Changeset: fdbc8fe59b1d for MonetDB
URL: https://dev.monetdb.org/hg/MonetDB/rev/fdbc8fe59b1d
Modified Files:
common/stream/stream.h
common/stream/tls_stream.c
tools/merovingian/daemon/client.c
Branch: smapi
Log Message:
Start certificate/keypair parametrization
diffs (134 lines):
diff --git a/common/stream/stream.h b/common/stream/stream.h
--- a/common/stream/stream.h
+++ b/common/stream/stream.h
@@ -164,7 +164,8 @@ stream_export void close_stream(stream *
stream_export stream *open_urlstream(const char *url); // mclient.c, future
copy from remote
-stream_export stream *open_tls_server_stream(int fd, const char *name, stream
*s);
+
+stream_export stream *open_tls_server_stream(int fd, const char *name, stream
*s, const char *kp_fname, const char *ct_fname);
stream_export stream *file_rstream(FILE *restrict fp, bool binary, const char
*restrict name); // unused
stream_export stream *file_wstream(FILE *restrict fp, bool binary, const char
*restrict name); // unused
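Review bot: The two new parameters of open_tls_server_stream are undocumented in the header, and the call sites in this changeset show a non-obvious contract: the key and certificate paths are only consulted when s == NULL (client.c passes NULL, NULL for the write-side stream). A trailing comment in the file's existing style would capture that, e.g. `// kp_fname/ct_fname: PEM private-key and certificate-chain files, read only when s == NULL`. As far as the visible hunks show, the callee only hands the strings to SSL_CTX_use_PrivateKey_file / SSL_CTX_use_certificate_chain_file and does not retain them, which is worth stating so callers know they need not copy them.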
diff --git a/common/stream/tls_stream.c b/common/stream/tls_stream.c
--- a/common/stream/tls_stream.c
+++ b/common/stream/tls_stream.c
@@ -45,14 +45,15 @@ tls_read(stream *restrict s, void *restr
}
static void
-tls_close(stream *s) {
+tls_close(stream *s)
+{
/* TODO properly shutdown */
ssl_wrapper *w = (ssl_wrapper *)s->stream_data.p;
SSL_shutdown(w->cSSL);
}
static stream *
-new_tls_server_stream(int fd, const char *name)
+new_tls_server_stream(int fd, const char *name, const char *kp_fname, const
char *ct_fname)
{
int ssl_err = 1;
stream *ret;
@@ -75,8 +76,8 @@ new_tls_server_stream(int fd, const char
}
/* TODO parametrize */
- const char *server_keypair_fname =
"/home/kutsurak/src/monetdb/mercurial-repos/public/smapi/smapi-dev-certificates/new/server_keypair.pem";
- ssl_err = SSL_CTX_use_PrivateKey_file(w->ctx, server_keypair_fname,
SSL_FILETYPE_PEM);
+ // const char *server_keypair_fname =
"/home/kutsurak/src/monetdb/mercurial-repos/public/smapi/smapi-dev-certificates/new/server_keypair.pem";
+ ssl_err = SSL_CTX_use_PrivateKey_file(w->ctx, kp_fname,
SSL_FILETYPE_PEM);
if (ssl_err <= 0) {
/* TODO handle */
fprintf(stderr, "SSL_CTX_use_PrivateKey_file\n");
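Review bot: The hard-coded developer path is kept as a commented-out line (`// const char *server_keypair_fname = ...`) next to the new `SSL_CTX_use_PrivateKey_file(w->ctx, kp_fname, SSL_FILETYPE_PEM)` call, and the same happens with the certificate path in the next hunk. Commented-out code should be deleted rather than left behind, and the `/* TODO parametrize */` above each call is done now and should go with it. With the paths caller-supplied, a NULL or wrong kp_fname reaches OpenSSL directly and the `/* TODO handle */` branch only prints the function name; printing the offending path and the OpenSSL error queue (e.g. `ERR_print_errors_fp(stderr)`) would make a misconfigured key file diagnosable. new_tls_server_stream's body continues outside the hunk.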
@@ -85,8 +86,8 @@ new_tls_server_stream(int fd, const char
}
/* TODO parametrize */
- const char *server_cert_chain_fname =
"/home/kutsurak/src/monetdb/mercurial-repos/public/smapi/smapi-dev-certificates/new/server_cert.pem";
- ssl_err = SSL_CTX_use_certificate_chain_file(w->ctx,
server_cert_chain_fname);
+ // const char *server_cert_chain_fname =
"/home/kutsurak/src/monetdb/mercurial-repos/public/smapi/smapi-dev-certificates/new/server_cert.pem";
+ ssl_err = SSL_CTX_use_certificate_chain_file(w->ctx, ct_fname);
if (ssl_err <= 0) {
/* TODO handle */
fprintf(stderr, "SSL_CTX_use_certificate_chain_file\n");
@@ -133,13 +134,14 @@ new_tls_server_stream(int fd, const char
}
stream *
-open_tls_server_stream(int fd, const char *name, stream *s) {
+open_tls_server_stream(int fd, const char *name, stream *s, const char
*kp_fname, const char *ct_fname)
+{
stream *ret;
/* This assumes that the read stream is created before the write
stream. This probably */
/* needs to change. */
if (s == NULL) {
- ret = new_tls_server_stream(fd, name);
+ ret = new_tls_server_stream(fd, name, kp_fname, ct_fname);
}
else {
if ((ret = create_stream(name)) == NULL) {
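Review bot: When s == NULL the key and certificate paths are forwarded to new_tls_server_stream without a NULL check, while the write-side caller in client.c relies on them being ignored when s != NULL, so the contract is implicit. A guard at the top makes it explicit and fails early on a misconfiguration: `if (s == NULL && (kp_fname == NULL || ct_fname == NULL)) return NULL;` — assuming NULL is this function's failure value, which the create_stream path here and the non-OpenSSL stub suggest. The existing comment about the read stream being created before the write stream is the natural place to document that the paths are only read for that first stream. open_tls_server_stream's body continues past the hunk.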
@@ -167,9 +169,11 @@ open_tls_server_stream(int fd, const cha
#else
stream *
-open_tls_serv_stream(int fd)
+open_tls_server_stream(int fd, const char *name, stream *s)
{
(void) fd;
+ (void) name;
+ (void) stream;
return NULL;
}
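Review bot: The non-OpenSSL stub will not compile: `(void) stream;` names the typedef rather than the parameter `s`, and the definition takes three parameters while stream.h now declares five, so a build without HAVE_OPENSSL gets a conflicting-types error. The stub should mirror the new prototype and discard every parameter.
```c
stream *
open_tls_server_stream(int fd, const char *name, stream *s, const char *kp_fname, const char *ct_fname)
{
	(void) fd;
	(void) name;
	(void) s;
	(void) kp_fname;
	(void) ct_fname;
	return NULL;
}
```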
diff --git a/tools/merovingian/daemon/client.c
b/tools/merovingian/daemon/client.c
--- a/tools/merovingian/daemon/client.c
+++ b/tools/merovingian/daemon/client.c
@@ -85,7 +85,29 @@ handleClient(void *data)
memcpy(chal, ((struct clientdata *) data)->challenge, sizeof(chal));
free(data);
#ifdef HAVE_OPENSSL
- fdin = open_tls_server_stream(sock, "merovingian<-client (tls read)",
NULL);
+ char *ct_fname, *kp_fname;
+ bool use_tls = true;
+
+ kv = findConfKey(_mero_props, "tls_cert");
+ if (kv == NULL) {
+ use_tls = false;
+ }
+ ct_fname = strdup(kv->val);
+
+ kv = findConfKey(_mero_props, "tls_key");
+ if (kv == NULL) {
+ use_tls = false;
+ }
+ kp_fname = strdup(kv->val);
+
+ if (use_tls) {
+ fdin = open_tls_server_stream(sock, "merovingian<-client (tls
read)", NULL, kp_fname, ct_fname);
+ free(kp_fname);
+ free(ct_fname);
+ }
+ else {
+ fdin = socket_rstream(sock, "merovingian<-client (read)");
+ }
#else
fdin = socket_rstream(sock, "merovingian<-client (read)");
#endif // HAVE_OPENSSL
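Review bot: A missing `tls_cert` or `tls_key` property dereferences NULL: `kv == NULL` only clears use_tls, and the next line still executes `strdup(kv->val)`. The copies are also leaked when only one of the two keys is present, and strdup's result is never checked. Since the visible callee only passes the paths to the SSL_CTX_use_*_file loaders, the pointers from the config entries can be handed over directly (keep the strdup, with a NULL check, only if _mero_props can change under this thread). The silent fall-back to a plaintext socket_rstream when the TLS configuration is incomplete should be logged, otherwise a typo in one key name downgrades every client connection without a trace; the same applies to the fout branch in the next hunk.
```c
	const char *kp_fname = NULL, *ct_fname = NULL;
	bool use_tls = true;

	kv = findConfKey(_mero_props, "tls_cert");
	if (kv == NULL)
		use_tls = false;
	else
		ct_fname = kv->val;

	kv = findConfKey(_mero_props, "tls_key");
	if (kv == NULL)
		use_tls = false;
	else
		kp_fname = kv->val;

	if (use_tls) {
		fdin = open_tls_server_stream(sock, "merovingian<-client (tls read)", NULL, kp_fname, ct_fname);
	} else {
		/* … log that the TLS configuration is incomplete and a plaintext stream is used … */
		fdin = socket_rstream(sock, "merovingian<-client (read)");
	}
```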
@@ -98,7 +120,12 @@ handleClient(void *data)
#ifdef HAVE_OPENSSL
/* stream library really wants 2 different streams one read only and
one read write. On the other hand openssl has */
/* one object (BIO) that handles both directions. */
- fout = open_tls_server_stream(sock, "merovingian->client (tls write)",
fdin);
+ if (use_tls) {
+ fout = open_tls_server_stream(sock, "merovingian->client (tls
write)", fdin, NULL, NULL);
+ }
+ else {
+ fout = socket_wstream(sock, "merovingian->client (write)");
+ }
#else
fout = socket_wstream(sock, "merovingian->client (write)");
#endif // HAVE_OPENSSL