2019-06-16 21:16:16 -04:00
|
|
|
/*
|
|
|
|
|
* OpenSSL certificate caching.
|
|
|
|
|
*
|
2023-02-07 19:35:18 -08:00
|
|
|
* Copyright (C) 2016-2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
|
2019-06-16 21:16:16 -04:00
|
|
|
*
|
|
|
|
|
* Authors: Russ Kubik
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
|
|
|
* MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
2019-07-25 14:04:25 -04:00
|
|
|
#include <openssl/ssl.h>
|
2019-06-16 21:16:16 -04:00
|
|
|
#include <openssl/x509.h>
|
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <pthread.h>
|
|
|
|
|
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
#include "cert_util.h"
|
|
|
|
|
#include "cert_util_internal.h"
|
2019-06-16 21:16:16 -04:00
|
|
|
|
Add CMake build tooling
This patch adds experimental-quality CMake build tooling.
The libmspack build required a modification to use "" instead of <> for
header #includes. This will hopefully be included in the libmspack
upstream project when adding CMake build tooling to libmspack.
Removed use of libltdl when using CMake.
Flex & Bison are now required to build.
If -DMAINTAINER_MODE, then GPERF is also required, though it currently
doesn't actually do anything. TODO!
I found that the autotools build system was generating the lexer output
but not actually compiling it, instead using previously generated (and
manually renamed) lexer c source. As a consequence, changes to the .l
and .y files weren't making it into the build. To resolve this, I
removed generated flex/bison files and fixed the tooling to use the
freshly generated files. Flex and bison are now required build tools.
On Windows, this adds a dependency on the winflexbison package,
which can be obtained using Chocolatey or may be manually installed.
CMake tooling only has partial support for building with external LLVM
library, and no support for the internal LLVM (to be removed in the
future). I.e. The CMake build currently only supports the bytecode
interpreter.
Many files used include paths relative to the top source directory or
relative to the current project, rather than relative to each build
target. Modern CMake support requires including internal dependency
headers the same way you would external dependency headers (albeit
with "" instead of <>). This meant correcting all header includes to
be relative to the build targets and not relative to the workspace.
For example, ...
```c
include "../libclamav/clamav.h"
include "clamd/clamd_others.h"
```
... becomes:
```c
// libclamav
include "clamav.h"
// clamd
include "clamd_others.h"
```
Fixes header name conflicts by renaming a few of the files.
Converted the "shared" code into a static library, which depends on
libclamav. The ironically named "shared" static library provides
features common to the ClamAV apps which are not required in
libclamav itself and are not intended for use by downstream projects.
This change was required for correct modern CMake practices but was
also required to use the automake "subdir-objects" option.
This eliminates warnings when running autoreconf which, in the next
version of autoconf & automake are likely to break the build.
libclamav used to build in multiple stages where an earlier stage is
a static library containing utils required by the "shared" code.
Linking clamdscan and clamdtop with this libclamav utils static lib
allowed these two apps to function without libclamav. While this is
nice in theory, the practical gains are minimal and it complicates
the build system. As such, the autotools and CMake tooling was
simplified for improved maintainability and this feature was thrown
out. clamdtop and clamdscan now require libclamav to function.
Removed the nopthreads version of the autotools
libclamav_internal_utils static library and added pthread linking to
a couple apps that may have issues building on some platforms without
it, with the intention of removing needless complexity from the
source. Kept the regular version of libclamav_internal_utils.la
though it is no longer used anywhere but in libclamav.
Added an experimental doxygen build option which attempts to build
clamav.h and libfreshclam doxygen html docs.
The CMake build tooling also may build the example program(s), which
isn't a feature in the Autotools build system.
Changed C standard to C90+ due to inline linking issues with socket.h
when linking libfreshclam.so on Linux.
Generate common.rc for win32.
Fix tabs/spaces in shared Makefile.am, and remove vestigial ifndef
from misc.c.
Add CMake files to the automake dist, so users can try the new
CMake tooling w/out having to build from a git clone.
clamonacc changes:
- Renamed FANOTIFY macro to HAVE_SYS_FANOTIFY_H to better match other
similar macros.
- Added a new clamav-clamonacc.service systemd unit file, based on
the work of ChadDevOps & Aaron Brighton.
- Added missing clamonacc man page.
Updates to clamdscan man page, add missing options.
Remove vestigial CL_NOLIBCLAMAV definitions (all apps now use
libclamav).
