authorPřemysl Janouch <p.janouch@gmail.com>2016-02-19 23:46:44 +0100
committerPřemysl Janouch <p.janouch@gmail.com>2016-02-19 23:46:44 +0100
commit056e0a476561aafc428029cbd646bfbe17735088 (patch)
treeb66e210295c8799f1bc9c136a25634c37ec1c7d2
parent798ed73a8c2c4cda2f9ac9bba14ed230e81ee585 (diff)
Resolve tls_ca_{file,path} relative to config dir
-rw-r--r--degesch.c86
-rw-r--r--zyklonb.c86
2 files changed, 109 insertions, 63 deletions
diff --git a/degesch.c b/degesch.c
index cdbc473..912a489 100644
--- a/degesch.c
+++ b/degesch.c
@@ -4471,6 +4471,51 @@ transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
}
static bool
+transport_tls_init_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+ struct error **e)
+{
+ ERR_clear_error ();
+
+ if (file || path)
+ {
+ if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+ return true;
+
+ FAIL ("%s: %s", "Failed to set locations for the CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ }
+
+ if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+ FAIL ("%s: %s", "Couldn't load the default CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ return true;
+}
+
+static bool
+transport_tls_init_ca (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
+{
+ const char *ca_file = get_config_string (s->config, "tls_ca_file");
+ const char *ca_path = get_config_string (s->config, "tls_ca_path");
+
+ char *full_ca_file = ca_file
+ ? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+ char *full_ca_path = ca_path
+ ? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+ bool ok = false;
+ if (ca_file && !full_ca_file)
+ error_set (e, "Couldn't find the CA bundle file");
+ else if (ca_path && !full_ca_path)
+ error_set (e, "Couldn't find the CA bundle path");
+ else
+ ok = transport_tls_init_ca_set (ssl_ctx, full_ca_file, full_ca_path, e);
+
+ free (full_ca_file);
+ free (full_ca_path);
+ return ok;
+}
+
+static bool
transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
{
bool verify = get_config_boolean (s->config, "tls_verify");
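Review bot: Both FAIL calls in transport_tls_init_ca_set pass `ERR_reason_error_string (ERR_get_error ())` straight to a `%s` conversion, and that call returns NULL whenever the OpenSSL error queue is empty for the failure in question; formatting NULL with `%s` is undefined behaviour (glibc happens to print "(null)", other libcs may crash), so the diagnostic path itself can take the client down. Capturing it first, `const char *reason = ERR_reason_error_string (ERR_get_error ());`, and formatting `reason ? reason : "unknown error"` keeps the error report safe at both sites. Separately, transport_tls_init_ca runs the `tls_ca_path` directory through the same `resolve_filename (…, resolve_relative_config_filename)` as the bundle file; if that helper only accepts regular files (its definition is not in this diff), a perfectly valid CA directory would be rejected as "Couldn't find the CA bundle path", which is worth confirming before relying on the path option.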
@@ -4499,42 +4544,19 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
#endif // SSL_OP_NO_COMPRESSION
- const char *ca_file = get_config_string (s->config, "tls_ca_file");
- const char *ca_path = get_config_string (s->config, "tls_ca_path");
-
- ERR_clear_error ();
-
struct error *error = NULL;
- if (ca_file || ca_path)
+ if (!transport_tls_init_ca (s, ssl_ctx, &error))
{
- if (SSL_CTX_load_verify_locations (ssl_ctx, ca_file, ca_path))
- return true;
-
- error_set (&error, "%s: %s",
- "Failed to set locations for the CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
-
- if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
- {
- error_set (&error, "%s: %s",
- "Couldn't load the default CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
- return true;
+ if (verify)
+ {
+ error_propagate (e, error);
+ return false;
+ }
-ca_error:
- if (verify)
- {
- error_propagate (e, error);
- return false;
+ // Only inform the user if we're not actually verifying
+ log_server_error (s, s->buffer, "#s", error->message);
+ error_free (error);
}
-
- // Only inform the user if we're not actually verifying
- log_server_error (s, s->buffer, "#s", error->message);
- error_free (error);
return true;
}
diff --git a/zyklonb.c b/zyklonb.c
index 4a04757..cd40254 100644
--- a/zyklonb.c
+++ b/zyklonb.c
@@ -1,7 +1,7 @@
/*
* zyklonb.c: the experimental IRC bot
*
- * Copyright (c) 2014 - 2015, Přemysl Janouch <p.janouch@gmail.com>
+ * Copyright (c) 2014 - 2016, Přemysl Janouch <p.janouch@gmail.com>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -315,6 +315,51 @@ irc_get_boolean_from_config
}
static bool
+irc_initialize_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+ struct error **e)
+{
+ ERR_clear_error ();
+
+ if (file || path)
+ {
+ if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+ return true;
+
+ FAIL ("%s: %s", "failed to set locations for the CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ }
+
+ if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+ FAIL ("%s: %s", "couldn't load the default CA certificate bundle",
+ ERR_reason_error_string (ERR_get_error ()));
+ return true;
+}
+
+static bool
+irc_initialize_ca (struct bot_context *ctx, struct error **e)
+{
+ const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
+ const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
+
+ char *full_file = ca_file
+ ? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+ char *full_path = ca_path
+ ? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+ bool ok = false;
+ if (ca_file && !full_file)
+ error_set (e, "couldn't find the CA bundle file");
+ else if (ca_path && !full_path)
+ error_set (e, "couldn't find the CA bundle path");
+ else
+ ok = irc_initialize_ca_set (ctx->ssl_ctx, full_file, full_path, e);
+
+ free (full_file);
+ free (full_path);
+ return ok;
+}
+
+static bool
irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
{
// Disable deprecated protocols (see RFC 7568)
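Review bot: irc_initialize_ca_set formats the result of `ERR_reason_error_string (ERR_get_error ())` with `%s` in both FAIL calls, but that function yields NULL when no error code is queued, and a NULL argument to `%s` is undefined behaviour rather than a guaranteed "(null)". A two-line guard per site, `const char *reason = ERR_reason_error_string (ERR_get_error ());` followed by passing `reason ? reason : "unknown error"`, removes the hazard without changing the message on the normal path. As a point of style, irc_initialize_ca_set and irc_initialize_ca are line-for-line copies of the equivalent helpers added to the other client in this commit, differing only in naming and message capitalisation; since both files already share `resolve_filename` and `struct error`, hoisting the pair into that shared code would keep any future fix to the CA loading logic from having to be applied twice.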
@@ -326,40 +371,19 @@ irc_initialize_ssl_ctx (struct bot_context *ctx, struct error **e)
SSL_CTX_set_verify (ctx->ssl_ctx,
verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
- const char *ca_file = str_map_find (&ctx->config, "tls_ca_file");
- const char *ca_path = str_map_find (&ctx->config, "tls_ca_path");
-
struct error *error = NULL;
- if (ca_file || ca_path)
- {
- if (SSL_CTX_load_verify_locations (ctx->ssl_ctx, ca_file, ca_path))
- return true;
-
- error_set (&error, "%s: %s",
- "failed to set locations for the CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
-
- if (!SSL_CTX_set_default_verify_paths (ctx->ssl_ctx))
+ if (!irc_initialize_ca (ctx, &error))
{
- error_set (&error, "%s: %s",
- "couldn't load the default CA certificate bundle",
- ERR_reason_error_string (ERR_get_error ()));
- goto ca_error;
- }
- return true;
+ if (verify)
+ {
+ error_propagate (e, error);
+ return false;
+ }
-ca_error:
- if (verify)
- {
- error_propagate (e, error);
- return false;
+ // Only inform the user if we're not actually verifying
+ print_warning ("%s", error->message);
+ error_free (error);
}
-
- // Only inform the user if we're not actually verifying
- print_warning ("%s", error->message);
- error_free (error);
return true;
}