diff options
Diffstat (limited to 'usr.sbin/acme-client/netproc.c')
-rw-r--r-- | usr.sbin/acme-client/netproc.c | 50 |
1 files changed, 12 insertions, 38 deletions
diff --git a/usr.sbin/acme-client/netproc.c b/usr.sbin/acme-client/netproc.c index 6b81b8a44c8..3275dcfc793 100644 --- a/usr.sbin/acme-client/netproc.c +++ b/usr.sbin/acme-client/netproc.c @@ -1,4 +1,4 @@ -/* $Id: netproc.c,v 1.21 2019/02/01 10:14:28 benno Exp $ */ +/* $Id: netproc.c,v 1.22 2019/02/01 10:16:04 benno Exp $ */ /* * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv> * @@ -94,7 +94,6 @@ url2host(const char *host, short *port, char **path) char *url, *ep; /* We only understand HTTP and HTTPS. */ - if (strncmp(host, "https://", 8) == 0) { *port = 443; if ((url = strdup(host + 8)) == NULL) { @@ -113,7 +112,6 @@ url2host(const char *host, short *port, char **path) } /* Terminate path part. */ - if ((ep = strchr(url, '/')) != NULL) { *path = strdup(ep); *ep = '\0'; @@ -238,7 +236,6 @@ again: } /* Copy the body part into our buffer. */ - free(c->buf.buf); c->buf.sz = g->bodypartsz; c->buf.buf = malloc(c->buf.sz); @@ -298,7 +295,6 @@ sreq(struct conn *c, const char *addr, const char *req) * Send the nonce and request payload to the acctproc. * This will create the proper JSON object we need. */ - if (writeop(c->fd, COMM_ACCT, ACCT_SIGN) <= 0) { free(nonce); return -1; @@ -312,12 +308,10 @@ sreq(struct conn *c, const char *addr, const char *req) free(nonce); /* Now read back the signed payload. */ - if ((reqsn = readstr(c->fd, COMM_REQ)) == NULL) return -1; /* Now send the signed payload to the CA. */ - if ((host = url2host(addr, &port, &path)) == NULL) { free(reqsn); return -1; @@ -337,7 +331,6 @@ sreq(struct conn *c, const char *addr, const char *req) return -1; /* Stuff response into parse buffer. */ - code = g->code; free(c->buf.buf); @@ -385,7 +378,7 @@ donewreg(struct conn *c, const struct capaths *p) /* * Request a challenge for the given domain name. - * This must happen for each name "alt". + * This must be called for each name "alt". * On non-zero exit, fills in "chng" with the challenge. */ static int @@ -420,7 +413,7 @@ dochngreq(struct conn *c, const char *alt, struct chng *chng, } /* - * Note to the CA that a challenge response is in place. + * Tell the CA that a challenge response is in place. */ static int dochngresp(struct conn *c, const struct chng *chng, const char *th) @@ -593,14 +586,13 @@ dofullchain(struct conn *c, const char *addr) } /* - * Here we communicate with the ACME server. - * For this, we'll need the certificate we want to upload and our - * account key information. + * Communicate with the ACME server. + * We need the certificate we want to upload and our account key information. */ int netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, int newacct, int revocate, struct authority_c *authority, - const char *const *alts,size_t altsz) + const char *const *alts, size_t altsz) { int rc = 0; size_t i, done = 0; @@ -634,13 +626,11 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, } /* - * Wait until the acctproc, keyproc, and revokeproc have started - * up and are ready to serve us data. - * There's no point in running if these don't work. - * Then check whether revokeproc indicates that the certificate - * on file (if any) can be updated. + * Wait until the acctproc, keyproc, and revokeproc have started up and + * are ready to serve us data. + * Then check whether revokeproc indicates that the certificate on file + * (if any) can be updated. */ - if ((lval = readop(afd, COMM_ACCT_STAT)) == 0) { rc = 1; goto out; @@ -666,14 +656,12 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, } /* If our certificate is up-to-date, return now. */ - if (lval == REVOKE_OK) { rc = 1; goto out; } /* Allocate main state. */ - chngs = calloc(altsz, sizeof(struct chng)); if (chngs == NULL) { warn("calloc"); @@ -685,9 +673,7 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, c.na = authority->api; /* - * Look up the domain of the ACME server. - * We'll use this ourselves instead of having libcurl do the DNS - * resolution itself. + * Look up the API urls of the ACME server. */ if (!dodirs(&c, c.na, &paths)) goto out; @@ -698,7 +684,6 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, * Following that, submit the request to the CA then notify the * certproc, which will in turn notify the fileproc. */ - if (revocate) { if ((cert = readstr(rfd, COMM_CSR)) == NULL) goto out; @@ -710,12 +695,10 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, } /* If new, register with the CA server. */ - if (newacct && ! donewreg(&c, &paths)) goto out; /* Pre-authorise all domains with CA server. */ - for (i = 0; i < altsz; i++) if (!dochngreq(&c, alts[i], &chngs[i], &paths)) goto out; @@ -726,14 +709,12 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, * We'll combine this to the challenge to create our response, * which will be orchestrated by the chngproc. */ - if (writeop(afd, COMM_ACCT, ACCT_THUMBPRINT) <= 0) goto out; else if ((thumb = readstr(afd, COMM_THUMB)) == NULL) goto out; /* We'll now ask chngproc to build the challenge. */ - for (i = 0; i < altsz; i++) { if (writeop(Cfd, COMM_CHNG_OP, CHNG_SYN) <= 0) goto out; @@ -743,12 +724,10 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, goto out; /* Read that the challenge has been made. */ - if (readop(Cfd, COMM_CHNG_ACK) != CHNG_ACK) goto out; /* Write to the CA that it's ready. */ - if (!dochngresp(&c, &chngs[i], thumb)) goto out; } @@ -758,7 +737,6 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, * Connect to the server (assume it's the same server) once * every five seconds. */ - for (;;) { for (i = 0; i < altsz; i++) { doddbg("%s: done %lu, altsz %lu, i %lu, status %d", @@ -772,7 +750,6 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, goto out; } - /* Sleep before every attempt. */ sleep(RETRY_DELAY); if (dochngcheck(&c, &chngs[i])) { if (chngs[i].status == CHNG_VALID) @@ -785,16 +762,15 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, if (done == altsz) break; } + /* * Write our acknowledgement that the challenges are over. * The challenge process will remove all of the files. */ - if (writeop(Cfd, COMM_CHNG_OP, CHNG_STOP) <= 0) goto out; /* Wait to receive the certificate itself. */ - if ((cert = readstr(kfd, COMM_CERT)) == NULL) goto out; @@ -802,7 +778,6 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, * Otherwise, submit the CA for signing, download the signed * copy, and ship that into the certificate process for copying. */ - if (!docert(&c, paths.newcert, cert)) goto out; else if (writeop(cfd, COMM_CSR_OP, CERT_UPDATE) <= 0) @@ -815,7 +790,6 @@ netproc(int kfd, int afd, int Cfd, int cfd, int dfd, int rfd, * Then contact the issuer to get the certificate chain. * Write this chain directly back to the certproc. */ - if ((url = readstr(cfd, COMM_ISSUER)) == NULL) goto out; else if (!dofullchain(&c, url)) |