Add configurable x509 chain validation depth.

You can now per domain configure the depth for x509 chain validation: client_verify_depth 1 By default this is 1. While here change around some log messages and properly set the callback for x509 verification rather then via hoops and loops.
2018-06-09 12:50:50 +02:00 · 2018-06-09 12:50:50 +02:00 · e475bd0c92
parent 9e12b2c6dd
commit e475bd0c92
3 changed files with 29 additions and 9 deletions
--- a/include/kore/kore.h
+++ b/include/kore/kore.h
@ -351,6 +351,7 @@ struct kore_domain {
 	char					*certfile;
 	char					*certkey;
 	SSL_CTX					*ssl_ctx;
+	int					x509_verify_depth;
 #endif
 	TAILQ_HEAD(, kore_module_handle)	handlers;
 	TAILQ_ENTRY(kore_domain)		list;
--- a/src/config.c
+++ b/src/config.c
@ -70,6 +70,7 @@ static int		configure_certkey(char *);
 static int		configure_tls_version(char *);
 static int		configure_tls_cipher(char *);
 static int		configure_tls_dhparam(char *);
+static int		configure_client_verify_depth(char *);
 static int		configure_client_certificates(char *);
 #endif

@ -143,6 +144,7 @@ static struct {
 	{ "certfile",			configure_certfile },
 	{ "certkey",			configure_certkey },
 	{ "client_certificates",	configure_client_certificates },
+	{ "client_verify_depth",	configure_client_verify_depth },
 #endif
 #if !defined(KORE_NO_HTTP)
 	{ "static",			configure_static_handler },
@ -434,6 +436,27 @@ configure_tls_dhparam(char *path)
 	return (KORE_RESULT_OK);
 }

+static int
+configure_client_verify_depth(char *value)
+{
+	int	err, depth;
+
+	if (current_domain == NULL) {
+		printf("client_verify_depth not specified in domain context\n");
+		return (KORE_RESULT_ERROR);
+	}
+
+	depth = kore_strtonum(value, 10, 0, INT_MAX, &err);
+	if (err != KORE_RESULT_OK) {
+		printf("bad client_verify_depth value: %s\n", value);
+		return (KORE_RESULT_ERROR);
+	}
+
+	current_domain->x509_verify_depth = depth;
+
+	return (KORE_RESULT_OK);
+}
+
 static int
 configure_client_certificates(char *options)
 {
--- a/src/domain.c
+++ b/src/domain.c
@ -184,6 +184,7 @@ kore_domain_new(char *domain)
 	dom->ssl_ctx = NULL;
 	dom->certfile = NULL;
 	dom->crlfile = NULL;
+	dom->x509_verify_depth = 1;
 #endif
 	dom->domain = kore_strdup(domain);
 	TAILQ_INIT(&(dom->handlers));
@ -245,7 +246,6 @@ kore_domain_tlsinit(struct kore_domain *dom)
 	EVP_PKEY		*pkey;
 	STACK_OF(X509_NAME)	*certs;
 	EC_KEY			*eckey;
-	X509_STORE		*store;
 	const SSL_METHOD	*method;
 #if !defined(OPENSSL_NO_EC)
 	EC_KEY			*ecdh;
@ -370,15 +370,10 @@ kore_domain_tlsinit(struct kore_domain *dom)
 		}

 		SSL_CTX_load_verify_locations(dom->ssl_ctx, dom->cafile, NULL);
-		SSL_CTX_set_verify_depth(dom->ssl_ctx, 1);
+		SSL_CTX_set_verify_depth(dom->ssl_ctx, dom->x509_verify_depth);
 		SSL_CTX_set_client_CA_list(dom->ssl_ctx, certs);
 		SSL_CTX_set_verify(dom->ssl_ctx, SSL_VERIFY_PEER |
-		    SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
-
-		if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL)
-			fatal("SSL_CTX_get_cert_store(): %s", ssl_errno_s);
-
-		X509_STORE_set_verify_cb(store, domain_x509_verify);
+		    SSL_VERIFY_FAIL_IF_NO_PEER_CERT, domain_x509_verify);
 	}

 	SSL_CTX_set_session_id_context(dom->ssl_ctx,
@ -469,7 +464,8 @@ domain_load_crl(struct kore_domain *dom)
 		return;

 	if (dom->crlfile == NULL) {
-		kore_log(LOG_WARNING, "WARNING: Running without CRL");
+		kore_log(LOG_WARNING, "WARNING: no CRL configured for '%s'",
+		    dom->domain);
 		return;
 	}