/*
 * Load the service certificate (optional) and private key (optional) into
 * section->ctx and verify that the two belong together.
 *
 * section: service configuration; reads cert, key, ctx and (when engine
 *          support is compiled in) engine.
 * Returns 0 on success, 1 on failure; failures are logged via sslerror().
 */
NOEXPORT int load_cert(SERVICE_OPTIONS *section) {
    int key_failed;

    /* Certificate first.  The chain-file variant of the loader is used, so a
     * PEM file that also carries the intermediate CA certificates is picked up
     * as a whole rather than just its leaf. */
    if(section->cert) {
        s_log(LOG_INFO, "Loading certificate from file: %s", section->cert);
        if(!SSL_CTX_use_certificate_chain_file(section->ctx, section->cert)) {
            sslerror("SSL_CTX_use_certificate_chain_file");
            return 1; /* FAILED */
        }
    }

    /* Without a key there is nothing further to load or check.
     * NOTE(review): a certificate with no key is reported as OK here; whether
     * the option parser guarantees that key is set whenever cert is cannot be
     * seen from this function - confirm before relying on it. */
    if(!section->key) {
        s_log(LOG_DEBUG, "No private key specified");
        return 0; /* OK */
    }

    /* Key source: the engine when one is configured, a file otherwise.
     * Both loaders follow the 0 = OK / non-zero = FAILED convention. */
#ifndef OPENSSL_NO_ENGINE
    key_failed=section->engine ? load_key_engine(section) : load_key_file(section);
#else
    key_failed=load_key_file(section);
#endif
    if(key_failed)
        return 1; /* FAILED */

    /* Refuse a key that does not correspond to the loaded certificate.  This
     * check also fails when no certificate was loaded at all (cert unset, key
     * set), in which case the message below is somewhat misleading. */
    if(!SSL_CTX_check_private_key(section->ctx)) {
        sslerror("Private key does not match the certificate");
        return 1; /* FAILED */
    }
    s_log(LOG_DEBUG, "Private key check succeeded");
    return 0; /* OK */
}
/*
 * Initialise peer authentication material for a service: install the PSK
 * callbacks when pre-shared keys are configured, then load the certificate
 * and private key (engine first, file as fallback) and verify they match.
 *
 * section: service configuration; reads psk_keys, option.client, cert, key,
 *          ctx and (when engine support is compiled in) engine.
 * Returns 0 on success, 1 on failure; failures are logged via sslerror().
 */
NOEXPORT int auth_init(SERVICE_OPTIONS *section) {
    /* Non-zero means "still has to come from a file". */
    int cert_from_file=1, key_from_file=1;

#ifndef OPENSSL_NO_PSK
    /* PSK is configured independently of certificates: the callback side
     * depends only on whether this service acts as a client or a server. */
    if(section->psk_keys) {
        if(section->option.client)
            SSL_CTX_set_psk_client_callback(section->ctx, psk_client_callback);
        else
            SSL_CTX_set_psk_server_callback(section->ctx, psk_server_callback);
    }
#endif /* !defined(OPENSSL_NO_PSK) */

    /* Certificate and key are only loaded as a pair; a service with neither,
     * or with only one of them, is accepted here (e.g. PSK-only setups). */
    if(!section->cert || !section->key) {
        s_log(LOG_DEBUG, "No certificate or private key specified");
        return 0; /* OK */
    }

#ifndef OPENSSL_NO_ENGINE
    /* With an engine configured, try it first.  A non-zero result from either
     * engine loader is not treated as fatal: it only re-enables the file
     * loader for that item, which is then fed the same cert/key setting.
     * NOTE(review): an engine error for an object that really lives in the
     * engine is therefore masked by the subsequent (likely failing) file open;
     * confirm the engine loaders distinguish "not present" from "error". */
    if(section->engine) {
        cert_from_file=load_cert_engine(section);
        key_from_file=load_key_engine(section);
    }
#endif

    /* File fallback for whatever the engine did not provide.  Short-circuit
     * evaluation keeps the order: certificate before key, stop on first error. */
    if((cert_from_file && load_cert_file(section))
            || (key_from_file && load_key_file(section)))
        return 1; /* FAILED */

    /* Fail closed if the key does not belong to the certificate. */
    if(!SSL_CTX_check_private_key(section->ctx)) {
        sslerror("Private key does not match the certificate");
        return 1; /* FAILED */
    }
    s_log(LOG_DEBUG, "Private key check succeeded");
    return 0; /* OK */
}