void _load_trusted_certs(SSL_CTX *the_ctx) { netsnmp_container *trusted_certs = NULL; netsnmp_iterator *trusted_cert_iterator = NULL; char *fingerprint; trusted_certs = netsnmp_cert_get_trustlist(); trusted_cert_iterator = CONTAINER_ITERATOR(trusted_certs); if (trusted_cert_iterator) { for (fingerprint = (char *) ITERATOR_FIRST(trusted_cert_iterator); fingerprint; fingerprint = ITERATOR_NEXT(trusted_cert_iterator)) { if (!_trust_this_cert(the_ctx, fingerprint)) snmp_log(LOG_ERR, "failed to load trust cert: %s\n", fingerprint); } ITERATOR_RELEASE(trusted_cert_iterator); } }
SSL_CTX *sslctx_client_setup (const SSL_METHOD * method, _netsnmpTLSBaseData * tlsbase) { netsnmp_cert *id_cert, *peer_cert; SSL_CTX *the_ctx; /*********************************************************************** * Set up the client context */ the_ctx = SSL_CTX_new (NETSNMP_REMOVE_CONST (SSL_METHOD *, method)); if (!the_ctx) { snmp_log (LOG_ERR, "ack: %p\n", the_ctx); LOGANDDIE ("can't create a new context"); } SSL_CTX_set_read_ahead (the_ctx, 1); /* Required for DTLS */ SSL_CTX_set_verify (the_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE, &verify_callback); if (tlsbase->our_identity) { DEBUGMSGTL (("sslctx_client", "looking for local id: %s\n", tlsbase->our_identity)); id_cert = netsnmp_cert_find (NS_CERT_IDENTITY, NS_CERTKEY_MULTIPLE, tlsbase->our_identity); } else { DEBUGMSGTL (("sslctx_client", "looking for default local id: %s\n", tlsbase->our_identity)); id_cert = netsnmp_cert_find (NS_CERT_IDENTITY, NS_CERTKEY_DEFAULT, NULL); } if (!id_cert) LOGANDDIE ("error finding client identity keys"); if (!id_cert->key || !id_cert->key->okey) LOGANDDIE ("failed to load private key"); DEBUGMSGTL (("sslctx_client", "using public key: %s\n", id_cert->info.filename)); DEBUGMSGTL (("sslctx_client", "using private key: %s\n", id_cert->key->info.filename)); if (SSL_CTX_use_certificate (the_ctx, id_cert->ocert) <= 0) LOGANDDIE ("failed to set the certificate to use"); if (SSL_CTX_use_PrivateKey (the_ctx, id_cert->key->okey) <= 0) LOGANDDIE ("failed to set the private key to use"); if (!SSL_CTX_check_private_key (the_ctx)) LOGANDDIE ("public and private keys incompatible"); if (tlsbase->their_identity) peer_cert = netsnmp_cert_find (NS_CERT_REMOTE_PEER, NS_CERTKEY_MULTIPLE, tlsbase->their_identity); else peer_cert = netsnmp_cert_find (NS_CERT_REMOTE_PEER, NS_CERTKEY_DEFAULT, NULL); if (peer_cert) { DEBUGMSGTL (("sslctx_client", "server's expected public key: %s\n", peer_cert ? peer_cert->info.filename : "none")); /* Trust the expected certificate */ if (netsnmp_cert_trust_ca (the_ctx, peer_cert) != SNMPERR_SUCCESS) LOGANDDIE ("failed to set verify paths"); } /* trust a certificate (possibly a CA) aspecifically passed in */ if (tlsbase->trust_cert) { if (!_trust_this_cert (the_ctx, tlsbase->trust_cert)) return 0; } return _sslctx_common_setup (the_ctx, tlsbase); }