Adjusting the way certificate is loaded when owned by root
authorJean-Marc Pigeon (Delson) <jmp@safe.ca>
Fri, 18 Jul 2025 18:07:25 +0000 (14:07 -0400)
committerJean-Marc Pigeon (Delson) <jmp@safe.ca>
Fri, 18 Jul 2025 18:07:25 +0000 (14:07 -0400)
Makefile
conf/mailleur.conf
lib/unipos.c
lib/unitls.c

index 293ae12553db97b04dc42e22f3efa2a13853e770..52a8d548d058eb1e6290be8441c1e73bfb991fe5 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -148,10 +148,11 @@ tlsref:
                        -cert certs/localhost-cert.pem  \
                        -key certs/localhost-key.pem    \
                        -starttls smtp                  \
-                       -connect courriel.colba.net:587
+                       -connect tar1.osukiss.org:25
 
 #                      -connect mx2.free.fr:25
 #                      -connect mailprod1.safe.ca:587
+#                      -connect tar1.osukiss.org:25
 #                      -connect courriel.colba.net:25
 #                      -connect courriel.colba.net:587
 #                      -connect $(TESTSRV):$(TESTPORT) 
index 35ee34efdc199d110cfaad322a8e57e431df2d50..c6e560c072ff51136fa496d97dbe9622371685b1 100644 (file)
@@ -36,7 +36,7 @@ SMTPPORTS="|||5,smtps||465|3,smtp||587|2"
 CA_ROOT_SRV="/etc/pki/mailleur/root-safe_CA.pem"
 CA_CERT_SRV="/etc/pki/mailleur/mailleur-cert.pem"
 CA_KEY_SRV="/etc/pki/mailleur/mailleur-key.pem"
-CA_VERIFY_SRV=1        #to check PEER/client remote certificate
+CA_VERIFY_SRV=0        #to check PEER/client remote certificate
 #------------------------------------------------
 #Defining CLIENT mode Certificate data
 CA_ROOT_CLT="/etc/pki/mailleur/root-safe_CA.pem"
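Review bot: CA_VERIFY_SRV is flipped from 1 to 0 in the shipped default configuration, which by the line's own comment turns off checking of the peer/client certificate on the server side, and nothing in the commit title ("Adjusting the way certificate is loaded when owned by root") accounts for that change. If this is a deliberate new default it deserves a sentence in the description, since it weakens what a fresh install verifies; if it is a local test setting that came along with the unitls.c work, the line should go back to `CA_VERIFY_SRV=1`. The client-side CA_VERIFY_CLT setting is not in this hunk, so I cannot tell whether it was changed to match.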
index b972bc2cc2b5d360a568ba82edadc6b47a58a6c0..42b93d601f71e18753e2f820219498ee9ed43a59 100644 (file)
@@ -338,7 +338,7 @@ locked=false;
   phase=0;
   proceed=true;
   while (proceed==true) {
-    (void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
+    //(void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
     switch (phase) {
       case 0    :       //Starting lock
         if (pos_request(posptr,"BEGIN")<0) {
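Review bot: The phase trace at the top of the loop is commented out rather than removed or demoted, leaving dead code in the hot path of the lock state machine. The sibling traces added in unitls.c in this same commit use level 7 for per-step debugging, so if the line is still useful it could stay as `(void) rou_alert(7,"%s phase='%d'",OPEP,phase);` (assuming 7 is the debug severity, as the unitls.c usage suggests), and otherwise it should simply be deleted. The enclosing function starts and ends outside this hunk.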
index c647f1d8d38b38ff4d5e6de908490b8add6a313f..81e687b69a90b20353ad9c14f622a76a270fea1f 100644 (file)
@@ -155,6 +155,64 @@ return tls;
 */
 /********************************************************/
 /*                                                      */
+/*     Procedure to load the certificat beeing as root */
+/*                                                      */
+/********************************************************/
+static _Bool load_certs(TLSTYP *tls,const char *certs[])
+
+{
+#define OPEP    "unitls.c:load_certs,"
+
+_Bool isok;
+uid_t gid;      //ccurrent group id
+uid_t uid;      //ccurrent user id
+
+gid=getegid();  //let be back to root if needed
+uid=geteuid();  //to open certificate file
+if (setegid(getgid())<0)
+  (void) rou_core_dump("%s Unable to set the Egid to '%d' (error=<%s>",
+                        OPEP,getgid(),strerror(errno));
+if (seteuid(getuid())<0)
+  (void) rou_core_dump("%s Unable to set the Euid to '%d' (error=<%s>",
+                        OPEP,getuid(),strerror(errno));
+isok=true;
+for (int i=0;(i<3)&&(isok==true);i++) {
+  switch (i) {
+    case 0      :       //loading the key file
+      (void) rou_alert(7,"%s key file=<%s>",OPEP,certs[i]);
+      isok=(SSL_CTX_use_PrivateKey_file(tls->ctx,certs[i],SSL_FILETYPE_PEM)==1);
+      break;
+    case 1      :       //loading the chain file
+      (void) rou_alert(7,"%s chain file=<%s>",OPEP,certs[i]);
+      isok=(SSL_CTX_use_certificate_chain_file(tls->ctx,certs[i])==1);
+      break;
+    case 2      :       //loading the root certificate
+      (void) rou_alert(7,"%s root certificate=<%s>",OPEP,certs[i]);
+      isok=(SSL_CTX_load_verify_locations(tls->ctx,certs[i],(const char *)0)==1);
+      break;
+    default     :       //SAFE Guard
+      (void) rou_alert(0,"%s value override (Bug!)",OPEP);
+      break;
+    }
+  if (isok==false) {
+    char msg[200];
+
+    (void) snprintf(msg,sizeof(msg),"%s, file[%d] <%s> missing?",OPEP,i,certs[i]);
+    (void) showtlserror(tls,0,msg);
+    break;
+    }
+  }
+(void) setegid(gid);    //recover the standard application
+(void) seteuid(uid);    //uid:gid
+return isok;
+
+#undef  OPEP
+}
+/*
+^L
+*/
+/********************************************************/
+/*                                                      */
 /*     Procedure to set the link certificate           */
 /*                                                      */
 /********************************************************/
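Review bot: The privilege restore at the end of load_certs, `(void) setegid(gid);` and `(void) seteuid(uid);`, discards the return values, so if either call fails the function returns true with the elevated effective id still in place and the caller carries on that way with nothing logged (CERT POS37-C). The elevation path a few lines earlier already treats a setegid/seteuid failure as fatal through rou_core_dump, so the restore should be held to the same standard: `if (setegid(gid)<0 || seteuid(uid)<0) (void) rou_core_dump("%s Unable to restore uid:gid '%d:%d' (error=<%s>)",OPEP,uid,gid,strerror(errno));`. The function also relies on the real uid/gid being the privileged identity (it switches to getuid()/getgid() to read the files), which presumably holds only when the daemon was started as root and dropped just its effective ids; a one-line comment stating that precondition above the first setegid call would spare the next reader the inference. Minor: `gid` is declared `uid_t` where `gid_t` is the type getegid()/setegid() work with.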
@@ -223,40 +281,14 @@ while (proceed==true) {
         phase=999;      //no need to go furter
         }
       break;
-    case 2      :       //first load certificate key
-      (void) rou_alert(7,"%s key file=<%s>",OPEP,certs[0]);
-      if (SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)!=1) {
-        char msg[200];
-
-        (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
-                                        "Probleme with Certificate key",certs[0]);
-        (void) showtlserror(tls,0,msg);
-        phase=999;
-        }
-      break;
-    case 3      :       //load certificate + chain file
-      (void) rou_alert(7,"%s chain file=<%s>",OPEP,certs[1]);
-      if (SSL_CTX_use_certificate_chain_file(tls->ctx,certs[1])!=1) {
-        char msg[200];
-
-        (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
-                                        "No chain Certificate",certs[1]);
-        (void) showtlserror(tls,0,msg);
-        phase=999;      //no need to go furter
-        }
-      break;
-    case 4      :       //loading root certificate
-      (void) rou_alert(7,"%s root certificate=<%s>",OPEP,certs[2]);
-      if (SSL_CTX_load_verify_locations(tls->ctx,certs[2],(const char *)0)!=1) {
-        char msg[200];
-
-        (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
-                                        "No root Certificate",certs[2]);
-        (void) showtlserror(tls,0,msg);
+    case 2      :       //load certificate information
+      if (load_certs(tls,certs)==false) {
+        (void) rou_alert(0,"%s Unable to load certificate information (config?)",
+                            OPEP);
         phase=999;      //no need to go furter
         }
       break;
-    case 5      :       //verify management
+    case 3      :       //verify management
       if (((mode&SSL_VERIFY_PEER)!=0)||(tls->server==false))
         tls->checkpeer=true;
       (void) SSL_CTX_set_verify(tls->ctx,mode,(int(*)())0);
@@ -269,10 +301,10 @@ while (proceed==true) {
         phase=999;
         }
       break;
-    case 6      :       //allowing partial write
+    case 4      :       //allowing partial write
       (void) SSL_CTX_set_mode(tls->ctx,SSL_MODE_ENABLE_PARTIAL_WRITE);
       break;
-    case 7      :       //everything fine
+    case 5      :       //everything fine
       done=true;
       break;
     default     :       //SAFE Guard