From dfd5def41f944c5eeefa662d5eaeea5a02600a45 Mon Sep 17 00:00:00 2001 From: jbjohnso Date: Wed, 9 Jan 2008 22:11:29 +0000 Subject: [PATCH] A patch for conserver to enable client certificate authentication. One final task need be done before I would think it good to submit upstream, and that is to specify to fail on lack of client certificates only when specified in an option file. The rest should not change conserver behavior without administrator/user request. --- conserver/certificate-auth.patch | 269 +++++++++++++++++++++++++++++++ 1 file changed, 269 insertions(+) create mode 100644 conserver/certificate-auth.patch diff --git a/conserver/certificate-auth.patch b/conserver/certificate-auth.patch new file mode 100644 index 0000000..8a12ed3 --- /dev/null +++ b/conserver/certificate-auth.patch @@ -0,0 +1,269 @@ +diff -ur conserver-8.1.16/conserver/main.c conserver-8.1.16-ssl/conserver/main.c +--- conserver-8.1.16/conserver/main.c 2007-04-02 13:59:16.000000000 -0400 ++++ conserver-8.1.16-ssl/conserver/main.c 2008-01-09 12:46:30.000000000 -0500 +@@ -357,7 +357,7 @@ + } else { + ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; + } +- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback); ++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback); + SSL_CTX_set_options(ctx, + SSL_OP_ALL | SSL_OP_NO_SSLv2 | + SSL_OP_SINGLE_DH_USE); +@@ -365,6 +365,9 @@ + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_AUTO_RETRY); ++ if (config->sslauthority != (char *)0) { ++ SSL_CTX_load_verify_locations(ctx,config->sslauthority,""); ++ } + SSL_CTX_set_tmp_dh_callback(ctx, TmpDHCallback); + if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) { + Error("SetupSSL(): setting SSL cipher list failed"); +@@ -1190,6 +1193,12 @@ + if ((optConf->secondaryport = StrDup(optarg)) == (char *)0) + OutOfMem(); + break; ++ case 'A': ++#if HAVE_OPENSSL ++ if ((optConf->sslauthority = StrDup(optarg)) == (char*)0) ++ OutOfMem(); ++#endif ++ break; + case 'c': + #if HAVE_OPENSSL + if ((optConf->sslcredentials = +@@ -1529,6 +1538,12 @@ + else + config->sslrequired = defConfig.sslrequired; + ++ if (optConf->sslauthority != (char *)0) ++ config->sslauthority = StrDup(optConf->sslauthority); ++ else if (pConfig->sslauthority != (char *)0) ++ config->sslauthority = StrDup(pConfig->sslauthority); ++ else ++ config->sslauthority = StrDup(defConfig.sslauthority); + if (optConf->sslcredentials != (char *)0) + config->sslcredentials = StrDup(optConf->sslcredentials); + else if (pConfig->sslcredentials != (char *)0) +diff -ur conserver-8.1.16/conserver/readcfg.c conserver-8.1.16-ssl/conserver/readcfg.c +--- conserver-8.1.16/conserver/readcfg.c 2007-04-02 13:59:16.000000000 -0400 ++++ conserver-8.1.16-ssl/conserver/readcfg.c 2008-01-09 12:41:08.000000000 -0500 +@@ -4385,6 +4385,8 @@ + #if HAVE_OPENSSL + if (c->sslcredentials != (char *)0) + free(c->sslcredentials); ++ if (c->sslauthority != (char *)0) ++ free(c->sslauthority); + #endif + free(c); + } +@@ -4474,6 +4476,12 @@ + parserConfigTemp->secondaryport = (char *)0; + } + #if HAVE_OPENSSL ++ if (parserConfigTemp->sslauthority != (char *)0) { ++ if (pConfig->sslauthority != (char *)0) ++ free(pConfig->sslauthority); ++ pConfig->sslauthority = parserConfigTemp->sslauthority; ++ parserConfigTemp->sslauthority = (char *)0; ++ } + if (parserConfigTemp->sslcredentials != (char *)0) { + if (pConfig->sslcredentials != (char *)0) + free(pConfig->sslcredentials); +@@ -4786,6 +4794,33 @@ + + void + #if PROTOTYPES ++ConfigItemSslauthority(char *id) ++#else ++ConfigItemSslauthority(id) ++ char *id; ++#endif ++{ ++ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line)); ++#if HAVE_OPENSSL ++ if (parserConfigTemp->sslauthority != (char *)0) ++ free(parserConfigTemp->sslauthority); ++ ++ if ((id == (char *)0) || (*id == '\000')) { ++ parserConfigTemp->sslauthority = (char *)0; ++ return; ++ } ++ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0) ++ OutOfMem(); ++#else ++ if (isMaster) ++ Error ++ ("sslauthority ignored - encryption not compiled into code [%s:%d]", ++ file, line); ++#endif ++} ++ ++void ++#if PROTOTYPES + ConfigItemSslcredentials(char *id) + #else + ConfigItemSslcredentials(id) +@@ -4962,6 +4997,7 @@ + {"secondaryport", ConfigItemSecondaryport}, + {"setproctitle", ConfigItemSetproctitle}, + {"sslcredentials", ConfigItemSslcredentials}, ++ {"sslauthority", ConfigItemSslauthority}, + {"sslrequired", ConfigItemSslrequired}, + {"unifiedlog", ConfigItemUnifiedlog}, + {(char *)0, (void *)0} +@@ -5250,6 +5286,27 @@ + } + #endif + #if HAVE_OPENSSL ++ if (optConf->sslauthority == (char *)0) { ++ if (pConfig->sslauthority == (char *)0) { ++ if (config->sslauthority != (char *)0) { ++ free(config->sslauthority); ++ config->sslauthority = (char *)0; ++ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect"); ++ } ++ } else { ++ if (config->sslauthority == (char *)0 || ++ strcmp(pConfig->sslauthority, ++ config->sslauthority) != 0) { ++ if (config->sslauthority != (char *)0) ++ free(config->sslauthority); ++ if ((config->sslauthority = ++ StrDup(pConfig->sslauthority)) ++ == (char *)0) ++ OutOfMem(); ++ Msg("warning: `sslauthority' config option changed - you must restart for it to take effect"); ++ } ++ } ++ } + if (optConf->sslcredentials == (char *)0) { + if (pConfig->sslcredentials == (char *)0) { + if (config->sslcredentials != (char *)0) { +diff -ur conserver-8.1.16/conserver/readcfg.h conserver-8.1.16-ssl/conserver/readcfg.h +--- conserver-8.1.16/conserver/readcfg.h 2005-06-10 22:30:31.000000000 -0400 ++++ conserver-8.1.16-ssl/conserver/readcfg.h 2008-01-09 08:10:54.000000000 -0500 +@@ -27,6 +27,7 @@ + #endif + #if HAVE_OPENSSL + char *sslcredentials; ++ char *sslauthority; + FLAG sslrequired; + #endif + } CONFIG; +diff -ur conserver-8.1.16/console/console.c conserver-8.1.16-ssl/console/console.c +--- conserver-8.1.16/console/console.c 2006-06-14 23:01:05.000000000 -0400 ++++ conserver-8.1.16-ssl/console/console.c 2008-01-09 12:49:39.000000000 -0500 +@@ -105,7 +105,7 @@ + } else { + ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH"; + } +- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback); ++ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSLVerifyCallback); + SSL_CTX_set_options(ctx, + SSL_OP_ALL | SSL_OP_NO_SSLv2 | + SSL_OP_SINGLE_DH_USE); +@@ -113,6 +113,9 @@ + SSL_MODE_ENABLE_PARTIAL_WRITE | + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | + SSL_MODE_AUTO_RETRY); ++ if (config->sslauthority != (char *)0) { ++ SSL_CTX_load_verify_locations(ctx, config->sslauthority,""); ++ } + if (SSL_CTX_set_cipher_list(ctx, ciphers) != 1) { + Error("Setting SSL cipher list failed"); + Bye(EX_UNAVAILABLE); +@@ -2204,6 +2207,14 @@ + config->playback = 0; + + #if HAVE_OPENSSL ++ if (optConf->sslauthority != (char *)0 && ++ optConf->sslauthority[0] != '\000') ++ config->sslauthority = StrDup(optConf->sslauthority); ++ else if (pConfig->sslauthority != (char *)0 && ++ pConfig->sslauthority[0] != '\000') ++ config->sslauthority = StrDup(pConfig->sslauthority); ++ else ++ config->sslauthority = (char *)0; + if (optConf->sslcredentials != (char *)0 && + optConf->sslcredentials[0] != '\000') + config->sslcredentials = StrDup(optConf->sslcredentials); +diff -ur conserver-8.1.16/console/readconf.c conserver-8.1.16-ssl/console/readconf.c +--- conserver-8.1.16/console/readconf.c 2006-04-03 09:32:12.000000000 -0400 ++++ conserver-8.1.16-ssl/console/readconf.c 2008-01-09 11:14:20.000000000 -0500 +@@ -37,6 +37,8 @@ + if (c->escape != (char *)0) + free(c->escape); + #if HAVE_OPENSSL ++ if (c->sslauthority != (char *)0) ++ free(c->sslauthority); + if (c->sslcredentials != (char *)0) + free(c->sslcredentials); + #endif +@@ -86,6 +88,13 @@ + if (parserConfigDefault->playback != FLAGUNKNOWN) + c->playback = parserConfigDefault->playback; + #if HAVE_OPENSSL ++ if (parserConfigDefault->sslauthority != (char *)0) { ++ if (c->sslauthority != (char *)0) ++ free(c->sslauthority); ++ if ((c->sslauthority = ++ StrDup(parserConfigDefault->sslauthority)) == (char *)0) ++ OutOfMem(); ++ } + if (parserConfigDefault->sslcredentials != (char *)0) { + if (c->sslcredentials != (char *)0) + free(c->sslcredentials); +@@ -480,6 +489,32 @@ + + void + #if PROTOTYPES ++ConfigItemSslauthority(char *id) ++#else ++ConfigItemSslauthority(id) ++ char *id; ++#endif ++{ ++ CONDDEBUG((1, "ConfigItemSslauthority(%s) [%s:%d]", id, file, line)); ++#if HAVE_OPENSSL ++ if (parserConfigTemp->sslauthority != (char *)0) ++ free(parserConfigTemp->sslauthority); ++ ++ if ((id == (char *)0) || (*id == '\000')) { ++ parserConfigTemp->sslauthority = (char *)0; ++ return; ++ } ++ if ((parserConfigTemp->sslauthority = StrDup(id)) == (char *)0) ++ OutOfMem(); ++#else ++ Error ++ ("sslauthority ignored - encryption not compiled into code [%s:%d]", ++ file, line); ++#endif ++} ++ ++void ++#if PROTOTYPES + ConfigItemSslcredentials(char *id) + #else + ConfigItemSslcredentials(id) +@@ -712,6 +747,7 @@ + {"port", ConfigItemPort}, + {"replay", ConfigItemReplay}, + {"sslcredentials", ConfigItemSslcredentials}, ++ {"sslauthority", ConfigItemSslauthority}, + {"sslrequired", ConfigItemSslrequired}, + {"sslenabled", ConfigItemSslenabled}, + {"striphigh", ConfigItemStriphigh}, +diff -ur conserver-8.1.16/console/readconf.h conserver-8.1.16-ssl/console/readconf.h +--- conserver-8.1.16/console/readconf.h 2006-04-03 09:32:12.000000000 -0400 ++++ conserver-8.1.16-ssl/console/readconf.h 2008-01-09 11:07:41.000000000 -0500 +@@ -18,6 +18,7 @@ + unsigned short playback; + #if HAVE_OPENSSL + char *sslcredentials; ++ char *sslauthority; + FLAG sslrequired; + FLAG sslenabled; + #endif