struct cert_key_and_chain {
X509 *cert;
EVP_PKEY *key;
- unsigned int num_chain_certs;
- /* This is an array of X509 pointers */
- X509 **chain_certs;
+ STACK_OF(X509) *chain;
DH *dh;
};
*/
static void ssl_sock_free_cert_key_and_chain_contents(struct cert_key_and_chain *ckch)
{
- int i;
-
if (!ckch)
return;
ckch->key = NULL;
/* Free each certificate in the chain */
- for (i = 0; i < ckch->num_chain_certs; i++) {
- if (ckch->chain_certs[i])
- X509_free(ckch->chain_certs[i]);
- }
-
- /* Free the chain obj itself and set to NULL */
- if (ckch->num_chain_certs > 0) {
- free(ckch->chain_certs);
- ckch->num_chain_certs = 0;
- ckch->chain_certs = NULL;
- }
+ if (ckch->chain)
+ sk_X509_pop_free(ckch->chain, X509_free);
+ ckch->chain = NULL;
}
{
BIO *in;
- X509 *ca = NULL;
+ X509 *ca;
int ret = 1;
ssl_sock_free_cert_key_and_chain_contents(ckch);
ckch->cert = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL);
if (ckch->cert == NULL) {
memprintf(err, "%sunable to load certificate from file '%s'.\n",
- err && *err ? *err : "", path);
+ err && *err ? *err : "", path);
goto end;
}
/* Read Certificate Chain */
- while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
- /* Grow the chain certs */
- ckch->num_chain_certs++;
- ckch->chain_certs = realloc(ckch->chain_certs, (ckch->num_chain_certs * sizeof(X509 *)));
+ ckch->chain = sk_X509_new_null();
+ while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)))
+ if (!sk_X509_push(ckch->chain, ca)) {
+ X509_free(ca);
+ goto end;
+ }
- /* use - 1 here since we just incremented it above */
- ckch->chain_certs[ckch->num_chain_certs - 1] = ca;
- }
ret = ERR_get_error();
if (ret && (ERR_GET_LIB(ret) != ERR_LIB_PEM && ERR_GET_REASON(ret) != PEM_R_NO_START_LINE)) {
memprintf(err, "%sunable to load certificate chain from file '%s'.\n",
*/
static int ssl_sock_put_ckch_into_ctx(const char *path, const struct cert_key_and_chain *ckch, SSL_CTX *ctx, char **err)
{
- int i = 0;
-
if (SSL_CTX_use_PrivateKey(ctx, ckch->key) <= 0) {
memprintf(err, "%sunable to load SSL private key into SSL Context '%s'.\n",
err && *err ? *err : "", path);
}
/* Load all certs in the ckch into the ctx_chain for the ssl_ctx */
- for (i = 0; i < ckch->num_chain_certs; i++) {
- if (!SSL_CTX_add1_chain_cert(ctx, ckch->chain_certs[i])) {
- memprintf(err, "%sunable to load chain certificate #%d into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
- err && *err ? *err : "", (i+1), path);
- return 1;
- }
+ if (!SSL_CTX_set1_chain(ctx, ckch->chain)) {
+ memprintf(err, "%sunable to load chain certificate into SSL Context '%s'. Make sure you are linking against Openssl >= 1.0.2.\n",
+ err && *err ? *err : "", path);
+ return 1;
}
if (SSL_CTX_check_private_key(ctx) <= 0) {
projects / thirdparty / haproxy.git / commitdiff
