in src/protocols/kubernetes/ssl.c [134:233]
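/*
 * Installs the configured CA certificate into the trust store of the given
 * SSL context. The store takes its own reference to the parsed certificate,
 * so the reference returned by guac_kubernetes_read_cert() is released here
 * on every path.
 *
 * Returns zero on success. On failure the client is aborted with
 * GUAC_PROTOCOL_STATUS_SERVER_ERROR and non-zero is returned.
 */
static int guac_kubernetes_load_ca_cert(guac_client* client,
        SSL_CTX* context, guac_kubernetes_settings* settings) {

    /* Read CA certificate from configuration data */
    X509* ca_cert = guac_kubernetes_read_cert(settings->ca_cert);
    if (ca_cert == NULL) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Provided CA certificate is unreadable");
        return 1;
    }

    /* Add certificate to CA store, then drop our own reference (the store
     * up-refs the certificate when it keeps it) */
    X509_STORE* ca_store = SSL_CTX_get_cert_store(context);
    int added = X509_STORE_add_cert(ca_store, ca_cert);
    X509_free(ca_cert);

    if (!added) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Unable to add CA certificate to certificate store of "
                "SSL context");
        return 1;
    }

    return 0;

}

/*
 * Installs the configured client certificate for SSL/TLS client
 * authentication. SSL_CTX_use_certificate() takes its own reference, so the
 * parsed certificate is released here on every path.
 *
 * Returns zero on success. On failure the client is aborted with
 * GUAC_PROTOCOL_STATUS_SERVER_ERROR and non-zero is returned.
 */
static int guac_kubernetes_load_client_cert(guac_client* client,
        SSL_CTX* context, guac_kubernetes_settings* settings) {

    /* Read client certificate from configuration data */
    X509* client_cert = guac_kubernetes_read_cert(settings->client_cert);
    if (client_cert == NULL) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Provided client certificate is unreadable");
        return 1;
    }

    /* Use parsed certificate for authentication, releasing our reference
     * once the context has taken its own */
    int used = SSL_CTX_use_certificate(context, client_cert);
    X509_free(client_cert);

    if (!used) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Client certificate could not be used for SSL/TLS "
                "client authentication");
        return 1;
    }

    return 0;

}

/*
 * Installs the configured client private key for SSL/TLS client
 * authentication. SSL_CTX_use_PrivateKey() takes its own reference, so the
 * parsed key is released here on every path.
 *
 * Returns zero on success. On failure the client is aborted with
 * GUAC_PROTOCOL_STATUS_SERVER_ERROR and non-zero is returned.
 */
static int guac_kubernetes_load_client_key(guac_client* client,
        SSL_CTX* context, guac_kubernetes_settings* settings) {

    /* Read client private key from configuration data */
    EVP_PKEY* client_key = guac_kubernetes_read_key(settings->client_key);
    if (client_key == NULL) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Provided client private key is unreadable");
        return 1;
    }

    /* Use parsed key for authentication, releasing our reference once the
     * context has taken its own */
    int used = SSL_CTX_use_PrivateKey(context, client_key);
    EVP_PKEY_free(client_key);

    if (!used) {
        guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                "Client private key could not be used for SSL/TLS "
                "client authentication");
        return 1;
    }

    /* NOTE(review): no SSL_CTX_check_private_key() is performed here, so a
     * key that does not match the configured client certificate is only
     * detected at handshake time — consider checking when both are set. */

    return 0;

}

/*
 * Enables verification of the server certificate against the configured
 * hostname, using IP-address matching when the hostname is an address and
 * DNS-name matching otherwise.
 *
 * Returns zero on success. On failure the client is aborted with
 * GUAC_PROTOCOL_STATUS_SERVER_ERROR and non-zero is returned.
 */
static int guac_kubernetes_enable_hostname_check(guac_client* client,
        SSL_CTX* context, guac_kubernetes_settings* settings) {

    /* Reject partial wildcards such as "f*o.example.com" in presented
     * certificates; only whole-label wildcards are accepted */
    X509_VERIFY_PARAM* param = SSL_CTX_get0_param(context);
    X509_VERIFY_PARAM_set_hostflags(param,
            X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);

    /* Validate properly depending on whether hostname is an IP address */
    if (guac_kubernetes_is_address(settings->hostname)) {
        if (!X509_VERIFY_PARAM_set1_ip_asc(param, settings->hostname)) {
            guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                    "Server IP address validation could not be enabled");
            return 1;
        }
    }
    else {
        /* Length 0 means the hostname is NUL-terminated */
        if (!X509_VERIFY_PARAM_set1_host(param, settings->hostname, 0)) {
            guac_client_abort(client, GUAC_PROTOCOL_STATUS_SERVER_ERROR,
                    "Server hostname validation could not be enabled");
            return 1;
        }
    }

    return 0;

}

/**
 * Configures the given SSL context according to the settings of the given
 * Kubernetes client: certificate verification (bypassed, or trusting an
 * additional CA), optional client certificate and key for SSL/TLS client
 * authentication, and hostname/IP verification of the server certificate.
 *
 * Any failure aborts the client with GUAC_PROTOCOL_STATUS_SERVER_ERROR and
 * returns immediately, leaving the context only partially configured.
 *
 * @param client
 *     The guac_client whose data is a guac_kubernetes_client.
 *
 * @param context
 *     The SSL context to configure.
 */
void guac_kubernetes_init_ssl(guac_client* client, SSL_CTX* context) {

    guac_kubernetes_client* kubernetes_client =
        (guac_kubernetes_client*) client->data;

    guac_kubernetes_settings* settings = kubernetes_client->settings;

    /* Bypass certificate checks if requested. The replacement verify
     * callback stands in for X509_verify_cert(), so chain validation AND the
     * hostname check configured below are both skipped in this mode. */
    if (settings->ignore_cert) {
        SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);
        SSL_CTX_set_cert_verify_callback(context,
                guac_kubernetes_assume_cert_ok, NULL);
    }

    /* Otherwise use the given CA certificate to validate (if any) */
    else if (settings->ca_cert != NULL) {
        if (guac_kubernetes_load_ca_cert(client, context, settings))
            return;
    }

    /* NOTE(review): SSL_VERIFY_PEER is only set in the ignore_cert branch
     * above; with a CA certificate (or none) this relies on the caller having
     * already enabled peer verification on the context — confirm. */

    /* Certificate for SSL/TLS client auth */
    if (settings->client_cert != NULL
            && guac_kubernetes_load_client_cert(client, context, settings))
        return;

    /* Private key for SSL/TLS client auth */
    if (settings->client_key != NULL
            && guac_kubernetes_load_client_key(client, context, settings))
        return;

    /* Enable hostname checking (return value irrelevant: the client has
     * already been aborted on failure and nothing follows) */
    guac_kubernetes_enable_hostname_check(client, context, settings);

}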