From 69758252fce6231073cb288a4f5bbf8f7febc249 Mon Sep 17 00:00:00 2001
From: Adam Dickmeiss
Date: Thu, 29 Apr 2004 21:19:23 +0000
Subject: [PATCH] Implement cs_set_ssl_ctx which sets SSL_CTX for SSL comstack.

Do not create SSL_CTX in cs_create (ssl_type). Create in tcpip_bind, tcpip_rcvconnect instead. This allows user to set custom SSL_CTX.
---
 NEWS | 5 ++++
 include/yaz/comstack.h | 9 ++++---
 src/comstack.c | 3 +--
 src/tcpip.c | 65 ++++++++++++++++++++++++++++++++++--------------
 src/unix.c | 7 ++----
 5 files changed, 59 insertions(+), 30 deletions(-)

diff --git a/NEWS b/NEWS
index 5c953ac..ec23a79 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,10 @@
 Possible compatibility problems with earlier versions marked with '*'.
 
+Implement cs_set_ssl_ctx which sets SSL_CTX for SSL comstack.
+
+Do not create SSL_CTX in cs_create (ssl_type). Create in tcpip_bind,
+tcpip_rcvconnect instead. This allows user to set custom SSL_CTX.
+
 ZOOM now allows inspection of X509 peer certificate for verification.
 The X509 buffer is retrived by reading ZOOM option "sslPeerCert".
 
diff --git a/include/yaz/comstack.h b/include/yaz/comstack.h
index 5215a06..4525515 100644
--- a/include/yaz/comstack.h
+++ b/include/yaz/comstack.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995-2003, Index Data.
+ * Copyright (c) 1995-2004, Index Data.
  *
  * Permission to use, copy, modify, distribute, and sell this software and
  * its documentation, in whole or in part, for any purpose, is hereby granted,
@@ -23,7 +23,7 @@
  * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
  * OF THIS SOFTWARE.
  *
- * $Id: comstack.h,v 1.13 2004-04-28 22:44:59 adam Exp $
+ * $Id: comstack.h,v 1.14 2004-04-29 21:19:23 adam Exp $
  */
 
 #ifndef COMSTACK_H
@@ -137,11 +137,11 @@ struct comstack
 #define cs_straddr(handle, str) ((*(handle)->f_straddr)(handle, str))
 #define cs_want_read(handle) ((handle)->io_pending & CS_WANT_READ)
 #define cs_want_write(handle) ((handle)->io_pending & CS_WANT_WRITE)
-#define cs_set_blocking(handle,blocking) ((handle)->f_set_blocking(handle, blocking)
+#define cs_set_blocking(handle,blocking) ((handle)->f_set_blocking(handle, blocking))
 
 #define CS_WANT_READ 1
 #define CS_WANT_WRITE 2
-
+
 YAZ_EXPORT int cs_look (COMSTACK);
 YAZ_EXPORT const char *cs_strerror(COMSTACK h);
 YAZ_EXPORT const char *cs_errmsg(int n);
@@ -150,6 +150,7 @@ YAZ_EXPORT COMSTACK cs_create_host(const char *type_and_host,
 YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args);
 YAZ_EXPORT int cs_complete_auto(const unsigned char *buf, int len);
 YAZ_EXPORT void *cs_get_ssl(COMSTACK cs);
+YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx);
 YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len);
 
 /*
diff --git a/src/comstack.c b/src/comstack.c
index 40d7d4d..8070c36 100644
--- a/src/comstack.c
+++ b/src/comstack.c
@@ -2,7 +2,7 @@
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *
- * $Id: comstack.c,v 1.8 2004-04-29 08:55:17 adam Exp $
+ * $Id: comstack.c,v 1.9 2004-04-29 21:19:23 adam Exp $
  */
 
 #include
@@ -121,7 +121,6 @@ COMSTACK cs_create_host(const char *type_and_host, int blocking, void **vp)
 {
 t = tcpip_type;
 host = type_and_host;
-}
 
 cs = cs_create (t, blocking, proto);
 if (!cs)
diff --git a/src/tcpip.c b/src/tcpip.c
index 8dacfe5..bcee219 100644
--- a/src/tcpip.c
+++ b/src/tcpip.c
@@ -2,7 +2,7 @@
  * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *
- * $Id: tcpip.c,v 1.4 2004-04-29 08:55:17 adam Exp $
+ * $Id: tcpip.c,v 1.5 2004-04-29 21:19:23 adam Exp $
  */
 
 #include 
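Review bot: The new `YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx);` declaration in the second hunk carries no comment, and its contract is not recoverable from the prototype: the tcpip.c implementation refuses (returns 0) once tcpip_bind or tcpip_rcvconnect has created a context of its own, so the call only works before cs_bind/cs_rcvconnect, and the installed SSL_CTX stays owned by the caller (ctx_alloc is left at 0). A header comment above the declaration should say that: `/* Install a caller-owned SSL_CTX on an ssl_type COMSTACK. Call before cs_bind/cs_rcvconnect. Returns 1 on success, 0 if cs is not an SSL comstack or a context was already created. Ownership of ctx stays with the caller. */`. The ctx parameter is typed void * to keep OpenSSL out of the public header; the comment could state that it is an SSL_CTX *.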
@@ -76,8 +76,8 @@ typedef struct tcpip_state
 struct sockaddr_in addr; /* returned by cs_straddr */
 char buf[128]; /* returned by cs_addrstr */
 #if HAVE_OPENSSL_SSL_H
- SSL_CTX *ctx;
- SSL_CTX *ctx_alloc;
+ SSL_CTX *ctx; /* current CTX. */
+ SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */
 SSL *ssl;
 #endif
 } tcpip_state;
@@ -204,20 +204,9 @@ COMSTACK ssl_type(int s, int blocking, int protocol, void *vp)
 p->f_put = ssl_put;
 p->type = ssl_type;
 state = (tcpip_state *) p->cprivate;
 
- if (vp)
- state->ctx = vp;
- else
- {
- SSL_load_error_strings();
- SSLeay_add_all_algorithms();
- state->ctx = state->ctx_alloc = SSL_CTX_new (SSLv23_method());
- if (!state->ctx)
- {
- tcpip_close(p);
- return 0;
- }
- }
+ state->ctx = vp; /* may be NULL */
+ /* note: we don't handle already opened socket in SSL mode - yet */
 return p;
 }
 
@@ -295,9 +284,6 @@ int tcpip_more(COMSTACK h)
 int tcpip_connect(COMSTACK h, void *address)
 {
 struct sockaddr_in *add = (struct sockaddr_in *)address;
-#if HAVE_OPENSSL_SSL_H
- tcpip_state *sp = (tcpip_state *)h->cprivate;
-#endif
 int r;
 #ifdef __sun__
 int recbuflen;
@@ -383,6 +369,18 @@ int tcpip_rcvconnect(COMSTACK h)
 return -1;
 }
 #if HAVE_OPENSSL_SSL_H
+ if (h->type == ssl_type && !sp->ctx)
+ {
+ SSL_load_error_strings();
+ SSLeay_add_all_algorithms();
+
+ sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method());
+ if (!sp->ctx)
+ {
+ h->cerrno = CSERRORSSL;
+ return -1;
+ }
+ }
 if (sp->ctx)
 {
 int res;
@@ -451,6 +449,18 @@ static int tcpip_bind(COMSTACK h, void *address, int mode)
 #if HAVE_OPENSSL_SSL_H
 tcpip_state *sp = (tcpip_state *)h->cprivate;
 
+ if (h->type == ssl_type && !sp->ctx)
+ {
+ SSL_load_error_strings();
+ SSLeay_add_all_algorithms();
+
+ sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method());
+ if (!sp->ctx)
+ {
+ h->cerrno = CSERRORSSL;
+ return -1;
+ }
+ }
 if (sp->ctx)
 {
 if (sp->ctx_alloc)
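Review bot: The `/* may be NULL */` comment on the new `state->ctx = vp;` line in ssl_type does not say what NULL means now that creation has moved out of this function; a reader has to find tcpip_bind/tcpip_rcvconnect to learn that a default context is built lazily and that cs_set_ssl_ctx is the hook for supplying one. Suggest `state->ctx = vp; /* NULL: caller may install one with cs_set_ssl_ctx, else a default SSL_CTX is created in tcpip_bind/tcpip_rcvconnect */`. Note also that ctx_alloc is not assigned here, so the ownership scheme relies on it already being 0 for a fresh state — presumably cprivate is zero-filled by tcpip_type, which is outside this hunk, so worth confirming. The body of ssl_type begins before the hunk.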
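Review bot: The twelve-line lazy SSL_CTX creation block added to tcpip_rcvconnect (hunk @@ -383) is repeated verbatim in tcpip_bind (hunk @@ -451); a static helper keeps the two paths from drifting and gives one place to document that the default context is `SSL_CTX_new (SSLv23_method())` with library defaults — no verify mode and no protocol restriction are applied — so a caller that needs peer verification or a restricted protocol set should install its own context through cs_set_ssl_ctx before cs_bind/cs_rcvconnect. `SSL_load_error_strings()` and `SSLeay_add_all_algorithms()` are also re-run on every bind/connect that reaches this block; harmless, but the helper makes the one-time nature visible. Both tcpip_rcvconnect and tcpip_bind continue outside their hunks.
```c
/* Create the default SSL_CTX for an ssl_type COMSTACK when none was
   installed with cs_set_ssl_ctx. The context is owned by the COMSTACK
   (ctx_alloc == ctx) and uses OpenSSL defaults: no verify mode, no
   protocol restriction. Returns 0 on success, -1 with h->cerrno set. */
static int tcpip_ensure_ssl_ctx(COMSTACK h, tcpip_state *sp)
{
    if (h->type != ssl_type || sp->ctx)
        return 0;
    SSL_load_error_strings();
    SSLeay_add_all_algorithms();
    sp->ctx = sp->ctx_alloc = SSL_CTX_new (SSLv23_method());
    if (!sp->ctx)
    {
        h->cerrno = CSERRORSSL;
        return -1;
    }
    return 0;
}

/* … in tcpip_rcvconnect and tcpip_bind, replacing the duplicated block … */
    if (tcpip_ensure_ssl_ctx(h, sp))
        return -1;
```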
@@ -1098,6 +1108,18 @@ int static tcpip_set_blocking(COMSTACK p, int blocking)
 }
 
 #if HAVE_OPENSSL_SSL_H
+int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+{
+ struct tcpip_state *state;
+ if (!cs || cs->type != ssl_type)
+ return 0;
+ state = (struct tcpip_state *) cs->cprivate;
+ if (state->ctx_alloc)
+ return 0;
+ state->ctx = ctx;
+ return 1;
+}
+
 void *cs_get_ssl(COMSTACK cs)
 {
 struct tcpip_state *state;
@@ -1129,6 +1151,11 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len)
 return 0;
 }
 #else
+int cs_set_ssl_ctx(COMSTACK cs, void *ctx)
+{
+ return 0;
+}
+
 void *cs_get_ssl(COMSTACK cs)
 {
 return 0;
diff --git a/src/unix.c b/src/unix.c
index 8a60065..bd6ce7c 100644
--- a/src/unix.c
+++ b/src/unix.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (c) 1995-2003, Index Data
+ * Copyright (c) 1995-2004, Index Data
  * See the file LICENSE for details.
  *
- * $Id: unix.c,v 1.3 2003-12-30 00:29:53 adam Exp $
+ * $Id: unix.c,v 1.4 2004-04-29 21:19:23 adam Exp $
  * UNIX socket COMSTACK. By Morten Bøgeskov.
  */
 #ifndef WIN32
@@ -343,9 +343,6 @@ static int unix_rcvconnect(COMSTACK h)
 return 0;
 }
 
-#define CERTF "ztest.pem"
-#define KEYF "ztest.pem"
-
 static int unix_bind(COMSTACK h, void *address, int mode)
 {
 unix_state *sp = (unix_state *)h->cprivate;
-- 
1.7.10.4
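Review bot: The new cs_set_ssl_ctx returns 0 both when cs is not an ssl_type COMSTACK and when tcpip_bind/tcpip_rcvconnect have already allocated a context (`if (state->ctx_alloc) return 0;`), so a caller cannot tell a type mismatch from a too-late call, and a NULL ctx is accepted and silently re-enables lazy default creation. The definition has no comment; a short one above it should state the call-before-bind/rcvconnect requirement, that ownership of ctx stays with the caller, and what the two 0 cases are. In the `#else` stub both parameters are unused, which -Wextra reports; `(void)cs; (void)ctx;` in its body keeps the non-OpenSSL build clean.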