From 7aaea935932ae7871fd798464804f241c4ae866a Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Fri, 18 Jul 2025 14:07:25 -0400
Subject: [PATCH] Adjusting the way certificate is loaded when owned by root

---
 Makefile | 3 +-
 conf/mailleur.conf | 2 +-
 lib/unipos.c | 2 +-
 lib/unitls.c | 98 ++++++++++++++++++++++++++++++----------------
 4 files changed, 69 insertions(+), 36 deletions(-)

diff --git a/Makefile b/Makefile
index 293ae12..52a8d54 100644
--- a/Makefile
+++ b/Makefile
@@ -148,10 +148,11 @@ tlsref:
 -cert certs/localhost-cert.pem \
 -key certs/localhost-key.pem \
 -starttls smtp \
- -connect courriel.colba.net:587
+ -connect tar1.osukiss.org:25
 # -connect mx2.free.fr:25
 # -connect mailprod1.safe.ca:587
+# -connect tar1.osukiss.org:25
 # -connect courriel.colba.net:25
 # -connect courriel.colba.net:587
 # -connect $(TESTSRV):$(TESTPORT)
diff --git a/conf/mailleur.conf b/conf/mailleur.conf
index 35ee34e..c6e560c 100644
--- a/conf/mailleur.conf
+++ b/conf/mailleur.conf
@@ -36,7 +36,7 @@ SMTPPORTS="|||5,smtps||465|3,smtp||587|2"
 CA_ROOT_SRV="/etc/pki/mailleur/root-safe_CA.pem"
 CA_CERT_SRV="/etc/pki/mailleur/mailleur-cert.pem"
 CA_KEY_SRV="/etc/pki/mailleur/mailleur-key.pem"
-CA_VERIFY_SRV=1 #to check PEER/client remote certificate
+CA_VERIFY_SRV=0 #to check PEER/client remote certificate
 #------------------------------------------------
 #Defining CLIENT mode Certificate data
 CA_ROOT_CLT="/etc/pki/mailleur/root-safe_CA.pem"
diff --git a/lib/unipos.c b/lib/unipos.c
index b972bc2..42b93d6 100644
--- a/lib/unipos.c
+++ b/lib/unipos.c
@@ -338,7 +338,7 @@ locked=false;
 phase=0;
 proceed=true;
 while (proceed==true) {
- (void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
+ //(void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
 switch (phase) {
 case 0 : //Starting lock
 if (pos_request(posptr,"BEGIN")<0) {
diff --git a/lib/unitls.c b/lib/unitls.c
index c647f1d..81e687b 100644
--- a/lib/unitls.c
+++ b/lib/unitls.c
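Review bot: The conf/mailleur.conf hunk flips `CA_VERIFY_SRV=1` to `CA_VERIFY_SRV=0`, which judging by its own comment stops the server from checking the remote client's certificate, and nothing in the commit subject (loading root-owned certificates) or description explains it. If this was a local workaround for the loading failure that the new load_certs() in lib/unitls.c now fixes, it should be reverted in the same patch so the shipped default does not silently lose verification. If the weaker default is intended, the line should say why, e.g. `CA_VERIFY_SRV=0 #to check PEER/client remote certificate (off by default, see <reason>)`, so the next reader does not assume it is an accident.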
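Review bot: The lib/unipos.c hunk leaves the trace as commented-out code (`//(void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);`) instead of deleting it or lowering its level. rou_alert already takes a level argument, and the unitls.c hunks in this same patch use level 7 for their per-file traces, so `(void) rou_alert(7,"%s JMPDBG phase='%d'",OPEP,phase);` would keep the trace available without dead code at level 0. The enclosing loop starts and ends outside the hunk.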
@@ -155,6 +155,64 @@ return tls;
 */
 /********************************************************/
 /* */
+/* Procedure to load the certificat beeing as root */
+/* */
+/********************************************************/
+static _Bool load_certs(TLSTYP *tls,const char *certs[])
+
+{
+#define OPEP "unitls.c:load_certs,"
+
+_Bool isok;
+uid_t gid; //ccurrent group id
+uid_t uid; //ccurrent user id
+
+gid=getegid(); //let be back to root if needed
+uid=geteuid(); //to open certificate file
+if (setegid(getgid())<0)
+ (void) rou_core_dump("%s Unable to set the Egid to '%d' (error=<%s>",
+ OPEP,getgid(),strerror(errno));
+if (seteuid(getuid())<0)
+ (void) rou_core_dump("%s Unable to set the Euid to '%d' (error=<%s>",
+ OPEP,getuid(),strerror(errno));
+isok=true;
+for (int i=0;(i<3)&&(isok==true);i++) {
+ switch (i) {
+ case 0 : //loading the key file
+ (void) rou_alert(7,"%s key file=<%s>",OPEP,certs[i]);
+ isok=(SSL_CTX_use_PrivateKey_file(tls->ctx,certs[i],SSL_FILETYPE_PEM)==1);
+ break;
+ case 1 : //loading the chain file
+ (void) rou_alert(7,"%s chain file=<%s>",OPEP,certs[i]);
+ isok=(SSL_CTX_use_certificate_chain_file(tls->ctx,certs[i])==1);
+ break;
+ case 2 : //loading the root certificate
+ (void) rou_alert(7,"%s root certificate=<%s>",OPEP,certs[i]);
+ isok=(SSL_CTX_load_verify_locations(tls->ctx,certs[i],(const char *)0)==1);
+ break;
+ default : //SAFE Guard
+ (void) rou_alert(0,"%s value override (Bug!)",OPEP);
+ break;
+ }
+ if (isok==false) {
+ char msg[200];
+
+ (void) snprintf(msg,sizeof(msg),"%s, file[%d] <%s> missing?",OPEP,i,certs[i]);
+ (void) showtlserror(tls,0,msg);
+ break;
+ }
+ }
+(void) setegid(gid); //recover the standard application
+(void) seteuid(uid); //uid:gid
+return isok;
+
+#undef OPEP
+}
+/*
+^L
+*/
+/********************************************************/
+/* */
 /* Procedure to set the link certificate */
 /* */
 /********************************************************/
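Review bot: The two restore calls at the end of load_certs, `(void) setegid(gid);` and `(void) seteuid(uid);`, discard their return values, so if dropping back from the elevated effective id fails the caller keeps running with the real (root, per the "let be back to root" comment) effective uid/gid and nothing is logged. The elevation failures a few lines above are routed through rou_core_dump, which by its name is fatal; relinquishing the privilege deserves at least the same treatment, e.g. `if ((setegid(gid)<0)||(seteuid(uid)<0)) (void) rou_core_dump("%s Unable to restore Egid/Euid (error=<%s>)",OPEP,strerror(errno));`, and a why-comment on the order, `//setegid first: once the Euid is dropped the Egid change may be refused`. Separately, `gid` is declared `uid_t` but holds the result of getegid() and is passed to setegid(); `gid_t gid;` matches the prototype. The two rou_core_dump format strings open `(error=<%s>` without the closing parenthesis.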
@@ -223,40 +281,14 @@ while (proceed==true) {
 phase=999; //no need to go furter
 }
 break;
- case 2 : //first load certificate key
- (void) rou_alert(7,"%s key file=<%s>",OPEP,certs[0]);
- if (SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)!=1) {
- char msg[200];
-
- (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
- "Probleme with Certificate key",certs[0]);
- (void) showtlserror(tls,0,msg);
- phase=999;
- }
- break;
- case 3 : //load certificate + chain file
- (void) rou_alert(7,"%s chain file=<%s>",OPEP,certs[1]);
- if (SSL_CTX_use_certificate_chain_file(tls->ctx,certs[1])!=1) {
- char msg[200];
-
- (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
- "No chain Certificate",certs[1]);
- (void) showtlserror(tls,0,msg);
- phase=999; //no need to go furter
- }
- break;
- case 4 : //loading root certificate
- (void) rou_alert(7,"%s root certificate=<%s>",OPEP,certs[2]);
- if (SSL_CTX_load_verify_locations(tls->ctx,certs[2],(const char *)0)!=1) {
- char msg[200];
-
- (void) snprintf(msg,sizeof(msg),"%s, file <%s> missing?",
- "No root Certificate",certs[2]);
- (void) showtlserror(tls,0,msg);
+ case 2 : //load certificate information
+ if (load_certs(tls,certs)==false) {
+ (void) rou_alert(0,"%s Unable to load certificate information (config?)",
+ OPEP);
 phase=999; //no need to go furter
 }
 break;
- case 5 : //verify management
+ case 3 : //verify management
 if (((mode&SSL_VERIFY_PEER)!=0)||(tls->server==false))
 tls->checkpeer=true;
 (void) SSL_CTX_set_verify(tls->ctx,mode,(int(*)())0);
@@ -269,10 +301,10 @@ while (proceed==true) {
 phase=999;
 }
 break;
- case 6 : //allowing partial write
+ case 4 : //allowing partial write
 (void) SSL_CTX_set_mode(tls->ctx,SSL_MODE_ENABLE_PARTIAL_WRITE);
 break;
- case 7 : //everything fine
+ case 5 : //everything fine
 done=true;
 break;
 default : //SAFE Guard
-- 
2.47.3