SSL configuration:
- warn when bip is not SSL-capable and the configuration contains SSL options - add a client_side_ssl_key option to define the path to the bip.pem file
This commit is contained in:
parent
8b272bb0fd
commit
e7e49fdad1
@ -16,6 +16,10 @@ port = 7778;
|
|||||||
# for bip using scripts/bipgenconfig.
|
# for bip using scripts/bipgenconfig.
|
||||||
client_side_ssl = false;
|
client_side_ssl = false;
|
||||||
|
|
||||||
|
# This is the file containing the SSL cert/key pair bip'll use to
|
||||||
|
# serve SSL clients. If unset, it defaults to <biphome>/bip.pem
|
||||||
|
#client_side_ssl_key = "/path/to/pemfile";
|
||||||
|
|
||||||
log_level = 3;
|
log_level = 3;
|
||||||
|
|
||||||
#pid_file="/var/run/bip/bip.pid";
|
#pid_file="/var/run/bip/bip.pid";
|
||||||
|
@ -54,7 +54,7 @@ syn region bipMain start=/\%^/ end=/\%$/
|
|||||||
" Top level elements
|
" Top level elements
|
||||||
syn keyword bipKeyword contained nextgroup=bipBoolV client_side_ssl
|
syn keyword bipKeyword contained nextgroup=bipBoolV client_side_ssl
|
||||||
syn keyword bipKeyword contained nextgroup=bipStringV log_root
|
syn keyword bipKeyword contained nextgroup=bipStringV log_root
|
||||||
\ log_format pid_file
|
\ log_format pid_file client_side_ssl_key
|
||||||
syn keyword bipKeyword contained nextgroup=bipNumericV port log_level
|
syn keyword bipKeyword contained nextgroup=bipNumericV port log_level
|
||||||
\ log_sync_interval
|
\ log_sync_interval
|
||||||
syn keyword bipKeyword contained nextgroup=bipIPV ip
|
syn keyword bipKeyword contained nextgroup=bipIPV ip
|
||||||
|
32
src/bip.c
32
src/bip.c
@ -563,6 +563,11 @@ static int add_connection(bip_t *bip, struct user *user, list_t *data)
|
|||||||
if (strcmp(t->pdata, "ca") == 0)
|
if (strcmp(t->pdata, "ca") == 0)
|
||||||
l->ssl_check_mode = SSL_CHECK_CA;
|
l->ssl_check_mode = SSL_CHECK_CA;
|
||||||
break;
|
break;
|
||||||
|
#else
|
||||||
|
case LEX_SSL_CHECK_MODE:
|
||||||
|
mylog(LOG_WARN, "Found SSL option whereas bip is "
|
||||||
|
"not built with SSL support.");
|
||||||
|
break;
|
||||||
#endif
|
#endif
|
||||||
default:
|
default:
|
||||||
conf_die(bip, "Unknown keyword in connection "
|
conf_die(bip, "Unknown keyword in connection "
|
||||||
@ -745,6 +750,12 @@ static int add_user(bip_t *bip, list_t *data, struct historical_directives *hds)
|
|||||||
case LEX_SSL_CHECK_STORE:
|
case LEX_SSL_CHECK_STORE:
|
||||||
MOVE_STRING(u->ssl_check_store, t->pdata);
|
MOVE_STRING(u->ssl_check_store, t->pdata);
|
||||||
break;
|
break;
|
||||||
|
#else
|
||||||
|
case LEX_SSL_CHECK_MODE:
|
||||||
|
case LEX_SSL_CHECK_STORE:
|
||||||
|
mylog(LOG_WARN, "Found SSL option whereas bip is "
|
||||||
|
"not built with SSL support.");
|
||||||
|
break;
|
||||||
#endif
|
#endif
|
||||||
default:
|
default:
|
||||||
conf_die(bip, "Uknown keyword in user statement");
|
conf_die(bip, "Uknown keyword in user statement");
|
||||||
@ -953,9 +964,20 @@ int fireup(bip_t *bip, FILE *conf)
|
|||||||
case LEX_PORT:
|
case LEX_PORT:
|
||||||
conf_port = t->ndata;
|
conf_port = t->ndata;
|
||||||
break;
|
break;
|
||||||
|
#ifdef HAVE_LIBSSL
|
||||||
case LEX_CSS:
|
case LEX_CSS:
|
||||||
conf_css = t->ndata;
|
conf_css = t->ndata;
|
||||||
break;
|
break;
|
||||||
|
case LEX_CSS_KEY:
|
||||||
|
MOVE_STRING(conf_ssl_certfile, t->pdata);
|
||||||
|
break;
|
||||||
|
#else
|
||||||
|
case LEX_CSS:
|
||||||
|
case LEX_CSS_KEY:
|
||||||
|
mylog(LOG_WARN, "Found SSL option whereas bip is "
|
||||||
|
"not built with SSL support.");
|
||||||
|
break;
|
||||||
|
#endif
|
||||||
case LEX_PID_FILE:
|
case LEX_PID_FILE:
|
||||||
MOVE_STRING(conf_pid_file, t->pdata);
|
MOVE_STRING(conf_pid_file, t->pdata);
|
||||||
break;
|
break;
|
||||||
@ -1132,6 +1154,9 @@ int main(int argc, char **argv)
|
|||||||
conf_daemonize = 1;
|
conf_daemonize = 1;
|
||||||
conf_global_log_file = stderr;
|
conf_global_log_file = stderr;
|
||||||
conf_pid_file = NULL;
|
conf_pid_file = NULL;
|
||||||
|
#ifdef HAVE_LIBSSL
|
||||||
|
conf_ssl_certfile = NULL;
|
||||||
|
#endif
|
||||||
|
|
||||||
while ((ch = getopt(argc, argv, "hvnf:s:")) != -1) {
|
while ((ch = getopt(argc, argv, "hvnf:s:")) != -1) {
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
@ -1214,18 +1239,13 @@ int main(int argc, char **argv)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
conf_ssl_certfile = NULL; /* Make into a config option */
|
|
||||||
if (!conf_ssl_certfile) {
|
if (!conf_ssl_certfile) {
|
||||||
char *ap = "/bip.pem";
|
char *ap = "/bip.pem";
|
||||||
if (conf_ssl_certfile) {
|
|
||||||
free(conf_ssl_certfile);
|
|
||||||
conf_ssl_certfile = NULL;
|
|
||||||
}
|
|
||||||
conf_ssl_certfile = malloc(strlen(conf_biphome) +
|
conf_ssl_certfile = malloc(strlen(conf_biphome) +
|
||||||
strlen(ap) + 1);
|
strlen(ap) + 1);
|
||||||
strcpy(conf_ssl_certfile, conf_biphome);
|
strcpy(conf_ssl_certfile, conf_biphome);
|
||||||
strcat(conf_ssl_certfile, ap);
|
strcat(conf_ssl_certfile, ap);
|
||||||
mylog(LOG_INFO, "Default SSL certificate file: %s",
|
mylog(LOG_INFO, "Using default SSL certificate file: %s",
|
||||||
conf_ssl_certfile);
|
conf_ssl_certfile);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
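Review bot: In fireup's `#else` branch (hunk at -953,9 +964,20), `client_side_ssl = true` on a build without HAVE_LIBSSL only logs a warning and parsing continues, so bip presumably goes on serving clients without TLS while the admin believes they asked for it; treating a true LEX_CSS as fatal seems safer: `case LEX_CSS: if (t->ndata) conf_die(bip, "client_side_ssl requested but bip was built without SSL support"); break;`. The same warning string is repeated verbatim in the add_connection and add_user hunks and names neither the option nor the enclosing statement, so a logged warning cannot be traced back to the offending line; a small helper taking the keyword name would remove the duplication and make the message actionable. In the last hunk (main), the kept default-path code still calls `malloc` without a NULL check before `strcpy`, which this commit does not address. fireup's body continues outside the hunk.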
@ -68,7 +68,7 @@ struct tuple *tuple_l_new(int type, void *p)
|
|||||||
|
|
||||||
%}
|
%}
|
||||||
|
|
||||||
%token LEX_IP LEX_EQ LEX_PORT LEX_CSS LEX_SEMICOLON LEX_CONNECTION LEX_NETWORK LEX_LBRA LEX_RBRA LEX_USER LEX_NAME LEX_NICK LEX_SERVER LEX_PASSWORD LEX_SRCIP LEX_HOST LEX_VHOST LEX_SOURCE_PORT LEX_NONE LEX_COMMENT LEX_BUNCH LEX_REALNAME LEX_SSL LEX_SSL_CHECK_MODE LEX_SSL_CHECK_STORE LEX_CHANNEL LEX_KEY LEX_LOG_ROOT LEX_LOG_FORMAT LEX_LOG_LEVEL LEX_BACKLOG_LINES LEX_BACKLOG_NO_TIMESTAMP LEX_BACKLOG LEX_LOG LEX_LOG_SYSTEM LEX_LOG_SYNC_INTERVAL LEX_FOLLOW_NICK LEX_ON_CONNECT_SEND LEX_AWAY_NICK LEX_PID_FILE LEX_IGN_FIRST_NICK LEX_ALWAYS_BACKLOG LEX_BLRESET_ON_TALK LEX_DEFAULT_USER LEX_DEFAULT_NICK LEX_DEFAULT_REALNAME LEX_NO_CLIENT_AWAY_MSG LEX_BL_MSG_ONLY LEX_ADMIN LEX_BIP_USE_NOTICE
|
%token LEX_IP LEX_EQ LEX_PORT LEX_CSS LEX_SEMICOLON LEX_CONNECTION LEX_NETWORK LEX_LBRA LEX_RBRA LEX_USER LEX_NAME LEX_NICK LEX_SERVER LEX_PASSWORD LEX_SRCIP LEX_HOST LEX_VHOST LEX_SOURCE_PORT LEX_NONE LEX_COMMENT LEX_BUNCH LEX_REALNAME LEX_SSL LEX_SSL_CHECK_MODE LEX_SSL_CHECK_STORE LEX_CHANNEL LEX_KEY LEX_LOG_ROOT LEX_LOG_FORMAT LEX_LOG_LEVEL LEX_BACKLOG_LINES LEX_BACKLOG_NO_TIMESTAMP LEX_BACKLOG LEX_LOG LEX_LOG_SYSTEM LEX_LOG_SYNC_INTERVAL LEX_FOLLOW_NICK LEX_ON_CONNECT_SEND LEX_AWAY_NICK LEX_PID_FILE LEX_IGN_FIRST_NICK LEX_ALWAYS_BACKLOG LEX_BLRESET_ON_TALK LEX_DEFAULT_USER LEX_DEFAULT_NICK LEX_DEFAULT_REALNAME LEX_NO_CLIENT_AWAY_MSG LEX_BL_MSG_ONLY LEX_ADMIN LEX_BIP_USE_NOTICE LEX_CSS_KEY
|
||||||
|
|
||||||
%union {
|
%union {
|
||||||
int number;
|
int number;
|
||||||
@ -97,6 +97,7 @@ command:
|
|||||||
| LEX_IP LEX_EQ LEX_STRING { $$ = tuple_s_new(LEX_IP, $3); }
|
| LEX_IP LEX_EQ LEX_STRING { $$ = tuple_s_new(LEX_IP, $3); }
|
||||||
| LEX_PORT LEX_EQ LEX_INT { $$ = tuple_i_new(LEX_PORT, $3); }
|
| LEX_PORT LEX_EQ LEX_INT { $$ = tuple_i_new(LEX_PORT, $3); }
|
||||||
| LEX_CSS LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_CSS, $3); }
|
| LEX_CSS LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_CSS, $3); }
|
||||||
|
| LEX_CSS_KEY LEX_EQ LEX_STRING { $$ = tuple_s_new(LEX_CSS_KEY, $3); }
|
||||||
| LEX_LOG LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG, $3); }
|
| LEX_LOG LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG, $3); }
|
||||||
| LEX_LOG_SYSTEM LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG_SYSTEM, $3); }
|
| LEX_LOG_SYSTEM LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG_SYSTEM, $3); }
|
||||||
| LEX_LOG_SYNC_INTERVAL LEX_EQ LEX_INT { $$ = tuple_i_new(
|
| LEX_LOG_SYNC_INTERVAL LEX_EQ LEX_INT { $$ = tuple_i_new(
|
||||||
|
@ -111,6 +111,7 @@ list_t *parse_conf(FILE *file, int *err)
|
|||||||
"no_client_away_msg" { return LEX_NO_CLIENT_AWAY_MSG; }
|
"no_client_away_msg" { return LEX_NO_CLIENT_AWAY_MSG; }
|
||||||
"pid_file" { return LEX_PID_FILE; }
|
"pid_file" { return LEX_PID_FILE; }
|
||||||
"bip_use_notice" { return LEX_BIP_USE_NOTICE; }
|
"bip_use_notice" { return LEX_BIP_USE_NOTICE; }
|
||||||
|
"client_side_ssl_key" { return LEX_CSS_KEY; }
|
||||||
\"[^"]*\" {
|
\"[^"]*\" {
|
||||||
size_t len = strlen(yytext) - 2;
|
size_t len = strlen(yytext) - 2;
|
||||||
yylval.string = malloc(len + 1);
|
yylval.string = malloc(len + 1);
|
||||||
|