diff options
Diffstat (limited to 'kike.c')
-rw-r--r-- | kike.c | 92 |
1 files changed, 48 insertions, 44 deletions
@@ -2736,32 +2736,9 @@ irc_ssl_verify_callback (int verify_ok, X509_STORE_CTX *ctx) } static bool -irc_initialize_ssl (struct server_context *ctx, struct error **e) +irc_initialize_ssl_ctx (struct server_context *ctx, + const char *cert_path, const char *key_path, struct error **e) { - const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert"); - const char *ssl_key = str_map_find (&ctx->config, "ssl_key"); - - // Only try to enable SSL support if the user configures it; it is not - // a failure if no one has requested it. - if (!ssl_cert && !ssl_key) - return true; - - if (!ssl_cert) - error_set (e, "no SSL certificate set"); - else if (!ssl_key) - error_set (e, "no SSL private key set"); - if (!ssl_cert || !ssl_key) - return false; - - char *cert_path = resolve_config_filename (ssl_cert); - char *key_path = resolve_config_filename (ssl_key); - if (!cert_path) - error_set (e, "%s: %s", "cannot open file", ssl_cert); - else if (!key_path) - error_set (e, "%s: %s", "cannot open file", ssl_key); - if (!cert_path || !key_path) - return false; - ctx->ssl_ctx = SSL_CTX_new (SSLv23_server_method ()); if (!ctx->ssl_ctx) { @@ -2769,7 +2746,7 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e) // multiple errors on the OpenSSL stack. error_set (e, "%s: %s", "could not initialize SSL", ERR_error_string (ERR_get_error (), NULL)); - goto error_ssl_1; + return false; } SSL_CTX_set_verify (ctx->ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, irc_ssl_verify_callback); @@ -2780,37 +2757,64 @@ irc_initialize_ssl (struct server_context *ctx, struct error **e) (void) SSL_CTX_set_session_id_context (ctx->ssl_ctx, session_id_context, sizeof session_id_context); + // Gah, spare me your awkward semantics, I just want to push data! + // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not. + SSL_CTX_set_mode (ctx->ssl_ctx, + SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); + // XXX: perhaps we should read the files ourselves for better messages if (!SSL_CTX_use_certificate_chain_file (ctx->ssl_ctx, cert_path)) - { error_set (e, "%s: %s", "setting the SSL client certificate failed", ERR_error_string (ERR_get_error (), NULL)); - goto error_ssl_2; - } - if (!SSL_CTX_use_PrivateKey_file (ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM)) - { + else if (!SSL_CTX_use_PrivateKey_file + (ctx->ssl_ctx, key_path, SSL_FILETYPE_PEM)) error_set (e, "%s: %s", "setting the SSL private key failed", ERR_error_string (ERR_get_error (), NULL)); - goto error_ssl_2; - } - - // TODO: SSL_CTX_check_private_key()? It has probably already been checked - // by SSL_CTX_use_PrivateKey_file() above. - - // Gah, spare me your awkward semantics, I just want to push data! - // XXX: do we want SSL_MODE_AUTO_RETRY as well? I guess not. - SSL_CTX_set_mode (ctx->ssl_ctx, - SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_ENABLE_PARTIAL_WRITE); - return true; + else + // TODO: SSL_CTX_check_private_key()? It has probably already been + // checked by SSL_CTX_use_PrivateKey_file() above. + return true; -error_ssl_2: SSL_CTX_free (ctx->ssl_ctx); ctx->ssl_ctx = NULL; -error_ssl_1: return false; } static bool +irc_initialize_ssl (struct server_context *ctx, struct error **e) +{ + const char *ssl_cert = str_map_find (&ctx->config, "ssl_cert"); + const char *ssl_key = str_map_find (&ctx->config, "ssl_key"); + + // Only try to enable SSL support if the user configures it; it is not + // a failure if no one has requested it. + if (!ssl_cert && !ssl_key) + return true; + + if (!ssl_cert) + error_set (e, "no SSL certificate set"); + else if (!ssl_key) + error_set (e, "no SSL private key set"); + if (!ssl_cert || !ssl_key) + return false; + + bool result = false; + + char *cert_path = resolve_config_filename (ssl_cert); + char *key_path = resolve_config_filename (ssl_key); + if (!cert_path) + error_set (e, "%s: %s", "cannot open file", ssl_cert); + else if (!key_path) + error_set (e, "%s: %s", "cannot open file", ssl_key); + else + result = irc_initialize_ssl_ctx (ctx, cert_path, key_path, e); + + free (cert_path); + free (key_path); + return result; +} + +static bool irc_initialize_catalog (struct server_context *ctx, struct error **e) { hard_assert (ctx->catalog == (nl_catd) -1); |