Hi guys,
[as advised on the list, i'm going through rt]
I'm writing several privilege separated daemons which rely on openssl
and need reload support. What I really need is to be able to create SSL
context in jails, SSL_use_chain_certificate_file and friends don't work
in such an environment as the certificate files are usually owned by
root outside the jail.
All _file function call BIO_new then set the underlying filename and
continue their work.
Here is a diff that provides an alternate _fp function for every _file
function which takes a FILE * pointer which will be used as the
underlying BIO source.
diff -ruNp openssl-SNAP-20070904/doc/ssl/SSL_CTX_use_certificate.pod
openssl-work/doc/ssl/SSL_CTX_use_certificate.pod ---
openssl-SNAP-20070904/doc/ssl/SSL_CTX_use_certificate.pod Sat
Apr 9 01:00:10 2005 +++
openssl-work/doc/ssl/SSL_CTX_use_certificate.pod Tue Sep 4
14:47:35 2007 @@ -2,7 +2,7 @@ =head1 NAME
-SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1,
SSL_CTX_use_certificate_file, SSL_use_certificate,
SSL_use_certificate_ASN1, SSL_use_certificate_file,
SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey,
SSL_CTX_use_PrivateKey_ASN1, SSL_CTX_use_PrivateKey_file,
SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1,
SSL_CTX_use_RSAPrivateKey_file, SSL_use_PrivateKey_file,
SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey,
SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file,
SSL_CTX_check_private_key, SSL_check_private_key - load certificate and
key data +SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1,
SSL_CTX_use_certificate_file, SSL_CTX_use_certificate_fp,
SSL_use_certificate, SSL_use_certificate_ASN1,
SSL_use_certificate_file, SSL_use_certificate_fp,
SSL_CTX_use_certificate_chain_file, SSL_CTX_use_certificate_chain_fp,
SSL_CTX_use_PrivateKey, SSL_CTX_use_PrivateKey_ASN1,
SSL_CTX_use_PrivateKey_file, SSL_CTX_use_PrivateKey_fp,
SSL_CTX_use_RSAPrivateKey, SSL_CTX_use_RSAPrivateKey_ASN1,
SSL_CTX_use_RSAPrivateKey_file, SSL_CTX_use_RSAPrivateKey_fp,
SSL_use_PrivateKey_file, SSL_use_PrivateKey_fp,
SSL_use_PrivateKey_ASN1, SSL_use_PrivateKey, SSL_use_RSAPrivateKey,
SSL_use_RSAPrivateKey_ASN1, SSL_use_RSAPrivateKey_file,
SSL_use_RSAPrivateKey_fp, SSL_CTX_check_private_key,
SSL_check_private_key - load certificate and key data =head1 SYNOPSIS
@@ -11,25 +11,32 @@ SSL_CTX_use_certificate,
SSL_CTX_use_certificate_ASN1, int SSL_CTX_use_certificate(SSL_CTX *ctx,
X509 *x); int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
unsigned char *d); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const
char *file, int type);
+ int SSL_CTX_use_certificate_fp(SSL_CTX *ctx, FILE *fp, int type);
int SSL_use_certificate(SSL *ssl, X509 *x);
int SSL_use_certificate_ASN1(SSL *ssl, unsigned char *d, int len);
int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
+ int SSL_use_certificate_fp(SSL *ssl, FILE *fp, int type);
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char
*file);
+ int SSL_CTX_use_certificate_chain_fp(SSL_CTX *ctx, FILE *fp);
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char
*d, long len);
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int
type);
+ int SSL_CTX_use_PrivateKey_fp(SSL_CTX *ctx, FILE *fp, int type);
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d,
long len); int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char
*file, int type);
+ int SSL_CTX_use_RSAPrivateKey_fp(SSL_CTX *ctx, FILE *fp, int type);
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
int SSL_use_PrivateKey_ASN1(int pk,SSL *ssl, unsigned char *d, long
len); int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
+ int SSL_use_PrivateKey_fp(SSL *ssl, FILE *fp, int type);
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+ int SSL_use_RSAPrivateKey_fp(SSL *ssl, FILE *fp, int type);
int SSL_CTX_check_private_key(const SSL_CTX *ctx);
int SSL_check_private_key(const SSL *ssl);
@@ -66,6 +73,13 @@ SSL_use_certificate_file() loads the certificate
from See the NOTES section on why SSL_CTX_use_certificate_chain_file()
should be preferred.
