1 /* $NetBSD$ */
3 /*++
4 /* NAME
5 /* tls_certkey 3
6 /* SUMMARY
7 /* public key certificate and private key loader
8 /* SYNOPSIS
9 /* #define TLS_INTERNAL
10 /* #include <tls.h>
12 /* int tls_set_ca_certificate_info(ctx, CAfile, CApath)
13 /* SSL_CTX *ctx;
14 /* const char *CAfile;
15 /* const char *CApath;
17 /* int tls_set_my_certificate_key_info(ctx, cert_file, key_file,
18 /* dcert_file, dkey_file,
19 /* eccert_file, eckey_file)
20 /* SSL_CTX *ctx;
21 /* const char *cert_file;
22 /* const char *key_file;
23 /* const char *dcert_file;
24 /* const char *dkey_file;
25 /* const char *eccert_file;
26 /* const char *eckey_file;
27 /* DESCRIPTION
28 /* OpenSSL supports two options to specify CA certificates:
29 /* either one file CAfile that contains all CA certificates,
30 /* or a directory CApath with separate files for each
31 /* individual CA, with symbolic links named after the hash
32 /* values of the certificates. The second option is not
33 /* convenient with a chrooted process.
35 /* tls_set_ca_certificate_info() loads the CA certificate
36 /* information for the specified TLS server or client context.
37 /* The result is -1 on failure, 0 on success.
39 /* tls_set_my_certificate_key_info() loads the public key
40 /* certificates and private keys for the specified TLS server
41 /* or client context. Up to 3 key pairs (RSA, DSA and ECDSA)
42 /* may be specified; each certificate must match its private
43 /* key. The result is -1 on failure, 0 on success.
44 /* LICENSE
45 /* .ad
46 /* .fi
47 /* This software is free. You can do with it whatever you want.
48 /* The original author kindly requests that you acknowledge
49 /* the use of his software.
50 /* AUTHOR(S)
51 /* Originally written by:
52 /* Lutz Jaenicke
53 /* BTU Cottbus
54 /* Allgemeine Elektrotechnik
55 /* Universitaetsplatz 3-4
56 /* D-03044 Cottbus, Germany
58 /* Updated by:
59 /* Wietse Venema
60 /* IBM T.J. Watson Research
61 /* P.O. Box 704
62 /* Yorktown Heights, NY 10598, USA
63 /*--*/
65 /* System library. */
67 #include <sys_defs.h>
69 #ifdef USE_TLS
71 /* Utility library. */
73 #include <msg.h>
75 /* TLS library. */
77 #define TLS_INTERNAL
78 #include <tls.h>
/* tls_set_ca_certificate_info - load certificate authority certificates */

int     tls_set_ca_certificate_info(SSL_CTX *ctx, const char *CAfile,
                                    const char *CApath)
{
    /*
     * An empty string means "not configured". OpenSSL expects a null
     * pointer for an absent location, so translate before calling it.
     */
    const char *ca_file = (*CAfile != 0) ? CAfile : 0;
    const char *ca_path = (*CApath != 0) ? CApath : 0;

    /*
     * Nothing configured: leave the context untouched and report success.
     * Note that no CA information at all is installed on this path.
     */
    if (ca_file == 0 && ca_path == 0)
        return (0);

    /*
     * Load the configured trust anchors, then also enable OpenSSL's
     * compiled-in default verification paths. Either failure is reported
     * with the OpenSSL error queue attached and yields -1; the caller is
     * expected to disable TLS in that case.
     */
    if (!SSL_CTX_load_verify_locations(ctx, ca_file, ca_path)) {
        msg_info("cannot load Certificate Authority data: "
                 "disabling TLS support");
        tls_print_errors();
        return (-1);
    }
    if (!SSL_CTX_set_default_verify_paths(ctx)) {
        msg_info("cannot set certificate verification paths: "
                 "disabling TLS support");
        tls_print_errors();
        return (-1);
    }
    return (0);
}
/* set_cert_stuff - specify certificate and key information */

static int set_cert_stuff(SSL_CTX *ctx, const char *cert_type,
                          const char *cert_file,
                          const char *key_file)
{
    int     loaded;

    /*
     * Both halves of the pair are required: the public key certificate
     * (chain) from cert_file and the private key from key_file. The two
     * names may refer to the same file. cert_type is only a label for the
     * log messages. Start from an empty OpenSSL error queue so that stale
     * errors are not attributed to this load attempt.
     *
     * Code adapted from OpenSSL apps/s_cb.c.
     *
     * Returns 1 on success, 0 on failure (the reason has been logged).
     */
    ERR_clear_error();

    loaded = (SSL_CTX_use_certificate_chain_file(ctx, cert_file) > 0);
    if (!loaded) {
        msg_warn("cannot get %s certificate from file %s: "
                 "disabling TLS support", cert_type, cert_file);
        tls_print_errors();
        return (0);
    }

    loaded = (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) > 0);
    if (!loaded) {
        msg_warn("cannot get %s private key from file %s: "
                 "disabling TLS support", cert_type, key_file);
        tls_print_errors();
        return (0);
    }

    /*
     * Sanity check: refuse a private key that does not belong to the
     * certificate that was just installed in the context.
     */
    if (SSL_CTX_check_private_key(ctx) == 0) {
        msg_warn("%s private key in %s does not match public key in %s: "
                 "disabling TLS support", cert_type, key_file, cert_file);
        return (0);
    }
    return (1);
}
/* tls_set_my_certificate_key_info - load client or server certificates/keys */

int     tls_set_my_certificate_key_info(SSL_CTX *ctx,
                                        const char *cert_file,
                                        const char *key_file,
                                        const char *dcert_file,
                                        const char *dkey_file,
                                        const char *eccert_file,
                                        const char *eckey_file)
{
    /*
     * Every (certificate, key) pair is optional: an empty certificate file
     * name skips that pair. Having no certificates at all is fine so long
     * as we are prepared to use anonymous ciphers. A pair that is configured
     * but cannot be loaded is fatal; set_cert_stuff() has already logged
     * why. Returns -1 on failure, 0 on success.
     */
    const struct {
        const char *type;               /* label used in log messages */
        const char *cert;               /* certificate file, "" = none */
        const char *key;                /* matching private key file */
    } pairs[] = {
        {"RSA", cert_file, key_file},
        {"DSA", dcert_file, dkey_file},
    };
    size_t  i;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++) {
        if (*pairs[i].cert == 0)
            continue;
        if (!set_cert_stuff(ctx, pairs[i].type, pairs[i].cert, pairs[i].key))
            return (-1);                /* logged */
    }

    /*
     * ECDSA requires OpenSSL 0.9.9 or later built with ECDH support. When
     * that is missing, a configured ECDSA certificate is reported and
     * skipped rather than treated as a failure.
     */
#if OPENSSL_VERSION_NUMBER >= 0x00909000 && !defined(OPENSSL_NO_ECDH)
    if (*eccert_file && !set_cert_stuff(ctx, "ECDSA", eccert_file, eckey_file))
        return (-1);                    /* logged */
#else
    if (*eccert_file)
        msg_warn("ECDSA not supported. Ignoring ECDSA certificate file \"%s\"",
                 eccert_file);
#endif
    return (0);
}
174 #endif