Commit b71416ef authored by Guillaume Roguez's avatar Guillaume Roguez Committed by Gerrit Code Review

security: re-enable ca_list and regenerate it.

The previous commit did not fully fix the issue.
We really need ca_list.pem.
It was not generated when missing (that code had been removed).
This patch re-adds that code and calls it when TLS is initialized
and when a Ring account is registered.

Refs #72156

Change-Id: I39fc773bbf2d23a8975359590d60535287ebedfd
parent 0f09f09d
......@@ -102,7 +102,7 @@ RingAccount::RingAccount(const std::string& accountID, bool /* presenceEnabled *
idPath_ = fileutils::get_data_dir()+DIR_SEPARATOR_STR+getAccountID();
fileutils::check_dir(idPath_.c_str());
caPath_ = idPath_ + DIR_SEPARATOR_STR "certs";
//DEPRECATED? caListPath_ = idPath_ + DIR_SEPARATOR_STR "ca_list.pem";
caListPath_ = idPath_ + DIR_SEPARATOR_STR "ca_list.pem";
}
RingAccount::~RingAccount()
......@@ -709,6 +709,7 @@ void RingAccount::doRegister_()
Manager::instance().registerEventHandler((uintptr_t)this, [this]{ handleEvents(); });
setRegistrationState(RegistrationState::TRYING);
regenerateCAList();
dht_.bootstrap(loadNodes());
if (!hostname_.empty()) {
std::stringstream ss(hostname_);
......@@ -1049,6 +1050,7 @@ RingAccount::loadValues() const
void
RingAccount::initTlsConfiguration()
{
regenerateCAList();
}
static std::unique_ptr<gnutls_dh_params_int, decltype(gnutls_dh_params_deinit)&>
......@@ -1200,4 +1202,26 @@ RingAccount::sendTrustRequest(const std::string& to)
dht::TrustRequest(DHT_TYPE_NS));
}
void
RingAccount::regenerateCAList()
{
std::ofstream list(caListPath_, std::ios::trunc | std::ios::binary);
if (!list.is_open()) {
RING_ERR("Could write CA list");
return;
}
{
std::ifstream file(tlsCaListFile_, std::ios::binary);
list << file.rdbuf();
}
for (const auto& ca : fileutils::readDirectory(caPath_)) {
std::ifstream file(ca, std::ios::binary);
if (!file)
continue;
list << file.rdbuf();
}
}
} // namespace ring
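Review bot: The first block of regenerateCAList inserts `file.rdbuf()` from `tlsCaListFile_` without checking that the stream opened, and `ostream << streambuf*` sets failbit on `list` whenever zero characters are inserted (missing, unreadable or empty input), after which every later `list << file.rdbuf()` in the certs loop is silently skipped and ca_list.pem — already emptied by `std::ios::trunc` — is written with no CAs at all; an empty file under certs/ triggers the same silent truncation for everything after it. The inputs are also concatenated with no separator, so a PEM file lacking a trailing newline glues its `-----END CERTIFICATE-----` onto the next `-----BEGIN` line and the certificates after it are likely dropped by the parser. I would route every input through one helper that skips unopenable or empty files and appends a newline, fix the log message to `RING_ERR("Could not write CA list");`, and report a failed write at the end. Because this runs on every doRegister_ and initTlsConfiguration, writing to a temporary file and renaming it over ca_list.pem would also keep a concurrent reader from seeing an empty trust list mid-rewrite (assuming the TLS layer reads this path — confirm).
```cpp
void
RingAccount::regenerateCAList()
{
    // Append one PEM file to `list`. Skipping unopenable or empty inputs
    // matters: inserting a streambuf that yields no characters sets failbit
    // on `list`, which would silently drop every later append.
    auto append = [](std::ofstream& list, const std::string& path) {
        std::ifstream file(path, std::ios::binary);
        if (!file || file.peek() == std::ifstream::traits_type::eof())
            return;
        list << file.rdbuf();
        // Each PEM block must start on its own line; the input may lack a
        // trailing newline, so always emit a separator.
        list << '\n';
    };

    std::ofstream list(caListPath_, std::ios::trunc | std::ios::binary);
    if (!list.is_open()) {
        RING_ERR("Could not write CA list");
        return;
    }
    append(list, tlsCaListFile_);
    for (const auto& ca : fileutils::readDirectory(caPath_))
        append(list, ca);
    if (!list)
        RING_ERR("Failed to write CA list to %s", caListPath_.c_str());
}
```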
......@@ -291,6 +291,8 @@ class RingAccount : public SIPAccountBase {
*/
bool mapPortUPnP();
void regenerateCAList();
dht::DhtRunner dht_ {};
dht::InfoHash callKey_;
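Review bot: The new `regenerateCAList()` declaration carries no comment, while the call sites in this commit (initTlsConfiguration and doRegister_) give no hint of what it overwrites. I would document it at the declaration: `/** Rewrite caListPath_ (ca_list.pem) as the concatenation of tlsCaListFile_ and every file under caPath_; truncates the existing list first. Called on TLS init and on account registration. */`. The enclosing class declaration starts and ends outside the hunk.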
......@@ -370,7 +370,8 @@ TrustStore::setStoreCertStatus(const crypto::Certificate& crt,
status == TrustStore::Status::ALLOWED ? "ALLOWED" : "BANNED");
}
/*
#if 0
void
TrustStore::generateCAList(const std::string& out_path)
{
......@@ -380,6 +381,7 @@ TrustStore::generateCAList(const std::string& out_path)
ss << cert.second.first->toString();
auto res = ss.str();
fileutils::saveFile(out_path, {std::begin(res), std::end(res)});
}*/
}
#endif
}} // namespace ring::tls
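Review bot: Swapping the `/* */` comment for `#if 0 ... #endif` keeps a dead copy of CA-list generation in TrustStore while this same commit adds a live one in RingAccount::regenerateCAList, so the two will drift and a grep for generateCAList will keep surfacing code that never compiles. Since version control preserves the old implementation, I would delete the `#if 0` block outright, or if it must stay, note why at the top: `#if 0 // superseded by RingAccount::regenerateCAList(); kept until the TrustStore API is settled`. The function body spans both hunks and the original `generateCAList` header/body boundaries are partly outside the hunk.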