+SSL_CTX_use_certificate_fp() loads the first certificate stored in the
+file pointer B<fp> into B<ctx>. The formatting B<type> of the
certificate +must be specified from the known types SSL_FILETYPE_PEM,
SSL_FILETYPE_ASN1. +SSL_use_certificate_fp() loads the certificate from
file pointer B<fp> +into B<ssl>. See the NOTES section on why
SSL_CTX_use_certificate_chain_fp() +should be preferred.
+
SSL_CTX_use_certificate_chain_file() loads a certificate chain from
B<file> into B<ctx>. The certificates must be in PEM format and must
be sorted starting with the subject's certificate (actual client or
server @@ -73,6 +87,13 @@ certificate), followed by intermediate CA
certificates ending at the highest level (root) CA.
There is no corresponding function working on a single SSL object.
+SSL_CTX_use_certificate_chain_fp() loads a certificate chain from file
+pointer B<fp> into B<ctx>. The certificates must be in PEM format and
must +be sorted starting with the subject's certificate (actual client
or server +certificate), followed by intermediate CA certificates if
applicable, and +ending at the highest level (root) CA.
+There is no corresponding function working on a single SSL object.
+
SSL_CTX_use_PrivateKey() adds B<pkey> as private key to B<ctx>.
SSL_CTX_use_RSAPrivateKey() adds the private key B<rsa> of type RSA
to B<ctx>. SSL_use_PrivateKey() adds B<pkey> as private key to B<ssl>;
@@ -99,6 +120,9 @@ B<file> to B<ctx>. SSL_use_PrivateKey_file() adds
the in B<file> to B<ssl>; SSL_use_RSAPrivateKey_file() adds the first
private RSA key found to B<ssl>.
+SSL_CTX_use_PrivateKey_fp() works just like
SSL_CTX_use_PrivateKey_file() except +it reads data from the file
pointer B<fp>. +
SSL_CTX_check_private_key() checks the consistency of a private key
with the corresponding certificate loaded into B<ctx>. If more than one
key/certificate pair (RSA/DSA) is installed, the last item installed
will @@ -120,9 +144,9 @@ one certificate or private key, consequently
SSL_CTX_use_certificate_chain_file() is only applicable to PEM
formatting. Files of type SSL_FILETYPE_PEM can contain more than one
item.
-SSL_CTX_use_certificate_chain_file() adds the first certificate found
-in the file to the certificate store. The other certificates are added
-to the store of chain certificates using
+SSL_CTX_use_certificate_chain_file() and
SSL_CTX_use_certificate_chain_fp() +add the first certificate found in
the file to the certificate store. +The other certificates are added to
the store of chain certificates using
L<SSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3)>.
There exists only one extra chain store, so that the same chain is
appended to both types of certificates, RSA and DSA! If it is not
intended to use diff -ruNp openssl-SNAP-20070904/doc/ssl/ssl.pod
openssl-work/doc/ssl/ssl.pod ---
openssl-SNAP-20070904/doc/ssl/ssl.pod Sat Mar 11 01:00:33 2006
+++ openssl-work/doc/ssl/ssl.pod Tue Sep 4 14:47:35 2007 @@
-362,18 +362,24 @@ session instead of a context. =item int
B<SSL_CTX_use_PrivateKey_file>(SSL_CTX *ctx, char *file, int type);
+=item int B<SSL_CTX_use_PrivateKey_fp>(SSL_CTX *ctx, FILE *fp, int
type); +
=item int B<SSL_CTX_use_RSAPrivateKey>(SSL_CTX *ctx, RSA *rsa);
=item int B<SSL_CTX_use_RSAPrivateKey_ASN1>(SSL_CTX *ctx, unsigned
char *d, long len);
=item int B<SSL_CTX_use_RSAPrivateKey_file>(SSL_CTX *ctx, char *file,
int type);
+=item int B<SSL_CTX_use_RSAPrivateKey_fp>(SSL_CTX *ctx, FILE *fp, int
type); +
=item int B<SSL_CTX_use_certificate>(SSL_CTX *ctx, X509 *x);
=item int B<SSL_CTX_use_certificate_ASN1>(SSL_CTX *ctx, int len,
