

Roxen.git/server/base_server/roxen.pike:2577:   #endif   #endif /* SSL.ServerConnection */   #ifdef ROXEN_SSL_DEBUG    report_debug("SSL: Cipher suites enabled for %O:\n"    "%s\n",    this_object(),    fmt_cipher_suites(ctx->preferred_suites));   #endif    }    - #if constant(Standards.X509) +     void certificates_changed(Variable.Variable|void ignored,    void|int ignore_eaddrinuse)    {    int old_cert_failure = cert_failure;    cert_failure = 0;       array(string) certificates = ({});    array(object) decoded_certs = ({});    array(object) decoded_keys = ({});   
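Review bot: Dropping the `#if constant(Standards.X509)` guard makes `certificates_changed` depend on Standards.X509 unconditionally, so on a Pike that lacks it the file now fails with an undefined-identifier error deep inside the function instead of selecting a fallback; nothing in this hunk states the requirement. Unless the minimum Pike version is enforced elsewhere in the file (it may be, outside this hunk), a compile-time check near the top such as `#if !constant(Standards.X509)` / `#error Standards.X509 is required for TLS ports` / `#endif` would make the new requirement explicit. The body of `certificates_changed` continues past the end of this hunk, and the matching removal of the `#else` Tools.X509 branch is in the hunk at line 2765.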
Roxen.git/server/base_server/roxen.pike:2765: Inside #if constant(Standards.X509)
  #endif       if (!bound) {    bind (ignore_eaddrinuse);    if (old_cert_failure && bound)    report_notice (LOC_M(64, "TLS port %s opened.\n"), get_url());    if (!bound)    report_notice("Failed to bind port %s.\n", get_url());    }    } - #else -  // NB: The TBS Tools.X509 API has been deprecated in Pike 8.0. - #pragma no_deprecation_warnings -  void certificates_changed(Variable.Variable|void ignored, -  void|int ignore_eaddrinuse) -  { -  int old_cert_failure = cert_failure; -  cert_failure = 0; +     -  string raw_keydata; -  array(string) certificates = ({}); -  array(object) decoded_certs = ({}); -  Variable.Variable Certificates = getvar("ssl_cert_file"); -  -  object privs = Privs("Reading cert file"); -  -  foreach(map(Certificates->query(), String.trim_whites), string cert_file) { -  string raw_cert; -  SSL3_WERR (sprintf ("Reading cert file %O", cert_file)); -  if( catch{ raw_cert = lopen(cert_file, "r")->read(); } ) -  { -  CERT_WARNING (Certificates, -  LOC_M(8, "Reading certificate file %O failed: %s\n"), -  cert_file, strerror (errno())); -  continue; -  } -  -  object msg = Tools.PEM.pem_msg()->init( raw_cert ); -  object part = msg->parts["CERTIFICATE"] || -  msg->parts["X509 CERTIFICATE"]; -  string cert; -  -  if (msg->parts["RSA PRIVATE KEY"] || -  msg->parts["DSA PRIVATE KEY"]) { -  raw_keydata = raw_cert; -  } -  -  if (!part || !(cert = part->decoded_body())) -  { -  CERT_WARNING (Certificates, -  LOC_M(10, "No certificate found in %O.\n"), -  cert_file); -  continue; -  } -  certificates += ({ cert }); -  -  // FIXME: Support PKCS7 -  object tbs = Tools.X509.decode_certificate (cert); -  if (!tbs) { -  CERT_WARNING (Certificates, -  LOC_M(13, "Certificate not valid (DER).\n")); -  continue; -  } -  decoded_certs += ({tbs}); -  } -  -  if (!sizeof(decoded_certs)) { -  report_error ("TLS port %s: %s", get_url(), -  LOC_M(63,"No certificates found.\n")); -  cert_err_unbind(); -  cert_failure = 1; -  return; -  } -  -  Variable.Variable 
KeyFile = getvar("ssl_key_file"); -  -  if( strlen(KeyFile->query())) { -  SSL3_WERR (sprintf ("Reading key file %O", KeyFile->query())); -  if (catch{ raw_keydata = lopen(KeyFile->query(), "r")->read(); } ) -  CERT_ERROR (KeyFile, -  LOC_M(9, "Reading key file %O failed: %s\n"), -  KeyFile->query(), strerror (errno())); -  } -  else -  KeyFile = Certificates; -  -  privs = 0; -  -  if (!raw_keydata) -  CERT_ERROR (KeyFile, LOC_M (17,"No private key found.\n")); -  -  object msg = Tools.PEM.pem_msg()->init( raw_keydata ); -  -  SSL3_WERR(sprintf("key file contains: %O", indices(msg->parts))); -  -  object part; -  if (part = msg->parts["RSA PRIVATE KEY"]) -  { -  string key; -  -  if (!(key = part->decoded_body())) -  CERT_ERROR (KeyFile, -  LOC_M(11,"Private rsa key not valid")+" (PEM).\n"); -  -  object rsa = Standards.PKCS.RSA.parse_private_key(key); -  if (!rsa) -  CERT_ERROR (KeyFile, -  LOC_M(11,"Private rsa key not valid")+" (DER).\n"); -  -  ctx->rsa = rsa; -  -  SSL3_WERR(sprintf("RSA key size: %d bits", rsa->rsa_size())); -  -  if (rsa->rsa_size() > 512) -  { -  /* Too large for export */ -  ctx->short_rsa = Crypto.RSA()->generate_key(512, ctx->random); -  -  // ctx->long_rsa = Crypto.RSA()->generate_key(rsa->rsa_size(), ctx->random); -  } -  ctx->rsa_mode(); -  filter_preferred_suites(); -  -  array(int) key_matches = -  map(decoded_certs, -  lambda (object tbs) { -  return tbs->public_key->rsa->public_key_equal (rsa); -  }); -  -  int num_key_matches; -  // DWIM: Make sure the main cert comes first. 
-  array(string) new_certificates = allocate(sizeof(certificates)); -  int i,j; -  for (i=0; i < sizeof(certificates); i++) { -  if (key_matches[i]) { -  new_certificates[j++] = certificates[i]; -  num_key_matches++; -  } -  } -  for (i=0; i < sizeof(certificates); i++) { -  if (!key_matches[i]) { -  new_certificates[j++] = certificates[i]; -  } -  } -  if( !num_key_matches ) -  CERT_ERROR (KeyFile, -  LOC_M(14, "Certificate and private key do not match.\n")); -  ctx->certificates = new_certificates; -  } -  else if (part = msg->parts["DSA PRIVATE KEY"]) -  { -  string key; -  -  if (!(key = part->decoded_body())) -  CERT_ERROR (KeyFile, -  LOC_M(15,"Private dsa key not valid")+" (PEM).\n"); -  -  object dsa = Standards.PKCS.DSA.parse_private_key(key); -  if (!dsa) -  CERT_ERROR (KeyFile, -  LOC_M(15,"Private dsa key not valid")+" (DER).\n"); -  -  SSL3_WERR(sprintf("Using DSA key.")); -  -  //dsa->use_random(ctx->random); -  ctx->dsa = dsa; -  /* Use default DH parameters */ - #if constant(SSL.cipher) -  ctx->dh_params = SSL.cipher()->dh_parameters(); - #endif -  -  ctx->dhe_dss_mode(); -  filter_preferred_suites(); -  -  // FIXME: Add cert <-> private key check. -  -  ctx->certificates = certificates; -  } -  else -  CERT_ERROR (KeyFile, LOC_M(17,"No private key found.\n")); -  - #if EXPORT -  ctx->export_mode(); - #endif -  -  if (!bound) { -  bind (ignore_eaddrinuse); -  if (old_cert_failure && bound) -  report_notice (LOC_M(64, "TLS port %s opened.\n"), get_url()); -  } -  } - #pragma deprecation_warnings - #endif /* Tools.X509 */ -  +     class CertificateListVariable    {    inherit Variable.FileList;       string doc()    {    return sprintf(::doc() + "\n",    combine_path(getcwd(), "../local"),    getcwd());    }