about summary refs log tree commit diff
path: root/cert.c
diff options
context:
space:
mode:
authorC. McEnroe <june@causal.agency>2020-08-28 17:45:42 -0400
committerC. McEnroe <june@causal.agency>2020-08-28 18:14:25 -0400
commitd367723c4747ad369c8ce7f5a64c8a4c37e5f5c3 (patch)
tree3d526646ddb2adafa10bdd6ace8f231a09df154d /cert.c
parentSandbox pounce with pledge(2) (diff)
downloadpounce-d367723c4747ad369c8ce7f5a64c8a4c37e5f5c3.tar.gz
pounce-d367723c4747ad369c8ce7f5a64c8a4c37e5f5c3.zip
Refactor certificate loading and load all certs from config paths
Diffstat (limited to 'cert.c')
-rw-r--r--cert.c95
1 files changed, 95 insertions, 0 deletions
diff --git a/cert.c b/cert.c
new file mode 100644
index 0000000..23c9ce8
--- /dev/null
+++ b/cert.c
@@ -0,0 +1,95 @@
+/* Copyright (C) 2020  C. McEnroe <june@causal.agency>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify this Program, or any covered work, by linking or
+ * combining it with OpenSSL (or a modified version of that library),
+ * containing parts covered by the terms of the OpenSSL License and the
+ * original SSLeay license, the licensors of this Program grant you
+ * additional permission to convey the resulting work. Corresponding
+ * Source for a non-source form of such a combination shall include the
+ * source code for the parts of OpenSSL used as well as that of the
+ * covered work.
+ */
+
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sysexits.h>
+#include <unistd.h>
+
+#include "bounce.h"
+
+// This basically exists to work around certbot's symlinks from "live" into
+// "archive" under capsicum.
+
+int certOpen(struct Cert *cert, const char *path) {
+	char buf[PATH_MAX];
+	snprintf(buf, sizeof(buf), "%s", path);
+
+	char *base = strrchr(buf, '/');
+	if (base) {
+		*base = '\0';
+		snprintf(cert->name, sizeof(cert->name), "%s", &base[1]);
+		cert->parent = open(buf, O_DIRECTORY);
+	} else {
+		snprintf(cert->name, sizeof(cert->name), "%s", path);
+		cert->parent = open(".", O_DIRECTORY);
+	}
+	if (cert->parent < 0) return -1;
+
+	cert->target = cert->parent;
+	ssize_t len = readlinkat(cert->parent, cert->name, buf, sizeof(buf) - 1);
+	if (len < 0 && errno == EINVAL) return 0;
+	if (len < 0) return -1;
+	buf[len] = '\0';
+
+	base = strrchr(buf, '/');
+	if (base) {
+		*base = '\0';
+		cert->target = openat(cert->parent, buf, O_DIRECTORY);
+		if (cert->target < 0) return -1;
+	}
+	return 0;
+}
+
+FILE *certFile(const struct Cert *cert) {
+	const char *name = cert->name;
+
+	char buf[PATH_MAX];
+	ssize_t len = readlinkat(cert->parent, cert->name, buf, sizeof(buf) - 1);
+	if (len < 0) {
+		if (errno != EINVAL) return NULL;
+	} else {
+		// XXX: Assume only the target base name has changed.
+		buf[len] = '\0';
+		name = strrchr(buf, '/');
+		if (name) {
+			name = &name[1];
+		} else {
+			name = buf;
+		}
+	}
+
+	int fd = openat(cert->target, name, O_RDONLY);
+	if (fd < 0) return NULL;
+
+	return fdopen(fd, "r");
+}