* the code there knows what job it needs to push onto
* the unlang stack.
*/
- fr_tls_verify_client_cert_request(tls_session, true);
+ fr_tls_verify_cert_request(tls_session, true);
ASYNC_pause_job(); /* Jumps back to SSL_read() in session.c */
*/
if (unlang_request_is_cancelled(request)) {
tls_cache_load_state_reset(tls_cache); /* Clears any loaded session data */
- fr_tls_verify_client_cert_reset(tls_session);
+ fr_tls_verify_cert_reset(tls_session);
return NULL;
}
* If we couldn't validate the client certificate
* then validation overall fails.
*/
- if (!fr_tls_verify_client_cert_result(tls_session)) {
+ if (!fr_tls_verify_cert_result(tls_session)) {
RDEBUG2("Certificate re-validation failed, denying session resumption via session-id");
goto verify_error;
}
* the code there knows what job it needs to push onto
* the unlang stack.
*/
- fr_tls_verify_client_cert_request(tls_session, true);
+ fr_tls_verify_cert_request(tls_session, true);
ASYNC_pause_job(); /* Jumps back to SSL_read() in session.c */
* a known state.
*/
if (unlang_request_is_cancelled(request)) {
- fr_tls_verify_client_cert_reset(tls_session);
+ fr_tls_verify_cert_reset(tls_session);
return SSL_TICKET_RETURN_ABORT;
}
* give the client the opportunity to send a new
* one, but _don't_ allow session resumption.
*/
- if (!fr_tls_verify_client_cert_result(tls_session)) {
+ if (!fr_tls_verify_cert_result(tls_session)) {
RDEBUG2("Certificate re-validation failed, denying session resumption via session-ticket");
return SSL_TICKET_RETURN_IGNORE_RENEW;
}
* certificate chain.
*
* @note As a byproduct of validation, various OIDs will be extracted from the
- * certificates, and inserted into the session-state. list as fr_pair_t.
+ * certificates, and inserted into the session-state list as fr_pair_t.
*
* @param ok preverify ok. 1 if true, 0 if false.
* @param x509_ctx containing certs to verify.
}
done:
/*
- * This is a client cert, call our
- * virtual server here.
+ * If verification hasn't already failed
+ * and we're meant to verify this cert
+ * then call the virtual server.
*/
- if (depth == 0) {
+ if (my_ok && verify_applies(conf->verify.pair_mode, depth, untrusted)) {
if (conf->virtual_server && tls_session->verify_client_cert) {
RDEBUG2("Requesting certificate validation");
* the code there knows what job it needs to push onto
* the unlang stack.
*/
- fr_tls_verify_client_cert_request(tls_session, SSL_session_reused(tls_session->ssl));
+ fr_tls_verify_cert_request(tls_session, SSL_session_reused(tls_session->ssl));
ASYNC_pause_job(); /* Jumps back to SSL_read() in session.c */
*/
if (unlang_request_is_cancelled(request)) {
X509_STORE_CTX_set_error(x509_ctx, 0);
- fr_tls_verify_client_cert_reset(tls_session);
+ fr_tls_verify_cert_reset(tls_session);
return 1;
}
/*
- * If we couldn't validate the client certificate
+ * If we couldn't validate the certificate
* then validation overall fails.
*/
- if (!fr_tls_verify_client_cert_result(tls_session)) {
+ if (!fr_tls_verify_cert_result(tls_session)) {
REDEBUG("Certificate validation failed");
my_ok = 0;
X509_STORE_CTX_set_error(x509_ctx, X509_V_ERR_APPLICATION_VERIFICATION);
}
}
-
- tls_session->client_cert_ok = (my_ok > 0);
- RDEBUG2("[verify] = %s", my_ok ? "ok" : "invalid");
}
+ tls_session->client_cert_ok = (my_ok > 0);
+ RDEBUG2("[verify] = %s", my_ok ? "ok" : "invalid");
+
return my_ok;
}
DIAG_ON(used-but-marked-unused)
* - 1 if the chain could be validated.
* - 0 if the chain failed validation.
*/
-int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl)
+int fr_tls_verify_cert_chain(request_t *request, SSL *ssl)
{
int err;
int verify;
* - true if the certificate chain was validated.
* - false if the certificate chain failed validation.
*/
-bool fr_tls_verify_client_cert_result(fr_tls_session_t *tls_session)
+bool fr_tls_verify_cert_result(fr_tls_session_t *tls_session)
{
bool result;
/** Reset the verification state
*
*/
-void fr_tls_verify_client_cert_reset(fr_tls_session_t *tls_session)
+void fr_tls_verify_cert_reset(fr_tls_session_t *tls_session)
{
tls_session->validate.state = FR_TLS_VALIDATION_INIT;
tls_session->validate.resumed = false;
/** Setup a verification request
*
*/
-void fr_tls_verify_client_cert_request(fr_tls_session_t *tls_session, bool session_resumed)
+void fr_tls_verify_cert_request(fr_tls_session_t *tls_session, bool session_resumed)
{
fr_assert(tls_session->validate.state == FR_TLS_VALIDATION_INIT);
* - UNLANG_ACTION_CALCULATE_RESULT - No pending actions
* - UNLANG_ACTION_PUSHED_CHILD - Pending operations to evaluate.
*/
-unlang_action_t fr_tls_verify_client_cert_pending_push(request_t *request, fr_tls_session_t *tls_session)
+unlang_action_t fr_tls_verify_cert_pending_push(request_t *request, fr_tls_session_t *tls_session)
{
if (tls_session->validate.state == FR_TLS_VALIDATION_REQUESTED) {
return tls_verify_client_cert_push(request, tls_session);
int fr_tls_verify_cert_cb(int ok, X509_STORE_CTX *ctx);
-int fr_tls_verify_client_cert_chain(request_t *request, SSL *ssl);
+int fr_tls_verify_cert_chain(request_t *request, SSL *ssl);
-bool fr_tls_verify_client_cert_result(fr_tls_session_t *tls_session);
+bool fr_tls_verify_cert_result(fr_tls_session_t *tls_session);
-void fr_tls_verify_client_cert_reset(fr_tls_session_t *tls_session);
+void fr_tls_verify_cert_reset(fr_tls_session_t *tls_session);
-void fr_tls_verify_client_cert_request(fr_tls_session_t *tls_session, bool resumed);
+void fr_tls_verify_cert_request(fr_tls_session_t *tls_session, bool resumed);
-unlang_action_t fr_tls_verify_client_cert_pending_push(request_t *request, fr_tls_session_t *tls_session);
+unlang_action_t fr_tls_verify_cert_pending_push(request_t *request, fr_tls_session_t *tls_session);
#ifdef __cplusplus
}
projects / thirdparty / freeradius-server.git / commitdiff