unsigned char *d);
=item int B<SSL_CTX_use_certificate_file>(SSL_CTX *ctx, char *file,
int type);
+=item int B<SSL_CTX_use_certificate_fp>(SSL_CTX *ctx, FILE *fp, int
type); +
=item void B<SSL_CTX_set_psk_client_callback>(SSL_CTX *ctx, unsigned
int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned
int max_identity_len, unsigned char *psk, unsigned int max_psk_len));
=item int B<SSL_CTX_use_psk_identity_hint>(SSL_CTX *ctx, const char
*hint); @@ -633,17 +639,23 @@ connection defined in the B<SSL>
structure. =item int B<SSL_use_PrivateKey_file>(SSL *ssl, char *file,
int type);
+=item int B<SSL_use_PrivateKey_fp>(SSL *ssl, FILE *fp, int type);
+
=item int B<SSL_use_RSAPrivateKey>(SSL *ssl, RSA *rsa);
=item int B<SSL_use_RSAPrivateKey_ASN1>(SSL *ssl, unsigned char *d,
long len);
=item int B<SSL_use_RSAPrivateKey_file>(SSL *ssl, char *file, int
type);
+=item int B<SSL_use_RSAPrivateKey_fp>(SSL *ssl, FILE *fp, int type);
+
=item int B<SSL_use_certificate>(SSL *ssl, X509 *x);
=item int B<SSL_use_certificate_ASN1>(SSL *ssl, int len, unsigned char
*d);
=item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
+
+=item int B<SSL_use_certificate_fp>(SSL *ssl, FILE *fp, int type);
=item int B<SSL_version>(const SSL *ssl);
diff -ruNp openssl-SNAP-20070904/ssl/ssl.h openssl-work/ssl/ssl.h
--- openssl-SNAP-20070904/ssl/ssl.h Fri Aug 31 15:03:02 2007
+++ openssl-work/ssl/ssl.h Tue Sep 4 11:47:11 2007
@@ -1401,6 +1401,7 @@ int SSL_use_certificate_ASN1(SSL *ssl,
const unsigned int SSL_use_RSAPrivateKey_file(SSL *ssl, const
char *file, int type); int SSL_use_PrivateKey_file(SSL *ssl,
const char *file, int type); int SSL_use_certificate_file(SSL
*ssl, const char *file, int type); +int
SSL_use_certificate_fp(SSL *ssl, FILE *fp, int type); int
SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int
type); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char
*file, int type); int SSL_CTX_use_certificate_file(SSL_CTX *ctx,
const char *file, int type); @@ -1810,22 +1811,27 @@ void
ERR_load_SSL_strings(void); #define
SSL_F_SSL_CTX_USE_CERTIFICATE 171 #define
SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1 172 #define
SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE 220 +#define
SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FP 221 #define
SSL_F_SSL_CTX_USE_CERTIFICATE_FILE 173 -#define
SSL_F_SSL_CTX_USE_PRIVATEKEY 174 -#define
SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 175 -#define
SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 176 +#define
SSL_F_SSL_CTX_USE_CERTIFICATE_FP 174 +#define
SSL_F_SSL_CTX_USE_PRIVATEKEY 175 +#define
SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1 176 +#define
SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE 177 +#define
SSL_F_SSL_CTX_USE_PRIVATEKEY_FP 178 #define
SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT 272 #define
SSL_F_SSL_CTX_USE_RSAPRIVATEKEY 177 #define
SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1 178 #define
SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE 179 -#define
SSL_F_SSL_DO_HANDSHAKE 180 -#define
SSL_F_SSL_GET_NEW_SESSION 181 +#define
SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FP 180 +#define
SSL_F_SSL_DO_HANDSHAKE 181 +#define
SSL_F_SSL_GET_NEW_SESSION 182 #define
SSL_F_SSL_GET_PREV_SESSION 217 #define
SSL_F_SSL_GET_SERVER_SEND_CERT 182 #define
SSL_F_SSL_GET_SIGN_PKEY 183 #define
SSL_F_SSL_INIT_WBIO_BUFFER 184 #define
SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 -#define
SSL_F_SSL_NEW 186 +#define
SSL_F_SSL_LOAD_CLIENT_CA_FP 186 +#define
