From 20ee361142330c9ed59bca31f57825701533b9f1 Mon Sep 17 00:00:00 2001 From: reyk Date: Tue, 29 Apr 2014 10:08:55 +0000 Subject: [PATCH] It is only required to load the keys and certs into the same SSL context once. Simplify the code path by moving the loading from three different places into ssl_ctx_create(): ok gilles@ --- usr.sbin/smtpd/ssl.c | 29 +++++++++++++++++------------ usr.sbin/smtpd/ssl.h | 4 ++-- usr.sbin/smtpd/ssl_smtpd.c | 19 ++----------------- 3 files changed, 21 insertions(+), 31 deletions(-) diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c index ad24e54845f..b636ae0fd38 100644 --- a/usr.sbin/smtpd/ssl.c +++ b/usr.sbin/smtpd/ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.61 2014/04/19 14:09:19 gilles Exp $ */ +/* $OpenBSD: ssl.c,v 1.62 2014/04/29 10:08:55 reyk Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -66,18 +66,10 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki) { DH *dh; SSL_CTX *ctx; - - ctx = ssl_ctx_create(); - if (!ssl_ctx_use_certificate_chain(ctx, - pki->pki_cert, pki->pki_cert_len)) - goto err; - if (!ssl_ctx_use_private_key(ctx, - pki->pki_key, pki->pki_key_len)) - goto err; + ctx = ssl_ctx_create(pki->pki_cert, pki->pki_cert_len, + pki->pki_key, pki->pki_key_len); - if (!SSL_CTX_check_private_key(ctx)) - goto err; if (!SSL_CTX_set_session_id_context(ctx, (const unsigned char *)pki->pki_name, strlen(pki->pki_name) + 1)) @@ -251,7 +243,7 @@ fail: } SSL_CTX * -ssl_ctx_create() +ssl_ctx_create(char *cert, off_t cert_len, char *key, off_t key_len) { SSL_CTX *ctx; 
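Review bot: With the loading moved into ssl_ctx_create(), ssl_setup() no longer notices a pki entry whose certificate or key is missing: the old `ssl_ctx_use_certificate_chain(ctx, pki->pki_cert, ...)` call failed on a NULL buffer and took the `goto err` path, whereas the new ssl_ctx_create() skips loading altogether when either pointer is NULL, so ssl_setup() presumably returns a server context that has no identity and the problem surfaces only at handshake time. If pki_cert or pki_key can still be NULL at this point (how struct pki is populated is not visible here), guard the call: `if (pki->pki_cert == NULL || pki->pki_key == NULL) goto err;`. The rest of ssl_setup(), including the err label, lies outside the hunk.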
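Review bot: The new ssl_ctx_create() signature carries no documentation of what the four parameters mean, that a NULL cert/key pair is accepted, or that a load failure aborts rather than being reported, so a caller has to read the body to learn the contract. A comment above the definition such as `/* Create a configured SSL_CTX; when cert and key are both non-NULL they are loaded into it and any failure is fatal. */` would state it. Since the function only reads the buffers, `const char *cert` and `const char *key` would document that as well, provided ssl_ctx_use_certificate_chain() and ssl_ctx_use_private_key() accept const pointers (their prototypes are not in this patch); the same applies to the prototype hunk in ssl.h.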
@@ -273,6 +265,19 @@ ssl_ctx_create()
 		fatal("ssl_ctx_create: could not set cipher list");
 	}
 
+	if (cert != NULL && key != NULL) {
+		if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len)) {
+			ssl_error("ssl_ctx_create");
+			fatal("ssl_ctx_create: invalid certificate chain");
+		} else if (!ssl_ctx_use_private_key(ctx, key, key_len)) {
+			ssl_error("ssl_ctx_create");
+			fatal("ssl_ctx_create: could not use private key");
+		} else if (!SSL_CTX_check_private_key(ctx)) {
+			ssl_error("ssl_ctx_create");
+			fatal("ssl_ctx_create: invalid private key");
+		}
+	}
+
 	return (ctx);
 }
 
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index d5eebe080c4..eb4e65f0550 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.5 2014/02/04 13:44:41 eric Exp $ */
+/* $OpenBSD: ssl.h,v 1.6 2014/04/29 10:08:55 reyk Exp $ */
 /*
  * Copyright (c) 2013 Gilles Chehade
  *
@@ -42,7 +42,7 @@ struct pki {
 /* ssl.c */
 void ssl_init(void);
 int ssl_setup(SSL_CTX **, struct pki *);
-SSL_CTX *ssl_ctx_create(void);
+SSL_CTX *ssl_ctx_create(char *, off_t, char *, off_t);
 int ssl_cmp(struct pki *, struct pki *);
 DH *get_dh1024(void);
 DH *get_dh_from_memory(char *, size_t);
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 8d796d51836..bf0c9d22570 100644
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.4 2014/02/04 13:44:41 eric Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.5 2014/04/29 10:08:55 reyk Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
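Review bot: The guard `if (cert != NULL && key != NULL)` treats a certificate without a key, or a key without a certificate, the same as no credentials at all: the mismatch is silently ignored and the returned context has no identity, which a caller cannot tell apart from a deliberately anonymous context. A half-configured pair is a misconfiguration that deserves the same fatal treatment the block gives an unloadable certificate, e.g. `if ((cert == NULL) != (key == NULL))` followed by `fatal("ssl_ctx_create: certificate and key must be given together");` placed before the existing check. The error path itself is consistent with the cipher-list failure just above it, which is good.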
@@ -49,16 +49,7 @@ ssl_mta_init(char *cert, off_t cert_len, char *key, off_t key_len)
 	SSL_CTX *ctx = NULL;
 	SSL *ssl = NULL;
 
-	ctx = ssl_ctx_create();
-
-	if (cert != NULL && key != NULL) {
-		if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len))
-			goto err;
-		else if (!ssl_ctx_use_private_key(ctx, key, key_len))
-			goto err;
-		else if (!SSL_CTX_check_private_key(ctx))
-			goto err;
-	}
+	ctx = ssl_ctx_create(cert, cert_len, key, key_len);
 
 	if ((ssl = SSL_new(ctx)) == NULL)
 		goto err;
@@ -96,12 +87,6 @@ ssl_smtp_init(void *ssl_ctx, char *cert, off_t cert_len, char *key, off_t key_le
 	int (*cb)(SSL *,int *,void *) = sni;
 
 	log_debug("debug: session_start_ssl: switching to SSL");
-	if (!ssl_ctx_use_certificate_chain(ssl_ctx, cert, cert_len))
-		goto err;
-	else if (!ssl_ctx_use_private_key(ssl_ctx, key, key_len))
-		goto err;
-	else if (!SSL_CTX_check_private_key(ssl_ctx))
-		goto err;
 
 	SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);
 
-- 
2.20.1
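Review bot: The removed lines let ssl_mta_init() fail only the current session when a certificate or key could not be loaded (`goto err`), but ssl_ctx_create() now calls fatal() on those same conditions, so a relay whose credentials cannot be loaded terminates the whole process instead of yielding a failed connection. That matches the server side in ssl_setup(), but it is a behaviour change on the MTA path that the commit message does not mention; if the per-relay credentials are validated before they reach this function (not visible here) it may be acceptable, otherwise a non-fatal variant of ssl_ctx_create() that returns NULL on a load failure would keep the old semantics. The err label and the remainder of ssl_mta_init() are outside the hunk.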
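Review bot: After this removal the parameters cert, cert_len, key and key_len are no longer referenced in the visible part of ssl_smtp_init(); if they are also unused in the rest of the function (which starts and ends outside the hunk), they should be dropped from the signature and its callers, otherwise they remain dead arguments that suggest the context is still configured here. A comment on the ssl_ctx parameter stating the new division of responsibility, e.g. `/* ssl_ctx must come from ssl_ctx_create() with its certificate and key already loaded */`, would make it explicit that this function no longer loads credentials.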