static int tls_set_cert(int argc, char *argv[], SInfo *info)
{
static char read_cert[CERT_BUFFER_SIZE];
char *ptr_cert = NULL;
char *src = NULL;
if (cmd_parameter_val(argc, argv, "--cert_file", &src)) {
tr_debug("Root ca certificate read from file: %s", src);
ptr_cert = read_cert;
if (get_cert_from_file(src, &ptr_cert) == CMDLINE_RETCODE_FAIL) {
cmd_printf("Cannot read from url: %s\r\n", src);
return CMDLINE_RETCODE_INVALID_PARAMETERS;
}
} else if (cmd_parameter_index(argc, argv, "--cert_default") != -1) {
cmd_printf("Using default certificate\r\n");
ptr_cert = (char *)cert;
} else {
cmd_printf("No cert specified. Use set_root_ca_cert to set it.\r\n");
// Do not return error, allow the certificate not to be set.
return CMDLINE_RETCODE_SUCCESS;
}
int ret = info->tls_socket()->set_root_ca_cert(ptr_cert);
if (ret != NSAPI_ERROR_OK) {
cmd_printf("Invalid root certificate\r\n");
return CMDLINE_RETCODE_FAIL;
}
return CMDLINE_RETCODE_SUCCESS;
}
/** Returns status of certification: 0 for invalid, 1 for valid. */
static int valid_cert(X509 *cert, char *hostname)
{
int i;
char buf[4096];
X509_STORE *store = X509_STORE_new();
X509_STORE_CTX *ctx = X509_STORE_CTX_new();
for (i = 0; trusted_ca[i] != NULL; i++) {
X509 *cacert = get_cert_from_file(trusted_ca[i]);
if (cacert)
X509_STORE_add_cert(store, cacert);
}
X509_STORE_CTX_init(ctx, store, cert, sk_X509_new_null());
if (X509_verify_cert(ctx) == 0)
return 0;
X509_NAME_get_text_by_NID(X509_get_subject_name(cert), NID_commonName,
buf, sizeof(buf) - 1);
// anal-retentive: make sure the hostname isn't as long as the
// buffer, since we don't want to match only because of truncation
if (strlen(hostname) >= sizeof(buf) - 1)
return 0;
return (!strcmp(buf, hostname));
}
static Cfg *init_wapbox(Cfg *cfg)
{
CfgGroup *grp;
Octstr *s;
Octstr *logfile;
int lf, m;
long value;
lf = m = 1;
cfg_dump(cfg);
/*
* Extract info from the core group.
*/
grp = cfg_get_single_group(cfg, octstr_imm("core"));
if (grp == NULL)
panic(0, "No 'core' group in configuration.");
if (cfg_get_integer(&bearerbox_port,grp,octstr_imm("wapbox-port")) == -1)
panic(0, "No 'wapbox-port' in core group");
#ifdef HAVE_LIBSSL
cfg_get_bool(&bearerbox_ssl, grp, octstr_imm("wapbox-port-ssl"));
#endif /* HAVE_LIBSSL */
/* load parameters that could be later reloaded */
config_reload(0);
conn_config_ssl(grp);
/*
* And the rest of the pull info comes from the wapbox group.
*/
grp = cfg_get_single_group(cfg, octstr_imm("wapbox"));
if (grp == NULL)
panic(0, "No 'wapbox' group in configuration.");
bearerbox_host = cfg_get(grp, octstr_imm("bearerbox-host"));
if (cfg_get_integer(&timer_freq, grp, octstr_imm("timer-freq")) == -1)
timer_freq = DEFAULT_TIMER_FREQ;
logfile = cfg_get(grp, octstr_imm("log-file"));
if (logfile != NULL) {
log_open(octstr_get_cstr(logfile), logfilelevel, GW_NON_EXCL);
info(0, "Starting to log to file %s level %ld",
octstr_get_cstr(logfile), logfilelevel);
}
octstr_destroy(logfile);
if ((s = cfg_get(grp, octstr_imm("syslog-level"))) != NULL) {
long level;
Octstr *facility;
if ((facility = cfg_get(grp, octstr_imm("syslog-facility"))) != NULL) {
log_set_syslog_facility(octstr_get_cstr(facility));
octstr_destroy(facility);
}
if (octstr_compare(s, octstr_imm("none")) == 0) {
log_set_syslog(NULL, 0);
debug("wap", 0, "syslog parameter is none");
} else if (octstr_parse_long(&level, s, 0, 10) > 0) {
log_set_syslog("wapbox", level);
debug("wap", 0, "syslog parameter is %ld", level);
}
octstr_destroy(s);
} else {
log_set_syslog(NULL, 0);
debug("wap", 0, "no syslog parameter");
}
/* determine which timezone we use for access logging */
if ((s = cfg_get(grp, octstr_imm("access-log-time"))) != NULL) {
lf = (octstr_case_compare(s, octstr_imm("gmt")) == 0) ? 0 : 1;
octstr_destroy(s);
}
/* should predefined markers be used, ie. prefixing timestamp */
cfg_get_bool(&m, grp, octstr_imm("access-log-clean"));
/* open access-log file */
if ((s = cfg_get(grp, octstr_imm("access-log"))) != NULL) {
info(0, "Logging accesses to '%s'.", octstr_get_cstr(s));
alog_open(octstr_get_cstr(s), lf, m ? 0 : 1);
octstr_destroy(s);
}
if (cfg_get_integer(&value, grp, octstr_imm("http-timeout")) == 0)
http_set_client_timeout(value);
/* configure the 'wtls' group */
#if (HAVE_WTLS_OPENSSL)
/* Load up the necessary keys */
grp = cfg_get_single_group(cfg, octstr_imm("wtls"));
if (grp != NULL) {
if ((s = cfg_get(grp, octstr_imm("certificate-file"))) != NULL) {
if (octstr_compare(s, octstr_imm("none")) == 0) {
debug("bbox", 0, "certificate file not set");
} else {
/* Load the certificate into the necessary parameter */
get_cert_from_file(s, &x509_cert);
gw_assert(x509_cert != NULL);
debug("bbox", 0, "certificate parameter is %s",
octstr_get_cstr(s));
}
octstr_destroy(s);
} else
panic(0, "No 'certificate-file' in wtls group");
if ((s = cfg_get(grp, octstr_imm("privatekey-file"))) != NULL) {
Octstr *password;
password = cfg_get(grp, octstr_imm("privatekey-password"));
if (octstr_compare(s, octstr_imm("none")) == 0) {
debug("bbox", 0, "privatekey-file not set");
} else {
/* Load the private key into the necessary parameter */
get_privkey_from_file(s, &private_key, password);
gw_assert(private_key != NULL);
debug("bbox", 0, "certificate parameter is %s",
octstr_get_cstr(s));
}
if (password != NULL)
octstr_destroy(password);
octstr_destroy(s);
} else
panic(0, "No 'privatekey-file' in wtls group");
}
#endif
/*
* Check if we have a 'radius-acct' proxy group and start the
* corresponding thread for the proxy.
*/
grp = cfg_get_single_group(cfg, octstr_imm("radius-acct"));
if (grp) {
radius_acct_init(grp);
}
/*
* We pass ppg configuration groups to the ppg module.
*/
grp = cfg_get_single_group(cfg, octstr_imm("ppg"));
if (grp == NULL) {
cfg_destroy(cfg);
return NULL;
}
return cfg;
}
