[bip] backport fixes to make CA mode TLS certificate validation work OOTB
Adam Williamson
adamwill at fedoraproject.org
Wed Jan 14 19:10:02 UTC 2015
commit 7bd30fb1730d6bef8edcabefed47876e1b8856b0
Author: Adam Williamson <awilliam at redhat.com>
Date: Wed Jan 14 11:07:13 2015 -0800
backport fixes to make CA mode TLS certificate validation work OOTB
...er-trust-store-is-a-file-or-directory-in-.patch | 115 ++++++++++++++++++++
...ertificate-store-to-be-unspecified-in-CA-.patch | 80 ++++++++++++++
bip.spec | 11 ++-
3 files changed, 205 insertions(+), 1 deletions(-)
---
diff --git a/0001-check-whether-trust-store-is-a-file-or-directory-in-.patch b/0001-check-whether-trust-store-is-a-file-or-directory-in-.patch
new file mode 100644
index 0000000..8cb12b0
--- /dev/null
+++ b/0001-check-whether-trust-store-is-a-file-or-directory-in-.patch
@@ -0,0 +1,115 @@
+From 6cd86799aea2effe59b7c396c8b8caca7311300e Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam at redhat.com>
+Date: Fri, 19 Sep 2014 13:01:53 -0700
+Subject: [PATCH 1/2] check whether trust store is a file or directory in
+ CHECK_CA
+
+The existing code only allows you to provide a set of trusted
+CA certificates as an openssl 'CApath'-type directory. Fedora,
+RHEL (and derived distros) and probably other distros provide
+a system-wide database of trusted CA certs in various bundle
+formats, but not as a CApath-type directory. This checks whether
+check_store is a file or directory and loads it appropriately,
+when initializing an SSL connection.
+
+Note that there is code elsewhere which assumes the trust store
+will be a file, but that code is hit only in CHECK_BASIC mode.
+This change applies only to CHECK_CA mode.
+---
+ bip.conf.5 | 5 +++++
+ samples/bip.conf | 10 ++++++----
+ src/connection.c | 29 ++++++++++++++++++++++++-----
+ 3 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/bip.conf.5 b/bip.conf.5
+index a4a59a2..e8030c2 100644
+--- a/bip.conf.5
++++ b/bip.conf.5
+@@ -251,6 +251,11 @@ allows a "ssh-like" private key generation scheme. Note that in basic mode:
+ .TP
+ \fBssl_check_store\fP (default: \fBnot set\fP)
+ This repository is browsed by BIP when a SSL certificate or CA check is needed.
++In ssl_check_mode \fBbasic\fP it must be a file, to which certificates you
++choose to trust will be appended. In ssl_check_mode \fBca\fP it may be a
++single file containing one or more trusted certificates concatenated together
++between BEGIN CERTIFICATE and END CERTIFICATE lines, or a directory containing
++individual certificates in PEM format which has been processed by \fBc_rehash\fP.
+
+ .TP
+ \fBssl_client_certfile\fP (default: \fBnot set\fP)
+diff --git a/samples/bip.conf b/samples/bip.conf
+index 6761688..59a0339 100644
+--- a/samples/bip.conf
++++ b/samples/bip.conf
+@@ -117,13 +117,15 @@ user {
+ # using "basic" unless you're a crypto zealot...
+ ssl_check_mode = "none";
+
+- # Location of the user's store for SSL certificate check
++ # Location of the user's store for server SSL certificate check
+ # In "basic" mode, that must point to a single file with all trusted
+ # certs concatenated together (the interactive "trust" appends to this
+ # file).
+- # In "ca" mode, it's a directory of a standard openssl store; you must
+- # put PEM objects (certificates, CRLs...) with .pem extension and run
+- # `c_rehash .' in it
++ # In "ca" mode, it can be either:
++ # - a directory of a standard openssl store; you must put PEM objects
++ # (certificates, CRLs...) with .pem extension and run `c_rehash .' in it
++ # - a certificate bundle file containing one or more certificates in PEM
++ # format, enclosed in BEGIN CERTIFICATE / END CERTIFICATE lines
+ ssl_check_store = "/home/bip4ever/.bip/trustedcerts.txt";
+
+ # Some networks (OFTC at least) allow you to authenticate to nickserv
+diff --git a/src/connection.c b/src/connection.c
+index da23996..b534cd0 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1461,6 +1461,7 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
+ conn->ssl_check_mode = check_mode;
+
+ switch (conn->ssl_check_mode) {
++ struct stat st_buf;
+ case SSL_CHECK_BASIC:
+ if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
+ NULL)) {
+@@ -1469,13 +1470,31 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
+ }
+ break;
+ case SSL_CHECK_CA:
+- if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
+- check_store)) {
+- mylog(LOG_ERROR, "Can't assign check store to "
+- "SSL connection!");
++ // Check if check_store is a file or directory
++ if (stat(check_store, &st_buf) == 0) {
++ if (st_buf.st_mode & S_IFDIR) {
++ if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, NULL,
++ check_store)) {
++ mylog(LOG_ERROR, "Can't assign check store to "
++ "SSL connection!");
++ return conn;
++ }
++ break;
++ }
++ if (st_buf.st_mode & S_IFREG) {
++ if (!SSL_CTX_load_verify_locations(conn->ssl_ctx_h, check_store,
++ NULL)) {
++ mylog(LOG_ERROR, "Can't assign check store to "
++ "SSL connection!");
++ return conn;
++ }
++ break;
++ }
++ mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
+ return conn;
+ }
+- break;
++ mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
++ return conn;
+ }
+
+ switch (conn->ssl_check_mode) {
+--
+2.1.0
+
diff --git a/0002-allow-for-certificate-store-to-be-unspecified-in-CA-.patch b/0002-allow-for-certificate-store-to-be-unspecified-in-CA-.patch
new file mode 100644
index 0000000..c635a48
--- /dev/null
+++ b/0002-allow-for-certificate-store-to-be-unspecified-in-CA-.patch
@@ -0,0 +1,80 @@
+From a54b6835493767c348b33381040506aee4629d19 Mon Sep 17 00:00:00 2001
+From: Adam Williamson <awilliam at redhat.com>
+Date: Fri, 19 Sep 2014 18:04:53 -0700
+Subject: [PATCH 2/2] allow for certificate store to be unspecified in CA mode
+
+In many cases, using OpenSSL's default certificate store is fine
+and even preferred. If your OpenSSL provider (e.g. your
+distribution) is competent, they will manage this database
+better than you likely will.
