
Refactored private key loading code
andj committed Jul 5, 2011
1 parent df9b63c commit 4431a8b
Showing 3 changed files with 93 additions and 60 deletions.
67 changes: 7 additions & 60 deletions ssl.c
Expand Up @@ -1809,34 +1809,6 @@ use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
return(ret); return(ret);
} }


static int
use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
{
BIO *in = NULL;
EVP_PKEY *pkey = NULL;
int ret = 0;

in = BIO_new_mem_buf ((char *)key_string, -1);
if (!in)
goto end;

pkey = PEM_read_bio_PrivateKey (in,
NULL,
ctx->default_passwd_callback,
ctx->default_passwd_callback_userdata);
if (!pkey)
goto end;

ret = SSL_CTX_use_PrivateKey (ctx, pkey);

end:
if (pkey)
EVP_PKEY_free (pkey);
if (in)
BIO_free (in);
return ret;
}

#endif #endif


/* /*
Expand Down Expand Up @@ -1902,44 +1874,19 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
#endif #endif
else else
{ {
/* Use seperate PEM files for key, cert and CA certs */
/* Load Certificate */ /* Load Certificate */
if (options->cert_file) if (options->cert_file)
{ {
tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline, NULL); tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline, NULL);
} }


/* Load Private Key */ /* Load Private Key */
if (options->priv_key_file) if (options->priv_key_file)
{ {
int status; if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline))

goto err;
#if ENABLE_INLINE_FILES }
if (!strcmp (options->priv_key_file, INLINE_FILE_TAG) && options->priv_key_file_inline) }
{
status = use_inline_PrivateKey_file (ctx, options->priv_key_file_inline);
}
else
#endif
{
status = SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM);
}
if (!status)
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
msg (M_WARN|M_SSL, "Cannot load private key file %s", options->priv_key_file);
goto err;
}
warn_if_group_others_accessible (options->priv_key_file);

/* Check Private Key */
if (!SSL_CTX_check_private_key (ctx))
msg (M_SSLERR, "Private key does not match the certificate");
}
}


if (options->ca_file || options->ca_path) if (options->ca_file || options->ca_path)
{ {
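Review bot: The new call `if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline))` passes the inline argument unconditionally, but the prototype this commit adds in ssl_backend.h (and the definition in ssl_openssl.c) declares that third parameter only under `#if ENABLE_INLINE_FILES`; the code being removed here kept that same guard around its inline branch, so a build with inline files disabled should now fail on the argument count (and presumably on the `options->priv_key_file_inline` member as well, which is not visible in this hunk). Either wrap the extra argument in the same `#if ENABLE_INLINE_FILES` block at the call site, or, cleaner, drop the conditional from the prototype and definition and let the backend ignore the parameter when inline files are compiled out. The enclosing init_ssl starts and ends outside this hunk; the earlier hunk in this file is the pure removal of use_inline_PrivateKey_file, which moves to ssl_openssl.c.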
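--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -192,6 +192,23 @@ void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
 X509 **x509
 );
 
+/**
+* Load private key file into the given TLS context.
+*
+* @param ctx TLS context to use
+* @param priv_key_file The file name to load the private key from, or
+* "[[INLINE]]" in the case of inline files.
+* @param priv_key_file_inline A string containing the private key
+*
+* @return 1 if an error occurred, 0 if parsing was
+* successful.
+*/
+int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+, const char *priv_key_file_inline
+#endif
+);
+
 /**
 * Show the TLS ciphers that are available for us to use in the OpenSSL
 * library.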
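Review bot: The doc comment on tls_ctx_load_priv_file leaves out the precondition its ssl_openssl.c implementation depends on: that implementation calls SSL_CTX_check_private_key on the context, so the certificate has to be loaded into ctx before this function is called. A line such as `@note The certificate must already be loaded into @p ctx; the key is checked against it.` would make the required call order explicit for other backends. The `@param priv_key_file_inline` entry should also say the parameter exists only when ENABLE_INLINE_FILES is set, since the prototype conditionally omits it, and "0 if parsing was successful" undersells the contract, because the function also installs the key into the context and runs the certificate/key check.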
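--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -438,6 +438,75 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
 }
 }
 
+#if ENABLE_INLINE_FILES
+static int
+use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
+{
+BIO *in = NULL;
+EVP_PKEY *pkey = NULL;
+int ret = 0;
+
+in = BIO_new_mem_buf ((char *)key_string, -1);
+if (!in)
+goto end;
+
+pkey = PEM_read_bio_PrivateKey (in,
+NULL,
+ctx->default_passwd_callback,
+ctx->default_passwd_callback_userdata);
+if (!pkey)
+goto end;
+
+ret = SSL_CTX_use_PrivateKey (ctx, pkey);
+
+end:
+if (pkey)
+EVP_PKEY_free (pkey);
+if (in)
+BIO_free (in);
+return ret;
+}
+#endif /* ENABLE_INLINE_FILES */
+
+int
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+, const char *priv_key_file_inline
+#endif
+)
+{
+ASSERT(NULL != ctx);
+
+int status;
+
+#if ENABLE_INLINE_FILES
+if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
+{
+status = use_inline_PrivateKey_file (ctx->ctx, priv_key_file_inline);
+}
+else
+#endif /* ENABLE_INLINE_FILES */
+{
+status = SSL_CTX_use_PrivateKey_file (ctx->ctx, priv_key_file, SSL_FILETYPE_PEM);
+}
+if (!status)
+{
+#ifdef ENABLE_MANAGEMENT
+if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
+management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
+msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file);
+return 1;
+}
+warn_if_group_others_accessible (priv_key_file);
+
+/* Check Private Key */
+if (!SSL_CTX_check_private_key (ctx->ctx))
+msg (M_SSLERR, "Private key does not match the certificate");
+return 0;
+
+}
+
 void
 show_available_tls_ciphers ()
 {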
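Review bot: The certificate/key mismatch path in tls_ctx_load_priv_file falls through to `return 0;` after `msg (M_SSLERR, "Private key does not match the certificate");`, so unless M_SSLERR terminates the process (its definition is not visible in this hunk) the caller in init_ssl treats a key that does not belong to the loaded certificate as success, contrary to the "1 if an error occurred" contract in ssl_backend.h. Making the failure explicit costs three lines: `if (!SSL_CTX_check_private_key (ctx->ctx)) { msg (M_SSLERR, "Private key does not match the certificate"); return 1; }`, and it stays correct even if msg() never returns. Two smaller points: `int status;` is declared after the `ASSERT(NULL != ctx);` statement, which needs C99 mixed declarations, so move it above the assert if the project still targets C89 compilers; and the blank line before the closing brace can go.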

1 comment on commit 4431a8b


@andj andj commented on 4431a8b Aug 25, 2011

