Navigation

← Previous Changeset
Next Changeset →

Changeset 2962688c237f289fcbac61c53e08fd0fb2c1021c

Timestamp:

02/25/08 23:03:41 (5 years ago)

Author:

Theo Schlossnagle <jesus@omniti.com>

git-committer:

Theo Schlossnagle <jesus@omniti.com> 1203980621 +0000

git-parent:

[46c8ff5682f6e2498f7d9295573d3ebcc82b9eb2]

git-author:

Theo Schlossnagle <jesus@omniti.com> 1203980621 +0000

Message:

fix up client auth stuff in SSL for client certs

Files:

src/Makefile.in (modified) (1 diff)
src/eventer/eventer_SSL_fd_opset.c (modified) (5 diffs)
src/eventer/eventer_SSL_fd_opset.h (modified) (1 diff)
src/noit_console.c (modified) (3 diffs)
src/noit_listener.c (modified) (7 diffs)
src/noit_listener.h (modified) (2 diffs)
src/sample.conf (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

src/Makefile.in

rce72dc2	r2962688
64	64	openssl x509 -req -in test.csr -signkey test.key -out test.crt
65	65
66		testcerts: test.key test.crt
	66	test-strat.key:
	67	openssl genrsa -out test-strat.key
	68
	69	test-strat.csr: test-strat.key
	70	openssl req -key test-strat.key -days 365 -new -out test-strat.csr
	71
	72	test-strat.crt: test-strat.key test-strat.csr
	73	openssl x509 -req -in test-strat.csr -signkey test-strat.key -out test-strat.crt
	74
	75	testcerts: test.key test.crt test-strat.key test-strat.crt
67	76
68	77	clean-subdirs:

src/eventer/eventer_SSL_fd_opset.c

r76832e4	r2962688
77	77
78	78	int
79		eventer_ssl_verify_dates(X509_STORE_CTX *x509ctx) {
	79	eventer_ssl_verify_dates(eventer_ssl_ctx_t *ctx, int ok,
	80	X509_STORE_CTX x509ctx, void closure) {
80	81	time_t now;
81	82	X509 *peer;
	83	if(!x509ctx) return -1;
82	84	peer = X509_STORE_CTX_get_current_cert(x509ctx);
83	85	time(&now);
…	…
85	87	if(X509_cmp_time(X509_get_notAfter(peer), &now) < 0) return 1;
86	88	return 0;
	89	}
	90
	91	int
	92	eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
	93	X509_STORE_CTX x509ctx, void closure) {
	94	SSL *ssl;
	95	noit_hash_table *options = closure;
	96	const char opt_no_ca, ignore_dates;
	97	int v_res;
	98
	99	if(!x509ctx) return 0;
	100
	101	if(!noit_hash_retrieve(options, "optional_no_ca", strlen("optional_no_ca"),
	102	(void **)&opt_no_ca))
	103	opt_no_ca = "false";
	104	if(!noit_hash_retrieve(options, "ignore_dates", strlen("ignore_dates"),
	105	(void **)&ignore_dates))
	106	ignore_dates = "false";
	107
	108	ssl = X509_STORE_CTX_get_ex_data(x509ctx,
	109	SSL_get_ex_data_X509_STORE_CTX_idx());
	110	v_res = X509_STORE_CTX_get_error(x509ctx);
	111
	112	if((v_res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) \|\|
	113	(v_res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) \|\|
	114	(v_res == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) \|\|
	115	(v_res == X509_V_ERR_CERT_UNTRUSTED) \|\|
	116	(v_res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE)) {
	117	if(!strcmp(opt_no_ca, "true")) ok = 1;
	118	else {
	119	noitL(noit_error, "SSL client cert invalid: %s\n",
	120	X509_verify_cert_error_string(v_res));
	121	ok = 0;
	122	goto set_out;
	123	}
	124	}
	125	v_res = eventer_ssl_verify_dates(ctx, ok, x509ctx, closure);
	126	if(v_res != 0) {
	127	if(!strcmp(ignore_dates, "true")) ok = 1;
	128	else {
	129	noitL(noit_error, "SSL client cert is %s valid.\n",
	130	(v_res < 0) ? "not yet" : "no longer");
	131	ok = 0;
	132	goto set_out;
	133	}
	134	}
	135	set_out:
	136	return ok;
87	137	}
88	138
…	…
168	218	SSL_CTX_set_tmp_rsa_callback(ctx->ssl_ctx, tmp_rsa_cb);
169	219	SSL_CTX_set_cipher_list(ctx->ssl_ctx, ciphers ? ciphers : "DEFAULT");
170		SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER~~\|SSL_VERIFY_CLIENT_ONCE~~, verify_cb);
	220	SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, verify_cb);
171	221	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
172	222
…	…
234	284	static int
235	285	eventer_SSL_setup(eventer_ssl_ctx_t *ctx) {
236		X509 *peer;
	286	X509 *peer = NULL;
237	287	SSL_set_mode(ctx->ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
238	288	peer = SSL_get_peer_certificate(ctx->ssl);
…	…
244	294	if(!peer \|\|
245	295	(peer && SSL_get_verify_result(ctx->ssl) != X509_V_OK)) {
246		if(ctx->verify_cb)
247		ctx->verify_cb(ctx, 0, NULL, ctx->verify_cb_closure);
	296	if(ctx->verify_cb) {
	297	return ctx->verify_cb(ctx, 0, NULL, ctx->verify_cb_closure);
	298	}
248	299	}
249	300	return 0;

