From 86dd9a4f816c164cfa45e157991a16f15badb4a3 Mon Sep 17 00:00:00 2001
From: reyk <>
Date: Sun, 28 Sep 2014 14:45:48 +0000
Subject: Add a new API function SSL_CTX_use_certificate_chain() that allows to read the PEM-encoded certificate chain from memory instead of a file. This idea is derived from an older implementation in relayd that was needed to use the function with a privep'ed process in a chroot. Now it is time to get it into LibreSSL to make the API more privsep- friendly and to make it available for other programs and the ressl library. ok jsing@ miod@
---
 src/lib/libressl/ressl.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
(limited to 'src/lib/libressl/ressl.c')
diff --git a/src/lib/libressl/ressl.c b/src/lib/libressl/ressl.c
index 1bf971419b..f01448b8f4 100644
--- a/src/lib/libressl/ressl.c
+++ b/src/lib/libressl/ressl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl.c,v 1.13 2014/09/28 06:24:00 tedu Exp $ */
+/* $OpenBSD: ressl.c,v 1.14 2014/09/28 14:45:48 reyk Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -110,22 +110,11 @@ ressl_configure_keypair(struct ressl *ctx)
 BIO *bio = NULL;
 
 if (ctx->config->cert_mem != NULL) {
- if ((bio = BIO_new_mem_buf(ctx->config->cert_mem,
- ctx->config->cert_len)) == NULL) {
- ressl_set_error(ctx, "failed to create buffer");
- goto err;
- }
- if ((cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL) {
- ressl_set_error(ctx, "failed to read certificate");
- goto err;
- }
- if (SSL_CTX_use_certificate(ctx->ssl_ctx, cert) != 1) {
+ if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx,
+ ctx->config->cert_mem, ctx->config->cert_len) != 1) {
 ressl_set_error(ctx, "failed to load certificate");
 goto err;
 }
- BIO_free(bio);
- bio = NULL;
- X509_free(cert);
 cert = NULL;
 }
 if (ctx->config->key_mem != NULL) {
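Review bot: The context line `cert = NULL;` at the end of the cert_mem branch is now a dead store, because the removed PEM_read_bio_X509() call was the only assignment to `cert` in this branch; drop that line, and if nothing else in ressl_configure_keypair() assigns `cert` any more (its declaration and the X509_free() at the error label are outside the hunk) the variable can go with it. The new call passes `ctx->config->cert_len` straight through where BIO_new_mem_buf() took an int, so it is worth confirming that the length parameter type of SSL_CTX_use_certificate_chain() matches the config field and no narrowing conversion is introduced. A short comment above the new call, `/* PEM chain: leaf certificate first, then any intermediates */`, would record the ordering the chain loader presumably expects, mirroring SSL_CTX_use_certificate_chain_file(). ressl_configure_keypair() begins before this hunk and continues past it.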
@@ -150,8 +139,8 @@ ressl_configure_keypair(struct ressl *ctx)
 }
 
 if (ctx->config->cert_file != NULL) {
- if (SSL_CTX_use_certificate_file(ctx->ssl_ctx,
- ctx->config->cert_file, SSL_FILETYPE_PEM) != 1) {
+ if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
+ ctx->config->cert_file) != 1) {
 ressl_set_error(ctx, "failed to load certificate file");
 goto err;
 }
--
cgit v1.2.3-55-g6feb
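Review bot: Switching to SSL_CTX_use_certificate_chain_file() silently changes what a cert_file may contain: the old SSL_CTX_use_certificate_file() call loaded only the first certificate in the file, whereas the chain loader also installs every certificate that follows the leaf as the chain presented to peers, so a file that previously carried harmless trailing certificates now affects what is sent on the wire. That is a sensible change for privsep use, but it should be documented where cert_file is described (the config API, outside this hunk), e.g. `cert_file must be PEM; the leaf certificate comes first, followed by any intermediates in order`. The same ordering note applies to the cert_mem branch in the earlier hunk. ressl_configure_keypair() begins before this hunk and continues after it.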