SSL_F_SSL_NEW 187 #define
SSL_F_SSL_PEEK 270 #define
SSL_F_SSL_PREPARE_CLIENTHELLO_TLSEXT 281 #define
SSL_F_SSL_PREPARE_SERVERHELLO_TLSEXT 282 @@ -1852,16
+1858,19 @@ void ERR_load_SSL_strings(void); #define
SSL_F_SSL_USE_CERTIFICATE 198 #define
SSL_F_SSL_USE_CERTIFICATE_ASN1 199 #define
SSL_F_SSL_USE_CERTIFICATE_FILE 200 -#define
SSL_F_SSL_USE_PRIVATEKEY 201 -#define
SSL_F_SSL_USE_PRIVATEKEY_ASN1 202 -#define
SSL_F_SSL_USE_PRIVATEKEY_FILE 203 +#define
SSL_F_SSL_USE_CERTIFICATE_FP 201 +#define
SSL_F_SSL_USE_PRIVATEKEY 202 +#define
SSL_F_SSL_USE_PRIVATEKEY_ASN1 203 +#define
SSL_F_SSL_USE_PRIVATEKEY_FILE 204 +#define
SSL_F_SSL_USE_PRIVATEKEY_FP 205 #define
SSL_F_SSL_USE_PSK_IDENTITY_HINT 273 #define
SSL_F_SSL_USE_RSAPRIVATEKEY 204 #define
SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1 205 #define
SSL_F_SSL_USE_RSAPRIVATEKEY_FILE 206 -#define
SSL_F_SSL_VERIFY_CERT_CHAIN 207 -#define
SSL_F_SSL_WRITE 208 -#define
SSL_F_TLS1_CHANGE_CIPHER_STATE 209 +#define
SSL_F_SSL_USE_RSAPRIVATEKEY_FP 207 +#define
SSL_F_SSL_VERIFY_CERT_CHAIN 208 +#define
SSL_F_SSL_WRITE 209 +#define
SSL_F_TLS1_CHANGE_CIPHER_STATE 210 #define
SSL_F_TLS1_CHECK_SERVERHELLO_TLSEXT 274 #define
SSL_F_TLS1_ENC 210 #define
SSL_F_TLS1_PREPARE_CLIENTHELLO_TLSEXT 275 diff -ruNp
openssl-SNAP-20070904/ssl/ssl_err.c openssl-work/ssl/ssl_err.c ---
openssl-SNAP-20070904/ssl/ssl_err.c Fri Aug 31 15:03:03 2007 +++
openssl-work/ssl/ssl_err.c Tue Sep 4 11:59:18 2007 @@ -197,14
+197,18 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE), "SSL_CTX_use_certificate"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_ASN1), "SSL_CTX_use_certificate_ASN1"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE),
"SSL_CTX_use_certificate_chain_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FP),
"SSL_CTX_use_certificate_chain_fp"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE), "SSL_CTX_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_CERTIFICATE_FP), "SSL_CTX_use_certificate_fp"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY), "SSL_CTX_use_PrivateKey"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_ASN1), "SSL_CTX_use_PrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FILE), "SSL_CTX_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_PRIVATEKEY_FP), "SSL_CTX_use_PrivateKey_fp"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_PSK_IDENTITY_HINT),
"SSL_CTX_use_psk_identity_hint"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY), "SSL_CTX_use_RSAPrivateKey"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_ASN1),
"SSL_CTX_use_RSAPrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FILE),
"SSL_CTX_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FP), "SSL_CTX_use_RSAPrivateKey_fp"},
{ERR_FUNC(SSL_F_SSL_DO_HANDSHAKE), "SSL_do_handshake"},
{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
@@ -239,13 +243,16 @@ static ERR_STRING_DATA SSL_str_functs[]=
{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE), "SSL_use_certificate"},
{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_ASN1), "SSL_use_certificate_ASN1"},
{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FILE), "SSL_use_certificate_file"},
+{ERR_FUNC(SSL_F_SSL_USE_CERTIFICATE_FP), "SSL_use_certificate_fp"},
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY), "SSL_use_PrivateKey"},
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_ASN1), "SSL_use_PrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FILE), "SSL_use_PrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_USE_PRIVATEKEY_FP), "SSL_use_PrivateKey_fp"},
