author | Bartlomiej Grzelewski <b.grzelewski@samsung.com> | 2017-10-17 16:47:59 +0200 |
---|---|---|
committer | Tomasz Swierczek <t.swierczek@samsung.com> | 2017-12-20 05:55:03 +0000 |
commit | 11e039c51bb16e04ced894813a56946bff58c9ac (patch) | |
tree | 269af06e716e7a1cb63f54afe6d83ba9c1d793a6 | |
parent | b5096132b2b5aac5f654cb7a06e6bd5cb044e7dc (diff) | |
Support for http proxy during ocsp check
Change-Id: I4966c6dc08411491b419809be402ac8808027478
-rw-r--r-- | packaging/key-manager.spec | 1 | ||||
-rw-r--r-- | src/CMakeLists.txt | 1 | ||||
-rw-r--r-- | src/manager/service/ocsp.cpp | 73 |
3 files changed, 43 insertions, 32 deletions
diff --git a/packaging/key-manager.spec b/packaging/key-manager.spec
index b229120d..e037f122 100644
--- a/packaging/key-manager.spec
+++ b/packaging/key-manager.spec
@@ -29,6 +29,7 @@ BuildRequires: pkgconfig(cynara-creds-socket)
 BuildRequires: pkgconfig(libtzplatform-config)
 BuildRequires: pkgconfig(glib-2.0)
 BuildRequires: pkgconfig(pkgmgr)
+BuildRequires: pkgconfig(vconf)
 %if 0%{?watchdog_enabled}
 BuildRequires: pkgconfig(argos_watchdog)
 %endif
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a784d15b..d4dfddbb 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -19,6 +19,7 @@ PKG_CHECK_MODULES(KEY_MANAGER_DEP
 cynara-client-async
 cynara-creds-socket
 pkgmgr
+ vconf
 ${EXTRA_KM_DEPS}
 )
 FIND_PACKAGE(Threads REQUIRED)
diff --git a/src/manager/service/ocsp.cpp b/src/manager/service/ocsp.cpp
index 0b51bf5a..dcccf2ac 100644
--- a/src/manager/service/ocsp.cpp
+++ b/src/manager/service/ocsp.cpp
@@ -32,6 +32,7 @@
 #include <certificate-impl.h>
 #include <openssl_utils.h>
 #include <ckm/ckm-error.h>
+#include <vconf.h>
 
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD (5 * 60)
@@ -134,7 +135,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 OCSP_CERTID *certid = NULL;
 BIO *cbio = NULL;
 SSL_CTX *use_ssl_ctx = NULL;
- char *host = NULL, *port = NULL, *path = NULL;
+ std::string host, port, path;
 ASN1_GENERALIZEDTIME *rev = NULL;
 ASN1_GENERALIZEDTIME *thisupd = NULL;
 ASN1_GENERALIZEDTIME *nextupd = NULL;
@@ -151,16 +152,48 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 std::vector<char> url(constUrl.begin(), constUrl.end());
 url.push_back(0);
 
- if (!OCSP_parse_url(url.data(), &host, &port, &path, &use_ssl))
- /* report error */
- return CKM_API_OCSP_STATUS_INVALID_URL;
+ {
+ char *chost = NULL, *cport = NULL, *cpath = NULL;
+
+ if (!OCSP_parse_url(url.data(), &chost, &cport, &cpath, &use_ssl))
+ /* report error */
+ return CKM_API_OCSP_STATUS_INVALID_URL;
+
+ if (chost) host = chost;
+ if (cport) port = cport;
+ if (cpath) path = cpath;
+
+ OPENSSL_free(chost);
+ OPENSSL_free(cport);
+ OPENSSL_free(cpath);
+ }
 
 LogDebug("Host: " << host);
 LogDebug("Port: " << port);
 LogDebug("Path: " << path);
 LogDebug("Use_ssl: " << use_ssl);
 
- cbio = BIO_new_connect(host);
+ std::unique_ptr<char, decltype(free)*> proxy(vconf_get_str(VCONFKEY_NETWORK_PROXY), free);
+
+ if (proxy && strlen(proxy.get()) > 0) {
+ char *phost = NULL, *pport = NULL, *ppath = NULL;
+
+ LogDebug("Using proxy: " << proxy.get());
+
+ if (!OCSP_parse_url(proxy.get(), &phost, &pport, &ppath, &use_ssl)) {
+ return CKM_API_OCSP_STATUS_INVALID_URL;
+ }
+
+ path = url.data();
+ if (phost) host = phost;
+ if (pport) port = pport;
+
+ OPENSSL_free(phost);
+ OPENSSL_free(pport);
+ OPENSSL_free(ppath);
+ }
+
+ cbio = BIO_new_connect(host.c_str());
 
 if (cbio == NULL) {
 /*BIO_printf(bio_err, "Error creating connect BIO\n");*/
@@ -168,8 +201,8 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
 }
 
- if (port != NULL)
- BIO_set_conn_port(cbio, port);
+ if (!port.empty())
+ BIO_set_conn_port(cbio, port.c_str());
 
 if (use_ssl == 1) {
 BIO *sbio = NULL;
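Review bot: The proxy branch passes `&use_ssl` to the second `OCSP_parse_url` call, which overwrites the scheme parsed from the responder URL with the proxy's scheme: with an `http://` proxy an `https://` responder is then contacted over a plain BIO because the later `if (use_ssl == 1)` block no longer runs, and with an `https://` proxy the TLS layer is set up against the proxy rather than the responder. Since the request is sent as an absolute URI (`path = url.data()`) with no CONNECT tunnelling, an https responder cannot actually be reached through this branch, so the responder's scheme should be kept in its own variable and that combination rejected explicitly rather than silently downgraded. The `CKM_API_OCSP_STATUS_INVALID_URL` return in this branch also fires for a malformed proxy setting, which is misleading without a log line naming the proxy value. `ocsp_verify` starts and ends outside the hunk; the `-168,8` hunk on the same line is unaffected.
```cpp
	if (proxy && strlen(proxy.get()) > 0) {
		char *phost = NULL, *pport = NULL, *ppath = NULL;
		int proxy_ssl = 0;

		LogDebug("Using proxy: " << proxy.get());

		if (!OCSP_parse_url(proxy.get(), &phost, &pport, &ppath, &proxy_ssl)) {
			LogDebug("Malformed proxy setting: " << proxy.get());
			return CKM_API_OCSP_STATUS_INVALID_URL;
		}

		/* The request goes to the proxy as an absolute URI; there is no CONNECT
		 * tunnelling here, so an https responder cannot be reached this way. */
		if (use_ssl) {
			OPENSSL_free(phost);
			OPENSSL_free(pport);
			OPENSSL_free(ppath);
			return CKM_API_OCSP_STATUS_INTERNAL_ERROR; /* or a dedicated status, if one exists */
		}

		/* TLS, if any, is to the proxy itself; the responder scheme is no longer used. */
		use_ssl = proxy_ssl;
		/* … unchanged: path = url.data(), host/port take-over, OPENSSL_free … */
	}
```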
@@ -201,18 +234,6 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 ERR_print_errors(bioLogger.get());
 /* report error */
 
- /* free stuff */
- if (host != NULL)
- OPENSSL_free(host);
-
- if (port != NULL)
- OPENSSL_free(port);
-
- if (path != NULL)
- OPENSSL_free(path);
-
- host = port = path = NULL;
-
 if (use_ssl && use_ssl_ctx)
 SSL_CTX_free(use_ssl_ctx);
 
@@ -245,19 +266,7 @@ int OCSPModule::ocsp_verify(X509 *cert, X509 *issuer,
 return CKM_API_OCSP_STATUS_INTERNAL_ERROR;
 }
 
- resp = OCSP_sendreq_bio(cbio, path, req);
-
- /* free some stuff we no longer need */
- if (host != NULL)
- OPENSSL_free(host);
-
- if (port != NULL)
- OPENSSL_free(port);
-
- if (path != NULL)
- OPENSSL_free(path);
-
- host = port = path = NULL;
+ resp = OCSP_sendreq_bio(cbio, path.c_str(), req);
 
 if (use_ssl && use_ssl_ctx)
 SSL_CTX_free(use_ssl_ctx); |