From b8efb6d762890b56b4dfa31de9739067eeda9f5a Mon Sep 17 00:00:00 2001
From: hniksic <devnull@localhost>
Date: Wed, 27 Apr 2005 10:15:10 -0700
Subject: [PATCH] [svn] Allow separate specification of certificate type and
 private key type.

---
 src/ChangeLog | 10 +++++++
 src/http.c    |  4 +--
 src/init.c    | 59 ++++++++++++++++++------------------
 src/main.c    |  9 ++++--
 src/openssl.c | 82 ++++++++++++++++++++++++---------------------------
 src/options.h | 14 ++++-----
 6 files changed, 93 insertions(+), 85 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index a6d30758..bb03ff3b 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,13 @@
+2005-04-27  Hrvoje Niksic  <hniksic@xemacs.org>
+
+	* openssl.c (ssl_init): Ditto.
+
+	* options.h (struct options): Allow separate specification of key
+	type and certificate type.
+
+	* init.c (cmd_spec_cert_type): Provide a "der" synonym for "asn1"
+	certificate encoding.
+
 2005-04-26  Hrvoje Niksic  <hniksic@xemacs.org>
 
 	* openssl.c: Renamed "gen_sslfunc.c" to "openssl.c" and
diff --git a/src/http.c b/src/http.c
index 6fb2b743..5d382deb 100644
--- a/src/http.c
+++ b/src/http.c
@@ -1203,8 +1203,8 @@ gethttp (struct url *u, struct http_stat *hs, int *dt, struct url *proxy)
 	  break;
 	case SSLERRCERTKEY:
 	  logprintf (LOG_NOTQUIET,
-		     _("Failed to get certificate key from %s\n"),
-		     opt.cert_key);
+		     _("Failed to get private key from %s\n"),
+		     opt.private_key);
 	  logprintf (LOG_NOTQUIET,
 		     _("Trying without the specified certificate\n"));
 	  break;
diff --git a/src/init.c b/src/init.c
index 22943219..a52ce511 100644
--- a/src/init.c
+++ b/src/init.c
@@ -74,6 +74,9 @@ static int enable_tilde_expansion;
 CMD_DECLARE (cmd_boolean);
 CMD_DECLARE (cmd_bytes);
 CMD_DECLARE (cmd_bytes_large);
+#ifdef HAVE_SSL
+CMD_DECLARE (cmd_cert_type);
+#endif
 CMD_DECLARE (cmd_directory_vector);
 CMD_DECLARE (cmd_lockable_boolean);
 CMD_DECLARE (cmd_number);
@@ -84,9 +87,6 @@ CMD_DECLARE (cmd_directory);
 CMD_DECLARE (cmd_time);
 CMD_DECLARE (cmd_vector);
 
-#ifdef HAVE_SSL
-CMD_DECLARE (cmd_spec_cert_type);
-#endif
 CMD_DECLARE (cmd_spec_dirstruct);
 CMD_DECLARE (cmd_spec_header);
 CMD_DECLARE (cmd_spec_htmlify);
@@ -128,8 +128,7 @@ static struct {
 #ifdef HAVE_SSL
   { "cadirectory",	&opt.ca_directory,	cmd_directory },
   { "certificate",	&opt.cert_file,		cmd_file },
-  { "certificatekey",	&opt.cert_key,		cmd_file },
-  { "certificatetype",	&opt.cert_type,		cmd_spec_cert_type },
+  { "certificatetype",	&opt.cert_type,		cmd_cert_type },
   { "checkcertificate", &opt.check_cert,	cmd_boolean },
 #endif
   { "connecttimeout",	&opt.connect_timeout,	cmd_time },
@@ -196,6 +195,8 @@ static struct {
   { "postfile",		&opt.post_file_name,	cmd_file },
   { "preferfamily",	NULL,			cmd_spec_prefer_family },
   { "preservepermissions", &opt.preserve_perm,	cmd_boolean },
+  { "privatekey",	&opt.private_key,	cmd_file },
+  { "privatekeytype",	&opt.private_key_type,	cmd_cert_type },
   { "progress",		&opt.progress_type,	cmd_spec_progress },
   { "protocoldirectories", &opt.protocol_directories, cmd_boolean },
   { "proxypasswd",	&opt.proxy_passwd,	cmd_string },
@@ -616,6 +617,16 @@ run_command (const char *opt)
 
 /* Generic helper functions, for use with `commands'. */
 
+/* Forward declarations: */
+struct decode_item {
+  const char *name;
+  int code;
+};
+static int decode_string PARAMS ((const char *, const struct decode_item *,
+				  int, int *));
+static int simple_atoi PARAMS ((const char *, const char *, int *));
+static int simple_atof PARAMS ((const char *, const char *, double *));
+
 #define CMP1(p, c0) (TOLOWER((p)[0]) == (c0) && (p)[1] == '\0')
 
