authorOmar Polo <op@omarpolo.com>2023-06-09 09:28:26 +0000
committerOmar Polo <op@omarpolo.com>2023-06-09 09:28:26 +0000
commitdeadd9e1311204415754dcfa404bec4bf3cd557c (patch)
tree107b62ebaf9f463af2b18bbcaf6ea00ee68530e8 /utils.c
parentc144b1b6f831446f82e201db1ab7fadab4cf11f0 (diff)
readd proxy certs and `require client ca' support
Was temporarily disabled during the transition to real privsep. While here, fix a memory leak when using `require client ca'. Also, avoid leaking info about the parent address space layout to server processes by not sending pointer values.
Diffstat (limited to 'utils.c')
-rw-r--r--utils.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/utils.c b/utils.c
index 794f896..9aac9df 100644
--- a/utils.c
+++ b/utils.c
@@ -177,17 +177,21 @@ gen_certificate(const char *hostname, const char *certpath, const char *keypath)
}
X509_STORE *
-load_ca(const char *path)
+load_ca(int fd)
{
FILE *f = NULL;
X509 *x = NULL;
X509_STORE *store;
- if ((store = X509_STORE_new()) == NULL)
+ if ((store = X509_STORE_new()) == NULL) {
+ close(fd);
return NULL;
+ }
- if ((f = fopen(path, "r")) == NULL)
+ if ((f = fdopen(fd, "r")) == NULL) {
+ close(fd);
goto err;
+ }
if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
goto err;
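Review bot: load_ca() now takes ownership of `fd`, closing it when X509_STORE_new() or fdopen() fails, but neither the signature nor a comment says so. A caller that also closes the descriptor after a NULL return would double-close it, and could by then be closing an unrelated descriptor that reused the number. I would add above the function `/* Takes ownership of fd: it is closed on every return path, including errors; the caller must not close it. */`. The `err:` label and the success return lie outside this hunk, so it is worth confirming that both reach `fclose(f)`; otherwise the descriptor stays open once fdopen() has succeeded.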