Rename Windows mspack.dll to libmspack.dll so all ClamAV-built
libraries have the lib-prefix with Visual Studio as with CMake.
2020-08-13 00:25:34 -07:00
|
|
|
#include "output.h"
|
2019-06-16 21:16:16 -04:00
|
|
|
|
|
|
|
|
static cert_store_t _cert_store = {
|
|
|
|
|
.mutex = PTHREAD_MUTEX_INITIALIZER};
|
|
|
|
|
|
|
|
|
|
static cl_error_t _x509_to_pem(X509 *cert,
|
|
|
|
|
char **data,
|
|
|
|
|
int *len)
|
|
|
|
|
{
|
|
|
|
|
cl_error_t ret = CL_EFORMAT;
|
|
|
|
|
|
|
|
|
|
BIO *out = NULL;
|
|
|
|
|
long pem_len = 0;
|
|
|
|
|
char *pem_data = NULL;
|
|
|
|
|
|
|
|
|
|
if (cert == NULL || data == NULL || len == NULL) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "_x509_to_pem: Invalid argument\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Output the certs to a new BIO using the PEM format */
|
|
|
|
|
out = BIO_new(BIO_s_mem());
|
|
|
|
|
if (!out) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "BIO_new failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
PEM_write_bio_X509(out, cert);
|
|
|
|
|
|
|
|
|
|
(void)BIO_flush(out);
|
|
|
|
|
|
|
|
|
|
/* Convert the BIO to char* */
|
|
|
|
|
pem_len = BIO_get_mem_data(out, &pem_data);
|
|
|
|
|
if (pem_len <= 0 || !pem_data) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "BIO_new: BIO_get_mem_data failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
BIO_free_all(out);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*data = calloc(1, pem_len + 1);
|
|
|
|
|
if (!*data) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "BIO_new: malloc failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
BIO_free_all(out);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
memcpy(*data, pem_data, pem_len);
|
|
|
|
|
(*data)[pem_len] = '\0';
|
|
|
|
|
|
|
|
|
|
*len = (int)pem_len;
|
|
|
|
|
|
|
|
|
|
BIO_free_all(out);
|
|
|
|
|
|
|
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
|
|
|
|
|
done:
|
2022-08-27 08:57:12 -07:00
|
|
|
return ret;
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @brief This method will convert a X509 certificate to PEM format and append
|
|
|
|
|
* it to a string buffer.
|
|
|
|
|
*
|
|
|
|
|
* @note If realloc fails to reserve memory for *cert_data it will free whatever
|
|
|
|
|
* is currently in *cert_data before returning. total_buf_len is also set
|
|
|
|
|
* to 0 (zero) in this case.
|
|
|
|
|
*
|
|
|
|
|
* @param[in] *ca_cert Pointer to CA certificate
|
|
|
|
|
* @param[out] **cert_data Pointer to allocated string buffer
|
|
|
|
|
* @param[out] *total_buf_len Total of string buffer length after appending
|
|
|
|
|
* CA certificate (ca_cert)
|
|
|
|
|
* @param[in,out] *remaining_buf_len Remaining data left allowed in CA certificate
|
|
|
|
|
* chain after appending CA certificate
|
|
|
|
|
* (ca_cert)
|
|
|
|
|
*
|
|
|
|
|
* @return 0 on success, -1 on error
|
|
|
|
|
*/
|
|
|
|
|
static cl_error_t _x509_to_pem_append(X509 *ca_cert,
|
|
|
|
|
char **cert_data,
|
|
|
|
|
int *total_buf_len,
|
|
|
|
|
size_t *remaining_buf_len)
|
|
|
|
|
{
|
|
|
|
|
char *pem_data = NULL;
|
|
|
|
|
char *tmp;
|
|
|
|
|
int pem_data_len = 0;
|
|
|
|
|
cl_error_t ret = CL_EOPEN;
|
|
|
|
|
int current_len = 0;
|
|
|
|
|
|
|
|
|
|
if (ca_cert == NULL || total_buf_len == NULL ||
|
|
|
|
|
remaining_buf_len == NULL || *cert_data == NULL) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "NULL parameter given\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
current_len = *total_buf_len;
|
|
|
|
|
|
2022-08-27 08:57:12 -07:00
|
|
|
if (CL_SUCCESS != _x509_to_pem(ca_cert, &pem_data, &pem_data_len)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to convert x509 certificate to PEM\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (pem_data_len > (int)*remaining_buf_len) {
|
|
|
|
|
tmp = realloc(*cert_data, current_len + pem_data_len + 1);
|
|
|
|
|
