Permalink
Browse files

Refactored private key loading code

  • Loading branch information...
1 parent df9b63c commit 4431a8b7cf89500b81c9c62774ac75c1937297e3 @andj committed Jun 27, 2011
Showing with 93 additions and 60 deletions.
  1. +7 −60 ssl.c
  2. +17 −0 ssl_backend.h
  3. +69 −0 ssl_openssl.c
View
67 ssl.c
@@ -1809,34 +1809,6 @@ use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
return(ret);
}
-static int
-use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
-{
- BIO *in = NULL;
- EVP_PKEY *pkey = NULL;
- int ret = 0;
-
- in = BIO_new_mem_buf ((char *)key_string, -1);
- if (!in)
- goto end;
-
- pkey = PEM_read_bio_PrivateKey (in,
- NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
- if (!pkey)
- goto end;
-
- ret = SSL_CTX_use_PrivateKey (ctx, pkey);
-
- end:
- if (pkey)
- EVP_PKEY_free (pkey);
- if (in)
- BIO_free (in);
- return ret;
-}
-
#endif
/*
@@ -1902,44 +1874,19 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
#endif
else
{
- /* Use seperate PEM files for key, cert and CA certs */
/* Load Certificate */
if (options->cert_file)
{
tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline, NULL);
}
- /* Load Private Key */
- if (options->priv_key_file)
- {
- int status;
-
-#if ENABLE_INLINE_FILES
- if (!strcmp (options->priv_key_file, INLINE_FILE_TAG) && options->priv_key_file_inline)
- {
- status = use_inline_PrivateKey_file (ctx, options->priv_key_file_inline);
- }
- else
-#endif
- {
- status = SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM);
- }
- if (!status)
- {
-#ifdef ENABLE_MANAGEMENT
- if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
- management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
-#endif
- msg (M_WARN|M_SSL, "Cannot load private key file %s", options->priv_key_file);
- goto err;
- }
- warn_if_group_others_accessible (options->priv_key_file);
-
- /* Check Private Key */
- if (!SSL_CTX_check_private_key (ctx))
- msg (M_SSLERR, "Private key does not match the certificate");
- }
- }
+ /* Load Private Key */
+ if (options->priv_key_file)
+ {
+ if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline))
+ goto err;
+ }
+ }
if (options->ca_file || options->ca_path)
{
View
@@ -193,6 +193,23 @@ void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
);
/**
+ * Load private key file into the given TLS context.
+ *
+ * @param ctx TLS context to use
+ * @param priv_key_file The file name to load the private key from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param priv_key_file_inline A string containing the private key
+ *
+ * @return 1 if an error occurred, 0 if parsing was
+ * successful.
+ */
+int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+ , const char *priv_key_file_inline
+#endif
+ );
+
+/**
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
*/
View
@@ -438,6 +438,75 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
}
}
+#if ENABLE_INLINE_FILES
+static int
+use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
+{
+ BIO *in = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)key_string, -1);
+ if (!in)
+ goto end;
+
+ pkey = PEM_read_bio_PrivateKey (in,
+ NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+ if (!pkey)
+ goto end;
+
+ ret = SSL_CTX_use_PrivateKey (ctx, pkey);
+
+ end:
+ if (pkey)
+ EVP_PKEY_free (pkey);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+#endif /* ENABLE_INLINE_FILES */
+
+int
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+ , const char *priv_key_file_inline
+#endif
+ )
+{
+ ASSERT(NULL != ctx);
+
+ int status;
+
+#if ENABLE_INLINE_FILES
+ if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
+ {
+ status = use_inline_PrivateKey_file (ctx->ctx, priv_key_file_inline);
+ }
+ else
+#endif /* ENABLE_INLINE_FILES */
+ {
+ status = SSL_CTX_use_PrivateKey_file (ctx->ctx, priv_key_file, SSL_FILETYPE_PEM);
+ }
+ if (!status)
+ {
+#ifdef ENABLE_MANAGEMENT
+ if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
+ management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
+ msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file);
+ return 1;
+ }
+ warn_if_group_others_accessible (priv_key_file);
+
+ /* Check Private Key */
+ if (!SSL_CTX_check_private_key (ctx->ctx))
+ msg (M_SSLERR, "Private key does not match the certificate");
+ return 0;
+
+}
+
void
show_available_tls_ciphers ()
{

1 comment on commit 4431a8b

Please sign in to comment.