Changeset c35ae3a734c66c3de2052ccd0b30da5672a446d1

Timestamp:
01/14/10 16:11:45 (4 years ago)
Author:
Theo Schlossnagle <jesus@omniti.com>
git-committer:
Theo Schlossnagle <jesus@omniti.com> 1263485505 +0000
git-parent:

[43bd973480462e3a0c7a6e1ad2926df2d3137fcf]

git-author:
Theo Schlossnagle <jesus@omniti.com> 1263485505 +0000
Message:

closes #206

Files:

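--- a/src/eventer/eventer_SSL_fd_opset.c
+++ b/src/eventer/eventer_SSL_fd_opset.c
@@ -308,4 +308,17 @@
 }
 
+int
+eventer_ssl_use_crl(eventer_ssl_ctx_t *ctx, const char *crl_file) {
+  int ret;
+  X509_STORE *store;
+  X509_LOOKUP *lookup;
+  store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
+  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+  ret = X509_load_crl_file(lookup, crl_file, X509_FILETYPE_PEM);
+  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
+                              X509_V_FLAG_CRL_CHECK_ALL);
+  return ret;
+}
+
 /*
  * This is a set of helpers to tie the SSL stuff to the eventer_t.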
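Review bot: eventer_ssl_use_crl passes `store` and `lookup` straight on without checking them, although SSL_CTX_get_cert_store and X509_STORE_add_lookup can both return NULL; add `if(!store) return 0;` after the store fetch and `if(!lookup) return 0;` after the add, so a failure surfaces as the 0 both callers in this changeset already treat as an error. The return convention is undocumented while both call sites rely on it; a header comment such as `/* Loads a PEM CRL file into ctx's cert store and enables CRL checking; returns the count from X509_load_crl_file, 0 on failure. */` would make the `!eventer_ssl_use_crl()` checks self-explanatory. X509_V_FLAG_CRL_CHECK_ALL demands a current CRL for every CA in the chain, so a chain with an intermediate whose CRL is not in this file will fail verification — worth a comment, since the test fixtures only ever generate the root CA's CRL. The flags are also set when the load fails; harmless here because callers free the ctx on 0, but a future caller that ignores the return value gets a store that rejects every certificate.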
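--- a/src/eventer/eventer_SSL_fd_opset.h
+++ b/src/eventer/eventer_SSL_fd_opset.h
@@ -90,4 +90,7 @@
 
 API_EXPORT(int)
+  eventer_ssl_use_crl(eventer_ssl_ctx_t *ctx, const char *crl_file);
+
+API_EXPORT(int)
   eventer_ssl_verify_cert(eventer_ssl_ctx_t *ctx, int ok,
                           X509_STORE_CTX *x509ctx, void *closure);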
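Review bot: The new eventer_ssl_use_crl declaration says nothing about the expected file format or the return value, and the header is where callers will look before reading the .c file. A comment above the prototype along the lines of `/* Load a PEM CRL file into ctx's certificate store and turn on CRL checking for the whole chain; returns the number of CRLs loaded, 0 on failure. */` would document the contract the two new call sites depend on.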
  • src/noit_listener.c

    rf7914c0 rc35ae3a  
    132132   
    133133      if(listener_closure->sslconfig->size) { 
    134         const char *cert, *key, *ca, *ciphers
     134        const char *cert, *key, *ca, *ciphers, *crl
    135135        eventer_ssl_ctx_t *ctx; 
    136136        /* We have an SSL configuration.  While our socket accept is 
     
    151151          goto socketfail; 
    152152        } 
     153        SSLCONFGET(crl, "crl"); 
     154        if(crl) { 
     155          if(!eventer_ssl_use_crl(ctx, crl)) { 
     156            noitL(noit_error, "Failed to load CRL from %s\n", crl); 
     157            eventer_ssl_ctx_free(ctx); 
     158            newe->opset->close(newe->fd, &newmask, e); 
     159            eventer_free(newe); 
     160            goto socketfail; 
     161          } 
     162        } 
     163 
    153164        eventer_ssl_ctx_set_verify(ctx, eventer_ssl_verify_cert, 
    154165                                   listener_closure->sslconfig); 
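Review bot: `crl` is declared uninitialized on new line 134, while the parallel change in src/stratcon_jlog_streamer.c writes `*crl = NULL`; unless SSLCONFGET assigns in every case (the macro is outside the hunk), `if(crl)` reads an indeterminate pointer when no `crl` key is configured, so use `const char *cert, *key, *ca, *ciphers, *crl = NULL;` here as well. The log line `"Failed to load CRL from %s\n"` carries no reason from OpenSSL's error queue, so a wrong path, a malformed PEM and an unreadable file all look identical to an operator; appending ERR_reason_error_string(ERR_get_error()) to the message, if openssl/err.h is already available in this file, would help, and the same applies to the identical message in stratcon_jlog_streamer.c. The enclosing accept handler begins and ends outside the hunk.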
  • src/stratcon_jlog_streamer.c

    r4da7bc1 rc35ae3a  
    512512                                 struct timeval *now) { 
    513513  noit_connection_ctx_t *nctx = closure; 
    514   const char *cert, *key, *ca, *ciphers
     514  const char *cert, *key, *ca, *ciphers, *crl = NULL
    515515  char remote_str[128], tmp_str[128]; 
    516516  eventer_ssl_ctx_t *sslctx; 
     
    564564  SSLCONFGET(ca, "ca_chain"); 
    565565  SSLCONFGET(ciphers, "ciphers"); 
     566  SSLCONFGET(crl, "crl"); 
    566567  sslctx = eventer_ssl_ctx_new(SSL_CLIENT, cert, key, ca, ciphers); 
    567568  if(!sslctx) goto connect_error; 
     569  if(crl) { 
     570    if(!eventer_ssl_use_crl(sslctx, crl)) { 
     571      noitL(noit_error, "Failed to load CRL from %s\n", crl); 
     572      eventer_ssl_ctx_free(sslctx); 
     573      goto connect_error; 
     574    } 
     575  } 
    568576 
    569577  memcpy(&nctx->last_connect, now, sizeof(*now)); 
  • test/Makefile.in

    r5715632 rc35ae3a  
    2424top_srcdir=@top_srcdir@ 
    2525 
    26 all:    testcerts 
     26all:    testcerts testcrl 
    2727clean:  clean-keys 
    2828# This stuff if all cert stuff to make testing the daemons easier 
     
    5151        openssl ca -batch -config demo-openssl.cnf -in client.csr -out client.crt -outdir . -keyfile test-ca.key -cert test-ca.crt -days 120 
    5252 
     53badclient.key: 
     54        openssl genrsa -out badclient.key 
     55 
     56badclient.csr:  badclient.key 
     57        openssl req -key badclient.key -days 365 -new -out badclient.csr -config demo-openssl.cnf -subj "/C=US/ST=Maryland/O=OmniTI Labs/CN=samplebadclient" 
     58 
     59badclient.crt:  badclient.csr test-ca.key test-ca.crt 
     60        openssl ca -batch -config demo-openssl.cnf -in badclient.csr -out badclient.crt -outdir . -keyfile test-ca.key -cert test-ca.crt -days 120 
     61 
    5362test-noit.key: 
    5463        openssl genrsa -out test-noit.key 
     
    6978        openssl ca -batch -config demo-openssl.cnf -in test-stratcon.csr -out test-stratcon.crt -outdir . -keyfile test-ca.key -cert test-ca.crt -days 120 
    7079 
    71 testcerts:      demoCA-dir test-noit.key test-noit.crt test-stratcon.key test-stratcon.crt test-ca.key test-ca.crt client.key client.crt 
     80test-ca.crl:    demoCA-dir test-ca.key test-ca.crt badclient.key badclient.crt 
     81        openssl ca -config demo-openssl.cnf  -keyfile test-ca.key -cert test-ca.crt -revoke badclient.crt 
     82        openssl ca -config demo-openssl.cnf  -keyfile test-ca.key -cert test-ca.crt -gencrl -out  test-ca.crl 
     83 
     84testcrl:        test-ca.crl 
     85 
     86testcerts:      demoCA-dir test-noit.key test-noit.crt test-stratcon.key test-stratcon.crt test-ca.key test-ca.crt client.key client.crt badclient.key badclient.crt 
    7287 
    7388clean-keys: 
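Review bot: The `-gencrl` line for test-ca.crl passes no `-crldays`, so the CRL's nextUpdate comes from demo-openssl.cnf's default_crl_days (or OpenSSL's built-in default if unset); once that passes, a daemon running with CRL checking on rejects every handshake in the suite with a CRL-expired verification error that looks nothing like a fixture problem. Make the lifetime explicit, e.g. `openssl ca -config demo-openssl.cnf -keyfile test-ca.key -cert test-ca.crt -gencrl -crldays 120 -out test-ca.crl`, matching the `-days 120` used for the certificates. The `-revoke badclient.crt` step is also not idempotent: re-running it against an index that already records the serial errors out, so `make testcrl` after a partial build keeps failing until the keys are cleaned; whether clean-keys (outside the hunk) already removes badclient.* and test-ca.crl is worth checking, and a stamp file written after the revoke would avoid the repeat.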
  • test/t/000_prereq.t

    r5715632 rc35ae3a  
    1 use Test::More tests => 4
     1use Test::More tests => 5
    22my @progs = qw/pg_ctl initdb psql rm/; 
    33 
     
    1212  ok($found, "found $prog ($found)"); 
    1313} 
     14mkdir "logs"; 
     15ok(-d "logs", "logs dir exists"); 
    1416 
    15171; 
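--- a/test/t/apiclient.pm
+++ b/test/t/apiclient.pm
@@ -7,9 +7,18 @@
     my $host = shift;
     my $port = shift;
+    my $options = {
+        'cainfo' => '../test-ca.crt',
+        'key' => '../client.key',
+        'cert' => '../client.crt',
+    };
+    my $ext = shift || {};
+    while(my ($k,$v) = each %$ext) {
+      $options->{$k} = $v;
+    }
     my $curl = WWW::Curl::Easy->new();
     $curl->setopt(CURLOPT_SSL_VERIFYPEER, 0);
-    $curl->setopt(CURLOPT_CAINFO, '../test-ca.crt');
-    $curl->setopt(CURLOPT_SSLKEY, '../client.key');
-    $curl->setopt(CURLOPT_SSLCERT, '../client.crt');
+    $curl->setopt(CURLOPT_CAINFO, $options->{cainfo});
+    $curl->setopt(CURLOPT_SSLKEY, $options->{key});
+    $curl->setopt(CURLOPT_SSLCERT, $options->{cert});
     $curl->setopt(CURLOPT_TIMEOUT, 35);
     return bless { curl => $curl, host => $host, port => $port }, $class;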
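Review bot: The `each` loop on new lines 15-17 is a three-line way to overlay the caller's hash on the defaults and is indented differently from the rest of the method; a hash-slice assignment does the same in one line, `@{$options}{keys %$ext} = values %$ext;`. `shift || {}` would also treat a passed `0` or `''` as "no options"; `shift // {}` avoids that if the module already assumes 5.10+. Worth flagging for whoever writes tests against this: `CURLOPT_SSL_VERIFYPEER` stays 0 on line 19, so the now-configurable `cainfo` is loaded but the server's certificate is never actually verified against it, and a test that wants to prove the daemon presents the right certificate has to set it to 1 (the `$ext` hash would be a natural place to allow that).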
  • test/t/testconfig.pm

    r65401ed rc35ae3a  
    11package testconfig; 
     2use Test::More; 
    23use Fcntl; 
    34use DBI; 
     
    160161      <key_file>$cwd/../test-noit.key</key_file> 
    161162      <ca_chain>$cwd/../test-ca.crt</ca_chain> 
     163      <crl>$cwd/../test-ca.crl</crl> 
    162164    </sslconfig> 
    163165    <consoles type="noit_console">
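Review bot: The new `<crl>` element makes `$cwd/../test-ca.crl` mandatory for the generated listener config, and a missing file is not a soft failure: noit_listener.c in this changeset frees the ctx and refuses the connection when eventer_ssl_use_crl returns 0, so a tree built without `make testcrl` will likely fail every SSL test with nothing in the test output pointing at the fixture. A check up front, e.g. `ok(-f "../test-ca.crl", "test CRL exists");` next to the new logs-dir check in 000_prereq.t, would turn that into one clear failure. Since the daemons now run with CRL checking on, the file's validity period (set in test/Makefile.in) is also part of what the suite depends on.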