Implement cs_set_ssl_ctx which sets SSL_CTX for SSL comstack.

Do not create SSL_CTX in cs_create (ssl_type). Create in tcpip_bind,
tcpip_rcvconnect instead. This allows user to set custom SSL_CTX.

diff --git a/NEWS b/NEWS
index 5c953ac..ec23a79 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,10 @@
 Possible compatibility problems with earlier versions marked with '*'.
 
 Possible compatibility problems with earlier versions marked with '*'.
 

+Implement cs_set_ssl_ctx which sets SSL_CTX for SSL comstack.
+
+Do not create SSL_CTX in cs_create (ssl_type). Create in tcpip_bind,
+tcpip_rcvconnect instead. This allows user to set custom SSL_CTX.
+

 ZOOM now allows inspection of X509 peer certificate for verification.
 The X509 buffer is retrived by reading ZOOM option "sslPeerCert".
 
 ZOOM now allows inspection of X509 peer certificate for verification.
 The X509 buffer is retrived by reading ZOOM option "sslPeerCert".
 

diff --git a/include/yaz/comstack.h b/include/yaz/comstack.h
index 5215a06..4525515 100644 (file)
--- a/include/yaz/comstack.h
+++ b/include/yaz/comstack.h
@@ -1,5 +1,5 @@
 /*
 /*

- * Copyright (c) 1995-2003, Index Data.
+ * Copyright (c) 1995-2004, Index Data.

  *
  * Permission to use, copy, modify, distribute, and sell this software and
  * its documentation, in whole or in part, for any purpose, is hereby granted,
  *
  * Permission to use, copy, modify, distribute, and sell this software and
  * its documentation, in whole or in part, for any purpose, is hereby granted,

@@ -23,7 +23,7 @@
  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
  * OF THIS SOFTWARE.
  *
  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
  * OF THIS SOFTWARE.
  *

- * $Id: comstack.h,v 1.13 2004-04-28 22:44:59 adam Exp $
+ * $Id: comstack.h,v 1.14 2004-04-29 21:19:23 adam Exp $

  */
 
 #ifndef COMSTACK_H
  */
 
 #ifndef COMSTACK_H

@@ -137,11 +137,11 @@ struct comstack
 #define cs_straddr(handle, str) ((*(handle)->f_straddr)(handle, str))
 #define cs_want_read(handle) ((handle)->io_pending & CS_WANT_READ)
 #define cs_want_write(handle) ((handle)->io_pending & CS_WANT_WRITE)
 #define cs_straddr(handle, str) ((*(handle)->f_straddr)(handle, str))
 #define cs_want_read(handle) ((handle)->io_pending & CS_WANT_READ)
 #define cs_want_write(handle) ((handle)->io_pending & CS_WANT_WRITE)

-#define cs_set_blocking(handle,blocking) ((handle)->f_set_blocking(handle, blocking)
+#define cs_set_blocking(handle,blocking) ((handle)->f_set_blocking(handle, blocking))

                                          
 #define CS_WANT_READ 1
 #define CS_WANT_WRITE 2
                                          
 #define CS_WANT_READ 1
 #define CS_WANT_WRITE 2

-                                         
+

 YAZ_EXPORT int cs_look (COMSTACK);
 YAZ_EXPORT const char *cs_strerror(COMSTACK h);
 YAZ_EXPORT const char *cs_errmsg(int n);
 YAZ_EXPORT int cs_look (COMSTACK);
 YAZ_EXPORT const char *cs_strerror(COMSTACK h);
 YAZ_EXPORT const char *cs_errmsg(int n);

@@ -150,6 +150,7 @@ YAZ_EXPORT COMSTACK cs_create_host(const char *type_and_host,
 YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args);
 YAZ_EXPORT int cs_complete_auto(const unsigned char *buf, int len);
 YAZ_EXPORT void *cs_get_ssl(COMSTACK cs);
 YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args);
 YAZ_EXPORT int cs_complete_auto(const unsigned char *buf, int len);
 YAZ_EXPORT void *cs_get_ssl(COMSTACK cs);

+YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx);

 YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len);
                                           
 /*
 YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len);
                                           
 /*

diff --git a/src/comstack.c b/src/comstack.c
index 40d7d4d..8070c36 100644 (file)
--- a/src/comstack.c
+++ b/src/comstack.c
@@ -2,7 +2,7 @@
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *

- * $Id: comstack.c,v 1.8 2004-04-29 08:55:17 adam Exp $
+ * $Id: comstack.c,v 1.9 2004-04-29 21:19:23 adam Exp $

  */
 
 #include <string.h>
  */
 
 #include <string.h>

@@ -121,7 +121,6 @@ COMSTACK cs_create_host(const char *type_and_host, int blocking, void **vp)
     {
        t = tcpip_type;
        host = type_and_host;
     {
        t = tcpip_type;
        host = type_and_host;

-        

     }
     cs = cs_create (t, blocking, proto);
     if (!cs)
     }
     cs = cs_create (t, blocking, proto);
     if (!cs)

diff --git a/src/tcpip.c b/src/tcpip.c
index 8dacfe5..bcee219 100644 (file)
--- a/src/tcpip.c
+++ b/src/tcpip.c
@@ -2,7 +2,7 @@
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *

- * $Id: tcpip.c,v 1.4 2004-04-29 08:55:17 adam Exp $
+ * $Id: tcpip.c,v 1.5 2004-04-29 21:19:23 adam Exp $

  */
 
 #include <stdio.h>
  */
 
 #include <stdio.h>

@@ -76,8 +76,8 @@ typedef struct tcpip_state
     struct sockaddr_in addr;  /* returned by cs_straddr */
     char buf[128]; /* returned by cs_addrstr */
 #if HAVE_OPENSSL_SSL_H
     struct sockaddr_in addr;  /* returned by cs_straddr */
     char buf[128]; /* returned by cs_addrstr */
 #if HAVE_OPENSSL_SSL_H

