From 172f2e62c2266008c3411cd864d808fc68395788 Mon Sep 17 00:00:00 2001 From: Art Cancro Date: Tue, 17 Feb 2004 16:56:51 +0000 Subject: [PATCH] * During SSL initialization, create the "keys" directory if it does not exist ... generate a private key if that does not exist ... more code coming soon to generate CSR and self-signed cert. Hard-coded pathnames have been moved to sysconfig.h. --- citadel/ChangeLog | 7 +++++- citadel/serv_crypto.c | 57 ++++++++++++++++++++++++++++++++++++++----- citadel/sysconfig.h | 8 ++++++ 3 files changed, 65 insertions(+), 7 deletions(-) diff --git a/citadel/ChangeLog b/citadel/ChangeLog index 6294e3d7f..36986ccc6 100644 --- a/citadel/ChangeLog +++ b/citadel/ChangeLog @@ -1,4 +1,10 @@ $Log$ + Revision 614.41 2004/02/17 16:56:51 ajc + * During SSL initialization, create the "keys" directory if it does not + exist ... generate a private key if that does not exist ... more code + coming soon to generate CSR and self-signed cert. Hard-coded pathnames + have been moved to sysconfig.h. + Revision 614.40 2004/02/17 04:47:22 ajc * Support PLAIN auth method in SMTP @@ -5363,4 +5369,3 @@ Sat Jul 11 00:20:48 EDT 1998 Nathan Bryant Fri Jul 10 1998 Art Cancro * Initial CVS import - diff --git a/citadel/serv_crypto.c b/citadel/serv_crypto.c index 3462e0ae4..2b51706c7 100644 --- a/citadel/serv_crypto.c +++ b/citadel/serv_crypto.c @@ -2,6 +2,7 @@ #include #include +#include #include #include "sysdep.h" @@ -54,7 +55,7 @@ static unsigned long id_callback(void) * This function is taken from OpenSSL apps/s_cb.c */ -static int set_cert_stuff(SSL_CTX * ctx, +static int ctdl_install_certificate(SSL_CTX * ctx, const char *cert_file, const char *key_file) { if (cert_file != NULL) { @@ -88,6 +89,8 @@ void init_ssl(void) { SSL_METHOD *ssl_method; DH *dh; + RSA *rsa=NULL; + FILE *fp; if (!access("/var/run/egd-pool", F_OK)) RAND_egd("/var/run/egd-pool"); 
@@ -172,13 +175,55 @@ void init_ssl(void)
 SSL_CTX_set_tmp_dh(ssl_ctx, dh);
 DH_free(dh);
- /* Get our certificates in order */
- if (set_cert_stuff(ssl_ctx,
- BBSDIR "/keys/citadel.cer",
- BBSDIR "/keys/citadel.key") != 1) {
+ /* Get our certificates in order.
+ * First, create the key/cert directory if it's not there already...
+ */
+ mkdir(CTDL_CRYPTO_DIR, 0700);
- lprintf(3, "SSL ERROR: cert is bad!\n");
+ /*
+ * Generate a key pair if we don't have one.
+ */
+ if (access(CTDL_KEY_PATH, R_OK) != 0) {
+ lprintf(3, "Generating RSA key pair.\n");
+ rsa = RSA_generate_key(1024, /* modulus size */
+ 65537, /* exponent */
+ NULL, /* no callback */
+ NULL); /* no callback */
+ if (rsa == NULL) {
+ lprintf(2, "Key generation failed: %s\n",
+ ERR_reason_error_string(ERR_get_error()));
+ }
+ if (rsa != NULL) {
+ fp = fopen(CTDL_KEY_PATH, "w");
+ if (fp != NULL) {
+ chmod(CTDL_KEY_PATH, 0600);
+ if (PEM_write_RSAPrivateKey(fp, /* the file */
+ rsa, /* the key */
+ NULL, /* no enc */
+ NULL, /* no passphr */
+ 0, /* no passphr */
+ NULL, /* no callbk */
+ NULL /* no callbk */
+ ) != 1) {
+ lprintf(2, "Cannot write key: %s\n",
+ ERR_reason_error_string(ERR_get_error()));
+ unlink(CTDL_KEY_PATH);
+ }
+ fclose(fp);
+ }
+ RSA_free(rsa);
+ }
+ }
+ /*
+ * Now try to bind to the key and certificate.
+ */
+ if (ctdl_install_certificate(ssl_ctx,
+ CTDL_CER_PATH,
+ CTDL_KEY_PATH) != 1)
+ {
+ lprintf(2, "Cannot install certificate: %s\n",
+ ERR_reason_error_string(ERR_get_error()));
 }
 /* Finally let the server know we're here */
diff --git a/citadel/sysconfig.h b/citadel/sysconfig.h
index 257b779ef..1bc35fae2 100644
--- a/citadel/sysconfig.h
+++ b/citadel/sysconfig.h
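Review bot: The private key file is created by `fp = fopen(CTDL_KEY_PATH, "w");` with umask-derived permissions and only afterwards narrowed by `chmod(CTDL_KEY_PATH, 0600);`, so there is a window in which the key can be world-readable, and the chmod return value is never checked. Creating the file with its final mode closes that window and makes the separate chmod unnecessary: `int fd = open(CTDL_KEY_PATH, O_WRONLY | O_CREAT | O_EXCL, 0600);` followed by `fp = (fd < 0) ? NULL : fdopen(fd, "w");` (with `<fcntl.h>` in scope). In the same block `fclose(fp);` is unchecked on a write stream, so a flush failure can leave a truncated key on disk that the `access(CTDL_KEY_PATH, R_OK)` test will accept as an existing key on the next start; `if (fclose(fp) != 0) unlink(CTDL_KEY_PATH);` would mirror the handling already done for a PEM_write_RSAPrivateKey failure. The three `lprintf(..., "%s", ERR_reason_error_string(ERR_get_error()))` calls may hand a NULL pointer to `%s` when the OpenSSL error queue is empty (ERR_get_error() returning 0), which is undefined behavior in the logger; a fallback string would be safer. init_ssl begins before this hunk and continues past its last line.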
@@ -109,3 +109,11 @@
 * How long (in seconds) to retain message entries in the use table
 */
 #define USETABLE_RETAIN 604800L /* 7 days */
+
+/*
+ * Pathnames for cryptographic goodness
+ */
+#define CTDL_CRYPTO_DIR BBSDIR "/keys"
+#define CTDL_KEY_PATH CTDL_CRYPTO_DIR "/citadel.key"
+#define CTDL_CSR_PATH CTDL_CRYPTO_DIR "/citadel.csr"
+#define CTDL_CER_PATH CTDL_CRYPTO_DIR "/citadel.cer"
-- 
2.30.2