-rw-r--r--kike.c92
1 files changed, 48 insertions, 44 deletions
diff --git a/kike.c b/kike.c
index 9810e25..fd42c4f 100644
--- a/kike.c
+++ b/kike.c
@@ -2736,32 +2736,9 @@ irc_ssl_verify_callback (int verify_ok, X509_STORE_CTX *ctx)
}
static bool
-irc_initialize_ssl (struct server_context *ctx, struct error **e)
+irc_initialize_ssl_ctx (struct server_context *ctx,
+ const char *cert_path, const char *key_path, struct error **e)
{
- const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
- const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
-
- // Only try to enable SSL support if the user configures it; it is not
- // a failure if no one has requested it.
- if (!ssl_cert && !ssl_key)
- return true;
-
- if (!ssl_cert)
- error_set (e, "no SSL certificate set");
- else if (!ssl_key)
- error_set (e, "no SSL private key set");
- if (!ssl_cert || !ssl_key)
- return false;
-
- char *cert_path = resolve_config_filename (ssl_cert);
- char *key_path = resolve_config_filename (ssl_key);
- if (!cert_path)
- error_set (e, "%s: %s", "cannot open file", ssl_cert);
- else if (!key_path)
- error_set (e, "%s: %s", "cannot open file", ssl_key);
- if (!cert_path || !key_path)
- return false;
-
ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ());
if (!ctx->ssl_ctx)
{
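Review bot: The new `irc_initialize_ssl_ctx` signature carries no header comment and no precondition, while the unchanged `SSL_CTX_new` line just below overwrites `ctx->ssl_ctx` unconditionally, so a repeated call would leak the previous context; the file already uses `hard_assert` for preconditions, so I would add `hard_assert (!ctx->ssl_ctx);` as the first statement of the body. A short comment above the function would also help, along the lines of: builds `ctx->ssl_ctx` from the PEM certificate chain and private key at the given paths, the paths are borrowed (the caller frees them), and on failure `ctx->ssl_ctx` is left NULL — the last point is what the later hunks show, so keep the comment in step with them. Separately, `SSLv23_server_method()` is the legacy method name; on OpenSSL builds that still include SSLv3 it admits that protocol unless `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` are set, and nothing in this hunk sets options — I cannot see whether the rest of the function does. The function body continues outside the hunk.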
@@ -2769,7 +2746,7 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e)
// multiple errors on the OpenSSL stack.
error_set (e, "%s: %s", "could not initialize SSL",
ERR_error_string (ERR_get_error (), NULL));
- goto error_ssl_1;
+ return false;
}
SSL_CTX_set_verify (ctx->ssl_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback);
@@ -2780,37 +2757,64 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e)
(void) SSL_CTX_set_session_id_context (ctx->ssl_ctx,
session_id_context, sizeof session_id_context);
+ // Gah, spare me your awkward semantics, I just want to push data!
+ // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not.
+ SSL_CTX_set_mode (ctx->ssl_ctx,
+ SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
+
// XXX: perhaps we should read the files ourselves for better messages
if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path))
- {
error_set (e, "%s: %s", "setting the SSL client certificate failed",
ERR_error_string (ERR_get_error (), NULL));
- goto error_ssl_2;
- }
- if (!SSL_CTX_use_PrivateKey_file (ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM))
- {
+ else if (!SSL_CTX_use_PrivateKey_file
+ (ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM))
error_set (e, "%s: %s", "setting the SSL private key failed",
ERR_error_string (ERR_get_error (), NULL));
- goto error_ssl_2;
- }
-
- // TODO: SSL_CTX_check_private_key()? It has probably already been checked
- // by SSL_CTX_use_PrivateKey_file() above.
-
- // Gah, spare me your awkward semantics, I just want to push data!
- // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not.
- SSL_CTX_set_mode (ctx->ssl_ctx,
- SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE);
- return true;
+ else
+ // TODO: SSL_CTX_check_private_key()? It has probably already been
+ // checked by SSL_CTX_use_PrivateKey_file() above.
+ return true;
-error_ssl_2:
SSL_CTX_free (ctx->ssl_ctx);
ctx->ssl_ctx = NULL;
-error_ssl_1:
return false;
}
static bool
+irc_initialize_ssl (struct server_context *ctx, struct error **e)
+{
+ const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert");
+ const char *ssl_key = str_map_find (&ctx->config, "ssl_key");
+
+ // Only try to enable SSL support if the user configures it; it is not
+ // a failure if no one has requested it.
+ if (!ssl_cert && !ssl_key)
+ return true;
+
+ if (!ssl_cert)
+ error_set (e, "no SSL certificate set");
+ else if (!ssl_key)
+ error_set (e, "no SSL private key set");
+ if (!ssl_cert || !ssl_key)
+ return false;
+
+ bool result = false;
+
+ char *cert_path = resolve_config_filename (ssl_cert);
+ char *key_path = resolve_config_filename (ssl_key);
+ if (!cert_path)
+ error_set (e, "%s: %s", "cannot open file", ssl_cert);
+ else if (!key_path)
+ error_set (e, "%s: %s", "cannot open file", ssl_key);
+ else
+ result = irc_initialize_ssl_ctx (ctx, cert_path, key_path, e);
+
+ free (cert_path);
+ free (key_path);
+ return result;
+}
+
+static bool
irc_initialize_catalog (struct server_context *ctx, struct error **e)
{
hard_assert (ctx->catalog == (nl_catd) -1);