if (tmp == NULL) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Could not realloc enough memory for PEM "
|
|
|
|
|
"certificate\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
|
|
|
|
|
free(*cert_data);
|
|
|
|
|
*cert_data = NULL;
|
|
|
|
|
*total_buf_len = 0;
|
|
|
|
|
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
*cert_data = tmp;
|
|
|
|
|
tmp = NULL;
|
|
|
|
|
*remaining_buf_len = 0;
|
|
|
|
|
} else {
|
|
|
|
|
*remaining_buf_len -= pem_data_len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memcpy(&((*cert_data)[current_len]), pem_data, pem_data_len);
|
|
|
|
|
*total_buf_len = current_len + pem_data_len;
|
|
|
|
|
(*cert_data)[*total_buf_len] = '\0';
|
|
|
|
|
|
|
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
|
|
|
|
|
free(pem_data);
|
|
|
|
|
pem_data = NULL;
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert_store_t *cert_store_get_int(void)
|
|
|
|
|
{
|
|
|
|
|
return &_cert_store;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cert_store_unload_int(void)
|
|
|
|
|
{
|
|
|
|
|
if (_cert_store.loaded) {
|
|
|
|
|
cert_store_free_cert_list_int(&_cert_store.system_certs);
|
|
|
|
|
cert_store_free_cert_list_int(&_cert_store.trusted_certs);
|
|
|
|
|
_cert_store.loaded = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cert_store_free_cert_list_int(cert_list_t *cert_list)
|
|
|
|
|
{
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
if (cert_list && cert_list->certificates) {
|
|
|
|
|
for (i = 0; i < cert_list->count; ++i) {
|
|
|
|
|
X509_free(cert_list->certificates[i]);
|
|
|
|
|
cert_list->certificates[i] = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(cert_list->certificates);
|
|
|
|
|
cert_list->certificates = NULL;
|
|
|
|
|
cert_list->count = 0L;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cert_store_unload(void)
|
|
|
|
|
{
|
|
|
|
|
int pt_err;
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_lock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex lock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert_store_unload_int();
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_unlock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex unlock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-17 03:37:45 -04:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ */
|
|
|
|
|
static cl_error_t x509_cert_name_cmp(X509 *cert_a, X509 *cert_b, int *cmp_out)
|
|
|
|
|
{
|
2019-09-23 22:00:49 -04:00
|
|
|
cl_error_t status = CL_EMEM;
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
X509_NAME *a = NULL;
|
|
|
|
|
X509_NAME *b = NULL;
|
|
|
|
|
|
|
|
|
|
BIO *bio_out_a = NULL;
|
|
|
|
|
BIO *bio_out_b = NULL;
|
|
|
|
|
|
|
|
|
|
BUF_MEM *biomem_a;
|
|
|
|
|
BUF_MEM *biomem_b;
|
|
|
|
|
|
|
|
|
|
bio_out_a = BIO_new(BIO_s_mem());
|
|
|
|
|
if (!bio_out_a)
|
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
bio_out_b = BIO_new(BIO_s_mem());
|
|
|
|
|
if (!bio_out_b)
|
|
|
|
|
goto done;
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
a = X509_get_subject_name(cert_a);
|
|
|
|
|
|
|
|
|
|
if (-1 == X509_NAME_print_ex(bio_out_a, a, 0, XN_FLAG_SEP_SPLUS_SPC)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to print x509 certificate name!\n");
|
2019-09-23 22:00:49 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
BIO_get_mem_ptr(bio_out_a, &biomem_a);
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
b = X509_get_subject_name(cert_b);
|
|
|
|
|
|
|
|
|
|
if (-1 == X509_NAME_print_ex(bio_out_b, b, 0, XN_FLAG_SEP_SPLUS_SPC)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to print x509 certificate name!\n");
|
2019-09-23 22:00:49 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
BIO_get_mem_ptr(bio_out_b, &biomem_b);
|
|
|
|
|
|
|
|
|
|
*cmp_out = strncmp(biomem_a->data, biomem_b->data, MIN(biomem_a->length, biomem_b->length));
|
2019-09-23 22:00:49 -04:00
|
|
|
status = CL_SUCCESS;
