From 6cd86799aea2effe59b7c396c8b8caca7311300e Mon Sep 17 00:00:00 2001
From: Adam Williamson <awilliam@redhat.com>
Date: Fri, 19 Sep 2014 13:01:53 -0700
Subject: [PATCH 1/2] check whether trust store is a file or directory in
CHECK_CA
The existing code only allows you to provide a set of trusted
CA certificates as an openssl 'CApath'-type directory. Fedora,
RHEL (and derived distros) and probably other distros provide
a system-wide database of trusted CA certs in various bundle
formats, but not as a CApath-type directory. This checks whether
check_store is a file or directory and loads it appropriately,
when initializing an SSL connection.
Note that there is code elsewhere which assumes the trust store
will be a file, but that code is hit only in CHECK_BASIC mode.
This change applies only to CHECK_CA mode.
---
bip.conf.5 | 5 +++++
samples/bip.conf | 10 ++++++----
src/connection.c | 29 ++++++++++++++++++++++++-----
3 files changed, 35 insertions(+), 9 deletions(-)
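diff --git a/bip.conf.5 b/bip.conf.5
index a4a59a2..e8030c2 100644
--- a/bip.conf.5
+++ b/bip.conf.5
@@ -251,6 +251,11 @@ allows a "ssh-like" private key generation scheme. Note that in basic mode:
 .TP
 \fBssl_check_store\fP (default: \fBnot set\fP)
 This repository is browsed by BIP when a SSL certificate or CA check is needed.
+In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
+choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
+single file containing one or more trusted certificates concatenated together
+between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
+individual certificates in PEM format which has been processed by \fBc_rehash\fP.
 
 .TP
 \fBssl_client_certfile\fP (default: \fBnot set\fP)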
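diff --git a/samples/bip.conf b/samples/bip.conf
index 6761688..59a0339 100644
--- a/samples/bip.conf
+++ b/samples/bip.conf
@@ -117,13 +117,15 @@ user {
 # using "basic" unless you're a crypto zealot...
 ssl_check_mode = "none";
 
- # Location of the user's store for SSL certificate check
+ # Location of the user's store for server SSL certificate check
 # In "basic" mode, that must point to a single file with all trusted
 # certs concatenated together (the interactive "trust" appends to this
 # file).
- # In "ca" mode, it's a directory of a standard openssl store; you must
- # put PEM objects (certificates, CRLs...) with .pem extension and run
- # `c_rehash .' in it
+ # In "ca" mode, it can be either:
+ # - a directory of a standard openssl store; you must put PEM objects
+ # (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
+ # - a certificate bundle file containing one or more certificates in PEM
+ # format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
 ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
 
 # Some networks (OFTC at least) allow you to authenticate to nickserv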
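diff --git a/src/connection.c b/src/connection.c
index da23996..b534cd0 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -1461,6 +1461,7 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 conn->ssl_check_mode = check_mode;
 
 switch (conn->ssl_check_mode) {
+ struct stat st_buf;
 case SSL_CHECK_BASIC:
 if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
 NULL)) {
@@ -1469,13 +1470,31 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
 }
 break;
 case SSL_CHECK_CA:
- if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
- check_store)) {
- mylog(LOG_ERROR, "Can't assign check store to "
- "SSL connection!");
+ // Check if check_store is a file or directory
+ if (stat(check_store, &st_buf) == 0) {
+ if (st_buf.st_mode & S_IFDIR) {
+ if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
+ check_store)) {
+ mylog(LOG_ERROR, "Can't assign check store to "
+ "SSL connection!");
+ return conn;
+ }
+ break;
+ }
+ if (st_buf.st_mode & S_IFREG) {
+ if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
+ NULL)) {
+ mylog(LOG_ERROR, "Can't assign check store to "
+ "SSL connection!");
+ return conn;
+ }
+ break;
+ }
+ mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
 return conn;
 }
- break;
+ mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
+ return conn;
 }
 
 switch (conn->ssl_check_mode) {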
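Review bot: The type tests `if (st_buf.st_mode & S_IFDIR)` and `if (st_buf.st_mode & S_IFREG)` in the second hunk treat the S_IFMT field of st_mode as independent flag bits, but it is an encoded value (with the common encoding S_IFSOCK and S_IFBLK both overlap S_IFDIR), so a socket or block device at check_store would be fed to SSL_CTX_load_verify_locations as a CApath instead of being rejected by the "neither a file nor a directory" branch; the POSIX macros exist for exactly this, `if (S_ISDIR(st_buf.st_mode)) {` and `if (S_ISREG(st_buf.st_mode)) {`. `struct stat st_buf;` in the first hunk is declared inside the switch body ahead of the first case label, which compiles but is easy to misread as belonging to a case; declaring it before the `switch` keeps the block conventional. `stat()` and `struct stat` come from `<sys/stat.h>`, and the diff adds no include, so presumably connection.c already pulls it in — worth confirming. `_connection_new_SSL` starts before the first hunk and continues after the second.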
--
2.1.0