diff options
| author | claudio <> | 2017-08-09 21:27:24 +0000 |
|---|---|---|
| committer | claudio <> | 2017-08-09 21:27:24 +0000 |
| commit | 71babe0972b1aeead9b7f54acb4814fb9695d8ad (patch) | |
| tree | 3fe6a59e04489e4fff11a15572903b1a13783ae0 | |
| parent | 4b42daf331a8d82ddb90f60167a489d82d29b804 (diff) | |
| download | openbsd-71babe0972b1aeead9b7f54acb4814fb9695d8ad.tar.gz openbsd-71babe0972b1aeead9b7f54acb4814fb9695d8ad.tar.bz2 openbsd-71babe0972b1aeead9b7f54acb4814fb9695d8ad.zip | |
Don't use tls_cert_hash for the hashing used by the engine offloading magic
for the TLS privsep code. Instead use X509_pubkey_digest() because only the
key should be used as identifier. Relayd is rewriting certificates and then
the hash would change. Rename the hash is struct tls_keypair to pubkey_hash
to make clear what this hash is about.
With input and OK jsing@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libtls/tls.c | 27 | ||||
| -rw-r--r-- | src/lib/libtls/tls_config.c | 4 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 4 |
3 files changed, 24 insertions, 11 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index ed857272c4..6df72e24e6 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.69 2017/08/09 21:27:24 claudio Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -283,11 +283,12 @@ tls_cert_hash(X509 *cert, char **hash) | |||
| 283 | } | 283 | } |
| 284 | 284 | ||
| 285 | static int | 285 | static int |
| 286 | tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash) | 286 | tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash) |
| 287 | { | 287 | { |
| 288 | BIO *membio = NULL; | 288 | BIO *membio = NULL; |
| 289 | X509 *cert = NULL; | 289 | X509 *cert = NULL; |
| 290 | int rv = -1; | 290 | char d[EVP_MAX_MD_SIZE], *dhex = NULL; |
| 291 | int dlen, rv = -1; | ||
| 291 | 292 | ||
| 292 | *hash = NULL; | 293 | *hash = NULL; |
| 293 | 294 | ||
| @@ -298,9 +299,21 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash) | |||
| 298 | NULL)) == NULL) | 299 | NULL)) == NULL) |
| 299 | goto err; | 300 | goto err; |
| 300 | 301 | ||
| 301 | rv = tls_cert_hash(cert, hash); | 302 | if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1) |
| 303 | goto err; | ||
| 304 | |||
| 305 | if (tls_hex_string(d, dlen, &dhex, NULL) != 0) | ||
| 306 | goto err; | ||
| 307 | |||
| 308 | if (asprintf(hash, "SHA256:%s", dhex) == -1) { | ||
| 309 | *hash = NULL; | ||
| 310 | goto err; | ||
| 311 | } | ||
| 312 | |||
| 313 | rv = 0; | ||
| 302 | 314 | ||
| 303 | err: | 315 | err: |
| 316 | free(dhex); | ||
| 304 | X509_free(cert); | 317 | X509_free(cert); |
| 305 | BIO_free(membio); | 318 | BIO_free(membio); |
| 306 | 319 | ||
| @@ -331,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 331 | tls_set_errorx(ctx, "failed to load certificate"); | 344 | tls_set_errorx(ctx, "failed to load certificate"); |
| 332 | goto err; | 345 | goto err; |
| 333 | } | 346 | } |
| 334 | if (tls_keypair_cert_hash(keypair, &keypair->cert_hash) == -1) | 347 | if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1) |
| 335 | goto err; | 348 | goto err; |
| 336 | } | 349 | } |
| 337 | 350 | ||
| @@ -352,11 +365,11 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 352 | goto err; | 365 | goto err; |
| 353 | } | 366 | } |
| 354 | 367 | ||
| 355 | if (keypair->cert_hash != NULL) { | 368 | if (keypair->pubkey_hash != NULL) { |
| 356 | RSA *rsa; | 369 | RSA *rsa; |
| 357 | /* XXX only RSA for now for relayd privsep */ | 370 | /* XXX only RSA for now for relayd privsep */ |
| 358 | if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { | 371 | if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { |
| 359 | RSA_set_ex_data(rsa, 0, keypair->cert_hash); | 372 | RSA_set_ex_data(rsa, 0, keypair->pubkey_hash); |
| 360 | RSA_free(rsa); | 373 | RSA_free(rsa); |
| 361 | } | 374 | } |
| 362 | } | 375 | } |
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index fe049d1e4e..40374ea220 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.41 2017/07/06 17:12:22 jsing Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -141,7 +141,7 @@ tls_keypair_free(struct tls_keypair *keypair) | |||
| 141 | free(keypair->cert_mem); | 141 | free(keypair->cert_mem); |
| 142 | free(keypair->key_mem); | 142 | free(keypair->key_mem); |
| 143 | free(keypair->ocsp_staple); | 143 | free(keypair->ocsp_staple); |
| 144 | free(keypair->cert_hash); | 144 | free(keypair->pubkey_hash); |
| 145 | 145 | ||
| 146 | free(keypair); | 146 | free(keypair); |
| 147 | } | 147 | } |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index bed9d6e7f4..6079babccf 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.62 2017/07/06 17:12:22 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.63 2017/08/09 21:27:24 claudio Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -53,7 +53,7 @@ struct tls_keypair { | |||
| 53 | size_t key_len; | 53 | size_t key_len; |
| 54 | char *ocsp_staple; | 54 | char *ocsp_staple; |
| 55 | size_t ocsp_staple_len; | 55 | size_t ocsp_staple_len; |
| 56 | char *cert_hash; | 56 | char *pubkey_hash; |
| 57 | }; | 57 | }; |
| 58 | 58 | ||
| 59 | #define TLS_MIN_SESSION_TIMEOUT (4) | 59 | #define TLS_MIN_SESSION_TIMEOUT (4) |