diff options
| author | Valentin Bartenev <vbart@nginx.com> | 2018-09-20 15:27:08 +0300 |
|---|---|---|
| committer | Valentin Bartenev <vbart@nginx.com> | 2018-09-20 15:27:08 +0300 |
| commit | 8d844bc2aa78d5acc789c5865a62bedbeba76902 (patch) | |
| tree | cbc6e225402434d5b14cb454a2b7c02cebc93bbf /src/nxt_openssl.c | |
| parent | 2dfd8ffc2fa36712c8987afa870c355185d61af9 (diff) | |
| download | unit-8d844bc2aa78d5acc789c5865a62bedbeba76902.tar.gz unit-8d844bc2aa78d5acc789c5865a62bedbeba76902.tar.bz2 | |
Controller: certificates storage interface.
Diffstat (limited to 'src/nxt_openssl.c')
| -rw-r--r-- | src/nxt_openssl.c | 94 |
1 files changed, 87 insertions, 7 deletions
diff --git a/src/nxt_openssl.c b/src/nxt_openssl.c index ca0e698c..91ba3cb0 100644 --- a/src/nxt_openssl.c +++ b/src/nxt_openssl.c @@ -40,6 +40,7 @@ static void nxt_openssl_locks_free(void); #endif static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf); +static nxt_uint_t nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd); static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf); static void nxt_openssl_conn_init(nxt_task_t *task, nxt_tls_conf_t *conf, nxt_conn_t *c); @@ -246,7 +247,8 @@ static nxt_int_t nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) { SSL_CTX *ctx; - const char *certificate, *key, *ciphers, *ca_certificate; + nxt_fd_t fd; + const char *ciphers, *ca_certificate; STACK_OF(X509_NAME) *list; ctx = SSL_CTX_new(SSLv23_server_method()); @@ -284,15 +286,14 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) #endif - certificate = conf->certificate; + fd = conf->chain_file; - if (SSL_CTX_use_certificate_chain_file(ctx, certificate) == 0) { + if (nxt_openssl_chain_file(ctx, fd) != NXT_OK) { nxt_openssl_log_error(task, NXT_LOG_ALERT, - "SSL_CTX_use_certificate_file(\"%s\") failed", - certificate); + "nxt_openssl_chain_file() failed"); goto fail; } - +/* key = conf->certificate_key; if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) == 0) { @@ -301,7 +302,7 @@ nxt_openssl_server_init(nxt_task_t *task, nxt_tls_conf_t *conf) key); goto fail; } - +*/ ciphers = (conf->ciphers != NULL) ? conf->ciphers : "HIGH:!aNULL:!MD5"; if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) { @@ -358,6 +359,85 @@ fail: } +static nxt_uint_t +nxt_openssl_chain_file(SSL_CTX *ctx, nxt_fd_t fd) +{ + BIO *bio; + X509 *cert, *ca; + long reason; + EVP_PKEY *key; + nxt_uint_t ret; + + bio = BIO_new(BIO_s_fd()); + if (bio == NULL) { + return NXT_ERROR; + } + + BIO_set_fd(bio, fd, BIO_CLOSE); + + ret = NXT_ERROR; + + cert = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); + if (cert == NULL) { + goto end; + } + + if (SSL_CTX_use_certificate(ctx, cert) != 1) { + goto end; + } + + for ( ;; ) { + ca = PEM_read_bio_X509(bio, NULL, NULL, NULL); + + if (ca == NULL) { + reason = ERR_GET_REASON(ERR_peek_last_error()); + if (reason != PEM_R_NO_START_LINE) { + goto end; + } + + ERR_clear_error(); + break; + } + + /* + * Note that ca isn't freed if it was successfully added to the chain, + * while the main certificate needs a X509_free() call, since + * its reference count is increased by SSL_CTX_use_certificate(). + */ +#if OPENSSL_VERSION_NUMBER > 0x10002000L + if (SSL_CTX_add0_chain_cert(ctx, ca) != 1) { +#else + if (SSL_CTX_add_extra_chain_cert(ctx, ca) != 1) { +#endif + X509_free(ca); + goto end; + } + } + + if (BIO_reset(bio) != 0) { + goto end; + } + + key = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL); + if (key == NULL) { + goto end; + } + + if (SSL_CTX_use_PrivateKey(ctx, key) == 1) { + ret = NXT_OK; + } + + EVP_PKEY_free(key); + +end: + + X509_free(cert); + BIO_free(bio); + + return ret; +} + + static void nxt_openssl_server_free(nxt_task_t *task, nxt_tls_conf_t *conf) { |