SSL configuration:

- warn when bip is not SSL-capable and configuration contain SSL options - add a client_side_ssl_key option to define the path to bip.pem file
2008-01-07 14:27:37 +01:00 · 2008-01-07 14:27:37 +01:00 · e7e49fdad1
parent 8b272bb0fd
commit e7e49fdad1
5 changed files with 34 additions and 8 deletions
--- a/samples/bip.conf
+++ b/samples/bip.conf
@ -16,6 +16,10 @@ port = 7778;
 # for bip using scripts/bipgenconfig.
 client_side_ssl = false;

+# This is the file containing the SSL cert/key pair bip'll use to
+# serve SSL clients. If unset, it defaults to <biphome>/bip.pem
+#client_side_ssl_key = "/path/to/pemfile";
+
 log_level = 3;

 #pid_file="/var/run/bip/bip.pid";
--- a/samples/bip.vim
+++ b/samples/bip.vim
@ -54,7 +54,7 @@ syn region	bipMain		start=/\%^/ end=/\%$/
 " Top level elements
 syn keyword	bipKeyword	contained nextgroup=bipBoolV client_side_ssl
 syn keyword	bipKeyword	contained nextgroup=bipStringV log_root
-	\ log_format pid_file
+	\ log_format pid_file client_side_ssl_key
 syn keyword	bipKeyword	contained nextgroup=bipNumericV port log_level
 	\ log_sync_interval
 syn keyword	bipKeyword	contained nextgroup=bipIPV ip
--- a/src/bip.c
+++ b/src/bip.c
@ -563,6 +563,11 @@ static int add_connection(bip_t *bip, struct user *user, list_t *data)
 			if (strcmp(t->pdata, "ca") == 0)
 				l->ssl_check_mode = SSL_CHECK_CA;
 			break;
+#else
+		case LEX_SSL_CHECK_MODE:
+			mylog(LOG_WARN, "Found SSL option whereas bip is "
+					"not built with SSL support.");
+			break;
 #endif
 		default:
 			conf_die(bip, "Unknown keyword in connection "
@ -745,6 +750,12 @@ static int add_user(bip_t *bip, list_t *data, struct historical_directives *hds)
 		case LEX_SSL_CHECK_STORE:
 			MOVE_STRING(u->ssl_check_store, t->pdata);
 			break;
+#else
+		case LEX_SSL_CHECK_MODE:
+		case LEX_SSL_CHECK_STORE:
+			mylog(LOG_WARN, "Found SSL option whereas bip is "
+					"not built with SSL support.");
+			break;
 #endif
 		default:
 			conf_die(bip, "Uknown keyword in user statement");
@ -953,9 +964,20 @@ int fireup(bip_t *bip, FILE *conf)
 		case LEX_PORT:
 			conf_port = t->ndata;
 			break;
+#ifdef HAVE_LIBSSL
 		case LEX_CSS:
 			conf_css = t->ndata;
 			break;
+		case LEX_CSS_KEY:
+			MOVE_STRING(conf_ssl_certfile, t->pdata);
+			break;
+#else
+		case LEX_CSS:
+		case LEX_CSS_KEY:
+			mylog(LOG_WARN, "Found SSL option whereas bip is "
+					"not built with SSL support.");
+			break;
+#endif
 		case LEX_PID_FILE:
 			MOVE_STRING(conf_pid_file, t->pdata);
 			break;
@ -1132,6 +1154,9 @@ int main(int argc, char **argv)
 	conf_daemonize = 1;
 	conf_global_log_file = stderr;
 	conf_pid_file = NULL;
+#ifdef HAVE_LIBSSL
+	conf_ssl_certfile = NULL;
+#endif

 	while ((ch = getopt(argc, argv, "hvnf:s:")) != -1) {
 		switch (ch) {
@ -1214,18 +1239,13 @@ int main(int argc, char **argv)
 	}

 #ifdef HAVE_LIBSSL
-	conf_ssl_certfile = NULL;	/* Make into a config option */
 	if (!conf_ssl_certfile) {
 		char *ap = "/bip.pem";
-		if (conf_ssl_certfile) {
-			free(conf_ssl_certfile);
-			conf_ssl_certfile = NULL;
-		}
 		conf_ssl_certfile = malloc(strlen(conf_biphome) +
 				strlen(ap) + 1);
 		strcpy(conf_ssl_certfile, conf_biphome);
 		strcat(conf_ssl_certfile, ap);
-		mylog(LOG_INFO, "Default SSL certificate file: %s",
+		mylog(LOG_INFO, "Using default SSL certificate file: %s",
 				conf_ssl_certfile);
 	}
 #endif
--- a/src/conf.y
+++ b/src/conf.y
@ -68,7 +68,7 @@ struct tuple *tuple_l_new(int type, void *p)