+
+This could be refined to test in the NULL case whether the
+certificate store is empty, and fail out if so.
+---
+ src/bip.c | 12 +++++++++---
+ src/connection.c | 17 +++++++++++++++--
+ 2 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/src/bip.c b/src/bip.c
+index 37e72d9..f025c21 100644
+--- a/src/bip.c
++++ b/src/bip.c
+@@ -1540,9 +1540,15 @@ noroom:
+ bip_notify(ic, "%s", buf);
+
+ #ifdef HAVE_LIBSSL
+- bip_notify(ic, "SSL check mode '%s', stored into '%s'",
+- checkmode2text(u->ssl_check_mode),
+- STRORNULL(u->ssl_check_store));
++ if (u->ssl_check_store) {
++ bip_notify(ic, "SSL check mode '%s', stored into '%s'",
++ checkmode2text(u->ssl_check_mode),
++ u->ssl_check_store);
++ }
++ else {
++ bip_notify(ic, "SSL check mode '%s', default or no certificate store",
++ checkmode2text(u->ssl_check_mode));
++ }
+ if (u->ssl_client_certfile)
+ bip_notify(ic, "SSL client certificate stored into '%s'",
+ u->ssl_client_certfile);
+diff --git a/src/connection.c b/src/connection.c
+index b534cd0..ab1516e 100644
+--- a/src/connection.c
++++ b/src/connection.c
+@@ -1470,6 +1470,17 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
+ }
+ break;
+ case SSL_CHECK_CA:
++ if (!check_store) {
++ if (SSL_CTX_set_default_verify_paths(conn->ssl_ctx_h)) {
++ mylog(LOG_INFO, "No SSL certificate check store configured. "
++ "Default store will be used.");
++ break;
++ } else {
++ mylog(LOG_ERROR, "No SSL certificate check store configured "
++ "and cannot use default store!");
++ return conn;
++ }
++ }
+ // Check if check_store is a file or directory
+ if (stat(check_store, &st_buf) == 0) {
+ if (st_buf.st_mode & S_IFDIR) {
+@@ -1490,10 +1501,12 @@ static connection_t *_connection_new_SSL(char *dsthostname, char *dstport,
+ }
+ break;
+ }
+- mylog(LOG_ERROR, "Check store is neither a file nor a directory.");
++ mylog(LOG_ERROR, "Specified SSL certificate check store is neither "
++ "a file nor a directory.");
+ return conn;
+ }
+- mylog(LOG_ERROR, "Can't open check store! Make sure path is correct.");
++ mylog(LOG_ERROR, "Can't open SSL certificate check store! Check path "
++ "and permissions.");
+ return conn;
+ }
+
+--
+2.1.0
+
diff --git a/bip.spec b/bip.spec
index c3cd794..c213dc2 100644
--- a/bip.spec
+++ b/bip.spec
@@ -1,6 +1,6 @@
Name: bip
Version: 0.8.9
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: IRC Bouncer
Group: Applications/Internet
License: GPLv2+
@@ -13,6 +13,12 @@ Source2: bip-tmpfs.conf
Source3: bip.service
Patch0: 0001-Setup-bip-for-Fedora-s-paths.patch
Patch1: 0002-Throttle-joins-to-prevent-flooding.patch
+# Backports of https://projects.duckcorp.org/issues/350: makes CA mode
+# TLS work out of the box
+# https://projects.duckcorp.org/projects/bip/repository/revisions/89295ca4b2b89f88b4ce52fd78f0033a34906d90
+# https://projects.duckcorp.org/projects/bip/repository/revisions/88242715f489850a1f7cad6064492668c84f5083
+Patch2: 0001-check-whether-trust-store-is-a-file-or-directory-in-.patch
+Patch3: 0002-allow-for-certificate-store-to-be-unspecified-in-CA-.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -115,6 +121,9 @@ rm -rf $RPM_BUILD_ROOT
%{_unitdir}/bip.service
%changelog
+* Wed Dec 10 2014 Adam Williamson <awilliam at redhat.com> - 0.8.9-6
+- backport a couple of patches that make CA mode TLS validation work OOTB
+
* Mon Oct 06 2014 Brian C. Lane <bcl at redhat.com> 0.8.9-5
- Use network-online.target (#862610)
More information about the scm-commits
mailing list