odissey: validate tls modes

2017-03-31 13:27:05 +03:00 · 2017-03-31 13:27:05 +03:00 · 947678e0b7
parent 6cb7370553
commit 947678e0b7
2 changed files with 53 additions and 0 deletions
--- a/core/od_scheme.c
+++ b/core/od_scheme.c
@ -37,6 +37,7 @@ void od_schemeinit(od_scheme_t *scheme)
 	scheme->keepalive = 7200;
 	scheme->workers = 1;
 	scheme->client_max = 100;
+	scheme->tls_verify = OD_TDISABLE;
 	scheme->tls_mode = NULL;
 	scheme->tls_ca_file = NULL;
 	scheme->tls_key_file = NULL;
@ -207,6 +208,28 @@ int od_schemevalidate(od_scheme_t *scheme, od_log_t *log)
 	if (scheme->host == NULL)
 		scheme->host = "127.0.0.1";

+	/* tls */
+	if (scheme->tls_mode) {
+		if (strcmp(scheme->tls_mode, "disable") == 0) {
+			scheme->tls_verify = OD_TDISABLE;
+		} else
+		if (strcmp(scheme->tls_mode, "allow") == 0) {
+			scheme->tls_verify = OD_TALLOW;
+		} else
+		if (strcmp(scheme->tls_mode, "require") == 0) {
+			scheme->tls_verify = OD_TREQUIRE;
+		} else
+		if (strcmp(scheme->tls_mode, "verify_ca") == 0) {
+			scheme->tls_verify = OD_TVERIFY_CA;
+		} else
+		if (strcmp(scheme->tls_mode, "verify_full") == 0) {
+			scheme->tls_verify = OD_TVERIFY_FULL;
+		} else {
+			od_error(log, NULL, "unknown tls mode");
+			return -1;
+		}
+	}
+
 	/* servers */
 	if (od_listempty(&scheme->servers)) {
 		od_error(log, NULL, "no servers defined");
@ -221,6 +244,26 @@ int od_schemevalidate(od_scheme_t *scheme, od_log_t *log)
 			         server->name);
 			return -1;
 		}
+		if (server->tls_mode) {
+			if (strcmp(server->tls_mode, "disable") == 0) {
+				server->tls_verify = OD_TDISABLE;
+			} else
+			if (strcmp(server->tls_mode, "allow") == 0) {
+				server->tls_verify = OD_TALLOW;
+			} else
+			if (strcmp(server->tls_mode, "require") == 0) {
+				server->tls_verify = OD_TREQUIRE;
+			} else
+			if (strcmp(server->tls_mode, "verify_ca") == 0) {
+				server->tls_verify = OD_TVERIFY_CA;
+			} else
+			if (strcmp(server->tls_mode, "verify_full") == 0) {
+				server->tls_verify = OD_TVERIFY_FULL;
+			} else {
+				od_error(log, NULL, "unknown server tls mode");
+				return -1;
+			}
+		}
 	}

 	od_schemeroute_t *default_route = NULL;
--- a/core/od_scheme.h
+++ b/core/od_scheme.h
@ -30,11 +30,20 @@ typedef enum {
 	OD_AMD5
 } od_auth_t;

+typedef enum {
+	OD_TDISABLE,
+	OD_TALLOW,
+	OD_TREQUIRE,
+	OD_TVERIFY_CA,
+	OD_TVERIFY_FULL
+} od_tls_t;
+
 struct od_schemeserver_t {
 	int        id;
 	char      *name;
 	char      *host;
 	int        port;
+	od_tls_t   tls_verify;
 	char      *tls_mode;
 	char      *tls_ca_file;
 	char      *tls_key_file;
@ -97,6 +106,7 @@ struct od_scheme_t {
 	int               keepalive;
 	int               workers;
 	int               client_max;
+	od_tls_t          tls_verify;
 	char             *tls_mode;
 	char             *tls_ca_file;
 	char             *tls_key_file;