 %}

-%token LEX_IP LEX_EQ LEX_PORT LEX_CSS LEX_SEMICOLON LEX_CONNECTION LEX_NETWORK LEX_LBRA LEX_RBRA LEX_USER LEX_NAME LEX_NICK LEX_SERVER LEX_PASSWORD LEX_SRCIP LEX_HOST LEX_VHOST LEX_SOURCE_PORT LEX_NONE LEX_COMMENT LEX_BUNCH LEX_REALNAME LEX_SSL LEX_SSL_CHECK_MODE LEX_SSL_CHECK_STORE LEX_CHANNEL LEX_KEY LEX_LOG_ROOT LEX_LOG_FORMAT LEX_LOG_LEVEL LEX_BACKLOG_LINES LEX_BACKLOG_NO_TIMESTAMP LEX_BACKLOG LEX_LOG LEX_LOG_SYSTEM LEX_LOG_SYNC_INTERVAL LEX_FOLLOW_NICK LEX_ON_CONNECT_SEND LEX_AWAY_NICK LEX_PID_FILE LEX_IGN_FIRST_NICK LEX_ALWAYS_BACKLOG LEX_BLRESET_ON_TALK LEX_DEFAULT_USER LEX_DEFAULT_NICK LEX_DEFAULT_REALNAME LEX_NO_CLIENT_AWAY_MSG LEX_BL_MSG_ONLY LEX_ADMIN LEX_BIP_USE_NOTICE
+%token LEX_IP LEX_EQ LEX_PORT LEX_CSS LEX_SEMICOLON LEX_CONNECTION LEX_NETWORK LEX_LBRA LEX_RBRA LEX_USER LEX_NAME LEX_NICK LEX_SERVER LEX_PASSWORD LEX_SRCIP LEX_HOST LEX_VHOST LEX_SOURCE_PORT LEX_NONE LEX_COMMENT LEX_BUNCH LEX_REALNAME LEX_SSL LEX_SSL_CHECK_MODE LEX_SSL_CHECK_STORE LEX_CHANNEL LEX_KEY LEX_LOG_ROOT LEX_LOG_FORMAT LEX_LOG_LEVEL LEX_BACKLOG_LINES LEX_BACKLOG_NO_TIMESTAMP LEX_BACKLOG LEX_LOG LEX_LOG_SYSTEM LEX_LOG_SYNC_INTERVAL LEX_FOLLOW_NICK LEX_ON_CONNECT_SEND LEX_AWAY_NICK LEX_PID_FILE LEX_IGN_FIRST_NICK LEX_ALWAYS_BACKLOG LEX_BLRESET_ON_TALK LEX_DEFAULT_USER LEX_DEFAULT_NICK LEX_DEFAULT_REALNAME LEX_NO_CLIENT_AWAY_MSG LEX_BL_MSG_ONLY LEX_ADMIN LEX_BIP_USE_NOTICE LEX_CSS_KEY

 %union {
 	int number;
@ -97,6 +97,7 @@ command:
       | LEX_IP LEX_EQ LEX_STRING { $$ = tuple_s_new(LEX_IP, $3); }
       | LEX_PORT LEX_EQ LEX_INT { $$ = tuple_i_new(LEX_PORT, $3); }
       | LEX_CSS LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_CSS, $3); }
+       | LEX_CSS_KEY LEX_EQ LEX_STRING { $$ = tuple_s_new(LEX_CSS_KEY, $3); }
       | LEX_LOG LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG, $3); }
       | LEX_LOG_SYSTEM LEX_EQ LEX_BOOL { $$ = tuple_i_new(LEX_LOG_SYSTEM, $3); }
       | LEX_LOG_SYNC_INTERVAL LEX_EQ LEX_INT { $$ = tuple_i_new(
--- a/src/lex.l
+++ b/src/lex.l
@ -111,6 +111,7 @@ list_t *parse_conf(FILE *file, int *err)
 "no_client_away_msg"	{ return LEX_NO_CLIENT_AWAY_MSG; }
 "pid_file"		{ return LEX_PID_FILE; }
 "bip_use_notice"	{ return LEX_BIP_USE_NOTICE; }
+"client_side_ssl_key"	{ return LEX_CSS_KEY; }
 \"[^"]*\" 		{
 				size_t len = strlen(yytext) - 2;
 				yylval.string = malloc(len + 1);