From c2cce7c0d560e23e650ff65bc7697d3ee54c5e18 Mon Sep 17 00:00:00 2001 From: "Jean-Marc Pigeon (Delson)" Date: Sun, 4 May 2025 21:02:59 -0400 Subject: [PATCH] All certificate definition is now within environment --- Makefile | 2 +- app/feeder.c | 8 +------- lib/devsoc.c | 12 +++--------- lib/devsoc.h | 2 +- lib/lvleml.c | 2 +- lib/unitls.c | 25 ++++++++++++++++--------- lib/unitls.h | 2 +- 7 files changed, 24 insertions(+), 29 deletions(-) diff --git a/Makefile b/Makefile index 74edd0e..986c306 100644 --- a/Makefile +++ b/Makefile @@ -54,7 +54,7 @@ extfeed : debug $(DATATST)/extfeed00.tst onefeed : debug - bin/feeder \ + @ bin/feeder \ -f \ -d2 \ -c ./conf/feeder.conf.dvl \ diff --git a/app/feeder.c b/app/feeder.c index f9a4553..beee2a4 100644 --- a/app/feeder.c +++ b/app/feeder.c @@ -27,12 +27,6 @@ static char titre[100]; //test title static char testname[100]; //dest description -//default and debugging certificate for client/feeder mode -static const char *fdr_certs[3]={ - "./certs/localhost-key.pem", - "./certs/localhost-chain-cert.pem", - "./certs/root-safe_CA.pem" //safe root certificate - }; /* */ @@ -131,7 +125,7 @@ while (proceed==true) { } break; case 3 : //initiating TLS-Crypted in client mode - if (soc_starttls(socptr,false,fdr_certs)==false) + if (soc_starttls(socptr,false)==false) phase=999; break; case 4 : //eveythin is fine SOC in crypted mode diff --git a/lib/devsoc.c b/lib/devsoc.c index 17dc3fb..e3e8f8c 100644 --- a/lib/devsoc.c +++ b/lib/devsoc.c @@ -49,12 +49,6 @@ typedef struct { int iteration; //number of soc slot used on the IP }SOCTYP; -//default and debugging certificate for server mode -PUBLIC const char *srvr_certs[3]={ - "./certs/mailleur_server-key.pem", - "./certs/mailleur_server-chain-cert_x509.pem", - "./certs/root-safe_CA.pem" //safe root certificate - }; /* */ 
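Review bot: With `soc_starttls(socptr,false)` the feeder no longer presents a client identity of its own; the removed `fdr_certs` table gave client/feeder mode a key and certificate distinct from the server's `srvr_certs`, and after this commit both ends are resolved from the same CA_KEY/CA_CERT/CA_ROOT variables inside unitls.c. That is fine while feeder and the server run as separate processes with separate environments, but a single process that both accepts and initiates TLS can no longer be given two identities, which deserves a sentence in the commit message or a comment at this call site such as `//client identity comes from CA_KEY/CA_CERT in this process environment`. Nothing on this page exports those variables for the Makefile's `onefeed` target, so `make onefeed` presumably now fails at phase 3 unless they are set in the calling shell. The feeder's phase loop starts and ends outside the hunk.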
@@ -377,7 +371,7 @@ while (proceed==true) { break; case pro_smtps : //set secure socket newsoc->modtls=true; - newsoc->tls=tls_opentls(newsoc->handle,true,srvr_certs); + newsoc->tls=tls_opentls(newsoc->handle,true); if (newsoc->tls==(TLSTYP *)0) { (void) rou_alert(0,"%s Unable to get a TLS channel",OPEP); newsoc->modtls=false; @@ -1380,7 +1374,7 @@ return socptr; /* crypted channel, return true is successful. */ /* */ /********************************************************/ -PUBLIC _Bool soc_starttls(SOCPTR *socptr,_Bool server,const char *certs[3]) +PUBLIC _Bool soc_starttls(SOCPTR *socptr,_Bool server) { #define OPEP "devsoc.c:soc_starttls," @@ -1405,7 +1399,7 @@ if ((soc!=(SOCTYP *)0)&&(soc->modtls==false)) { case false : break; } - soc->tls=tls_opentls(soc->handle,server,certs); + soc->tls=tls_opentls(soc->handle,server); if (soc->tls!=(TLSTYP *)0) { soc->proto=pro_smtps; soc->modtls=true; diff --git a/lib/devsoc.h b/lib/devsoc.h index 14b202e..2a9f0ee 100644 --- a/lib/devsoc.h +++ b/lib/devsoc.h @@ -79,7 +79,7 @@ extern char *soc_getaddrinfo(SOCPTR *socptr,_Bool local,_Bool getname); extern SOCPTR *soc_release(SOCPTR *socptr); //procedure to initiate crypted mode on plain channel -extern _Bool soc_starttls(SOCPTR *socptr,_Bool server,const char *certs[3]); +extern _Bool soc_starttls(SOCPTR *socptr,_Bool server); //return flag true if socket is in crypted mode extern _Bool soc_iscrypted(SOCPTR *socptr); diff --git a/lib/lvleml.c b/lib/lvleml.c index 95c6f5e..e3bd81e 100644 --- a/lib/lvleml.c +++ b/lib/lvleml.c @@ -416,7 +416,7 @@ while (proceed==true) { proceed=doreset(contact,line); break; case c_starttls : //EHLO start encrypted link in server mode - switch (soc_starttls(contact->socptr,true,srvr_certs)) { + switch (soc_starttls(contact->socptr,true)) { case true : //link now in TLS crypted mode (void) transmit(contact,"%d Link now encrypted (cipher=<%s>)", CMDOK,soc_get_cipher_name(contact->socptr)); 
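Review bot: The new prototype `extern _Bool soc_starttls(SOCPTR *socptr,_Bool server);` hides that the key, certificate chain and trust anchor are now read from the process environment, while the comment above it still only says `//procedure to initiate crypted mode on plain channel`, so a caller reading devsoc.h cannot tell which variables must be set before the call. Extend it to `//procedure to initiate crypted mode on plain channel; key, cert chain and trust root are taken from CA_KEY, CA_CERT and CA_ROOT in the environment`, and make the same addition above `tls_opentls` in the lib/unitls.h hunk. If devsoc.h also carried an extern declaration of the removed `srvr_certs` symbol, it needs dropping too; that part of the header is not visible in this hunk.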
diff --git a/lib/unitls.c b/lib/unitls.c index 99415d0..761f2f5 100644 --- a/lib/unitls.c +++ b/lib/unitls.c @@ -154,10 +154,12 @@ return tls; /* Procedure to set the link certificate */ /* */ /********************************************************/ -static int set_certificate(TLSTYP *tls,const char *certs[3]) +static int set_certificate(TLSTYP *tls) { #define OPEP "unitls.c:set_certificate" + +const char *certs[3]; int done; int mode; int phase; @@ -170,7 +172,12 @@ phase=0; proceed=true; while (proceed==true) { switch (phase) { - case 0 : //first load certificate key + case 0 : //loading certificate names + certs[0]=getenv("CA_KEY"); + certs[1]=getenv("CA_CERT"); + certs[2]=getenv("CA_ROOT"); + break; + case 1 : //first load certificate key if (SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)!=1) { char msg[200]; @@ -180,7 +187,7 @@ while (proceed==true) { phase=999; } break; - case 1 : //load certificate + chain file + case 2 : //load certificate + chain file if (SSL_CTX_use_certificate_chain_file(tls->ctx,certs[1])!=1) { char msg[200]; @@ -190,7 +197,7 @@ while (proceed==true) { phase=999; //no need to go furter } break; - case 2 : //loading root certificate + case 3 : //loading root certificate if (SSL_CTX_load_verify_locations(tls->ctx,certs[2],(const char *)0)!=1) { char msg[200]; @@ -200,7 +207,7 @@ while (proceed==true) { phase=999; //no need to go furter } break; - case 3 : //verify management + case 4 : //verify management if (((mode&SSL_VERIFY_PEER)!=0)||(tls->server==false)) tls->checkpeer=true; (void) SSL_CTX_set_verify(tls->ctx,mode,(int(*)())0); @@ -212,10 +219,10 @@ while (proceed==true) { phase=999; } break; - case 4 : //allowing partial write + case 5 : //allowing partial write (void) SSL_CTX_set_mode(tls->ctx,SSL_MODE_ENABLE_PARTIAL_WRITE); break; - case 5 : //everything fine + case 6 : //everything fine done=true; break; default : //SAFE Guard 
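Review bot: Phase 0 of set_certificate stores the three `getenv()` results without checking them, so an unset `CA_KEY`, `CA_CERT` or `CA_ROOT` reaches `SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)` in phase 1 (and the chain and `SSL_CTX_load_verify_locations` calls in phases 2 and 3) as a NULL path, which OpenSSL passes to fopen — undefined behaviour instead of a clean failure, and the `msg[200]` report in those phases presumably formats the same NULL. Validate in phase 0 and go to phase 999 with a `rou_alert` naming the problem, as sketched below. Since the trust anchor is now whatever `CA_ROOT` names, whoever controls the daemon's environment decides which CA is trusted; if this binary is ever installed set-uid or started by an untrusted parent, glibc's `secure_getenv` is the safer lookup, and the variables deserve a comment because `CA_KEY`/`CA_CERT` hold this endpoint's own key and chain rather than CA material. The `mode` initialisation and the phase increment of the loop lie outside the hunk.
```c
case 0 : //loading certificate names from the environment
    certs[0]=getenv("CA_KEY"); //private key of this end of the link
    certs[1]=getenv("CA_CERT"); //certificate + chain presented to the peer
    certs[2]=getenv("CA_ROOT"); //trust anchor used to verify the peer
    for (int i=0;i<3;i++) {
        if ((certs[i]==(const char *)0)||(certs[i][0]=='\0')) {
            (void) rou_alert(0,"%s CA_KEY, CA_CERT and CA_ROOT must all be set",OPEP);
            phase=999; //no need to go further
            break;
        }
    }
    break;
// … unchanged: phases 1 to 6 …
```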
@@ -391,7 +398,7 @@ return ok; /* Procedure to open an SSL channel */ /* */ /********************************************************/ -PUBLIC TLSTYP *tls_opentls(int handle,_Bool server,const char *certs[3]) +PUBLIC TLSTYP *tls_opentls(int handle,_Bool server) { #define OPEP "unitls.c:tls_opentls" @@ -424,7 +431,7 @@ while (proceed==true) { } break; case 1 : //set certificate - if (set_certificate(tls,certs)==false) + if (set_certificate(tls)==false) phase=999; //trouble, trouble no need to go furter break; case 2 : //Setting the TLS channel diff --git a/lib/unitls.h b/lib/unitls.h index 726626d..a797e77 100644 --- a/lib/unitls.h +++ b/lib/unitls.h @@ -29,7 +29,7 @@ typedef struct { extern _Bool tls_verify(TLSTYP *tls); //procedure to open an tls channel -extern TLSTYP *tls_opentls(int handle,_Bool server,const char *certs[3]); +extern TLSTYP *tls_opentls(int handle,_Bool server); //procedure to close an tls channel extern TLSTYP *tls_closetls(TLSTYP *tls); -- 2.47.3