| author | jsing <> | 2016-08-02 07:47:11 +0000 | 
|---|---|---|
| committer | jsing <> | 2016-08-02 07:47:11 +0000 | 
| commit | fb78d4f6d57624a16bd22c0319a858faff7ab48b (patch) | |
| tree | 1d5b4f201a3bc844f8bc86fcc6d120b238b50589 | |
| parent | 680e19d9a3a467db66a0784ba8b264a2eecdb23b (diff) | |
Revert previous since it adds new symbols.
Requested by deraadt@
| -rw-r--r-- | src/lib/libtls/tls.c | 10 | ||||
| -rw-r--r-- | src/lib/libtls/tls.h | 6 | ||||
| -rw-r--r-- | src/lib/libtls/tls_config.c | 70 | ||||
| -rw-r--r-- | src/lib/libtls/tls_conninfo.c | 35 | ||||
| -rw-r--r-- | src/lib/libtls/tls_init.3 | 36 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 6 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 20 | ||||
| -rw-r--r-- | src/lib/libtls/tls_verify.c | 3 | 
8 files changed, 16 insertions, 170 deletions
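--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.42 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.43 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -310,14 +310,6 @@ tls_configure_ssl(struct tls *ctx)
 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
 
-if (ctx->config->alpn != NULL) {
-if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn,
-ctx->config->alpn_len) != 0) {
-tls_set_errorx(ctx, "failed to set alpn");
-goto err;
-}
-}
-
 if (ctx->config->ciphers != NULL) {
 if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
 ctx->config->ciphers) != 1) {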
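--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.31 2016/08/01 17:40:23 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.32 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -52,7 +52,6 @@ const char *tls_error(struct tls *_ctx);
 struct tls_config *tls_config_new(void);
 void tls_config_free(struct tls_config *_config);
 
-int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
 int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
 int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
 int tls_config_set_ca_mem(struct tls_config *_config, const uint8_t *_ca,
@@ -117,9 +116,8 @@ const char *tls_peer_cert_subject(struct tls *_ctx);
 time_t tls_peer_cert_notbefore(struct tls *_ctx);
 time_t tls_peer_cert_notafter(struct tls *_ctx);
 
-const char *tls_conn_alpn_selected(struct tls *_ctx);
-const char *tls_conn_cipher(struct tls *_ctx);
 const char *tls_conn_version(struct tls *_ctx);
+const char *tls_conn_cipher(struct tls *_ctx);
 
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
 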
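--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.23 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.24 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -166,7 +166,6 @@ tls_config_free(struct tls_config *config)
 
 free(config->error.msg);
 
-free(config->alpn);
 free((char *)config->ca_file);
 free((char *)config->ca_mem);
 free((char *)config->ca_path);
@@ -250,73 +249,6 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 return (0);
 }
 
-static int
-tls_config_parse_alpn(struct tls_config *config, const char *alpn,
-char **alpn_data, size_t *alpn_len)
-{
-size_t buf_len, i, len;
-char *buf = NULL;
-char *s = NULL;
-char *p, *q;
-
-free(*alpn_data);
-*alpn_data = NULL;
-*alpn_len = 0;
-
-if ((buf_len = strlen(alpn) + 1) > 65535) {
-tls_config_set_errorx(config, "alpn too large");
-goto err;
-}
-
-if ((buf = malloc(buf_len)) == NULL) {
-tls_config_set_errorx(config, "out of memory");
-goto err;
-}
-
-if ((s = strdup(alpn)) == NULL) {
-tls_config_set_errorx(config, "out of memory");
-goto err;
-}
-
-i = 0;
-q = s;
-while ((p = strsep(&q, ",")) != NULL) {
-if ((len = strlen(p)) == 0) {
-tls_config_set_errorx(config,
-"alpn protocol with zero length");
-goto err;
-}
-if (len > 255) {
-tls_config_set_errorx(config,
-"alpn protocol too long");
-goto err;
-}
-buf[i++] = len & 0xff;
-memcpy(&buf[i], p, len);
-i += len;
-}
-
-free(s);
-
-*alpn_data = buf;
-*alpn_len = buf_len;
-
-return (0);
-
-err:
-free(buf);
-free(s);
-
-return (-1);
-}
-
-int
-tls_config_set_alpn(struct tls_config *config, const char *alpn)
-{
-return tls_config_parse_alpn(config, alpn, &config->alpn,
-&config->alpn_len);
-}
-
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {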
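--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.6 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.7 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -150,26 +150,6 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
 return (rv);
 }
 
-static int
-tls_conninfo_alpn_proto(struct tls *ctx)
-{
-const unsigned char *p;
-unsigned int len;
-
-free(ctx->conninfo->alpn);
-ctx->conninfo->alpn = NULL;
-
-SSL_get0_alpn_selected(ctx->ssl_conn, &p, &len);
-if (len > 0) {
-if ((ctx->conninfo->alpn = malloc(len + 1)) == NULL)
-return (-1);
-memcpy(ctx->conninfo->alpn, p, len);
-ctx->conninfo->alpn[len] = '\0';
-}
-
-return (0);
-}
-
 int
 tls_get_conninfo(struct tls *ctx) {
 const char * tmp;
@@ -195,9 +175,6 @@ tls_get_conninfo(struct tls *ctx) {
 ctx->conninfo->cipher = strdup(tmp);
 if (ctx->conninfo->cipher == NULL)
 goto err;
-if (tls_conninfo_alpn_proto(ctx) == -1)
-goto err;
-
 return (0);
 err:
 tls_free_conninfo(ctx->conninfo);
@@ -207,8 +184,6 @@ err:
 void
 tls_free_conninfo(struct tls_conninfo *conninfo) {
 if (conninfo != NULL) {
-free(conninfo->alpn);
-conninfo->alpn = NULL;
 free(conninfo->hash);
 conninfo->hash = NULL;
 free(conninfo->subject);
@@ -223,14 +198,6 @@ tls_free_conninfo(struct tls_conninfo *conninfo) {
 }
 
 const char *
-tls_conn_alpn_selected(struct tls *ctx)
-{
-if (ctx->conninfo == NULL)
-return (NULL);
-return (ctx->conninfo->alpn);
-}
-
-const char *
 tls_conn_cipher(struct tls *ctx)
 {
 if (ctx->conninfo == NULL)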
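--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.63 2016/08/01 17:32:19 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.64 2016/08/02 07:47:11 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 1 2016 $
+.Dd $Mdocdate: August 2 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -24,7 +24,6 @@
 .Nm tls_config_new ,
 .Nm tls_config_free ,
 .Nm tls_config_parse_protocols ,
-.Nm tls_config_set_alpn ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
 .Nm tls_config_set_ca_mem ,
@@ -55,9 +54,8 @@
 .Nm tls_peer_cert_hash ,
 .Nm tls_peer_cert_notbefore ,
 .Nm tls_peer_cert_notafter ,
-.Nm tls_conn_alpn_selected ,
-.Nm tls_conn_cipher ,
 .Nm tls_conn_version ,
+.Nm tls_conn_cipher ,
 .Nm tls_load_file ,
 .Nm tls_client ,
 .Nm tls_server ,
@@ -90,8 +88,6 @@
 .Ft "int"
 .Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr"
 .Ft "int"
-.Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn"
-.Ft "int"
 .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
@@ -152,11 +148,9 @@
 .Ft "time_t"
 .Fn tls_peer_cert_notafter "struct tls *ctx"
 .Ft "const char *"
-.Fn tls_conn_alpn_selected "struct tls *ctx"
+.Fn tls_conn_version "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_conn_cipher "struct tls *ctx"
-.Ft "const char *"
-.Fn tls_conn_version "struct tls *ctx"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -301,11 +295,6 @@ The following functions modify a configuration by setting parameters.
 Configuration options may apply to only clients or only servers or both.
 .Bl -bullet -offset four
 .It
-.Fn tls_config_set_alpn
-sets the ALPN protocols that are supported.
-The alpn string is a comma separated list of protocols, in order of preference.
-.Em (Client and Server)
-.It
 .Fn tls_config_set_ca_file
 sets the filename used to load a file
 containing the root certificates.
@@ -491,14 +480,13 @@ the peer certificate from
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_alpn_selected
-returns a string that specifies the ALPN protocol selected for use with the peer
+.Fn tls_conn_version
+returns a string
+corresponding to a TLS version negotiated with the peer
 connected to
 .Ar ctx .
-If no protocol was selected then NULL is returned.
-.Fn tls_conn_alpn_selected
+.Fn tls_conn_version
 will only succeed after the handshake is complete.
-.Em (Server and Client)
 .It
 .Fn tls_conn_cipher
 returns a string
@@ -509,14 +497,6 @@ connected to
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_version
-returns a string
-corresponding to a TLS version negotiated with the peer
-connected to
-.Ar ctx .
-.Fn tls_conn_version
-will only succeed after the handshake is complete.
-.It
 .Fn tls_load_file
 loads a certificate or key from disk into memory to be loaded with
 .Fn tls_config_set_ca_mem ,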
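--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.33 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.34 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -55,8 +55,6 @@ struct tls_keypair {
 struct tls_config {
 struct tls_error error;
 
-char *alpn;
-size_t alpn_len;
 const char *ca_file;
 const char *ca_path;
 char *ca_mem;
@@ -75,7 +73,6 @@ struct tls_config {
 };
 
 struct tls_conninfo {
-char *alpn;
 char *issuer;
 char *subject;
 char *hash;
@@ -107,7 +104,6 @@ struct tls {
 SSL *ssl_conn;
 SSL_CTX *ssl_ctx;
 X509 *ssl_peer_cert;
-
 struct tls_conninfo *conninfo;
 };
 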
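--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.20 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.21 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -48,20 +48,6 @@ tls_server_conn(struct tls *ctx)
 return (conn_ctx);
 }
 
-static int
-tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
-const unsigned char *in, unsigned int inlen, void *arg)
-{
-struct tls *ctx = arg;
-
-if (SSL_select_next_proto((unsigned char**)out, outlen,
-ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
-OPENSSL_NPN_NEGOTIATED)
-return (SSL_TLSEXT_ERR_OK);
-
-return (SSL_TLSEXT_ERR_NOACK);
-}
-
 int
 tls_configure_server(struct tls *ctx)
 {
@@ -85,10 +71,6 @@ tls_configure_server(struct tls *ctx)
 goto err;
 }
 
-if (ctx->config->alpn != NULL)
-SSL_CTX_set_alpn_select_cb(ctx->ssl_ctx, tls_server_alpn_cb,
-ctx);
-
 if (ctx->config->dheparams == -1)
 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
 else if (ctx->config->dheparams == 1024)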
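--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.15 2015/09/29 13:10:53 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.16 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -114,7 +114,6 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
 GENERAL_NAME *altname;
 
 altname = sk_GENERAL_NAME_value(altname_stack, i);
-
 if (altname->type != type)
 continue;
 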
