2
0
mirror of https://github.com/xcat2/xcat-dep.git synced 2024-12-25 04:31:40 +00:00

A patch for conserver to enable client certificate authentication.

One final task need be done before I would think it good to submit upstream, 
and that is to specify to fail on lack of client certificates only when 
specified in an option file.  The rest should not change conserver behavior without administrator/user request.
This commit is contained in:
jbjohnso 2008-01-09 22:11:29 +00:00
parent d8c75741ea
commit dfd5def41f

View File

@ -0,0 +1,269 @@
diff -ur conserver-8.1.16/conserver/main.c conserver-8.1.16-ssl/conserver/main.c
--- conserver-8.1.16/conserver/main.c 2007-04-02 13:59:16.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/main.c 2008-01-09 12:46:30.000000000 -0500
@@ -357,7 +357,7 @@
} else {
ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_SINGLE_DH_USE);
@@ -365,6 +365,9 @@
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx,config->sslauthority,"");
+ }
SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("SetupSSL(): setting SSL cipher list failed");
@@ -1190,6 +1193,12 @@
if ((optConf->secondaryport = StrDup(optarg)) == (char *)0)
OutOfMem();
break;
+ case 'A':
+#if HAVE_OPENSSL
+ if ((optConf->sslauthority = StrDup(optarg)) == (char*)0)
+ OutOfMem();
+#endif
+ break;
case 'c':
#if HAVE_OPENSSL
if ((optConf->sslcredentials =
@@ -1529,6 +1538,12 @@
else
config->sslrequired = defConfig.sslrequired;
+ if (optConf->sslauthority != (char *)0)
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0)
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = StrDup(defConfig.sslauthority);
if (optConf->sslcredentials != (char *)0)
config->sslcredentials = StrDup(optConf->sslcredentials);
else if (pConfig->sslcredentials != (char *)0)
diff -ur conserver-8.1.16/conserver/readcfg.c conserver-8.1.16-ssl/conserver/readcfg.c
--- conserver-8.1.16/conserver/readcfg.c 2007-04-02 13:59:16.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/readcfg.c 2008-01-09 12:41:08.000000000 -0500
@@ -4385,6 +4385,8 @@
#if HAVE_OPENSSL
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
#endif
free(c);
}
@@ -4474,6 +4476,12 @@
parserConfigTemp->secondaryport = (char *)0;
}
#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0) {
+ if (pConfig->sslauthority != (char *)0)
+ free(pConfig->sslauthority);
+ pConfig->sslauthority = parserConfigTemp->sslauthority;
+ parserConfigTemp->sslauthority = (char *)0;
+ }
if (parserConfigTemp->sslcredentials != (char *)0) {
if (pConfig->sslcredentials != (char *)0)
free(pConfig->sslcredentials);
@@ -4786,6 +4794,33 @@
void
#if PROTOTYPES
+ConfigItemSslauthority(char *id)
+#else
+ConfigItemSslauthority(id)
+ char *id;
+#endif
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ if (isMaster)
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
+
+void
+#if PROTOTYPES
ConfigItemSslcredentials(char *id)
#else
ConfigItemSslcredentials(id)
@@ -4962,6 +4997,7 @@
{"secondaryport", ConfigItemSecondaryport},
{"setproctitle", ConfigItemSetproctitle},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslrequired", ConfigItemSslrequired},
{"unifiedlog", ConfigItemUnifiedlog},
{(char *)0, (void *)0}
@@ -5250,6 +5286,27 @@
}
#endif
#if HAVE_OPENSSL
+ if (optConf->sslauthority == (char *)0) {
+ if (pConfig->sslauthority == (char *)0) {
+ if (config->sslauthority != (char *)0) {
+ free(config->sslauthority);
+ config->sslauthority = (char *)0;
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ } else {
+ if (config->sslauthority == (char *)0 ||
+ strcmp(pConfig->sslauthority,
+ config->sslauthority) != 0) {
+ if (config->sslauthority != (char *)0)
+ free(config->sslauthority);
+ if ((config->sslauthority =
+ StrDup(pConfig->sslauthority))
+ == (char *)0)
+ OutOfMem();
+ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
+ }
+ }
+ }
if (optConf->sslcredentials == (char *)0) {
if (pConfig->sslcredentials == (char *)0) {
