author | reyk <> | 2014-09-28 14:45:48 +0000 |
committer | reyk <> | 2014-09-28 14:45:48 +0000 |
commit | 86dd9a4f816c164cfa45e157991a16f15badb4a3 (patch) | |
tree | 2558f6bbdff94c43a1f9a53c84ba5f0ffa3ea8c0 /src/lib/libressl/ressl.c | |
parent | 091f5c3e6dfe57ebde616bd69bdc1866949e19a4 (diff) | |
Add a new API function SSL_CTX_use_certificate_chain() that allows reading
the PEM-encoded certificate chain from memory instead of from a file.
This idea is derived from an older implementation in relayd that was
needed to use the function from a privsep'ed process in a chroot. Now
it is time to get it into LibreSSL to make the API more privsep-
friendly and to make it available for other programs and the ressl
library.
ok jsing@ miod@
Diffstat (limited to 'src/lib/libressl/ressl.c')
-rw-r--r-- | src/lib/libressl/ressl.c | 21 |
1 files changed, 5 insertions, 16 deletions
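--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.13 2014/09/28 06:24:00 tedu Exp $ */
+/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -110,22 +110,11 @@ ressl_configure_keypair(struct ressl *ctx)
 BIO *bio = NULL;
 
 if (ctx->config->cert_mem != NULL) {
-if ((bio = BIO_new_mem_buf(ctx->config->cert_mem,
-ctx->config->cert_len)) == NULL) {
-ressl_set_error(ctx, "failed to create buffer");
-goto err;
-}
-if ((cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
-ressl_set_error(ctx, "failed to read certificate");
-goto err;
-}
-if (SSL_CTX_use_certificate(ctx->ssl_ctx, cert) != 1) {
+if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx,
+ctx->config->cert_mem, ctx->config->cert_len) != 1) {
 ressl_set_error(ctx, "failed to load certificate");
 goto err;
 }
-BIO_free(bio);
-bio = NULL;
-X509_free(cert);
 cert = NULL;
 }
 if (ctx->config->key_mem != NULL) {
@@ -150,8 +139,8 @@ ressl_configure_keypair(struct ressl *ctx)
 }
 
 if (ctx->config->cert_file != NULL) {
-if (SSL_CTX_use_certificate_file(ctx->ssl_ctx,
-ctx->config->cert_file, SSL_FILETYPE_PEM) != 1) {
+if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
+ctx->config->cert_file) != 1) {
 ressl_set_error(ctx, "failed to load certificate file");
 goto err;
 }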
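Review bot: `cert = NULL;` at new line 118 is now a leftover — the cert_mem branch no longer assigns `cert` once the BIO_new_mem_buf/PEM_read_bio_X509/SSL_CTX_use_certificate sequence is replaced by the single SSL_CTX_use_certificate_chain() call, so the reset is a no-op and should be dropped; if `cert` is also unused by the key_mem branch and the err: cleanup (both outside this hunk), its declaration and any X509_free(cert) there can go as well. The new single error path folds three formerly distinct failures (buffer creation, PEM parse, chain installation) into one message; `ressl_set_error(ctx, "failed to load certificate chain");` would at least tell the caller that the whole chain, not only the leaf, is what failed. The prototype of SSL_CTX_use_certificate_chain() is not visible here, so confirm that the type of `ctx->config->cert_len` matches its length parameter rather than relying on an implicit conversion. ressl_configure_keypair's body begins and ends outside these hunks.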