From 0c667f1dc709c0104f244169983289ef1164f862 Mon Sep 17 00:00:00 2001
From: Curtis McEnroe
Date: Sun, 27 Oct 2019 21:50:56 -0400
Subject: Re-read cert and key from the same FILEs

---
 bounce.c | 13 +++++++++++--
 bounce.h |  2 +-
 listen.c | 37 +++++++++++++++++++++++++++++++------
 3 files changed, 43 insertions(+), 9 deletions(-)

diff --git a/bounce.c b/bounce.c
index bb4f902..a5b448a 100644
--- a/bounce.c
+++ b/bounce.c
@@ -194,6 +194,12 @@ int main(int argc, char *argv[]) {
 	ringAlloc(ring);
 	if (save) saveLoad(save);
+	FILE *cert = fopen(certPath, "r");
+	if (!cert) err(EX_NOINPUT, "%s", certPath);
+	FILE *priv = fopen(privPath, "r");
+	if (!priv) err(EX_NOINPUT, "%s", privPath);
+	listenConfig(cert, priv);
+
 	int bind[8];
 	listenConfig(certPath, privPath);
 	size_t binds = listenBind(bind, 8, bindHost, bindPort);
@@ -204,11 +210,14 @@ int main(int argc, char *argv[]) {
 	int error = cap_enter();
 	if (error) err(EX_OSERR, "cap_enter");
-	cap_rights_t sockRights, bindRights;
+	cap_rights_t fileRights, sockRights, bindRights;
+	cap_rights_init(&fileRights, CAP_FSTAT, CAP_PREAD);
 	cap_rights_init(&sockRights, CAP_EVENT, CAP_RECV, CAP_SEND, CAP_SETSOCKOPT);
 	cap_rights_init(&bindRights, CAP_LISTEN, CAP_ACCEPT);
 	cap_rights_merge(&bindRights, &sockRights);
+	cap_rights_limit(fileno(cert), &fileRights);
+	cap_rights_limit(fileno(priv), &fileRights);
 	for (size_t i = 0; i < binds; ++i) {
 		error = cap_rights_limit(bind[i], &bindRights);
 		if (error) err(EX_OSERR, "cap_rights_limit");
@@ -248,7 +257,7 @@ int main(int argc, char *argv[]) {
 			signals[SIGINFO] = 0;
 		}
 		if (signals[SIGUSR1]) {
-			listenConfig(certPath, privPath);
+			listenConfig(cert, priv);
 			signals[SIGUSR1] = 0;
 		}
diff --git a/bounce.h b/bounce.h
index 5a03af2..60a6795 100644
--- a/bounce.h
+++ b/bounce.h
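Review bot: The context line `listenConfig(certPath, privPath);` right after `int bind[8];` in the first bounce.c hunk survives the change, so main() now calls listenConfig twice, the second time with the `const char *` path strings in parameters that bounce.h now declares as `FILE *`; the new reread() would hand those string pointers to fileno(). The added `listenConfig(cert, priv);` a few lines above already replaces it, so the stale line should simply be deleted. The body of main() continues outside the hunk.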
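Review bot: The two added `cap_rights_limit(fileno(cert), &fileRights);` and `cap_rights_limit(fileno(priv), &fileRights);` calls in the second bounce.c hunk discard their return value, while the bind loop directly below checks it and aborts with err(); if limiting fails, the cert and key descriptors keep their full rights inside the sandbox and nothing is reported. Mirror the loop for both descriptors: `error = cap_rights_limit(fileno(cert), &fileRights);` followed by `if (error) err(EX_OSERR, "cap_rights_limit");`, and the same pair for `priv`. The enclosing main() extends beyond the hunk.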
@@ -74,7 +74,7 @@ void ringInfo(void);
 int ringSave(FILE *file);
 void ringLoad(FILE *file);
-void listenConfig(const char *cert, const char *priv);
+void listenConfig(FILE *cert, FILE *priv);
 size_t listenBind(int fds[], size_t cap, const char *host, const char *port);
 struct tls *listenAccept(int *fd, int bind);
diff --git a/listen.c b/listen.c
index 1797acf..9fc2443 100644
--- a/listen.c
+++ b/listen.c
@@ -17,8 +17,10 @@
 #include
 #include
 #include
+#include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -27,7 +29,23 @@
 static struct tls *server;
-void listenConfig(const char *cert, const char *priv) {
+static byte *reread(size_t *len, FILE *file) {
+	struct stat stat;
+	int error = fstat(fileno(file), &stat);
+	if (error) err(EX_IOERR, "fstat");
+
+	byte *buf = malloc(stat.st_size);
+	if (!buf) err(EX_OSERR, "malloc");
+
+	fpurge(file);
+	rewind(file);
+	*len = fread(buf, 1, stat.st_size, file);
+	if (ferror(file)) err(EX_IOERR, "fread");
+
+	return buf;
+}
+
+void listenConfig(FILE *cert, FILE *priv) {
 	tls_free(server);
 	server = tls_server();
 	if (!server) errx(EX_SOFTWARE, "tls_server");
@@ -35,13 +53,20 @@ void listenConfig(const char *cert, const char *priv) {
 	struct tls_config *config = tls_config_new();
 	if (!config) errx(EX_SOFTWARE, "tls_config_new");
-	int error = tls_config_set_keypair_file(config, cert, priv);
+	size_t len;
+	byte *buf = reread(&len, cert);
+	int error = tls_config_set_cert_mem(config, buf, len);
+	if (error) {
+		errx(EX_CONFIG, "tls_config_set_cert_mem: %s", tls_config_error(config));
+	}
+	free(buf);
+
+	buf = reread(&len, priv);
+	error = tls_config_set_key_mem(config, buf, len);
 	if (error) {
-		errx(
-			EX_CONFIG, "tls_config_set_keypair_file: %s",
-			tls_config_error(config)
-		);
+		errx(EX_CONFIG, "tls_config_set_key_mem: %s", tls_config_error(config));
 	}
+	free(buf);
 	error = tls_configure(server, config);
 	if (error) errx(EX_SOFTWARE, "tls_configure: %s", tls_error(server));
--
cgit 1.4.1
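Review bot: In the new reread() the local `struct stat stat;` shadows the stat() function for the rest of the body, which is legal but easy to misread and will trip -Wshadow; naming it `st` (`struct stat st;` and `&st` / `st.st_size`) avoids that. The function also has no comment stating its contract, although the caller's `free(buf)` in the next hunk shows ownership passes to the caller; suggest a header comment such as `/* Re-read the whole file from offset 0 into a fresh buffer; the caller owns and frees it. Exits on I/O or allocation failure. */`. Note too that `malloc(stat.st_size)` with an empty file is `malloc(0)`, which may return NULL on some libcs and would then abort via the `err(EX_OSERR, "malloc")` path with a misleading message — worth confirming on the target platform.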
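Review bot: The second `free(buf);` in the last listen.c hunk releases the buffer that reread() filled with the private key without clearing it, so the key bytes remain in freed heap memory; because listenConfig() is re-run on every SIGUSR1 per the bounce.c hunk, a new copy is left behind on each reload. Suggest clearing it first with `explicit_bzero(buf, len);` immediately before that `free(buf);`, assuming the target libc provides it (a plain memset before free may be optimized away). The certificate buffer freed earlier in the hunk is public data and does not need the same treatment. The tail of listenConfig() continues outside the hunk.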