RPM: conserver
Patch: certificate-auth.patch
diff --git a/conserver/main.c b/conserver/main.c
index 282e7be..7005273 100644
--- a/conserver/main.c
+++ b/conserver/main.c
@@ -73,7 +73,7 @@ CONFIG defConfig =
, FLAGFALSE
#endif
#if HAVE_OPENSSL
- , (char *)0, FLAGTRUE, FLAGFALSE, (char *)0
+ , (char *)0, (char *)0, FLAGTRUE, FLAGFALSE, (char *)0
#endif
};
@@ -397,6 +397,9 @@ SetupSSL(void)
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx,config->sslauthority,"");
+ }
SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("SetupSSL(): setting SSL cipher list failed");
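Review bot: The return value of `SSL_CTX_load_verify_locations()` on the new line is discarded, so a missing or unreadable `sslauthority` file is never reported and the daemon starts with whatever trust store it had before; the console.c SetupSSL hunk (`SSL_CTX_load_verify_locations(ctx, config->sslauthority,"")`) has the same gap. Passing `""` as the CApath argument also looks wrong: OpenSSL's hash-dir lookup appears to reject an empty directory name (X509_R_INVALID_DIRECTORY), so the call would return 0 even when the file loaded, which is a second reason to pass `(char *)0` for the path. Suggested replacement for the three added lines: `if (config->sslauthority != (char *)0 && SSL_CTX_load_verify_locations(ctx, config->sslauthority, (char *)0) != 1) {` / `Error("SetupSSL(): loading CA certificates from '%s' failed", config->sslauthority);` followed by the same exit the cipher-list failure below takes. Both SetupSSL bodies continue outside their hunks.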
@@ -1303,6 +1306,12 @@ main(int argc, char **argv)
if ((optConf->secondaryport = StrDup(optarg)) == (char *)0)
OutOfMem();
break;
+ case 'A':
+#if HAVE_OPENSSL
+ if ((optConf->sslauthority = StrDup(optarg)) == (char*)0)
+ OutOfMem();
+#endif
+ break;
case 'c':
#if HAVE_OPENSSL
if ((optConf->sslcredentials =
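Review bot: `case 'A':` is unreachable unless the getopt option string used by conserver's main() also gains `A:`, and nothing in this patch touches that string or the usage text. If another patch in the package extends it this is fine, but it is worth confirming, since otherwise `-A` is reported as an invalid option and the config-file path is the only way to set `sslauthority`. main() starts and ends outside the hunk.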
@@ -1676,6 +1685,12 @@ main(int argc, char **argv)
else
config->sslreqclientcert = defConfig.sslreqclientcert;
+ if (optConf->sslauthority != (char *)0)
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0)
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = StrDup(defConfig.sslauthority);
if (optConf->sslcredentials != (char *)0)
config->sslcredentials = StrDup(optConf->sslcredentials);
else if (pConfig->sslcredentials != (char *)0)
diff --git a/conserver/readcfg.c b/conserver/readcfg.c
index 949b9bf..ebc2fc3 100644
--- a/conserver/readcfg.c
+++ b/conserver/readcfg.c
@@ -4375,6 +4375,12 @@ ConfigEnd(void)
parserConfigTemp->secondaryport = (char *)0;
}
#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0) {
+ if (pConfig->sslauthority != (char *)0)
+ free(pConfig->sslauthority);
+ pConfig->sslauthority = parserConfigTemp->sslauthority;
+ parserConfigTemp->sslauthority = (char *)0;
+ }
if (parserConfigTemp->sslcredentials != (char *)0) {
if (pConfig->sslcredentials != (char *)0)
free(pConfig->sslcredentials);
@@ -4617,6 +4623,28 @@ ConfigItemSecondaryport(char *id)
OutOfMem();
}
+void
+ConfigItemSslauthority(char *id)
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ if (isMaster)
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
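Review bot: ConfigItemSslauthority carries no comment explaining how `sslauthority` relates to the existing `sslcacertificatefile` option (already present in the keyConfig table and in readcfg.h), and the two names suggest overlapping purposes. A one-line comment above the function such as `/* sslauthority: PEM file of CA certificates used to verify peer certificates; kept separate from sslcacertificatefile because ... */` with the reason filled in would save the next reader from guessing. The console/readconf.c copy of this function would benefit from the same comment.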
+
void
ConfigItemSslcredentials(char *id)
{
@@ -4980,6 +5008,7 @@ ITEM keyConfig[] = {
{"secondaryport", ConfigItemSecondaryport},
{"setproctitle", ConfigItemSetproctitle},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslcacertificatefile", ConfigItemSslcacertificatefile},
{"sslrequired", ConfigItemSslrequired},
{"sslreqclientcert", ConfigItemSslreqclientcert},
@@ -5267,6 +5296,27 @@ ReReadCfg(int fd, int msfd)
}
#endif
#if HAVE_OPENSSL
+ if (optConf->sslauthority == (char *)0) {
+ if (pConfig->sslauthority == (char *)0) {
+ if (config->sslauthority != (char *)0) {
+ free(config->sslauthority);
+ config->sslauthority = (char *)0;
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ } else {
+ if (config->sslauthority == (char *)0 ||
+ strcmp(pConfig->sslauthority,
+ config->sslauthority) != 0) {
+ if (config->sslauthority != (char *)0)
+ free(config->sslauthority);
+ if ((config->sslauthority =
+ StrDup(pConfig->sslauthority))
+ == (char *)0)
+ OutOfMem();
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ }
+ }
if (optConf->sslcredentials == (char *)0) {
if (pConfig->sslcredentials == (char *)0) {
if (config->sslcredentials != (char *)0) {
diff --git a/conserver/readcfg.h b/conserver/readcfg.h
index c59ff25..d009d4f 100644
--- a/conserver/readcfg.h
+++ b/conserver/readcfg.h
@@ -27,6 +27,7 @@ typedef struct config {
#endif
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
FLAG sslrequired;
FLAG sslreqclientcert;
char *sslcacertificatefile;
diff --git a/console/console.c b/console/console.c
index e900c2e..f3a7bd6 100644
--- a/console/console.c
+++ b/console/console.c
@@ -124,7 +124,7 @@ SetupSSL(void)
ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0;
# endif
}
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_SINGLE_DH_USE);
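Review bot: `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` has no effect on the changed line: console.c is the client side of the connection, and OpenSSL documents that flag as ignored in client mode (a server certificate is always required by the protocol). Whether the server certificate is actually checked against `sslauthority` therefore still depends entirely on `SSLVerifyCallback` honouring the preverify result, which this patch does not show. Either drop the flag or add a comment stating where enforcement lives, e.g. `/* client mode: server cert is always required; rejection is decided in SSLVerifyCallback */`. SetupSSL continues outside the hunk.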
@@ -132,6 +132,9 @@ SetupSSL(void)
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx, config->sslauthority,"");
+ }
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("Setting SSL cipher list failed");
Bye(EX_UNAVAILABLE);
@@ -2269,6 +2272,14 @@ main(int argc, char **argv)
config->playback = 0;
#if HAVE_OPENSSL
+ if (optConf->sslauthority != (char *)0 &&
+ optConf->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0 &&
+ pConfig->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = (char *)0;
if (optConf->sslcredentials != (char *)0 &&
optConf->sslcredentials[0] != '\000')
config->sslcredentials = StrDup(optConf->sslcredentials);
diff --git a/console/readconf.c b/console/readconf.c
index 0c29549..52d1611 100644
--- a/console/readconf.c
+++ b/console/readconf.c
@@ -30,6 +30,8 @@ DestroyConfig(CONFIG *c)
if (c->escape != (char *)0)
free(c->escape);
#if HAVE_OPENSSL
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
if (c->sslcacertificatefile != (char *)0)
@@ -78,6 +80,13 @@ ApplyConfigDefault(CONFIG *c)
if (parserConfigDefault->playback != FLAGUNKNOWN)
c->playback = parserConfigDefault->playback;
#if HAVE_OPENSSL
+ if (parserConfigDefault->sslauthority != (char *)0) {
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
+ if ((c->sslauthority =
+ StrDup(parserConfigDefault->sslauthority)) == (char *)0)
+ OutOfMem();
+ }
if (parserConfigDefault->sslcredentials != (char *)0) {
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
@@ -411,6 +420,27 @@ ConfigItemReplay(char *id)
parserConfigTemp->replay = (unsigned short)atoi(id) + 1;
}
+void
+ConfigItemSslauthority(char *id)
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
+
void
ConfigItemSslcredentials(char *id)
{
@@ -628,6 +658,7 @@ ITEM keyConfig[] = {
{"port", ConfigItemPort},
{"replay", ConfigItemReplay},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslcacertificatefile", ConfigItemSslcacertificatefile},
{"sslcacertificatepath", ConfigItemSslcacertificatepath},
{"sslrequired", ConfigItemSslrequired},
diff --git a/console/readconf.h b/console/readconf.h
index 1e9d65d..e34f98a 100644
--- a/console/readconf.h
+++ b/console/readconf.h
@@ -16,6 +16,7 @@ typedef struct config {
unsigned short playback;
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
char *sslcacertificatefile;
char *sslcacertificatepath;
FLAG sslrequired;