author | Omar Polo <op@omarpolo.com> | 2023-06-12 21:27:24 +0000 |
committer | Omar Polo <op@omarpolo.com> | 2023-06-12 21:27:24 +0000 |
commit | 2cef5cf42a98f8b9c8c4f1a4d4da40b389de770a (patch) | |
tree | b6b03671062692434a9d0d6bb1f2b9756b5f4bb0 | |
parent | 89cfcb456921ed65a812b6e960de390553ac0ae5 (diff) |
load_ca: get a buffer instead of a fd
We dup(1) the ca fd and send it to various processes, so they fail
loading it. Instead, use load_file to get a buffer with the file
content and pass that to load_ca which then loads via BIO.
-rw-r--r-- | config.c | 13 | ||||
-rw-r--r-- | gmid.h | 2 | ||||
-rw-r--r-- | utils.c | 29 |
3 files changed, 29 insertions, 15 deletions
@@ -549,7 +549,8 @@ config_recv(struct conf *conf, struct imsg *imsg)
 	struct envlist *env;
 	struct alist *alias;
 	struct proxy *proxy;
-	size_t datalen;
+	uint8_t *d;
+	size_t len, datalen;
 	datalen = IMSG_DATA_SIZE(imsg);
@@ -672,9 +673,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		memcpy(loc, imsg->data, datalen);
 		if (imsg->fd != -1) {
-			loc->reqca = load_ca(imsg->fd);
+			if (load_file(imsg->fd, &d, &len) == -1)
+				fatal("load_file");
+			loc->reqca = load_ca(d, len);
 			if (loc->reqca == NULL)
 				fatalx("failed to load CA");
+			free(d);
 		}
 		TAILQ_INSERT_TAIL(&h->locations, loc, locations);
@@ -707,9 +711,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		memcpy(proxy, imsg->data, datalen);
 		if (imsg->fd != -1) {
-			proxy->reqca = load_ca(imsg->fd);
+			if (load_file(imsg->fd, &d, &len) == -1)
+				fatal("load_file");
+			proxy->reqca = load_ca(d, len);
 			if (proxy->reqca == NULL)
 				fatal("failed to load CA");
+			free(d);
 		}
 		TAILQ_INSERT_TAIL(&h->proxies, proxy, proxies);
@@ -449,7 +449,7 @@ char *absolutify_path(const char*);
 char *xstrdup(const char*);
 void *xcalloc(size_t, size_t);
 void gen_certificate(const char*, const char*, const char*);
-X509_STORE *load_ca(int);
+X509_STORE *load_ca(uint8_t *, size_t);
 int validate_against_ca(X509_STORE*, const uint8_t*, size_t);
 void ssl_error(const char *);
 char *ssl_pubkey_hash(const uint8_t *, size_t);
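Review bot: The descriptor's ownership is no longer visible in the receiving code: the old load_ca(int) closed imsg->fd on every path (close()/fclose()), while the new lines hand it to load_file() and never close it, so unless load_file() closes the fd itself — its body is not in this diff, so that has to be confirmed — every received location or proxy CA leaks one descriptor in the process that receives it. If load_file() leaves it open, add `close(imsg->fd);` next to the `free(d);` line in both the @@ -672 and @@ -707 hunks (the fatal()/fatalx() paths exit, so they need nothing). The two hunks are now five identical lines each; a small static helper that takes the fd and returns the X509_STORE would keep the close and free in one place. config_recv's body starts and ends outside the hunk.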
@@ -180,41 +180,48 @@ gen_certificate(const char *hostname, const char *certpath, const char *keypath)
 }
 X509_STORE *
-load_ca(int fd)
+load_ca(uint8_t *d, size_t len)
 {
-	FILE *f = NULL;
+	BIO *in;
 	X509 *x = NULL;
 	X509_STORE *store;
 	if ((store = X509_STORE_new()) == NULL) {
-		close(fd);
+		log_warnx("%s: X509_STORE_new failed", __func__);
 		return NULL;
 	}
-	if ((f = fdopen(fd, "r")) == NULL) {
-		close(fd);
+	if ((in = BIO_new_mem_buf(d, len)) == NULL) {
+		log_warnx("%s: BIO_new_mem_buf failed", __func__);
 		goto err;
 	}
-	if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
+	if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
+		log_warnx("%s: PEM_read_bio_X509 failed", __func__);
+		ssl_error("PEM_read_bio_X509");
 		goto err;
+	}
-	if (X509_check_ca(x) == 0)
+	if (X509_check_ca(x) == 0) {
+		ssl_error("X509_check_ca");
 		goto err;
+	}
-	if (!X509_STORE_add_cert(store, x))
+	if (!X509_STORE_add_cert(store, x)) {
+		ssl_error("X509_STORE_add_cert");
 		goto err;
+	}
 	X509_free(x);
-	fclose(f);
+	BIO_free(in);
 	return store;
 err:
 	X509_STORE_free(store);
 	if (x != NULL)
 		X509_free(x);
-	if (f != NULL)
-		fclose(f);
+	if (in != NULL)
+		BIO_free(in);
 	return NULL;
 }
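Review bot: `BIO_new_mem_buf(d, len)` takes an int length, so the size_t len introduced by the new signature is narrowed implicitly; a buffer larger than INT_MAX turns negative, and OpenSSL treats a negative length as "NUL-terminated, measure with strlen()", which reads past a buffer that load_file() does not necessarily terminate. Reject oversize input before the call, `if (len > INT_MAX) { log_warnx("%s: CA file too large", __func__); goto err; }` (INT_MAX from <limits.h>), and because that goto would precede the assignment, restore the initializer the old `FILE *f = NULL;` had: `BIO *in = NULL;` — as written, `if (in != NULL)` in the err block is only safe while every goto err happens after `in` is assigned. Since the buffer is only read, the parameter and the gmid.h prototype could be `const uint8_t *d`. X509_check_ca() returning 0 is a verdict ("not a CA"), not a library failure, so the error queue that ssl_error("X509_check_ca") prints is likely empty; a `log_warnx("%s: certificate is not a CA", __func__)` on that branch tells the operator what was wrong.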