load_ca: get a buffer instead of a fd

We dup(1) the ca fd and send it to various processes, so they fail loading it. Instead, use load_file to get a buffer with the file content and pass that to load_ca which then loads via BIO.
2023-06-12 21:27:24 +00:00 · 2023-06-12 21:27:24 +00:00 · 2cef5cf42a
parent 89cfcb4569
commit 2cef5cf42a
3 changed files with 29 additions and 15 deletions
--- a/config.c
+++ b/config.c
@ -549,7 +549,8 @@ config_recv(struct conf *conf, struct imsg *imsg)
 	struct envlist	*env;
 	struct alist	*alias;
 	struct proxy	*proxy;
-	size_t		 datalen;
+	uint8_t		*d;
+	size_t		 len, datalen;

 	datalen = IMSG_DATA_SIZE(imsg);

@ -672,9 +673,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		memcpy(loc, imsg->data, datalen);

 		if (imsg->fd != -1) {
-			loc->reqca = load_ca(imsg->fd);
+			if (load_file(imsg->fd, &d, &len) == -1)
+				fatal("load_file");
+			loc->reqca = load_ca(d, len);
 			if (loc->reqca == NULL)
 				fatalx("failed to load CA");
+			free(d);
 		}

 		TAILQ_INSERT_TAIL(&h->locations, loc, locations);
@ -707,9 +711,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		memcpy(proxy, imsg->data, datalen);

 		if (imsg->fd != -1) {
-			proxy->reqca = load_ca(imsg->fd);
+			if (load_file(imsg->fd, &d, &len) == -1)
+				fatal("load_file");
+			proxy->reqca = load_ca(d, len);
 			if (proxy->reqca == NULL)
 				fatal("failed to load CA");
+			free(d);
 		}

 		TAILQ_INSERT_TAIL(&h->proxies, proxy, proxies);
--- a/gmid.h
+++ b/gmid.h
@ -449,7 +449,7 @@ char		*absolutify_path(const char*);
 char		*xstrdup(const char*);
 void		*xcalloc(size_t, size_t);
 void		 gen_certificate(const char*, const char*, const char*);
-X509_STORE	*load_ca(int);
+X509_STORE	*load_ca(uint8_t *, size_t);
 int		 validate_against_ca(X509_STORE*, const uint8_t*, size_t);
 void		 ssl_error(const char *);
 char		*ssl_pubkey_hash(const uint8_t *, size_t);
--- a/utils.c
+++ b/utils.c
@ -180,41 +180,48 @@ gen_certificate(const char *hostname, const char *certpath, const char *keypath)
 }

 X509_STORE *
-load_ca(int fd)
+load_ca(uint8_t *d, size_t len)
 {
-	FILE		*f = NULL;
+	BIO		*in;
 	X509		*x = NULL;
 	X509_STORE	*store;

 	if ((store = X509_STORE_new()) == NULL) {
-		close(fd);
+		log_warnx("%s: X509_STORE_new failed", __func__);
 		return NULL;
 	}

-	if ((f = fdopen(fd, "r")) == NULL) {
-		close(fd);
+	if ((in = BIO_new_mem_buf(d, len)) == NULL) {
+		log_warnx("%s: BIO_new_mem_buf failed", __func__);
 		goto err;
 	}

-	if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
+	if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
+		log_warnx("%s: PEM_read_bio_X509 failed", __func__);
+		ssl_error("PEM_read_bio_X509");
 		goto err;
+	}

-	if (X509_check_ca(x) == 0)
+	if (X509_check_ca(x) == 0) {
+		ssl_error("X509_check_ca");
 		goto err;
+	}

-	if (!X509_STORE_add_cert(store, x))
+	if (!X509_STORE_add_cert(store, x)) {
+		ssl_error("X509_STORE_add_cert");
 		goto err;
+	}

 	X509_free(x);
-	fclose(f);
+	BIO_free(in);
 	return store;

 err:
 	X509_STORE_free(store);
 	if (x != NULL)
 		X509_free(x);
-	if (f != NULL)
-		fclose(f);
+	if (in != NULL)
+		BIO_free(in);
 	return NULL;
 }