author | Edward Tomasz Napierala <trasz@FreeBSD.org> | 2017-08-01 01:47:45 +0100 |
committer | Edward Tomasz Napierala <trasz@FreeBSD.org> | 2017-08-01 01:47:45 +0100 |
commit | 96f4fe10c6081cf441122039c39eb6422eef13e8 (patch) | |
tree | cfd1c29cb0c11663371663916a8b50bc4f7fbc91 | |
parent | aeaa420ad330a528391ed149371b55581a808655 (diff) | |
download | irssi-96f4fe10c6081cf441122039c39eb6422eef13e8.zip |
Change the way we load default CA certificates so it works with Capsicum.
Signed-off-by: Edward Tomasz Napierala <trasz@FreeBSD.org>
-rw-r--r-- | src/core/capsicum.c | 8 | ||||
-rw-r--r-- | src/core/network-openssl.c | 23 | ||||
-rw-r--r-- | src/core/network-openssl.h | 6 |
3 files changed, 34 insertions, 3 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index 06cb8d9b..79db780a 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -28,6 +28,7 @@
 #include "log.h"
 #include "misc.h"
 #include "network.h"
+#include "network-openssl.h"
 #include "settings.h"
 #include "signals.h"
@@ -361,6 +362,7 @@ static void cmd_capsicum(const char *data, SERVER_REC *server, void *item)
 static void cmd_capsicum_enter(void)
 {
 u_int mode;
+ gboolean inited;
 int error;
 error = cap_getmode(&mode);
@@ -369,6 +371,12 @@ static void cmd_capsicum_enter(void)
 return;
 }
+ inited = irssi_ssl_init();
+ if (!inited) {
+ signal_emit("capability mode failed", 1, strerror(errno));
+ return;
+ }
+
 port_min = settings_get_int("capsicum_port_min");
 port_max = settings_get_int("capsicum_port_max");
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 4de3cb3c..78bdcce4 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -20,6 +20,7 @@
 #include "module.h"
 #include "network.h"
+#include "network-openssl.h"
 #include "net-sendbuffer.h"
 #include "misc.h"
 #include "servers.h"
@@ -58,6 +59,7 @@ typedef struct
 } GIOSSLChannel;
 static int ssl_inited = FALSE;
+static X509_STORE *store = NULL;
 static void irssi_ssl_free(GIOChannel *handle)
 {
@@ -362,8 +364,10 @@ static GIOFuncs irssi_ssl_channel_funcs = {
 irssi_ssl_get_flags
 };
-static gboolean irssi_ssl_init(void)
+gboolean irssi_ssl_init(void)
 {
+ int success;
+
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 if (!OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, NULL)) {
 g_error("Could not initialize OpenSSL");
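Review bot: The failure message built in the new `if (!inited)` branch of cmd_capsicum_enter() reads strerror(errno), but irssi_ssl_init() fails on OpenSSL calls (X509_STORE_new, X509_STORE_set_default_paths) that report through the OpenSSL error queue and do not reliably set errno, so the emitted text can describe an unrelated earlier failure or "Success". Report a fixed reason instead, e.g. `signal_emit("capability mode failed", 1, "could not initialize SSL");`, or pull the message from ERR_get_error()/ERR_error_string(). The call is also unconditional: if SSL was already set up by an earlier connection, irssi_ssl_init() is run a second time here, which the visible part of that function does not guard against. cmd_capsicum_enter()'s body continues outside the hunk.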
@@ -374,6 +378,20 @@ static gboolean irssi_ssl_init(void)
 SSL_load_error_strings();
 OpenSSL_add_all_algorithms();
 #endif
+ store = X509_STORE_new();
+ if (store == NULL) {
+ g_error("Could not initialize OpenSSL: X509_STORE_new() failed");
+ return FALSE;
+ }
+
+ success = X509_STORE_set_default_paths(store);
+ if (success == 0) {
+ g_error("Could not load default certificates");
+ X509_STORE_free(store);
+ store = NULL;
+ return FALSE;
+ }
+
 ssl_inited = TRUE;
 return TRUE;
@@ -492,8 +510,7 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
 g_free(scapath);
 verify = TRUE;
 } else {
- if (!SSL_CTX_set_default_verify_paths(ctx))
- g_warning("Could not load default certificates");
+ SSL_CTX_set_cert_store(ctx, store);
 }
 if(!(ssl = SSL_new(ctx)))
diff --git a/src/core/network-openssl.h b/src/core/network-openssl.h
new file mode 100644
index 00000000..4cd6d711
--- /dev/null
+++ b/src/core/network-openssl.h
@@ -0,0 +1,6 @@
+#ifndef __NETWORK_OPENSSL_H
+#define __NETWORK_OPENSSL_H
+
+gboolean irssi_ssl_init(void);
+
+#endif /* !__NETWORK_OPENSSL_H */
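Review bot: The two new error paths in irssi_ssl_init() use g_error(), which GLib always treats as fatal (it aborts the process), so the `return FALSE` after X509_STORE_new() and the X509_STORE_free()/`store = NULL`/`return FALSE` cleanup after X509_STORE_set_default_paths() are unreachable, and the caller's "capability mode failed" signal can never fire for these cases. Either log with g_warning() so the function genuinely returns FALSE, or drop the dead cleanup; the former matches the intent of the caller in capsicum.c. Separately, nothing visible in the function checks ssl_inited before creating a new store, so a repeat call replaces the module-level `store` and leaks (or orphans) the previous one; a guard such as `if (ssl_inited) return TRUE;` at the top would make the function idempotent. The function's head is in the preceding hunk and its tail runs past this one.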
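Review bot: `SSL_CTX_set_cert_store(ctx, store);` hands ownership of the shared module-level `store` to this SSL_CTX without taking a reference, and OpenSSL frees the cert store together with the context, so once the first context is torn down (presumably in irssi_ssl_free(), outside this hunk) every later connection attaches a dangling X509_STORE and verification becomes a use-after-free. Bump the reference count before handing it over: `X509_STORE_up_ref(store);` on OpenSSL 1.1.0+ (the pre-1.1 equivalent is `CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);`, which fits under the existing OPENSSL_VERSION_NUMBER #if). The removed g_warning also means a failed default-path load is no longer reported at connection time; that is acceptable only if irssi_ssl_init() really cannot return with `store == NULL`, which is worth a comment on this line.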