From: <ope...@li...> - 2005-12-16 18:07:04
Update of /cvsroot/openca/doc/guide/src/admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv27618 Modified Files: ac.xml Log Message: Fixed ac.xml doc from Peter Gietz. --- madwolf Author of changes: madwolf Index: ac.xml =================================================================== RCS file: /cvsroot/openca/doc/guide/src/admin/ac.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** ac.xml 6 Jul 2005 15:39:21 -0000 1.1 --- ac.xml 16 Dec 2005 18:06:53 -0000 1.2 *************** *** 52,65 **** </objectinfo> <imageobject role="fop"> ! <imagedata fileref="../images/openca_ac.jpeg" format="JPEG" align="center"/> </imageobject> <imageobject role="ps"> ! <imagedata fileref="../images/openca_ac.eps" format="EPS" align="center"/> </imageobject> <imageobject role="pdf"> ! <imagedata fileref="../images/openca_ac.pdf" format="PDF" align="center"/> </imageobject> <imageobject role="html"> ! <imagedata fileref="../images/openca_ac.jpeg" format="JPEG" align="center"/> </imageobject> <textobject> --- 52,65 ---- </objectinfo> <imageobject role="fop"> ! <imagedata fileref="images/openca_ac.jpeg" format="JPEG" align="center"/> </imageobject> <imageobject role="ps"> ! <imagedata fileref="images/openca_ac.eps" format="EPS" align="center"/> </imageobject> <imageobject role="pdf"> ! <imagedata fileref="images/openca_ac.pdf" format="PDF" align="center"/> </imageobject> <imageobject role="html"> ! <imagedata fileref="images/openca_ac.jpeg" format="JPEG" align="center"/> </imageobject> <textobject> *************** *** 143,148 **** <para> This method can be used to login via login and passphrase. ! OpenCA supports authentication based on an internal database ! and based on calling an external program to perform the actual user authentication. <figure> --- 143,150 ---- <para> This method can be used to login via login and passphrase. ! OpenCA supports authentication based on 1.) an internal ! database, 2.) ! ldap authentication ! and 3.) 
based on calling an external program to perform the actual user authentication. <figure> *************** *** 153,160 **** </objectinfo> <imageobject role="fop"> ! <imagedata fileref="../images/login_passwd.png" format="PNG" align="center"/> </imageobject> <imageobject> ! <imagedata fileref="../images/login_passwd.png" format="PNG" align="center"/> </imageobject> <textobject> --- 155,162 ---- </objectinfo> <imageobject role="fop"> ! <imagedata fileref="images/login_passwd.png" format="PNG" align="center"/> </imageobject> <imageobject> ! <imagedata fileref="images/login_passwd.png" format="PNG" align="center"/> </imageobject> <textobject> *************** *** 165,168 **** --- 167,189 ---- </figure> </para> + <para> + It is possible to customize the headline (default: + "Login to OpenCA") and the prompt for the login id + (default: "Login"). This can be done with the following two + configuration parameters: + <example> + <title>Login screen configuration</title> + <programlisting> + <login> + <loginheadline>This is my customized login screen</loginheadline> + <loginprompt>my login prompt</loginprompt> + ... + <login> </programlisting> + </example> + This feature is especially usefull if used with the LDAP + authentication (see below), where you can use any attribute, + such as email address as login name. + </para> + <sect4> <title>internal database</title> *************** *** 202,205 **** --- 223,379 ---- </para> </sect4> + <sect4> + <title>LDAP authentication</title> + <para> + If you have an LDAP server with login data about your users + it makes sense to use it for user authentication in OpenCA. 
+ You have to configure the LDAP data for access, being hostname + and port of the LDAP server, its base DN (the name space of + the server), a bind dn of an entry for OpenCA to authenticate + itself, which has to have appropriate access rights configured + in the LDAP server, and the respective password, and whether + OpenCa shall use TLS encryption in its communication to the + LDAP server and the location of the respective CA certificate. + Since the configuration file contains a password, it should + only be readable for the OpenCA process. + </para> + <example> + <title>LDAP Login configuration: LDAP data</title> + <programlisting> + <login> + <type>passwd</type> + <database>ldap</database> + <ldapdata> + <host>ldap.foo.com</host> + <port>389</port> + <base>dc=foo,dc=com</base> + <binddn>cn=openca,ou=services,dc=foo,dc=com</host> + <bindpw>secret</bindpw> + <usetls>yes</usetls> + <cacertpath>/opt/certs/</cacertpath> + ... + </ldapdata> + </login> </programlisting> + </example> + + <para> + Next you have to configure, which LDAP attribute contains + the identifier or login name of the users, which could be the + uid or even an email address. Some such attributes may + contain additional constant strings prefixed to the actual + value (e.g. the attribute proxyAddresses when used for + emasil addresses can contain the prefix "SMTP": + "SMTP:mi...@fo...r". If this is so you can specify + the prefix, so OpenCA finds the user even if she does not + include the prefix in the login name. + </para> + <example> + <title>LDAP login configuration: search attribute </title> + <programlisting> + <login> + <type>passwd</type> + <database>ldap</database> + <ldapdata> + ... + <searchattr>uid</searchattr> + <searchvalueprefix></searchvalueprefix> + ... 
+ </ldapdata> + </login> </programlisting> + </example> + <para> + The LDAP authentication module supports two different + authentication methods:</para> + <orderedlist> + <listitem><para>bind (the generic simple LDAP authentication + mechanism using the password stored in attribute userPassword) + </para></listitem> + <listitem><para>pwattr (using the password stored in a freely + configurable attribute, see below)</para></listitem> + </orderedlist> + <para>You can use both methods in parallel, but then the + module must know which method to use for which entries. + This can be defined by values of a certain attribute, + which can be defined in the configuration as + ldapauthmethattr.</para> + + <para> + Then you must define which values of that attribute + should lead to which authentication method. A good example + would be to take the attribute objectClass as + ldapauthmethattr and say if the entry contains the + objectclass posixaccount to use the ldap bind method, if + it contains objectClass externalUser to use pwattr. + such mappings can be done with the constructs + <ldapauthmethmapping> (see example below). + </para> + <para> + If none of the conditions configured here are fulfilled + by an entry, a default mechanism has to be used, which + has to be configured (see example below). + </para> + + <para> + For the pwattr method you need to specify which + attribute contains the passwords to use. + The values in that attribute can and should be stored as + hash values. If so, the module needs to know which + hashing algorithm was used. + supported are: sha1, md5, crypt and none (=clear text). + </para> + <example> + <title>LDAP login configuration: authentication mechanisms</title> + <programlisting> + <login> + <type>passwd</type> + <database>ldap</database> + <ldapdata> + ... 
+ <ldapauthmethattr>objectclass</authmethattr> + <ldapauthmethmapping> + <ldapauthmethattrvalue>posixaccount</ldapauthmethattrvalue> + <ldapauthmeth>bind</ldapauthmeth> + </ldapauthmethmappingt> + <ldapauthmethmapping> + <ldapauthmethattrvalue>externalUser</ldapauthmethattrvalue> + <ldapauthmeth>pwattr</ldapauthmeth> + </ldapauthmethmappingt> + <ldapdefaultauthmeth>bind</ldapdefaultauthmeth> + <ldappwattr>mypasswordattribute</ldappwattr> + <ldappwattrhash>sha1</ldappwattrhash> + </ldapdata> + </login> </programlisting> + </example> + + <para> + The LDAP Login module also provides for role mapping, + where certain values of a certain attribute map + to certain OpenCA roles. First you have to specify which LDAP + attribute contains the role mapping information. + Then you can easily define the mappings (with constructs + similiar to the above authmethmapping). This is configured + within the <passwd> element: + </para> + <example> + <title>LDAP login configuration: role mapping</title> + <programlisting> + <login> + <type>passwd</type> + <database>ldap</database> + <ldapdata> + ... + </ldapdata> + <passwd> + <roleattribute>memberOf</roleattribute> + <rolemapping> + <roleattributevalue>CN=OpenCA_RA,OU=UserGroups,dc=foo,dc=com</roleattributevalue> + <rol>RA Operator</role> + </rolemapping> + </passwd> + </login> </programlisting> + </example> + + </sect4> + <sect4> <title>external authentication</title> |
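Review bot: the "Login screen configuration" example in the 167,189 hunk ends the element with a second "<login>" start tag instead of "</login>", so anyone pasting it gets malformed XML; fix the closing tag. Same hunk, "usefull" should read "useful".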
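Review bot: the new "LDAP authentication" sect4 (hunk 223,379) has four mismatched tags in its programlisting examples that will confuse anyone copying them: "<binddn>cn=openca,ou=services,dc=foo,dc=com</host>" should close with "</binddn>", "<ldapauthmethattr>objectclass</authmethattr>" should close with "</ldapauthmethattr>", both "</ldapauthmethmappingt>" should be "</ldapauthmethmapping>", and "<rol>RA Operator</role>" should open with "<role>". Two documentation gaps in the same hunk matter more than the typos ("emasil", "similiar", "OpenCa"): first, the prose describes "usetls" only as a choice, but with the "bind" method the user's own password is sent to the directory in the simple bind, so the text should say that "no" puts that password on the wire in clear and that "yes" with a verified CA certificate is the expected setting; second, "ldappwattrhash" lists "sha1, md5, crypt and none (=clear text)" without saying what stored format each expects (prefix, encoding, salt or not), so a reader cannot produce a compatible value for "pwattr" from this paragraph. Also state whether "roleattributevalue" is compared case-sensitively with the memberOf values, since the example mixes "CN=...,OU=..." with "dc=foo,dc=com".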
From: <ope...@li...> - 2005-12-15 13:56:18
Update of /cvsroot/openca/openca-0.9/docs/guide/admin In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/docs/guide/admin Modified Files: Tag: openca_0_9_2 ac.xml scep.xml Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: ac.xml =================================================================== RCS file: /cvsroot/openca/openca-0.9/docs/guide/admin/Attic/ac.xml,v retrieving revision 1.14 retrieving revision 1.14.2.1 diff -C2 -d -r1.14 -r1.14.2.1 *** ac.xml 26 Aug 2004 14:08:02 -0000 1.14 --- ac.xml 15 Dec 2005 13:55:32 -0000 1.14.2.1 *************** *** 281,284 **** --- 281,436 ---- </para> </sect4> + <sect4> + <title>LDAP authentication</title> + <para> + LDAP authentication can be used to authenticate against + an LDAP directory. + Essentially this method is a variant of + the username/passwort authentiation. + </para> + <para> + Configuration example (source file can be found in contrib/access-control-with-ldap.xml) + <example> + <title>LDAP authentication configuration</title> + <programlisting> + + <openca> + <access_control> + <channel> + <type>mod_ssl</type> + <protocol>ssl</protocol> + <source>.*</source> + <asymmetric_cipher>.*</asymmetric_cipher> + <asymmetric_keylength>0</asymmetric_keylength> + <symmetric_cipher>.*</symmetric_cipher> + <symmetric_keylength>128</symmetric_keylength> + </channel> + <login> + <type>passwd</type> + <!-- with the following database you can use LDAP for + Login to OpenCA interfaces. 
This makes sense if + you manage your user with LDAP or Active Directory --> + <database>ldap</database> + <ldapdata> + <!-- first you have to specify the LDAP server used: --> + <host>okroot1.ELK-WUE.DE</host> + <port>3269</port> + <base>dc=OKR,dc=ELK-WUE,dc=de</base> + <binddn>cn=daasi,cn=users,dc=OKR,dc=ELK-WUE,dc=de</binddn> + <bindpw>X509v3smime</bindpw> + <!-- should the communication to the ldap server be encrypted + via TLS? If so you need to store the cacertificate + for authentiocating the LDAP server into the directory + specified here --> + <usetls>yes</usetls> + <cacertpath>/opt</cacertpath> + <!-- What is the attribute to search the name/ID for? + A good choice would be uid --> + <searchattr>proxyAddresses</searchattr> + <!-- Some LDAP/AD Attributes have some characters in front + of the actual value that should be ignored in searches, + e.g. the attribute proxyAddresses has strings determing + the protocol like "SMTP:mi...@fo...r". In this case you + would want to configure SMTP: in searchvalueprefix, so + your users will not have to care about it --> + <searchvalueprefix>SMTP:</searchvalueprefix> + <!-- there are different methods for authenticating with + LDAP. This module supports two by now. + 1.) bind (using the password stored in attribute + userPassword. + 2.) pwattr (using the password stored in a freely + configurable attribute, see below) + You can use both methods in paralel, but then the + module must know which method to use for which entries. + This can be defined by values of a certain attribute, + which can be defined in the configuration as + ldapauthmethattr: --> + <responsibleraattr>company</responsibleraattr> + <ldapauthmethattr>objectClass</ldapauthmethattr> + <!-- Then you must define which values of that attribute + should lead to which authentication method. 
A good example + would be to take the attribute objectClass as + ldapauthmethattr and say if the entry contains the + objectclass posixaccount to use the ldap bind method, if + it contains objectClass externalUser to use pwattr. + such mappings can be done with the following structures: --> + <ldapauthmethmapping> + <ldapauthmethattrvalue>contact</ldapauthmethattrvalue> + <ldapauthmeth>pwattr</ldapauthmeth> + </ldapauthmethmapping> + <ldapauthmethmapping> + <ldapauthmethattrvalue>organizationalPerson</ldapauthmethattrvalue> + <ldapauthmeth>bind</ldapauthmeth> + </ldapauthmethmapping> + <!-- if none of the conditions configured here are fulfiled + by an entry, a default mechanism has to be used, which + is configured here: --> + <ldapdefaultauthmeth>bind</ldapdefaultauthmeth> + <!-- For the pwattr method you need to specify which + attribute contains the passwords to use. This is + done here: --> + <ldappwattr>extensionAttribute14</ldappwattr> + <!-- The values in that attribute can and should be stored as + hash values. If so, the module needs to know which + hashing algorithm was used. + supported are: sha1, md5, crypt and none (=clear text) --> + <ldappwattrhash>sha1</ldappwattrhash> + </ldapdata> + <!-- you might want to have an self defined headline + in stead of "Login to OpenCA". 
You can specify the new + string here: --> + <loginheadline>Login Zertifizierungsstelle Evangelische Landeskirche Wuerttemberg</loginheadline> + <!-- you might also want to have a different text for prompting + the login name of the user in stead of "login", indicating + what type of ID info is requested: --> + <loginprompt>SMTP Email-Adresse</loginprompt> + <passwd> + <!-- The LDAP Login module also provides for role mapping, + where certain values of a certain attribute map + to certain OpenCA roles --> + <!-- first you have to specify which LDAP attribute contains + the role mapping information: --> + <roleattribute>memberOf</roleattribute> + <!-- now you can easily define the mappings (as known from the + above authmethmapping: --> + <rolemapping> + <roleattributevalue>CN=OpenCA_RA,OU=UserGroups_universal,DC=OKR,DC=ELK-WUE,DC=DE</roleattributevalue> + <role>RA Operator</role> + </rolemapping> + <rolemapping> + <roleattributevalue>CN=OpenCA_User,OU=UserGroups_universal,DC=OKR,DC=ELK-WUE,DC=DE</roleattributevalue> + <role>User</role> + </rolemapping> + + <!-- + the initial user root has the passphrase root + you can use the script openca-digest to create the passphrases + if you want to add another user simply create a second user structure + <user>...</user> + --> + <!-- <user> + <name>root</name> + <algorithm>sha1</algorithm> + <digest>upF71NxSsbgJZdkCtq+JqrOeJVQ</digest> + <role>CA Operator</role> + </user> + --> + </passwd> + </login> + <acl_config> + <acl>yes</acl> + <list>/opt/OpenCA/etc/rbac/acl.xml</list> + <command_dir>/opt/OpenCA/etc/rbac/cmds</command_dir> + <module_id>1</module_id> + <map_role>yes</map_role> + <map_operation>yes</map_operation> + </acl_config> + </access_control> + <token_config_file>/opt/OpenCA/etc/token.xml</token_config_file> + </openca> + </programlisting> + </example> + </para> + </sect4> </sect3> <sect3> Index: scep.xml =================================================================== RCS file: 
/cvsroot/openca/openca-0.9/docs/guide/admin/Attic/scep.xml,v retrieving revision 1.4.2.1 retrieving revision 1.4.2.2 diff -C2 -d -r1.4.2.1 -r1.4.2.2 *** scep.xml 5 Aug 2005 14:30:15 -0000 1.4.2.1 --- scep.xml 15 Dec 2005 13:55:32 -0000 1.4.2.2 *************** *** 26,29 **** --- 26,39 ---- equipment. </note> + <para> + The SCEP Server can accept the desired certificate role from new + enrollment requests from the CertificateTemplate Extension. + In order to make use of this feature, set the PKCS#10 attribute + 1.3.6.1.4.1.311.20.2 to the desired certificate role name (Unicode) + The Server will remove any non-alphanumeric characters and then try + to match the requested role with the ones defined for the RA. + If a match is found, this Role is selected for the new certificate + request. + </para> <sect2> <title><filename>OPENCADIR/etc/servers/scep.conf</filename></title> *************** *** 62,66 **** do not exist yet. Set this value to "YES" to allow initial enrollment ! of new systems. </para></listitem> </varlistentry> --- 72,86 ---- do not exist yet. Set this value to "YES" to allow initial enrollment ! of new systems unconditionally. ! Experimental: If set to "VALIDSIGNATURE" then ! the server will ! only accept SCEP requests that have been signed ! with a certificate issued by the same CA. This ! is not strictly defined by the newer SCEP drafts ! but allows to add an additional authentication ! step. In this case no self-signed certificates ! are accepted in the SCEP message, the server ! will require a valid signature (but this may be ! of any certificate issued by the infrastructure). </para></listitem> </varlistentry> |
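Review bot: the configuration example in the ac.xml hunk (281,436) embeds what look like live deployment values rather than placeholders: host "okroot1.ELK-WUE.DE", bind DN "cn=daasi,cn=users,dc=OKR,dc=ELK-WUE,dc=de" and "<bindpw>X509v3smime</bindpw>". Replace them with example.com-style values before this lands in the guide, and if that password is or was real, rotate it now that it is in CVS history. In the same block, "<responsibleraattr>company</responsibleraattr>" appears without any comment explaining what it does, the inline comments talk about "posixaccount"/"externalUser" while the actual mappings use "contact"/"organizationalPerson", and "<cacertpath>/opt</cacertpath>" names a whole tree rather than a dedicated CA-certificate directory, which is what the comment above it describes. Spelling: "passwort authentiation", "authentiocating", "determing", "paralel", "fulfiled", "in stead".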
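Review bot: the certificate-template paragraph in the scep.xml hunk (26,39) should say that the requester picks its own role from everything defined for the RA, and that matching happens after every non-alphanumeric character is stripped, so roles that differ only in punctuation or whitespace (for example "TLS Server" and "TLS_Server") become indistinguishable and the first configured one wins. Operators need to know to keep privileged roles out of the role list used by the SCEP RA, or the doc should name a way to restrict which roles can be requested this way.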
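Review bot: the VALIDSIGNATURE paragraph in the scep.xml hunk (72,86) concedes that the signature "may be of any certificate issued by the infrastructure", which means any existing certificate holder can submit an initial enrollment for any new DN. State plainly that this setting authenticates the submitter but does not authorize the requested subject, and recommend RA approval of such requests (or a signer-to-subject policy) rather than presenting it as an additional authentication step alone.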
From: <ope...@li...> - 2005-12-15 13:56:17
Update of /cvsroot/openca/openca-0.9/contrib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/contrib Added Files: Tag: openca_0_9_2 access-control-with-ldap.xml Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch --- NEW FILE: access-control-with-ldap.xml --- <openca> <access_control> <channel> <type>mod_ssl</type> <protocol>ssl</protocol> <source>.*</source> <asymmetric_cipher>.*</asymmetric_cipher> <asymmetric_keylength>0</asymmetric_keylength> <symmetric_cipher>.*</symmetric_cipher> <symmetric_keylength>128</symmetric_keylength> </channel> <login> <type>passwd</type> <!-- with the following database you can use LDAP for Login to OpenCA interfaces. This makes sense if you manage your user with LDAP or Active Directory --> <database>ldap</database> <ldapdata> <!-- first you have to specify the LDAP server used: --> <host>okroot1.ELK-WUE.DE</host> <port>3269</port> <base>dc=OKR,dc=ELK-WUE,dc=de</base> <binddn>cn=daasi,cn=users,dc=OKR,dc=ELK-WUE,dc=de</binddn> <bindpw>X509v3smime</bindpw> <!-- should the communication to the ldap server be encrypted via TLS? If so you need to store the cacertificate for authentiocating the LDAP server into the directory specified here --> <usetls>yes</usetls> <cacertpath>/opt</cacertpath> <!-- What is the attribute to search the name/ID for? A good choice would be uid --> <searchattr>proxyAddresses</searchattr> <!-- Some LDAP/AD Attributes have some characters in front of the actual value that should be ignored in searches, e.g. the attribute proxyAddresses has strings determing the protocol like "SMTP:mi...@fo...r". In this case you would want to configure SMTP: in searchvalueprefix, so your users will not have to care about it --> <searchvalueprefix>SMTP:</searchvalueprefix> <!-- there are different methods for authenticating with LDAP. This module supports two by now. 1.) 
bind (using the password stored in attribute userPassword. 2.) pwattr (using the password stored in a freely configurable attribute, see below) You can use both methods in paralel, but then the module must know which method to use for which entries. This can be defined by values of a certain attribute, which can be defined in the configuration as ldapauthmethattr: --> <responsibleraattr>company</responsibleraattr> <ldapauthmethattr>objectClass</ldapauthmethattr> <!-- Then you must define which values of that attribute should lead to which authentication method. A good example would be to take the attribute objectClass as ldapauthmethattr and say if the entry contains the objectclass posixaccount to use the ldap bind method, if it contains objectClass externalUser to use pwattr. such mappings can be done with the following structures: --> <ldapauthmethmapping> <ldapauthmethattrvalue>contact</ldapauthmethattrvalue> <ldapauthmeth>pwattr</ldapauthmeth> </ldapauthmethmapping> <ldapauthmethmapping> <ldapauthmethattrvalue>organizationalPerson</ldapauthmethattrvalue> <ldapauthmeth>bind</ldapauthmeth> </ldapauthmethmapping> <!-- if none of the conditions configured here are fulfiled by an entry, a default mechanism has to be used, which is configured here: --> <ldapdefaultauthmeth>bind</ldapdefaultauthmeth> <!-- For the pwattr method you need to specify which attribute contains the passwords to use. This is done here: --> <ldappwattr>extensionAttribute14</ldappwattr> <!-- The values in that attribute can and should be stored as hash values. If so, the module needs to know which hashing algorithm was used. supported are: sha1, md5, crypt and none (=clear text) --> <ldappwattrhash>sha1</ldappwattrhash> </ldapdata> <!-- you might want to have an self defined headline in stead of "Login to OpenCA". 
You can specify the new string here: --> <loginheadline>Login Zertifizierungsstelle Evangelische Landeskirche Wuerttemberg</loginheadline> <!-- you might also want to have a different text for prompting the login name of the user in stead of "login", indicating what type of ID info is requested: --> <loginprompt>SMTP Email-Adresse</loginprompt> <passwd> <!-- The LDAP Login module also provides for role mapping, where certain values of a certain attribute map to certain OpenCA roles --> <!-- first you have to specify which LDAP attribute contains the role mapping information: --> <roleattribute>memberOf</roleattribute> <!-- now you can easily define the mappings (as known from the above authmethmapping: --> <rolemapping> <roleattributevalue>CN=OpenCA_RA,OU=UserGroups_universal,DC=OKR,DC=ELK-WUE,DC=DE</roleattributevalue> <role>RA Operator</role> </rolemapping> <rolemapping> <roleattributevalue>CN=OpenCA_User,OU=UserGroups_universal,DC=OKR,DC=ELK-WUE,DC=DE</roleattributevalue> <role>User</role> </rolemapping> <!-- the initial user root has the passphrase root you can use the script openca-digest to create the passphrases if you want to add another user simply create a second user structure <user>...</user> --> <!-- <user> <name>root</name> <algorithm>sha1</algorithm> <digest>upF71NxSsbgJZdkCtq+JqrOeJVQ</digest> <role>CA Operator</role> </user> --> </passwd> </login> <acl_config> <acl>yes</acl> <list>/opt/OpenCA/etc/rbac/acl.xml</list> <command_dir>/opt/OpenCA/etc/rbac/cmds</command_dir> <module_id>1</module_id> <map_role>yes</map_role> <map_operation>yes</map_operation> </acl_config> </access_control> <token_config_file>/opt/OpenCA/etc/token.xml</token_config_file> </openca> |
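Review bot: access-control-with-ldap.xml is meant to be a drop-in template under contrib, yet it ships a concrete directory host, bind DN and "<bindpw>X509v3smime</bindpw>"; use placeholder values (example.com, a dummy password) so nobody deploys or reuses that credential, and rotate it if it was ever real. "<cacertpath>/opt</cacertpath>" should likewise point at a dedicated directory for the LDAP server's CA certificate, as the comment above it says. Keeping the commented-out "root" user entry (passphrase "root", per the comment) in a copy-and-paste template invites leaving a default credential in place; drop the entry and keep only the pointer to openca-digest.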
From: <ope...@li...> - 2005-12-15 13:56:17
Update of /cvsroot/openca/openca-0.9/src/common/lib/cmds In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/src/common/lib/cmds Modified Files: Tag: openca_0_9_2 scepPKIOperation Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: scepPKIOperation =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/common/lib/cmds/scepPKIOperation,v retrieving revision 1.17.2.4 retrieving revision 1.17.2.5 diff -C2 -d -r1.17.2.4 -r1.17.2.5 *** scepPKIOperation 5 Aug 2005 15:22:40 -0000 1.17.2.4 --- scepPKIOperation 15 Dec 2005 13:55:32 -0000 1.17.2.5 *************** *** 25,28 **** --- 25,33 ---- # 2005-08-05 Martin Bartosch <m.b...@cy...> # - code cleanup + # 2005-12-12 Martin Bartosch <m.b...@cy...> + # - added support for authenticated initial enrollment (signed by existing + # certificate) + # - bugfix: incorrect DN match for existing certificates + # - bugfix: IP SubjectAltName was not processed correctly # # *************** *** 48,51 **** --- 53,59 ---- # AllowEnrollment: if set to "NO" the SCEP server will not accept # requests for certificate DNs that don't exist yet. + # If set to "VALIDSIGNATURE" then the server will only accept SCEP + # requests that have been signed with a certificate issued by the + # same CA (newer SCEP drafts only). # # AllowRenewal: if set to "YES" the SCEP server will allow renewal *************** *** 81,84 **** --- 89,95 ---- $scep_crl, $CACert, $ChainDir); + our $SCEPSignature; + our $SignerDN; + our ($deep_debug, $ScepAllowEnrollment, $ScepAllowRenewal, $ScepDefaultRole, $ScepRenewalRDNMatch, $ScepDefaultRA, $ScepKeepSubjectAltName, *************** *** 89,93 **** - sub cmdScepPKIOperation { ##// Let's get parameters --- 100,103 ---- *************** *** 253,265 **** if (/GetCert/i) { ! 
## FIXME: to be implemented - so long we send an failure msg ! ! $scep_failinfo = "badRequest"; ! scepAnswerFailure(); ! last SWITCH; ! ## only success or failure possible, no pending ! ## same reply like sending out cert } --- 263,291 ---- if (/GetCert/i) { ! ## Implemented by Radu Gajea, NBM (RIG) ! ## extract serial of searching certificate ! $ENV{pwd} = $scep_pwd; ! open OUT, "-|", "$scep_cmd -print_serial -noout -keyfile $scep_key -passin env:pwd -in $p7_file"; ! my $hex = join '', <OUT>; ! close OUT; ! ! my $key = hex($hex); ! ## search certificate in DataBase ! my $cert = $db->getItem(DATATYPE => "CERTIFICATE", KEY => $key); ! my $response; ! if ($cert) { ! $tools->saveFile (FILENAME => $cert_file, ! DATA => $cert->getPEM()); ! ## build response ! $ENV{pwd} = $scep_pwd; ! open OUT, "-|", "$scep_cmd -new -signcert $scep_cert -msgtype CertRep -status SUCCESS -issuedcert $cert_file -keyfile $scep_key -passin env:pwd -in $p7_file -serial $key -reccert $reccert_file -outform DER"; ! $response = join '', <OUT>; ! close OUT; ! delete $ENV{pwd}; + print $response; + last SWITCH; + } } *************** *** 389,395 **** # global variable $plain_csr is expected to contain the client request sub scepCheckRequest { ! if(not $ReqObj = new OpenCA::REQ(SHELL => $cryptoShell, ! GETTEXT => \&i18nGettext, ! DATA => $plain_csr)) { $errno = 723717; $errval = gettext ("Internal Request Error"); --- 415,444 ---- # global variable $plain_csr is expected to contain the client request sub scepCheckRequest { ! ! my $sig; ! ! ! # extract and verify signature if authenticated enrollment or ! # automatic renewal is allowed, in both cases the request must ! # be signed by a valid certificate ! if (($ScepAllowEnrollment =~ /validsignature/i) or ! ($ScepAllowRenewal =~/yes/i)) { ! ! # get SCEP request signer certificate ! $sig = scepExtractSignature(); ! ! # in either case a valid signature is required to proceed ! if (! $sig) { ! debug_cmds("cmdScepPKIOperation: invalid signature"); ! 
return undef; ! } ! ! $SignerDN = $sig->getSigner()->{"DN"}; ! debug_cmds("cmdScepPKIOperation: got SignerDN: $SignerDN"); ! } ! ! if (not $ReqObj = new OpenCA::REQ(SHELL => $cryptoShell, ! GETTEXT => \&i18nGettext, ! DATA => $plain_csr)) { $errno = 723717; $errval = gettext ("Internal Request Error"); *************** *** 439,449 **** debug_cmds("cmdScepPKIOperation: " . join("\n", Dumper @list)) if ($deep_debug); if (not @list or $#list == -1) { # matching certificate was not found (initial enrollment) ! if ($ScepAllowEnrollment =~ /yes/i) { ! debug_cmds("cmdScepPKIOperation: scepCheckRequest: initial enrollment allowed"); $ReqRole = $ScepDefaultRole; $ReqRA = $ScepDefaultRA; return 1; } --- 488,541 ---- debug_cmds("cmdScepPKIOperation: " . join("\n", Dumper @list)) if ($deep_debug); + debug_cmds("cmdScepPKIOperation: explicitly removing non-exact CN matches"); + @list = grep { $_->getParsed()->{DN_HASH}->{CN}[0] + eq $ReqObj->getParsed()->{DN_HASH}->{CN}[0] } @list; + if (not @list or $#list == -1) { # matching certificate was not found (initial enrollment) ! if ($ScepAllowEnrollment =~ /(yes|validsignature)/i) { ! debug_cmds("cmdScepPKIOperation: scepCheckRequest: initial enrollment"); $ReqRole = $ScepDefaultRole; $ReqRA = $ScepDefaultRA; + + # get requested role from request extensions + my $ExtRef = $ReqObj->getParsed()->{"OPENSSL_EXTENSIONS"}; + + if (exists $ExtRef->{"1.3.6.1.4.1.311.20.2"}) { + my $requested_template = $ExtRef->{"1.3.6.1.4.1.311.20.2"}->[0]; + debug_cmds("cmdScepPKIOperation: found certificate template request for $requested_template"); + + # decode DER encoded BMPSTRING + # The string looks like this: "...T.L.S._.S.e.r.v.e.r" + # Decoding it is not necessary because we throw away anything + # not alphanumeric anyway in the following step + #$requested_template + # = pack "c*", (unpack "s*", substr($requested_template, 2)); + # debug_cmds("cmdScepPKIOperation: decoded template: $requested_template"); + + # flatten the role name, i. e. 
only retain alphanumeric chars + $requested_template =~ s/[\W_]//g; + + # try to match the role against the preconfigered ones + my @roles = loadRoles(); + + foreach my $role (@roles) { + my $tmp = $role; + # flatten the role name + $tmp =~ s/[\W_]//g; + if ($requested_template eq $tmp) { + $ReqRole = $role; + debug_cmds("cmdScepPKIOperation: identified requested role $ReqRole"); + last; + } + } + + debug_cmds("cmdScepPKIOperation: will use role $ReqRole"); + } + + # if VALIDSIGNATURE was requested, the validity of the + # signature was already verified at the start of this + # function, so we can just allow enrollment here return 1; } *************** *** 523,533 **** ! # according to newer SCEP drafts it is possible to sign the PKCS#7 ! # structure with the old, already existing certificate (instead of ! # using a self-signed certificate) ! # function returns true if the request was signed with an already existing ! # valid certificate issued by the same CA that has the same DN as ! # in the request ! sub scepAuthorizeRequest { local *HANDLE; if (!open HANDLE, "< $p7_file") { --- 615,627 ---- ! # extract and verify signature from SCEP request. ! # returns cached instance if it was called before. ! # side effect: sets global variable $SCEPSignature ! # return: signature object or undef on error ! sub scepExtractSignature { ! ! # return cached result ! return $SCEPSignature if (defined $SCEPSignature); ! local *HANDLE; if (!open HANDLE, "< $p7_file") { *************** *** 543,556 **** #debug_cmds("cmdScepPKIOperation: data: $data") if ($deep_debug); my $sig = new OpenCA::PKCS7( SHELL => $cryptoShell, GETTEXT => \&i18nGettext, SIGNATURE => $data, OPAQUESIGNATURE => 1, ! # error 26 means incorrect key usage ! # flags; to be expected here, as ! # the already existing certificate ! # may have improper key usage bits. ! # The SCEP drafts allows this, though. ! 
IGNOREERRORS => [26], CA_DIR => $ChainDir, CA_CERT => $CACert, --- 637,660 ---- #debug_cmds("cmdScepPKIOperation: data: $data") if ($deep_debug); + # error 26 during PKCS7 verification means incorrect key usage + # flags; to be expected here, as the already existing certificate + # may have improper key usage bits. + # The SCEP drafts allows this, though. + my @ignoreerrors = ( 26 ); + + # if VALIDSIGNATURE is requested, no self-signed certificates should + # be accepted. + # otherwise allow initial inrollment via self-signed certs. + if (! ($ScepAllowEnrollment =~ /validsignature/i)) { + # 18: self-signed certificate + debug_cmds("cmdScepPKIOperation: allowing self-signed certificates in signature") if ($deep_debug); + push (@ignoreerrors, 18); + } + my $sig = new OpenCA::PKCS7( SHELL => $cryptoShell, GETTEXT => \&i18nGettext, SIGNATURE => $data, OPAQUESIGNATURE => 1, ! IGNOREERRORS => \@ignoreerrors, CA_DIR => $ChainDir, CA_CERT => $CACert, *************** *** 559,580 **** if (! $sig) { debug_cmds("cmdScepPKIOperation: Could not instantiate OpenCA::PKCS7 object"); ! return 0; } debug_cmds("cmdScepPKIOperation: PKCS7 signature successfully verified"); ! my $parsedsig = $sig->getParsed(); ! debug_cmds("cmdScepPKIOperation: OpenCA::PKCS7::status: " . $sig->status()); ! ! if (! $parsedsig) { ! debug_cmds("cmdScepPKIOperation: OpenCA::PKCS7::getParsed() returned signature validation error: " . $sig->status()); ! return 0; } ! if ($sig->status() != 0) { ! debug_cmds("cmdScepPKIOperation: OpenCA::PKCS7::getParsed() returned signature validation error: " . $sig->status()); return 0; } my $signer = $sig->getSigner(); # check if the signer certificate is valid --- 663,702 ---- if (! $sig) { debug_cmds("cmdScepPKIOperation: Could not instantiate OpenCA::PKCS7 object"); ! return undef; } debug_cmds("cmdScepPKIOperation: PKCS7 signature successfully verified"); ! if ($sig->status() != 0) { ! 
debug_cmds("cmdScepPKIOperation: OpenCA::PKCS7::status() returned signature validation error: " . $sig->status()); ! return undef; } ! # cache information ! $SCEPSignature = $sig; ! ! return $sig; ! } ! ! ! ! # according to newer SCEP drafts it is possible to sign the PKCS#7 ! # structure with the old, already existing certificate (instead of ! # using a self-signed certificate) ! # function returns true if the request was signed with an already existing ! # valid certificate issued by the same CA that has the same DN as ! # in the request ! sub scepAuthorizeRequest { ! ! my $sig = scepExtractSignature(); ! if (! $sig) { ! debug_cmds("cmdScepPKIOperation: invalid signature"); return 0; } my $signer = $sig->getSigner(); + if (! $signer) { + debug_cmds("cmdScepPKIOperation: could not extract signer cert from signature"); + return 0; + } # check if the signer certificate is valid *************** *** 586,597 **** } - - my $signerdn = $signer->{DN}; my $requestdn = $ReqObj->getParsed()->{"DN"}; ! debug_cmds("cmdScepPKIOperation: Signature Signer DN: $signerdn, Request DN: $requestdn"); # requester DN must be non-null and identical to existing certificate ! if (($signerdn eq "") or ($signerdn ne $requestdn)) { ! debug_cmds("cmdScepPKIOperation: Signature Signer DN ($signerdn) and request DN ($requestdn) do not match. Request was not authorized."); return 0; } --- 708,717 ---- } my $requestdn = $ReqObj->getParsed()->{"DN"}; ! debug_cmds("cmdScepPKIOperation: Signature Signer DN: $SignerDN, Request DN: $requestdn"); # requester DN must be non-null and identical to existing certificate ! if (($SignerDN eq "") or ($SignerDN ne $requestdn)) { ! debug_cmds("cmdScepPKIOperation: Signature Signer DN ($SignerDN) and request DN ($requestdn) do not match. 
Request was not authorized."); return 0; } *************** *** 634,637 **** --- 754,758 ---- $tmp .= "ROLE = $ReqRole\n"; $tmp .= "RA = $ReqRA\n"; + $tmp .= "REQUEST_AUTH_USERID = $SignerDN\n" if (defined $SignerDN and ($SignerDN ne "")); $tmp .= "SCEP_TID = ".$scep_tid."\n"; *************** *** 647,650 **** --- 768,772 ---- @SANs = ( $ExtRef->{"X509v3 Subject Alternative Name"} ); } + map { s/IP Address/IP/g; } @SANs; debug_cmds("cmdScepPKIOperation: got SubjectAltNames " . join(", ", @SANs) . " from request"); |
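Review bot: In the role-matching loop at the top of the patch both the requested template (`$requested_template =~ s/[\W_]//g;`) and every configured role (`$tmp =~ s/[\W_]//g;`) are flattened before `eq`, so two roles that differ only in punctuation or spacing collapse to the same key and whichever `loadRoles()` returns first wins silently. Compare case-insensitively without stripping, or treat a second flattened match as an ambiguity error rather than a hit.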
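Review bot: Pushing 18 onto `@ignoreerrors` in the `*** 543,556 ****` hunk makes `scepExtractSignature()` report status 0 for a self-signed signer whenever `$ScepAllowEnrollment` lacks `validsignature`, and because `scepAuthorizeRequest()` now reuses that cached object, authorization of a renewal rests entirely on the later 'check if the signer certificate is valid' block and the DN comparison. Please state that dependency in the comment above `my @ignoreerrors = ( 26 );` so the two ignore codes are not relaxed independently later. `/validsignature/i` is also an unanchored substring match; if the option is a keyword list, split it and compare whole tokens.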
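Review bot: In the `*** 559,580 ****` hunk `debug_cmds("cmdScepPKIOperation: PKCS7 signature successfully verified");` is still emitted before `if ($sig->status() != 0)`, so a request whose signature fails validation leaves a 'successfully verified' entry immediately followed by the error and misleads anyone reviewing the log; move the success message below the status check. The cache `$SCEPSignature = $sig;` is keyed on nothing, so it is only correct under a one-request-per-process assumption; a comment saying so (or comparing `$p7_file`) would prevent a stale signature being returned if that ever changes.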
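Review bot: The `*** 586,597 ****` hunk replaces the local `$signerdn` with the global `$SignerDN`, but nothing in this hunk assigns it, so `if (($SignerDN eq "") or ($SignerDN ne $requestdn))` depends on an assignment elsewhere and warns on undef under `use warnings`; add a `defined` guard. The function comment promises the signer was 'issued by the same CA', which a DN string match does not establish on its own; make sure the preceding validity check covers issuer identity and not only expiry.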
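Review bot: `$tmp .= "REQUEST_AUTH_USERID = $SignerDN\n"` in the `*** 634,637 ****` hunk writes a certificate-supplied DN into a newline-delimited `KEY = value` record, so a DN string containing a line break would yield extra records (for instance a second `ROLE = ...`). Strip or encode CR/LF from `$SignerDN` before appending, or extend the `(defined $SignerDN and ($SignerDN ne ""))` guard to reject values containing newlines.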
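Review bot: `map { s/IP Address/IP/g; } @SANs;` in the `*** 647,650 ****` hunk uses `map` in void context purely for its side effect; `s/IP Address/IP/g for @SANs;` says what is meant. The substitution is also unanchored and rewrites that text anywhere in the SAN string, including inside a value; anchoring on the type label, e.g. `s/\bIP Address:/IP:/g`, limits it to the label.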
From: <ope...@li...> - 2005-12-15 13:56:16
Update of /cvsroot/openca/openca-0.9 In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566 Modified Files: Tag: openca_0_9_2 CHANGES RELEASE-NOTES Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: CHANGES =================================================================== RCS file: /cvsroot/openca/openca-0.9/CHANGES,v retrieving revision 1.295.2.66 retrieving revision 1.295.2.67 diff -C2 -d -r1.295.2.66 -r1.295.2.67 *** CHANGES 27 Oct 2005 12:53:11 -0000 1.295.2.66 --- CHANGES 15 Dec 2005 13:55:25 -0000 1.295.2.67 *************** *** 3,6 **** --- 3,17 ---- "cvs commit". + 2005-Dec-xx: + * added LDAP authentication (Peter Gietz) + * fixed bug #1378831 (Julia Dubenskaya) + * fixed bug #1339236 (Julia Dubenskaya) + * fixed bug #1254337 + * SCEP server improvements: + * added getCert function to SCEP server (submitted by Radu Gajea) + * added certificate profile selection support via SCEP enrollment + * added automatic approval to SCEP server + * various bug fixes + 2005-Oct-xx: * fixed UTF8 MIME issue (from Julia) Index: RELEASE-NOTES =================================================================== RCS file: /cvsroot/openca/openca-0.9/Attic/RELEASE-NOTES,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -C2 -d -r1.1.2.2 -r1.1.2.3 *** RELEASE-NOTES 12 Aug 2005 08:29:17 -0000 1.1.2.2 --- RELEASE-NOTES 15 Dec 2005 13:55:25 -0000 1.1.2.3 *************** *** 12,15 **** --- 12,28 ---- + 2005-12-xx - OpenCA 0.9.2.5 + - Improved UTF-8 Support + - LDAP Authentication + - SCEP improvements (Certificate template request support, authenticated + requests) + + Configuration file changes: + etc/servers/scep.conf.template + modified: ScepAllowEnrollment (new possible value 'VALIDSIGNATURE', + backward compatible) + + --------------------------------------------------------------------------- + 2005-08-12 - OpenCA 0.9.2.4 |
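Review bot: The CHANGES hunk dates the new entry `2005-Dec-xx` and closes with `* various bug fixes`; fill in the day before tagging and name the fixes the way the surrounding items do with bug numbers, otherwise the entry cannot be matched to a release or to the tracker.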
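Review bot: The RELEASE-NOTES hunk lists only `etc/servers/scep.conf.template` under 'Configuration file changes', but the LDAP authentication announced two lines above is configured through a new `access_control/login/ldapdata` block (host, port, base, binddn, bindpw, usetls, cacertpath, searchattr, ...) in the access-control configuration, as the AC.pm change in the same commit set shows; list that file and its new elements here too, since an upgraded installation without them cannot complete an LDAP login.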
From: <ope...@li...> - 2005-12-15 13:55:53
Update of /cvsroot/openca/openca-0.9/src/modules/openca-ac In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/src/modules/openca-ac Modified Files: Tag: openca_0_9_2 AC.pm Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: AC.pm =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/modules/openca-ac/AC.pm,v retrieving revision 1.60.2.3 retrieving revision 1.60.2.4 diff -C2 -d -r1.60.2.3 -r1.60.2.4 *** AC.pm 15 Oct 2004 07:59:43 -0000 1.60.2.3 --- AC.pm 15 Dec 2005 13:55:34 -0000 1.60.2.4 *************** *** 19,23 **** --- 19,28 ---- ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ## + ## Includes a new database "ldap" which implements authentication and role + ## mapping via ldap (or Active Directory). + ## Written by Peter Gietz, DAASI International GmbH, for the Evangelische + ## Landeskirche Wuerttemberg + use strict; *************** *** 31,34 **** --- 36,58 ---- use FileHandle; + + my $is_ldaps; + + eval ( "use Net::LDAPS;" ); + if ($@) { + print STDERR "Error in use Net::LDAPS"; + $is_ldaps=0; + } else { + $is_ldaps=1; + } + + use Net::LDAP; + + use Net::LDAP::Util qw(ldap_error_text + ldap_error_name + ldap_error_desc + ); + + our ($ldapoperation, $ldapmsg); our ($errno, $errval); *************** *** 307,310 **** --- 331,500 ---- } + + sub loadLDAPLoginConfig + { + my $self = shift; + $self->debug ("loadLDAPLoginConfig: entering function"); + + ## get the configdata <ldapdata>...</ldapdata> + $self->{ident}->{ldaphost} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/host' + ); + $self->debug (" LDAP host: $self->{ident}->{ldaphost}"); + + $self->{ident}->{ldapport} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 
'access_control/login/ldapdata/port' + ); + $self->debug (" LDAP port: $self->{ident}->{ldapport}"); + + $self->{ident}->{ldapbase} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/base' + ); + $self->debug (" LDAP base: $self->{ident}->{ldapbase}"); + + $self->{ident}->{ldapversion} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/version' + ); + if (! $self->{ident}->{ldapversion} ) { + $self->{ident}->{ldapversion} = 3; + } + $self->debug (" LDAP base: $self->{ident}->{ldapversion}"); + + $self->{ident}->{ldapbinddn} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/binddn' + ); + $self->debug (" LDAP binddn: $self->{ident}->{ldapbinddn}"); + + $self->{ident}->{ldapbindpw} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/bindpw' + ); + $self->debug (" LDAP bindpw: XXXXXXXX"); + + + my $ldapusetls = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/usetls' + ); + $self->debug (" LDAP use TLS: |$ldapusetls|"); + + $self->{ident}->{ldapcacertpath} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/cacertpath' + ); + $self->debug (" CA Cert path: |$self->{ident}->{ldapcacertpath}|"); + + + # my $is_tls=undef; + + if ( lc($ldapusetls) eq "yes" || lc($ldapusetls) eq "starttls" ) { + ## Access to the ca certificate is prerequisite for TLS: + if ( not $self->{ident}->{ldapcacertpath} ) { + $self->setError (6273150, + $self->{gettext} ("LDAP Login config error: you need to specify cacertpath for TLS.")); + return undef; + } + if ( lc($ldapusetls) eq "yes" ) { + $self->{ident}->{is_tls}=1; + } else { + $self->{ident}->{is_tls}=2; + } + } else { + $self->{ident}->{is_tls}=0; + } + + $self->debug (" LDAP IS_TLS: 
|$self->{ident}->{is_tls}|"); + + $self->{ident}->{ldapsearchattr} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/searchattr' + ); + $self->debug (" LDAP search attrib: " . + $self->{ident}->{ldapsearchattr}); + + $self->{ident}->{ldapsearchvalueprefix} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/searchvalueprefix' + ); + $self->debug (" LDAP search value prefix: " . + $self->{ident}->{ldapsearchvalueprefix}); + + $self->{ident}->{ldapauthmethattr} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/ldapauthmethattr' + ); + $self->debug (" LDAP authmeth attribute: " . + $self->{ident}->{ldapauthmethattr}); + + + $self->{ident}->{ldapdefaultauthmethod} = $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/ldapdefaultauthmeth' + ); + $self->debug (" LDAP defaultauthmeth: " . 
+ $self->{ident}->{ldapdefaultauthmethod} ); + + $self->{ident}->{ldappwattr} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/ldappwattr' + ); + $self->debug (" LDAP PW attr: $self->{ident}->{ldappwattr}"); + + $self->{ident}->{ldappwattrhash} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/ldappwattrhash' + ); + $self->debug (" LDAP PW attr hash: $self->{ident}->{ldappwattrhash}"); + + $self->{ident}->{ldaproleattr} = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/passwd/roleattribute' + ); + $self->debug (" LDAP role attribute: $self->{ident}->{ldaproleattr}"); + + my $ii = 0; # constant + + + $self->{ident}->{ldaprole_count} = + $self->{cache}->get_xpath_count ( + FILENAME => $self->{configfile}, + XPATH => [ 'access_control/login/passwd/rolemapping' ]); + + $self->debug (" number of roles defined: ". + $self->{ident}->{ldaprole_count}); + + + + if (not defined $self->{ident}->{type}) + { + $self->setXMLerror (6271008, "Authentication verification"); + return undef; + } + + $self->debug ("loadLoginConfig: leaving function successfully"); + return 1; + } + + + sub loadModuleID { *************** *** 600,603 **** --- 790,794 ---- $self->{session}->setParam ('name', $self->{ident}->{name}); $self->{session}->setParam ('role', $self->{ident}->{role}); + $self->{session}->setParam ('entrydn', $self->{ident}->{entrydn}); $self->{session}->setParam ('valid', '1'); $self->{journal}->{login}->{name} = $self->{ident}->{name}; *************** *** 631,634 **** --- 822,826 ---- $self->{ident}->{name} = $self->{session}->getParam("name"); $self->{ident}->{role} = $self->{session}->getParam("role"); + $self->{ident}->{entrydn} = $self->{session}->getParam("entrydn"); $self->{ident}->{valid} = $self->{session}->getParam("valid"); $self->{ident}->{prepare_ident} = $self->{session}->getParam("prepare_ident"); 
*************** *** 652,656 **** sub login { my $self = shift; ! $self->debug (" Try to login ..."); if ($self->{ident}->{type} =~ /^none$/i) { --- 844,848 ---- sub login { my $self = shift; ! $self->debug (" Try to login ....."); if ($self->{ident}->{type} =~ /^none$/i) { *************** *** 660,665 **** return 1; } elsif ($self->{ident}->{type} =~ /^passwd$/i) { ! $self->debug (" type ... passwd"); $self->{journal}->{login}->{type} = "passwd"; if ($self->{cgi}->param ('login')) { $self->debug (" credentials ... present"); --- 852,865 ---- return 1; } elsif ($self->{ident}->{type} =~ /^passwd$/i) { ! $self->debug (" type ..... passwd"); $self->{journal}->{login}->{type} = "passwd"; + + my $database = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/database' + ); + $self->debug (" database ..... $database"); + if ($self->{cgi}->param ('login')) { $self->debug (" credentials ... present"); *************** *** 667,675 **** $self->debug (" name ... ".$self->{ident}->{name}); - my $database = - $self->{cache}->get_xpath ( - FILENAME => $self->{configfile}, - XPATH => 'access_control/login/database' - ); # external database source --- 867,870 ---- *************** *** 758,761 **** --- 953,1353 ---- # } } + ## LDAP database source (user/password stored in LDAP or AD server) + elsif ($database =~ /^ldap$/i) { + $self->debug (" database ... 
LDAP"); + + $self->loadLDAPLoginConfig; + ## some more config stuff: + my $ldapauthmeth_count = $self->{cache}->get_xpath_count ( + FILENAME => $self->{configfile}, + XPATH => 'access_control/login/ldapdata/ldapauthmethmapping'); + + my %methods; + + for (my $i=0; $i<$ldapauthmeth_count; $i++) + { + my $condition = $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => [ 'access_control/login/ldapdata/ldapauthmethmapping', 'ldapauthmethattrvalue' ], + COUNTER => [ $i, 0 ] + ); + + my $method = $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => [ 'access_control/login/ldapdata/ldapauthmethmapping', 'ldapauthmeth' ], + COUNTER => [ $i, 0 ] + ); + + $methods{$condition} = $method; + } + + ## now start an LDAP connection + my $bindmsg = undef; + my $ldap = undef; + + if ( $self->{ident}->{is_tls} == 1 && ! $is_ldaps ) { + $self->debug("no ldaps installed, thus switching to start_tls"); + $self->{ident}->{is_tls}=2; + } + + if ( $self->{ident}->{is_tls} == 1) { + $self->debug(" starting a SSL (ldaps) session on ". 
+ "$self->{ident}->{ldaphost}:$self->{ident}->{ldapport} certpath: $self->{ident}->{ldapcacertpath}"); + + $ldap = Net::LDAPS->new ($self->{ident}->{ldaphost}, + port => $self->{ident}->{ldapport}, + async => 0, + version => 3, + capath => $self->{ident}->{ldapcacertpath} + ); + } else { + $ldap = Net::LDAP->new ($self->{ident}->{ldaphost}, + port => $self->{ident}->{ldapport}, + async => 0, + version => 3 + ); + } + + if (not $ldap) + { + $self->setError(6273153, + $self->{gettext}("LDAP Login: connect to server failed.")); + return undef; + } + else + { + $self->debug (" LDAP connect successfull"); + my $starttls_OID = "1.3.6.1.4.1.1466.20037"; + my $is_rootdse = undef; + + if ($self->{ident}->{is_tls} == 2) { + + my $root_dse = $ldap->root_dse(); + + if ($root_dse) { + my @namingContext = + $root_dse->get_value( 'namingContexts', + asref => 0 ); + $self->debug(" naming contexts are:"); + + foreach (0..$#namingContext) { + $self->debug(" $namingContext[$_]"); + } + $is_rootdse = 1; + } else { + $self->debug("root_dse unsuccessfull"); + } + + + if ( $is_rootdse && + ! $root_dse->supported_extension ($starttls_OID)) { + + $self->debug("Server does not support START_TLS"); + $self->debug("Please reconfigure your LDAP ". + "Authentication settings"); + self->setError(6273161, + $self->{gettext}("LDAP Login: Server does not support TLS.")); + + return undef; + } + + $self->debug(" starting a Start_TLS session on $self->{ident}->{ldaphost}:$self->{ident}->{ldapport} certpath: $self->{ident}->{ldapcacertpath}"); + + my $tlsmsg = $ldap->start_tls ( + verify =>'require', + capath => $self->{ident}->{ldapcacertpath} + ); + + if ( $tlsmsg->is_error() ) { + $self->print_ldaperror("Start TLS", $tlsmsg); + $self->debug(" Possible reason: The directory in \"capath\" must contain certificates "); + $self->debug(" named using the hash value of the certificates\' subject names. 
"); + $self->debug(" To generate these names, use OpenSSL like this in Unix:"); + $self->debug(" ln -s cacert.pem \`openssl x509 -hash -noout \< cacert.pem\`.0"); + $self->setError(6273162, + $self->{gettext}("LDAP Login: Start TLS did not succeed.")); + return(undef); + } else { + $self->debug(" starttls successful"); + } + + } + + + ## now OpenCA authenticates itself by binding to the + ## entry configured in ldapbinddn + my $bindmsg = $ldap->bind( $self->{ident}->{ldapbinddn}, + 'password' => $self->{ident}->{ldapbindpw} ); + + if ($bindmsg->is_error()) + { + if ( $bindmsg->code() == 49 ) { + $self->debug("invalid ldap credentials\n"); + } else { + $self->print_ldaperror("LDAP bind", $bindmsg); + } + $self->setError( 6273154, $self->{gettext}("OpenCA LDAP Authentication failed.")); + return undef; + } + + $self->debug(" LDAP Openca Login successfull"); + } + + ## now search for an entry with an ID-attribute containing + ## the value inputted by the user + + + my $ldapsearchfilter = + "($self->{ident}->{ldapsearchattr}=$self->{ident}->{ldapsearchvalueprefix}$self->{ident}->{name})"; + $self->debug(" search filter: $ldapsearchfilter"); + + + my $searchmesg = $ldap->search( + base => $self->{ident}->{ldapbase}, + filter => $ldapsearchfilter + ); + + if ($searchmesg->is_error()) + { + $self->print_ldaperror("LDAP search", $searchmesg); + setError(6273154, $self->{gettext}("OpenCA LDAP Authentication failed.")); + return undef; + } + + + my $entrycount = $searchmesg->count(); + + ## no user found? + if ( not $entrycount ) { + $self->setError(6273120, + $self->{gettext}("LDAP Login: user not found.")); + return undef; + } + + ## more than one user found? 
+ if ( $entrycount > 1 ) { + $self->setError(6273157, + $self->{gettext}("LDAP Login: more than one user found.")); + return undef; + } + + ## ok lets analyse the entry found: + my $value = undef; + my @rolevalues = undef; + my @ldapauthmethattrvalues = undef; + my @ldappwattrvalues = undef; + my $rolevaluecount = 0; + my $ldapauthmethattrvaluecount = 0; + my $ldappwattrvaluecount = 0; + + my $entry = $searchmesg->entry ( 0 ); + $self->{ident}->{entrydn} = $entry->dn(); + + $self->debug("analysing entry $self->{ident}->{entrydn}"); + + foreach my $attr ( $entry->attributes ) { + foreach $value ( $entry->get_value( $attr ) ) { + # $self->debug("attr: |$attr| = $value"); + if ( lc($attr) eq lc($self->{ident}->{ldaproleattr}) ) { + # $self->debug ("Roleattribute = $value"); + $rolevalues[$rolevaluecount] = $value; + $rolevaluecount ++; + } elsif ( lc($attr) eq + lc($self->{ident}->{ldapauthmethattr}) ) { + # $self->debug ("ldapauthmethattribute = $value"); + $ldapauthmethattrvalues[$ldapauthmethattrvaluecount] = $value; + $ldapauthmethattrvaluecount ++; + } elsif ( lc($attr) eq + lc($self->{ident}->{ldappwattr}) ) { + # $self->debug ("ldappwattribute = $value"); + $ldappwattrvalues[$ldappwattrvaluecount] = $value; + $ldappwattrvaluecount ++; + } + } + } + + $self->debug("rolecount: $rolevaluecount; authmethcount: $ldapauthmethattrvaluecount; ldappwattrcount: $ldappwattrvaluecount"); + + + ## lets see which auth method to use: + my $is_found = 0; + my $valuekey; + my $ldapauthmeth = undef; + for (my $ii = 0; $ii < $ldapauthmethattrvaluecount; $ii++) { + foreach $valuekey (keys %methods) { + if ( $valuekey eq $ldapauthmethattrvalues[$ii] ) { + $is_found = 1; + $ldapauthmeth = $methods{$valuekey}; + last; + } + } + if ($is_found ) { last;} + } + + if ($is_found) { + $self->debug (" Found auth meth"); + if ($ldapauthmeth eq "pwattr" && not $ldappwattrvaluecount ) { + # Error no value of ldap pw attribute + $self->debug ("Error pwattr method chosen without pw attr in 
entry"); + $self->setError (6273158, + $self->{gettext} ("LDAP Login: password attribute is missing in the entry.")); + return undef; + } + } else { + $ldapauthmeth = $self->{ident}->{ldapdefaultauthmethod}; + } + + $self->debug("ldapauthmeth: $ldapauthmeth"); + + ## Method pwattr + ## (use a configurable password attribute for authentication) + if ( $ldapauthmeth eq "pwattr" ) { + my $algorithm = undef; + my $digest = undef; + + my $ldapdigest = $ldappwattrvalues[0]; + + $self->debug("ldapdigest : |$ldapdigest| "); + + ## create comparable value + $self->{ident}->{algorithm} = + lc ($self->{ident}->{ldappwattrhash}); + + my $pw = $self->{cgi}->param ('passwd'); + + ## compute the digest + if ($self->{ident}->{algorithm} =~ /^sha1$/i) + { + use Digest::SHA1; + my $digest = Digest::SHA1->new; + $digest->add ($pw); + $self->debug( "Digest: SHA1\n"); + $self->debug( "String: ".$pw."\n" ); + my $b64digest = $digest->b64digest; + $self->debug( "SHA1: ".$b64digest."\n"); + $self->{ident}->{digest} = $b64digest; + + } elsif ($self->{ident}->{algorithm} =~ /^md5$/i) { + use Digest::MD5; + $digest = Digest::MD5->new; + $digest->add($self->{cgi}->param ('passwd')); + $self->{ident}->{digest} = $digest->b64digest; + + } elsif ($self->{ident}->{algorithm} =~ /^crypt$/i) { + $self->{ident}->{digest} = + crypt ($self->{cgi}->param ('passwd'), $ldapdigest); + } elsif ($self->{ident}->{algorithm} =~ /^none$/i) { + $self->{ident}->{digest} = $ldapdigest; + } else { + $self->setError (6273151, + $self->{gettext} ("LDAP Login config error: unknown passphrasehashing algorithm.")); + return undef; + } + + $self->debug (" ident name ... ".$self->{ident}->{name}); + $self->debug (" ident algorithm ... ".$self->{ident}->{algorithm}); + $self->debug (" ident digest ... ".$self->{ident}->{digest}); + + ## compare passphrases + + ## sometimes hash creators put the algorithm used in front of + ## the value and a '=' at its end. 
We will strip that for + ## comparision + if ( $ldapdigest =~ /^\{\w+\}(.+)=$/ ) { + $ldapdigest = $1; + $self->debug ("value contains {X}Y="); + } + $self->debug (" comparing |".$self->{ident}->{digest}."| with |".$ldapdigest."|"); + + if ($self->{ident}->{digest} ne $ldapdigest) { + $self->setError (6273155, + $self->{gettext} ("LDAP Login failed.")); + return undef; + } + } elsif ( $ldapauthmeth eq "bind" ) { + ## do simple ldap bind for authentication + my $passwd = $self->{cgi}->param ('passwd'); + + my $bindmsg = $ldap->bind( $self->{ident}->{entrydn}, + 'password' => $passwd ); + + if ($bindmsg->is_error()) + { + my $msg = $self->{gettext} ("LDAP-bind failed: __ERRVAL__", + "__ERRVAL__", $self->errval) ; + if ( $bindmsg->code() == 49 ) { + $self->debug ("invalid ldap credentials in configuration"); + } else { + $self->debug ("LDAP Login: Cannot bind to server."); + $self->debug ("bind error: ". $bindmsg->error()); + $self->debug ("bind servererr: ".$bindmsg->server_error()); + $self->debug ("bind mesg code: ".$bindmsg->code()); + } + $self->setError (6273155, + $self->{gettext} ("LDAP Login failed.")); + return undef; + } + + $self->debug (" LDAP Login successfull"); + + ### $self->{ident}->{dn} = $entrydn; + + my $unbindmesg = $ldap->unbind; + if (not $unbindmesg->is_error ) { + $self->debug (" ldap unbind success "); + } + + } else { + + $self->debug ("unknown ldap auth meth $ldapauthmeth"); + $self->setError (6273152, + $self->{gettext} ("LDAP Login config error: unknown authentication method.")); + return undef; + } + + ## OK the user seems to be authenticated properly, let's see if we can + ## map her to a role: + my $found = 0; + my $rolefound = undef; + + $self->debug ("looking for the role"); + + for (my $kk = 0; $kk < $self->{ident}->{ldaprole_count}; $kk++) + { + my $roleattributevalue = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => [ 'access_control/login/passwd/rolemapping', 'roleattributevalue' ], + COUNTER => [ 
$kk, 0 ]); + $self->debug(" role attribute value: $roleattributevalue"); + + for (my $ii =0; $ii < $rolevaluecount; $ii++) { + if ( $roleattributevalue eq $rolevalues[$ii] ) { + $rolefound = + $self->{cache}->get_xpath ( + FILENAME => $self->{configfile}, + XPATH => [ 'access_control/login/passwd/rolemapping', 'role' ], + COUNTER => [ $kk, 0 ]); + $found=1; + last; + } + } + if ($found) { last; } + } + + if ( not $found ) { + $self->debug ("no role found for user."); + $self->setError (6273159, + $self->{gettext} ("LDAP Login: no role found for user.")); + return undef; + } else { + $self->debug (" found role: $rolefound "); + $self->{ident}->{role}= lc($rolefound); + } + + ## Everything is done for now + + $self->debug("end of LDAP Auth Module"); + } # internal database source (user/password stored in XML file) elsif ($database =~ /^internal$/i) { *************** *** 878,883 **** $cmd_panel->[1] = '<input type="reset" value="'. $self->{gettext}('Reset').'">'; ! $info_list->{BODY}->[0]->[0] = $self->{gettext}('Login'); $info_list->{BODY}->[0]->[1] = '<input type="text" name="login" value=""'; $info_list->{BODY}->[1]->[0] = $self->{gettext}('Password'); --- 1470,1498 ---- $cmd_panel->[1] = '<input type="reset" value="'. $self->{gettext}('Reset').'">'; + my $gui_name = undef; ! ## new code outside of the ldap login module: ! my $loginheadline = ! $self->{cache}->get_xpath ( ! FILENAME => $self->{configfile}, ! XPATH => 'access_control/login/loginheadline' ! ); ! my $loginprompt = ! $self->{cache}->get_xpath ( ! FILENAME => $self->{configfile}, ! XPATH => 'access_control/login/loginprompt' ! ); ! if ($loginheadline) { ! $gui_name = $loginheadline; ! } else { ! $gui_name = $self->{gettext}('Login to OpenCA'); ! } ! ! if ($loginprompt) { ! $info_list->{BODY}->[0]->[0] = $loginprompt; ! } else { ! $info_list->{BODY}->[0]->[0] = $self->{gettext}('Login'); ! } ! 
## end of new code $info_list->{BODY}->[0]->[1] = '<input type="text" name="login" value=""'; $info_list->{BODY}->[1]->[0] = $self->{gettext}('Password'); *************** *** 885,889 **** $self->{gui}->libSendReply ( ! "NAME" => $self->{gettext}('Login to OpenCA'), "HIDDEN_LIST" => $hidden_list, "INFO_LIST" => $info_list, --- 1500,1505 ---- $self->{gui}->libSendReply ( ! # "NAME" => $self->{gettext}('Login to OpenCA'), ! "NAME" => $gui_name, "HIDDEN_LIST" => $hidden_list, "INFO_LIST" => $info_list, *************** *** 994,997 **** --- 1610,1648 ---- } + + sub mybind { + my $self = shift; + my ( $logtext, $ldapbinddn, $ldapbindpw, $ldap ) = @_; + + my $bindmsg = $ldap->bind( $ldapbinddn, + 'password' => $ldapbindpw ); + + if ($bindmsg->is_error()) + { + my $msg = $self->{gettext} ("LDAP-bind failed: __ERRVAL__", + "__ERRVAL__", $self->errval) ; + if ( $bindmsg->code() == 49 ) { + $self->debug ("invalid ldap credentials in configuration"); + } else { + $self->debug ("$logtext: Cannot bind to server."); + $self->debug ("bind error: ". $bindmsg->error()); + $self->debug ("bind servererr: ".$bindmsg->server_error()); + $self->debug ("bind mesg code: ".$bindmsg->code()); + } + $self->setError (6273166, + $self->{gettext} ("LDAP Login failed.")); + # $self->setError (6273166, + # "$logtext fehlgeschlagen: Konfigurationsfehler"); + return undef; + } + + $self->debug (" $logtext successfull"); + + } + + + + + sub stopSession { my $self = shift; *************** *** 1120,1123 **** --- 1771,1782 ---- } + sub getDN + { + my $self = shift; + return undef if (not exists $self->{ident}); + return undef if (not exists $self->{ident}->{dn}); + return $self->{ident}->{dn}; + } + sub getRole { *************** *** 1614,1616 **** --- 2273,2292 ---- } + + sub print_ldaperror { + my $self = shift; + my ($operation, $msg) = @_; + + $self->debug (" $operation unsuccessful:"); + $self->debug (" msg code: " . $msg->code() ); + $self->debug (" msg error: " . 
$msg->error() ); + $self->debug (" msg error name: " . ldap_error_name($msg) ); + $self->debug (" msg error text: " . ldap_error_text($msg) ); + $self->debug (" msg error desc: " . ldap_error_desc($msg) ); + # if ( $ldapmsg->server_error() ) { + # $self->debug (" msg server error: " . $ldapmsg->server_error() ); + # } + } + + 1; |
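Review bot: `eval ( "use Net::LDAPS;" ); if ($@) { print STDERR "Error in use Net::LDAPS"; ...` in the `*** 31,34 ****` hunk writes to STDERR at module load, so every process on a host without Net::LDAPS adds a line to the web server error log even when ldaps is not configured; turn it into a debug message at the point where `is_tls == 1` is actually requested. `our ($ldapoperation, $ldapmsg)` are declared but only referenced from commented-out code in `print_ldaperror`.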
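Review bot: In the `*** 307,310 ****` hunk `loadLDAPLoginConfig` returns undef for the 'you need to specify cacertpath for TLS' case before `$self->{ident}->{is_tls}` is assigned, so a caller that ignores the return value continues with `is_tls` undefined and no TLS; set a safe default before the error return. Smaller points in the same hunk: `$self->debug (" LDAP base: $self->{ident}->{ldapversion}");` mislabels the version, `ldapversion` is read but the connection code later hardcodes `version => 3`, the closing message says `loadLoginConfig: leaving function successfully`, and `my $ii = 0; # constant` is unused.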
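Review bot: The `pwattr` branch of the `*** 758,761 ****` hunk accepts any password when `ldappwattrhash` is `none`: `$self->{ident}->{digest} = $ldapdigest;` copies the stored value into the computed digest, so the later `if ($self->{ident}->{digest} ne $ldapdigest)` can only fail when the `{X}Y=` prefix strip fired; it should read `$self->{ident}->{digest} = $pw;`. Second, `$self->loadLDAPLoginConfig;` discards the return value, so the TLS configuration error in that function leaves `is_tls` undefined and the code falls through to a plain `Net::LDAP->new` with no `start_tls`, sending `ldapbindpw` and then the user's password in cleartext; write `return undef unless $self->loadLDAPLoginConfig;`. Third, `$self->{ident}->{name}` comes from the `login` CGI parameter and is interpolated unescaped into `$ldapsearchfilter`; pass it (and `ldapsearchvalueprefix`, if it may contain filter metacharacters) through `Net::LDAP::Util::escape_filter_value`. Also: `$self->debug( "String: ".$pw."\n" );` and the `ident digest` line put the plaintext password and its hash into the debug log; `self->setError(6273161, ...)` and `setError(6273154, ...)` lack `$self->` and die at runtime on those paths; the strip regex `/^\{\w+\}(.+)=$/` removes only one trailing `=`, so `{MD5}...==` values never match the unpadded `b64digest`; and the code-49 message 'invalid ldap credentials in configuration' inside the user `bind` branch refers to the wrong credentials.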
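Review bot: `sub mybind` in the `*** 994,997 ****` hunk duplicates the bind-and-report block already inlined twice in `login` but is not called anywhere in this diff, and on success it has no explicit return (the value of the last `$self->debug` call is returned); either make both bind sites in `login` use it and end it with `return 1;`, or drop it. The leftover commented `# "$logtext fehlgeschlagen: Konfigurationsfehler"` should go as well.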
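Review bot: `getDN` in the `*** 1120,1123 ****` hunk reads `$self->{ident}->{dn}`, but the LDAP path stores the entry under `$self->{ident}->{entrydn}` (and the session parameter `entrydn`); the only assignment to `{dn}` in this diff is the commented-out `### $self->{ident}->{dn} = $entrydn;`, so for LDAP logins `getDN` always returns undef. Return `{entrydn}` or set `{dn}` alongside it.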
From: <ope...@li...> - 2005-12-15 13:55:53
Update of /cvsroot/openca/openca-0.9/src/modules/openca-xml-cache In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/src/modules/openca-xml-cache Modified Files: Tag: openca_0_9_2 Cache.pm Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: Cache.pm =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/modules/openca-xml-cache/Cache.pm,v retrieving revision 1.13.2.1 retrieving revision 1.13.2.2 diff -C2 -d -r1.13.2.1 -r1.13.2.2 *** Cache.pm 5 Oct 2004 13:25:00 -0000 1.13.2.1 --- Cache.pm 15 Dec 2005 13:55:34 -0000 1.13.2.2 *************** *** 16,19 **** --- 16,20 ---- use XML::Twig; + use utf8; use Socket; ## use Carp; *************** *** 332,335 **** --- 333,338 ---- ## get the answer my $answer = $self->getXML ($filename, $xpath, $counter); + utf8::encode($answer); + $self->debug ("IPCLOOP: answer: $answer"); |
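Review bot: `use utf8;` in the `*** 16,19 ****` hunk only changes how literals in Cache.pm itself are parsed; it does not affect data read from the XML files, so on its own it does not deliver the 'improved UTF8 support' named in the log message. Say what the pragma is there for, or drop it.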
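Review bot: `utf8::encode($answer);` in the `*** 332,335 ****` hunk encodes in place before the value goes out over the IPC loop, which is right only if `getXML` always returns a Perl character string; if it can already hold UTF-8 bytes, the call double-encodes. Guard with `utf8::is_utf8($answer)` or document the invariant on `getXML`.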
From: <ope...@li...> - 2005-12-15 13:55:51
Update of /cvsroot/openca/openca-0.9/src/scep/src In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/src/scep/src Modified Files: Tag: openca_0_9_2 scep.c Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: scep.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/scep/src/scep.c,v retrieving revision 1.30.2.1 retrieving revision 1.30.2.2 diff -C2 -d -r1.30.2.1 -r1.30.2.2 *** scep.c 10 Dec 2004 09:40:30 -0000 1.30.2.1 --- scep.c 15 Dec 2005 13:55:35 -0000 1.30.2.2 *************** *** 52,55 **** --- 52,56 ---- "\nNew Message Extensions:\n\n", " -msgtype <arg> new message format type (default is PKCSReq).\n", + " -print_serial print serial (CertReq msgtype).\n", " -status <arg> new SCEP message status (SUCCESS|PENDING|FAILURE).\n", " -failinfo <arg> new SCEP message failure info ( BadAlg|... ).\n", *************** *** 265,268 **** --- 266,270 ---- int print_transid = 0; int print_msgtype = 0; + int print_serial = 0; //private - not documented *************** *** 495,498 **** --- 497,502 ---- else if (strcmp(*argv,"-print_scert") == 0) print_scert=1; + else if (strcmp(*argv,"-print_serial") == 0) + print_serial=1; else if (strcmp(*argv,"-noout") == 0) noout=1; *************** *** 993,996 **** --- 997,1011 ---- SCEP_MSG_print(outbio, out_msg, pkey, signcert); + //Implemented by Radu Gajea, NBM (RIG) + if( print_serial && out_msg ) { + unsigned char *data=NULL; + long len = 0; + data = (unsigned char *) SCEP_MSG_decrypt(out_msg, pkey, signcert, &len); + if( data ) { + i2a_ASN1_INTEGER( outbio, out_msg->env_data.content.ias->serial ); + free( data ); + } + } + if( !noout && out_msg ) { int ret = 0; |
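Review bot: In the `*** 993,996 ****` hunk the `print_serial` block calls `SCEP_MSG_decrypt` only to learn whether decryption succeeds and then dereferences `out_msg->env_data.content.ias->serial` without checking `ias` for NULL, so a message type that carries no IssuerAndSerial crashes here; test the pointer first. Also confirm that `free( data )` matches the allocator `SCEP_MSG_decrypt` uses (it must be `OPENSSL_free` if the buffer comes from OpenSSL), and write a newline after `i2a_ASN1_INTEGER`, otherwise the serial runs into the following output.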
From: <ope...@li...> - 2005-12-15 13:55:51
Update of /cvsroot/openca/openca-0.9/src/scripts In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16566/src/scripts Modified Files: Tag: openca_0_9_2 Makefile Log Message: - improved UTF8 support - added ldap authentication - SCEP server improvements (certificate template request support, authenticated requests) Author of changes: mbartosch Index: Makefile =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/scripts/Makefile,v retrieving revision 1.6.2.2 retrieving revision 1.6.2.3 diff -C2 -d -r1.6.2.2 -r1.6.2.3 *** Makefile 5 Aug 2005 10:50:36 -0000 1.6.2.2 --- Makefile 15 Dec 2005 13:55:35 -0000 1.6.2.3 *************** *** 36,40 **** # common for both CA and external server: ! install-ca install-ra: install # here is nothing to do --- 36,42 ---- # common for both CA and external server: ! install-ca: install ! ! install-ra: install # here is nothing to do |
From: <ope...@li...> - 2005-11-11 05:48:50
Update of /cvsroot/openca/openca-0.9/src/ocspd/src In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv1870 Modified Files: configuration.c Log Message: Author of changes: madwolf Index: configuration.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/configuration.c,v retrieving revision 1.11 retrieving revision 1.12 diff -C2 -d -r1.11 -r1.12 *** configuration.c 11 Nov 2005 05:46:32 -0000 1.11 --- configuration.c 11 Nov 2005 05:48:43 -0000 1.12 *************** *** 415,426 **** if( a->crl_url == NULL ) { ! if( a->ca_id ) { ! syslog( LOG_ERR, ! "Error reloading CRL for CA %s [URI]", ! a->ca_id ); ! } else { ! syslog( LOG_ERR, ! "Error reloading one CRL [%d]", i ); ! } continue; } --- 415,421 ---- if( a->crl_url == NULL ) { ! syslog( LOG_ERR, ! "Error reloading CRL for CA %s [URI]", ! a->ca_id ); continue; } |
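Review bot: The `*** 415,426 ****` hunk removes the `if( a->ca_id )` guard and now always executes `syslog( LOG_ERR, "Error reloading CRL for CA %s [URI]", a->ca_id );`; when `ca_id` is NULL this passes a null pointer to `%s`, which is undefined behaviour (glibc prints `(null)`, other libcs crash the responder), and the fallback message carrying the index `i` is lost. Keep the guard, or pass `a->ca_id ? a->ca_id : "(unknown)"`.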
Update of /cvsroot/openca/openca-0.9/src/ocspd/src In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv1413 Modified Files: Makefile.am Makefile.in config.h configuration.c general.h hash-db.c support.c Added Files: crypto.c crypto.h Log Message: Author of changes: --- NEW FILE: crypto.c --- /* * OCSP responder - Massimiliano Pala (ma...@op...) * OpenCA Licensed Software * * Copyright (c) 2001-2006 The OpenCA Project. All rights reserved. * * ==================================================================== * * This product includes cryptographic software written by Eric Young * (ea...@cr...). This product includes software written by Tim * Hudson (tj...@cr...). * */ #include "general.h" #include <openssl/asn1.h> #include <openssl/txt_db.h> #include <openssl/conf.h> #include <openssl/buffer.h> #include <openssl/x509.h> #include "crypto.h" extern int verbose; char * ocspd_parse_cdp_ext ( STACK_OF(X509) *sk_cert ) { STACK_OF(DIST_POINT) *sk_cdp = NULL; DIST_POINT *cdp = NULL; X509 *cert = NULL; STACK_OF(CONF_VALUE) *sk_val = NULL; CONF_VALUE *v = NULL; char *ret = NULL; int i = -1; int k = -1; if( (!sk_cert) || (sk_X509_num(sk_cert) < 1) ) { return NULL; }; if( (cert = sk_X509_value(sk_cert, 0)) == NULL ) { return NULL; } if(( sk_cdp=X509_get_ext_d2i(cert, NID_crl_distribution_points, NULL, NULL)) == NULL ) { return NULL; } /* Should we go through the whole stack ? Maybe, now we just take the first value... 
*/ if(( cdp = sk_DIST_POINT_pop( sk_cdp )) == NULL ) { sk_DIST_POINT_free( sk_cdp ); return NULL; } if( cdp->distpoint ) { if(cdp->distpoint->type == 0) { if( cdp->distpoint->name.fullname ) { sk_val = i2v_GENERAL_NAMES(NULL, cdp->distpoint->name.fullname, sk_val); k=0; for( ;; ) { v = sk_CONF_VALUE_value( sk_val, k++ ); if( v == NULL ) break; if( strncmp("URI", v->name, 3) == 0 ) { if( verbose ) syslog(LOG_INFO, "Found CDP in cert %s:%s", v->name, v->value ); ret = strdup( v->value ); break; } } sk_CONF_VALUE_free(sk_val); } } else { DIST_POINT_free( cdp ); sk_DIST_POINT_free( sk_cdp ); } } return ret; } --- NEW FILE: crypto.h --- /* src/tools/support.h */ /* * OCSP responder * by Massimiliano Pala (ma...@op...) * OpenCA project 2001 * * Copyright (c) 2001 The OpenCA Project. All rights reserved. * * ==================================================================== * * This product includes cryptographic software written by Eric Young * (ea...@cr...). This product includes software written by Tim * Hudson (tj...@cr...). * */ #ifndef _OCSPD_CRYPTO #define _OCSPD_CRYPTO #include <openssl/x509v3.h> char * ocspd_parse_cdp_ext ( STACK_OF(X509) *sk_cert ); #endif Index: Makefile.am =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/Makefile.am,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** Makefile.am 4 Nov 2005 00:32:09 -0000 1.16 --- Makefile.am 11 Nov 2005 05:46:32 -0000 1.17 *************** *** 30,34 **** if OCSPD_ARCH_LINUX OCSPD_MYLDFLAGS = ! # OCSPD_INCLUDE_LIBS = -ldl OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_LINUX=1 else --- 30,34 ---- if OCSPD_ARCH_LINUX OCSPD_MYLDFLAGS = ! 
OCSPD_INCLUDE_LIBS = -ldl OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_LINUX=1 else *************** *** 78,81 **** --- 78,82 ---- configuration.c configuration.h \ support.c support.h \ + crypto.c crypto.h \ http_client.c http_client.h \ ocsp_db.h hash-db.c $(ENGINE_SRC) Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/Makefile.in,v retrieving revision 1.19 retrieving revision 1.20 diff -C2 -d -r1.19 -r1.20 *** Makefile.in 4 Nov 2005 00:32:09 -0000 1.19 --- Makefile.in 11 Nov 2005 05:46:32 -0000 1.20 *************** *** 58,68 **** am__ocspd_SOURCES_DIST = ocspd.c ocspd.h general.h ocsp_response.c \ ocsp_response.h server.c server.h configuration.c \ ! configuration.h support.c support.h http_client.c \ ! http_client.h ocsp_db.h hash-db.c ocspd_engine.c \ ocspd_engine.h @HAVE_ENGINE_TRUE@am__objects_1 = ocspd_engine.$(OBJEXT) am_ocspd_OBJECTS = ocspd.$(OBJEXT) ocsp_response.$(OBJEXT) \ server.$(OBJEXT) configuration.$(OBJEXT) support.$(OBJEXT) \ ! http_client.$(OBJEXT) hash-db.$(OBJEXT) $(am__objects_1) ocspd_OBJECTS = $(am_ocspd_OBJECTS) am__DEPENDENCIES_1 = --- 58,69 ---- am__ocspd_SOURCES_DIST = ocspd.c ocspd.h general.h ocsp_response.c \ ocsp_response.h server.c server.h configuration.c \ ! configuration.h support.c support.h crypto.c crypto.h \ ! http_client.c http_client.h ocsp_db.h hash-db.c ocspd_engine.c \ ocspd_engine.h @HAVE_ENGINE_TRUE@am__objects_1 = ocspd_engine.$(OBJEXT) am_ocspd_OBJECTS = ocspd.$(OBJEXT) ocsp_response.$(OBJEXT) \ server.$(OBJEXT) configuration.$(OBJEXT) support.$(OBJEXT) \ ! crypto.$(OBJEXT) http_client.$(OBJEXT) hash-db.$(OBJEXT) \ ! 
$(am__objects_1) ocspd_OBJECTS = $(am_ocspd_OBJECTS) am__DEPENDENCIES_1 = *************** *** 138,144 **** LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ - MAINT = @MAINT@ - MAINTAINER_MODE_FALSE = @MAINTAINER_MODE_FALSE@ - MAINTAINER_MODE_TRUE = @MAINTAINER_MODE_TRUE@ MAKEINFO = @MAKEINFO@ OBJEXT = @OBJEXT@ --- 139,142 ---- *************** *** 247,250 **** --- 245,254 ---- @OCSPD_ARCH_BSD_TRUE@@OCSPD_ARCH_LINUX_FALSE@OCSPD_MYLDFLAGS = @OCSPD_ARCH_LINUX_TRUE@OCSPD_MYLDFLAGS = + @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_INCLUDE_LIBS = + @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_TRUE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_INCLUDE_LIBS = -ll + @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_TRUE@OCSPD_INCLUDE_LIBS = -ll -ldl -lnsl -lsocket -lposix4 + @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_TRUE@OCSPD_INCLUDE_LIBS = -ll -lIOKit + @OCSPD_ARCH_BSD_TRUE@@OCSPD_ARCH_LINUX_FALSE@OCSPD_INCLUDE_LIBS = + @OCSPD_ARCH_LINUX_TRUE@OCSPD_INCLUDE_LIBS = -ldl @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_UNKNOWN=1 @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_TRUE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_HPUX=1 *************** *** 252,262 **** @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_TRUE@OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_OSX=1 @OCSPD_ARCH_BSD_TRUE@@OCSPD_ARCH_LINUX_FALSE@OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_BSD=1 - # OCSPD_INCLUDE_LIBS = -ldl @OCSPD_ARCH_LINUX_TRUE@OCSPD_DEFS = $(BASE_DEFS) -DOCSPD_ARCH_LINUX=1 - @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_INCLUDE_LIBS = - 
@OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_HPUX_TRUE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_FALSE@OCSPD_INCLUDE_LIBS = -ll - @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_FALSE@@OCSPD_ARCH_SOLARIS_TRUE@OCSPD_INCLUDE_LIBS = -ll -ldl -lnsl -lsocket -lposix4 - @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_TRUE@OCSPD_INCLUDE_LIBS = -ll -lIOKit - @OCSPD_ARCH_BSD_TRUE@@OCSPD_ARCH_LINUX_FALSE@OCSPD_INCLUDE_LIBS = @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_TRUE@COND_INCLUDES = -I/System/Library/Frameworks/IOKit.framework/Headers/usb \ @OCSPD_ARCH_BSD_FALSE@@OCSPD_ARCH_LINUX_FALSE@@OCSPD_ARCH_OSX_TRUE@ -I/System/Library/Frameworks/IOKit.framework/Headers --- 256,260 ---- *************** *** 269,272 **** --- 267,271 ---- configuration.c configuration.h \ support.c support.h \ + crypto.c crypto.h \ http_client.c http_client.h \ ocsp_db.h hash-db.c $(ENGINE_SRC) *************** *** 281,285 **** .SUFFIXES: .SUFFIXES: .c .lo .o .obj ! $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ --- 280,284 ---- .SUFFIXES: .SUFFIXES: .c .lo .o .obj ! $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *************** *** 306,312 **** cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ! $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ! $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh --- 305,311 ---- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ! $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ! 
$(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh *************** *** 320,324 **** @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status src/config.h ! $(srcdir)/config.h.in: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) cd $(top_srcdir) && $(AUTOHEADER) rm -f stamp-h1 --- 319,323 ---- @rm -f stamp-h1 cd $(top_builddir) && $(SHELL) ./config.status src/config.h ! $(srcdir)/config.h.in: $(am__configure_deps) cd $(top_srcdir) && $(AUTOHEADER) rm -f stamp-h1 *************** *** 366,369 **** --- 365,369 ---- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash-db.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_client.Po@am__quote@ Index: configuration.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/configuration.c,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** configuration.c 6 Oct 2005 10:24:39 -0000 1.10 --- configuration.c 11 Nov 2005 05:46:32 -0000 1.11 *************** *** 232,236 **** /* Now process the CRL data */ if ((crlUrl_s = NCONF_get_string(conf->conf, ! ca_section, ENV_OCSPD_CRL_URL)) == NULL) { if( verbose ) --- 232,240 ---- /* Now process the CRL data */ if ((crlUrl_s = NCONF_get_string(conf->conf, ! ca_section, ENV_OCSPD_CRL_URL))==NULL) { ! ! X509 *x = NULL; ! ! x = sk_X509_value(ca->cert, 0); if( verbose ) *************** *** 238,244 **** ENV_OCSPD_CRL_URL); ! continue; }; bzero(&crl_data, sizeof(crl_data)); --- 242,272 ---- ENV_OCSPD_CRL_URL); ! /* If the CDP extension is present in ! the CA CERTIFICATE and the cert is ! self-signed */ ! if( X509_NAME_cmp( ! X509_get_subject_name(x), ! X509_get_issuer_name(x)) == 0 ) { ! ! if( verbose ) ! syslog(LOG_INFO, ! "Root CA found, check for " ! "CDP extension"); ! ! 
if( crlUrl_s=ocspd_parse_cdp_ext(ca->cert)) { ! if (verbose) ! syslog( LOG_INFO, "Using CDP " ! "extension from CA cert" ); ! } else { ! syslog( LOG_ERR, "ERROR: no CRL url" ! "available (CONFIG, CA cert " ! "CDP extension)" ); ! } ! } }; + /* Set the ID of the CA */ + ca->ca_id = ca_section; + bzero(&crl_data, sizeof(crl_data)); *************** *** 278,284 **** } - /* Set the ID of the CA */ - ca->ca_id = ca_section; - if((ca->crl = ocspd_get_crl( crl_data.url )) == NULL) { syslog(LOG_ERR, "Error Loading CRL for [ %s ]", --- 306,309 ---- *************** *** 390,395 **** if( a->crl_url == NULL ) { ! syslog( LOG_ERR, "Error reloading CRL for CA %s [URI]", a->ca_id ); continue; } --- 415,426 ---- if( a->crl_url == NULL ) { ! if( a->ca_id ) { ! syslog( LOG_ERR, ! "Error reloading CRL for CA %s [URI]", a->ca_id ); + } else { + syslog( LOG_ERR, + "Error reloading one CRL [%d]", i ); + } continue; } *************** *** 451,464 **** if( sk_X509_num(cacert) < 1 ) { if(verbose) ! syslog(LOG_ERR, "No CA cert loaded"); return(-2); } ! final = -1; for( i = 0; i < sk_X509_num(cacert); i++ ) { /* Gets the Public Key of the CA Certificate */ ! if((pkey = X509_get_pubkey(sk_X509_value(cacert,i))) == NULL ) return(-3); /* Checks the CRL - 0 if failure, > 0 if successful */ --- 482,509 ---- if( sk_X509_num(cacert) < 1 ) { if(verbose) ! syslog(LOG_ERR, "No CA cert loaded (%d)", ! sk_X509_num(cacert)); return(-2); } ! final = -99; for( i = 0; i < sk_X509_num(cacert); i++ ) { + X509 *x = NULL; + BIO *out = NULL; + + if( (x = sk_X509_value(cacert,i)) == NULL ) { + continue; + } + pkey = X509_get_pubkey( x ); /* Gets the Public Key of the CA Certificate */ ! if(pkey == NULL ) { ! syslog( LOG_ERR, "ERROR parsing Pub Key from CA Cert " ! " [%d]", i ); return(-3); + } + + /* Ever CLEAR the error queue!!!! 
*/ + ERR_clear_error(); /* Checks the CRL - 0 if failure, > 0 if successful */ Index: general.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/general.h,v retrieving revision 1.18 retrieving revision 1.19 diff -C2 -d -r1.18 -r1.19 *** general.h 4 Nov 2005 00:32:09 -0000 1.18 --- general.h 11 Nov 2005 05:46:32 -0000 1.19 *************** *** 1,3 **** ! /* OpenCA OCSP daemon - (c) 2000-2004 by Massimiliano Pala and OpenCA Group */ #ifndef HEADER_OPENCA_OCSPD_GENERAL_H --- 1,9 ---- ! /* OpenCA OCSP responder ! * (c) 2000-2006 by Massimiliano Pala and OpenCA Group ! * All Rights Reserved ! * ! * =================================================================== ! * Released under OpenCA LICENSE ! */ #ifndef HEADER_OPENCA_OCSPD_GENERAL_H *************** *** 5,8 **** --- 11,15 ---- #include "config.h" + #include "crypto.h" /* External Variables */ Index: hash-db.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/hash-db.c,v retrieving revision 1.7 retrieving revision 1.8 diff -C2 -d -r1.7 -r1.8 *** hash-db.c 4 Nov 2005 00:32:09 -0000 1.7 --- hash-db.c 11 Nov 2005 05:46:32 -0000 1.8 *************** *** 220,223 **** --- 220,224 ---- BIO_reset( membio ); + ERR_clear_error(); /* Is it DER encoded (???) 
*/ *************** *** 327,330 **** --- 328,332 ---- == NULL ) { BIO_reset( membio ); + ERR_clear_error(); crl = ocspd_X509_CRL_bio( membio, FORMAT_PEM ); } *************** *** 408,411 **** --- 410,414 ---- if ( (ret=PEM_read_bio_X509(mem,NULL,NULL,NULL)) == NULL ) { BIO_reset(mem); + ERR_clear_error(); if ( ocspd_parse_http_headers ( mem ) == 0 ) { if( mem ) BIO_free_all(mem); *************** *** 418,421 **** --- 421,425 ---- syslog( LOG_ERR, "ERROR -- Unknown CA cert" " format (should either PEM or DER)"); + ERR_clear_error(); } else { if( verbose ) *************** *** 487,490 **** --- 491,495 ---- /* If it is not in DER format, let's try the PEM one */ BIO_reset(mem); + ERR_clear_error(); /* Parse the headers again... */ *************** *** 498,501 **** --- 503,507 ---- syslog(LOG_ERR, "ERROR -- unknown CRL format (should " "be PEM or DER encoded)"); + ERR_clear_error(); } else { if(verbose) *************** *** 885,886 **** --- 891,893 ---- } + Index: support.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/support.c,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** support.c 20 Oct 2005 13:22:24 -0000 1.8 --- support.c 11 Nov 2005 05:46:32 -0000 1.9 *************** *** 369,370 **** --- 369,371 ---- return 1; } + |
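Review bot: the Log Message for this commit is empty, yet it adds two source files, wires them into the build, changes how CRL URLs are discovered and changes error handling in the CRL check. At minimum record the new CDP-based CRL location and the `ERR_clear_error()` additions so the ChangeLog can be derived from it.

Review bot: `ocspd_parse_cdp_ext` in crypto.c leaks on its success path. `sk_DIST_POINT_pop` removes the entry from `sk_cdp`, and `cdp` plus the remaining stack are freed only in the `else` branch (when `cdp->distpoint` is NULL); when a URI is found, neither `DIST_POINT_free( cdp )` nor `sk_DIST_POINT_free( sk_cdp )` runs, so every CA load leaks the parsed extension. Free `cdp` and `sk_cdp` (for example with `sk_DIST_POINT_pop_free( sk_cdp, DIST_POINT_free )`) after `ret` has been set. Note also that `sk_pop` returns the last element, so the comment "we just take the first value" is wrong for certificates with several distribution points, and only `distpoint->type == 0` (fullName) is handled, so a nameRelativeToCRLIssuer point is silently ignored with no log line. Finally, the returned string comes from `strdup`, so the caller owns it; see the configuration.c comment below about mixing it with `NCONF_get_string` results.

Review bot: crypto.h opens with the stale file comment `/* src/tools/support.h */`, and its guard macro `_OCSPD_CRYPTO` is a reserved identifier (leading underscore followed by an uppercase letter); use something like `OCSPD_CRYPTO_H` and fix the comment.

Review bot: in the configuration.c 232/238 hunks the `continue;` that followed the "no CRL URL" log line was removed, so when the CA is not self-signed, or the CDP holds no URI, the loop now logs the error and falls through with `crlUrl_s == NULL` into the `crl_data` setup and the later `ocspd_get_crl( crl_data.url )`. Unless the elided lines handle a NULL URL, restore the `continue` in the failure branches. Other points in the same hunk: `x = sk_X509_value(ca->cert, 0)` is passed to `X509_get_subject_name` without a NULL check, so an empty `ca->cert` stack crashes here; the split literal `"ERROR: no CRL url" "available ..."` prints "urlavailable" (missing space); `if( crlUrl_s=ocspd_parse_cdp_ext(ca->cert))` should be written `if( (crlUrl_s = ...) != NULL )` to make the assignment intentional; and `crlUrl_s` now aliases either a `NCONF_get_string` pointer owned by the config or a `strdup`'d buffer owned by the caller, so whichever path frees it will be wrong for the other. Moving `ca->ca_id = ca_section` ahead of the CRL load is the right fix for the reload error message.

Review bot: in the 451 hunk `BIO *out = NULL;` is declared but never used in the visible lines, the comment should read "Always clear the error queue" (not "Ever"), and the format string `"ERROR parsing Pub Key from CA Cert " " [%d]"` yields a double space. Changing the initial value of `final` from -1 to -99 only matters if callers compare the return value against specific codes; if a CA with no usable certificate leaves `final` at -99 after the loop, document that value next to the existing -2 and -3 returns. Unrelated to this change but on the context line: the "No CA cert loaded" `LOG_ERR` message is only emitted under `verbose`, which hides a hard failure in normal operation.

Review bot: the `ERR_clear_error()` calls added in hash-db.c after each `BIO_reset` are the right fix, since the failed DER attempt would otherwise leave OpenSSL errors queued for the PEM retry (and for the later signature check). The hunks at hash-db.c 885 and support.c 369, however, only append a blank line at end of file; keep whitespace-only changes out of a functional commit.

Review bot: the regenerated Makefile.in also drops the `MAINTAINER_MODE` variables and the `@MAINTAINER_MODE_TRUE@` prerequisites on the rebuild rules. That is a side effect of regenerating with a different configure input/automake, not part of adding crypto.c; commit regenerated build files together with the configure.in change that caused them so the functional diff stays readable.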
From: <ope...@li...> - 2005-11-04 21:52:44
Update of /cvsroot/openca/openca-0.9/src/ocspd/src In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26428/src Modified Files: config.h server.c server.h Log Message: Fixed RedHat packaging, fixed init-script on solaris/macos. Verified MacOS porting. -- madwolf Author of changes: madwolf Index: server.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/server.c,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** server.c 4 Nov 2005 00:32:09 -0000 1.17 --- server.c 4 Nov 2005 21:52:35 -0000 1.18 *************** *** 134,137 **** --- 134,140 ---- spawn_children( &bio_socket, max_child, ocspd_conf ); + /* Register the alrm handler */ + set_parent_alrm_handler(); + // Register signal handlers signal( SIGCHLD, child_died ); *************** *** 766,775 **** int i=0; int pid = 0; - /* - int ppid = 0; - int min_alarm = 0; - struct passwd *pw = NULL; - struct group *gr = NULL; - */ if(verbose) --- 769,772 ---- *************** *** 777,791 **** max_child, live_childrens ); - /* - if( (pw = getpwnam( ocspd_conf->user ) ) == NULL ) { - syslog( LOG_ERR, "Cannot find user %s", ocspd_conf->user); - return 0; - } - if( (gr = getgrnam( ocspd_conf->group ) ) == NULL ) { - syslog( LOG_ERR, "Cannot find group %s", ocspd_conf->group); - return 0; - } - */ - /* Let's init the client list, -1 means free space */ for( i = 0 ; i < max_child; i++ ) { --- 774,777 ---- *************** *** 797,823 **** if ( pid == 0 ) { /* child */ ! // Register signal handlers ! signal( SIGCHLD, SIG_DFL ); ! signal( SIGALRM, SIG_IGN ); ! #ifdef SIGHUP ! signal( SIGHUP, child_sighup ); ! #endif ! signal( SIGTERM, exit_child ); ! signal( SIGKILL, exit_child ); ! signal( SIGSTOP, exit_child ); ! ! /* ! if (setgid (gr->gr_gid) == -1) { ! syslog(LOG_ERR,"Error setting group %d (%s)", ! gr->gr_gid, ocspd_conf->user); ! _exit(1); ! } ! if (setuid (pw->pw_uid) == -1) { ! syslog(LOG_ERR,"Error setting user%d (%s)", ! 
gr->gr_gid, ocspd_conf->group); ! _exit(1); ! } ! */ ! handle_connection( bio, ocspd_conf ); _exit(0); --- 783,787 ---- if ( pid == 0 ) { /* child */ ! set_child_sig_handlers(); handle_connection( bio, ocspd_conf ); _exit(0); *************** *** 836,839 **** --- 800,826 ---- } + if( verbose ) + syslog( LOG_INFO, "%s:%d Active Childrens [ %d ]", + __FILE__, __LINE__, live_childrens ); + + return 1; + } + + int set_child_sig_handlers( void ) { + /* Register signal handlers */ + signal( SIGCHLD, SIG_DFL ); + signal( SIGALRM, SIG_IGN ); + #ifdef SIGHUP + signal( SIGHUP, child_sighup ); + #endif + signal( SIGTERM, exit_child ); + signal( SIGKILL, exit_child ); + signal( SIGSTOP, exit_child ); + + return 1; + } + + int set_parent_alrm_handler( void ) { + /* Now on the parent process we setup the auto_checking functions */ *************** *** 861,868 **** } - if( verbose ) - syslog( LOG_INFO, "%s:%d Active Childrens [ %d ]", - __FILE__, __LINE__, live_childrens ); - return 1; } --- 848,851 ---- *************** *** 883,886 **** --- 866,872 ---- ocspd_conf->current_crl_reload = 0; + + /* Calling signal seems to be needed on Solaris(!?!) */ + signal( SIGALRM, auto_crl_check ); alarm( ocspd_conf->alarm_decrement ); server_status = RELOAD; *************** *** 912,916 **** --- 898,906 ---- ca->ca_id ); if ( ocspd_conf->crl_reload_expired == 1 ) { + /* Calling signal seems to be + needed on Solaris(!?!) */ + signal( SIGALRM, auto_crl_check ); alarm( ocspd_conf->crl_check_validity ); + if( verbose ) { syslog(LOG_INFO, *************** *** 955,958 **** --- 945,950 ---- ocspd_conf->crl_check_validity ); + /* Calling signal seems to be needed on Solaris(!?!) 
*/ + signal( SIGALRM, auto_crl_check ); alarm( ocspd_conf->crl_check_validity ); } Index: server.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/server.h,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** server.h 4 Nov 2005 00:32:09 -0000 1.9 --- server.h 4 Nov 2005 21:52:35 -0000 1.10 *************** *** 2,6 **** * OCSP responder * by Massimiliano Pala (ma...@op...) ! * OpenCA project 2001 * * Copyright (c) 2001 The OpenCA Project. All rights reserved. --- 2,6 ---- * OCSP responder * by Massimiliano Pala (ma...@op...) ! * OpenCA Licensed Software * * Copyright (c) 2001 The OpenCA Project. All rights reserved. *************** *** 14,17 **** --- 14,20 ---- */ + #ifndef _OCSPD_SERVER + #define OCSPD_SERVER + #define MAX_IN_LINES 16536 #ifdef OPENSSL_SYS_WIN16 *************** *** 68,69 **** --- 71,77 ---- int check_crl_validity ( CA_LIST_ENTRY *ca ); int delete_all_childs( void ); + + int set_child_sig_handlers( void ); + int set_parent_alrm_handler( void ); + + #endif |
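Review bot: `set_child_sig_handlers()` (836 hunk) carries over `signal( SIGKILL, exit_child )` and `signal( SIGSTOP, exit_child )`; those two signals cannot be caught, so both calls fail with EINVAL and should be removed. In the same spawn_children rewrite the commented-out `setgid`/`setuid` block is deleted rather than implemented, so the worker children keep the parent's identity; if privileges are dropped elsewhere before `spawn_children` is called, a comment at the call site would make that clear, otherwise this is the place to do it (the deleted code also had its arguments swapped: the `setuid` failure message printed `gr->gr_gid` and `ocspd_conf->group`).

Review bot: re-issuing `signal( SIGALRM, auto_crl_check )` inside the handler works around System V semantics, where `signal()` resets the disposition to SIG_DFL on delivery, but it leaves a window between handler entry and re-registration in which a second SIGALRM kills the process. Installing the handler once with `sigaction()` (no `SA_RESETHAND`) removes the Solaris-specific workaround and the three duplicated `signal()` calls in the 883, 912 and 955 hunks. Also worth noting: `auto_crl_check` calls `syslog()` from handler context, which is not async-signal-safe; setting a flag and doing the reload from the main loop would be safer.

Review bot: the new include guard in server.h is broken: it tests `#ifndef _OCSPD_SERVER` but defines `OCSPD_SERVER`, so the macro tested is never defined and the guard does nothing. Use the same name in both lines, preferably without the leading underscore (reserved identifier), e.g. `OCSPD_SERVER_H`.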
From: <ope...@li...> - 2005-11-04 21:52:43
Update of /cvsroot/openca/openca-0.9/src/ocspd In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26428 Modified Files: AUTHORS ChangeLog README VERSION Log Message: Fixed RedHat packaging, fixed init-script on solaris/macos. Verified MacOS porting. -- madwolf Author of changes: madwolf Index: AUTHORS =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/AUTHORS,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** AUTHORS 12 Aug 2002 12:42:44 -0000 1.1 --- AUTHORS 4 Nov 2005 21:52:35 -0000 1.2 *************** *** 1,9 **** ! Project Author(s) Massimiliano Pala <ma...@op...> ! Project Contributor(s) Many thanks go to the people of the OpenSSL project from where some of the used code comes from. Many thanks to all of them, now and forever. ! Project Beta Tester(s) --- 1,16 ---- ! Project Author(s): Massimiliano Pala <ma...@op...> ! Project Contributor(s): Many thanks go to the people of the OpenSSL project from where some of the used code comes from. Many thanks to all of them, now and forever. ! Additional contribution (in no particular order) from: ! * Sergei Vyshenski ! * Julia Dubenskaya ! ! Project Alpha and Beta Tester(s) (in no particular order): ! * Maselli Giovanni Francesco ! * Guillaume Tamboise ! 
* Apu Kapadia Index: ChangeLog =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/ChangeLog,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** ChangeLog 20 Oct 2005 13:22:23 -0000 1.13 --- ChangeLog 4 Nov 2005 21:52:35 -0000 1.14 *************** *** 1,2 **** --- 1,7 ---- + * Thu Nov 3 19:33:21 EST 2005 Massimiliano Pala <ma...@op...> + -Fixed compile against OpenSSL 0.9.8a + -Fixed HTTP downloading routines for CRLs and CA certs + -Fixed Solaris Port for Signal Handling on CRLs check and reloading + * Thu Oct 20 09:19:27 EDT 2005 Massimiliano Pala <ma...@op...> -Added extra checking on initialization of variables to avoid errors Index: README =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/README,v retrieving revision 1.2 retrieving revision 1.3 diff -C2 -d -r1.2 -r1.3 *** README 17 May 2004 17:15:39 -0000 1.2 --- README 4 Nov 2005 21:52:35 -0000 1.3 *************** *** 1,5 **** ============================================================================= OpenCA's OCSP Responder ! (c) 2002, 2003, 2004 by Massimiliano Pala and OpenCA Group OpenCA Licesed Software ============================================================================= --- 1,5 ---- ============================================================================= OpenCA's OCSP Responder ! (c) 2001-2006 by Massimiliano Pala and OpenCA Group OpenCA Licesed Software ============================================================================= Index: VERSION =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/VERSION,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** VERSION 20 Oct 2005 13:22:23 -0000 1.16 --- VERSION 4 Nov 2005 21:52:35 -0000 1.17 *************** *** 1 **** ! 1.0.7 --- 1 ---- ! 1.1.0a |
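Review bot: the README hunk updates the copyright years but leaves the typo on the unchanged context line directly below it, `OpenCA Licesed Software`; fix it to "Licensed" while touching the header. The VERSION bump to 1.1.0a matches the new `%define ver` in the spec file of the same commit.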
From: <ope...@li...> - 2005-11-04 21:52:43
Update of /cvsroot/openca/openca-0.9/src/ocspd/contrib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26428/contrib Modified Files: OpenCA-OCSPD.spec Log Message: Fixed RedHat packaging, fixed init-script on solaris/macos. Verified MacOS porting. -- madwolf Author of changes: madwolf Index: OpenCA-OCSPD.spec =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/contrib/OpenCA-OCSPD.spec,v retrieving revision 1.4 retrieving revision 1.5 diff -C2 -d -r1.4 -r1.5 *** OpenCA-OCSPD.spec 6 Oct 2005 10:24:39 -0000 1.4 --- OpenCA-OCSPD.spec 4 Nov 2005 21:52:35 -0000 1.5 *************** *** 1,3 **** ! %define ver 1.0.6 %define RELEASE 1 %define rel %{?CUSTOM_RELEASE} %{!?CUSTOM_RELEASE:%RELEASE} --- 1,3 ---- ! %define ver 1.1.0a %define RELEASE 1 %define rel %{?CUSTOM_RELEASE} %{!?CUSTOM_RELEASE:%RELEASE} *************** *** 12,16 **** Version: %ver Release: %rel ! Copyright: OpenCA Licensed Software Group: Network/Daemons Source: OpenCA-OCSPD-%{ver}.tar.gz --- 12,16 ---- Version: %ver Release: %rel ! License: OpenCA License (BSD Style) Group: Network/Daemons Source: OpenCA-OCSPD-%{ver}.tar.gz *************** *** 72,75 **** --- 72,80 ---- %changelog + * Thu Nov 3 2005 Massimiliano Pala <ma...@op...> + -Fixed compile against OpenSSL 0.9.8a + -Fixed HTTP downloading routines for CRLs and CA certs + -Fixed Solaris Port for Signal Handling on CRLs check and reloading + * Thu Oct 6 2005 Massimiliano Pala <ma...@op...> -Fixed variables init (for Solaris) and code cleanup |
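Review bot: the spec file was at `%define ver 1.0.6` while the VERSION file in this same commit series was already 1.0.7, so the two had drifted; now that both read 1.1.0a, consider generating the spec's version from VERSION (the spec is a `.spec` in contrib, so a configure-time substitution is the usual approach) so the package version cannot lag the source again. Replacing the deprecated `Copyright:` tag with `License:` is correct.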
From: <ope...@li...> - 2005-11-04 21:52:43
Update of /cvsroot/openca/openca-0.9/src/ocspd/etc In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv26428/etc Modified Files: ocspd.in Log Message: Fixed RedHat packaging, fixed init-script on solaris/macos. Verified MacOS porting. -- madwolf Author of changes: madwolf Index: ocspd.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/etc/ocspd.in,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** ocspd.in 15 Jun 2005 17:04:51 -0000 1.1 --- ocspd.in 4 Nov 2005 21:52:35 -0000 1.2 *************** *** 12,16 **** # Source function library. ! . /etc/rc.d/init.d/functions ocspd="${sbin}/ocspd"; --- 12,16 ---- # Source function library. ! # . /etc/rc.d/init.d/functions ocspd="${sbin}/ocspd"; *************** *** 31,39 **** if [ -f "$pidfile" ] ; then pid=`cat $pidfile`; ! if [ "x$pid" = "x" ] ; then ! killall -15 ocspd ! else kill -15 ${pid} ! fi fi echo "Done." --- 31,42 ---- if [ -f "$pidfile" ] ; then pid=`cat $pidfile`; ! # if [ "x$pid" = "x" ] ; then ! # killall -15 ocspd ! # else kill -15 ${pid} ! # fi ! rm -f "$pidfile" ! else ! echo "Missing pidfile (already stopped?)" fi echo "Done." |
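Review bot: with the `if [ "x$pid" = "x" ]` check commented out, an empty pidfile now runs `kill -15` with no PID, which prints a usage error, and the script then removes the pidfile and reports "Done." anyway. Keep the empty-PID check (exit with an error instead of falling back to `killall`), and only remove the pidfile after `kill` succeeded, ideally after the process has actually gone, since `stop` followed immediately by `start` can otherwise race with the old daemon still shutting down. Commenting out `. /etc/rc.d/init.d/functions` is fine for the Solaris/macOS ports as long as nothing else in the script still uses its helper functions (`daemon`, `killproc`, `status`); the commented-out lines themselves should be deleted rather than left in place.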
From: <ope...@li...> - 2005-11-04 00:32:28
Update of /cvsroot/openca/openca-0.9/src/ocspd/build In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899/build Modified Files: config.sub ltmain.sh Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: madwolf Index: config.sub =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/build/config.sub,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** config.sub 18 Jan 2005 13:00:08 -0000 1.3 --- config.sub 4 Nov 2005 00:32:09 -0000 1.4 *************** *** 261,265 **** | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ ! | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv9 | sparcv9b \ | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ --- 261,265 ---- | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ ! | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \ | strongarm \ | tahoe | thumb | tic4x | tic80 | tron \ *************** *** 335,339 **** | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ ! | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ --- 335,339 ---- | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ ! | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ | tahoe-* | thumb-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ *************** *** 1052,1056 **** basic_machine=sh64-unknown ;; ! sparc | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; --- 1052,1056 ---- basic_machine=sh64-unknown ;; ! 
sparc | sparcv8 | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; Index: ltmain.sh =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/build/ltmain.sh,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** ltmain.sh 18 Jan 2005 13:00:08 -0000 1.3 --- ltmain.sh 4 Nov 2005 00:32:09 -0000 1.4 *************** *** 2,6 **** # NOTE: Changing this file will not affect anything until you rerun configure. # ! # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004 # Free Software Foundation, Inc. # Originally by Gordon Matzigkeit <go...@gn...>, 1996 --- 2,6 ---- # NOTE: Changing this file will not affect anything until you rerun configure. # ! # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005 # Free Software Foundation, Inc. [...1266 lines suppressed...] ;; --- 5430,5434 ---- arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"` case $arg in ! *$quote_scanset* | *]* | *\|* | *\&* | *\(* | *\)* | "") arg="\"$arg\"" ;; *************** *** 6398,6402 **** $echo "Try \`$modename --help' for more information about other modes." ! exit $EXIT_SUCCESS # The TAGs below are defined such that we never get into a situation --- 6469,6473 ---- $echo "Try \`$modename --help' for more information about other modes." ! exit $? # The TAGs below are defined such that we never get into a situation |
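Review bot: config.sub and ltmain.sh are upstream-maintained files that `autoreconf`/`libtoolize` will overwrite, so the hand-added `sparcv8` entries in the three config.sub hunks will disappear on the next regeneration. Check whether a current upstream config.sub already recognises sparcv8 and take that copy instead of patching locally; if a local patch is unavoidable, note it in the commit message so the next person regenerating the build directory knows to re-apply it.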
From: <ope...@li...> - 2005-11-04 00:32:28
Update of /cvsroot/openca/openca-0.9/src/ocspd/contrib In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899/contrib Modified Files: autogen.sh Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: madwolf Index: autogen.sh =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/contrib/autogen.sh,v retrieving revision 1.1 retrieving revision 1.2 diff -C2 -d -r1.1 -r1.2 *** autogen.sh 12 Aug 2002 12:42:44 -0000 1.1 --- autogen.sh 4 Nov 2005 00:32:09 -0000 1.2 *************** *** 8,11 **** ## autoheader automake --add-missing --copy ! autoreconf --localdir=build --gnu --- 8,12 ---- ## autoheader automake --add-missing --copy ! # autoreconf --localdir=build --gnu ! autoreconf |
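Review bot: the old `autoreconf --localdir=build --gnu` line should be deleted rather than kept as a comment. More importantly, the bare `autoreconf` no longer tells autoconf where the auxiliary scripts live, and the same commit keeps `config.sub` and `ltmain.sh` under `build/`; make sure configure.in carries `AC_CONFIG_AUX_DIR([build])` (and pass `-I build` if local m4 macros are kept there) so the regenerated configure still finds them.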
From: <ope...@li...> - 2005-11-04 00:32:28
Update of /cvsroot/openca/openca-0.9/src/ocspd/etc In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899/etc Modified Files: Makefile.in Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: madwolf Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/etc/Makefile.in,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** Makefile.in 27 Apr 2005 13:33:46 -0000 1.14 --- Makefile.in 4 Nov 2005 00:32:09 -0000 1.15 *************** *** 1,7 **** ! # Makefile.in generated by automake 1.9.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, --- 1,7 ---- ! # Makefile.in generated by automake 1.9.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004, 2005 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, |
From: <ope...@li...> - 2005-11-04 00:32:28
Update of /cvsroot/openca/openca-0.9/src/ocspd/docs In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899/docs Modified Files: Makefile.in Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: madwolf Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/docs/Makefile.in,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** Makefile.in 27 Apr 2005 13:33:46 -0000 1.16 --- Makefile.in 4 Nov 2005 00:32:09 -0000 1.17 *************** *** 1,7 **** ! # Makefile.in generated by automake 1.9.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, --- 1,7 ---- ! # Makefile.in generated by automake 1.9.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004, 2005 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, |
From: <ope...@li...> - 2005-11-04 00:32:27
Update of /cvsroot/openca/openca-0.9/src/ocspd In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899 Modified Files: Makefile.in aclocal.m4 configure configure.in Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: madwolf Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/Makefile.in,v retrieving revision 1.22 retrieving revision 1.23 diff -C2 -d -r1.22 -r1.23 *** Makefile.in 6 Oct 2005 10:24:39 -0000 1.22 --- Makefile.in 4 Nov 2005 00:32:09 -0000 1.23 *************** *** 1,7 **** ! # Makefile.in generated by automake 1.9.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, --- 1,7 ---- ! # Makefile.in generated by automake 1.9.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004, 2005 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, *************** *** 322,326 **** # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): ! @set fnord $$MAKEFLAGS; amf=$$2; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ --- 322,332 ---- # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): ! @failcom='exit 1'; \ ! for f in x $$MAKEFLAGS; do \ ! case $$f in \ ! *=* | --[!k]*);; \ ! *k*) failcom='fail=yes';; \ ! esac; \ ! done; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ *************** *** 334,338 **** fi; \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ ! 
|| case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ done; \ if test "$$dot_seen" = "no"; then \ --- 340,344 ---- fi; \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ ! || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ *************** *** 342,346 **** mostlyclean-recursive clean-recursive distclean-recursive \ maintainer-clean-recursive: ! @set fnord $$MAKEFLAGS; amf=$$2; \ dot_seen=no; \ case "$@" in \ --- 348,358 ---- mostlyclean-recursive clean-recursive distclean-recursive \ maintainer-clean-recursive: ! @failcom='exit 1'; \ ! for f in x $$MAKEFLAGS; do \ ! case $$f in \ ! *=* | --[!k]*);; \ ! *k*) failcom='fail=yes';; \ ! esac; \ ! done; \ dot_seen=no; \ case "$@" in \ *************** *** 363,367 **** fi; \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ ! || case "$$amf" in *=*) exit 1;; *k*) fail=yes;; *) exit 1;; esac; \ done && test -z "$$fail" tags-recursive: --- 375,379 ---- fi; \ (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ ! || eval $$failcom; \ done && test -z "$$fail" tags-recursive: Index: aclocal.m4 =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/aclocal.m4,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** aclocal.m4 18 Jan 2005 15:15:45 -0000 1.10 --- aclocal.m4 4 Nov 2005 00:32:09 -0000 1.11 *************** *** 1,6 **** ! # generated automatically by aclocal 1.9.2 -*- Autoconf -*- ! # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 ! # Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, --- 1,6 ---- ! # generated automatically by aclocal 1.9.5 -*- Autoconf -*- ! # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, [...2701 lines suppressed...] --- 7002,7012 ---- # Check how to create a tarball. -*- Autoconf -*- ! 
# Copyright (C) 2004, 2005 Free Software Foundation, Inc. ! # ! # This file is free software; the Free Software Foundation ! # gives unlimited permission to copy and/or distribute it, ! # with or without modifications, as long as this notice is preserved. + # serial 2 # _AM_PROG_TAR(FORMAT) *************** *** 7042,7045 **** --- 7096,7100 ---- ]) # _AM_PROG_TAR + dnl Check for OCSP support libraries in installed openssl dnl maybe a better check for the libraries should be required Index: configure =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/configure,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** configure 27 Apr 2005 13:33:44 -0000 1.17 --- configure 4 Nov 2005 00:32:09 -0000 1.18 *************** *** 279,283 **** # The HP-UX ksh and POSIX shell print the target directory to stdout # if CDPATH is set. ! if test "X${CDPATH+set}" = Xset; then CDPATH=:; export CDPATH; fi if test -z "$ECHO"; then --- 279,283 ---- # The HP-UX ksh and POSIX shell print the target directory to stdout # if CDPATH is set. ! (unset CDPATH) >/dev/null 2>&1 && unset CDPATH [...3812 lines suppressed...] *** 21153,21161 **** openssl_cflags= ! openssl_libs="-lcrypto -lssl" if [ x${openssl_prefix} != x ]; then openssl_cflags=-I${openssl_prefix}/include ! openssl_libs="-L${openssl_prefix}/lib -L${openssl_prefix} -lcrypto -lssl" openssl_setup=yes --- 21641,21649 ---- openssl_cflags= ! openssl_libs="-lssl -lcrypto -ldl" if [ x${openssl_prefix} != x ]; then openssl_cflags=-I${openssl_prefix}/include ! 
openssl_libs="-L${openssl_prefix}/lib -L${openssl_prefix} -lssl -lcrypto -ldl" openssl_setup=yes Index: configure.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/configure.in,v retrieving revision 1.13 retrieving revision 1.14 diff -C2 -d -r1.13 -r1.14 *** configure.in 27 Apr 2005 13:33:45 -0000 1.13 --- configure.in 4 Nov 2005 00:32:09 -0000 1.14 *************** *** 11,15 **** AC_CANONICAL_SYSTEM AM_INIT_AUTOMAKE(OpenCA-OCSPD,`cat VERSION` ) ! dnl AM_CONFIG_HEADER(config.h) dnl Options. --- 11,15 ---- AC_CANONICAL_SYSTEM AM_INIT_AUTOMAKE(OpenCA-OCSPD,`cat VERSION` ) ! # AM_CONFIG_HEADER(config.h) dnl Options. *************** *** 139,148 **** dnl Defaults openssl_cflags= ! openssl_libs="-lcrypto -lssl" dnl Now see if the user specified openssl_prefix if [[ x${openssl_prefix} != x ]]; then openssl_cflags=[-I${openssl_prefix}/include] ! openssl_libs=["-L${openssl_prefix}/lib -L${openssl_prefix} -lcrypto -lssl"] openssl_setup=yes dnl AC_MSG_RESULT( [User specified --with-openssl-prefix]) --- 139,148 ---- dnl Defaults openssl_cflags= ! openssl_libs="-lssl -lcrypto -ldl" dnl Now see if the user specified openssl_prefix if [[ x${openssl_prefix} != x ]]; then openssl_cflags=[-I${openssl_prefix}/include] ! openssl_libs=["-L${openssl_prefix}/lib -L${openssl_prefix} -lssl -lcrypto -ldl"] openssl_setup=yes dnl AC_MSG_RESULT( [User specified --with-openssl-prefix]) |
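Review bot: `-ldl` is now appended unconditionally to `openssl_libs` in configure.in, in both the default branch and the `--with-openssl-prefix` branch (and the regenerated configure carries the same strings). Platforms without a separate libdl, the BSDs among them, will fail at link time. Probe for it instead, e.g. `AC_CHECK_LIB(dl, dlopen)`, and add it to `openssl_libs` only when the probe succeeds. Putting `-lssl` before `-lcrypto` is the right order for static linking and needs no change.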
Update of /cvsroot/openca/openca-0.9/src/ocspd/src In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv6899/src Modified Files: Makefile.am Makefile.in config.h general.h hash-db.c server.c server.h Added Files: http_client.c http_client.h Log Message: Fixed OpenSSL-0.9.8 port and improved HTTP load of CRLs and CA Certs. --- madwolf Author of changes: --- NEW FILE: http_client.c --- /* * OCSP responder * by Massimiliano Pala (ma...@op...) * OpenCA project 2001 * * Copyright (c) 2001 The OpenCA Project. All rights reserved. * * ==================================================================== * * This product includes cryptographic software written by Eric Young * (ea...@cr...). This product includes software written by Tim * Hudson (tj...@cr...). * */ #include "http_client.h" /* External imported variables */ extern int debug; extern int verbose; /* Functions */ BIO *ocspd_http_connect( URL *url ) { BIO *cbio = NULL; char buf[1024]; if( (!url) || (!url->addr) ) { syslog( LOG_ERR, "ERROR: Missing address for HTTP connect"); return NULL; } /* We build the "host:port" string to be used */ bzero(buf, sizeof(buf)); sprintf( buf, "%s:%d", url->addr, url->port ); if((cbio = BIO_new_connect(buf)) == NULL ) { syslog(LOG_ERR, "ERROR: cannot connect to %s", url->addr); return NULL; } if (BIO_do_connect(cbio) <= 0) { syslog(LOG_ERR, "ERROR: cannot connect to %s", url->addr); BIO_free_all(cbio); return NULL; } return cbio; } BUF_MEM *ocspd_http_get_data ( BIO *in, unsigned long max_size ) { BUF_MEM *buf = NULL; unsigned long fullsize = 0; unsigned long newsize = 0; /* get subject name from bio using recommended OpenSSL template */ buf = BUF_MEM_new(); for (;;) { if ((buf == NULL) || (!BUF_MEM_grow(buf, fullsize+512))) { if( in ) BIO_free_all (in); return NULL; } newsize = BIO_read(in, &(buf->data[fullsize]), 512); fullsize += newsize; if (newsize == 0) break; if (newsize < 0) { /* Error Reading from buf */ BUF_MEM_free( buf ); BIO_free_all(in); return NULL; } if( 
(max_size) && (fullsize > max_size)) { /* Max Reading size exceeded */ syslog( LOG_ERR, "HTTP Read -- Max read size exceeded " " [ %d ]", max_size ); BUF_MEM_free( buf ); BIO_free_all(in); return NULL; } } /* Make sure the buf ends with a \x0 value */ buf->data[fullsize] = '\x0'; return buf; } BUF_MEM *ocspd_http_get ( URL *url, unsigned long max_size ) { BIO *in = NULL; BUF_MEM *buf = NULL; long fullsize = 0; long newsize = 0; char linebuf[1024]; int head_lines; char get_s[] = "GET %s HTTP/1.0\r\n\r\n"; in = ocspd_http_connect( url ); if( !in ) return NULL; if( verbose ) { syslog( LOG_INFO, "Successfully Connected to HTTP server"); } /* Print the "GET" command to the server and wait for the answer */ BIO_printf(in, get_s, url->path); /* Get HTTP data */ if((buf = ocspd_http_get_data ( in, max_size )) == NULL ) { syslog( LOG_ERR, "ERROR -- can not read http data."); } /* Release the socket */ BIO_free_all (in); return buf; } int ocspd_parse_http_headers ( BIO *in ) { int head_lines = 0; char linebuf[1024]; head_lines = 0; do { int read_code = 0; bzero(linebuf, sizeof linebuf); if((read_code = BIO_gets(in, linebuf, sizeof(linebuf))) < 0) { syslog( LOG_ERR, "HTTP - Error (%d) retrieving data" " (head_lines=%d)", read_code, head_lines ); return 0; } /* Let's check if the first line has good code */ if ( ( head_lines == 0 ) && ( strncmp( &(linebuf[9]), "200", 3) != 0 )) { /* Got an error - probably not found (?) */ syslog( LOG_ERR, "HTTP - Error retrieving data" " (%s)", linebuf ); return 0; } else { head_lines++; } } while( (linebuf[0] != '\r') && (linebuf[0] != '\n') ); if( verbose ) { syslog( LOG_INFO, "Successfully Parsed HTTP HEADERS"); } return 1; } --- NEW FILE: http_client.h --- /* * OCSP responder * by Massimiliano Pala (ma...@op...) * OpenCA project 2001-2006 * * Copyright (c) 2001 The OpenCA Project. All rights reserved. 
* * ==================================================================== * * This product includes cryptographic software written by Eric Young * (ea...@cr...). This product includes software written by Tim * Hudson (tj...@cr...). * */ /* Functions prototypes*/ #ifndef _OCSPD_HTTP_CLIENT #define _OCSPD_HTTP_CLIENT #include "general.h" #include <openssl/bio.h> BIO *ocspd_http_connect( URL *url ); BUF_MEM *ocspd_http_get( URL *url, unsigned long max_size ); BUF_MEM *ocspd_http_get_data ( BIO *in, unsigned long max_size ); int ocspd_parse_http_headers ( BIO *in ); #endif Index: Makefile.am =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/Makefile.am,v retrieving revision 1.15 retrieving revision 1.16 diff -C2 -d -r1.15 -r1.16 *** Makefile.am 27 Apr 2005 13:33:46 -0000 1.15 --- Makefile.am 4 Nov 2005 00:32:09 -0000 1.16 *************** *** 78,81 **** --- 78,82 ---- configuration.c configuration.h \ support.c support.h \ + http_client.c http_client.h \ ocsp_db.h hash-db.c $(ENGINE_SRC) Index: Makefile.in =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/Makefile.in,v retrieving revision 1.18 retrieving revision 1.19 diff -C2 -d -r1.18 -r1.19 *** Makefile.in 27 Apr 2005 13:33:46 -0000 1.18 --- Makefile.in 4 Nov 2005 00:32:09 -0000 1.19 *************** *** 1,7 **** ! # Makefile.in generated by automake 1.9.2 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, --- 1,7 ---- ! # Makefile.in generated by automake 1.9.5 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, ! # 2003, 2004, 2005 Free Software Foundation, Inc. 
# This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, *************** *** 58,67 **** am__ocspd_SOURCES_DIST = ocspd.c ocspd.h general.h ocsp_response.c \ ocsp_response.h server.c server.h configuration.c \ ! configuration.h support.c support.h ocsp_db.h hash-db.c \ ! ocspd_engine.c ocspd_engine.h @HAVE_ENGINE_TRUE@am__objects_1 = ocspd_engine.$(OBJEXT) am_ocspd_OBJECTS = ocspd.$(OBJEXT) ocsp_response.$(OBJEXT) \ server.$(OBJEXT) configuration.$(OBJEXT) support.$(OBJEXT) \ ! hash-db.$(OBJEXT) $(am__objects_1) ocspd_OBJECTS = $(am_ocspd_OBJECTS) am__DEPENDENCIES_1 = --- 58,68 ---- am__ocspd_SOURCES_DIST = ocspd.c ocspd.h general.h ocsp_response.c \ ocsp_response.h server.c server.h configuration.c \ ! configuration.h support.c support.h http_client.c \ ! http_client.h ocsp_db.h hash-db.c ocspd_engine.c \ ! ocspd_engine.h @HAVE_ENGINE_TRUE@am__objects_1 = ocspd_engine.$(OBJEXT) am_ocspd_OBJECTS = ocspd.$(OBJEXT) ocsp_response.$(OBJEXT) \ server.$(OBJEXT) configuration.$(OBJEXT) support.$(OBJEXT) \ ! http_client.$(OBJEXT) hash-db.$(OBJEXT) $(am__objects_1) ocspd_OBJECTS = $(am_ocspd_OBJECTS) am__DEPENDENCIES_1 = *************** *** 74,82 **** COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) ! LTCOMPILE = $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) ! LINK = $(LIBTOOL) --mode=link --tag=CC $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ SOURCES = $(ocspd_SOURCES) --- 75,83 ---- COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) ! LTCOMPILE = $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) \ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) ! 
LINK = $(LIBTOOL) --tag=CC --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ SOURCES = $(ocspd_SOURCES) *************** *** 268,271 **** --- 269,273 ---- configuration.c configuration.h \ support.c support.h \ + http_client.c http_client.h \ ocsp_db.h hash-db.c $(ENGINE_SRC) *************** *** 365,368 **** --- 367,371 ---- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/configuration.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash-db.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/http_client.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocspd.Po@am__quote@ Index: config.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/config.h,v retrieving revision 1.9 retrieving revision 1.10 diff -C2 -d -r1.9 -r1.10 *** config.h 6 Oct 2005 10:24:39 -0000 1.9 --- config.h 4 Nov 2005 00:32:09 -0000 1.10 *************** *** 26,30 **** /* Define if there is OCSP support in your openssl distro */ ! #define HAVE_OCSP 1 /* Define if there is LDAP support in your system */ --- 26,30 ---- /* Define if there is OCSP support in your openssl distro */ ! /* #undef HAVE_OCSP */ /* Define if there is LDAP support in your system */ Index: general.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/general.h,v retrieving revision 1.17 retrieving revision 1.18 diff -C2 -d -r1.17 -r1.18 *** general.h 6 Oct 2005 10:24:39 -0000 1.17 --- general.h 4 Nov 2005 00:32:09 -0000 1.18 *************** *** 340,344 **** int alarm_decrement; ! long max_req_size; #ifdef HAVE_ENGINE --- 340,344 ---- int alarm_decrement; ! 
unsigned long max_req_size; #ifdef HAVE_ENGINE Index: hash-db.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/hash-db.c,v retrieving revision 1.6 retrieving revision 1.7 diff -C2 -d -r1.6 -r1.7 *** hash-db.c 20 Oct 2005 13:22:24 -0000 1.6 --- hash-db.c 4 Nov 2005 00:32:09 -0000 1.7 *************** *** 15,18 **** --- 15,19 ---- #include "general.h" + #include "http_client.h" #include <openssl/txt_db.h> *************** *** 355,455 **** #endif - BIO *ocspd_http_connect( URL *url ) { - - BIO *cbio = NULL; - char buf[1024]; - - if( (!url) || (!url->addr) ) { - syslog( LOG_ERR, "ERROR: Missing address for HTTP connect"); - return NULL; - } - - /* We build the "host:port" string to be used */ - bzero(buf, sizeof(buf)); - sprintf( buf, "%s:%d", url->addr, url->port ); - - if((cbio = BIO_new_connect(buf)) == NULL ) { - syslog(LOG_ERR, "ERROR: cannot connect to %s", url->addr); - return NULL; - } - - if (BIO_do_connect(cbio) <= 0) { - syslog(LOG_ERR, "ERROR: cannot connect to %s", url->addr); - BIO_free_all(cbio); - return NULL; - } - - return cbio; - } STACK_OF(X509) *ocspd_load_ca_http( URL *url ) { int cont = 1; X509 *ret = NULL; STACK_OF(X509) *x_sk = NULL; - BIO *in = NULL; BIO *mem = NULL; ! long len = 0; ! char buf[16535]; ! ! char get_s[] = "GET %s HTTP/1.0\n\n"; ! ! in = ocspd_http_connect( url ); ! if( !in ) return NULL; ! if((x_sk = sk_X509_new_null()) == NULL ) { ! return(NULL); } ! if(!(mem = BIO_new(BIO_s_mem()))) { ! BIO_free_all(in); ! return x_sk; } ! BIO_printf(in, get_s, url->path); ! while ((len = BIO_read(in, buf, sizeof buf))) { ! if(len < 0) { ! BIO_free(mem); ! BIO_free(in); ! return x_sk; ! } ! BIO_write(mem, buf, len); ! } ! BIO_free(in); ! BIO_flush(mem); ! do { ! if(BIO_gets(mem, buf, sizeof buf) < 0) { ! BIO_free_all(mem); ! return x_sk; ! } } - while( (buf[0] != '\r') && (buf[0] != '\n') ); ! /*DEBUG*/ ! /* ! out = BIO_new(BIO_s_file()); ! 
BIO_set_fp(out,stdout,BIO_NOCLOSE); ! */ ! cont = 1; ! while ( cont == 1 ) { ! /* Try PEM format */ ! if ( (ret=PEM_read_bio_X509(mem,NULL,NULL,NULL)) ! == NULL ) { ! BIO_reset(mem); ! /* Is it DER encoded (???) */ ! if( (ret = d2i_X509_bio( mem, NULL )) == NULL ) { ! cont = 0; ! break; ! } } ! if(!ret) { ! cont = 0; } else { ! sk_X509_push(x_sk, ret); } } ! BIO_free(mem); if(verbose) { --- 356,435 ---- #endif STACK_OF(X509) *ocspd_load_ca_http( URL *url ) { int cont = 1; + int head_lines = 0; + char linebuf[1024]; X509 *ret = NULL; STACK_OF(X509) *x_sk = NULL; BIO *mem = NULL; ! BUF_MEM *buf = NULL; ! /* Check for non empty URL */ ! if( (!url) || (!url->addr)) { ! syslog(LOG_ERR, "Configuration error: needed valid URL for" ! " CA Cert HTTP download!"); ! return NULL; } ! /* Get the object data from HTTP */ ! if( (buf = ocspd_http_get ( url, 0 )) == NULL ) { ! syslog(LOG_ERR, "Error loading CA Cert from HTTP [%s]", ! url->addr ); ! return NULL; } ! if( verbose ) { ! syslog( LOG_INFO, "Successfully got CA HTTP data [%lu]", ! buf->length); ! } ! /* Build a memory bio from the MEM_BUF data */ ! if(!(mem = BIO_new_mem_buf(buf->data, buf->length) )) { ! syslog( LOG_ERR, "ERROR: Internal memory allocation error!"); ! if( buf ) BUF_MEM_free (buf); ! return NULL; } ! if ( ocspd_parse_http_headers ( mem ) == 0 ) { ! if( mem ) BIO_free_all(mem); ! if( buf ) BUF_MEM_free ( buf ); ! return NULL; ! } ! if((x_sk = sk_X509_new_null()) == NULL ) { ! syslog(LOG_ERR, "ERROR allocating memory."); ! if( mem ) BIO_free_all(mem); ! if( buf ) BUF_MEM_free ( buf ); ! return NULL; ! } ! /* Try PEM format */ ! if ( (ret=PEM_read_bio_X509(mem,NULL,NULL,NULL)) == NULL ) { ! BIO_reset(mem); ! if ( ocspd_parse_http_headers ( mem ) == 0 ) { ! if( mem ) BIO_free_all(mem); ! if( buf ) BUF_MEM_free ( buf ); ! return NULL; } ! ! /* Is it DER encoded (???) */ ! if( (ret = d2i_X509_bio( mem, NULL )) == NULL ) { ! syslog( LOG_ERR, "ERROR -- Unknown CA cert" ! 
" format (should either PEM or DER)"); } else { ! if( verbose ) ! syslog(LOG_INFO, "CA cert is in DER format"); } + } else { + if( verbose ) + syslog(LOG_INFO, "CA cert is in PEM format"); } ! ! if( ret ) ! sk_X509_push(x_sk, ret); ! ! if( mem ) BIO_free_all(mem); ! if( buf ) BUF_MEM_free ( buf ); if(verbose) { *************** *** 462,507 **** X509_CRL *ocspd_load_crl_http( URL *url ) { ! BIO *in = NULL; BIO *mem = NULL; ! long len = 0; ! char buf[16535]; ! X509_CRL *crl = NULL; ! char get_s[] = "GET %s HTTP/1.0\n\n"; ! in = ocspd_http_connect( url ); ! if( !in ) return NULL; ! if(!(mem = BIO_new(BIO_s_mem()))) { ! BIO_free_all(in); ! return NULL; } ! BIO_printf(in, get_s, url->path); ! while ((len = BIO_read(in, buf, sizeof buf))) { ! if(len < 0) { ! BIO_free(mem); ! BIO_free(in); ! return NULL; ! } ! BIO_write(mem, buf, len); ! } ! BIO_free(in); ! BIO_flush(mem); ! do { ! if(BIO_gets(mem, buf, sizeof buf) < 0) { ! BIO_free_all(mem); ! return NULL; ! } } - while( (buf[0] != '\r') && (buf[0] != '\n') ); if( (crl = ocspd_X509_CRL_bio( mem, FORMAT_ASN1 )) == NULL ) { BIO_reset(mem); ! crl = ocspd_X509_CRL_bio( mem, FORMAT_PEM ); ! } ! BIO_free(mem); return crl; --- 442,512 ---- X509_CRL *ocspd_load_crl_http( URL *url ) { ! int cont = 1; ! X509_CRL *crl = NULL; BIO *mem = NULL; ! BUF_MEM *buf = NULL; ! int head_lines = 0; ! char linebuf[1024]; ! /* Check for non empty URL */ ! if( (!url) || (!url->addr)) { ! syslog(LOG_ERR, "Configuration error: needed valid URL for" ! " CA Cert HTTP download!"); ! return NULL; ! } ! /* Get the object data from HTTP */ ! if( (buf = ocspd_http_get ( url, 0 )) == NULL ) { ! syslog(LOG_ERR, "Error loading CRL from HTTP [%s]", ! url->addr ); ! } ! if( verbose ) { ! syslog( LOG_INFO, "Successfully got CRL HTTP data [%lu]", ! buf->length); } ! /* Build a memory bio from the MEM_BUF data */ ! if(!(mem = BIO_new_mem_buf(buf->data, buf->length) )) { ! syslog( LOG_ERR, "ERROR: Internal memory allocation error!"); ! 
if( buf ) BUF_MEM_free (buf); ! return NULL; ! } ! /* Check the HTTP headers */ ! if( ocspd_parse_http_headers( mem ) == 0 ) { ! if( mem ) BIO_free_all (mem); ! if( buf ) BUF_MEM_free (buf); ! return NULL; } + /* Try and load CRL - ASN1 first, PEM second */ if( (crl = ocspd_X509_CRL_bio( mem, FORMAT_ASN1 )) == NULL ) { + + /* If it is not in DER format, let's try the PEM one */ BIO_reset(mem); ! ! /* Parse the headers again... */ ! if( ocspd_parse_http_headers( mem ) == 0 ) { ! if( mem ) BIO_free_all (mem); ! if( buf ) BUF_MEM_free (buf); ! return NULL; ! } ! ! if( (crl = ocspd_X509_CRL_bio( mem, FORMAT_PEM )) == NULL ) { ! syslog(LOG_ERR, "ERROR -- unknown CRL format (should " ! "be PEM or DER encoded)"); ! } else { ! if(verbose) ! syslog(LOG_INFO, "CRL is in PEM format"); ! } ! } else { ! if (verbose) ! syslog(LOG_INFO, "CRL is in DER format"); ! } ! ! if( mem ) BIO_free(mem); ! if( buf ) BUF_MEM_free( buf); return crl; *************** *** 559,564 **** X509_CRL *ocspd_load_crl_file( URL *url ) { ! BIO *in = NULL; ! // STACK_OF(X509_REVOKED) *rev = NULL; X509_CRL *crl = NULL; --- 564,568 ---- X509_CRL *ocspd_load_crl_file( URL *url ) { ! BIO *in = NULL; X509_CRL *crl = NULL; *************** *** 569,585 **** if( (crl = ocspd_X509_CRL_bio( in, FORMAT_PEM )) == NULL ) { ! crl = ocspd_X509_CRL_bio( in, FORMAT_ASN1 ); } - /* - if (crlform == FORMAT_ASN1) - crl=d2i_X509_CRL_bio(in,NULL); - else if (crlform == FORMAT_PEM) - crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL); - else { - BIO_free( in ); - return(NULL); - } - */ BIO_free( in ); --- 573,588 ---- if( (crl = ocspd_X509_CRL_bio( in, FORMAT_PEM )) == NULL ) { ! if((crl = ocspd_X509_CRL_bio( in, FORMAT_ASN1 )) == NULL ) { ! syslog(LOG_ERR, "ERROR -- unknown CRL format (should " ! "be PEM or DER encoded)"); ! } else { ! if(verbose) ! syslog(LOG_INFO, "CRL is in DER format"); ! } ! } else { ! if(verbose) ! syslog(LOG_INFO, "CRL is in PEM format"); } BIO_free( in ); *************** *** 656,662 **** X509 *x = NULL; ! 
char buff[EVP_MAX_MD_SIZE]; ! int j, i, nid; /* Check for needed info */ --- 659,665 ---- X509 *x = NULL; ! unsigned char buff[EVP_MAX_MD_SIZE]; ! unsigned int j, i, nid; /* Check for needed info */ Index: server.c =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/server.c,v retrieving revision 1.16 retrieving revision 1.17 diff -C2 -d -r1.16 -r1.17 *** server.c 6 Oct 2005 10:24:39 -0000 1.16 --- server.c 4 Nov 2005 00:32:09 -0000 1.17 *************** *** 154,159 **** if( pause() < 0 ) { if(verbose) ! syslog(LOG_ERR, "PAUSE => %s", ! strerror(errno)); } } --- 154,159 ---- if( pause() < 0 ) { if(verbose) ! syslog(LOG_ERR, "Verbose Debug Info [" ! " %s ]", strerror(errno)); } } *************** *** 371,375 **** } - OCSP_REQUEST *get_ocsp_request( BIO *bio ) { --- 371,374 ---- *************** *** 415,418 **** --- 414,479 ---- } + OCSP_REQUEST *NEW_get_ocsp_request( BIO *in ) { + + int head_lines = 0; + char linebuf[1024]; + + BUF_MEM *buf = NULL; + OCSP_REQUEST *ocsp_req = NULL; + BIO *mem = NULL; + + if( (buf = ocspd_http_get_data(in, ocspd_conf->max_req_size)) == NULL){ + if( verbose ) + syslog ( LOG_ERR, "ERROR -- impossible reading req"); + return NULL; + } + + /* Build a memory bio from the MEM_BUF data */ + if(!(mem = BIO_new_mem_buf(buf->data, buf->length) )) { + syslog( LOG_ERR, "ERROR: Internal memory allocation error!"); + if( buf ) BUF_MEM_free (buf); + return NULL; + } + + + head_lines = 0; + do { + int read_code = 0; + + bzero(linebuf, sizeof linebuf); + if((read_code = BIO_gets(mem, linebuf, sizeof(linebuf))) < 0) { + syslog( LOG_ERR, "HTTP - Error (%d) retrieving header" + " (%d)", read_code, head_lines ); + if( buf ) BUF_MEM_free ( buf ); + return NULL; + } + + /* Let's check if the first line has good code */ + if ( ( head_lines == 0 ) && + ( strncmp( linebuf, "POST ", 5) != 0 )) { + /* Got an error - probably not found (?) 
*/ + syslog( LOG_ERR, "ERROR - HTTP method is not POST, " + " rejecting."); + if( buf ) BUF_MEM_free ( buf ); + return NULL; + } else { + head_lines++; + } + } + while( (linebuf[0] != '\r') && (linebuf[0] != '\n') ); + + ocsp_req = d2i_OCSP_REQUEST_bio(mem, NULL); + if (!ocsp_req) { + /* remove to prevent unused log... + syslog( LOG_ERR, "Error parsing OCSP request\n");*/ + if( verbose ) + syslog(LOG_ERR, "ERROR in parsing request"); + } + + if( mem ) BIO_free_all (mem); + if( buf ) BUF_MEM_free (buf); + return ocsp_req; + } + int send_ocsp_response(BIO *bio, OCSP_RESPONSE *resp) { Index: server.h =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/ocspd/src/server.h,v retrieving revision 1.8 retrieving revision 1.9 diff -C2 -d -r1.8 -r1.9 *** server.h 6 Oct 2005 10:24:39 -0000 1.8 --- server.h 4 Nov 2005 00:32:09 -0000 1.9 *************** *** 25,28 **** --- 25,29 ---- #include <sys/poll.h> + #include "http_client.h" /* Functions */ |
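Review bot: in `ocspd_http_get_data` (new file http_client.c) `newsize` is declared `unsigned long`, so the `if (newsize < 0)` branch can never execute; a negative return from `BIO_read` wraps to a huge value that has already been added to `fullsize` and is then handed to `BUF_MEM_grow` on the next pass. Declare it `int` and test it before `fullsize += newsize`. The function also never stores the bytes actually read in `buf->length`, so the callers that do `BIO_new_mem_buf(buf->data, buf->length)` see the grown size (up to 512 zero bytes past the data) and the `[%lu]` log lines over-report; add `buf->length = fullsize;` beside the terminating `'\x0'` write. The "Max read size exceeded" message formats the `unsigned long` `max_size` with `%d`.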
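Review bot: `ocspd_http_get_data` calls `BIO_free_all(in)` on every one of its failure paths, and `ocspd_http_get` then calls `BIO_free_all(in)` unconditionally after the NULL return, which is a double free on each error. Ownership of the BIO should stay with whoever opened it: remove the `BIO_free_all(in)` calls from `ocspd_http_get_data` and leave the single free in `ocspd_http_get`. That also matters for `NEW_get_ocsp_request` in server.c, which passes a BIO it did not create and would otherwise have it freed underneath it.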
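Review bot: the header loop in `ocspd_parse_http_headers` exits only on a line whose first byte is `\r` or `\n`, and `BIO_gets` returning 0 at the end of a memory BIO is not caught by the `< 0` test, so a response whose headers are not terminated by a blank line, or that was truncated, loops forever over a zeroed `linebuf`. Treat `read_code <= 0` as end of input and fail. The status test `strncmp(&(linebuf[9]), "200", 3)` does not check that the line begins with `HTTP/` before reading offset 9, and `ocspd_http_connect` builds the `host:port` string with `sprintf` into a fixed 1024-byte `buf`; `BIO_snprintf` (or `snprintf`) costs nothing here. The `GET %s HTTP/1.0` request also carries no `Host:` header, so a CRL or CA certificate served from a name-based virtual host will not be found.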
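Review bot: in `ocspd_load_crl_http` (hash-db.c) the `ocspd_http_get(url, 0) == NULL` branch logs the error but does not `return NULL`, so execution falls through to `buf->length` and `BIO_new_mem_buf(buf->data, buf->length)` with a NULL `buf`; `ocspd_load_ca_http` has the return that is missing here. Both loaders pass `max_size = 0`, which `ocspd_http_get_data` treats as "no limit", so the daemon will buffer whatever the CRL or CA URL chooses to serve; a bound along the lines of the existing `max_req_size` would be prudent. `cont`, `head_lines` and `linebuf` are now unused in both functions, and the error text in the CRL loader still says "CA Cert HTTP download".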
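Review bot: `NEW_get_ocsp_request` (server.c) leaks `mem` on both header-error paths, where only `buf` is freed before `return NULL`, and its header loop has the same termination problem as `ocspd_parse_http_headers`: `BIO_gets` returning 0 is not `< 0`, so a request with no blank line after the headers spins on the zeroed `linebuf`. It also only works for a client that closes its side after sending, because `ocspd_http_get_data` reads until `BIO_read` returns 0 rather than honouring `Content-Length`; a client holding the connection open for the response will wait indefinitely. Nothing in this patch calls the function (`get_ocsp_request` itself is not modified), so as committed it is dead code.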
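Review bot: the checked-in `config.h` flips `HAVE_OCSP` from `#define HAVE_OCSP 1` to `/* #undef HAVE_OCSP */`. Since `AM_CONFIG_HEADER(config.h)` remains commented out in configure.in, configure does not regenerate this header and the committed copy is what every build compiles against; for an OCSP responder that reads like a local configure result committed by accident. Please confirm it is intended, or drop the hunk.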
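Review bot: in the `unsigned char buff[EVP_MAX_MD_SIZE]` hunk of hash-db.c, `nid` is switched to `unsigned int` together with `i` and `j`. Making the digest length unsigned matches the `unsigned int *` that the digest functions take, but NIDs are returned as `int` by the OBJ_* functions and compared against `NID_undef`, so `nid` should stay `int`.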
From: <ope...@li...> - 2005-10-27 12:53:24
Update of /cvsroot/openca/openca-0.9/src/common/lib/cmds In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16932/openca-0.9/src/common/lib/cmds Modified Files: Tag: openca_0_9_2 warnExpiring Log Message: utf8 mime fix from Julia and fix for removed patch Author of changes: michaelbell Index: warnExpiring =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/common/lib/cmds/warnExpiring,v retrieving revision 1.5.2.4 retrieving revision 1.5.2.5 diff -C2 -d -r1.5.2.4 -r1.5.2.5 *** warnExpiring 13 Oct 2005 14:44:50 -0000 1.5.2.4 --- warnExpiring 27 Oct 2005 12:53:12 -0000 1.5.2.5 *************** *** 35,40 **** use Time::Local; use MIME::Lite; - use MIME::Words qw(:all); my $cert = $db->getNextItem( DATATYPE=>'VALID_CERTIFICATE', KEY=>-1 ); --- 35,40 ---- use Time::Local; + use MIME::Base64; use MIME::Lite; my $cert = $db->getNextItem( DATATYPE=>'VALID_CERTIFICATE', KEY=>-1 ); *************** *** 92,107 **** $text = $query->subVar ($text, '__CERT_NOTAFTER__', $expires); $text = $query->subVar ($text, '__CERT_CN__', $cn); my $msg = MIME::Lite->new( ! From =>encode_mimewords(gettext ("PKI Certificate Manager")). ! " <".$service_email.">", ! To =>encode_mimewords($cn)." <$email>", ! Subject =>encode_mimewords( ! i18nGettext ("Certificate __SERIAL__ will expiring", ! "__SERIAL__", $key)), Type =>'TEXT', Encoding =>'8bit', Data =>$text ); ! $msg->attr("content-type.charset" => "UTF-8"); print $msg->as_string if ($DEBUG); --- 92,118 ---- $text = $query->subVar ($text, '__CERT_NOTAFTER__', $expires); $text = $query->subVar ($text, '__CERT_CN__', $cn); + + my $encoding = 'UTF-8'; + + my $from = gettext ("PKI Certificate Manager"); + my $enc_from = MIME::Base64::encode($from,""); + $from = "=?" . $encoding . "?B?" . $enc_from . "?=" . " <".$service_email.">"; + + my $enc_to = MIME::Base64::encode($cn,""); + my $to = "=?" . $encoding . "?B?" . $enc_to . "?=" . 
" <$email>"; + + my $subject = i18nGettext ("Certificate __SERIAL__ will expiring","__SERIAL__", $key); + my $enc_subject = MIME::Base64::encode($subject,""); + $subject = "=?" . $encoding . "?B?" . $enc_subject . "?="; + my $msg = MIME::Lite->new( ! From => $from, ! To => $to, ! Subject => $subject, Type =>'TEXT', Encoding =>'8bit', Data =>$text ); ! $msg->attr("content-type.charset" => $encoding); print $msg->as_string if ($DEBUG); |
From: <ope...@li...> - 2005-10-27 12:53:22
Update of /cvsroot/openca/openca-0.9 In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16932/openca-0.9 Modified Files: Tag: openca_0_9_2 CHANGES Log Message: utf8 mime fix from Julia and fix for removed patch Author of changes: michaelbell Index: CHANGES =================================================================== RCS file: /cvsroot/openca/openca-0.9/CHANGES,v retrieving revision 1.295.2.65 retrieving revision 1.295.2.66 diff -C2 -d -r1.295.2.65 -r1.295.2.66 *** CHANGES 13 Oct 2005 14:44:52 -0000 1.295.2.65 --- CHANGES 27 Oct 2005 12:53:11 -0000 1.295.2.66 *************** *** 3,7 **** "cvs commit". ! 2005-Oct-05: * large UTF8 update from Julia and Sergei (Cryptocom) * Fixed Integer Overflow error in CSR/CRR approval --- 3,9 ---- "cvs commit". ! 2005-Oct-xx: ! * fixed UTF8 MIME issue (from Julia) ! * fixed getSerial in OpenCA::CRL to return a string * large UTF8 update from Julia and Sergei (Cryptocom) * Fixed Integer Overflow error in CSR/CRR approval |
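Review bot: the new changelog block is dated `2005-Oct-xx`; fill in the day before this is tagged, since the entry below it (`2005-Oct-05`) has a full date and the placeholder will otherwise ship in the release notes.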
From: <ope...@li...> - 2005-10-27 12:53:22
Update of /cvsroot/openca/openca-0.9/src/modules/openca-crl In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16932/openca-0.9/src/modules/openca-crl Modified Files: Tag: openca_0_9_2 CRL.pm Log Message: utf8 mime fix from Julia and fix for removed patch Author of changes: michaelbell Index: CRL.pm =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/modules/openca-crl/CRL.pm,v retrieving revision 1.24 retrieving revision 1.24.2.1 diff -C2 -d -r1.24 -r1.24.2.1 *** CRL.pm 17 Aug 2004 13:00:00 -0000 1.24 --- CRL.pm 27 Oct 2005 12:53:13 -0000 1.24.2.1 *************** *** 403,411 **** # return the serial if one is present ! return $self->getParsed()->{SERIAL} if ($self->getParsed()->{SERIAL} >= 0); # new numbering by timestamp ! return $self->{backend}->getNumericDate ( $self->getParsed()->{LAST_UPDATE} ); --- 403,411 ---- # return the serial if one is present ! return "".$self->getParsed()->{SERIAL} if ($self->getParsed()->{SERIAL} >= 0); # new numbering by timestamp ! return "".$self->{backend}->getNumericDate ( $self->getParsed()->{LAST_UPDATE} ); |
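Review bot: prefixing `"".` makes both return values strings, but the guard `$self->getParsed()->{SERIAL} >= 0` still forces a numeric conversion of the serial, which is the same thing the change is trying to avoid on the return path; a serial wider than a native integer is converted to a float for the comparison, and a non-numeric serial triggers a warning. A `defined` test (or `ne ''`) states the intent, "a serial is present", without the conversion.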
From: <ope...@li...> - 2005-10-27 12:53:22
Update of /cvsroot/openca/openca-0.9/src/common/lib/functions In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16932/openca-0.9/src/common/lib/functions Modified Files: Tag: openca_0_9_2 crypto-utils.lib initServer Log Message: utf8 mime fix from Julia and fix for removed patch Author of changes: michaelbell Index: crypto-utils.lib =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/crypto-utils.lib,v retrieving revision 1.65.2.9 retrieving revision 1.65.2.10 diff -C2 -d -r1.65.2.9 -r1.65.2.10 *** crypto-utils.lib 13 Oct 2005 14:44:50 -0000 1.65.2.9 --- crypto-utils.lib 27 Oct 2005 12:53:12 -0000 1.65.2.10 *************** *** 1497,1501 **** if ($encoding eq "C") { ! $encoding = undef; } else { $encoding =~ s/^.*\.// if ($encoding ne "C"); ## remove language --- 1497,1501 ---- if ($encoding eq "C") { ! $encoding = 'UTF-8'; } else { $encoding =~ s/^.*\.// if ($encoding ne "C"); ## remove language *************** *** 1594,1598 **** if ($encoding eq "C") { ! $encoding = undef; } else { $encoding =~ s/^.*\.// if ($encoding ne "C"); ## remove language --- 1594,1598 ---- if ($encoding eq "C") { ! $encoding = 'UTF-8'; } else { $encoding =~ s/^.*\.// if ($encoding ne "C"); ## remove language Index: initServer =================================================================== RCS file: /cvsroot/openca/openca-0.9/src/common/lib/functions/initServer,v retrieving revision 1.47.2.9 retrieving revision 1.47.2.10 diff -C2 -d -r1.47.2.9 -r1.47.2.10 *** initServer 13 Oct 2005 14:44:50 -0000 1.47.2.9 --- initServer 27 Oct 2005 12:53:13 -0000 1.47.2.10 *************** *** 649,652 **** --- 649,659 ---- } + if ($CHARSET =~ m/^utf[_-]*8$/i) { + $query->autoEscape(0); + } + else { + $query->autoEscape(1); + } + setPerformancePoint ("session loaded and language ready"); return 1; |
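Review bot: both crypto-utils.lib hunks replace `$encoding = undef` with `$encoding = 'UTF-8'` for the "C" locale, which silently assumes the data is UTF-8 whenever no locale is configured; if that is the project's convention it deserves a comment. The `if ($encoding ne "C")` inside the `else` branch is always true, since the `else` is reached only when `$encoding` is not "C".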
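Review bot: calling `$query->autoEscape(0)` whenever `$CHARSET` is UTF-8 does more than change charset handling: it switches off CGI.pm's HTML-escaping of the values it places into generated form elements, so any user- or certificate-derived value that ends up as a field default reaches the browser with `<`, `>`, `&` and `"` intact, which is an XSS hardening regression for UTF-8 installations only. If the motivation is that `escapeHTML` mangles multibyte characters, keep `autoEscape(1)` and tell CGI.pm the charset with `$query->charset('UTF-8')`, which limits `escapeHTML` to the four basic entities; otherwise the escaping has to be done explicitly wherever such values are rendered.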