commit ad886718a52097150ace577a95ecb5c4f5021444
Author: epoch 
Date:   Mon Apr 8 09:07:10 2024 +0000

    some cleanup and moved a bunch of messages to DEBUG from ERR because I do not want to see all of those all of the time

diff --git a/tlswrap.c b/tlswrap.c
index 8063100d75d705543529dc56ab53cd8097c8438a..
index ..8eeb7e4484571c78888c8098e146b480f5510afd 100644
--- a/tlswrap.c
+++ b/tlswrap.c
@@ -152,36 +152,27 @@ int client_cert(const SSL *ssl) {

 // returns 1 on success.
 int cert_cb(SSL *ssl, void *arg) {
+  char found=0;
   servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-  if(!servername) {
-    return 1;// no servername, let's just use whatever we had already.
-  }
-  if(chdir("/etc/tlswrap/") != 0) {
-    return 1;// if no extra certs are configured, no worries.
-  }
-
-  // I think I am going to open the dir for reading, then compare the servername to all of the dirs in there using fnmatch.
-  // configuration can just be done with a subdir named *.stuff for wildcard domains.
-  syslog(LOG_DAEMON|LOG_ERR,"servername: %s",servername);
+  if(!servername || chdir("/etc/tlswrap")) return 1;
+  syslog(LOG_DAEMON|LOG_DEBUG,"servername: %s",servername);
   if(strstr(servername,"..")) { // is there any good reason for this?
     syslog(LOG_DAEMON|LOG_ERR,"someone tried to directory traversal the servername");
     return 0;//might as well make it error here.
   }
   DIR *dir=opendir(".");
   struct dirent *dent;
-  while(dent=readdir(dir)) {
+  while((dent=readdir(dir))) {
     if(!strcmp(dent->d_name,".") || !strcmp(dent->d_name,"..")) continue;
-    syslog(LOG_DAEMON|LOG_ERR,"testing domain %s against %s",dent->d_name,servername);
     if(!fnmatch(dent->d_name,servername,FNM_NOESCAPE)) {
-      syslog(LOG_DAEMON|LOG_ERR,"FOUND THE MATCHING DOMAIN");
       if(chdir(dent->d_name) == 0) {
-        break; // we found a configured domain.
-      } else {
-        syslog(LOG_DAEMON|LOG_ERR,"failed to chdir to %s",servername);
+        found=1;
+        break;
       }
     }
   }
   closedir(dir);
+  if(!found) return 1;
   if(SSL_use_certificate_chain_file(ssl, "cert") <= 0) {
     syslog(LOG_DAEMON|LOG_ERR,"failed to load servername cert %s %s",getcwd(0,200),strerror(errno));
     return 1;// even if we can't find the cert, no worries. we got sane fallback.
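Review bot: `DIR *dir=opendir(".");` is never checked for NULL, so the rewritten `while((dent=readdir(dir)))` loop dereferences a null pointer whenever opendir fails — e.g. `/etc/tlswrap` grants search but not read permission (chdir succeeds, opendir does not), or the process is out of descriptors; add `if(!dir) return 1;` right after it so the existing "use the default cert" fallback is taken instead of crashing the handshake. The new `if(!servername || chdir("/etc/tlswrap")) return 1;` and `if(!found) return 1;` exits both leave the working directory changed (to `/etc/tlswrap` or a matching subdirectory) on the fallback path; whether later relative paths depend on the cwd is outside this hunk, so a comment such as `// NOTE: may leave cwd in /etc/tlswrap or a per-domain subdir` above the function would help the next reader. The pre-existing `getcwd(0,200)` in the error message allocates a buffer that is never freed and, since argument evaluation order is unspecified, can overwrite errno before `strerror(errno)` reads it; saving errno to a local first and using a fixed buffer (`char cwd[PATH_MAX]; getcwd(cwd,sizeof cwd);`) fixes both. cert_cb's body continues past the end of the hunk.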
@@ -732,16 +723,17 @@ int main(int argc,char *argv[]) {
     // this is fine. no need to ERR it.
   }
   if(kill(-child,SIGHUP)) {
-    syslog(LOG_DAEMON|LOG_ERR,"%s: killpg: %s",url,strerror(errno));
+    syslog(LOG_DAEMON|LOG_DEBUG,"%s: killpg: %s",url,strerror(errno));
   }
   sleep(5);
   if(kill(-child,SIGTERM)) {
-    syslog(LOG_DAEMON|LOG_ERR,"%s: killpg: %s",url,strerror(errno));
+    syslog(LOG_DAEMON|LOG_DEBUG,"%s: killpg: %s",url,strerror(errno));
   }
   sleep(5);
   if(kill(-child,SIGKILL)) {
-    syslog(LOG_DAEMON|LOG_ERR,"%s: killpg: %s",url,strerror(errno));
+    syslog(LOG_DAEMON|LOG_DEBUG,"%s: killpg: %s",url,strerror(errno));
   }
-  syslog(LOG_DAEMON|LOG_ERR,"%s: sent signals to all processes in our process group. they should be DEAD",url);
+  // we will end up here all of the time anyway, no need for me to see these messages constantly.
+  syslog(LOG_DAEMON|LOG_DEBUG,"%s: sent signals to all processes in our process group. they should be DEAD",url);
   return 0;
 }
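Review bot: Demoting the three `killpg` failure messages to LOG_DEBUG hides EPERM along with the expected ESRCH; ESRCH only means the process group is already gone, but EPERM means a child we could not signal is still running, which is exactly the case worth keeping at ERR. Keeping the ERR message only when the error is not ESRCH preserves the quiet common case, e.g. `if(kill(-child,SIGHUP) && errno!=ESRCH) {` with the original LOG_ERR syslog inside, and the same at the SIGTERM and SIGKILL sites. main()'s body starts before this hunk, so I cannot see whether `child` is guaranteed to be a valid child pid here; if it can be 0 or 1 on some path, `kill(-child,...)` would signal the caller's own process group or every process the caller may signal, so a `if(child <= 1) return 0;` style guard before the first kill would be a cheap safety net — worth confirming against the code that sets `child`.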