 #define CMP2(p, c0, c1) (TOLOWER((p)[0]) == (c0)	\
@@ -696,8 +707,6 @@ cmd_lockable_boolean (const char *com, const char *val, void *place)
   return 1;
 }
 
-static int simple_atoi PARAMS ((const char *, const char *, int *));
-
 /* Set the non-negative integer value from VAL to PLACE.  With
    incorrect specification, the number remains unchanged.  */
 static int
@@ -860,8 +869,6 @@ cmd_directory_vector (const char *com, const char *val, void *place)
   return 1;
 }
 
-static int simple_atof PARAMS ((const char *, const char *, double *));
-
 /* Engine for cmd_bytes and cmd_bytes_large: converts a string such as
    "100k" or "2.5G" to a floating point number.  */
 
@@ -1025,26 +1032,15 @@ cmd_time (const char *com, const char *val, void *place)
   *(double *)place = number * mult;
   return 1;
 }
-
-/* Specialized helper functions, used by `commands' to handle some
-   options specially.  */
-
-static int check_user_specified_header PARAMS ((const char *));
-/* Forward decl */
-struct decode_item {
-  const char *name;
-  int code;
-};
-static int decode_string PARAMS ((const char *, const struct decode_item *,
-				  int, int *));
 
 #ifdef HAVE_SSL
 static int
-cmd_spec_cert_type (const char *com, const char *val, void *place)
+cmd_cert_type (const char *com, const char *val, void *place)
 {
   static const struct decode_item choices[] = {
-    { "pem", cert_type_pem },
-    { "asn1", cert_type_asn1 },
+    { "pem", keyfile_pem },
+    { "der", keyfile_asn1 },
+    { "asn1", keyfile_asn1 },
   };
   int ok = decode_string (val, choices, countof (choices), place);
   if (!ok)
@@ -1052,6 +1048,11 @@ cmd_spec_cert_type (const char *com, const char *val, void *place)
   return ok;
 }
 #endif
+
+/* Specialized helper functions, used by `commands' to handle some
+   options specially.  */
+
+static int check_user_specified_header PARAMS ((const char *));
 
 static int
 cmd_spec_dirstruct (const char *com, const char *val, void *place_ignored)
@@ -1455,12 +1456,12 @@ cleanup (void)
   xfree_null (opt.http_user);
   xfree_null (opt.http_passwd);
   free_vec (opt.user_headers);
-#ifdef HAVE_SSL
-  xfree_null (opt.sslcertkey);
-  xfree_null (opt.sslcertfile);
-#endif /* HAVE_SSL */
+# ifdef HAVE_SSL
+  xfree_null (opt.cert_file);
+  xfree_null (opt.private_key);
+# endif
   xfree_null (opt.bind_address);
   xfree_null (opt.cookies_input);
   xfree_null (opt.cookies_output);
-#endif
+#endif /* DEBUG_MALLOC */
 }
diff --git a/src/main.c b/src/main.c
index e5af97b9..6470c1e0 100644
--- a/src/main.c
+++ b/src/main.c
@@ -161,7 +161,6 @@ struct cmdline_option option_data[] =
     { IF_SSL ("ca-directory"), 0, OPT_VALUE, "cadirectory", -1 },
     { "cache", 0, OPT_BOOLEAN, "cache", -1 },
     { IF_SSL ("certificate"), 0, OPT_VALUE, "certificate", -1 },
-    { IF_SSL ("certificate-key"), 0, OPT_VALUE, "certificatekey", -1 },
     { IF_SSL ("certificate-type"), 0, OPT_VALUE, "certificatetype", -1 },
     { IF_SSL ("check-certificate"), 0, OPT_BOOLEAN, "checkcertificate", -1 },
     { "clobber", 0, OPT__CLOBBER, NULL, optional_argument },
@@ -222,6 +221,8 @@ struct cmdline_option option_data[] =
     { "post-file", 0, OPT_VALUE, "postfile", -1 },
     { "prefer-family", 0, OPT_VALUE, "preferfamily", -1 },
     { "preserve-permissions", 0, OPT_BOOLEAN, "preservepermissions", -1 },
+    { IF_SSL ("private-key"), 0, OPT_VALUE, "privatekey", -1 },
+    { IF_SSL ("private-key-type"), 0, OPT_VALUE, "privatekeytype", -1 },
     { "progress", 0, OPT_VALUE, "progress", -1 },
     { "protocol-directories", 0, OPT_BOOLEAN, "protocoldirectories", -1 },
     { "proxy", 0, OPT_BOOLEAN, "useproxy", -1 },
@@ -540,10 +541,12 @@ HTTPS (SSL/TLS) options:\n"),
        --no-check-certificate   don't validate the server's certificate.\n"),
     N_("\
        --certificate=FILE       client certificate file.\n"),
-    N_("\
-       --certificate-key=FILE   optional key file for this certificate.\n"),
     N_("\
        --certificate-type=TYPE  client certificate type, PEM or ASN1.\n"),
+    N_("\
+       --private-key=FILE       private key file.\n"),
+    N_("\
+       --private-key-type=TYPE  private key type, PEM or ASN1.\n"),
     N_("\
        --ca-certificate=FILE    file with the bundle of CA's.\n"),
     N_("\
diff --git a/src/openssl.c b/src/openssl.c
index 664ed1e6..920f5a50 100644
--- a/src/openssl.c
+++ b/src/openssl.c
@@ -154,6 +154,26 @@ ssl_print_errors (void)
     logprintf (LOG_NOTQUIET, "OpenSSL: %s\n", ERR_error_string (curerr, NULL));
 }
 
