diff options
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/tlsmbedtls/tls_mbedtls.c | 8 | ||||
-rw-r--r-- | src/plugins/tlsopenssl/tls_openssl.c | 65 | ||||
-rw-r--r-- | src/plugins/tlspicotls/tls_picotls.c | 8 |
3 files changed, 56 insertions, 25 deletions
diff --git a/src/plugins/tlsmbedtls/tls_mbedtls.c b/src/plugins/tlsmbedtls/tls_mbedtls.c index 3fccba2ec5a..8d6b7ac5498 100644 --- a/src/plugins/tlsmbedtls/tls_mbedtls.c +++ b/src/plugins/tlsmbedtls/tls_mbedtls.c @@ -558,6 +558,13 @@ mbedtls_app_close (tls_ctx_t * ctx) return 0; } +static int +mbedtls_reinit_ca_chain (void) +{ + /* Not supported Yet */ + return 0; +} + const static tls_engine_vft_t mbedtls_engine = { .ctx_alloc = mbedtls_ctx_alloc, .ctx_free = mbedtls_ctx_free, @@ -572,6 +579,7 @@ const static tls_engine_vft_t mbedtls_engine = { .ctx_stop_listen = mbedtls_stop_listen, .ctx_transport_close = mbedtls_transport_close, .ctx_app_close = mbedtls_app_close, + .ctx_reinit_cachain = mbedtls_reinit_ca_chain, }; int diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index 740ba059e77..75494aac6de 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -27,6 +27,7 @@ #include <ctype.h> #include <tlsopenssl/tls_openssl.h> #include <tlsopenssl/tls_bios.h> +#include <openssl/x509_vfy.h> #define MAX_CRYPTO_LEN 64 @@ -1022,25 +1023,6 @@ openssl_app_close (tls_ctx_t * ctx) return 0; } -const static tls_engine_vft_t openssl_engine = { - .ctx_alloc = openssl_ctx_alloc, - .ctx_alloc_w_thread = openssl_ctx_alloc_w_thread, - .ctx_free = openssl_ctx_free, - .ctx_attach = openssl_ctx_attach, - .ctx_detach = openssl_ctx_detach, - .ctx_get = openssl_ctx_get, - .ctx_get_w_thread = openssl_ctx_get_w_thread, - .ctx_init_server = openssl_ctx_init_server, - .ctx_init_client = openssl_ctx_init_client, - .ctx_write = openssl_ctx_write, - .ctx_read = openssl_ctx_read, - .ctx_handshake_is_over = openssl_handshake_is_over, - .ctx_start_listen = openssl_start_listen, - .ctx_stop_listen = openssl_stop_listen, - .ctx_transport_close = openssl_transport_close, - .ctx_app_close = openssl_app_close, -}; - int tls_init_ca_chain (void) { @@ -1090,6 +1072,39 @@ tls_init_ca_chain (void) } int +openssl_reinit_ca_chain (void) +{ + openssl_main_t *om = &openssl_main; + + /* Remove/free existing x509_store */ + if (om->cert_store) + { + X509_STORE_free (om->cert_store); + } + return tls_init_ca_chain (); +} + +const static tls_engine_vft_t openssl_engine = { + .ctx_alloc = openssl_ctx_alloc, + .ctx_alloc_w_thread = openssl_ctx_alloc_w_thread, + .ctx_free = openssl_ctx_free, + .ctx_attach = openssl_ctx_attach, + .ctx_detach = openssl_ctx_detach, + .ctx_get = openssl_ctx_get, + .ctx_get_w_thread = openssl_ctx_get_w_thread, + .ctx_init_server = openssl_ctx_init_server, + .ctx_init_client = openssl_ctx_init_client, + .ctx_write = openssl_ctx_write, + .ctx_read = openssl_ctx_read, + .ctx_handshake_is_over = openssl_handshake_is_over, + .ctx_start_listen = openssl_start_listen, + .ctx_stop_listen = openssl_stop_listen, + .ctx_transport_close = openssl_transport_close, + .ctx_app_close = openssl_app_close, + .ctx_reinit_cachain = openssl_reinit_ca_chain, +}; + +int tls_openssl_set_ciphers (char *ciphers) { openssl_main_t *om = &openssl_main; @@ -1124,12 +1139,6 @@ tls_openssl_init (vlib_main_t * vm) SSL_library_init (); SSL_load_error_strings (); - if (tls_init_ca_chain ()) - { - clib_warning ("failed to initialize TLS CA chain"); - return 0; - } - vec_validate (om->ctx_pool, num_threads - 1); vec_validate (om->rx_bufs, num_threads - 1); vec_validate (om->tx_bufs, num_threads - 1); @@ -1146,6 +1155,12 @@ tls_openssl_init (vlib_main_t * vm) tls_openssl_set_ciphers ("ALL:!ADH:!LOW:!EXP:!MD5:!RC4-SHA:!DES-CBC3-SHA:@STRENGTH"); + if (tls_init_ca_chain ()) + { + clib_warning ("failed to initialize TLS CA chain"); + return 0; + } + return error; } /* *INDENT-OFF* */ diff --git a/src/plugins/tlspicotls/tls_picotls.c b/src/plugins/tlspicotls/tls_picotls.c index 54a9d19fe65..afb48f1c72e 100644 --- a/src/plugins/tlspicotls/tls_picotls.c +++ b/src/plugins/tlspicotls/tls_picotls.c @@ -722,6 +722,13 @@ picotls_init_client_ptls_ctx (ptls_context_t **client_ptls_ctx) return 0; } +int +picotls_reinit_ca_chain (void) +{ + /* Not supported yet */ + return 0; +} + const static tls_engine_vft_t picotls_engine = { .ctx_alloc = picotls_ctx_alloc, .ctx_free = picotls_ctx_free, @@ -736,6 +743,7 @@ const static tls_engine_vft_t picotls_engine = { .ctx_write = picotls_ctx_write, .ctx_transport_close = picotls_transport_close, .ctx_app_close = picotls_app_close, + .ctx_reinit_cachain = picotls_reinit_ca_chain, }; static clib_error_t * |