Chapril/xmpp.chapril.org-ejabberd
25
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00
Code Releases Activity

Do not ignore a certificate containing no domain names

Browse Source 
Log a warning instead and assign it to an "empty" domain
This commit is contained in:
Evgeniy Khramtsov 2018-06-27 11:27:39 +03:00
parent 7881c5670c
commit 87357c700f
1 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/ejabberd_pkix.erl
View File

@ -395,7 +395,7 @@ build_chain_and_check(State) ->
{ok, Chains} -> {ok, Chains} ->
InvalidCerts = validate(CertPaths, State), InvalidCerts = validate(CertPaths, State),
SortedChains = sort_chains(Chains, InvalidCerts), SortedChains = sort_chains(Chains, InvalidCerts),
store_certs(SortedChains); store_certs(SortedChains, State);
{error, Cert, Why} -> {error, Cert, Why} ->
Path = maps:get(Cert, State#state.certs), Path = maps:get(Cert, State#state.certs),
?ERROR_MSG("Failed to build certificate chain for ~s: ~s", ?ERROR_MSG("Failed to build certificate chain for ~s: ~s",
@ -403,14 +403,14 @@ build_chain_and_check(State) ->
{error, Why} {error, Why}
end. end.
-spec store_certs([{[cert()], priv_key()}]) -> ok | {error, file:posix()}. -spec store_certs([{[cert()], priv_key()}], state()) -> ok | {error, file:posix()}.
store_certs(Chains) -> store_certs(Chains, State) ->
?DEBUG("Storing certificate chains", []), ?DEBUG("Storing certificate chains", []),
Res = lists:foldl( Res = lists:foldl(
fun(_, {error, _} = Err) -> fun(_, {error, _} = Err) ->
Err; Err;
({Certs, Key}, Acc) -> ({Certs, Key}, Acc) ->
case store_cert(Certs, Key) of case store_cert(Certs, Key, State) of
{ok, FileDoms} -> {ok, FileDoms} ->
Acc ++ FileDoms; Acc ++ FileDoms;
{error, _} = Err -> {error, _} = Err ->
@ -429,9 +429,9 @@ store_certs(Chains) ->
end, FileDomains) end, FileDomains)
end. end.
-spec store_cert([cert()], priv_key()) -> {ok, [{binary(), binary()}]} | -spec store_cert([cert()], priv_key(), state()) -> {ok, [{binary(), binary()}]} |
{error, file:posix()}. {error, file:posix()}.
store_cert(Certs, Key) -> store_cert(Certs, Key, State) ->
CertPEMs = public_key:pem_encode( CertPEMs = public_key:pem_encode(
lists:map( lists:map(
fun(Cert) -> fun(Cert) ->
@ -445,12 +445,19 @@ store_cert(Certs, Key) ->
not_encrypted}]), not_encrypted}]),
PEMs = <<CertPEMs/binary, KeyPEM/binary>>, PEMs = <<CertPEMs/binary, KeyPEM/binary>>,
Cert = hd(Certs), Cert = hd(Certs),
Domains = xmpp_stream_pkix:get_cert_domains(Cert),
FileName = filename:join(certs_dir(), str:sha(PEMs)), FileName = filename:join(certs_dir(), str:sha(PEMs)),
case file:write_file(FileName, PEMs) of case file:write_file(FileName, PEMs) of
ok -> ok ->
file:change_mode(FileName, 8#600), file:change_mode(FileName, 8#600),
{ok, [{FileName, Domain} || Domain <- Domains]}; case xmpp_stream_pkix:get_cert_domains(Cert) of
[] ->
Path = maps:get(Cert, State#state.certs),
?WARNING_MSG("Certificate from ~s doesn't define "
"any domain names", [Path]),
{ok, [{FileName, <<"">>}]};
Domains ->
{ok, [{FileName, Domain} || Domain <- Domains]}
end;
{error, Why} = Err -> {error, Why} = Err ->
?ERROR_MSG("Failed to write to ~s: ~s", ?ERROR_MSG("Failed to write to ~s: ~s",
[FileName, file:format_error(Why)]), [FileName, file:format_error(Why)]),