+/* Convert keyfile type as used by options.h to a type as accepted by
+   SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file.
+
+   (options.h intentionally doesn't use values from openssl/ssl.h so
+   it doesn't depend specifically on OpenSSL for SSL functionality.)  */
+
+static int
+key_type_to_ssl_type (enum keyfile_type type)
+{
+  switch (type)
+    {
+    case keyfile_pem:
+      return SSL_FILETYPE_PEM;
+    case keyfile_asn1:
+      return SSL_FILETYPE_ASN1;
+    default:
+      abort ();
+    }
+}
+
 /* Creates a SSL Context and sets some defaults for it */
 uerr_t
 ssl_init ()
@@ -191,59 +211,33 @@ ssl_init ()
     case secure_protocol_tlsv1:
       meth = TLSv1_client_method ();
       break;
-    }
-  if (meth == NULL)
-    {
-      ssl_print_errors ();
-      return SSLERRCTXCREATE;
+    default:
+      abort ();
     }
 
   ssl_ctx = SSL_CTX_new (meth);
-  if (meth == NULL)
-    {
-      ssl_print_errors ();
-      return SSLERRCTXCREATE;
-    }
-
   SSL_CTX_set_default_verify_paths (ssl_ctx);
   SSL_CTX_load_verify_locations (ssl_ctx, opt.ca_cert, opt.ca_directory);
   SSL_CTX_set_verify (ssl_ctx,
 		      opt.check_cert ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
 		      verify_callback);
 
-  if (opt.cert_file != NULL || opt.cert_key != NULL)
-    {
-      int ssl_cert_type = SSL_FILETYPE_PEM;
-      switch (opt.cert_type)
-	{
-	case cert_type_pem:
-	  ssl_cert_type = SSL_FILETYPE_PEM;
-	  break;
-	case cert_type_asn1:
-	  ssl_cert_type = SSL_FILETYPE_ASN1;
-	  break;
-	}
-
-#if 0 /* what was this supposed to achieve? */
-      if (opt.cert_key == NULL) 
-	opt.cert_key = opt.cert_file;
-      if (opt.cert_file == NULL)
-	opt.cert_file = opt.cert_key;
-#endif
-
-      if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
-					ssl_cert_type) != 1)
-	{
-	  ssl_print_errors ();
-  	  return SSLERRCERTFILE;
-	}
-      if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.cert_key,
-				       ssl_cert_type) != 1)
-	{
-	  ssl_print_errors ();
-	  return SSLERRCERTKEY;
-	}
-    }
+  if (opt.cert_file)
+    if (SSL_CTX_use_certificate_file (ssl_ctx, opt.cert_file,
+				      key_type_to_ssl_type (opt.cert_type))
+	!= 1)
+      {
+	ssl_print_errors ();
+	return SSLERRCERTFILE;
+      }
+  if (opt.private_key)
+    if (SSL_CTX_use_PrivateKey_file (ssl_ctx, opt.private_key,
+				     key_type_to_ssl_type (opt.private_key_type))
+	!= 1)
+      {
+	ssl_print_errors ();
+	return SSLERRCERTKEY;
+      }
 
   return 0; /* Succeded */
 }
diff --git a/src/options.h b/src/options.h
index 48c8fd00..eea4061f 100644
--- a/src/options.h
+++ b/src/options.h
@@ -167,13 +167,13 @@ struct options
   } secure_protocol;		/* type of secure protocol to use. */
   int check_cert;		/* whether to validate the server's cert */
   char *cert_file;		/* external client certificate to use. */
-  char *cert_key;		/* the keyfile for this certificate
-				   (if not internal) included in the
-				   certfile. */
-  enum {
-    cert_type_pem,
-    cert_type_asn1
-  } cert_type;			/* type of client certificate */
+  char *private_key;		/* private key file (if not internal). */
+  enum keyfile_type {
+    keyfile_pem,
+    keyfile_asn1
+  } cert_type;			/* type of client certificate file */
+  enum keyfile_type
+    private_key_type;		/* type of private key file */
 
   char *ca_directory;		/* CA directory (hash files) */
   char *ca_cert;		/* CA certificate file to use */
-- 
2.39.2