summary refs log tree commit diff
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2019-10-27 21:50:56 -0400
committerJune McEnroe <june@causal.agency>2019-11-01 01:01:17 -0400
commit0c667f1dc709c0104f244169983289ef1164f862 (patch)
treee229ab9daf6ed61a6a3dd3d3ad5521fe6c59ed97
parentUse capsicum (diff)
downloadpounce-0c667f1dc709c0104f244169983289ef1164f862.tar.gz
pounce-0c667f1dc709c0104f244169983289ef1164f862.zip
Re-read cert and key from the same FILEs
-rw-r--r--bounce.c13
-rw-r--r--bounce.h2
-rw-r--r--listen.c37
3 files changed, 43 insertions, 9 deletions
diff --git a/bounce.c b/bounce.c
index bb4f902..a5b448a 100644
--- a/bounce.c
+++ b/bounce.c
@@ -194,6 +194,12 @@ int main(int argc, char *argv[]) {
 	ringAlloc(ring);
 	if (save) saveLoad(save);
 
+	FILE *cert = fopen(certPath, "r");
+	if (!cert) err(EX_NOINPUT, "%s", certPath);
+	FILE *priv = fopen(privPath, "r");
+	if (!priv) err(EX_NOINPUT, "%s", privPath);
+	listenConfig(cert, priv);
+
 	int bind[8];
 	listenConfig(certPath, privPath);
 	size_t binds = listenBind(bind, 8, bindHost, bindPort);
@@ -204,11 +210,14 @@ int main(int argc, char *argv[]) {
 	int error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
 
-	cap_rights_t sockRights, bindRights;
+	cap_rights_t fileRights, sockRights, bindRights;
+	cap_rights_init(&fileRights, CAP_FSTAT, CAP_PREAD);
 	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
 	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
 	cap_rights_merge(&bindRights, &sockRights);
 
+	cap_rights_limit(fileno(cert), &fileRights);
+	cap_rights_limit(fileno(priv), &fileRights);
 	for (size_t i = 0; i < binds; ++i) {
 		error = cap_rights_limit(bind[i], &bindRights);
 		if (error) err(EX_OSERR, "cap_rights_limit");
@@ -248,7 +257,7 @@ int main(int argc, char *argv[]) {
 			signals[SIGINFO] = 0;
 		}
 		if (signals[SIGUSR1]) {
-			listenConfig(certPath, privPath);
+			listenConfig(cert, priv);
 			signals[SIGUSR1] = 0;
 		}
 
diff --git a/bounce.h b/bounce.h
index 5a03af2..60a6795 100644
--- a/bounce.h
+++ b/bounce.h
@@ -74,7 +74,7 @@ void ringInfo(void);
 int ringSave(FILE *file);
 void ringLoad(FILE *file);
 
-void listenConfig(const char *cert, const char *priv);
+void listenConfig(FILE *cert, FILE *priv);
 size_t listenBind(int fds[], size_t cap, const char *host, const char *port);
 struct tls *listenAccept(int *fd, int bind);
 
diff --git a/listen.c b/listen.c
index 1797acf..9fc2443 100644
--- a/listen.c
+++ b/listen.c
@@ -17,8 +17,10 @@
 #include <err.h>
 #include <netdb.h>
 #include <netinet/in.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <sys/socket.h>
+#include <sys/stat.h>
 #include <sysexits.h>
 #include <tls.h>
 #include <unistd.h>
@@ -27,7 +29,23 @@
 
 static struct tls *server;
 
-void listenConfig(const char *cert, const char *priv) {
+static byte *reread(size_t *len, FILE *file) {
+	struct stat stat;
+	int error = fstat(fileno(file), &stat);
+	if (error) err(EX_IOERR, "fstat");
+
+	byte *buf = malloc(stat.st_size);
+	if (!buf) err(EX_OSERR, "malloc");
+
+	fpurge(file);
+	rewind(file);
+	*len = fread(buf, 1, stat.st_size, file);
+	if (ferror(file)) err(EX_IOERR, "fread");
+
+	return buf;
+}
+
+void listenConfig(FILE *cert, FILE *priv) {
 	tls_free(server);
 	server = tls_server();
 	if (!server) errx(EX_SOFTWARE, "tls_server");
@@ -35,13 +53,20 @@ void listenConfig(const char *cert, const char *priv) {
 	struct tls_config *config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
 
-	int error = tls_config_set_keypair_file(config, cert, priv);
+	size_t len;
+	byte *buf = reread(&len, cert);
+	int error = tls_config_set_cert_mem(config, buf, len);
+	if (error) {
+		errx(EX_CONFIG, "tls_config_set_cert_mem: %s", tls_config_error(config));
+	}
+	free(buf);
+
+	buf = reread(&len, priv);
+	error = tls_config_set_key_mem(config, buf, len);
 	if (error) {
-		errx(
-			EX_CONFIG, "tls_config_set_keypair_file: %s",
-			tls_config_error(config)
-		);
+		errx(EX_CONFIG, "tls_config_set_key_mem: %s", tls_config_error(config));
 	}
+	free(buf);
 
 	error = tls_configure(server, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(server));