{ERR_FUNC(SSL_F_SSL_USE_PSK_IDENTITY_HINT), "SSL_use_psk_identity_hint"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY), "SSL_use_RSAPrivateKey"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_ASN1), "SSL_use_RSAPrivateKey_ASN1"},
{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FILE), "SSL_use_RSAPrivateKey_file"},
+{ERR_FUNC(SSL_F_SSL_USE_RSAPRIVATEKEY_FP), "SSL_use_RSAPrivateKey_fp"},
{ERR_FUNC(SSL_F_SSL_VERIFY_CERT_CHAIN), "SSL_VERIFY_CERT_CHAIN"},
{ERR_FUNC(SSL_F_SSL_WRITE), "SSL_write"},
{ERR_FUNC(SSL_F_TLS1_CHANGE_CIPHER_STATE), "TLS1_CHANGE_CIPHER_STATE"},
diff -ruNp openssl-SNAP-20070904/ssl/ssl_rsa.c
openssl-work/ssl/ssl_rsa.c ---
openssl-SNAP-20070904/ssl/ssl_rsa.c Sat Apr 9 01:00:10 2005 +++
openssl-work/ssl/ssl_rsa.c Tue Sep 4 12:28:09 2007 @@ -82,6
+82,49 @@ int SSL_use_certificate(SSL *ssl, X509 *x) } #ifndef
OPENSSL_NO_STDIO +int SSL_use_certificate_fp(SSL *ssl, FILE *fp, int
type)
+ {
+ int j;
+ BIO *in;
+ int ret=0;
+ X509 *x=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_ASN1)
+ {
+ j=ERR_R_ASN1_LIB;
+ x=d2i_X509_bio(in,NULL);
+ }
+ else if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+
x=PEM_read_bio_X509(in,NULL,ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_USE_CERTIFICATE_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+
+ if (x == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_CERTIFICATE_FP,j);
+ goto end;
+ }
+
+ ret=SSL_use_certificate(ssl,x);
+end:
+ if (x != NULL) X509_free(x);
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
{
int j;
@@ -226,6 +269,47 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
#ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_STDIO
+int SSL_use_RSAPrivateKey_fp(SSL *ssl, FILE *fp, int type)
+ {
+ int j,ret=0;
+ BIO *in;
+ RSA *rsa=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_ASN1)
+ {
+ j=ERR_R_ASN1_LIB;
+ rsa=d2i_RSAPrivateKey_bio(in,NULL);
+ }
+ else if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+ rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
+
ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (rsa == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_RSAPRIVATEKEY_FP,j);
+ goto end;
+ }
+ ret=SSL_use_RSAPrivateKey(ssl,rsa);
+ RSA_free(rsa);
+end:
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
@@ -311,6 +395,47 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
}
#ifndef OPENSSL_NO_STDIO
+int SSL_use_PrivateKey_fp(SSL *ssl, FILE *fp, int type)
+ {
+ int j,ret=0;
+ BIO *in;
+ EVP_PKEY *pkey=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+ pkey=PEM_read_bio_PrivateKey(in,NULL,
+
ssl->ctx->default_passwd_callback,ssl->ctx->default_passwd_callback_userdata);
+ }
+ else if (type == SSL_FILETYPE_ASN1)
+ {
+ j = ERR_R_ASN1_LIB;
+ pkey = d2i_PrivateKey_bio(in,NULL);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (pkey == NULL)
+ {
+ SSLerr(SSL_F_SSL_USE_PRIVATEKEY_FP,j);
+ goto end;
+ }
+ ret=SSL_use_PrivateKey(ssl,pkey);
+ EVP_PKEY_free(pkey);
+end:
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type)
{
int j,ret=0;
@@ -451,6 +576,49 @@ static int ssl_set_cert(CERT *c, X509 *x)
}
#ifndef OPENSSL_NO_STDIO
+int SSL_CTX_use_certificate_fp(SSL_CTX *ctx, FILE *fp, int type)
+ {
+ int j;
+ BIO *in;
+ int ret=0;
+ X509 *x=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_ASN1)
+ {
+ j=ERR_R_ASN1_LIB;
+ x=d2i_X509_bio(in,NULL);
+ }
+ else if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+
x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+
+ if (x == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FP,j);
+ goto end;
+ }
+
+ ret=SSL_CTX_use_certificate(ctx,x);
