commit 2cef5cf42a98f8b9c8c4f1a4d4da40b389de770a
from: Omar Polo
date: Mon Jun 12 21:27:24 2023 UTC

load_ca: get a buffer instead of a fd

We dup(1) the ca fd and send it to various processes, so they fail loading it. Instead, use load_file to get a buffer with the file content and pass that to load_ca which then loads via BIO.

commit - 89cfcb456921ed65a812b6e960de390553ac0ae5
commit + 2cef5cf42a98f8b9c8c4f1a4d4da40b389de770a
blob - a9c972f6368b99b0314acf1515e0fe04866e38d3
blob + 3f563ed2aba7598f4c4da31068d0ece6d23cb7a9
--- config.c
+++ config.c
@@ -549,7 +549,8 @@ config_recv(struct conf *conf, struct imsg *imsg)
 struct envlist *env;
 struct alist *alias;
 struct proxy *proxy;
- size_t datalen;
+ uint8_t *d;
+ size_t len, datalen;
 datalen = IMSG_DATA_SIZE(imsg);
@@ -672,9 +673,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 memcpy(loc, imsg->data, datalen);
 if (imsg->fd != -1) {
- loc->reqca = load_ca(imsg->fd);
+ if (load_file(imsg->fd, &d, &len) == -1)
+ fatal("load_file");
+ loc->reqca = load_ca(d, len);
 if (loc->reqca == NULL)
 fatalx("failed to load CA");
+ free(d);
 }
 TAILQ_INSERT_TAIL(&h->locations, loc, locations);
@@ -707,9 +711,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 memcpy(proxy, imsg->data, datalen);
 if (imsg->fd != -1) {
- proxy->reqca = load_ca(imsg->fd);
+ if (load_file(imsg->fd, &d, &len) == -1)
+ fatal("load_file");
+ proxy->reqca = load_ca(d, len);
 if (proxy->reqca == NULL)
 fatal("failed to load CA");
+ free(d);
 }
 TAILQ_INSERT_TAIL(&h->proxies, proxy, proxies);
blob - c68ab92ae218c467ce325262729266d389a51687
blob + 9a4f1f1d1698ad8b4c6f8798101bc94f60338f63
--- gmid.h
+++ gmid.h
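Review bot: The descriptor in imsg->fd no longer has an explicit owner at the two new call sites (this hunk at @@ -672 and the one at @@ -707): the old load_ca(int) closed it on every path, whereas now it is handed to load_file and never closed here. If load_file does not close the fd itself, every config reload leaks one descriptor in each receiving process; if it does, a short comment above the call, `/* load_file consumes imsg->fd */`, would make that ownership visible to the next reader. The two sites also differ in their failure call, fatalx here and fatal at the proxy site; since load_ca reports its failures through log_warnx/ssl_error rather than errno, fatalx is the one that fits both. config_recv starts and continues outside these hunks.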
@@ -449,7 +449,7 @@ char *absolutify_path(const char*);
 char *xstrdup(const char*);
 void *xcalloc(size_t, size_t);
 void gen_certificate(const char*, const char*, const char*);
-X509_STORE *load_ca(int);
+X509_STORE *load_ca(uint8_t *, size_t);
 int validate_against_ca(X509_STORE*, const uint8_t*, size_t);
 void ssl_error(const char *);
 char *ssl_pubkey_hash(const uint8_t *, size_t);
blob - c68ab92ae218c467ce325262729266d389a51687
blob + 9a4f1f1d1698ad8b4c6f8798101bc94f60338f63
--- utils.c
+++ utils.c
@@ -180,41 +180,48 @@ gen_certificate(const char *hostname, const char *cert
 }
 X509_STORE *
-load_ca(int fd)
+load_ca(uint8_t *d, size_t len)
 {
- FILE *f = NULL;
+ BIO *in;
 X509 *x = NULL;
 X509_STORE *store;
 if ((store = X509_STORE_new()) == NULL) {
- close(fd);
+ log_warnx("%s: X509_STORE_new failed", __func__);
 return NULL;
 }
- if ((f = fdopen(fd, "r")) == NULL) {
- close(fd);
+ if ((in = BIO_new_mem_buf(d, len)) == NULL) {
+ log_warnx("%s: BIO_new_mem_buf failed", __func__);
 goto err;
 }
- if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
+ if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
+ log_warnx("%s: PEM_read_bio_X509 failed", __func__);
+ ssl_error("PEM_read_bio_X509");
 goto err;
+ }
- if (X509_check_ca(x) == 0)
+ if (X509_check_ca(x) == 0) {
+ ssl_error("X509_check_ca");
 goto err;
+ }
- if (!X509_STORE_add_cert(store, x))
+ if (!X509_STORE_add_cert(store, x)) {
+ ssl_error("X509_STORE_add_cert");
 goto err;
+ }
 X509_free(x);
- fclose(f);
+ BIO_free(in);
 return store;
 err:
 X509_STORE_free(store);
 if (x != NULL)
 X509_free(x);
- if (f != NULL)
- fclose(f);
+ if (in != NULL)
+ BIO_free(in);
 return NULL;
 }
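Review bot: The new prototype `X509_STORE *load_ca(uint8_t *, size_t);` takes a non-const buffer although the implementation only reads it through a memory BIO, which is at odds with `validate_against_ca(X509_STORE*, const uint8_t*, size_t)` on the very next line. `X509_STORE *load_ca(const uint8_t *, size_t);` (with the matching change to the definition in the utils.c hunk) lets callers pass read-only data and documents that the buffer is not modified. BIO_new_mem_buf takes `const void *` on current OpenSSL and LibreSSL, so no cast should be needed, though that is worth confirming against the oldest library version the project targets.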
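Review bot: `BIO_new_mem_buf(d, len)` narrows the size_t `len` to the function's `int` length parameter without a check; a value above INT_MAX becomes negative, and -1 in particular is interpreted by BIO_new_mem_buf as "NUL-terminated string", so an oversized input could make the BIO measure the buffer with strlen instead of the real length. A guard before the call, `if (len > INT_MAX) { log_warnx("%s: CA file too large", __func__); goto err; }`, closes that off (INT_MAX comes from <limits.h> if it is not already included). Such a guard also exposes a second fragility: `BIO *in;` is uninitialized while `err:` tests `in != NULL`, so any goto err placed before BIO_new_mem_buf would read an indeterminate pointer; declaring it `BIO *in = NULL;` like `x` matches the old `FILE *f = NULL;`. Finally, X509_check_ca signals "not a CA" purely by its return value without pushing anything on the error queue, so the `ssl_error("X509_check_ca")` branch likely prints a stale or empty error; a `log_warnx("%s: certificate is not a CA", __func__)` there would be clearer.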