diff options
| author | June McEnroe <june@causal.agency> | 2020-01-12 18:07:54 -0500 |
|---|---|---|
| committer | June McEnroe <june@causal.agency> | 2020-01-12 18:07:54 -0500 |
| commit | 5e6094e437a5437ceb6b083d16995ea629a4d720 (patch) | |
| tree | 34ad1b244212caab1b832a6243988e388282434a /local.c | |
| parent | Add a vendor capability for passive clients (diff) | |
| download | pounce-5e6094e437a5437ceb6b083d16995ea629a4d720.tar.gz pounce-5e6094e437a5437ceb6b083d16995ea629a4d720.zip | |
Add option to set local client CA
This is a little bit messy. Allows setting either -A or -W or both. Implements SASL EXTERNAL for clients that expect that when connecting with a client certificate. Need to test that reloading still works inside capsicum, since I suspect that rewind call may be blocked.
Diffstat (limited to 'local.c')
| -rw-r--r-- | local.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/local.c b/local.c index c147259..a4de1bc 100644 --- a/local.c +++ b/local.c @@ -47,13 +47,14 @@ static byte *readFile(size_t *len, FILE *file) { byte *buf = malloc(stat.st_size); if (!buf) err(EX_OSERR, "malloc"); + rewind(file); *len = fread(buf, 1, stat.st_size, file); if (ferror(file)) err(EX_IOERR, "fread"); return buf; } -void localConfig(FILE *cert, FILE *priv) { +void localConfig(FILE *cert, FILE *priv, FILE *ca, bool require) { tls_free(server); server = tls_server(); if (!server) errx(EX_SOFTWARE, "tls_server"); @@ -76,6 +77,23 @@ void localConfig(FILE *cert, FILE *priv) { } free(buf); + if (ca) { + buf = readFile(&len, ca); + error = tls_config_set_ca_mem(config, buf, len); + if (error) { + errx( + EX_CONFIG, "tls_config_set_ca_mem: %s", + tls_config_error(config) + ); + } + free(buf); + if (require) { + tls_config_verify_client(config); + } else { + tls_config_verify_client_optional(config); + } + } + error = tls_configure(server, config); if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(server)); tls_config_free(config); |