mirror of https://github.com/omar-polo/gmid.git
load_ca: get a buffer instead of a fd
We dup(1) the ca fd and send it to various processes, so they fail loading it. Instead, use load_file to get a buffer with the file content and pass that to load_ca which then loads via BIO.
This commit is contained in:
parent
89cfcb4569
commit
2cef5cf42a
13
config.c
13
config.c
|
@ -549,7 +549,8 @@ config_recv(struct conf *conf, struct imsg *imsg)
|
|||
struct envlist *env;
|
||||
struct alist *alias;
|
||||
struct proxy *proxy;
|
||||
size_t datalen;
|
||||
uint8_t *d;
|
||||
size_t len, datalen;
|
||||
|
||||
datalen = IMSG_DATA_SIZE(imsg);
|
||||
|
||||
|
@ -672,9 +673,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
|
|||
memcpy(loc, imsg->data, datalen);
|
||||
|
||||
if (imsg->fd != -1) {
|
||||
loc->reqca = load_ca(imsg->fd);
|
||||
if (load_file(imsg->fd, &d, &len) == -1)
|
||||
fatal("load_file");
|
||||
loc->reqca = load_ca(d, len);
|
||||
if (loc->reqca == NULL)
|
||||
fatalx("failed to load CA");
|
||||
free(d);
|
||||
}
|
||||
|
||||
TAILQ_INSERT_TAIL(&h->locations, loc, locations);
|
||||
|
@ -707,9 +711,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
|
|||
memcpy(proxy, imsg->data, datalen);
|
||||
|
||||
if (imsg->fd != -1) {
|
||||
proxy->reqca = load_ca(imsg->fd);
|
||||
if (load_file(imsg->fd, &d, &len) == -1)
|
||||
fatal("load_file");
|
||||
proxy->reqca = load_ca(d, len);
|
||||
if (proxy->reqca == NULL)
|
||||
fatal("failed to load CA");
|
||||
free(d);
|
||||
}
|
||||
|
||||
TAILQ_INSERT_TAIL(&h->proxies, proxy, proxies);
|
||||
|
|
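Review bot: Nothing in the new code closes imsg->fd once load_file has read it, whereas the old load_ca(int) owned the descriptor and closed it on every path (fclose on success, close on error). Unless load_file itself closes the descriptor it is handed — its body is not visible here, so this needs confirming — each location or proxy carrying a CA now leaks one fd per config receive, in both the hunk at line 673 and the one at line 711. If load_file does not close it, add `close(imsg->fd);` right after the `load_file` call in both places. A smaller inconsistency between the two hunks: the location branch reports a NULL store with `fatalx("failed to load CA")` while the proxy branch uses `fatal("failed to load CA")`; if fatal appends strerror(errno) like err(3), fatalx is the right one here since load_ca fails on OpenSSL errors rather than errno. config_recv begins and ends outside these hunks.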
2
gmid.h
2
gmid.h
|
@ -449,7 +449,7 @@ char *absolutify_path(const char*);
|
|||
char *xstrdup(const char*);
|
||||
void *xcalloc(size_t, size_t);
|
||||
void gen_certificate(const char*, const char*, const char*);
|
||||
X509_STORE *load_ca(int);
|
||||
X509_STORE *load_ca(uint8_t *, size_t);
|
||||
int validate_against_ca(X509_STORE*, const uint8_t*, size_t);
|
||||
void ssl_error(const char *);
|
||||
char *ssl_pubkey_hash(const uint8_t *, size_t);
|
||||
|
|
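Review bot: The new prototype takes a non-const buffer, `X509_STORE *load_ca(uint8_t *, size_t);`, but the implementation in utils.c only hands the memory to BIO_new_mem_buf, which takes a `const void *` and never writes through it. Declaring it `X509_STORE *load_ca(const uint8_t *, size_t);` (and matching the definition in utils.c, `load_ca(const uint8_t *d, size_t len)`) documents that the caller's buffer is untouched and lets callers pass const data without a cast. This is a const-correctness point only; behaviour is unchanged.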
29
utils.c
29
utils.c
|
@ -180,41 +180,48 @@ gen_certificate(const char *hostname, const char *certpath, const char *keypath)
|
|||
}
|
||||
|
||||
X509_STORE *
|
||||
load_ca(int fd)
|
||||
load_ca(uint8_t *d, size_t len)
|
||||
{
|
||||
FILE *f = NULL;
|
||||
BIO *in;
|
||||
X509 *x = NULL;
|
||||
X509_STORE *store;
|
||||
|
||||
if ((store = X509_STORE_new()) == NULL) {
|
||||
close(fd);
|
||||
log_warnx("%s: X509_STORE_new failed", __func__);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if ((f = fdopen(fd, "r")) == NULL) {
|
||||
close(fd);
|
||||
if ((in = BIO_new_mem_buf(d, len)) == NULL) {
|
||||
log_warnx("%s: BIO_new_mem_buf failed", __func__);
|
||||
goto err;
|
||||
}
|
||||
|
||||
if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
|
||||
if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
|
||||
log_warnx("%s: PEM_read_bio_X509 failed", __func__);
|
||||
ssl_error("PEM_read_bio_X509");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (X509_check_ca(x) == 0)
|
||||
if (X509_check_ca(x) == 0) {
|
||||
ssl_error("X509_check_ca");
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (!X509_STORE_add_cert(store, x))
|
||||
if (!X509_STORE_add_cert(store, x)) {
|
||||
ssl_error("X509_STORE_add_cert");
|
||||
goto err;
|
||||
}
|
||||
|
||||
X509_free(x);
|
||||
fclose(f);
|
||||
BIO_free(in);
|
||||
return store;
|
||||
|
||||
err:
|
||||
X509_STORE_free(store);
|
||||
if (x != NULL)
|
||||
X509_free(x);
|
||||
if (f != NULL)
|
||||
fclose(f);
|
||||
if (in != NULL)
|
||||
BIO_free(in);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
|
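Review bot: `BIO_new_mem_buf(d, len)` in the new load_ca passes a size_t where OpenSSL's BIO_new_mem_buf takes an `int`; the implicit narrowing can turn a length above INT_MAX into a negative value, which OpenSSL interprets as "use strlen(buf)" and so reads past the intended bounds of a buffer that is not NUL-terminated. A CA file that large is unlikely, but the conversion deserves an explicit guard before the call, `if (len > INT_MAX) { log_warnx("%s: CA file too large", __func__); goto err; }` (INT_MAX from <limits.h>). That guard jumps to err before `in` is assigned, so the declaration on the same hunk should become `BIO *in = NULL;` — today the `if (in != NULL) BIO_free(in);` in the err path only works because every existing goto happens after the assignment, which is a latent hazard on its own. The function is complete within this hunk.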