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
if (NULL != bio_out_a)
|
|
|
|
|
BIO_free(bio_out_a);
|
|
|
|
|
if (NULL != bio_out_b)
|
|
|
|
|
BIO_free(bio_out_b);
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
return status;
|
2019-06-17 03:37:45 -04:00
|
|
|
}
|
|
|
|
|
|
2019-06-26 17:30:09 -04:00
|
|
|
cl_error_t x509_get_cert_name(X509 *cert, char **name)
|
2019-06-17 03:37:45 -04:00
|
|
|
{
|
2019-09-23 22:00:49 -04:00
|
|
|
cl_error_t status = CL_EMEM;
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
X509_NAME *a = NULL;
|
|
|
|
|
BIO *bio_out = NULL;
|
|
|
|
|
BUF_MEM *biomem;
|
2019-09-23 22:00:49 -04:00
|
|
|
char *cert_name = NULL;
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
if (NULL == cert || NULL == name) {
|
2019-09-23 22:00:49 -04:00
|
|
|
status = CL_EARG;
|
2019-06-17 03:37:45 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*name = NULL;
|
|
|
|
|
|
|
|
|
|
bio_out = BIO_new(BIO_s_mem());
|
|
|
|
|
if (!bio_out)
|
|
|
|
|
goto done;
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
a = X509_get_subject_name(cert);
|
|
|
|
|
|
|
|
|
|
if (-1 == X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to print x509 certificate name!\n");
|
2019-09-23 22:00:49 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
BIO_get_mem_ptr(bio_out, &biomem);
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
cert_name = malloc(biomem->length + 1);
|
|
|
|
|
if (!cert_name) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to allocate memory for certificate name biomem structure!\n");
|
2019-06-17 03:37:45 -04:00
|
|
|
goto done;
|
2019-09-23 22:00:49 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memcpy(cert_name, biomem->data, biomem->length);
|
|
|
|
|
cert_name[biomem->length] = '\0';
|
2019-06-17 03:37:45 -04:00
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
*name = cert_name;
|
|
|
|
|
status = CL_SUCCESS;
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
if (NULL != bio_out)
|
|
|
|
|
BIO_free(bio_out);
|
|
|
|
|
|
2019-09-23 22:00:49 -04:00
|
|
|
return status;
|
2019-06-17 03:37:45 -04:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2019-06-16 21:16:16 -04:00
|
|
|
cl_error_t cert_store_export_pem(char **cert_data,
|
|
|
|
|
int *cert_data_len,
|
|
|
|
|
X509 *additional_ca_cert)
|
|
|
|
|
{
|
|
|
|
|
const uint32_t STARTING_RAW_PEM_LENGTH = 350 * 1024;
|
|
|
|
|
uint32_t i;
|
|
|
|
|
cl_error_t ret = CL_EOPEN;
|
|
|
|
|
bool locked = false;
|
|
|
|
|
int pt_err;
|
|
|
|
|
|
|
|
|
|
size_t remaining_buf_len = STARTING_RAW_PEM_LENGTH;
|
|
|
|
|
bool add_additional_ca_cert = true;
|
|
|
|
|
|
|
|
|
|
if ((cert_data == NULL) || (cert_data_len == NULL)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "One or more arguments are NULL\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*cert_data = calloc(1, STARTING_RAW_PEM_LENGTH + 1);
|
|
|
|
|
if (*cert_data == NULL) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Could not allocate memory for PEM certs\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
*cert_data_len = 0;
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_lock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex lock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
locked = true;
|
|
|
|
|
|
|
|
|
|
if (!_cert_store.loaded) {
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Load system root ca certs into list */
|
|
|
|
|
for (i = 0; i < _cert_store.system_certs.count; ++i) {
|
|
|
|
|
if (_x509_to_pem_append(_cert_store.system_certs.certificates[i],
|
|
|
|
|
cert_data,
|
|
|
|
|
cert_data_len,
|
|
|
|
|
&remaining_buf_len) != 0) {
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Two certs by the same name can cause conflicts. Trust the
|
|
|
|
|
* one in the OS certificate/key store if the additional CA
|
|
|
|
|
* name matches that of one in the store.
