authorEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-05-23 09:27:52 +0300
committerEvgeniy Khramtsov <ekhramtsov@process-one.net>2017-05-23 09:27:52 +0300
commit268065e5c495cc952bcb2ad737f8c40e188d8964 (patch)
tree829bbf2528f01a24e1d4eab5bc163a624f544a97
parentImplement cache for mod_announce (diff)
Validate all certfiles on startup
Diffstat (limited to '')
-rw-r--r--src/ejabberd_pkix.erl31
-rw-r--r--src/ejabberd_sql.erl4
-rw-r--r--src/eldap.erl19
-rw-r--r--src/eldap_utils.erl10
-rw-r--r--src/mod_shared_roster_ldap.erl2
-rw-r--r--src/mod_vcard_ldap.erl2
6 files changed, 47 insertions, 21 deletions
diff --git a/src/ejabberd_pkix.erl b/src/ejabberd_pkix.erl
index 7c03f1772..f9f0472f6 100644
--- a/src/ejabberd_pkix.erl
+++ b/src/ejabberd_pkix.erl
@@ -27,7 +27,7 @@
%% API
-export([start_link/0, add_certfile/1, format_error/1, opt_type/1,
- get_certfile/1, route_registered/1]).
+ get_certfile/1, try_certfile/1, route_registered/1]).
%% gen_server callbacks
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
terminate/2, code_change/3]).
@@ -56,15 +56,16 @@
%%%===================================================================
-spec add_certfile(filename:filename())
-> ok | {error, cert_error() | file:posix()}.
-add_certfile(Path0) ->
- Path = case filename:pathtype(Path0) of
- relative ->
- {ok, CWD} = file:get_cwd(),
- iolist_to_binary(filename:join(CWD, Path0));
- _ ->
- iolist_to_binary(Path0)
- end,
- gen_server:call(?MODULE, {add_certfile, Path}).
+add_certfile(Path) ->
+ gen_server:call(?MODULE, {add_certfile, prep_path(Path)}).
+
+-spec try_certfile(filename:filename()) -> binary().
+try_certfile(Path0) ->
+ Path = prep_path(Path0),
+ case mk_cert_state(Path, false) of
+ {ok, _} -> Path;
+ {error, _} -> erlang:error(badarg)
+ end.
route_registered(Route) ->
gen_server:call(?MODULE, {route_registered, Route}).
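Review bot: The `{error, _}` clause of `try_certfile/1` throws away the reason returned by `mk_cert_state/2` and raises a bare `badarg`, so an operator whose startup is refused learns only that the option is invalid, not whether it was a `file:posix()` error or a `cert_error()` (the two cases the `add_certfile/1` spec above distinguishes). The module already exports `format_error/1`, so the reason can be rendered before raising, e.g. `{error, Why} -> ?ERROR_MSG("Failed to validate certfile ~s: ~s", [Path, format_error(Why)]), erlang:error(badarg)` — assuming logger.hrl is included in this module as elsewhere in ejabberd. A one-line comment above the spec such as `%% Config-option validator: returns the absolute path as a binary, raises badarg if the file does not load as a certificate` would also help, since the meaning of the `false` argument to `mk_cert_state/2` is not visible from this hunk.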
@@ -515,6 +516,16 @@ get_cert_path(G, [Root|_] = Acc) ->
end, Es)
end.
+-spec prep_path(filename:filename()) -> binary().
+prep_path(Path0) ->
+ case filename:pathtype(Path0) of
+ relative ->
+ {ok, CWD} = file:get_cwd(),
+ iolist_to_binary(filename:join(CWD, Path0));
+ _ ->
+ iolist_to_binary(Path0)
+ end.
+
-ifdef(SHORT_NAME_HASH).
short_name_hash(IssuerID) ->
public_key:short_name_hash(IssuerID).
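Review bot: `prep_path/1` ends with `iolist_to_binary/1`, which raises `badarg` when the path is a string containing code points above 255, so a non-Latin-1 certificate path would fail config validation with an error unrelated to the certificate itself; `unicode:characters_to_binary/1` accepts such paths. The body is moved from `add_certfile/1` rather than new, but `try_certfile/1` now routes every certfile option through it, so the reachable surface grows. A short `%% Absolutise the path against the current directory and normalise it to a binary` comment above the spec would state the contract.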
diff --git a/src/ejabberd_sql.erl b/src/ejabberd_sql.erl
index 7d607781c..3b252631e 100644
--- a/src/ejabberd_sql.erl
+++ b/src/ejabberd_sql.erl
@@ -1104,7 +1104,7 @@ opt_type(sql_server) -> fun iolist_to_binary/1;
opt_type(sql_username) -> fun iolist_to_binary/1;
opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end;
opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end;
-opt_type(sql_ssl_certfile) -> fun misc:try_read_file/1;
+opt_type(sql_ssl_certfile) -> fun ejabberd_pkix:try_certfile/1;
opt_type(sql_ssl_cafile) -> fun misc:try_read_file/1;
opt_type(sql_query_timeout) ->
fun (I) when is_integer(I), I > 0 -> I end;
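Review bot: `sql_ssl_certfile` is now parsed by `ejabberd_pkix:try_certfile/1`, but `sql_ssl_cafile` on the following line is still only checked for readability by `misc:try_read_file/1`, so a CA file with malformed content passes startup validation and is presumably rejected only when the first TLS connection is attempted. If `mk_cert_state/2` accepts a file that holds certificates without a private key, the same validator could be applied to the CA option; if it does not, a comment `%% cafile is checked for readability only; contents are parsed by ssl at connect time` would set expectations. The second hunk only corrects the `sql_ssl_cerfile` typo in the option list.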
@@ -1115,6 +1115,6 @@ opt_type(sql_queue_type) ->
opt_type(_) ->
[sql_database, sql_keepalive_interval,
sql_password, sql_port, sql_server,
- sql_username, sql_ssl, sql_ssl_verify, sql_ssl_cerfile,
+ sql_username, sql_ssl, sql_ssl_verify, sql_ssl_certfile,
sql_ssl_cafile, sql_queue_type, sql_query_timeout,
sql_connect_timeout].
diff --git a/src/eldap.erl b/src/eldap.erl
index 3c565e71d..f47550353 100644
--- a/src/eldap.erl
+++ b/src/eldap.erl
@@ -130,7 +130,8 @@
port = 389 :: inet:port_number(),
sockmod = gen_tcp :: ssl | gen_tcp,
tls = none :: none | tls,
- tls_options = [] :: [{cacertfile, string()} |
+ tls_options = [] :: [{certfile, string()} |
+ {cacertfile, string()} |
{depth, non_neg_integer()} |
{verify, non_neg_integer()}],
fd :: gen_tcp:socket() | undefined,
@@ -577,11 +578,17 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
end;
PT -> PT
end,
+ CertOpts = case proplists:get_value(tls_certfile, Opts) of
+ undefined ->
+ [];
+ Path1 ->
+ [{certfile, Path1}]
+ end,
CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
undefined ->
[];
- Path ->
- [{cacertfile, Path}]
+ Path2 ->
+ [{cacertfile, Path2}]
end,
DepthOpts = case proplists:get_value(tls_depth, Opts) of
undefined ->
@@ -596,11 +603,11 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
"certfiles configured, so verification "
"is disabled.",
[]),
- [];
+ CertOpts;
Verify == soft ->
- [{verify, 1}] ++ CacertOpts ++ DepthOpts;
+ [{verify, 1}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
Verify == hard ->
- [{verify, 2}] ++ CacertOpts ++ DepthOpts;
+ [{verify, 2}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
true -> []
end,
{ok, connecting,
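Review bot: The final `true -> []` clause still drops `CertOpts`, whereas the three branches above it now include it; if that clause is reachable with a `tls_certfile` configured (its guard and the start of `init/1` are outside this hunk), the client certificate is silently not offered on that path. Either `true -> CertOpts` or a comment explaining why no certificate applies there would make the intent explicit. The `Path` → `Path2` rename in the previous hunk avoids a clash with the new `Path1` binding; `CertPath`/`CaPath` would read more clearly than the numbered names.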
diff --git a/src/eldap_utils.erl b/src/eldap_utils.erl
index 1dcdf0b48..5924c8af7 100644
--- a/src/eldap_utils.erl
+++ b/src/eldap_utils.erl
@@ -177,6 +177,7 @@ get_config(Host, Opts) ->
Backups = get_opt(ldap_backups, Host, Opts, []),
Encrypt = get_opt(ldap_encrypt, Host, Opts, none),
TLSVerify = get_opt(ldap_tls_verify, Host, Opts, false),
+ TLSCertFile = get_opt(ldap_tls_certfile, Host, Opts),
TLSCAFile = get_opt(ldap_tls_cacertfile, Host, Opts),
TLSDepth = get_opt(ldap_tls_depth, Host, Opts),
Port = get_opt(ldap_port, Host, Opts,
@@ -203,6 +204,7 @@ get_config(Host, Opts) ->
backups = Backups,
tls_options = [{encrypt, Encrypt},
{tls_verify, TLSVerify},
+ {tls_certfile, TLSCertFile},
{tls_cacertfile, TLSCAFile},
{tls_depth, TLSDepth}],
port = Port,
@@ -339,6 +341,7 @@ collect_parts_bit([],Acc,Uacc) ->
(ldap_rootdn) -> fun((binary()) -> binary());
(ldap_servers) -> fun(([binary()]) -> [binary()]);
(ldap_tls_certfile) -> fun((binary()) -> string());
+ (ldap_tls_cacertfile) -> fun((binary()) -> string());
(ldap_tls_depth) -> fun((non_neg_integer()) -> non_neg_integer());
(ldap_tls_verify) -> fun((hard | soft | false) -> hard | soft | false);
(ldap_filter) -> fun((binary()) -> binary());
@@ -366,6 +369,10 @@ opt_type(ldap_port) ->
opt_type(ldap_rootdn) -> fun iolist_to_binary/1;
opt_type(ldap_servers) ->
fun (L) -> [iolist_to_binary(H) || H <- L] end;
+opt_type(ldap_tls_certfile) ->
+ fun(S) ->
+ binary_to_list(ejabberd_pkix:try_certfile(S))
+ end;
opt_type(ldap_tls_cacertfile) ->
fun(S) -> binary_to_list(misc:try_read_file(S)) end;
opt_type(ldap_tls_depth) ->
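Review bot: `binary_to_list/1` applied to the binary returned by `ejabberd_pkix:try_certfile/1` turns each byte into one list element, so if the configured path is a UTF-8 binary containing non-ASCII characters the string handed to eldap names a different file than the one `try_certfile/1` just validated; `unicode:characters_to_list/1` preserves the code points. This mirrors the existing `ldap_tls_cacertfile` clause below, so both would need the change together. The `string()` return type follows the `get_opt/3` spec in the earlier hunk (`fun((binary()) -> string())`).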
@@ -390,4 +397,5 @@ opt_type(_) ->
[deref_aliases, ldap_backups, ldap_base, ldap_uids,
ldap_deref_aliases, ldap_encrypt, ldap_password,
ldap_port, ldap_rootdn, ldap_servers, ldap_filter,
- ldap_tls_cacertfile, ldap_tls_depth, ldap_tls_verify].
+ ldap_tls_certfile, ldap_tls_cacertfile, ldap_tls_depth,
+ ldap_tls_verify].
diff --git a/src/mod_shared_roster_ldap.erl b/src/mod_shared_roster_ldap.erl
index 30cd44568..66cbebd93 100644
--- a/src/mod_shared_roster_ldap.erl
+++ b/src/mod_shared_roster_ldap.erl
@@ -583,7 +583,7 @@ mod_opt_type(ldap_servers) ->
mod_opt_type(ldap_tls_cacertfile) ->
fun misc:try_read_file/1;
mod_opt_type(ldap_tls_certfile) ->
- fun misc:try_read_file/1;
+ fun ejabberd_pkix:try_certfile/1;
mod_opt_type(ldap_tls_depth) ->
fun (I) when is_integer(I), I >= 0 -> I end;
mod_opt_type(ldap_tls_verify) ->
diff --git a/src/mod_vcard_ldap.erl b/src/mod_vcard_ldap.erl
index 6a690779a..f1f076468 100644
--- a/src/mod_vcard_ldap.erl
+++ b/src/mod_vcard_ldap.erl
@@ -469,7 +469,7 @@ mod_opt_type(ldap_servers) ->
mod_opt_type(ldap_tls_cacertfile) ->
fun misc:try_read_file/1;
mod_opt_type(ldap_tls_certfile) ->
- fun misc:try_read_file/1;
+ fun ejabberd_pkix:try_certfile/1;
mod_opt_type(ldap_tls_depth) ->
fun (I) when is_integer(I), I >= 0 -> I end;
mod_opt_type(ldap_tls_verify) ->