From 7bb5e2926727e963de8411dbba9cc18df967bfbb Mon Sep 17 00:00:00 2001 From: Adam Dickmeiss Date: Fri, 30 Apr 2004 19:10:35 +0000 Subject: [PATCH] SSL comstack now uses yaz.pem certificate file on server side by default. Certificate filename can be configured by calling comstack function cs_set_ssl_cert before cs_bind is used. --- NEWS | 6 +++++ include/yaz/backend.h | 3 ++- include/yaz/comstack.h | 3 ++- src/statserv.c | 16 +++++++++---- src/tcpip.c | 61 +++++++++++++++++++++++++++++++----------------- 5 files changed, 61 insertions(+), 28 deletions(-) diff --git a/NEWS b/NEWS index ec23a79..49988c1 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,11 @@ Possible compatibility problems with earlier versions marked with '*'. +SSL comstack now uses yaz.pem certificate file on server side +by default. Certificate filename can be configured by calling +comstack function cs_set_ssl_cert before cs_bind is used. + +Fix bug regarding multiple calls to ZOOM_connection_connect. + Implement cs_set_ssl_ctx which sets SSL_CTX for SSL comstack. Do not create SSL_CTX in cs_create (ssl_type). Create in tcpip_bind, diff --git a/include/yaz/backend.h b/include/yaz/backend.h index 167c339..27655e0 100644 --- a/include/yaz/backend.h +++ b/include/yaz/backend.h @@ -23,7 +23,7 @@ * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE * OF THIS SOFTWARE. * - * $Id: backend.h,v 1.24 2004-02-16 17:57:05 adam Exp $ + * $Id: backend.h,v 1.25 2004-04-30 19:10:35 adam Exp $ */ #ifndef BACKEND_H @@ -275,6 +275,7 @@ typedef struct statserv_options_block struct bend_soap_handler *soap_handlers; char pid_fname[128]; /* pid fname */ int background; /* auto daemon */ + char cert_fname[128]; /* SSL certificate fname */ } statserv_options_block; YAZ_EXPORT int statserv_main( diff --git a/include/yaz/comstack.h b/include/yaz/comstack.h index 4525515..160ab65 100644 --- a/include/yaz/comstack.h +++ b/include/yaz/comstack.h 
@@ -23,7 +23,7 @@ * LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE * OF THIS SOFTWARE. * - * $Id: comstack.h,v 1.14 2004-04-29 21:19:23 adam Exp $ + * $Id: comstack.h,v 1.15 2004-04-30 19:10:35 adam Exp $ */ #ifndef COMSTACK_H @@ -151,6 +151,7 @@ YAZ_EXPORT void cs_get_host_args(const char *type_and_host, const char **args); YAZ_EXPORT int cs_complete_auto(const unsigned char *buf, int len); YAZ_EXPORT void *cs_get_ssl(COMSTACK cs); YAZ_EXPORT int cs_set_ssl_ctx(COMSTACK cs, void *ctx); +YAZ_EXPORT int cs_set_ssl_certf(COMSTACK cs, const char *fname); YAZ_EXPORT int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len); /* diff --git a/src/statserv.c b/src/statserv.c index 0882a87..7b211a6 100644 --- a/src/statserv.c +++ b/src/statserv.c @@ -5,7 +5,7 @@ * NT threaded server code by * Chas Woodfield, Fretwell Downing Informatics. * - * $Id: statserv.c,v 1.6 2004-04-29 21:27:22 adam Exp $ + * $Id: statserv.c,v 1.7 2004-04-30 19:10:35 adam Exp $ */ #include @@ -78,7 +78,8 @@ statserv_options_block control_block = { #endif /* WIN32 */ 0, /* SOAP handlers */ "", /* PID fname */ - 0 /* background daemon */ + 0, /* background daemon */ + "" /* SSL certificate filename */ }; static int max_sessions = 0; @@ -657,6 +658,9 @@ static int add_listener(char *where, int what) yaz_log(LOG_FATAL, "Failed to listen on %s", where); return -1; } + if (*control_block.cert_fname) + cs_set_ssl_certf(l, control_block.cert_fname); + if (cs_bind(l, ap, CS_SERVER) < 0) { yaz_log(LOG_FATAL|LOG_ERRNO, "Failed to bind to %s", where); @@ -833,7 +837,8 @@ int check_options(int argc, char **argv) int ret = 0, r; char *arg; - while ((ret = options("1a:iszSTl:v:u:c:w:t:k:d:A:p:D", argv, argc, &arg)) != -2) + while ((ret = options("1a:iszSTl:v:u:c:w:t:k:d:A:p:DC:", + argv, argc, &arg)) != -2) { switch (ret) { 
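Review bot: The new prototype `YAZ_EXPORT int cs_set_ssl_certf(COMSTACK cs, const char *fname);` is added without any comment, and the NEWS entry and commit message call the function `cs_set_ssl_cert`, so a reader of the release notes will look for a name that is not declared anywhere. The declared name should be used in NEWS, and the prototype deserves a short comment stating the contract visible in tcpip.c: the file must be a PEM holding both the server certificate and its private key, the call must precede cs_bind in CS_SERVER mode, and it returns 1 on success and 0 when cs is not an SSL comstack or SSL support is compiled out. Without that, the only way to learn the return convention is to read the two tcpip.c definitions.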
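Review bot: The return value of `cs_set_ssl_certf(l, control_block.cert_fname);` is discarded, so a `-C` option given to a listener that is not an SSL comstack, or on a build without OpenSSL where the stub unconditionally returns 0, is silently ignored and the operator gets no indication that the configured file is not in use. Logging the failure would surface the misconfiguration: `if (*control_block.cert_fname && !cs_set_ssl_certf(l, control_block.cert_fname)) yaz_log(LOG_WARN, "Certificate file %s ignored for %s", control_block.cert_fname, where);`. If plain tcp: listeners are normally configured alongside ssl: ones, the warning may need to be conditioned on the listener type, which is not visible in this hunk. add_listener starts and ends outside the hunk.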
@@ -884,6 +889,9 @@ int check_options(int argc, char **argv) case 'c': strcpy(control_block.configname, arg ? arg : ""); break; + case 'C': + strcpy(control_block.cert_fname, arg ? arg : ""); + break; case 'd': strcpy(control_block.daemon_name, arg ? arg : ""); break; @@ -930,7 +938,7 @@ int check_options(int argc, char **argv) default: fprintf(stderr, "Usage: %s [ -a -v " " -l -u -c -t " - " -k -d -p " + " -k -d -p -C certfile" " -ziDST1 -w ... ]\n", me); return 1; } diff --git a/src/tcpip.c b/src/tcpip.c index bcee219..54d8dba 100644 --- a/src/tcpip.c +++ b/src/tcpip.c @@ -2,7 +2,7 @@ * Copyright (c) 1995-2004, Index Data * See the file LICENSE for details. * - * $Id: tcpip.c,v 1.5 2004-04-29 21:19:23 adam Exp $ + * $Id: tcpip.c,v 1.6 2004-04-30 19:10:35 adam Exp $ */ #include @@ -79,6 +79,7 @@ typedef struct tcpip_state SSL_CTX *ctx; /* current CTX. */ SSL_CTX *ctx_alloc; /* If =ctx it is owned by CS. If 0 it is not owned */ SSL *ssl; + char cert_fname[256]; #endif } tcpip_state; @@ -112,7 +113,7 @@ static int tcpip_init (void) COMSTACK tcpip_type(int s, int blocking, int protocol, void *vp) { COMSTACK p; - tcpip_state *state; + tcpip_state *sp; int new_socket; #ifdef WIN32 unsigned long tru = 1; @@ -130,7 +131,7 @@ COMSTACK tcpip_type(int s, int blocking, int protocol, void *vp) new_socket = 0; if (!(p = (struct comstack *)xmalloc(sizeof(struct comstack)))) return 0; - if (!(state = (struct tcpip_state *)(p->cprivate = + if (!(sp = (struct tcpip_state *)(p->cprivate = xmalloc(sizeof(tcpip_state))))) return 0; 
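Review bot: `strcpy(control_block.cert_fname, arg ? arg : "");` copies an unbounded command-line string into the 128-byte `cert_fname` field this commit adds to statserv_options_block, so an over-long path overwrites the rest of the control block. The neighbouring `-c` and `-d` cases have the same pattern, but new code should not repeat it, and the cs_set_ssl_certf added to tcpip.c in this same commit does bound its copy, so the two new paths are inconsistent. A bounded form such as `snprintf(control_block.cert_fname, sizeof control_block.cert_fname, "%s", arg ? arg : "");` fits the existing style, ideally with the option rejected when the result is truncated rather than silently using a different filename. check_options continues outside the hunk.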
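Review bot: The new member `char cert_fname[256];` is the only field in the SSL section of tcpip_state without a trailing comment, and its size is a bare literal. A comment such as `char cert_fname[256]; /* PEM file holding cert + key; default "yaz.pem", set via cs_set_ssl_certf */` would state the contract, and since cs_set_ssl_certf bounds its copy with `sizeof(sp->cert_fname)` while statserv's field is 128 bytes, a named constant would make the relationship between the two sizes visible. The tcpip_state definition starts outside the hunk.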
@@ -172,17 +173,18 @@ COMSTACK tcpip_type(int s, int blocking, int protocol, void *vp) p->stackerr = 0; #if HAVE_OPENSSL_SSL_H - state->ctx = state->ctx_alloc = 0; - state->ssl = 0; + sp->ctx = sp->ctx_alloc = 0; + sp->ssl = 0; + strcpy(sp->cert_fname, "yaz.pem"); #endif - state->altbuf = 0; - state->altsize = state->altlen = 0; - state->towrite = state->written = -1; + sp->altbuf = 0; + sp->altsize = sp->altlen = 0; + sp->towrite = sp->written = -1; if (protocol == PROTO_WAIS) - state->complete = completeWAIS; + sp->complete = completeWAIS; else - state->complete = cs_complete_auto; + sp->complete = cs_complete_auto; p->timeout = COMSTACK_DEFAULT_TIMEOUT; TRC(fprintf(stderr, "Created new TCPIP comstack\n")); @@ -194,7 +196,7 @@ COMSTACK tcpip_type(int s, int blocking, int protocol, void *vp) COMSTACK ssl_type(int s, int blocking, int protocol, void *vp) { - tcpip_state *state; + tcpip_state *sp; COMSTACK p; p = tcpip_type (s, blocking, protocol, 0); @@ -203,9 +205,9 @@ COMSTACK ssl_type(int s, int blocking, int protocol, void *vp) p->f_get = ssl_get; p->f_put = ssl_put; p->type = ssl_type; - state = (tcpip_state *) p->cprivate; + sp = (tcpip_state *) p->cprivate; - state->ctx = vp; /* may be NULL */ + sp->ctx = vp; /* may be NULL */ /* note: we don't handle already opened socket in SSL mode - yet */ return p; @@ -466,14 +468,14 @@ static int tcpip_bind(COMSTACK h, void *address, int mode) if (sp->ctx_alloc) { int res; - res = SSL_CTX_use_certificate_file (sp->ctx, CERTF, + res = SSL_CTX_use_certificate_file (sp->ctx, sp->cert_fname, SSL_FILETYPE_PEM); if (res <= 0) { ERR_print_errors_fp(stderr); exit (2); } - res = SSL_CTX_use_PrivateKey_file (sp->ctx, KEYF, + res = SSL_CTX_use_PrivateKey_file (sp->ctx, sp->cert_fname, SSL_FILETYPE_PEM); if (res <= 0) { 
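Review bot: Both `SSL_CTX_use_certificate_file (sp->ctx, sp->cert_fname, SSL_FILETYPE_PEM)` and `SSL_CTX_use_PrivateKey_file (sp->ctx, sp->cert_fname, SSL_FILETYPE_PEM)` now read the same file, replacing the separate CERTF and KEYF macros, so the configured PEM must contain the private key as well as the certificate and needs the access restrictions of a key file; that requirement is not stated anywhere in the commit. The default `yaz.pem` set in tcpip_type is a relative path, so which file is actually loaded depends on the working directory the server is started from. A comment at the PrivateKey call, `/* cert_fname must hold both the certificate and the private key (PEM) */`, and a NEWS sentence about the cwd-relative default would make both points explicit. tcpip_bind starts and ends outside the hunk.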
@@ -1110,23 +1112,34 @@ int static tcpip_set_blocking(COMSTACK p, int blocking) #if HAVE_OPENSSL_SSL_H int cs_set_ssl_ctx(COMSTACK cs, void *ctx) { - struct tcpip_state *state; + struct tcpip_state *sp; if (!cs || cs->type != ssl_type) return 0; - state = (struct tcpip_state *) cs->cprivate; - if (state->ctx_alloc) + sp = (struct tcpip_state *) cs->cprivate; + if (sp->ctx_alloc) return 0; - state->ctx = ctx; + sp->ctx = ctx; return 1; } void *cs_get_ssl(COMSTACK cs) { - struct tcpip_state *state; + struct tcpip_state *sp; if (!cs || cs->type != ssl_type) return 0; - state = (struct tcpip_state *) cs->cprivate; - return state->ssl; + sp = (struct tcpip_state *) cs->cprivate; + return sp->ssl; +} + +int cs_set_ssl_certf(COMSTACK cs, const char *fname) +{ + struct tcpip_state *sp; + if (!cs || cs->type != ssl_type) + return 0; + sp = (struct tcpip_state *) cs->cprivate; + strncpy(sp->cert_fname, fname, sizeof(sp->cert_fname)-1); + sp->cert_fname[sizeof(sp->cert_fname)-1] = '\0'; + return 1; } int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len) @@ -1166,5 +1179,9 @@ int cs_get_peer_certificate_x509(COMSTACK cs, char **buf, int *len) return 0; } +int cs_set_ssl_certf(COMSTACK cs, const char *fname) +{ + return 0; +} #endif -- 1.7.10.4
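Review bot: `cs_set_ssl_certf` dereferences `fname` in `strncpy(sp->cert_fname, fname, sizeof(sp->cert_fname)-1);` without a NULL check, and a name of 256 bytes or more is silently truncated to a different path that tcpip_bind will later try to open. Returning 0 in both cases keeps the function's existing 1/0 convention: `if (!fname || strlen(fname) >= sizeof(sp->cert_fname)) return 0;` before the copy, after which a plain `strcpy` suffices and the manual terminator line can go. The function also carries no comment, and neither does its prototype in comstack.h, so the contract (must be called before cs_bind, file must hold certificate and key) should be stated in at least one of them.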