From 056e0a476561aafc428029cbd646bfbe17735088 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C5=99emysl=20Janouch?= <p.janouch@gmail.com>
Date: Fri, 19 Feb 2016 23:46:44 +0100
Subject: Resolve tls_ca_{file,path} relative to config dir

---
 degesch.c | 86 +++++++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 54 insertions(+), 32 deletions(-)

(limited to 'degesch.c')

diff --git a/degesch.c b/degesch.c
index cdbc473..912a489 100644
--- a/degesch.c
+++ b/degesch.c
@@ -4470,6 +4470,51 @@ transport_tls_verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
 	return preverify_ok;
 }
 
+static bool
+transport_tls_init_ca_set (SSL_CTX *ssl_ctx, const char *file, const char *path,
+	struct error **e)
+{
+	ERR_clear_error ();
+
+	if (file || path)
+	{
+		if (SSL_CTX_load_verify_locations (ssl_ctx, file, path))
+			return true;
+
+		FAIL ("%s: %s", "Failed to set locations for the CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	}
+
+	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
+		FAIL ("%s: %s", "Couldn't load the default CA certificate bundle",
+			ERR_reason_error_string (ERR_get_error ()));
+	return true;
+}
+
+static bool
+transport_tls_init_ca (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
+{
+	const char *ca_file = get_config_string (s->config, "tls_ca_file");
+	const char *ca_path = get_config_string (s->config, "tls_ca_path");
+
+	char *full_ca_file = ca_file
+		? resolve_filename (ca_file, resolve_relative_config_filename) : NULL;
+	char *full_ca_path = ca_path
+		? resolve_filename (ca_path, resolve_relative_config_filename) : NULL;
+
+	bool ok = false;
+	if      (ca_file && !full_ca_file)
+		error_set (e, "Couldn't find the CA bundle file");
+	else if (ca_path && !full_ca_path)
+		error_set (e, "Couldn't find the CA bundle path");
+	else
+		ok = transport_tls_init_ca_set (ssl_ctx, full_ca_file, full_ca_path, e);
+
+	free (full_ca_file);
+	free (full_ca_path);
+	return ok;
+}
+
 static bool
 transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 {
@@ -4499,42 +4544,19 @@ transport_tls_init_ctx (struct server *s, SSL_CTX *ssl_ctx, struct error **e)
 	SSL_CTX_set_options (ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif // SSL_OP_NO_COMPRESSION
 
-	const char *ca_file = get_config_string (s->config, "tls_ca_file");
-	const char *ca_path = get_config_string (s->config, "tls_ca_path");
-
-	ERR_clear_error ();
-
 	struct error *error = NULL;
-	if (ca_file || ca_path)
+	if (!transport_tls_init_ca (s, ssl_ctx, &error))
 	{
-		if (SSL_CTX_load_verify_locations (ssl_ctx, ca_file, ca_path))
-			return true;
-
-		error_set (&error, "%s: %s",
-			"Failed to set locations for the CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-
-	if (!SSL_CTX_set_default_verify_paths (ssl_ctx))
-	{
-		error_set (&error, "%s: %s",
-			"Couldn't load the default CA certificate bundle",
-			ERR_reason_error_string (ERR_get_error ()));
-		goto ca_error;
-	}
-	return true;
+		if (verify)
+		{
+			error_propagate (e, error);
+			return false;
+		}
 
-ca_error:
-	if (verify)
-	{
-		error_propagate (e, error);
-		return false;
+		// Only inform the user if we're not actually verifying
+		log_server_error (s, s->buffer, "#s", error->message);
+		error_free (error);
 	}
-
-	// Only inform the user if we're not actually verifying
-	log_server_error (s, s->buffer, "#s", error->message);
-	error_free (error);
 	return true;
 }
 
-- 
cgit v1.2.3