+end:
+ if (x != NULL) X509_free(x);
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int
type) {
int j;
@@ -548,6 +716,47 @@ int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA
*rsa) }
#ifndef OPENSSL_NO_STDIO
+int SSL_CTX_use_RSAPrivateKey_fp(SSL_CTX *ctx, FILE *fp, int type)
+ {
+ int j,ret=0;
+ BIO *in;
+ RSA *rsa=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_ASN1)
+ {
+ j=ERR_R_ASN1_LIB;
+ rsa=d2i_RSAPrivateKey_bio(in,NULL);
+ }
+ else if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+ rsa=PEM_read_bio_RSAPrivateKey(in,NULL,
+
ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (rsa == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_RSAPRIVATEKEY_FP,j);
+ goto end;
+ }
+ ret=SSL_CTX_use_RSAPrivateKey(ctx,rsa);
+ RSA_free(rsa);
+end:
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int
type) {
int j,ret=0;
@@ -630,6 +839,47 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY
*pke }
#ifndef OPENSSL_NO_STDIO
+int SSL_CTX_use_PrivateKey_fp(SSL_CTX *ctx, FILE *fp, int type)
+ {
+ int j,ret=0;
+ BIO *in;
+ EVP_PKEY *pkey=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+ if (type == SSL_FILETYPE_PEM)
+ {
+ j=ERR_R_PEM_LIB;
+ pkey=PEM_read_bio_PrivateKey(in,NULL,
+
ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ }
+ else if (type == SSL_FILETYPE_ASN1)
+ {
+ j = ERR_R_ASN1_LIB;
+ pkey = d2i_PrivateKey_bio(in,NULL);
+ }
+ else
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FP,SSL_R_BAD_SSL_FILETYPE);
+ goto end;
+ }
+ if (pkey == NULL)
+ {
+ SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY_FP,j);
+ goto end;
+ }
+ ret=SSL_CTX_use_PrivateKey(ctx,pkey);
+ EVP_PKEY_free(pkey);
+end:
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int
type) {
int j,ret=0;
@@ -702,6 +952,73 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX
*ctx
* possibly followed by a sequence of CA certificates that should be
* sent to the peer in the Certificate message.
*/
+int SSL_CTX_use_certificate_chain_fp(SSL_CTX *ctx, FILE *fp)
+ {
+ BIO *in;
+ int ret=0;
+ X509 *x=NULL;
+
+ in=BIO_new_fp(fp, BIO_NOCLOSE);
+ if (in == NULL)
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FP,ERR_R_BUF_LIB);
+ goto end;
+ }
+
+
x=PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ if (x == NULL)
+ {
+
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FP,ERR_R_PEM_LIB);
+ goto end;
+ }
+
+ ret=SSL_CTX_use_certificate(ctx,x);
+ if (ERR_peek_error() != 0)
+ ret = 0; /* Key/certificate mismatch doesn't imply
ret==0 ... */
+ if (ret)
+ {
+ /* If we could set up our certificate, now proceed to
+ * the CA certificates.
+ */
+ X509 *ca;
+ int r;
+ unsigned long err;
+
+ if (ctx->extra_certs != NULL)
+ {
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
+ }
+
+ while ((ca =
PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+ != NULL)
+ {
+ r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+ if (!r)
+ {
+ X509_free(ca);
+ ret = 0;
+ goto end;
+ }
+ /* Note that we must not free r if it was
successfully
+ * added to the chain (while we must free the
main
+ * certificate, since its reference count is
increased
+ * by SSL_CTX_use_certificate). */
+ }
+ /* When the while loop ends, it's usually just EOF. */
+ err = ERR_peek_last_error();
+ if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
+ ERR_clear_error();
+ else
+ ret = 0; /* some real error */
+ }
+
+end:
+ if (x != NULL) X509_free(x);
+ if (in != NULL) BIO_free(in);
+ return(ret);
+ }
+
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
{
BIO *in;
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
