summary refs log tree commit diff
path: root/local.c
diff options
context:
space:
mode:
authorJune McEnroe <june@causal.agency>2020-01-12 18:07:54 -0500
committerJune McEnroe <june@causal.agency>2020-01-12 18:07:54 -0500
commit5e6094e437a5437ceb6b083d16995ea629a4d720 (patch)
tree34ad1b244212caab1b832a6243988e388282434a /local.c
parentAdd a vendor capability for passive clients (diff)
downloadpounce-5e6094e437a5437ceb6b083d16995ea629a4d720.tar.gz
pounce-5e6094e437a5437ceb6b083d16995ea629a4d720.zip
Add option to set local client CA
This is a little bit messy. Allows setting either -A or -W or both.
Implements SASL EXTERNAL for clients that expect that when connecting
with a client certificate.

Need to test that reloading still works inside capsicum, since I suspect
that rewind call may be blocked.
Diffstat (limited to '')
-rw-r--r--local.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/local.c b/local.c
index c147259..a4de1bc 100644
--- a/local.c
+++ b/local.c
@@ -47,13 +47,14 @@ static byte *readFile(size_t *len, FILE *file) {
 	byte *buf = malloc(stat.st_size);
 	if (!buf) err(EX_OSERR, "malloc");
 
+	rewind(file);
 	*len = fread(buf, 1, stat.st_size, file);
 	if (ferror(file)) err(EX_IOERR, "fread");
 
 	return buf;
 }
 
-void localConfig(FILE *cert, FILE *priv) {
+void localConfig(FILE *cert, FILE *priv, FILE *ca, bool require) {
 	tls_free(server);
 	server = tls_server();
 	if (!server) errx(EX_SOFTWARE, "tls_server");
@@ -76,6 +77,23 @@ void localConfig(FILE *cert, FILE *priv) {
 	}
 	free(buf);
 
+	if (ca) {
+		buf = readFile(&len, ca);
+		error = tls_config_set_ca_mem(config, buf, len);
+		if (error) {
+			errx(
+				EX_CONFIG, "tls_config_set_ca_mem: %s",
+				tls_config_error(config)
+			);
+		}
+		free(buf);
+		if (require) {
+			tls_config_verify_client(config);
+		} else {
+			tls_config_verify_client_optional(config);
+		}
+	}
+
 	error = tls_configure(server, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(server));
 	tls_config_free(config);