authorEdward Tomasz Napierala <trasz@FreeBSD.org>2017-08-01 01:47:45 +0100
committerEdward Tomasz Napierala <trasz@FreeBSD.org>2017-08-01 01:47:45 +0100
commit96f4fe10c6081cf441122039c39eb6422eef13e8 (patch)
treecfd1c29cb0c11663371663916a8b50bc4f7fbc91
parentaeaa420ad330a528391ed149371b55581a808655 (diff)
downloadirssi-96f4fe10c6081cf441122039c39eb6422eef13e8.zip
Change the way we load default CA certificates so it works with Capsicum.
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
-rw-r--r--src/core/capsicum.c8
-rw-r--r--src/core/network-openssl.c23
-rw-r--r--src/core/network-openssl.h6
3 files changed, 34 insertions, 3 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index 06cb8d9b..79db780a 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -28,6 +28,7 @@
#include "log.h"
#include "misc.h"
#include "network.h"
+#include "network-openssl.h"
#include "settings.h"
#include "signals.h"
@@ -361,6 +362,7 @@ static void cmd_capsicum(const char *data, SERVER_REC *server, void *item)
static void cmd_capsicum_enter(void)
{
u_int mode;
+ gboolean inited;
int error;
error = cap_getmode(&mode);
@@ -369,6 +371,12 @@ static void cmd_capsicum_enter(void)
return;
}
+ inited = irssi_ssl_init();
+ if (!inited) {
+ signal_emit("capability mode failed", 1, strerror(errno));
+ return;
+ }
+
port_min = settings_get_int("capsicum_port_min");
port_max = settings_get_int("capsicum_port_max");
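Review bot: The failure message on the new lines reports strerror(errno), but irssi_ssl_init() fails through OpenSSL calls (X509_STORE_new, X509_STORE_set_default_paths) that do not set errno, so the signal carries whatever stale errno an earlier call such as cap_getmode() left behind. Emit a fixed message instead, e.g. `signal_emit("capability mode failed", 1, "Could not initialize OpenSSL");`, or take the detail from ERR_get_error(). Note also that irssi_ssl_init() reports its own failures through g_error(), which is fatal in GLib, so as committed this branch is most likely never reached. cmd_capsicum_enter() begins and ends outside this hunk.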
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 4de3cb3c..78bdcce4 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -20,6 +20,7 @@
#include "module.h"
#include "network.h"
+#include "network-openssl.h"
#include "net-sendbuffer.h"
#include "misc.h"
#include "servers.h"
@@ -58,6 +59,7 @@ typedef struct
} GIOSSLChannel;
static int ssl_inited = FALSE;
+static X509_STORE *store = NULL;
static void irssi_ssl_free(GIOChannel *handle)
{
@@ -362,8 +364,10 @@ static GIOFuncs irssi_ssl_channel_funcs = {
irssi_ssl_get_flags
};
-static gboolean irssi_ssl_init(void)
+gboolean irssi_ssl_init(void)
{
+ int success;
+
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
if (!OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, NULL)) {
g_error("Could not initialize OpenSSL");
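Review bot: Now that irssi_ssl_init() is exported and called from cmd_capsicum_enter(), it can run more than once, and the visible lines show no early return on ssl_inited; the following hunk creates a fresh X509_STORE unconditionally, so a second call leaks the first store and re-runs library initialisation. Add an idempotency guard at the top of the function: `if (ssl_inited) return TRUE;`. Whether the other caller already checks ssl_inited before calling is not visible here. irssi_ssl_init() continues past the end of this hunk.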
@@ -374,6 +378,20 @@ static gboolean irssi_ssl_init(void)
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
#endif
+ store = X509_STORE_new();
+ if (store == NULL) {
+ g_error("Could not initialize OpenSSL: X509_STORE_new() failed");
+ return FALSE;
+ }
+
+ success = X509_STORE_set_default_paths(store);
+ if (success == 0) {
+ g_error("Could not load default certificates");
+ X509_STORE_free(store);
+ store = NULL;
+ return FALSE;
+ }
+
ssl_inited = TRUE;
return TRUE;
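Review bot: Both new error paths call g_error() before `return FALSE`, but g_error() is fatal in GLib (it aborts the process), so the returns and the X509_STORE_free()/`store = NULL` cleanup are dead code and the caller's recovery in cmd_capsicum_enter() can never run; use `g_warning("Could not load default certificates");` (and likewise for the X509_STORE_new failure) so the function really returns FALSE. A caveat for the commit's stated goal: to my understanding X509_STORE_set_default_paths() reads the default CA bundle file eagerly but the hashed-directory lookup it also registers opens certificate files lazily at verification time, which will fail after cap_enter(), so only CAs present in the bundle file will verify in capability mode. That is worth recording next to the call, e.g. `/* only the default CA file is loaded here; the by-dir lookup still open()s at verify time and fails under Capsicum */`. irssi_ssl_init() begins outside this hunk.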
@@ -492,8 +510,7 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
g_free(scapath);
verify = TRUE;
} else {
- if (!SSL_CTX_set_default_verify_paths(ctx))
- g_warning("Could not load default certificates");
+ SSL_CTX_set_cert_store(ctx, store);
}
if(!(ssl = SSL_new(ctx)))
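Review bot: SSL_CTX_set_cert_store() takes ownership of the store, so SSL_CTX_free(ctx) will X509_STORE_free() it, yet `store` is a file-static shared by every context this function creates; the first context freed leaves the static pointer and every later connection dangling, a use-after-free (and a double free on the next SSL_CTX_free). Take a reference before handing it over: `X509_STORE_up_ref(store); SSL_CTX_set_cert_store(ctx, store);` on OpenSSL 1.1.0+, or SSL_CTX_set1_cert_store() on 1.1.1+; the pre-1.1 branch this file still supports needs the CRYPTO_add() equivalent. Also, if irssi_ssl_init() has not run or failed, `store` is NULL at this point and should be rejected rather than installed. Where ctx is freed is outside this hunk, as is the rest of irssi_ssl_get_iochannel().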
diff --git a/src/core/network-openssl.h b/src/core/network-openssl.h
new file mode 100644
index 00000000..4cd6d711
--- /dev/null
+++ b/src/core/network-openssl.h
@@ -0,0 +1,6 @@
+#ifndef __NETWORK_OPENSSL_H
+#define __NETWORK_OPENSSL_H
+
+gboolean irssi_ssl_init(void);
+
+#endif /* !__NETWORK_OPENSSL_H */
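Review bot: The new header uses gboolean but includes nothing, so it is not self-contained and only compiles when the including file has already pulled in GLib; add `#include <glib.h>` after the guard. The guard name `__NETWORK_OPENSSL_H` begins with a double underscore, which C reserves for the implementation, though it may simply follow the convention used elsewhere in the tree.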