Home Explore Help
Register Sign In
PSG
/
civetweb
mirror of https://github.com/civetweb/civetweb.git
5
0
Fork 0
Files Issues 0 Wiki
Browse Source

optimized flow for use of short lived certificates

Martin Gaida 9 years ago
parent
249defe425
commit
134f978964
1 changed files with 46 additions and 33 deletions
Unified View Show Diff Stats
  1. 46 33
      src/civetweb.c

+ 46 - 33
src/civetweb.c
View File 

@@ -10531,18 +10531,12 @@ ssl_id_callback(void)
 
 #endif
 
 #endif
 
 }
 
 }
 
 
 
-static pthread_mutex_t *ssl_mutexes;
 
 static int ssl_use_pem_file(struct mg_context *ctx, const char *pem);
 
 static int ssl_use_pem_file(struct mg_context *ctx, const char *pem);
 
 static const char * ssl_error(void);
 
 static const char * ssl_error(void);
 
 
 
 static int
 
 static int
 
-sslize(struct mg_connection *conn, SSL_CTX *s, int (*func)(SSL *))
 
+refresh_trust(struct mg_connection *conn)
 
 {
 
 {
 
-	int ret, err;
 
-	if (!conn) {
 
-		return 0;
 
-	}
 
-
 
 	static int reload_lock = 0;
 
 	static int reload_lock = 0;
 
 	static long int data_check = 0;
 
 	static long int data_check = 0;
 
 
 
@@ -10558,37 +10552,35 @@ sslize(struct mg_connection *conn, SSL_CTX *s, int (*func)(SSL *))
 
 		t = (long int) cert_buf.st_mtime;
 
 		t = (long int) cert_buf.st_mtime;
 
 	}
 
 	}
 
 
 
-	int short_trust = !strcmp(conn->ctx->config[SSL_SHORT_TRUST], "yes");
 
 	if (data_check != t) {
 
 	if (data_check != t) {
 
 		data_check = t;
 
 		data_check = t;
 
-		if (short_trust) {
 
-			int should_verify_peer =
 
-					(conn->ctx->config[SSL_DO_VERIFY_PEER] != NULL)
 
-					&& (mg_strcasecmp(conn->ctx->config[SSL_DO_VERIFY_PEER], "yes") == 0);
 
-
 
-			if (should_verify_peer) {
 
-				char *ca_path = conn->ctx->config[SSL_CA_PATH];
 
-				char *ca_file = conn->ctx->config[SSL_CA_FILE];
 
-				if (SSL_CTX_load_verify_locations(conn->ctx->ssl_ctx, ca_file, ca_path)
 
-					!= 1) {
 
-					mg_cry(fc(conn->ctx),
 
-						   "SSL_CTX_load_verify_locations error: %s "
 
-								   "ssl_verify_peer requires setting "
 
-								   "either ssl_ca_path or ssl_ca_file. Is any of them "
 
-								   "present in "
 
-								   "the .conf file?",
 
-						   ssl_error());
 
-					return 0;
 
-				}
 
+
 
+		int should_verify_peer =
 
+				(conn->ctx->config[SSL_DO_VERIFY_PEER] != NULL)
 
+				&& (mg_strcasecmp(conn->ctx->config[SSL_DO_VERIFY_PEER], "yes") == 0);
 
+
 
+		if (should_verify_peer) {
 
+			char *ca_path = conn->ctx->config[SSL_CA_PATH];
 
+			char *ca_file = conn->ctx->config[SSL_CA_FILE];
 
+			if (SSL_CTX_load_verify_locations(conn->ctx->ssl_ctx, ca_file, ca_path)
 
+				!= 1) {
 
+				mg_cry(fc(conn->ctx),
 
+					   "SSL_CTX_load_verify_locations error: %s "
 
+							   "ssl_verify_peer requires setting "
 
+							   "either ssl_ca_path or ssl_ca_file. Is any of them "
 
+							   "present in "
 
+							   "the .conf file?",
 
+					   ssl_error());
 
+				return 0;
 
 			}
 
 			}
 
+		}
 
 
 
-			if (!reload_lock) {
 
-				reload_lock = 1;
 
-				if (ssl_use_pem_file(conn->ctx, pem) == 0) {
 
-					return 0;
 
-				}
 
-				reload_lock = 0;
 
+		if (!reload_lock) {
 
+			reload_lock = 1;
 
+			if (ssl_use_pem_file(conn->ctx, pem) == 0) {
 
+				return 0;
 
 			}
 
 			}
 
+			reload_lock = 0;
 
 		}
 
 		}
 
 	}
 
 	}
 
 	/* lock while cert is reloading */
 
 	/* lock while cert is reloading */
 
@@ -10596,6 +10588,27 @@ sslize(struct mg_connection *conn, SSL_CTX *s, int (*func)(SSL *))
 
 		sleep(1);
 
 		sleep(1);
 
 	}
 
 	}
 
 
 
+	return 1;
 
+}
 
+
 
+static pthread_mutex_t *ssl_mutexes;
 
+
 
+static int
 
+sslize(struct mg_connection *conn, SSL_CTX *s, int (*func)(SSL *))
 
+{
 
+	int ret, err;
 
+	if (!conn) {
 
+		return 0;
 
+	}
 
+
 
+	int short_trust = !strcmp(conn->ctx->config[SSL_SHORT_TRUST], "yes");
 
+	if (short_trust) {
 
+		int trust_ret = refresh_trust(conn);
 
+		if (!trust_ret) {
 
+			return trust_ret;
 
+		}
 
+	}
 
+
 
 	conn->ssl = SSL_new(s);
 
 	conn->ssl = SSL_new(s);
 
 	if (conn->ssl == NULL) {
 
 	if (conn->ssl == NULL) {
 
 		return 0;
 
 		return 0;