2
0
mirror of https://github.com/xcat2/xcat-dep.git synced 2024-11-25 02:50:10 +00:00
xcat-dep/conserver/debian/patches/certificate-auth.patch

270 lines
8.9 KiB
Diff
Raw Normal View History

diff -ur conserver-8.1.16/conserver/main.c conserver-8.1.16-ssl/conserver/main.c
--- conserver-8.1.16/conserver/main.c 2007-04-02 13:59:16.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/main.c 2008-01-09 12:46:30.000000000 -0500
@@ -357,7 +357,7 @@
} else {
ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_SINGLE_DH_USE);
@@ -365,6 +365,9 @@
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx,config->sslauthority,"");
+ }
SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("SetupSSL(): setting SSL cipher list failed");
@@ -1190,6 +1193,12 @@
if ((optConf->secondaryport = StrDup(optarg)) == (char *)0)
OutOfMem();
break;
+ case 'A':
+#if HAVE_OPENSSL
+ if ((optConf->sslauthority = StrDup(optarg)) == (char*)0)
+ OutOfMem();
+#endif
+ break;
case 'c':
#if HAVE_OPENSSL
if ((optConf->sslcredentials =
@@ -1529,6 +1538,12 @@
else
config->sslrequired = defConfig.sslrequired;
+ if (optConf->sslauthority != (char *)0)
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0)
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = StrDup(defConfig.sslauthority);
if (optConf->sslcredentials != (char *)0)
config->sslcredentials = StrDup(optConf->sslcredentials);
else if (pConfig->sslcredentials != (char *)0)
diff -ur conserver-8.1.16/conserver/readcfg.c conserver-8.1.16-ssl/conserver/readcfg.c
--- conserver-8.1.16/conserver/readcfg.c 2007-04-02 13:59:16.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/readcfg.c 2008-01-09 12:41:08.000000000 -0500
@@ -4385,6 +4385,8 @@
#if HAVE_OPENSSL
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
#endif
free(c);
}
@@ -4474,6 +4476,12 @@
parserConfigTemp->secondaryport = (char *)0;
}
#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0) {
+ if (pConfig->sslauthority != (char *)0)
+ free(pConfig->sslauthority);
+ pConfig->sslauthority = parserConfigTemp->sslauthority;
+ parserConfigTemp->sslauthority = (char *)0;
+ }
if (parserConfigTemp->sslcredentials != (char *)0) {
if (pConfig->sslcredentials != (char *)0)
free(pConfig->sslcredentials);
@@ -4786,6 +4794,33 @@
void
#if PROTOTYPES
+ConfigItemSslauthority(char *id)
+#else
+ConfigItemSslauthority(id)
+ char *id;
+#endif
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ if (isMaster)
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
+
+void
+#if PROTOTYPES
ConfigItemSslcredentials(char *id)
#else
ConfigItemSslcredentials(id)
@@ -4962,6 +4997,7 @@
{"secondaryport", ConfigItemSecondaryport},
{"setproctitle", ConfigItemSetproctitle},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslrequired", ConfigItemSslrequired},
{"unifiedlog", ConfigItemUnifiedlog},
{(char *)0, (void *)0}
@@ -5250,6 +5286,27 @@
}
#endif
#if HAVE_OPENSSL
+ if (optConf->sslauthority == (char *)0) {
+ if (pConfig->sslauthority == (char *)0) {
+ if (config->sslauthority != (char *)0) {
+ free(config->sslauthority);
+ config->sslauthority = (char *)0;
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ } else {
+ if (config->sslauthority == (char *)0 ||
+ strcmp(pConfig->sslauthority,
+ config->sslauthority) != 0) {
+ if (config->sslauthority != (char *)0)
+ free(config->sslauthority);
+ if ((config->sslauthority =
+ StrDup(pConfig->sslauthority))
+ == (char *)0)
+ OutOfMem();
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ }
+ }
if (optConf->sslcredentials == (char *)0) {
if (pConfig->sslcredentials == (char *)0) {
if (config->sslcredentials != (char *)0) {
diff -ur conserver-8.1.16/conserver/readcfg.h conserver-8.1.16-ssl/conserver/readcfg.h
--- conserver-8.1.16/conserver/readcfg.h 2005-06-10 22:30:31.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/readcfg.h 2008-01-09 08:10:54.000000000 -0500
@@ -27,6 +27,7 @@
#endif
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
FLAG sslrequired;
#endif
} CONFIG;
diff -ur conserver-8.1.16/console/console.c conserver-8.1.16-ssl/console/console.c
--- conserver-8.1.16/console/console.c 2006-06-14 23:01:05.000000000 -0400
+++ conserver-8.1.16-ssl/console/console.c 2008-01-09 12:49:39.000000000 -0500
@@ -105,7 +105,7 @@
} else {
ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_SINGLE_DH_USE);
@@ -113,6 +113,9 @@
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx, config->sslauthority,"");
+ }
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("Setting SSL cipher list failed");
Bye(EX_UNAVAILABLE);
@@ -2204,6 +2207,14 @@
config->playback = 0;
#if HAVE_OPENSSL
+ if (optConf->sslauthority != (char *)0 &&
+ optConf->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0 &&
+ pConfig->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = (char *)0;
if (optConf->sslcredentials != (char *)0 &&
optConf->sslcredentials[0] != '\000')
config->sslcredentials = StrDup(optConf->sslcredentials);
diff -ur conserver-8.1.16/console/readconf.c conserver-8.1.16-ssl/console/readconf.c
--- conserver-8.1.16/console/readconf.c 2006-04-03 09:32:12.000000000 -0400
+++ conserver-8.1.16-ssl/console/readconf.c 2008-01-09 11:14:20.000000000 -0500
@@ -37,6 +37,8 @@
if (c->escape != (char *)0)
free(c->escape);
#if HAVE_OPENSSL
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
#endif
@@ -86,6 +88,13 @@
if (parserConfigDefault->playback != FLAGUNKNOWN)
c->playback = parserConfigDefault->playback;
#if HAVE_OPENSSL
+ if (parserConfigDefault->sslauthority != (char *)0) {
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
+ if ((c->sslauthority =
+ StrDup(parserConfigDefault->sslauthority)) == (char *)0)
+ OutOfMem();
+ }
if (parserConfigDefault->sslcredentials != (char *)0) {
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
@@ -480,6 +489,32 @@
void
#if PROTOTYPES
+ConfigItemSslauthority(char *id)
+#else
+ConfigItemSslauthority(id)
+ char *id;
+#endif
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
+
+void
+#if PROTOTYPES
ConfigItemSslcredentials(char *id)
#else
ConfigItemSslcredentials(id)
@@ -712,6 +747,7 @@
{"port", ConfigItemPort},
{"replay", ConfigItemReplay},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslrequired", ConfigItemSslrequired},
{"sslenabled", ConfigItemSslenabled},
{"striphigh", ConfigItemStriphigh},
diff -ur conserver-8.1.16/console/readconf.h conserver-8.1.16-ssl/console/readconf.h
--- conserver-8.1.16/console/readconf.h 2006-04-03 09:32:12.000000000 -0400
+++ conserver-8.1.16-ssl/console/readconf.h 2008-01-09 11:07:41.000000000 -0500
@@ -18,6 +18,7 @@
unsigned short playback;
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
FLAG sslrequired;
FLAG sslenabled;
#endif