* During SSL initialization, create the "keys" directory if it does not

  exist ... generate a private key if that does not exist ... more code
  coming soon to generate CSR and self-signed cert.  Hard-coded pathnames
  have been moved to sysconfig.h.

diff --git a/citadel/ChangeLog b/citadel/ChangeLog
index 6294e3d7faa1a9c361506286ff268c33225b1583..36986ccc670d68e0b55354972943b8e2c0a2c558 100644 (file)
--- a/citadel/ChangeLog
+++ b/citadel/ChangeLog
@@ -1,4 +1,10 @@
  $Log$
+ Revision 614.41  2004/02/17 16:56:51  ajc
+ * During SSL initialization, create the "keys" directory if it does not
+   exist ... generate a private key if that does not exist ... more code
+   coming soon to generate CSR and self-signed cert.  Hard-coded pathnames
+   have been moved to sysconfig.h.
+
  Revision 614.40  2004/02/17 04:47:22  ajc
  * Support PLAIN auth method in SMTP
 
@@ -5363,4 +5369,3 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant <bryant@cs.usm.maine.edu>
 
 Fri Jul 10 1998 Art Cancro <ajc@uncensored.citadel.org>
        * Initial CVS import
-

diff --git a/citadel/serv_crypto.c b/citadel/serv_crypto.c
index 3462e0ae4ec6cc93747c2fcd0002fcc4571326bc..2b51706c7b094c3cc8749c36bda13dcd8d50a7ea 100644 (file)
--- a/citadel/serv_crypto.c
+++ b/citadel/serv_crypto.c
@@ -2,6 +2,7 @@
 
 #include <string.h>
 #include <unistd.h>
+#include <sys/stat.h>
 #include <sys/types.h>
 #include "sysdep.h"
 
@@ -54,7 +55,7 @@ static unsigned long id_callback(void)
   * This function is taken from OpenSSL apps/s_cb.c
   */
 
-static int set_cert_stuff(SSL_CTX * ctx,
+static int ctdl_install_certificate(SSL_CTX * ctx,
                          const char *cert_file, const char *key_file)
 {
        if (cert_file != NULL) {
@@ -88,6 +89,8 @@ void init_ssl(void)
 {
        SSL_METHOD *ssl_method;
        DH *dh;
+       RSA *rsa=NULL;
+       FILE *fp;
 
        if (!access("/var/run/egd-pool", F_OK))
                RAND_egd("/var/run/egd-pool");
@@ -172,13 +175,55 @@ void init_ssl(void)
        SSL_CTX_set_tmp_dh(ssl_ctx, dh);
        DH_free(dh);
 
-       /* Get our certificates in order */
-       if (set_cert_stuff(ssl_ctx,
-                          BBSDIR "/keys/citadel.cer",
-                          BBSDIR "/keys/citadel.key") != 1) {
+       /* Get our certificates in order.
+        * First, create the key/cert directory if it's not there already...
+        */
+       mkdir(CTDL_CRYPTO_DIR, 0700);
 
-               lprintf(3, "SSL ERROR: cert is bad!\n");
+       /*
+        * Generate a key pair if we don't have one.
+        */
+       if (access(CTDL_KEY_PATH, R_OK) != 0) {
+               lprintf(3, "Generating RSA key pair.\n");
+               rsa = RSA_generate_key(1024,    /* modulus size */
+                                       65537,  /* exponent */
+                                       NULL,   /* no callback */
+                                       NULL);  /* no callback */
+               if (rsa == NULL) {
+                       lprintf(2, "Key generation failed: %s\n",
+                               ERR_reason_error_string(ERR_get_error()));
+               }
+               if (rsa != NULL) {
+                       fp = fopen(CTDL_KEY_PATH, "w");
+                       if (fp != NULL) {
+                               chmod(CTDL_KEY_PATH, 0600);
+                               if (PEM_write_RSAPrivateKey(fp, /* the file */
+                                                       rsa,    /* the key */
+                                                       NULL,   /* no enc */
+                                                       NULL,   /* no passphr */
+                                                       0,      /* no passphr */
+                                                       NULL,   /* no callbk */
+                                                       NULL    /* no callbk */
+                               ) != 1) {
+                                       lprintf(2, "Cannot write key: %s\n",
+                                               ERR_reason_error_string(ERR_get_error()));
+                                       unlink(CTDL_KEY_PATH);
+                               }
+                               fclose(fp);
+                       }
+                       RSA_free(rsa);
+               }
+       }
 
+       /*
+        * Now try to bind to the key and certificate.
+        */
+       if (ctdl_install_certificate(ssl_ctx,
+                       CTDL_CER_PATH,
+                       CTDL_KEY_PATH) != 1)
+       {
+               lprintf(2, "Cannot install certificate: %s\n",
+                               ERR_reason_error_string(ERR_get_error()));
        }
 
        /* Finally let the server know we're here */

diff --git a/citadel/sysconfig.h b/citadel/sysconfig.h
index 257b779effc7f1c9789a6fdb9a41b20ff514d4bf..1bc35fae2ff02995fdcc610a19d799d06c983423 100644 (file)
--- a/citadel/sysconfig.h
+++ b/citadel/sysconfig.h
@@ -109,3 +109,11 @@
  * How long (in seconds) to retain message entries in the use table
  */
 #define USETABLE_RETAIN                604800L         /* 7 days */
+
+/*
+ * Pathnames for cryptographic goodness
+ */
+#define        CTDL_CRYPTO_DIR         BBSDIR "/keys"
+#define CTDL_KEY_PATH          CTDL_CRYPTO_DIR "/citadel.key"
+#define CTDL_CSR_PATH          CTDL_CRYPTO_DIR "/citadel.csr"
+#define CTDL_CER_PATH          CTDL_CRYPTO_DIR "/citadel.cer"