       { FR_CONF_OFFSET_TYPE_FLAGS("virtual_server", FR_TYPE_VOID, 0, fr_tls_conf_t, virtual_server), .func = tls_virtual_server_cf_parse },
 
        { FR_CONF_OFFSET_SUBSECTION("chain", CONF_FLAG_MULTI, fr_tls_conf_t, chains, tls_chain_config),
          .subcs_size = sizeof(fr_tls_chain_conf_t), .subcs_type = "fr_tls_chain_conf_t", .name2 = CF_IDENT_ANY },
@@ -242,6 +243,21 @@ conf_parser_t fr_tls_client_config[] = {
        CONF_PARSER_TERMINATOR
 };
 
+static int tls_virtual_server_cf_parse(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
+{
+       fr_tls_conf_t   *conf = talloc_get_type_abort(parent, fr_tls_conf_t);
+
+       if (virtual_server_cf_parse(ctx, out, parent, ci, rule) < 0) return -1;
+
+       if (!conf->virtual_server) {
+               conf->verify_certificate = false;
+               return 0;
+       }
+
+       conf->verify_certificate = cf_section_find(conf->virtual_server, "verify", "certificate") ? true : false;
+       return 0;
+}
+
 static int tls_conf_parse_cache_mode(TALLOC_CTX *ctx, void *out, void *parent, CONF_ITEM *ci, conf_parser_t const *rule)
 {
        fr_tls_conf_t   *conf = talloc_get_type_abort((uint8_t *)parent - offsetof(fr_tls_conf_t, cache), fr_tls_conf_t);
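Review bot: The new tls_virtual_server_cf_parse at the top of this hunk has no Doxygen header, while the rest of the file documents its definitions in `/** ... */` blocks (the `Certificate formats` block in the earlier hunk), and its result is easy to misread: verify_certificate only records that a `verify certificate` section is present in the referenced virtual server, not that any certificate check is enforced, so anyone gating a verification decision on it needs that spelled out. Suggest a header comment stating that the function wraps virtual_server_cf_parse and then sets conf->verify_certificate to whether the resolved virtual server contains a `verify certificate` section, with false when no virtual server is configured. The ternary on the final assignment is redundant for a bool; `conf->verify_certificate = (cf_section_find(conf->virtual_server, "verify", "certificate") != NULL);` reads more directly. On the early failure return of virtual_server_cf_parse the flag is left untouched; that is fine only if the enclosing conf is zero-initialised elsewhere, which is not visible here and is worth confirming.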