-    SSL_CTX *ctx;
-    SSL_CTX *ctx_alloc;
+    SSL_CTX *ctx;       /* current CTX. */
+    SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */

     SSL *ssl;
 #endif
 } tcpip_state;
     SSL *ssl;
 #endif
 } tcpip_state;

@@ -204,20 +204,9 @@ COMSTACK ssl_type(int s, int blocking, int protocol, void *vp)
     p->f_put = ssl_put;
     p->type = ssl_type;
     state = (tcpip_state *) p->cprivate;
     p->f_put = ssl_put;
     p->type = ssl_type;
     state = (tcpip_state *) p->cprivate;

-    if (vp)
-       state->ctx = vp;
-    else
-    {
-       SSL_load_error_strings();
-       SSLeay_add_all_algorithms();

 
 

-       state->ctx = state->ctx_alloc = SSL_CTX_new (SSLv23_method());
-       if (!state->ctx)
-       {
-           tcpip_close(p);
-           return 0;
-       }
-    }
+    state->ctx = vp;  /* may be NULL */
+

     /* note: we don't handle already opened socket in SSL mode - yet */
     return p;
 }
     /* note: we don't handle already opened socket in SSL mode - yet */
     return p;
 }

@@ -295,9 +284,6 @@ int tcpip_more(COMSTACK h)
 int tcpip_connect(COMSTACK h, void *address)
 {
     struct sockaddr_in *add = (struct sockaddr_in *)address;
 int tcpip_connect(COMSTACK h, void *address)
 {
     struct sockaddr_in *add = (struct sockaddr_in *)address;

-#if HAVE_OPENSSL_SSL_H
-    tcpip_state *sp = (tcpip_state *)h->cprivate;
-#endif

     int r;
 #ifdef __sun__
     int recbuflen;
     int r;
 #ifdef __sun__
     int recbuflen;

@@ -383,6 +369,18 @@ int tcpip_rcvconnect(COMSTACK h)
        return -1;
     }
 #if HAVE_OPENSSL_SSL_H
        return -1;
     }
 #if HAVE_OPENSSL_SSL_H

+    if (h->type == ssl_type && !sp->ctx)
+    {
+       SSL_load_error_strings();
+       SSLeay_add_all_algorithms();
+
+       sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method());
+       if (!sp->ctx)
+       {
+           h->cerrno = CSERRORSSL;
+           return -1;
+       }
+    }

     if (sp->ctx)
     {
        int res;
     if (sp->ctx)
     {
        int res;

@@ -451,6 +449,18 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
 
 #if HAVE_OPENSSL_SSL_H
     tcpip_state *sp = (tcpip_state *)h->cprivate;
 
 #if HAVE_OPENSSL_SSL_H
     tcpip_state *sp = (tcpip_state *)h->cprivate;

+    if (h->type == ssl_type && !sp->ctx)
+    {
+       SSL_load_error_strings();
+       SSLeay_add_all_algorithms();
+
+       sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method());
+       if (!sp->ctx)
+       {
+           h->cerrno = CSERRORSSL;
+           return -1;
+       }
+    }

     if (sp->ctx)
     {
        if (sp->ctx_alloc)
     if (sp->ctx)
     {
        if (sp->ctx_alloc)

@@ -1098,6 +1108,18 @@ int static tcpip_set_blocking(COMSTACK p, int blocking)
 }
 
 #if HAVE_OPENSSL_SSL_H
 }
 
 #if HAVE_OPENSSL_SSL_H

+int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+{
+    struct tcpip_state *state;
+    if (!cs || cs->type != ssl_type)
+        return 0;
+    state = (struct tcpip_state *) cs->cprivate;
+    if (state->ctx_alloc)
+       return 0;
+    state->ctx = ctx;
+    return 1;
+}
+

 void *cs_get_ssl(COMSTACK cs)
 {
     struct tcpip_state *state;
 void *cs_get_ssl(COMSTACK cs)
 {
     struct tcpip_state *state;

@@ -1129,6 +1151,11 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
     return 0;
 }
 #else
     return 0;
 }
 #else

+int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+{
+    return 0;
+}
+

 void *cs_get_ssl(COMSTACK cs)
 {
     return 0;
 void *cs_get_ssl(COMSTACK cs)
 {
     return 0;

diff --git a/src/unix.c b/src/unix.c
index 8a60065..bd6ce7c 100644 (file)
--- a/src/unix.c
+++ b/src/unix.c
@@ -1,8 +1,8 @@
 /*
 /*

- * Copyright (c) 1995-2003, Index Data
+ * Copyright (c) 1995-2004, Index Data

  * See the file LICENSE for details.
  *
  * See the file LICENSE for details.
  *

- * $Id: unix.c,v 1.3 2003-12-30 00:29:53 adam Exp $
+ * $Id: unix.c,v 1.4 2004-04-29 21:19:23 adam Exp $

  * UNIX socket COMSTACK. By Morten Bøgeskov.
  */
 #ifndef WIN32
  * UNIX socket COMSTACK. By Morten Bøgeskov.
  */
 #ifndef WIN32

@@ -343,9 +343,6 @@ static int unix_rcvconnect(COMSTACK h)
     return 0;
 }
 
     return 0;
 }
 

-#define CERTF "ztest.pem"
-#define KEYF "ztest.pem"
-

 static int unix_bind(COMSTACK h, void *address, int mode)
 {
     unix_state *sp = (unix_state *)h->cprivate;
 static int unix_bind(COMSTACK h, void *address, int mode)
 {
     unix_state *sp = (unix_state *)h->cprivate;