From: reyk Date: Tue, 29 Apr 2014 10:08:55 +0000 (+0000) Subject: It is only required to load the keys and certs into the same SSL X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=20ee361142330c9ed59bca31f57825701533b9f1;p=openbsd It is only required to load the keys and certs into the same SSL context once. Simplify the code path by moving the loading from three different places into ssl_ctx_create(): ok gilles@ --- diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c index ad24e54845f..b636ae0fd38 100644 --- a/usr.sbin/smtpd/ssl.c +++ b/usr.sbin/smtpd/ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.61 2014/04/19 14:09:19 gilles Exp $ */ +/* $OpenBSD: ssl.c,v 1.62 2014/04/29 10:08:55 reyk Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -66,18 +66,10 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki) { DH *dh; SSL_CTX *ctx; - - ctx = ssl_ctx_create(); - if (!ssl_ctx_use_certificate_chain(ctx, - pki->pki_cert, pki->pki_cert_len)) - goto err; - if (!ssl_ctx_use_private_key(ctx, - pki->pki_key, pki->pki_key_len)) - goto err; + ctx = ssl_ctx_create(pki->pki_cert, pki->pki_cert_len, + pki->pki_key, pki->pki_key_len); - if (!SSL_CTX_check_private_key(ctx)) - goto err; if (!SSL_CTX_set_session_id_context(ctx, (const unsigned char *)pki->pki_name, strlen(pki->pki_name) + 1)) @@ -251,7 +243,7 @@ fail: } SSL_CTX * -ssl_ctx_create() +ssl_ctx_create(char *cert, off_t cert_len, char *key, off_t key_len) { SSL_CTX *ctx; 
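Review bot: The new call in ssl_setup has no error path left for bad credentials: ssl_ctx_create() now fatal()s when the chain or key cannot be loaded or do not match, so the `goto err` cleanup that handled those cases before (the `err:` label and the rest of ssl_setup are outside the hunk) is reached only from the calls that follow. The ssl_mta_init hunk in ssl_smtpd.c makes the same shift, forwarding its caller-supplied cert/key into a function that terminates the process instead of returning; if any caller of ssl_setup or ssl_mta_init relied on a 0/NULL return to report a misconfigured pki, that presumably now kills smtpd — worth confirming at the call sites. Since the contract changed, the prototype in ssl.h deserves a comment such as `/* fatal()s if cert/key cannot be loaded or do not match; NULL cert and key give a context without credentials */`.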
@@ -273,6 +265,19 @@ ssl_ctx_create() fatal("ssl_ctx_create: could not set cipher list"); } + if (cert != NULL && key != NULL) { + if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len)) { + ssl_error("ssl_ctx_create"); + fatal("ssl_ctx_create: invalid certificate chain"); + } else if (!ssl_ctx_use_private_key(ctx, key, key_len)) { + ssl_error("ssl_ctx_create"); + fatal("ssl_ctx_create: could not use private key"); + } else if (!SSL_CTX_check_private_key(ctx)) { + ssl_error("ssl_ctx_create"); + fatal("ssl_ctx_create: invalid private key"); + } + } + return (ctx); } diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h index d5eebe080c4..eb4e65f0550 100644 --- a/usr.sbin/smtpd/ssl.h +++ b/usr.sbin/smtpd/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.5 2014/02/04 13:44:41 eric Exp $ */ +/* $OpenBSD: ssl.h,v 1.6 2014/04/29 10:08:55 reyk Exp $ */ /* * Copyright (c) 2013 Gilles Chehade * @@ -42,7 +42,7 @@ struct pki { /* ssl.c */ void ssl_init(void); int ssl_setup(SSL_CTX **, struct pki *); -SSL_CTX *ssl_ctx_create(void); +SSL_CTX *ssl_ctx_create(char *, off_t, char *, off_t); int ssl_cmp(struct pki *, struct pki *); DH *get_dh1024(void); DH *get_dh_from_memory(char *, size_t); diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c index 8d796d51836..bf0c9d22570 100644 --- a/usr.sbin/smtpd/ssl_smtpd.c +++ b/usr.sbin/smtpd/ssl_smtpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_smtpd.c,v 1.4 2014/02/04 13:44:41 eric Exp $ */ +/* $OpenBSD: ssl_smtpd.c,v 1.5 2014/04/29 10:08:55 reyk Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard 
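Review bot: The guard `if (cert != NULL && key != NULL)` silently skips loading when exactly one of cert and key is NULL, so a pki with a certificate but no key (or the reverse) yields a context with no credentials rather than an error. Before this commit ssl_setup loaded both unconditionally and failed on the missing one, so that misconfiguration surfaced at setup instead of at the first handshake; ssl_mta_init already had the both-or-nothing gate, which is the client-side case the NULL/NULL path is presumably meant to keep. A mismatch check ahead of the block preserves that case while rejecting half a pair: `if ((cert == NULL) != (key == NULL)) fatal("ssl_ctx_create: certificate and key must be given together");`. The message on the SSL_CTX_check_private_key() branch, `"invalid private key"`, is also misleading, since that call fails when the key does not match the loaded certificate; `"private key does not match certificate"` says what the operator has to fix. A one-line comment above the block stating that both-NULL is the intentional no-credentials case would help readers of the ssl.h prototype, which carries no parameter names.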
@@ -49,16 +49,7 @@ ssl_mta_init(char *cert, off_t cert_len, char *key, off_t key_len) SSL_CTX *ctx = NULL; SSL *ssl = NULL; - ctx = ssl_ctx_create(); - - if (cert != NULL && key != NULL) { - if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len)) - goto err; - else if (!ssl_ctx_use_private_key(ctx, key, key_len)) - goto err; - else if (!SSL_CTX_check_private_key(ctx)) - goto err; - } + ctx = ssl_ctx_create(cert, cert_len, key, key_len); if ((ssl = SSL_new(ctx)) == NULL) goto err; @@ -96,12 +87,6 @@ ssl_smtp_init(void *ssl_ctx, char *cert, off_t cert_len, char *key, off_t key_le int (*cb)(SSL *,int *,void *) = sni; log_debug("debug: session_start_ssl: switching to SSL"); - if (!ssl_ctx_use_certificate_chain(ssl_ctx, cert, cert_len)) - goto err; - else if (!ssl_ctx_use_private_key(ssl_ctx, key, key_len)) - goto err; - else if (!SSL_CTX_check_private_key(ssl_ctx)) - goto err; SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);