author | Přemysl Janouch <p.janouch@gmail.com> | 2016-02-19 23:46:44 +0100 |
committer | Přemysl Janouch <p.janouch@gmail.com> | 2016-02-19 23:46:44 +0100 |
commit | 056e0a476561aafc428029cbd646bfbe17735088 (patch) | |
tree | b66e210295c8799f1bc9c136a25634c37ec1c7d2 | |
parent | 798ed73a8c2c4cda2f9ac9bba14ed230e81ee585 (diff) | |
Resolve tls_ca_{file,path} relative to config dir
-rw-r--r-- | degesch.c | 86 | ||||
-rw-r--r-- | zyklonb.c | 86 |
2 files changed, 109 insertions, 63 deletions
@@ -4471,6 +4471,51 @@ transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 }
 static bool
+transport_tls_init_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+ struct error **e)
+{
+ ERR_clear_error ();
+
+ if (file || path)
+ {
+ if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+ return true;
+
+ FAIL ("%s: %s", "Failed to set locations for the CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ }
+
+ if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+ FAIL ("%s: %s", "Couldn't load the default CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ return true;
+}
+
+static bool
+transport_tls_init_ca (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
+{
+ const char *ca_file = get_config_string (s->config, "tls_ca_file");
+ const char *ca_path = get_config_string (s->config, "tls_ca_path");
+
+ char *full_ca_file = ca_file
+ ? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+ char *full_ca_path = ca_path
+ ? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+ bool ok = false;
+ if (ca_file && !full_ca_file)
+ error_set (e, "Couldn't find the CA bundle file");
+ else if (ca_path && !full_ca_path)
+ error_set (e, "Couldn't find the CA bundle path");
+ else
+ ok = transport_tls_init_ca_set (ssl_ctx, full_ca_file, full_ca_path, e);
+
+ free (full_ca_file);
+ free (full_ca_path);
+ return ok;
+}
+
+static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
 bool verify = get_config_boolean (s->config, "tls_verify");
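Review bot: The two `error_set` calls in `transport_tls_init_ca` say only that the CA bundle file or path could not be found, and because the name is now resolved against the configuration directory the user cannot see which effective path was tried; include the configured value, e.g. `error_set (e, "Couldn't find the CA bundle file: %s", ca_file);` and likewise `"Couldn't find the CA bundle path: %s", ca_path` in the second branch. The same applies to `irc_initialize_ca` in the zyklonb.c hunk, which is otherwise a line-for-line copy differing only in identifiers and message capitalisation, so the two are likely to drift; if both programs already include a shared header, one implementation there would remove the duplication. Neither helper documents its contract; a line above `transport_tls_init_ca` such as `// Load the CA trust store named by tls_ca_file/tls_ca_path (resolved against the config directory), or OpenSSL's defaults when neither is set; on failure sets *e and returns false` would state what callers can rely on. `transport_tls_init_ca_set` reaches its `e` parameter only through the `FAIL` macro, which is worth keeping in mind if that parameter is ever renamed. The trailing context lines belong to `transport_tls_init_ctx`, whose body continues outside the hunk.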
@@ -4499,42 +4544,19 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif // SSL_OP_NO_COMPRESSION
- const char *ca_file = get_config_string (s->config, "tls_ca_file");
- const char *ca_path = get_config_string (s->config, "tls_ca_path");
-
- ERR_clear_error ();
- struct error *error = NULL;
- if (ca_file || ca_path)
+ if (!transport_tls_init_ca (s, ssl_ctx, &error))
 {
- if (SSL_CTX_load_verify_locations (ssl_ctx, ca_file, ca_path))
- return true;
-
- error_set (&error, "%s: %s",
- "Failed to set locations for the CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
-
- if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
- {
- error_set (&error, "%s: %s",
- "Couldn't load the default CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
- return true;
+ if (verify)
+ {
+ error_propagate (e, error);
+ return false;
+ }
-ca_error:
- if (verify)
- {
- error_propagate (e, error);
- return false;
+ // Only inform the user if we're not actually verifying
+ log_server_error (s, s->buffer, "#s", error->message);
+ error_free (error);
 }
-
- // Only inform the user if we're not actually verifying
- log_server_error (s, s->buffer, "#s", error->message);
- error_free (error);
 return true;
 }
@@ -1,7 +1,7 @@
 /*
 * zyklonb.c: the experimental IRC bot
 *
- * Copyright (c) 2014 - 2015, Přemysl Janouch <p.janouch@gmail.com>
+ * Copyright (c) 2014 - 2016, Přemysl Janouch <p.janouch@gmail.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -315,6 +315,51 @@ irc_get_boolean_from_config
 }
 static bool
+irc_initialize_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+ struct error **e)
+{
+ ERR_clear_error ();
+
+ if (file || path)
+ {
+ if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+ return true;
+
+ FAIL ("%s: %s", "failed to set locations for the CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ }
+
+ if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+ FAIL ("%s: %s", "couldn't load the default CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ return true;
+}
+
+static bool
+irc_initialize_ca (struct bot_context *ctx, struct error **e)
+{
+ const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
+ const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
+
+ char *full_file = ca_file
+ ? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+ char *full_path = ca_path
+ ? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+ bool ok = false;
+ if (ca_file && !full_file)
+ error_set (e, "couldn't find the CA bundle file");
+ else if (ca_path && !full_path)
+ error_set (e, "couldn't find the CA bundle path");
+ else
+ ok = irc_initialize_ca_set (ctx->ssl_ctx, full_file, full_path, e);
+
+ free (full_file);
+ free (full_path);
+ return ok;
+}
+
+static bool
 irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 {
 // Disable deprecated protocols (see RFC 7568)
@@ -326,40 +371,19 @@ irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
 SSL_CTX_set_verify (ctx->ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
- const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
- const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
- struct error *error = NULL;
- if (ca_file || ca_path)
- {
- if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, ca_file, ca_path))
- return true;
-
- error_set (&error, "%s: %s",
- "failed to set locations for the CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
-
- if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
+ if (!irc_initialize_ca (ctx, &error))
 {
- error_set (&error, "%s: %s",
- "couldn't load the default CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
- return true;
+ if (verify)
+ {
+ error_propagate (e, error);
+ return false;
+ }
-ca_error:
- if (verify)
- {
- error_propagate (e, error);
- return false;
+ // Only inform the user if we're not actually verifying
+ print_warning ("%s", error->message);
+ error_free (error);
 }
-
- // Only inform the user if we're not actually verifying
- print_warning ("%s", error->message);
- error_free (error);
 return true;
 }