diff --git a/conserver/main.c b/conserver/main.c index 282e7be..7005273 100644 --- a/conserver/main.c +++ b/conserver/main.c @@ -73,7 +73,7 @@ CONFIG defConfig = , FLAGFALSE #endif #if HAVE_OPENSSL - , (char *)0, FLAGTRUE, FLAGFALSE, (char *)0 + , (char *)0, (char *)0, FLAGTRUE, FLAGFALSE, (char *)0 #endif }; @@ -397,6 +397,9 @@ SetupSSL(void) SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); + if (config->sslauthority != (char *)0) { + SSL_CTX_load_verify_locations(ctx,config->sslauthority,""); + } SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback); if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) { Error("SetupSSL(): setting SSL cipher list failed"); @@ -1303,6 +1306,12 @@ main(int argc, char **argv) if ((optConf->secondaryport = StrDup(optarg)) == (char *)0) OutOfMem(); break; + case 'A': +#if HAVE_OPENSSL + if ((optConf->sslauthority = StrDup(optarg)) == (char*)0) + OutOfMem(); +#endif + break; case 'c': #if HAVE_OPENSSL if ((optConf->sslcredentials = @@ -1676,6 +1685,12 @@ main(int argc, char **argv) else config->sslreqclientcert = defConfig.sslreqclientcert; + if (optConf->sslauthority != (char *)0) + config->sslauthority = StrDup(optConf->sslauthority); + else if (pConfig->sslauthority != (char *)0) + config->sslauthority = StrDup(pConfig->sslauthority); + else + config->sslauthority = StrDup(defConfig.sslauthority); if (optConf->sslcredentials != (char *)0) config->sslcredentials = StrDup(optConf->sslcredentials); else if (pConfig->sslcredentials != (char *)0) diff --git a/conserver/readcfg.c b/conserver/readcfg.c index 949b9bf..ebc2fc3 100644 --- a/conserver/readcfg.c +++ b/conserver/readcfg.c 
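Review bot: The new `SSL_CTX_load_verify_locations(ctx,config->sslauthority,"")` call in conserver's SetupSSL discards its return value, so an unreadable or malformed CA file leaves the context without the intended trust anchors and the daemon carries on exactly as if sslauthority had never been set. The empty string for CApath is also suspect: OpenSSL's documented value for "no directory" is NULL, and as far as I can tell its hash_dir lookup rejects an empty directory name, so once the return is checked the call would report failure even when the file itself loaded. A failed load should abort the same way the cipher-list failure at the end of this hunk does; SetupSSL's body continues outside the hunk.
```c
    if (config->sslauthority != (char *)0 &&
        SSL_CTX_load_verify_locations(ctx, config->sslauthority,
                                      (char *)0) != 1) {
        Error("SetupSSL(): loading CA certificates from %s failed",
              config->sslauthority);
        /* … abort the same way the cipher-list failure below does … */
    }
    /* … unchanged: SSL_CTX_set_tmp_dh_callback, cipher list … */
```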
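Review bot: The new `case 'A':` only takes effect if the getopt(3) option string gained an `A:` entry and the usage text was extended, and neither change appears in this diff, so please confirm they are part of the same commit (main starts and ends outside this hunk). When HAVE_OPENSSL is not defined the option is also swallowed silently, whereas the `sslauthority` config keyword added in readcfg.c reports "encryption not compiled into code"; an `#else` branch with `Error("-A ignored - encryption not compiled into code");` would make the command-line and config-file paths behave the same.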
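Review bot: `config->sslauthority = StrDup(defConfig.sslauthority);` passes a null pointer, since the first hunk of this file initializes defConfig.sslauthority to (char *)0, so it is only safe if StrDup tolerates NULL; the sslcredentials branch right below appears to use the same pattern, so presumably it does, but StrDup itself is not visible here. `config->sslauthority = (char *)0;` makes the fallback explicit, avoids depending on that, and matches what console.c's main does for the same field in this diff. main's body continues outside the hunk.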
@@ -4375,6 +4375,12 @@ ConfigEnd(void) parserConfigTemp->secondaryport = (char *)0; } #if HAVE_OPENSSL + if (parserConfigTemp->sslauthority != (char *)0) { + if (pConfig->sslauthority != (char *)0) + free(pConfig->sslauthority); + pConfig->sslauthority = parserConfigTemp->sslauthority; + parserConfigTemp->sslauthority = (char *)0; + } if (parserConfigTemp->sslcredentials != (char *)0) { if (pConfig->sslcredentials != (char *)0) free(pConfig->sslcredentials); @@ -4617,6 +4623,28 @@ ConfigItemSecondaryport(char *id) OutOfMem(); } +void +ConfigItemSslauthority(char *id) +{ + CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line)); +#if HAVE_OPENSSL + if (parserConfigTemp->sslauthority != (char *)0) + free(parserConfigTemp->sslauthority); + + if ((id == (char *)0) || (*id == '\000')) { + parserConfigTemp->sslauthority = (char *)0; + return; + } + if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0) + OutOfMem(); +#else + if (isMaster) + Error + ("sslauthority ignored - encryption not compiled into code [%s:%d]", + file, line); +#endif +} + void ConfigItemSslcredentials(char *id) { @@ -4980,6 +5008,7 @@ ITEM keyConfig[] = { {"secondaryport", ConfigItemSecondaryport}, {"setproctitle", ConfigItemSetproctitle}, {"sslcredentials", ConfigItemSslcredentials}, + {"sslauthority", ConfigItemSslauthority}, {"sslcacertificatefile", ConfigItemSslcacertificatefile}, {"sslrequired", ConfigItemSslrequired}, {"sslreqclientcert", ConfigItemSslreqclientcert}, 
@@ -5267,6 +5296,27 @@ ReReadCfg(int fd, int msfd) } #endif #if HAVE_OPENSSL + if (optConf->sslauthority == (char *)0) { + if (pConfig->sslauthority == (char *)0) { + if (config->sslauthority != (char *)0) { + free(config->sslauthority); + config->sslauthority = (char *)0; + Msg("warning: `sslauthority' config option changed - you must restart for it to take effect"); + } + } else { + if (config->sslauthority == (char *)0 || + strcmp(pConfig->sslauthority, + config->sslauthority) != 0) { + if (config->sslauthority != (char *)0) + free(config->sslauthority); + if ((config->sslauthority = + StrDup(pConfig->sslauthority)) + == (char *)0) + OutOfMem(); + Msg("warning: `sslauthority' config option changed - you must restart for it to take effect"); + } + } + } if (optConf->sslcredentials == (char *)0) { if (pConfig->sslcredentials == (char *)0) { if (config->sslcredentials != (char *)0) { diff --git a/conserver/readcfg.h b/conserver/readcfg.h index c59ff25..d009d4f 100644 --- a/conserver/readcfg.h +++ b/conserver/readcfg.h @@ -27,6 +27,7 @@ typedef struct config { #endif #if HAVE_OPENSSL char *sslcredentials; + char *sslauthority; FLAG sslrequired; FLAG sslreqclientcert; char *sslcacertificatefile; diff --git a/console/console.c b/console/console.c index e900c2e..f3a7bd6 100644 --- a/console/console.c +++ b/console/console.c @@ -124,7 +124,7 @@ SetupSSL(void) ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0; # endif } - SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback); + SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback); SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_SINGLE_DH_USE); 
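Review bot: SSL_VERIFY_FAIL_IF_NO_PEER_CERT has no effect in this context: console.c builds the client-side SSL_CTX, and OpenSSL documents that flag as ignored in client mode. Whether an untrusted or absent server certificate actually aborts the handshake is decided by the return value of SSLVerifyCallback, which is not in this diff, and by the cipher list — the `ALL:aNULL:...` string a few lines above permits anonymous suites, in which no certificate is sent and SSL_VERIFY_PEER is not applied at all (which branch selects that string is not visible here). If the intent is "reject servers that do not present a certificate chaining to sslauthority", the enforcement belongs in the callback and in excluding aNULL from the cipher list when config->sslauthority is set; a comment such as `/* client mode: FAIL_IF_NO_PEER_CERT is ignored here; SSLVerifyCallback and the cipher list do the enforcing */` would keep the next reader from relying on the flag. SetupSSL continues past this hunk.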
@@ -132,6 +132,9 @@ SetupSSL(void) SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); + if (config->sslauthority != (char *)0) { + SSL_CTX_load_verify_locations(ctx, config->sslauthority,""); + } if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) { Error("Setting SSL cipher list failed"); Bye(EX_UNAVAILABLE); @@ -2269,6 +2272,14 @@ main(int argc, char **argv) config->playback = 0; #if HAVE_OPENSSL + if (optConf->sslauthority != (char *)0 && + optConf->sslauthority[0] != '\000') + config->sslauthority = StrDup(optConf->sslauthority); + else if (pConfig->sslauthority != (char *)0 && + pConfig->sslauthority[0] != '\000') + config->sslauthority = StrDup(pConfig->sslauthority); + else + config->sslauthority = (char *)0; if (optConf->sslcredentials != (char *)0 && optConf->sslcredentials[0] != '\000') config->sslcredentials = StrDup(optConf->sslcredentials); diff --git a/console/readconf.c b/console/readconf.c index 0c29549..52d1611 100644 --- a/console/readconf.c +++ b/console/readconf.c @@ -30,6 +30,8 @@ DestroyConfig(CONFIG *c) if (c->escape != (char *)0) free(c->escape); #if HAVE_OPENSSL + if (c->sslauthority != (char *)0) + free(c->sslauthority); if (c->sslcredentials != (char *)0) free(c->sslcredentials); if (c->sslcacertificatefile != (char *)0) @@ -78,6 +80,13 @@ ApplyConfigDefault(CONFIG *c) if (parserConfigDefault->playback != FLAGUNKNOWN) c->playback = parserConfigDefault->playback; #if HAVE_OPENSSL + if (parserConfigDefault->sslauthority != (char *)0) { + if (c->sslauthority != (char *)0) + free(c->sslauthority); + if ((c->sslauthority = + StrDup(parserConfigDefault->sslauthority)) == (char *)0) + OutOfMem(); + } if (parserConfigDefault->sslcredentials != (char *)0) { if (c->sslcredentials != (char *)0) free(c->sslcredentials); 
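Review bot: The client-side `SSL_CTX_load_verify_locations(ctx, config->sslauthority,"")` in SetupSSL ignores its return value, so a missing or unreadable CA file silently leaves the client with no trust anchor for the server it is about to talk to — the opposite of what a user who set sslauthority expects. Check it and fail the way the cipher-list error in this hunk does, passing NULL rather than "" for CApath since NULL is the documented value for "no directory": `if (SSL_CTX_load_verify_locations(ctx, config->sslauthority, (char *)0) != 1) {` / `Error("Loading CA certificates from %s failed", config->sslauthority);` / `Bye(EX_UNAVAILABLE);`. It is also not visible how this option interacts with the existing sslcacertificatefile and sslcacertificatepath keywords that console's keyConfig table already lists; if both are honoured, the precedence deserves a comment next to this call.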
@@ -411,6 +420,27 @@ ConfigItemReplay(char *id) parserConfigTemp->replay = (unsigned short)atoi(id) + 1; } +void +ConfigItemSslauthority(char *id) +{ + CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line)); +#if HAVE_OPENSSL + if (parserConfigTemp->sslauthority != (char *)0) + free(parserConfigTemp->sslauthority); + + if ((id == (char *)0) || (*id == '\000')) { + parserConfigTemp->sslauthority = (char *)0; + return; + } + if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0) + OutOfMem(); +#else + Error + ("sslauthority ignored - encryption not compiled into code [%s:%d]", + file, line); +#endif +} + void ConfigItemSslcredentials(char *id) { @@ -628,6 +658,7 @@ ITEM keyConfig[] = { {"port", ConfigItemPort}, {"replay", ConfigItemReplay}, {"sslcredentials", ConfigItemSslcredentials}, + {"sslauthority", ConfigItemSslauthority}, {"sslcacertificatefile", ConfigItemSslcacertificatefile}, {"sslcacertificatepath", ConfigItemSslcacertificatepath}, {"sslrequired", ConfigItemSslrequired}, diff --git a/console/readconf.h b/console/readconf.h index 1e9d65d..e34f98a 100644 --- a/console/readconf.h +++ b/console/readconf.h @@ -16,6 +16,7 @@ typedef struct config { unsigned short playback; #if HAVE_OPENSSL char *sslcredentials; + char *sslauthority; char *sslcacertificatefile; char *sslcacertificatepath; FLAG sslrequired;