|
|
|
|
|
*/
|
2019-06-17 03:37:45 -04:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
|
|
/* OpenSSL >= 1.1.0 */
|
|
|
|
|
if (additional_ca_cert) {
|
|
|
|
|
int cmp = 0;
|
|
|
|
|
if (CL_SUCCESS == x509_cert_name_cmp(_cert_store.system_certs.certificates[i],
|
|
|
|
|
additional_ca_cert,
|
|
|
|
|
&cmp)) {
|
|
|
|
|
if (0 == cmp)
|
|
|
|
|
add_additional_ca_cert = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
/* OpenSSL <= 1.0.2 */
|
2019-06-16 21:16:16 -04:00
|
|
|
if (additional_ca_cert && additional_ca_cert->cert_info &&
|
|
|
|
|
(strcmp(_cert_store.system_certs.certificates[i]->name,
|
|
|
|
|
additional_ca_cert->name) == 0)) {
|
|
|
|
|
add_additional_ca_cert = false;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Load trusted ca certs into list */
|
|
|
|
|
for (i = 0; i < _cert_store.trusted_certs.count; ++i) {
|
|
|
|
|
if (_x509_to_pem_append(_cert_store.trusted_certs.certificates[i],
|
|
|
|
|
cert_data,
|
|
|
|
|
cert_data_len,
|
|
|
|
|
&remaining_buf_len) != 0) {
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Two certs by the same name can cause conflicts. Trust the
|
|
|
|
|
* one in the OS certificate/key store if the additional CA
|
|
|
|
|
* name matches that of one in the store.
|
|
|
|
|
*/
|
2019-06-17 03:37:45 -04:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
|
|
/* OpenSSL >= 1.1.0 */
|
|
|
|
|
if (additional_ca_cert) {
|
|
|
|
|
int cmp = 0;
|
|
|
|
|
if (CL_SUCCESS == x509_cert_name_cmp(_cert_store.trusted_certs.certificates[i],
|
|
|
|
|
additional_ca_cert,
|
|
|
|
|
&cmp)) {
|
|
|
|
|
if (0 == cmp)
|
|
|
|
|
add_additional_ca_cert = false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
/* OpenSSL <= 1.0.2 */
|
2019-06-16 21:16:16 -04:00
|
|
|
if (additional_ca_cert && additional_ca_cert->cert_info &&
|
|
|
|
|
(strcmp(_cert_store.trusted_certs.certificates[i]->name,
|
|
|
|
|
additional_ca_cert->name) == 0)) {
|
|
|
|
|
add_additional_ca_cert = false;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* End with the additional CA certificate if provided */
|
|
|
|
|
if (additional_ca_cert && add_additional_ca_cert && *cert_data) {
|
|
|
|
|
/* Return an error only if we were unable to allocate memory */
|
|
|
|
|
if (_x509_to_pem_append(additional_ca_cert,
|
|
|
|
|
cert_data,
|
|
|
|
|
cert_data_len,
|
|
|
|
|
&remaining_buf_len) != 0) {
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
done:
|
|
|
|
|
if (locked) {
|
|
|
|
|
pt_err = pthread_mutex_unlock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex unlock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
locked = false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (ret != CL_SUCCESS && cert_data && *cert_data) {
|
|
|
|
|
free(*cert_data);
|
|
|
|
|
*cert_data = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cl_error_t cert_store_set_trusted_int(X509 **trusted_certs, size_t trusted_cert_count)
|
|
|
|
|
{
|
|
|
|
|
cl_error_t ret = CL_EOPEN;
|
|
|
|
|
size_t i, j;
|
|
|
|
|
cert_list_t tmp_trusted = {0};
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
if ((trusted_certs == NULL) || (trusted_cert_count == 0)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Empty trusted certificate list\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp_trusted.certificates = calloc(trusted_cert_count,
|
|
|
|
|
sizeof(*tmp_trusted.certificates));
|
|
|
|
|
if (!tmp_trusted.certificates) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to reserve memory for trusted certs\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < trusted_cert_count; ++i) {
|
|
|
|
|
bool found = false;
|
|
|
|
|
|
|
|
|
|
/* Check if certificate already exists in system root cert list */
|
|
|
|
|
for (j = 0; j < _cert_store.system_certs.count; ++j) {
|
|
|
|
|
if (X509_cmp(trusted_certs[i],
|
|
|
|
|
_cert_store.system_certs.certificates[j]) == 0) {
|
|
|
|
|
found = true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (found) {
|
|
|
|
|
continue; /* certificate is already found in cert store */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp_trusted.certificates[tmp_trusted.count] =
|
|
|
|
|
X509_dup(trusted_certs[i]);
|
|
|
|
|
