
frontend: Support custom SSL options for each listener.
authorSebastian Harl <sh@tokkee.org>
Sat, 31 Jan 2015 14:51:47 +0000 (15:51 +0100)
committerSebastian Harl <sh@tokkee.org>
Sun, 1 Feb 2015 14:00:27 +0000 (15:00 +0100)
src/frontend/sock.c
src/include/frontend/sock.h
src/tools/sysdbd/main.c
t/unit/frontend/sock_test.c

index eb753156531c316b050cb5c7ee90879696976a3f..c2a805aa2510fbe168f4e706b52acfec804dabc7 100644 (file)
@@ -80,6 +80,7 @@ typedef struct {
        int   type;
 
        /* optional SSL settings */
+       sdb_ssl_options_t ssl_opts;
        sdb_ssl_server_t *ssl;
 
        /* listener configuration */
@@ -290,8 +291,7 @@ open_tcp(listener_t *listener)
 
        assert(listener);
 
-       /* TODO: make options configurable */
-       listener->ssl = sdb_ssl_server_create(NULL);
+       listener->ssl = sdb_ssl_server_create(&listener->ssl_opts);
        if (! listener->ssl)
                return -1;
 
@@ -444,6 +444,7 @@ listener_destroy(listener_t *listener)
                return;
 
        listener_close(listener);
+       sdb_ssl_free_options(&listener->ssl_opts);
 
        if (listener->address)
                free(listener->address);
@@ -480,6 +481,7 @@ listener_create(sdb_fe_socket_t *sock, const char *address)
        if ((! strncmp(address, listener_impls[type].prefix, len))
                        && (address[len] == ':'))
                address += strlen(listener_impls[type].prefix) + 1;
+       memset(listener, 0, sizeof(*listener));
 
        listener->sock_fd = -1;
        listener->address = strdup(address);
@@ -494,12 +496,6 @@ listener_create(sdb_fe_socket_t *sock, const char *address)
        listener->setup = NULL;
        listener->ssl = NULL;
 
-       if (listener_impls[type].open(listener)) {
-               /* prints error */
-               listener_destroy(listener);
-               return NULL;
-       }
-
        ++sock->listeners_num;
        return listener;
 } /* listener_create */
@@ -714,7 +710,8 @@ sdb_fe_sock_destroy(sdb_fe_socket_t *sock)
 } /* sdb_fe_sock_destroy */
 
 int
-sdb_fe_sock_add_listener(sdb_fe_socket_t *sock, const char *address)
+sdb_fe_sock_add_listener(sdb_fe_socket_t *sock, const char *address,
+               const sdb_ssl_options_t *opts)
 {
        listener_t *listener;
 
@@ -724,6 +721,44 @@ sdb_fe_sock_add_listener(sdb_fe_socket_t *sock, const char *address)
        listener = listener_create(sock, address);
        if (! listener)
                return -1;
+
+       if (opts) {
+               int ret = 0;
+
+               if (opts->ca_file) {
+                       listener->ssl_opts.ca_file = strdup(opts->ca_file);
+                       if (! listener->ssl_opts.ca_file)
+                               ret = -1;
+               }
+               if (opts->key_file) {
+                       listener->ssl_opts.key_file = strdup(opts->key_file);
+                       if (! listener->ssl_opts.key_file)
+                               ret = -1;
+               }
+               if (opts->cert_file) {
+                       listener->ssl_opts.cert_file = strdup(opts->cert_file);
+                       if (! listener->ssl_opts.cert_file)
+                               ret = -1;
+               }
+               if (opts->crl_file) {
+                       listener->ssl_opts.crl_file = strdup(opts->crl_file);
+                       if (! listener->ssl_opts.crl_file)
+                               ret = -1;
+               }
+
+               if (ret) {
+                       listener_destroy(listener);
+                       --sock->listeners_num;
+                       return ret;
+               }
+       }
+
+       if (listener_impls[listener->type].open(listener)) {
+               /* prints error */
+               listener_destroy(listener);
+               --sock->listeners_num;
+               return -1;
+       }
        return 0;
 } /* sdb_fe_sock_add_listener */
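Review bot: The `open_tcp` hunk now passes `&listener->ssl_opts` where `NULL` used to go, and after the new `memset` in `listener_create` that struct is all-zero whenever `sdb_fe_sock_add_listener` is called with `opts == NULL`, which is exactly what main.c and the unit test do. Unless `sdb_ssl_server_create` treats an all-NULL options struct the same way it treated a NULL pointer (same default CA/cert/key/CRL paths and the same peer-verification behaviour), every listener created without options quietly changes its TLS configuration; please confirm that in utils/ssl, or keep the old behaviour by recording whether options were supplied and passing `NULL` otherwise. The copy block in `sdb_fe_sock_add_listener` also copies only `ca_file`, `key_file`, `cert_file` and `crl_file`, so any other member of `sdb_ssl_options_t` would be dropped silently; a comment such as `/* only the four file paths are copied; other members of opts are ignored */` makes that visible, or a small helper that copies the whole struct avoids the question. Finally, the `listener_destroy(listener); --sock->listeners_num;` pair appears twice in the new code while the removed block in `listener_create` needed no decrement because it ran before `++sock->listeners_num`; a single `goto fail` cleanup label would keep the count bookkeeping in one place. The body of `listener_create` and the start of `open_tcp` lie outside these hunks.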
 
index be07329d41e42f60f0ce41fcd51e18a46391735a..37354c21af026e7ec171085985d8bfd865e6ce46 100644 (file)
@@ -25,6 +25,8 @@
  * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
+#include "utils/ssl.h"
+
 #include <stdbool.h>
 #include <unistd.h>
 
@@ -77,12 +79,15 @@ sdb_fe_sock_destroy(sdb_fe_socket_t *sock);
  *
  *  - unix: listen on a UNIX socket
  *
+ * If specified, the SSL options will be used for any SSL connection.
+ *
  * Returns:
  *  - 0 on success
  *  - a negative value else
  */
 int
-sdb_fe_sock_add_listener(sdb_fe_socket_t *sock, const char *address);
+sdb_fe_sock_add_listener(sdb_fe_socket_t *sock, const char *address,
+               const sdb_ssl_options_t *opts);
 
 /*
  * sdb_fe_sock_clear_listeners:
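Review bot: The added sentence `If specified, the SSL options will be used for any SSL connection.` does not say who owns `opts` after the call, which a caller handling certificate and key paths needs to know. The implementation in sock.c duplicates each path with `strdup` and fails the whole call if any copy fails, so the caller keeps ownership and may free the struct and its strings as soon as the function returns. Suggest extending the comment with `The options are copied; the caller retains ownership of opts and its strings. Currently only the ca_file, key_file, cert_file and crl_file members are used; when opts is NULL no SSL options are set.`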
index 9d85ba8ead2005d285b91c1bdf513fae21372f3d..c7fad8027b4a0da2fe6175af33001ca6f9fd7145 100644 (file)
@@ -257,7 +257,7 @@ main_loop(void)
                }
 
                for (i = 0; i < listen_addresses_num; ++i) {
-                       if (sdb_fe_sock_add_listener(sock, listen_addresses[i])) {
+                       if (sdb_fe_sock_add_listener(sock, listen_addresses[i], NULL)) {
                                status = 1;
                                break;
                        }
index be2c46d5536a7b455275883685327852eedbc348..6d69ed9ca4a2428c0615a8e4b7e7cafe7c185781 100644 (file)
@@ -75,7 +75,7 @@ sock_listen(char *tmp_file)
        int check;
 
        sprintf(sock_addr, "unix:%s", tmp_file);
-       check = sdb_fe_sock_add_listener(sock, sock_addr);
+       check = sdb_fe_sock_add_listener(sock, sock_addr, NULL);
        fail_unless(check == 0,
                        "sdb_fe_sock_add_listener(%s) = %i; expected: 0",
                        sock_addr, check);