mirror of https://github.com/omar-polo/gmid.git
load the certs per listening address
This commit is contained in:
parent
a0a42860d2
commit
e50f85adcb
3
config.c
3
config.c
|
@ -136,6 +136,7 @@ config_purge(struct conf *conf)
|
|||
if (addr->sock != -1) {
|
||||
close(addr->sock);
|
||||
event_del(&addr->evsock);
|
||||
tls_free(addr->ctx);
|
||||
}
|
||||
free(addr);
|
||||
}
|
||||
|
@ -548,6 +549,8 @@ config_recv(struct conf *conf, struct imsg *imsg)
|
|||
addr->sock = imsg->fd;
|
||||
event_set(&addr->evsock, addr->sock, EV_READ|EV_PERSIST,
|
||||
do_accept, addr);
|
||||
if ((addr->ctx = tls_server()) == NULL)
|
||||
fatal("tls_server failure");
|
||||
TAILQ_INSERT_HEAD(&conf->addrs, addr, addrs);
|
||||
break;
|
||||
|
||||
|
|
3
ge.c
3
ge.c
|
@ -213,6 +213,9 @@ serve(struct conf *conf, const char *host, int port, const char *dir)
|
|||
event_set(&addr->evsock, addr->sock, EV_READ|EV_PERSIST,
|
||||
do_accept, addr);
|
||||
|
||||
if ((addr->ctx = tls_server()) == NULL)
|
||||
fatal("tls_server failure");
|
||||
|
||||
TAILQ_INSERT_HEAD(&conf->addrs, addr, addrs);
|
||||
|
||||
acp = xcalloc(1, sizeof(*acp));
|
||||
|
|
1
gmid.h
1
gmid.h
|
@ -119,6 +119,7 @@ struct address {
|
|||
struct conf *conf;
|
||||
int sock;
|
||||
struct event evsock; /* set if sock != -1 */
|
||||
struct tls *ctx;
|
||||
|
||||
TAILQ_ENTRY(address) addrs;
|
||||
};
|
||||
|
|
112
server.c
112
server.c
|
@ -39,8 +39,6 @@
|
|||
|
||||
int shutting_down;
|
||||
|
||||
static struct tls *ctx;
|
||||
|
||||
#ifdef SIGINFO
|
||||
static struct event siginfo;
|
||||
#endif
|
||||
|
@ -1339,7 +1337,7 @@ do_accept(int sock, short et, void *d)
|
|||
memcpy(&c->raddr, &raddr, sizeof(raddr));
|
||||
c->raddrlen = len;
|
||||
|
||||
if (tls_accept_socket(ctx, &c->ctx, fd) == -1) {
|
||||
if (tls_accept_socket(addr->ctx, &c->ctx, fd) == -1) {
|
||||
log_warnx("failed to accept socket: %s", tls_error(c->ctx));
|
||||
close(c->fd);
|
||||
free(c);
|
||||
|
@ -1367,18 +1365,39 @@ handle_siginfo(int fd, short ev, void *d)
|
|||
}
|
||||
|
||||
static void
|
||||
add_keypair(struct vhost *h, struct tls_config *conf)
|
||||
add_matching_kps(struct tls_config *tlsconf, struct address *addr,
|
||||
struct conf *conf)
|
||||
{
|
||||
if (h->ocsp == NULL) {
|
||||
if (tls_config_add_keypair_mem(conf, h->cert, h->certlen,
|
||||
h->key, h->keylen) == -1)
|
||||
fatalx("failed to load the keypair: %s",
|
||||
tls_config_error(conf));
|
||||
} else {
|
||||
if (tls_config_add_keypair_ocsp_mem(conf, h->cert, h->certlen,
|
||||
h->key, h->keylen, h->ocsp, h->ocsplen) == -1)
|
||||
fatalx("failed to load the keypair: %s",
|
||||
tls_config_error(conf));
|
||||
struct address *vaddr;
|
||||
struct vhost *h;
|
||||
int r, any = 0;
|
||||
|
||||
TAILQ_FOREACH(h, &conf->hosts, vhosts) {
|
||||
TAILQ_FOREACH(vaddr, &h->addrs, addrs) {
|
||||
if (addr->ai_flags != vaddr->ai_flags ||
|
||||
addr->ai_family != vaddr->ai_family ||
|
||||
addr->ai_socktype != vaddr->ai_socktype ||
|
||||
addr->ai_protocol != vaddr->ai_protocol ||
|
||||
addr->slen != vaddr->slen ||
|
||||