if (!tmp_trusted.certificates[tmp_trusted.count]) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "X509_dup failed at index: %zu\n", i);
|
2019-06-16 21:16:16 -04:00
|
|
|
continue; /* continue on error */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmp_trusted.count++;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert_store_free_cert_list_int(&_cert_store.trusted_certs);
|
|
|
|
|
|
|
|
|
|
_cert_store.trusted_certs.certificates = tmp_trusted.certificates;
|
|
|
|
|
_cert_store.trusted_certs.count = tmp_trusted.count;
|
|
|
|
|
|
|
|
|
|
tmp_trusted.certificates = NULL;
|
|
|
|
|
tmp_trusted.count = 0;
|
|
|
|
|
|
|
|
|
|
ret = CL_SUCCESS;
|
|
|
|
|
} while (0);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cl_error_t cert_store_set_trusted(X509 **trusted_certs, size_t trusted_cert_count)
|
|
|
|
|
{
|
|
|
|
|
cl_error_t ret = CL_EOPEN;
|
|
|
|
|
int pt_err;
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_lock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex lock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (_cert_store.loaded) {
|
|
|
|
|
ret = cert_store_set_trusted_int(trusted_certs, trusted_cert_count);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_unlock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex unlock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
size_t cert_store_remove_trusted(void)
|
|
|
|
|
{
|
|
|
|
|
size_t count = 0;
|
|
|
|
|
int pt_err;
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_lock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex lock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (_cert_store.loaded) {
|
|
|
|
|
count = _cert_store.trusted_certs.count;
|
|
|
|
|
cert_store_free_cert_list_int(&_cert_store.trusted_certs);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_unlock(&_cert_store.mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex unlock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cert_fill_X509_store(X509_STORE *store, X509 **certs, size_t cert_count)
|
|
|
|
|
{
|
|
|
|
|
size_t i;
|
|
|
|
|
unsigned long err;
|
|
|
|
|
|
|
|
|
|
if (store && certs && cert_count > 0) {
|
|
|
|
|
for (i = 0; i < cert_count; ++i) {
|
|
|
|
|
if (!certs[i]) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "NULL cert at index %zu in X509 cert list; skipping\n", i);
|
2019-06-16 21:16:16 -04:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (X509_STORE_add_cert(store, certs[i]) != 1) {
|
2019-06-17 03:37:45 -04:00
|
|
|
char *name = NULL;
|
|
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
|
|
x509_get_cert_name(certs[i], &name);
|
|
|
|
|
#else
|
|
|
|
|
name = certs[i]->name;
|
|
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
err = ERR_get_error();
|
|
|
|
|
if (X509_R_CERT_ALREADY_IN_HASH_TABLE == ERR_GET_REASON(err)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_DEBUG, "Certificate skipped; already exists in store: %s\n",
|
2019-06-17 03:37:45 -04:00
|
|
|
(name ? name : ""));
|
2019-06-16 21:16:16 -04:00
|
|
|
} else {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to add certificate to store: %s (%lu) [%s]\n",
|
2019-06-16 21:16:16 -04:00
|
|
|
ERR_error_string(err, NULL), err,
|
2019-06-17 03:37:45 -04:00
|
|
|
(name ? name : ""));
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
2021-06-04 16:46:13 -07:00
|
|
|
if (NULL != name) {
|
|
|
|
|
free(name);
|
|
|
|
|
name = NULL;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void cert_store_export_certs(X509_STORE *store, X509 *additional_ca_cert)
|
|
|
|
|
{
|
|
|
|
|
cert_store_t *cert_store = NULL;
|
|
|
|
|
int pt_err;
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
if (!store) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "NULL X509 store\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert_store = cert_store_get_int();
|
|
|
|
|
if (!cert_store) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to retrieve cert store\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pt_err = pthread_mutex_lock(&cert_store->mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex lock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!cert_store->loaded) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Cert store not loaded\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* On Linux, system certificates are loaded by OpenSSL */
