New configuration variables for client-side certificate

configlexer.lex

@@ -245,6 +245,10 @@ allow-axfr-fallback{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ALLOW_AXFR_F
 tls-auth{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH;}
 auth-domain-name{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_DOMAIN_NAME;}
 root-pem{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_ROOT_PEM;}
+client-cert{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_CERT;}
+client-key{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY;}
+client-key-pw{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY_PW;}
+password{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_TLS_AUTH_CLIENT_KEY;}
 key{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_KEY;}
 algorithm{COLON}	{ LEXOUT(("v(%s) ", yytext)); return VAR_ALGORITHM;}
 secret{COLON}		{ LEXOUT(("v(%s) ", yytext)); return VAR_SECRET;}

configparser.y

@@ -148,6 +148,9 @@ static int parse_range(const char *str, long long *low, long long *high);
 %token VAR_TLS_AUTH
 %token VAR_TLS_AUTH_DOMAIN_NAME
 %token VAR_TLS_AUTH_ROOT_PEM
+%token VAR_TLS_AUTH_CLIENT_CERT
+%token VAR_TLS_AUTH_CLIENT_KEY
+%token VAR_TLS_AUTH_CLIENT_KEY_PW
 
 /* pattern */
 %token VAR_PATTERN
@@ -665,6 +668,18 @@ tls_auth_option:
     {
 	    cfg_parser->tls_auth->root_pem = region_strdup(cfg_parser->opt->region, $2);
     };
+  | VAR_TLS_AUTH_CLIENT_CERT STRING
+    {
+	    cfg_parser->tls_auth->client_cert = region_strdup(cfg_parser->opt->region, $2);
+    };
+  | VAR_TLS_AUTH_CLIENT_KEY STRING
+    {
+	    cfg_parser->tls_auth->client_key = region_strdup(cfg_parser->opt->region, $2);
+    };
+  | VAR_TLS_AUTH_CLIENT_KEY_PW STRING
+    {
+	    cfg_parser->tls_auth->client_key_pw = region_strdup(cfg_parser->opt->region, $2);
+    };
 
 key:
     VAR_KEY

options.h

@@ -332,6 +332,9 @@ struct tls_auth_options {
 	char* name;
 	char* auth_domain_name;
 	char* root_pem;
+	char* client_cert;
+	char* client_key;
+	char* client_key_pw;
 };
 
 /** zone list free space */

xfrd-tcp.c

@@ -100,6 +100,14 @@ setup_ssl(struct xfrd_tcp_pipeline* tp, struct xfrd_tcp_set* tcp_set,
 	}
 	return 1;
 }
+
+int password_cb(char *buf, int size, int rwflag, void *u)
+{
+	strncpy(buf, (char *)u, size);
+	buf[size - 1] = '\0';
+	return strlen(buf);
+}
+
 #endif
 
 /* sort tcppipe, first on IP address, for an IPaddresss, sort on num_unused */
@@ -675,6 +683,8 @@ xfrd_tcp_open(struct xfrd_tcp_set* set, struct xfrd_tcp_pipeline* tp,
 			xfrd_set_refresh_now(zone);
 			return 0;
 		}
+
+		/* Load custom CA (if provided) */
 		if (zone->master->tls_auth_options->root_pem) {
 			if (SSL_CTX_load_verify_locations(set->ssl_ctx, zone->master->tls_auth_options->root_pem, NULL) != 1) {
 				log_msg(LOG_ERR, "xfrd tls: Unable to set root certificate");
@@ -684,6 +694,24 @@ xfrd_tcp_open(struct xfrd_tcp_set* set, struct xfrd_tcp_pipeline* tp,
 			}
 		}
 
+		/* Load client certificate (if provided) */
+		if (zone->master->tls_auth_options->client_cert &&
+		    zone->master->tls_auth_options->client_key) {
+			if (SSL_CTX_use_certificate_chain_file(set->ssl_ctx,
+			                                       zone->master->tls_auth_options->client_cert) != 1) {
+				log_msg(LOG_ERR, "xfrd tls: Unable to load client certificate from file %s", zone->master->tls_auth_options->client_cert);
+			}
+
+			if (zone->master->tls_auth_options->client_key_pw) {
+				SSL_CTX_set_default_passwd_cb(set->ssl_ctx, password_cb);
+				SSL_CTX_set_default_passwd_cb_userdata(set->ssl_ctx, zone->master->tls_auth_options->client_key_pw);
+			}
+
+			if (SSL_CTX_use_PrivateKey_file(set->ssl_ctx, zone->master->tls_auth_options->client_key, SSL_FILETYPE_PEM) != 1) {
+				log_msg(LOG_ERR, "xfrd tls: Unable to load private key from file from file %s", zone->master->tls_auth_options->client_key);
+			}
+		}
+
 		// TODO: There is a nasty case where the far end is listening on TCP 
 		// but not TLS. In that case the SSL_do_handshake function will loop, 
 		// returning SSL_ERROR_WANT_READ for the tcp_timeout (120s). This can