Add more options for TLS support

2025-02-19 10:01:24 +00:00 · 2022-11-07 15:21:51 +00:00 · 2022-11-07 15:21:51 +00:00 · df2c123655
commit df2c123655
parent 36b9547a8b
3 changed files with 110 additions and 69 deletions
--- a/10
+++ b/10
@ -1,3 +1,13 @@
+2022-11-07 Richard Frith-Macdonald <rfm@gnu.org>
+
+	* EcControl.m: Make Control specific config clearer and avoid
+	polluting server specific config space with it.
+	* EcCommand.m: Pass along more TLS control vlaues to clients
+	* EcProcess.m: Clean up setting TLS configuration, fix to be present
+	in all necessary code paths, add support for GSTLSVerifyClient,
+	GSTLSVerifyServer and GSTLSServerName in process config, so we can
+	control inter process verification.
+
 2022-11-04 Richard Frith-Macdonald <rfm@gnu.org>

 	* configure.ac:	check for crypt
--- a/EcCommand.m
+++ b/EcCommand.m
@ -1543,13 +1543,30 @@ valgrindLog(NSString *name)
 			  [opts setObject: opt forKey: GSTLSDebug];
 			}

-		      /* Pass on the TLS priority settings from the Command
-		       * server configuration to the client.
+		      /* Pass on the TLS priority settings and other config
+                       * from the Command server to the client.
 		       */
 		      if ((opt = [defs objectForKey: GSTLSPriority]) != nil)
 			{
 			  [opts setObject: opt forKey: GSTLSPriority];
 			}
+		      if ((opt = [defs objectForKey: GSTLSCAFile]) != nil)
+			{
+			  [opts setObject: opt forKey: GSTLSCAFile];
+			}
+		      if ((opt = [defs objectForKey: GSTLSRevokeFile]) != nil)
+			{
+			  [opts setObject: opt forKey: GSTLSRevokeFile];
+			}
+
+		      if ((opt = [defs objectForKey: @"GSTLSVerifyClient"]))
+			{
+			  [opts setObject: opt forKey: @"GSTLSVerifyClient"];
+			}
+		      if ((opt = [defs objectForKey: @"GSTLSVerifyServer"]))
+			{
+			  [opts setObject: opt forKey: @"GSTLSVerifyServer"];
+			}

 		      [defs setObject: opts
 			       forKey: @"NSSocketPortOptionsForTLS"];
--- a/EcProcess.m
+++ b/EcProcess.m
@ -32,6 +32,84 @@
 #import <GNUstepBase/NSObject+GNUstepBase.h>
 #if     GS_USE_GNUTLS
 #import <GNUstepBase/GSTLS.h>
+
+static void
+setupTLS(NSUserDefaults *u)
+{
+#if       !defined(TLS_DISTRIBUTED_OBJECTS)
+  if ([u boolForKey: @"EncryptedDO"])
+#endif
+    {
+      /* Enable encrypted DO if supported by the base library.
+       */
+      if ([NSSocketPort respondsToSelector:
+        @selector(setClientOptionsForTLS:)])
+        {
+          NSDictionary          *d;
+          NSMutableDictionary   *opts;
+          BOOL                  verifyClient = NO;
+          BOOL                  verifyServer = NO;
+
+          d = [u dictionaryForKey: @"NSSocketPortOptionsForTLS"];
+          if (nil == d)
+            {
+              opts = [NSMutableDictionary dictionary];
+            }
+          else
+            {
+              id        o;
+
+              /* If we were passed data rather than filenames
+               * we must set it up as cached data corresponding
+               * to well known names.
+               */
+              opts = AUTORELEASE([d mutableCopy]);
+              o = [opts objectForKey: GSTLSCertificateKeyFile];
+              if ([o isKindOfClass: [NSData class]])
+                {
+                  [GSTLSObject setData: o
+                            forTLSFile: @"self-signed-key"];
+                  [opts setObject: @"self-signed-key"
+                           forKey: GSTLSCertificateKeyFile];
+                }
+              o = [opts objectForKey: GSTLSCertificateFile];
+              if ([o isKindOfClass: [NSData class]])
+                {
+                  [GSTLSObject setData: o
+                            forTLSFile: @"self-signed-crt"];
+                  [opts setObject: @"self-signed-crt"
+                           forKey: GSTLSCertificateFile];
+                }
+              if ([[opts objectForKey: @"GSTLSVerifyClient"] boolValue]
+                || [[opts objectForKey: GSTLSVerify] boolValue])
+                {
+                  verifyClient = YES;
+                }
+              [opts removeObjectForKey: @"GSTLSVerifyClient"];
+              if ([[opts objectForKey: @"GSTLSVerifyServer"] boolValue]
+                || [[opts objectForKey: GSTLSVerify] boolValue])
+                {
+                  verifyServer = YES;
+                }
+              [opts removeObjectForKey: @"GSTLSVerifyServer"];
+            }
+
+          [opts setObject: (verifyClient ? @"YES" : @"NO") forKey: GSTLSVerify];
+          [NSSocketPort
+            performSelector: @selector(setClientOptionsForTLS:)
+                 withObject: opts];
+          [opts setObject: (verifyServer ? @"YES" : @"NO") forKey: GSTLSVerify];
+          [NSSocketPort
+            performSelector: @selector(setServerOptionsForTLS:)
+                 withObject: opts];
+        }
+    }
+}
+#else
+static void
+setupTLS(NSUserDefaults *u)
+{
+}
 #endif