src/eventer/eventer_SSL_fd_opset.h

rb7ec807	r2962688
61	61	API_EXPORT(int) eventer_SSL_connect(eventer_t e, int *mask);
62	62
	63	API_EXPORT(int)
	64	eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
	65	X509_STORE_CTX x509ctx, void closure);
	66
	67	#define GET_SET_X509_NAME_PROTO(type) \
	68	API_EXPORT(char *) \
	69	eventer_ssl_get_peer_##type(eventer_ssl_ctx_t *ctx)
	70	GET_SET_X509_NAME_PROTO(issuer);
	71	GET_SET_X509_NAME_PROTO(subject);
	72
63	73	#endif
64	74

src/noit_console.c

re06b23e	r2962688
247	247	}
248	248
	249	void
	250	noit_console_motd(eventer_t e, acceptor_closure_t *ac,
	251	noit_console_closure_t ncct) {
	252	int ssl;
	253	ssl = eventer_get_eventer_ssl_ctx(e) ? 1 : 0;
	254	nc_printf(ncct, "noitd%s: %s\n",
	255	ssl ? "(secure)" : "",
	256	ac->remote_cn ? ac->remote_cn : "(no auth)");
	257	}
	258
249	259	int
250	260	noit_console_handler(eventer_t e, int mask, void *closure,
…	…
261	271	e->opset->close(e->fd, &newmask, e);
262	272	if(ncct) noit_console_closure_free(ncct);
263		free(ac);
	273	if(ac) acceptor_closure_free(ac);
264	274	return 0;
265	275	}
…	…
297	307	noit_console_state_init(ncct);
298	308	}
	309	noit_console_motd(e, ac, ncct);
299	310	ncct->initialized = 1;
300	311	}

