Resolve tls_ca_{file,path} relative to config dir

author: Přemysl Janouch <p.janouch@gmail.com> 2016-02-19 23:46:44 +0100
committer: Přemysl Janouch <p.janouch@gmail.com> 2016-02-19 23:46:44 +0100
commit: 056e0a476561aafc428029cbd646bfbe17735088 (patch)
tree: b66e210295c8799f1bc9c136a25634c37ec1c7d2
parent: 798ed73a8c2c4cda2f9ac9bba14ed230e81ee585 (diff)
download: xK-056e0a476561aafc428029cbd646bfbe17735088.tar.gz
xK-056e0a476561aafc428029cbd646bfbe17735088.tar.xz
xK-056e0a476561aafc428029cbd646bfbe17735088.zip
2 files changed, 109 insertions, 63 deletions
diff --git a/degesch.c b/degesch.c
index cdbc473..912a489 100644
--- a/degesch.c
+++ b/degesch.c
@@ -4471,6 +4471,51 @@ transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 }
 
 static bool
+transport_tls_init_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+	struct error **e)
+{
+	ERR_clear_error ();
+
+	if (file || path)
+	{
+		if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+			return true;
+
+		FAIL ("%s: %s", "Failed to set locations for the CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	}
+
+	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+		FAIL ("%s: %s", "Couldn't load the default CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	return true;
+}
+
+static bool
+transport_tls_init_ca (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
+{
+	const char *ca_file = get_config_string (s->config, "tls_ca_file");
+	const char *ca_path = get_config_string (s->config, "tls_ca_path");
+
+	char *full_ca_file = ca_file
+		? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+	char *full_ca_path = ca_path
+		? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+	bool ok = false;
+	if      (ca_file && !full_ca_file)
+		error_set (e, "Couldn't find the CA bundle file");
+	else if (ca_path && !full_ca_path)
+		error_set (e, "Couldn't find the CA bundle path");
+	else
+		ok = transport_tls_init_ca_set (ssl_ctx, full_ca_file, full_ca_path, e);
+
+	free (full_ca_file);
+	free (full_ca_path);
+	return ok;
+}
+
+static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 	bool verify = get_config_boolean (s->config, "tls_verify");
@@ -4499,42 +4544,19 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 	SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif // SSL_OP_NO_COMPRESSION
 
-	const char *ca_file = get_config_string (s->config, "tls_ca_file");
-	const char *ca_path = get_config_string (s->config, "tls_ca_path");
-
-	ERR_clear_error ();
-
 	struct error *error = NULL;
-	if (ca_file || ca_path)
+	if (!transport_tls_init_ca (s, ssl_ctx, &error))
 	{
-		if (SSL_CTX_load_verify_locations (ssl_ctx, ca_file, ca_path))
-			return true;
-
-		error_set (&error, "%s: %s",
-			"Failed to set locations for the CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-
-	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
-	{
-		error_set (&error, "%s: %s",
-			"Couldn't load the default CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-	return true;
+		if (verify)
+		{
+			error_propagate (e, error);
+			return false;
+		}
 
-ca_error:
-	if (verify)
-	{
-		error_propagate (e, error);
-		return false;
+		// Only inform the user if we're not actually verifying
+		log_server_error (s, s->buffer, "#s", error->message);
+		error_free (error);
 	}
-
-	// Only inform the user if we're not actually verifying
-	log_server_error (s, s->buffer, "#s", error->message);
-	error_free (error);
 	return true;
 }
 
diff --git a/zyklonb.c b/zyklonb.c
index 4a04757..cd40254 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -1,7 +1,7 @@
 /*
  * zyklonb.c: the experimental IRC bot
  *
- * Copyright (c) 2014 - 2015, Přemysl Janouch <p.janouch@gmail.com>
+ * Copyright (c) 2014 - 2016, Přemysl Janouch <p.janouch@gmail.com>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -315,6 +315,51 @@ irc_get_boolean_from_config
 }
 
 static bool
+irc_initialize_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+	struct error **e)
+{
+	ERR_clear_error ();
+
+	if (file || path)
+	{
+		if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+			return true;
+
+		FAIL ("%s: %s", "failed to set locations for the CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	}
+
+	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+		FAIL ("%s: %s", "couldn't load the default CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	return true;
+}
+
+static bool
+irc_initialize_ca (struct bot_context *ctx, struct error **e)
+{
+	const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
+	const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
+
+	char *full_file = ca_file
+		? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+	char *full_path = ca_path
+		? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+	bool ok = false;
+	if      (ca_file && !full_file)
+		error_set (e, "couldn't find the CA bundle file");
+	else if (ca_path && !full_path)
+		error_set (e, "couldn't find the CA bundle path");
+	else
+		ok = irc_initialize_ca_set (ctx->ssl_ctx, full_file, full_path, e);
+
+	free (full_file);
+	free (full_path);
+	return ok;
+}
+
+static bool
 irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 {
 	// Disable deprecated protocols (see RFC 7568)
@@ -326,40 +371,19 @@ irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 	SSL_CTX_set_verify (ctx->ssl_ctx,
 		verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
 
-	const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
-	const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
-
 	struct error *error = NULL;
-	if (ca_file || ca_path)
-	{
-		if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, ca_file, ca_path))
-			return true;
-
-		error_set (&error, "%s: %s",
-			"failed to set locations for the CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-
-	if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
+	if (!irc_initialize_ca (ctx, &error))
 	{
-		error_set (&error, "%s: %s",
-			"couldn't load the default CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-	return true;
+		if (verify)
+		{
+			error_propagate (e, error);
+			return false;
+		}
 
-ca_error:
-	if (verify)
-	{
-		error_propagate (e, error);
-		return false;
+		// Only inform the user if we're not actually verifying
+		print_warning ("%s", error->message);
+		error_free (error);
 	}
-
-	// Only inform the user if we're not actually verifying
-	print_warning ("%s", error->message);
-	error_free (error);
 	return true;
 }
author	Přemysl Janouch <p.janouch@gmail.com>	2016-02-19 23:46:44 +0100
committer	Přemysl Janouch <p.janouch@gmail.com>	2016-02-19 23:46:44 +0100
commit	056e0a476561aafc428029cbd646bfbe17735088 (patch)
tree	b66e210295c8799f1bc9c136a25634c37ec1c7d2
parent	798ed73a8c2c4cda2f9ac9bba14ed230e81ee585 (diff)
download	xK-056e0a476561aafc428029cbd646bfbe17735088.tar.gz xK-056e0a476561aafc428029cbd646bfbe17735088.tar.xz xK-056e0a476561aafc428029cbd646bfbe17735088.zip