 #import "EcProcess.h"
@ -234,6 +312,7 @@ trim(char *str)
 }
 #endif

+
@interface      EcDefaultRegistration : NSObject
 {
  NSString      *name;          // The name/key of the default (without prefix)
@ -1663,56 +1742,9 @@ findMode(NSDictionary* d, NSString* s)
              [cmdDefs removeVolatileDomainForName: NSArgumentDomain];
              [cmdDefs setVolatileDomain: m forName: NSArgumentDomain];
            }
-#if     GS_USE_GNUTLS
-#if       !defined(TLS_DISTRIBUTED_OBJECTS)
-	  if ([cmdDefs boolForKey: @"EncryptedDO"])
-#endif
-	    {
-	      /* Enable encrypted DO if supported by the base library.
-	       */
-	      if ([NSSocketPort respondsToSelector:
-		@selector(setClientOptionsForTLS:)])
-		{
-		  defs = [cmdDefs
-		    dictionaryForKey: @"NSSocketPortOptionsForTLS"];
-		  if (defs != nil)
-		    {
-		      NSMutableDictionary   *opts;
-		      id                    o;
-
-		      /* If we were passed data rather than filenames
-		       * we must set it up as cached data corresponding
-		       * to well known names.
-		       */
-		      opts = AUTORELEASE([defs mutableCopy]);
-		      o = [opts objectForKey: GSTLSCertificateKeyFile];
-		      if ([o isKindOfClass: [NSData class]])
-			{
-			  [GSTLSObject setData: o
-				    forTLSFile: @"self-signed-key"];
-			  [opts setObject: @"self-signed-key"
-				   forKey: GSTLSCertificateKeyFile];
-			}
-		      o = [opts objectForKey: GSTLSCertificateFile];
-		      if ([o isKindOfClass: [NSData class]])
-			{
-			  [GSTLSObject setData: o
-				    forTLSFile: @"self-signed-crt"];
-			  [opts setObject: @"self-signed-crt"
-				   forKey: GSTLSCertificateFile];
-			}
-		      [NSSocketPort
-			performSelector: @selector(setClientOptionsForTLS:)
-			     withObject: opts];
-		      [NSSocketPort
-			performSelector: @selector(setServerOptionsForTLS:)
-			     withObject: opts];
-		    }
-		}
-	    }
-#endif
        }

+      setupTLS(cmdDefs);
      cmdUser = EC_EFFECTIVE_USER;
      if (nil == cmdUser)
 	{
@ -3217,25 +3249,7 @@ NSLog(@"Ignored attempt to set timer interval to %g ... using 10.0", interval);
    }
  if (nil == ecLock)
    {
-#if     GS_USE_GNUTLS
-#if       !defined(TLS_DISTRIBUTED_OBJECTS)
-      if ([[NSUserDefaults standardUserDefaults] boolForKey: @"EncryptedDO"])
-#endif
-	{
-	  /* Enable encrypted DO if supported by the base library.
-	   */
-	  if ([NSSocketPort respondsToSelector:
-	    @selector(setClientOptionsForTLS:)])
-	    {
-	      NSDictionary  *opts = [NSDictionary dictionary];
-
-	      [NSSocketPort performSelector: @selector(setClientOptionsForTLS:)
-				 withObject: opts];
-	      [NSSocketPort performSelector: @selector(setServerOptionsForTLS:)
-				 withObject: opts];
-	    }
-	}
-#endif
+      setupTLS([NSUserDefaults standardUserDefaults]);
      ecLock = [NSRecursiveLock new];
      dateClass = [NSDate class];
      cDateClass = [NSCalendarDate class];