|
|
|
|
|
#if defined(_WIN32) || defined(DARWIN)
|
|
|
|
|
cert_fill_X509_store(store,
|
|
|
|
|
cert_store->system_certs.certificates,
|
|
|
|
|
cert_store->system_certs.count);
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
cert_fill_X509_store(store,
|
|
|
|
|
cert_store->trusted_certs.certificates,
|
|
|
|
|
cert_store->trusted_certs.count);
|
|
|
|
|
|
|
|
|
|
/* Adding the additional CA cert to the trustchain */
|
|
|
|
|
if ((additional_ca_cert != NULL) &&
|
|
|
|
|
(X509_STORE_add_cert(store, additional_ca_cert) != 1)) {
|
2019-06-17 03:37:45 -04:00
|
|
|
char *name = NULL;
|
2019-06-16 21:16:16 -04:00
|
|
|
unsigned long err = ERR_get_error();
|
2019-06-17 03:37:45 -04:00
|
|
|
|
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
|
|
x509_get_cert_name(additional_ca_cert, &name);
|
|
|
|
|
#else
|
|
|
|
|
name = additional_ca_cert->name;
|
|
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
if (X509_R_CERT_ALREADY_IN_HASH_TABLE == ERR_GET_REASON(err)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_INFO, "Certificate is already in trust [%s]\n",
|
2019-06-17 03:37:45 -04:00
|
|
|
(name ? name : ""));
|
2019-06-16 21:16:16 -04:00
|
|
|
} else {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to add CA certificate for the SSL context. "
|
|
|
|
|
"Error: %d [%s]\n",
|
2019-06-16 21:16:16 -04:00
|
|
|
ERR_GET_REASON(err),
|
2019-06-17 03:37:45 -04:00
|
|
|
(name ? name : ""));
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
2021-06-04 16:46:13 -07:00
|
|
|
if (NULL != name) {
|
|
|
|
|
free(name);
|
|
|
|
|
name = NULL;
|
|
|
|
|
}
|
2019-06-17 03:37:45 -04:00
|
|
|
#endif
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
} while (0);
|
|
|
|
|
|
|
|
|
|
if (cert_store) {
|
|
|
|
|
pt_err = pthread_mutex_unlock(&cert_store->mutex);
|
|
|
|
|
if (pt_err) {
|
|
|
|
|
errno = pt_err;
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Mutex unlock failed\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
CURLcode sslctx_function(CURL *curl, void *ssl_ctx, void *userptr)
|
|
|
|
|
{
|
|
|
|
|
CURLcode status = CURLE_BAD_FUNCTION_ARGUMENT;
|
|
|
|
|
cert_store_t *cert_store = NULL;
|
|
|
|
|
|
|
|
|
|
UNUSEDPARAM(curl);
|
|
|
|
|
UNUSEDPARAM(userptr);
|
|
|
|
|
|
|
|
|
|
cert_store = cert_store_get_int();
|
|
|
|
|
if (!cert_store) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to retrieve cert store\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!cert_store->loaded) {
|
|
|
|
|
if (CL_SUCCESS != cert_store_load(NULL, 0)) {
|
2022-02-16 00:13:55 +01:00
|
|
|
mprintf(LOGG_ERROR, "Failed to load cert store\n");
|
2019-06-16 21:16:16 -04:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
X509_STORE *store = SSL_CTX_get_cert_store((SSL_CTX *)ssl_ctx);
|
|
|
|
|
|
|
|
|
|
cert_store_export_certs(store, NULL);
|
|
|
|
|
|
|
|
|
|
status = CURLE_OK;
|
|
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2023-08-02 15:51:04 -07:00
|
|
|
|
|
|
|
|
void set_tls_client_certificate(CURL *curl)
|
|
|
|
|
{
|
|
|
|
|
char *client_certificate;
|
|
|
|
|
char *client_key;
|
|
|
|
|
char *client_key_passwd;
|
|
|
|
|
|
|
|
|
|
client_certificate = getenv("FRESHCLAM_CLIENT_CERT");
|
|
|
|
|
if (client_certificate == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
client_key = getenv("FRESHCLAM_CLIENT_KEY");
|
|
|
|
|
if (client_key == NULL) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
client_key_passwd = getenv("FRESHCLAM_CLIENT_KEY_PASSWD");
|
|
|
|
|
|
|
|
|
|
/* set the cert for client authentication */
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSLCERT, client_certificate);
|
|
|
|
|
|
|
|
|
|
/* set the private key type and path */
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSLKEYTYPE, "PEM");
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_SSLKEY, client_key);
|
|
|
|
|
|
|
|
|
|
/* the private key may require a password */
|
|
|
|
|
if (client_key_passwd == NULL) {
|
|
|
|
|
curl_easy_setopt(curl, CURLOPT_KEYPASSWD, client_key_passwd);
|
|
|
|
|
}
|
|
|
|
|
}
|