memcmp(&addr->ss, &vaddr->ss, addr->slen) != 0)
|
||||
continue;
|
||||
|
||||
if (!any) {
|
||||
any = 1;
|
||||
r = tls_config_set_keypair_ocsp_mem(tlsconf,
|
||||
h->cert, h->certlen, h->key, h->keylen,
|
||||
h->ocsp, h->ocsplen);
|
||||
} else {
|
||||
r = tls_config_add_keypair_ocsp_mem(tlsconf,
|
||||
h->cert, h->certlen, h->key, h->keylen,
|
||||
h->ocsp, h->ocsplen);
|
||||
}
|
||||
|
||||
if (r == -1)
|
||||
fatalx("failed to load keypair"
|
||||
" for host %s: %s", h->domain,
|
||||
tls_config_error(tlsconf));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1386,50 +1405,31 @@ static void
|
|||
setup_tls(struct conf *conf)
|
||||
{
|
||||
struct tls_config *tlsconf;
|
||||
struct vhost *h;
|
||||
struct address *addr;
|
||||
|
||||
if (ctx == NULL) {
|
||||
if ((ctx = tls_server()) == NULL)
|
||||
fatal("tls_server failure");
|
||||
TAILQ_FOREACH(addr, &conf->addrs, addrs) {
|
||||
if ((tlsconf = tls_config_new()) == NULL)
|
||||
fatal("tls_config_new");
|
||||
|
||||
if (conf->use_privsep_crypto)
|
||||
tls_config_use_fake_private_key(tlsconf);
|
||||
|
||||
/* optionally accept client certs but don't verify */
|
||||
tls_config_verify_client_optional(tlsconf);
|
||||
tls_config_insecure_noverifycert(tlsconf);
|
||||
|
||||
if (tls_config_set_protocols(tlsconf, conf->protos) == -1)
|
||||
fatalx("tls_config_set_protocols: %s",
|
||||
tls_config_error(tlsconf));
|
||||
|
||||
add_matching_kps(tlsconf, addr, conf);
|
||||
|
||||
tls_reset(addr->ctx);
|
||||
if (tls_configure(addr->ctx, tlsconf) == -1)
|
||||
fatalx("tls_configure: %s", tls_error(addr->ctx));
|
||||
|
||||
tls_config_free(tlsconf);
|
||||
}
|
||||
|
||||
if ((tlsconf = tls_config_new()) == NULL)
|
||||
fatal("tls_config_new");
|
||||
|
||||
if (conf->use_privsep_crypto)
|
||||
tls_config_use_fake_private_key(tlsconf);
|
||||
|
||||
/* optionally accept client certs, but don't try to verify them */
|
||||
tls_config_verify_client_optional(tlsconf);
|
||||
tls_config_insecure_noverifycert(tlsconf);
|
||||
|
||||
if (tls_config_set_protocols(tlsconf, conf->protos) == -1)
|
||||
fatalx("tls_config_set_protocols: %s",
|
||||
tls_config_error(tlsconf));
|
||||
|
||||
h = TAILQ_FIRST(&conf->hosts);
|
||||
|
||||
/* we need to set something, then we can add how many key we want */
|
||||
if (tls_config_set_keypair_mem(tlsconf, h->cert, h->certlen,
|
||||
h->key, h->keylen) == -1)
|
||||
fatalx("tls_config_set_keypair_mem failed: %s",
|
||||
tls_config_error(tlsconf));
|
||||
|
||||
/* same for OCSP */
|
||||
if (h->ocsp != NULL &&
|
||||
tls_config_set_ocsp_staple_mem(tlsconf, h->ocsp, h->ocsplen)
|
||||
== -1)
|
||||
fatalx("tls_config_set_ocsp_staple_file failed: %s",
|
||||
tls_config_error(tlsconf));
|
||||
|
||||
while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
|
||||
add_keypair(h, tlsconf);
|
||||
|
||||
tls_reset(ctx);
|
||||
if (tls_configure(ctx, tlsconf) == -1)
|
||||
fatalx("tls_configure: %s", tls_error(ctx));
|
||||
|
||||
tls_config_free(tlsconf);
|
||||
}
|
||||
|
||||
static void
|
||||
|
|
Loading…
Reference in New Issue