A patch for conserver to enable client certificate authentication.
One final task needs to be done before I would consider it ready to submit upstream: the failure on missing client certificates should only be enforced when it is specified in an option file. The rest should not change conserver behavior without an administrator/user request.
This commit is contained in:
parent
d8c75741ea
commit
dfd5def41f
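--- /dev/null
+++ b/conserver/certificate-auth.patch
@@ -0,0 +1,269 @@
+diff -ur conserver-8.1.16/conserver/main.c conserver-8.1.16-ssl/conserver/main.c
+--- conserver-8.1.16/conserver/main.c 2007-04-02 13:59:16.000000000 -0400
++++ conserver-8.1.16-ssl/conserver/main.c 2008-01-09 12:46:30.000000000 -0500
+@@ -357,7 +357,7 @@
+} else {
+ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
+}
+- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
+SSL_CTX_set_options(ctx,
+SSL_OP_ALL | SSL_OP_NO_SSLv2 |
+SSL_OP_SINGLE_DH_USE);
+@@ -365,6 +365,9 @@
+SSL_MODE_ENABLE_PARTIAL_WRITE |
+SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+SSL_MODE_AUTO_RETRY);
++ if (config->sslauthority != (char *)0) {
++ SSL_CTX_load_verify_locations(ctx,config->sslauthority,"");
++ }
+SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback);
+if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
+Error("SetupSSL(): setting SSL cipher list failed");
+@@ -1190,6 +1193,12 @@
+if ((optConf->secondaryport = StrDup(optarg)) == (char *)0)
+OutOfMem();
+break;
++ case 'A':
++#if HAVE_OPENSSL
++ if ((optConf->sslauthority = StrDup(optarg)) == (char*)0)
++ OutOfMem();
++#endif
++ break;
+case 'c':
+#if HAVE_OPENSSL
+if ((optConf->sslcredentials =
+@@ -1529,6 +1538,12 @@
+else
+config->sslrequired = defConfig.sslrequired;
+
++ if (optConf->sslauthority != (char *)0)
++ config->sslauthority = StrDup(optConf->sslauthority);
++ else if (pConfig->sslauthority != (char *)0)
++ config->sslauthority = StrDup(pConfig->sslauthority);
++ else
++ config->sslauthority = StrDup(defConfig.sslauthority);
+if (optConf->sslcredentials != (char *)0)
+config->sslcredentials = StrDup(optConf->sslcredentials);
+else if (pConfig->sslcredentials != (char *)0)
+diff -ur conserver-8.1.16/conserver/readcfg.c conserver-8.1.16-ssl/conserver/readcfg.c
+--- conserver-8.1.16/conserver/readcfg.c 2007-04-02 13:59:16.000000000 -0400
++++ conserver-8.1.16-ssl/conserver/readcfg.c 2008-01-09 12:41:08.000000000 -0500
+@@ -4385,6 +4385,8 @@
+#if HAVE_OPENSSL
+if (c->sslcredentials != (char *)0)
+free(c->sslcredentials);
++ if (c->sslauthority != (char *)0)
++ free(c->sslauthority);
+#endif
+free(c);
+}
+@@ -4474,6 +4476,12 @@
+parserConfigTemp->secondaryport = (char *)0;
+}
+#if HAVE_OPENSSL
++ if (parserConfigTemp->sslauthority != (char *)0) {
++ if (pConfig->sslauthority != (char *)0)
++ free(pConfig->sslauthority);
++ pConfig->sslauthority = parserConfigTemp->sslauthority;
++ parserConfigTemp->sslauthority = (char *)0;
++ }
+if (parserConfigTemp->sslcredentials != (char *)0) {
+if (pConfig->sslcredentials != (char *)0)
+free(pConfig->sslcredentials);
+@@ -4786,6 +4794,33 @@
+
+void
+#if PROTOTYPES
++ConfigItemSslauthority(char *id)
++#else
++ConfigItemSslauthority(id)
++ char *id;
++#endif
++{
++ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
++#if HAVE_OPENSSL
++ if (parserConfigTemp->sslauthority != (char *)0)
++ free(parserConfigTemp->sslauthority);
++
++ if ((id == (char *)0) || (*id == '\000')) {
++ parserConfigTemp->sslauthority = (char *)0;
++ return;
++ }
++ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
++ OutOfMem();
++#else
++ if (isMaster)
++ Error
++ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
++ file, line);
++#endif
++}
++
++void
++#if PROTOTYPES
+ConfigItemSslcredentials(char *id)
+#else
+ConfigItemSslcredentials(id)
+@@ -4962,6 +4997,7 @@
+{"secondaryport", ConfigItemSecondaryport},
+{"setproctitle", ConfigItemSetproctitle},
+{"sslcredentials", ConfigItemSslcredentials},
++ {"sslauthority", ConfigItemSslauthority},
+{"sslrequired", ConfigItemSslrequired},
+{"unifiedlog", ConfigItemUnifiedlog},
+{(char *)0, (void *)0}
+@@ -5250,6 +5286,27 @@
+}
+#endif
+#if HAVE_OPENSSL
++ if (optConf->sslauthority == (char *)0) {
++ if (pConfig->sslauthority == (char *)0) {
++ if (config->sslauthority != (char *)0) {
++ free(config->sslauthority);
++ config->sslauthority = (char *)0;
++ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
++ }
++ } else {
++ if (config->sslauthority == (char *)0 ||
++ strcmp(pConfig->sslauthority,
++ config->sslauthority) != 0) {
++ if (config->sslauthority != (char *)0)
++ free(config->sslauthority);
++ if ((config->sslauthority =
++ StrDup(pConfig->sslauthority))
++ == (char *)0)
++ OutOfMem();
++ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect");
++ }
++ }
++ }
+if (optConf->sslcredentials == (char *)0) {
+if (pConfig->sslcredentials == (char *)0) {
+if (config->sslcredentials != (char *)0) {
+diff -ur conserver-8.1.16/conserver/readcfg.h conserver-8.1.16-ssl/conserver/readcfg.h
+--- conserver-8.1.16/conserver/readcfg.h 2005-06-10 22:30:31.000000000 -0400
++++ conserver-8.1.16-ssl/conserver/readcfg.h 2008-01-09 08:10:54.000000000 -0500
+@@ -27,6 +27,7 @@
+#endif
+#if HAVE_OPENSSL
+char *sslcredentials;
++ char *sslauthority;
+FLAG sslrequired;
+#endif
+} CONFIG;
+diff -ur conserver-8.1.16/console/console.c conserver-8.1.16-ssl/console/console.c
+--- conserver-8.1.16/console/console.c 2006-06-14 23:01:05.000000000 -0400
++++ conserver-8.1.16-ssl/console/console.c 2008-01-09 12:49:39.000000000 -0500
+@@ -105,7 +105,7 @@
+} else {
+ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
+}
+- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);
++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback);
+SSL_CTX_set_options(ctx,
+SSL_OP_ALL | SSL_OP_NO_SSLv2 |
+SSL_OP_SINGLE_DH_USE);
+@@ -113,6 +113,9 @@
+SSL_MODE_ENABLE_PARTIAL_WRITE |
+SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER |
+SSL_MODE_AUTO_RETRY);
++ if (config->sslauthority != (char *)0) {
++ SSL_CTX_load_verify_locations(ctx, config->sslauthority,"");
++ }
+if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) {
+Error("Setting SSL cipher list failed");
+Bye(EX_UNAVAILABLE);
+@@ -2204,6 +2207,14 @@
+config->playback = 0;
+
+#if HAVE_OPENSSL
++ if (optConf->sslauthority != (char *)0 &&
++ optConf->sslauthority[0] != '\000')
++ config->sslauthority = StrDup(optConf->sslauthority);
++ else if (pConfig->sslauthority != (char *)0 &&
++ pConfig->sslauthority[0] != '\000')
++ config->sslauthority = StrDup(pConfig->sslauthority);
++ else
++ config->sslauthority = (char *)0;
+if (optConf->sslcredentials != (char *)0 &&
+optConf->sslcredentials[0] != '\000')
+config->sslcredentials = StrDup(optConf->sslcredentials);
+diff -ur conserver-8.1.16/console/readconf.c conserver-8.1.16-ssl/console/readconf.c
+--- conserver-8.1.16/console/readconf.c 2006-04-03 09:32:12.000000000 -0400
++++ conserver-8.1.16-ssl/console/readconf.c 2008-01-09 11:14:20.000000000 -0500
+@@ -37,6 +37,8 @@
+if (c->escape != (char *)0)
+free(c->escape);
+#if HAVE_OPENSSL
++ if (c->sslauthority != (char *)0)
++ free(c->sslauthority);
+if (c->sslcredentials != (char *)0)
+free(c->sslcredentials);
+#endif
+@@ -86,6 +88,13 @@
+if (parserConfigDefault->playback != FLAGUNKNOWN)
+c->playback = parserConfigDefault->playback;
+#if HAVE_OPENSSL
++ if (parserConfigDefault->sslauthority != (char *)0) {
++ if (c->sslauthority != (char *)0)
++ free(c->sslauthority);
++ if ((c->sslauthority =
++ StrDup(parserConfigDefault->sslauthority)) == (char *)0)
++ OutOfMem();
++ }
+if (parserConfigDefault->sslcredentials != (char *)0) {
+if (c->sslcredentials != (char *)0)
+free(c->sslcredentials);
+@@ -480,6 +489,32 @@
+
+void
+#if PROTOTYPES
++ConfigItemSslauthority(char *id)
++#else
++ConfigItemSslauthority(id)
++ char *id;
++#endif
++{
++ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line));
++#if HAVE_OPENSSL
++ if (parserConfigTemp->sslauthority != (char *)0)
++ free(parserConfigTemp->sslauthority);
++
++ if ((id == (char *)0) || (*id == '\000')) {
++ parserConfigTemp->sslauthority = (char *)0;
++ return;
++ }
++ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0)
++ OutOfMem();
++#else
++ Error
++ ("sslauthority ignored - encryption not compiled into code [%s:%d]",
++ file, line);
++#endif
++}
++
++void
++#if PROTOTYPES
+ConfigItemSslcredentials(char *id)
+#else
+ConfigItemSslcredentials(id)
+@@ -712,6 +747,7 @@
+{"port", ConfigItemPort},
+{"replay", ConfigItemReplay},
+{"sslcredentials", ConfigItemSslcredentials},
++ {"sslauthority", ConfigItemSslauthority},
+{"sslrequired", ConfigItemSslrequired},
+{"sslenabled", ConfigItemSslenabled},
+{"striphigh", ConfigItemStriphigh},
+diff -ur conserver-8.1.16/console/readconf.h conserver-8.1.16-ssl/console/readconf.h
+--- conserver-8.1.16/console/readconf.h 2006-04-03 09:32:12.000000000 -0400
++++ conserver-8.1.16-ssl/console/readconf.h 2008-01-09 11:07:41.000000000 -0500
+@@ -18,6 +18,7 @@
+unsigned short playback;
+#if HAVE_OPENSSL
+char *sslcredentials;
++ char *sslauthority;
+FLAG sslrequired;
+FLAG sslenabled;
+#endif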
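Review bot: The return value of `SSL_CTX_load_verify_locations(ctx,config->sslauthority,"")` is ignored in both the conserver main.c and the console console.c SetupSSL hunks, so an unreadable or misnamed CA file leaves the context with no trust anchor and the only symptom is whatever SSLVerifyCallback makes of the resulting verify error; check it the way the cipher-list call in the same hunk is checked, `if (SSL_CTX_load_verify_locations(ctx, config->sslauthority, (char *)0) != 1)` followed by the same Error() path (console.c also calls Bye(EX_UNAVAILABLE)). Passing `""` as the CApath argument asks OpenSSL to register an empty directory lookup; `(char *)0` is how an unused location is omitted. The `case 'A':` hunk in main.c adds the option handler, but no hunk in this patch touches the getopt option string or the usage text, so unless that is done outside this patch the new option is never reached from the command line. In console.c, OpenSSL ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT on a client-side SSL_CTX, so that half of the SSL_CTX_set_verify change has no effect; the server-side flag still being unconditional is already noted in the commit description.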