src/noit_listener.c

r4dccf83	r2962688
20	20	#include "noit_conf.h"
21	21
	22	void
	23	acceptor_closure_free(acceptor_closure_t *ac) {
	24	if(ac->remote_cn) free(ac->remote_cn);
	25	free(ac);
	26	}
	27
22	28	static int
23	29	noit_listener_accept_ssl(eventer_t e, int mask,
…	…
25	31	int rv;
26	32	listener_closure_t listener_closure = (listener_closure_t)closure;
27		~~eventer_ssl_ctx_t *ctx~~;
	33	acceptor_closure_t *ac = NULL;
28	34	if(!closure) goto socketfail;
	35	ac = listener_closure->dispatch_closure;
29	36
30	37	rv = eventer_SSL_accept(e, &mask);
31	38	if(rv > 0) {
	39	eventer_ssl_ctx_t *sslctx;
32	40	e->callback = listener_closure->dispatch_callback;
33	41	/* We must make a copy of the acceptor_closure_t for each new
34	42	* connection.
35	43	*/
36		e->closure = malloc(sizeof(*listener_closure->dispatch_closure));
37		memcpy(e->closure, listener_closure->dispatch_closure,
38		sizeof(*listener_closure->dispatch_closure));
	44	if((sslctx = eventer_get_eventer_ssl_ctx(e)) != NULL) {
	45	char cn, end;
	46	cn = eventer_ssl_get_peer_subject(sslctx);
	47	if(cn && (cn = strstr(cn, "CN=")) != NULL) {
	48	cn += 3;
	49	end = cn;
	50	while(end && end != '/') end++;
	51	ac->remote_cn = malloc(end - cn + 1);
	52	memcpy(ac->remote_cn, cn, end - cn);
	53	ac->remote_cn[end-cn] = '\0';
	54	}
	55	}
	56	e->closure = ac;
39	57	return e->callback(e, mask, e->closure, tv);
40	58	}
41	59	if(errno == EAGAIN) return mask\|EVENTER_EXCEPTION;
42		~~ctx = eventer_get_eventer_ssl_ctx(e);~~
43		~~eventer_ssl_ctx_free(ctx);~~
44	60
45	61	socketfail:
	62	if(listener_closure) free(listener_closure);
	63	if(ac) acceptor_closure_free(ac);
46	64	eventer_remove_fd(e->fd);
47	65	e->opset->close(e->fd, &mask, e);
…	…
55	73	socklen_t salen;
56	74	listener_closure_t listener_closure = (listener_closure_t)closure;
57		union {
58		struct sockaddr_in addr4;
59		struct sockaddr_in6 addr6;
60		struct sockaddr_un unix;
61		} s;
	75	acceptor_closure_t *ac = NULL;
62	76
63	77	if(mask & EVENTER_EXCEPTION) {
64	78	socketfail:
	79	if(ac) acceptor_closure_free(ac);
65	80	eventer_remove_fd(e->fd);
66	81	e->opset->close(e->fd, &mask, e);
…	…
68	83	}
69	84
70		conn = e->opset->accept(e->fd, (struct sockaddr *)&s, &salen, &newmask, e);
	85	ac = malloc(sizeof(*ac));
	86	memcpy(ac, listener_closure->dispatch_closure, sizeof(*ac));
	87	conn = e->opset->accept(e->fd, &ac->remote_addr, &salen, &newmask, e);
71	88	if(conn >= 0) {
72	89	socklen_t on = 1;
…	…
79	96	newe->fd = conn;
80	97	newe->mask = EVENTER_READ \| EVENTER_WRITE \| EVENTER_EXCEPTION;
	98
81	99	if(listener_closure->sslconfig->size) {
82	100	char cert, key, ca, ciphers;
…	…
98	116	goto socketfail;
99	117	}
	118	eventer_ssl_ctx_set_verify(ctx, eventer_ssl_verify_cert,
	119	listener_closure->sslconfig);
100	120	EVENTER_ATTACH_SSL(newe, ctx);
101	121	newe->callback = noit_listener_accept_ssl;
102		newe->closure = listener_closure;
	122	newe->closure = malloc(sizeof(*listener_closure));
	123	memcpy(newe->closure, listener_closure, sizeof(*listener_closure));
	124	((listener_closure_t)newe->closure)->dispatch_closure = ac;
103	125	}
104	126	else {
…	…
107	129	* connection.
108	130	*/
109		newe->closure = malloc(sizeof(*listener_closure->dispatch_closure));
110		memcpy(newe->closure, listener_closure->dispatch_closure,
111		sizeof(*listener_closure->dispatch_closure));
	131	newe->closure = ac;
112	132	}
113	133	eventer_add(newe);

src/noit_listener.h

rb7ec807	r2962688
12	12
13	13	typedef struct {
	14	struct sockaddr remote_addr;
	15	char *remote_cn;
14	16	noit_hash_table *config;
15	17	void *service_ctx;
…	…
27	29
28	30	API_EXPORT(int)
29		noit_listener(char *host, unsigned short port, int type,
30		int backlog, noit_hash_table *sslconfig,
31		noit_hash_table *config,
32		eventer_func_t handler, void *service_ctx);
	31	noit_listener(char *host, unsigned short port, int type,
	32	int backlog, noit_hash_table *sslconfig,
	33	noit_hash_table *config,
	34	eventer_func_t handler, void *service_ctx);
	35
	36	API_EXPORT(void)
	37	acceptor_closure_free(acceptor_closure_t *ac);
33	38
34	39	#endif

src/sample.conf

re94ac86	r2962688
44	44	<listener address="*" port="32323">
45	45	<sslconfig>
	46	<optional_no_ca>true</optional_no_ca>
46	47	<certificate_file>test.crt</certificate_file>
47	48	<key_file>test.key</key_file>
	49	<ca_chain>test.crt</ca_chain>
48	50	</sslconfig>
49	51	</listener>