From b576f1e814fcffd832458c1f665c10b82ddbcdd5 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Ritschard
Date: Tue, 25 Sep 2007 08:24:27 +0000
Subject: Introduce two new functions to be able to load certificates while already chrooted and with privileges dropped. This is the very first step in being able to reload a layer 7 configuration. not ok reyk who's away but should be glad to see this in.
---
 usr.sbin/relayd/relay.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'usr.sbin/relayd/relay.c')

diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index ec6025cc3f9..13544d9eb18 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.43 2007/09/10 11:59:22 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.44 2007/09/25 08:24:26 pyr Exp $ */
 
 /*
  * Copyright (c) 2006, 2007 Reyk Floeter
@@ -2012,6 +2012,7 @@ relay_dispatch_parent(int fd, short event, void * ptr)
 SSL_CTX *
 relay_ssl_ctx_create(struct relay *rlay)
 {
+	int fd;
 	struct protocol *proto = rlay->proto;
 	SSL_CTX *ctx;
 	char certfile[PATH_MAX], hbuf[128];
@@ -2053,8 +2054,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 	if (snprintf(certfile, sizeof(certfile),
 	    "/etc/ssl/%s.crt", hbuf) == -1)
 		goto err;
+	if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+		goto err;
 	log_debug("relay_ssl_ctx_create: using certificate %s", certfile);
-	if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
+	if (!ssl_ctx_use_certificate_chain(ctx, fd))
 		goto err;
 
 	/* Load the private key */
@@ -2062,8 +2065,10 @@ relay_ssl_ctx_create(struct relay *rlay)
 	    "/etc/ssl/private/%s.key", hbuf) == -1) {
 		goto err;
 	}
+	if ((fd = open(certfile, O_RDONLY|O_NONBLOCK)) == -1)
+		goto err;
 	log_debug("relay_ssl_ctx_create: using private key %s", certfile);
-	if (!SSL_CTX_use_PrivateKey_file(ctx, certfile, SSL_FILETYPE_PEM))
+	if (!ssl_ctx_use_private_key(ctx, fd, SSL_FILETYPE_PEM))
 		goto err;
 	if (!SSL_CTX_check_private_key(ctx))
 		goto err;
-- 
cgit v1.2.3
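Review bot: The descriptor returned by `open()` in the two code hunks of relay_ssl_ctx_create() is never closed on any visible path: `fd` is handed to `ssl_ctx_use_certificate_chain()` / `ssl_ctx_use_private_key()` and is then either overwritten by the second `open()` or abandoned by `goto err`. Unless those two helpers (not part of this diff) close the descriptor themselves, every relay leaks one open handle on the certificate file and, on the error path, on the private-key file as well, with no way for the `err:` label (which lies outside the hunks, as does the rest of the function) to release it since `fd` is not initialized to -1. Either pin the ownership contract at the first call with `/* ssl_ctx_use_certificate_chain() takes ownership of fd and closes it */`, or keep ownership in the caller as below so the outcome does not depend on what the helper does internally.
```c
	if (!ssl_ctx_use_certificate_chain(ctx, fd)) {
		close(fd);
		goto err;
	}
	close(fd);
	/* … unchanged: private-key snprintf, open() and log_debug … */
	if (!ssl_ctx_use_private_key(ctx, fd, SSL_FILETYPE_PEM)) {
		close(fd);
		goto err;
	}
	close(fd);
	/* … unchanged: SSL_CTX_check_private_key … */
```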