commit - 114e9a4206567c38ad98fd24c627d08d17f89d7d
commit + 070b32952caf91e2f7f7598230236fdd872f99e5
blob - 4ccbbdc0cd482bea2364d9b2181d0399b12eb14d
blob + d96c37a25006265c253db20873b406fa8fc8bebd
--- ge.c
+++ ge.c
struct conf conf;
struct fcgi fcgi[FCGI_MAX]; /* just because it's referenced */
-struct vhosthead hosts;
+struct vhosthead hosts = TAILQ_HEAD_INITIALIZER(hosts);
-
static const struct option opts[] = {
{"help", no_argument, NULL, 'h'},
{"version", no_argument, NULL, 'V'},
}
static int
-serve(const char *host, int port, const char *dir, struct tls *ctx)
+serve(const char *host, int port, const char *dir)
{
struct addrinfo hints, *res, *res0;
int error, saved_errno, sock = -1;
freeaddrinfo(res0);
log_notice(NULL, "serving %s on port %d", dir, port);
- return server_main(ctx, NULL, sock, -1);
+ return server_main(NULL, sock, -1);
}
static __dead void
int
main(int argc, char **argv)
{
- struct tls_config *tlsconf;
- struct tls *ctx;
struct vhost *host;
struct location *loc;
const char *errstr, *certs_dir = NULL, *hostname = "localhost";
logger_init();
conf.port = 1965;
+ conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;
while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) {
switch (ch) {
free(tmp);
}
- /* setup tls */
-
- if ((tlsconf = tls_config_new()) == NULL)
- fatal("tls_config_new");
-
- /* optionally accept client certs but don't try to verify them */
- tls_config_verify_client_optional(tlsconf);
- tls_config_insecure_noverifycert(tlsconf);
-
- if ((ctx = tls_server()) == NULL)
- fatal("tls_server failure");
-
- if (tls_config_set_keypair_file(tlsconf, host->cert, host->key))
- fatalx("can't load the keypair (%s, %s): %s",
- host->cert, host->key, tls_config_error(tlsconf));
-
- if (tls_configure(ctx, tlsconf) == -1)
- fatalx("tls_configure: %s", tls_error(ctx));
-
/* start the server */
signal(SIGPIPE, SIG_IGN);
setproctitle("%s", loc->dir);
- return serve(hostname, conf.port, loc->dir, ctx);
+ return serve(hostname, conf.port, loc->dir);
}
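Review bot: main now relies on the shared setup_tls in server.c locating its vhost through `TAILQ_FIRST(&hosts)` and reading `host->ocsp`, but nothing in this hunk shows `host` being inserted into `hosts` or its `ocsp` field being initialised, and the only setup shown is the file-scope `TAILQ_HEAD_INITIALIZER(hosts)`; if the vhost is never appended, the server path dereferences NULL at startup. The previous ge.c-local TLS setup only called `tls_config_set_keypair_file`, so the OCSP field was irrelevant here before this change. A comment next to `conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3;` such as `/* server_main() builds the TLS context from hosts: the vhost must be on the list and ocsp must be a (possibly empty) string */` would make the new contract visible. Most of main's body is elided in this hunk.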
blob - 82a42cae8e2132bd67b4a1fcf29c9d9d91a6ecb6
blob + af4d9cf95cbba64d5fa5b2754b10ab3aee0e16d8
--- gmid.c
+++ gmid.c
struct conf conf;
-struct tls_config *tlsconf;
-struct tls *ctx;
-
static void
dummy_handler(int signo)
{
return sock;
}
-static void
-add_keypair(struct vhost *h)
-{
- if (*h->ocsp == '\0') {
- if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1)
- fatalx("failed to load the keypair (%s, %s): %s",
- h->cert, h->key, tls_config_error(tlsconf));
- } else {
- if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key,
- h->ocsp) == -1)
- fatalx("failed to load the keypair (%s, %s, %s): %s",
- h->cert, h->key, h->ocsp,
- tls_config_error(tlsconf));
- }
-}
-
void
-setup_tls(void)
-{
- struct vhost *h;
-
- if ((tlsconf = tls_config_new()) == NULL)
- fatal("tls_config_new");
-
- /* optionally accept client certs, but don't try to verify them */
- tls_config_verify_client_optional(tlsconf);
- tls_config_insecure_noverifycert(tlsconf);
-
- if (tls_config_set_protocols(tlsconf, conf.protos) == -1)
- fatalx("tls_config_set_protocols: %s",
- tls_config_error(tlsconf));
-
- if ((ctx = tls_server()) == NULL)
- fatal("tls_server failure");
-
- h = TAILQ_FIRST(&hosts);
-
- /* we need to set something, then we can add how many key we want */
- if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
- fatalx("tls_config_set_keypair_file failed for (%s, %s): %s",
- h->cert, h->key, tls_config_error(tlsconf));
-
- /* same for OCSP */
- if (*h->ocsp != '\0' &&
- tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
- fatalx("tls_config_set_ocsp_staple_file failed for (%s): %s",
- h->ocsp, tls_config_error(tlsconf));
-
- while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
- add_keypair(h);
-
- if (tls_configure(ctx, tlsconf) == -1)
- fatalx("tls_configure: %s", tls_error(ctx));
-}
-
-void
init_config(void)
{
TAILQ_INIT(&hosts);
}
memset(fcgi, 0, sizeof(fcgi));
-
- tls_free(ctx);
- tls_config_free(tlsconf);
}
static int
{
int i, p[2];
- /* setup tls before dropping privileges: we don't want user
- * to put private certs inside the chroot. */
- setup_tls();
-
for (i = 0; i < conf.prefork; ++i) {
if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC,
PF_UNSPEC, p) == -1)
close(p[0]);
imsg_init(&servibuf[i], p[1]);
setproctitle("server");
- _exit(server_main(ctx, &servibuf[i], sock4, sock6));
+ _exit(server_main(&servibuf[i], sock4, sock6));
default:
close(p[1]);
imsg_init(&servibuf[i], p[0]);
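Review bot: With setup_tls removed from the parent, the keypair and OCSP files are now parsed inside each prefork child at the `_exit(server_main(&servibuf[i], sock4, sock6));` line rather than once before the fork loop, so a bad certificate or key no longer fails the parent early but makes every child fatalx after its imsg pipe has been set up, while the parent continues with `close(p[1])` and `imsg_init(&servibuf[i], p[0])` as if the child were alive. It is worth confirming the parent detects the children exiting, or keeping a cheap pre-fork check that `host->cert` and `host->key` are readable so misconfiguration is still reported once, in the parent. The signature of the enclosing function is cut out of this hunk.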
blob - e2a0128c08d8ba4f9708c9b559097668f0775c0d
blob + e187147921c5105a9bdcb3217cbc0d7da76fedc8
--- gmid.h
+++ gmid.h
char *data_dir(void);
void load_local_cert(struct vhost*, const char*, const char*);
int make_socket(int, int);
-void setup_tls(void);
void init_config(void);
void free_config(void);
void drop_priv(void);
void start_reply(struct client*, int, const char*);
void client_close(struct client *);
struct client *client_by_id(int);
-int server_main(struct tls *, struct imsgbuf *, int, int);
+int server_main(struct imsgbuf *, int, int);
int client_tree_cmp(struct client *, struct client *);
SPLAY_PROTOTYPE(client_tree_id, client, entry, client_tree_cmp);
blob - 337318272840745460077e5075f3ba1e0acb5df6
blob + 13bc1dbcd84a69cf3721bd84f0dd10259f686aee
--- server.c
+++ server.c
}
static void
-loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf)
+loop(int sock4, int sock6, struct imsgbuf *ibuf)
{
- ctx = ctx_;
-
SPLAY_INIT(&clients);
event_init();
}
static void
+add_keypair(struct vhost *h, struct tls_config *conf)
+{
+ if (*h->ocsp == '\0') {
+ if (tls_config_add_keypair_file(conf, h->cert, h->key) == -1)
+ fatalx("failed to load the keypair (%s, %s): %s",
+ h->cert, h->key, tls_config_error(conf));
+ } else {
+ if (tls_config_add_keypair_ocsp_file(conf, h->cert, h->key,
+ h->ocsp) == -1)
+ fatalx("failed to load the keypair (%s, %s, %s): %s",
+ h->cert, h->key, h->ocsp,
+ tls_config_error(conf));
+ }
+}
+
+/*
+ * XXX: in a ideal privsep world, this is done by the parent process
+ * and its content sent to us.
+ */
+static void
+setup_tls(void)
+{
+ struct tls_config *tlsconf;
+ struct vhost *h;
+
+ if ((tlsconf = tls_config_new()) == NULL)
+ fatal("tls_config_new");
+
+ /* optionally accept client certs, but don't try to verify them */
+ tls_config_verify_client_optional(tlsconf);
+ tls_config_insecure_noverifycert(tlsconf);
+
+ if (tls_config_set_protocols(tlsconf, conf.protos) == -1)
+ fatalx("tls_config_set_protocols: %s",
+ tls_config_error(tlsconf));
+
+ h = TAILQ_FIRST(&hosts);
+
+ log_warn(NULL, "loading %s, %s, %s", h->cert, h->key, h->ocsp);
+
+ /* we need to set something, then we can add how many key we want */
+ if (tls_config_set_keypair_file(tlsconf, h->cert, h->key))
+ fatalx("tls_config_set_keypair_file failed for (%s, %s): %s",
+ h->cert, h->key, tls_config_error(tlsconf));
+
+ /* same for OCSP */
+ if (*h->ocsp != '\0' &&
+ tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1)
+ fatalx("tls_config_set_ocsp_staple_file failed for (%s): %s",
+ h->ocsp, tls_config_error(tlsconf));
+
+ while ((h = TAILQ_NEXT(h, vhosts)) != NULL)
+ add_keypair(h, tlsconf);
+
+ if ((ctx = tls_server()) == NULL)
+ fatal("tls_server failure");
+
+ if (tls_configure(ctx, tlsconf) == -1)
+ fatalx("tls_configure: %s", tls_error(ctx));
+
+ tls_config_free(tlsconf);
+}
+
+static void
load_vhosts(void)
{
struct vhost *h;
}
int
-server_main(struct tls *ctx_, struct imsgbuf *ibuf, int sock4, int sock6)
+server_main(struct imsgbuf *ibuf, int sock4, int sock6)
{
+ /*
+ * setup tls before dropping privileges: we don't want user
+ * to put private certs inside the chroot.
+ */
+ setup_tls();
drop_priv();
if (load_default_mime(&conf.mime) == -1)
fatal("can't load default mime");
sort_mime(&conf.mime);
load_vhosts();
- loop(ctx_, sock4, sock6, ibuf);
+ loop(sock4, sock6, ibuf);
return 0;
}
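Review bot: `log_warn(NULL, "loading %s, %s, %s", h->cert, h->key, h->ocsp);` in the new setup_tls looks like a leftover debugging trace: it fires on every server start at warning severity, covers only the first vhost, and also passes the `errno`-style prefix path of log_warn for something that is not a failure. Either drop it or lower it to `log_debug(NULL, "loading keypair %s, %s", h->cert, h->key);`. Separately, `h = TAILQ_FIRST(&hosts);` is dereferenced unconditionally a few lines later; a guard such as `if ((h = TAILQ_FIRST(&hosts)) == NULL) fatalx("no host configured");` turns an empty host list (which ge.c now reaches through this same path) into a clear error instead of a NULL dereference. The `tls_free(ctx)` that free_config used to perform in gmid.c has no counterpart in this hunk; that is fine if ctx is meant to live for the whole server process, otherwise the context is now never released.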