if (config->sslcredentials != (char *)0) {
diff -ur conserver-8.1.16/conserver/readcfg.h conserver-8.1.16-ssl/conserver/readcfg.h
--- conserver-8.1.16/conserver/readcfg.h 2005-06-10 22:30:31.000000000 -0400
+++ conserver-8.1.16-ssl/conserver/readcfg.h 2008-01-09 08:10:54.000000000 -0500
@@ -27,6 +27,7 @@
#endif
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
FLAG sslrequired;
#endif
} CONFIG;
diff -ur conserver-8.1.16/console/console.c conserver-8.1.16-ssl/console/console.c
--- conserver-8.1.16/console/console.c 2006-06-14 23:01:05.000000000 -0400
+++ conserver-8.1.16-ssl/console/console.c 2008-01-09 12:49:39.000000000 -0500
@@ -105,7 +105,7 @@
} else {
ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
}
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
SSL_CTX_set_options(ctx,
SSL_OP_ALL | SSL_OP_NO_SSLv2 |
SSL_OP_SINGLE_DH_USE);
@@ -113,6 +113,9 @@
SSL_MODE_ENABLE_PARTIAL_WRITE |
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
SSL_MODE_AUTO_RETRY);
+ if (config->sslauthority != (char *)0) {
+ SSL_CTX_load_verify_locations(ctx, config->sslauthority,"");
+ }
if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
Error("Setting SSL cipher list failed");
Bye(EX_UNAVAILABLE);
@@ -2204,6 +2207,14 @@
config->playback = 0;
#if HAVE_OPENSSL
+ if (optConf->sslauthority != (char *)0 &&
+ optConf->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(optConf->sslauthority);
+ else if (pConfig->sslauthority != (char *)0 &&
+ pConfig->sslauthority[0] != '\000')
+ config->sslauthority = StrDup(pConfig->sslauthority);
+ else
+ config->sslauthority = (char *)0;
if (optConf->sslcredentials != (char *)0 &&
optConf->sslcredentials[0] != '\000')
config->sslcredentials = StrDup(optConf->sslcredentials);
diff -ur conserver-8.1.16/console/readconf.c conserver-8.1.16-ssl/console/readconf.c
--- conserver-8.1.16/console/readconf.c 2006-04-03 09:32:12.000000000 -0400
+++ conserver-8.1.16-ssl/console/readconf.c 2008-01-09 11:14:20.000000000 -0500
@@ -37,6 +37,8 @@
if (c->escape != (char *)0)
free(c->escape);
#if HAVE_OPENSSL
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
#endif
@@ -86,6 +88,13 @@
if (parserConfigDefault->playback != FLAGUNKNOWN)
c->playback = parserConfigDefault->playback;
#if HAVE_OPENSSL
+ if (parserConfigDefault->sslauthority != (char *)0) {
+ if (c->sslauthority != (char *)0)
+ free(c->sslauthority);
+ if ((c->sslauthority =
+ StrDup(parserConfigDefault->sslauthority)) == (char *)0)
+ OutOfMem();
+ }
if (parserConfigDefault->sslcredentials != (char *)0) {
if (c->sslcredentials != (char *)0)
free(c->sslcredentials);
@@ -480,6 +489,32 @@
void
#if PROTOTYPES
+ConfigItemSslauthority(char *id)
+#else
+ConfigItemSslauthority(id)
+ char *id;
+#endif
+{
+ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
+#if HAVE_OPENSSL
+ if (parserConfigTemp->sslauthority != (char *)0)
+ free(parserConfigTemp->sslauthority);
+
+ if ((id == (char *)0) || (*id == '\000')) {
+ parserConfigTemp->sslauthority = (char *)0;
+ return;
+ }
+ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
+ OutOfMem();
+#else
+ Error
+ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
+ file, line);
+#endif
+}
+
+void
+#if PROTOTYPES
ConfigItemSslcredentials(char *id)
#else
ConfigItemSslcredentials(id)
@@ -712,6 +747,7 @@
{"port", ConfigItemPort},
{"replay", ConfigItemReplay},
{"sslcredentials", ConfigItemSslcredentials},
+ {"sslauthority", ConfigItemSslauthority},
{"sslrequired", ConfigItemSslrequired},
{"sslenabled", ConfigItemSslenabled},
{"striphigh", ConfigItemStriphigh},
diff -ur conserver-8.1.16/console/readconf.h conserver-8.1.16-ssl/console/readconf.h
--- conserver-8.1.16/console/readconf.h 2006-04-03 09:32:12.000000000 -0400
+++ conserver-8.1.16-ssl/console/readconf.h 2008-01-09 11:07:41.000000000 -0500
@@ -18,6 +18,7 @@
unsigned short playback;
#if HAVE_OPENSSL
char *sslcredentials;
+ char *sslauthority;
FLAG sslrequired;
FLAG sslenabled;
#endif