diff --git a/examples/https/https.zig b/examples/https/https.zig
index 8dc16aa..668d9b4 100644
--- a/examples/https/https.zig
+++ b/examples/https/https.zig
@@ -44,12 +44,13 @@ pub fn main() !void {
 help_and_exit(KEY_FILE, err);
 };
- const tls = zap.fio_tls_new(
+ const tls = try zap.Tls.init(
 "localhost:4443",
 CERT_FILE,
 KEY_FILE,
 null, // key file is not password-protected
 );
+ defer tls.deinit();
 var listener = zap.SimpleHttpListener.init(.{
 .port = 4443,
diff --git a/facil.io/lib/facil/tls/fio_tls.h b/facil.io/lib/facil/tls/fio_tls.h
index 1dfa2c3..4648ce8 100644
--- a/facil.io/lib/facil/tls/fio_tls.h
+++ b/facil.io/lib/facil/tls/fio_tls.h
@@ -42,7 +42,7 @@ fio_tls_s *fio_tls_new(const char *server_name, const char *public_cert_file,
 * "public_key.pem",
 * "private_key.pem", NULL );
 */
-void fio_tls_cert_add(fio_tls_s *, const char *server_name,
+int fio_tls_cert_add(fio_tls_s *, const char *server_name,
 const char *public_cert_file, const char *private_key_file,
 const char *pk_password);
@@ -87,7 +87,7 @@ uintptr_t fio_tls_alpn_count(fio_tls_s *tls);
 *
 * fio_tls_trust(tls, "google-ca.pem" );
 */
-void fio_tls_trust(fio_tls_s *, const char *public_cert_file);
+int fio_tls_trust(fio_tls_s *, const char *public_cert_file);
 /**
 * Establishes an SSL/TLS connection as an SSL/TLS Server, using the specified
diff --git a/facil.io/lib/facil/tls/fio_tls_missing.c b/facil.io/lib/facil/tls/fio_tls_missing.c
index 80aa239..39ca90a 100644
--- a/facil.io/lib/facil/tls/fio_tls_missing.c
+++ b/facil.io/lib/facil/tls/fio_tls_missing.c
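Review bot: Changing `fio_tls_trust` from `void` to `int` turns a condition that used to abort the process into one a caller can silently ignore, and the new prototype neither documents the return value nor asks the compiler to flag an unused result. Per the Zig binding's own comment, the trust list is what adds the peer-verification requirement, so an unchecked -1 here yields a context that never verifies peers — fail-open where the old `exit()` was fail-closed — and every pre-existing caller was written against a `void` prototype and checks nothing. I'd extend the doc comment above each declaration with `Returns 0 on success and -1 if the file could not be read; on failure nothing is added to the tls object.` (visibly true for `fio_tls_trust`, whose push follows the read check; confirm it for `fio_tls_cert_add`, whose checks are outside this diff) and, if the project already uses GCC/Clang attributes, mark both prototypes `__attribute__((warn_unused_result))`. Both doc comment blocks start above their hunk.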
@@ -480,14 +480,18 @@ fio_tls_s *FIO_TLS_WEAK fio_tls_new(const char *server_name, const char *cert,
 REQUIRE_LIBRARY();
 fio_tls_s *tls = calloc(sizeof(*tls), 1);
 tls->ref = 1;
- fio_tls_cert_add(tls, server_name, key, cert, pk_password);
+ if(fio_tls_cert_add(tls, server_name, key, cert, pk_password) != 0) {
+ // file not found error
+ free(tls);
+ return NULL;
+ }
 return tls;
 }
 /**
 * Adds a certificate a new SSL/TLS context / settings object.
 */
-void FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
+int FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
 const char *cert, const char *key,
 const char *pk_password) {
 REQUIRE_LIBRARY();
@@ -510,11 +514,11 @@ void FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
 }
 fio_tls_cert_destroy(&c);
 fio_tls_build_context(tls);
- return;
+ return 0;
 file_missing:
 FIO_LOG_FATAL("TLS certificate file missing for either %s or %s or both.",
 key, cert);
- exit(203); // CoalNova's suggestion. Was: -1
+ return -1; // rene
 }
 /**
@@ -560,22 +564,22 @@ uintptr_t FIO_TLS_WEAK fio_tls_alpn_count(fio_tls_s *tls) {
 *
 * fio_tls_trust(tls, "google-ca.pem" );
 */
-void FIO_TLS_WEAK fio_tls_trust(fio_tls_s *tls, const char *public_cert_file) {
+int FIO_TLS_WEAK fio_tls_trust(fio_tls_s *tls, const char *public_cert_file) {
 REQUIRE_LIBRARY();
 trust_s c = {
 .pem = FIO_STR_INIT,
 };
 if (!public_cert_file)
- return;
+ return 0;
 if (fio_str_readfile(&c.pem, public_cert_file, 0, 0).data == NULL)
 goto file_missing;
 trust_ary_push(&tls->trust, c);
 fio_tls_trust_destroy(&c);
 fio_tls_build_context(tls);
- return;
+ return 0;
 file_missing:
 FIO_LOG_FATAL("TLS certificate file missing for %s ", public_cert_file);
- exit(204); // CoalNova's suggestion. was: -1.
+ return -1; // rene
 }
 /**
diff --git a/facil.io/lib/facil/tls/fio_tls_openssl.c b/facil.io/lib/facil/tls/fio_tls_openssl.c
index 8fa6df3..8fb2c9a 100644
--- a/facil.io/lib/facil/tls/fio_tls_openssl.c
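Review bot: With `exit(203)` replaced by `return -1`, the `file_missing:` tail of `fio_tls_cert_add` now returns without the `fio_tls_cert_destroy(&c)` that the success path calls just above it; `c`'s declaration and the two file reads are above the hunk, but if the first read succeeded before the second failed, its buffer is leaked on every failed call — a leak that `exit()` used to hide. `FIO_LOG_FATAL` is also the wrong level now that the process keeps running. I'd make the tail `file_missing:` / `fio_tls_cert_destroy(&c);` / `return -1;` with the log call switched to the non-fatal level this log API offers, assuming `c` is initialised with `FIO_STR_INIT` as `trust_s` is below so destroy is safe on an untouched string, and drop the `// rene` attribution comments. In `fio_tls_new` the failure branch does `free(tls)` right after `tls->ref = 1`; if a refcounted `fio_tls_destroy` exists it should be the release path so both paths stay consistent. Unrelated to this change but carried into the new `if(...)` line: `fio_tls_new(server_name, cert, ...)` passes `key, cert` to a callee declared `(..., const char *cert, const char *key, ...)`; if that swap is deliberate a comment would save the next reader from re-deriving it.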
+++ b/facil.io/lib/facil/tls/fio_tls_openssl.c
@@ -855,14 +855,18 @@ fio_tls_s *FIO_TLS_WEAK fio_tls_new(const char *server_name, const char *cert,
 REQUIRE_LIBRARY();
 fio_tls_s *tls = calloc(sizeof(*tls), 1);
 tls->ref = 1;
- fio_tls_cert_add(tls, server_name, key, cert, pk_password);
+ if(fio_tls_cert_add(tls, server_name, key, cert, pk_password) != 0) {
+ // file not found error
+ free(tls);
+ return NULL;
+ }
 return tls;
 }
 /**
 * Adds a certificate a new SSL/TLS context / settings object.
 */
-void FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
+int FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
 const char *cert, const char *key,
 const char *pk_password) {
 REQUIRE_LIBRARY();
@@ -885,11 +889,11 @@ void FIO_TLS_WEAK fio_tls_cert_add(fio_tls_s *tls, const char *server_name,
 }
 fio_tls_cert_destroy(&c);
 fio_tls_build_context(tls);
- return;
+ return 0;
 file_missing:
 FIO_LOG_FATAL("TLS certificate file missing for either %s or %s or both.",
 key, cert);
- exit(200); // CoalNova's suggestion. Was: -1
+ return -1;
 }
 /**
@@ -937,22 +941,22 @@ uintptr_t FIO_TLS_WEAK fio_tls_alpn_count(fio_tls_s *tls) {
 *
 * fio_tls_trust(tls, "google-ca.pem" );
 */
-void FIO_TLS_WEAK fio_tls_trust(fio_tls_s *tls, const char *public_cert_file) {
+int FIO_TLS_WEAK fio_tls_trust(fio_tls_s *tls, const char *public_cert_file) {
 REQUIRE_LIBRARY();
 trust_s c = {
 .pem = FIO_STR_INIT,
 };
 if (!public_cert_file)
- return;
+ return 0;
 if (fio_str_readfile(&c.pem, public_cert_file, 0, 0).data == NULL)
 goto file_missing;
 trust_ary_push(&tls->trust, c);
 fio_tls_trust_destroy(&c);
 fio_tls_build_context(tls);
- return;
+ return 0;
 file_missing:
 FIO_LOG_FATAL("TLS certificate file missing for %s ", public_cert_file);
- exit(201); // CoalNova's suggestion. Was: -1
+ return -1; // CoalNova's suggestion. Was: -1
 }
 /**
diff --git a/src/fio.zig b/src/fio.zig
index ac2ce3c..a71ff6c 100644
--- a/src/fio.zig
+++ b/src/fio.zig
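Review bot: After the new `return -1` in `fio_tls_trust`, the context is left exactly as it was — `trust_ary_push` and `fio_tls_build_context` are skipped — so a server whose CA file is unreadable now keeps running with no peer-verification requirement, where `exit(201)` previously refused to start; that is a fail-open change in the OpenSSL backend and should be stated in the function's doc comment and the changelog, since callers of the old `void` prototype check nothing. The comment carried onto the new line, `// CoalNova's suggestion. Was: -1`, described the old exit status and is now wrong next to `return -1;`; drop it. `FIO_LOG_FATAL` should also move to the non-fatal level of this log API now that the call returns, so operators don't read a recoverable error as a crash, and the same applies to the `fio_tls_cert_add` hunk above, whose `file_missing:` tail additionally returns without the `fio_tls_cert_destroy(&c)` the success path performs.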
@@ -195,12 +195,12 @@ pub extern fn fio_tls_cert_add(
 public_certificate_file: ?[*:0]const u8,
 private_key_file: ?[*:0]const u8,
 private_key_password: ?[*:0]const u8,
-) void;
+) c_int;
 /// Adds a certificate to the "trust" list, which automatically adds a peer verification requirement.
 /// Note: when the fio_tls_s object is used for server connections, this will limit connections to
 /// clients that connect using a trusted certificate.
-pub extern fn fio_tls_trust(tls: ?*anyopaque, public_cert_file: ?[*:0]const u8) void;
+pub extern fn fio_tls_trust(tls: ?*anyopaque, public_cert_file: ?[*:0]const u8) c_int;
 /// Establishes an SSL/TLS connection as an SSL/TLS Server, using the specified context / settings object.
 /// The uuid should be a socket UUID that is already connected to a peer (i.e., the result of fio_accept).
diff --git a/src/zap.zig b/src/zap.zig
index d13b22c..1f5bc02 100644
--- a/src/zap.zig
+++ b/src/zap.zig
@@ -4,6 +4,9 @@ const std = @import("std");
 const fio = @import("fio.zig");
+/// Server-Side TLS function wrapper
+pub const Tls = @import("tls.zig");
+
 pub usingnamespace @import("fio.zig");
 pub usingnamespace @import("endpoint.zig");
 pub usingnamespace @import("util.zig");
@@ -770,7 +773,7 @@ pub const SimpleHttpListenerSettings = struct {
 log: bool = false,
 ws_timeout: u8 = 40,
 ws_max_msg_size: usize = 262144,
- tls: ?*anyopaque = null,
+ tls: ?Tls = null,
 };
 pub const SimpleHttpListener = struct {
@@ -884,7 +887,7 @@ pub const SimpleHttpListener = struct {
 .max_body_size = self.settings.max_body_size orelse 50 * 1024 * 1024,
 // fio provides good default:
 .max_clients = self.settings.max_clients orelse 0,
- .tls = self.settings.tls,
+ .tls = if (self.settings.tls) |tls| tls.fio_tls else null,
 .reserved1 = 0,
 .reserved2 = 0,
 .reserved3 = 0,
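Review bot: The doc comments on `fio_tls_cert_add` and `fio_tls_trust` are unchanged although both externs now return `c_int`, so a Zig caller — whom the compiler will force to do something with the value — has nothing telling them what it means. I'd add `/// Returns 0 on success and -1 if the file could not be read (the C side logs the path).` above each extern, and on `fio_tls_trust` add `/// On failure nothing is added to the trust list, so an ignored -1 leaves the context without the peer verification requirement described above.` — that last fact is visible in the C hunks for `fio_tls_trust`, but for `fio_tls_cert_add` its pre-push checks are outside this diff, so confirm before writing the same there. `fio_tls_cert_add`'s declaration starts above the hunk.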
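Review bot: `tls: ?Tls = null` in `SimpleHttpListenerSettings` stores the wrapper by value and the listener only ever reads `tls.fio_tls` from it, so ownership of the underlying `fio_tls_s` stays with the caller — the example's `defer tls.deinit()` shows that — but nothing on the field says so, and a user who deinits before the listener has stopped hands facil.io a freed context. I'd document the field: `/// TLS context for HTTPS. The listener copies this wrapper but does not own the context; call deinit() on it only after the listener has stopped.` This is also a breaking change for anyone who passed a raw `fio_tls_new` pointer here before, which the changelog should mention; `tls.zig` is not part of this diff, so `Tls.init`/`deinit` themselves could not be checked.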