authorGlenn Strauss <gstrauss@gluelogic.com>2019-01-26 17:22:43 -0500
committerGlenn Strauss <gstrauss@gluelogic.com>2019-01-26 17:22:43 -0500
commit2769f19ad3edd5376543851acba9610d47021d62 (patch)
treef74298c4a6b2871b560aec1f0a368265f35f4549
parent3ac7764cfe4d0f4d657972849e234361fee97601 (diff)
downloadlighttpd-git-2769f19ad3edd5376543851acba9610d47021d62.tar.gz
[mod_openssl] ssl.privkey directive (optional)
ssl.privkey can be used to specify the path to a file containing the private key, in lieu of concatenating the certificate and private key into a single .pem
-rw-r--r--src/mod_openssl.c23
1 files changed, 16 insertions, 7 deletions
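diff --git a/src/mod_openssl.c b/src/mod_openssl.c
index 43bfffa8..2da3de23 100644
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -62,6 +62,7 @@ typedef struct {
 unsigned short ssl_use_sslv2;
 unsigned short ssl_use_sslv3;
 buffer *ssl_pemfile;
+ buffer *ssl_privkey;
 buffer *ssl_ca_file;
 buffer *ssl_ca_crl_file;
 buffer *ssl_ca_dn_file;
@@ -134,6 +135,7 @@ FREE_FUNC(mod_openssl_free)
 if (NULL == s) continue;
 copy = s->ssl_enabled && buffer_string_is_empty(s->ssl_pemfile);
 buffer_free(s->ssl_pemfile);
+ buffer_free(s->ssl_privkey);
 buffer_free(s->ssl_ca_file);
 buffer_free(s->ssl_ca_crl_file);
 buffer_free(s->ssl_ca_dn_file);
@@ -514,14 +516,16 @@ network_openssl_load_pemfile (server *srv, plugin_config *s, size_t ndx)
 s->ssl_pemfile_x509 = x509_load_pem_file(srv, s->ssl_pemfile->ptr);
 if (NULL == s->ssl_pemfile_x509) return -1;
- s->ssl_pemfile_pkey = evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
+ s->ssl_pemfile_pkey = !buffer_string_is_empty(s->ssl_privkey)
+ ? evp_pkey_load_pem_file(srv, s->ssl_privkey->ptr)
+ : evp_pkey_load_pem_file(srv, s->ssl_pemfile->ptr);
 if (NULL == s->ssl_pemfile_pkey) return -1;
 if (!X509_check_private_key(s->ssl_pemfile_x509, s->ssl_pemfile_pkey)) {
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+ log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
 "Private key does not match the certificate public key,"
 " reason:", ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile);
+ s->ssl_pemfile, s->ssl_privkey);
 return -1;
 }
@@ -1126,18 +1130,18 @@ network_init_ssl (server *srv, void *p_d)
 }
 if (1 != SSL_CTX_use_PrivateKey(s->ssl_ctx, s->ssl_pemfile_pkey)) {
- log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
+ log_error_write(srv, __FILE__, __LINE__, "ssbb", "SSL:",
 ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile);
+ s->ssl_pemfile, s->ssl_privkey);
 return -1;
 }
 if (SSL_CTX_check_private_key(s->ssl_ctx) != 1) {
- log_error_write(srv, __FILE__, __LINE__, "sssb", "SSL:",
+ log_error_write(srv, __FILE__, __LINE__, "sssbb", "SSL:",
 "Private key does not match the certificate public "
 "key, reason:",
 ERR_error_string(ERR_get_error(), NULL),
- s->ssl_pemfile);
+ s->ssl_pemfile, s->ssl_privkey);
 return -1;
 }
 SSL_CTX_set_default_read_ahead(s->ssl_ctx, s->ssl_read_ahead);
@@ -1197,6 +1201,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
 { "ssl.ca-dn-file", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 19 */
 { "ssl.openssl.ssl-conf-cmd", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 20 */
 { "ssl.acme-tls-1", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 21 */
+ { "ssl.privkey", NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION }, /* 22 */
 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
 };
@@ -1210,6 +1215,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
 s->ssl_enabled = 0;
 s->ssl_pemfile = buffer_init();
+ s->ssl_privkey = buffer_init();
 s->ssl_ca_file = buffer_init();
 s->ssl_ca_crl_file = buffer_init();
 s->ssl_ca_dn_file = buffer_init();
@@ -1258,6 +1264,7 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
 cv[19].destination = s->ssl_ca_dn_file;
 cv[20].destination = s->ssl_conf_cmd;
 cv[21].destination = s->ssl_acme_tls_1;
+ cv[22].destination = s->ssl_privkey;
 p->config_storage[i] = s;
@@ -1310,6 +1317,7 @@ mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx)
 /*PATCH(ssl_enabled);*//*(not patched)*/
 /*PATCH(ssl_pemfile);*//*(not patched)*/
+ /*PATCH(ssl_privkey);*//*(not patched)*/
 PATCH(ssl_pemfile_x509);
 PATCH(ssl_pemfile_pkey);
 PATCH(ssl_ca_file);
@@ -1350,6 +1358,7 @@ mod_openssl_patch_connection (server *srv, connection *con, handler_ctx *hctx)
 if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.pemfile"))) {
 /*PATCH(ssl_pemfile);*//*(not patched)*/
+ /*PATCH(ssl_privkey);*//*(not patched)*/
 PATCH(ssl_pemfile_x509);
 PATCH(ssl_pemfile_pkey);
 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.ca-file"))) {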
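Review bot: The ternary added in network_openssl_load_pemfile reads `s->ssl_privkey` and `s->ssl_pemfile` from the same plugin_config `s`, and both directives are marked `/*(not patched)*/` in mod_openssl_patch_connection, so an ssl.privkey placed in a different conditional block than its ssl.pemfile will apparently be ignored and the key silently read from the .pem instead; nothing in the hunks records that requirement. A comment on the new struct member would capture the contract: `buffer *ssl_privkey; /* optional; key read from ssl_pemfile when empty; set in the same scope as ssl.pemfile */`. Keeping the key in its own file also lets it be permissioned more tightly than the certificate, which is the main reason to prefer the new directive and is worth stating in the directive's documentation. The two mismatch log calls now pass `s->ssl_privkey` even when it is empty, which appends an empty field to the message; harmless, but a reader of the log may find it confusing. Every enclosing function here starts and ends outside its hunk.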