commit 070b32952caf91e2f7f7598230236fdd872f99e5 from: Omar Polo date: Mon Jun 05 21:10:18 2023 UTC move and dedup the tls initalization in server.c commit - 114e9a4206567c38ad98fd24c627d08d17f89d7d commit + 070b32952caf91e2f7f7598230236fdd872f99e5 blob - 4ccbbdc0cd482bea2364d9b2181d0399b12eb14d blob + d96c37a25006265c253db20873b406fa8fc8bebd --- ge.c +++ ge.c @@ -33,9 +33,8 @@ struct imsgbuf ibuf, logibuf; struct conf conf; struct fcgi fcgi[FCGI_MAX]; /* just because it's referenced */ -struct vhosthead hosts; +struct vhosthead hosts = TAILQ_HEAD_INITIALIZER(hosts); - static const struct option opts[] = { {"help", no_argument, NULL, 'h'}, {"version", no_argument, NULL, 'V'}, @@ -136,7 +135,7 @@ logger_init(void) } static int -serve(const char *host, int port, const char *dir, struct tls *ctx) +serve(const char *host, int port, const char *dir) { struct addrinfo hints, *res, *res0; int error, saved_errno, sock = -1; @@ -184,7 +183,7 @@ serve(const char *host, int port, const char *dir, str freeaddrinfo(res0); log_notice(NULL, "serving %s on port %d", dir, port); - return server_main(ctx, NULL, sock, -1); + return server_main(NULL, sock, -1); } static __dead void @@ -200,8 +199,6 @@ usage(void) int main(int argc, char **argv) { - struct tls_config *tlsconf; - struct tls *ctx; struct vhost *host; struct location *loc; const char *errstr, *certs_dir = NULL, *hostname = "localhost"; @@ -210,6 +207,7 @@ main(int argc, char **argv) logger_init(); conf.port = 1965; + conf.protos = TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3; while ((ch = getopt_long(argc, argv, "d:H:hp:Vv", opts, NULL)) != -1) { switch (ch) { 
@@ -276,27 +274,8 @@ main(int argc, char **argv) free(tmp); } - /* setup tls */ - - if ((tlsconf = tls_config_new()) == NULL) - fatal("tls_config_new"); - - /* optionally accept client certs but don't try to verify them */ - tls_config_verify_client_optional(tlsconf); - tls_config_insecure_noverifycert(tlsconf); - - if ((ctx = tls_server()) == NULL) - fatal("tls_server failure"); - - if (tls_config_set_keypair_file(tlsconf, host->cert, host->key)) - fatalx("can't load the keypair (%s, %s): %s", - host->cert, host->key, tls_config_error(tlsconf)); - - if (tls_configure(ctx, tlsconf) == -1) - fatalx("tls_configure: %s", tls_error(ctx)); - /* start the server */ signal(SIGPIPE, SIG_IGN); setproctitle("%s", loc->dir); - return serve(hostname, conf.port, loc->dir, ctx); + return serve(hostname, conf.port, loc->dir); } blob - 82a42cae8e2132bd67b4a1fcf29c9d9d91a6ecb6 blob + af4d9cf95cbba64d5fa5b2754b10ab3aee0e16d8 --- gmid.c +++ gmid.c @@ -51,9 +51,6 @@ const char *pidfile; struct conf conf; -struct tls_config *tlsconf; -struct tls *ctx; - static void dummy_handler(int signo) { 
@@ -115,62 +112,7 @@ make_socket(int port, int family) return sock; } -static void -add_keypair(struct vhost *h) -{ - if (*h->ocsp == '\0') { - if (tls_config_add_keypair_file(tlsconf, h->cert, h->key) == -1) - fatalx("failed to load the keypair (%s, %s): %s", - h->cert, h->key, tls_config_error(tlsconf)); - } else { - if (tls_config_add_keypair_ocsp_file(tlsconf, h->cert, h->key, - h->ocsp) == -1) - fatalx("failed to load the keypair (%s, %s, %s): %s", - h->cert, h->key, h->ocsp, - tls_config_error(tlsconf)); - } -} - void -setup_tls(void) -{ - struct vhost *h; - - if ((tlsconf = tls_config_new()) == NULL) - fatal("tls_config_new"); - - /* optionally accept client certs, but don't try to verify them */ - tls_config_verify_client_optional(tlsconf); - tls_config_insecure_noverifycert(tlsconf); - - if (tls_config_set_protocols(tlsconf, conf.protos) == -1) - fatalx("tls_config_set_protocols: %s", - tls_config_error(tlsconf)); - - if ((ctx = tls_server()) == NULL) - fatal("tls_server failure"); - - h = TAILQ_FIRST(&hosts); - - /* we need to set something, then we can add how many key we want */ - if (tls_config_set_keypair_file(tlsconf, h->cert, h->key)) - fatalx("tls_config_set_keypair_file failed for (%s, %s): %s", - h->cert, h->key, tls_config_error(tlsconf)); - - /* same for OCSP */ - if (*h->ocsp != '\0' && - tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1) - fatalx("tls_config_set_ocsp_staple_file failed for (%s): %s", - h->ocsp, tls_config_error(tlsconf)); - - while ((h = TAILQ_NEXT(h, vhosts)) != NULL) - add_keypair(h); - - if (tls_configure(ctx, tlsconf) == -1) - fatalx("tls_configure: %s", tls_error(ctx)); -} - -void init_config(void) { TAILQ_INIT(&hosts); @@ -233,9 +175,6 @@ free_config(void) } memset(fcgi, 0, sizeof(fcgi)); - - tls_free(ctx); - tls_config_free(tlsconf); } static int 
@@ -322,10 +261,6 @@ serve(void) { int i, p[2]; - /* setup tls before dropping privileges: we don't want user - * to put private certs inside the chroot. */ - setup_tls(); - for (i = 0; i < conf.prefork; ++i) { if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, PF_UNSPEC, p) == -1) @@ -338,7 +273,7 @@ serve(void) close(p[0]); imsg_init(&servibuf[i], p[1]); setproctitle("server"); - _exit(server_main(ctx, &servibuf[i], sock4, sock6)); + _exit(server_main(&servibuf[i], sock4, sock6)); default: close(p[1]); imsg_init(&servibuf[i], p[0]); blob - e2a0128c08d8ba4f9708c9b559097668f0775c0d blob + e187147921c5105a9bdcb3217cbc0d7da76fedc8 --- gmid.h +++ gmid.h @@ -297,7 +297,6 @@ enum imsg_type { char *data_dir(void); void load_local_cert(struct vhost*, const char*, const char*); int make_socket(int, int); -void setup_tls(void); void init_config(void); void free_config(void); void drop_priv(void); @@ -335,7 +334,7 @@ void client_write(struct bufferevent *, void *); void start_reply(struct client*, int, const char*); void client_close(struct client *); struct client *client_by_id(int); -int server_main(struct tls *, struct imsgbuf *, int, int); +int server_main(struct imsgbuf *, int, int); int client_tree_cmp(struct client *, struct client *); SPLAY_PROTOTYPE(client_tree_id, client, entry, client_tree_cmp); blob - 337318272840745460077e5075f3ba1e0acb5df6 blob + 13bc1dbcd84a69cf3721bd84f0dd10259f686aee --- server.c +++ server.c @@ -1368,10 +1368,8 @@ handle_siginfo(int fd, short ev, void *d) } static void -loop(struct tls *ctx_, int sock4, int sock6, struct imsgbuf *ibuf) +loop(int sock4, int sock6, struct imsgbuf *ibuf) { - ctx = ctx_; - SPLAY_INIT(&clients); event_init(); 
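Review bot: Dropping the setup_tls() call from gmid.c's serve() moves keypair loading from the parent into each forked child, so an unreadable or malformed cert/key that previously aborted gmid before any fork now triggers fatalx inside the child (via server_main) after the fork has already happened; unless the parent reaps and reacts to a child exiting at startup, which this hunk does not show, it would keep running with dead workers behind a bound listener. Consider keeping a cheap pre-fork check in the parent (e.g. an access()/open-for-read of each vhost's cert and key, or running the loader once and discarding the result) so misconfiguration still fails fast with a single clear error, and note in the comment at the `for (i = 0; i < conf.prefork; ++i)` loop that TLS material is now loaded per child. The body of serve() continues outside this hunk, so how child death is handled is not visible here.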
@@ -1405,6 +1403,70 @@ loop(struct tls *ctx_, int sock4, int sock6, struct im } static void +add_keypair(struct vhost *h, struct tls_config *conf) +{ + if (*h->ocsp == '\0') { + if (tls_config_add_keypair_file(conf, h->cert, h->key) == -1) + fatalx("failed to load the keypair (%s, %s): %s", + h->cert, h->key, tls_config_error(conf)); + } else { + if (tls_config_add_keypair_ocsp_file(conf, h->cert, h->key, + h->ocsp) == -1) + fatalx("failed to load the keypair (%s, %s, %s): %s", + h->cert, h->key, h->ocsp, + tls_config_error(conf)); + } +} + +/* + * XXX: in a ideal privsep world, this is done by the parent process + * and its content sent to us. + */ +static void +setup_tls(void) +{ + struct tls_config *tlsconf; + struct vhost *h; + + if ((tlsconf = tls_config_new()) == NULL) + fatal("tls_config_new"); + + /* optionally accept client certs, but don't try to verify them */ + tls_config_verify_client_optional(tlsconf); + tls_config_insecure_noverifycert(tlsconf); + + if (tls_config_set_protocols(tlsconf, conf.protos) == -1) + fatalx("tls_config_set_protocols: %s", + tls_config_error(tlsconf)); + + h = TAILQ_FIRST(&hosts); + + log_warn(NULL, "loading %s, %s, %s", h->cert, h->key, h->ocsp); + + /* we need to set something, then we can add how many key we want */ + if (tls_config_set_keypair_file(tlsconf, h->cert, h->key)) + fatalx("tls_config_set_keypair_file failed for (%s, %s): %s", + h->cert, h->key, tls_config_error(tlsconf)); + + /* same for OCSP */ + if (*h->ocsp != '\0' && + tls_config_set_ocsp_staple_file(tlsconf, h->ocsp) == -1) + fatalx("tls_config_set_ocsp_staple_file failed for (%s): %s", + h->ocsp, tls_config_error(tlsconf)); + + while ((h = TAILQ_NEXT(h, vhosts)) != NULL) + add_keypair(h, tlsconf); + + if ((ctx = tls_server()) == NULL) + fatal("tls_server failure"); + + if (tls_configure(ctx, tlsconf) == -1) + fatalx("tls_configure: %s", tls_error(ctx)); + + tls_config_free(tlsconf); +} + +static void load_vhosts(void) { struct vhost *h; 
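Review bot: The new `log_warn(NULL, "loading %s, %s, %s", h->cert, h->key, h->ocsp);` in setup_tls() reads like a leftover debug trace: it fires at warning severity in every server process on every start and prints an empty third field whenever `h->ocsp` is unset, which will confuse operators grepping logs for real problems; it should be `log_debug` or removed. In the same function `h = TAILQ_FIRST(&hosts);` is dereferenced without a NULL check, so an empty host list (ge.c now relies on a static `TAILQ_HEAD_INITIALIZER`) would crash instead of failing cleanly — `if ((h = TAILQ_FIRST(&hosts)) == NULL) fatalx("no virtual host configured");` keeps the failure readable. The `XXX` comment correctly flags that in a privsep design the parent, not each worker, should hold the private key; it would help to also state there that with prefork every worker now reads the key file before drop_priv() and keeps it in its address space.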
@@ -1423,14 +1485,19 @@ load_vhosts(void) } int -server_main(struct tls *ctx_, struct imsgbuf *ibuf, int sock4, int sock6) +server_main(struct imsgbuf *ibuf, int sock4, int sock6) { + /* + * setup tls before dropping privileges: we don't want user + * to put private certs inside the chroot. + */ + setup_tls(); drop_priv(); if (load_default_mime(&conf.mime) == -1) fatal("can't load default mime"); sort_mime(&conf.mime); load_vhosts(); - loop(ctx_, sock4, sock6, ibuf); + loop(sock4, sock6, ibuf); return 0; }
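Review bot: The ordering comment above `setup_tls();` should state the invariant it protects rather than only the motivation, because a later refactor that swaps the two calls would fail silently with "file not found" inside the chroot. Suggested wording: "setup_tls() must run before drop_priv(): cert/key/ocsp paths are resolved against the real root and read with full privileges, so key files can live outside the chroot and stay unreadable by the unprivileged user; any failure here is fatal for this process." It is also worth noting that setup_tls() is now invoked once per call of server_main(), i.e. per prefork child, and that the resulting global `ctx` is never released with tls_free() in the visible code, which is fine only if the process exits rather than re-entering server_main().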