Move the keypair pubkey hash handling code to during config.

The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
author: jsing <> 2018-02-10 04:57:35 +0000
committer: jsing <> 2018-02-10 04:57:35 +0000
commit: 55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree: 220397ac4d651f9ebaa0a028f81a800a6991a0eb
parent: 1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download: openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip
4 files changed, 95 insertions, 69 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 0e206e2c7e..8f2c7dde05 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.75 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -291,6 +291,34 @@ tls_cert_hash(X509 *cert, char **hash)
 }
 int
+tls_cert_pubkey_hash(X509 *cert, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+        free(*hash);
+        *hash = NULL;
+        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
+                goto err;
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
+                goto err;
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                *hash = NULL;
+                goto err;
+        }
+        rv = 0;
+ err:
+        free(dhex);
+        return (rv);
+}
+int
 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required)
 {
@@ -313,9 +341,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                        tls_set_errorx(ctx, "failed to load certificate");
                        goto err;
                }
-                if (tls_keypair_pubkey_hash(keypair, &ctx->error,
-                    &keypair->pubkey_hash) == -1)
-                        goto err;
        }
        if (keypair->key_mem != NULL) {
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 6dfebfaebf..2dab4fc7d8 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.49 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -351,12 +351,13 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce
        if ((keypair = tls_keypair_new()) == NULL)
                return (-1);
-        if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)
+        if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
                goto err;
-        if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
+        if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
                goto err;
        if (staple != NULL &&
-            tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+            tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
+                staple_len) != 0)
                goto err;
        tls_config_keypair_add(config, keypair);
@@ -431,7 +432,8 @@ int
 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
 {
-        return tls_keypair_set_cert_mem(config->keypair, cert, len);
+        return tls_keypair_set_cert_mem(config->keypair, &config->error,
+            cert, len);
 }
 int
@@ -592,7 +594,8 @@ int
 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
 {
-        return tls_keypair_set_key_mem(config->keypair, key, len);
+        return tls_keypair_set_key_mem(config->keypair, &config->error,
+            key, len);
 }
 static int
@@ -789,7 +792,8 @@ int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
    size_t len)
 {
-        return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
+        return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error,
+            staple, len);
 }
 int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 14265037eb..f8b9e6118e 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.69 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.70 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -199,25 +199,22 @@ int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
 int tls_set_string(const char **_dest, const char *_src);
 struct tls_keypair *tls_keypair_new(void);
-void tls_keypair_clear_key(struct tls_keypair *_keypair);
+void tls_keypair_clear(struct tls_keypair *_keypair);
+void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_cert_file);
-int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, const uint8_t *_cert,
+int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_cert, size_t _len);
 int tls_keypair_set_key_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_key_file);
-int tls_keypair_set_key_mem(struct tls_keypair *_keypair, const uint8_t *_key,
+int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_key, size_t _len);
 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_ocsp_file);
 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
-    const uint8_t *_staple, size_t _len);
+    struct tls_error *_error, const uint8_t *_staple, size_t _len);
-void tls_keypair_clear(struct tls_keypair *_keypair);
-void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_load_cert(struct tls_keypair *_keypair,
    struct tls_error *_error, X509 **_cert);
-int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
-    struct tls_error *_error, char **_hash);
 struct tls_sni_ctx *tls_sni_ctx_new(void);
 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
@@ -281,6 +278,7 @@ struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
    size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
+int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index 626a95853f..03e7f4ad76 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -29,7 +29,7 @@ tls_keypair_new(void)
        return calloc(1, sizeof(struct tls_keypair));
 }
-void
+static void
 tls_keypair_clear_key(struct tls_keypair *keypair)
 {
        freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
        keypair->key_len = 0;
 }
+static int
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
+{
+        X509 *cert = NULL;
+        int rv = -1;
+        free(keypair->pubkey_hash);
+        keypair->pubkey_hash = NULL;
+        if (keypair->cert_mem == NULL) {
+                rv = 0;
+                goto done;
+        }
+        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
+                goto err;
+        if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
+                goto err;
+        rv = 0;
+ err:
+        X509_free(cert);
+ done:
+        return (rv);
+}
 int
 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
 {
-        return tls_config_load_file(error, "certificate", cert_file,
+        if (tls_config_load_file(error, "certificate", cert_file,
-            &keypair->cert_mem, &keypair->cert_len);
+            &keypair->cert_mem, &keypair->cert_len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
-tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *cert, size_t len)
 {
-        return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
+        if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
 }
 int
-tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
+tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *key, size_t len)
 {
        tls_keypair_clear_key(keypair);
        return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
 int
 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
-    const uint8_t *staple, size_t len)
+    struct tls_error *error, const uint8_t *staple, size_t len)
 {
        return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
            staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
 void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
-        tls_keypair_set_cert_mem(keypair, NULL, 0);
+        struct tls_error error;
-        tls_keypair_set_key_mem(keypair, NULL, 0);
-        tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);
+        tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_key_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
        free(keypair->pubkey_hash);
        keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
        return (rv);
 }
-int
-tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error,
-    char **hash)
-{
-        X509 *cert = NULL;
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
-        int dlen, rv = -1;
-        free(*hash);
-        *hash = NULL;
-        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
-                goto err;
-        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
-                goto err;
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
-                goto err;
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                *hash = NULL;
-                goto err;
-        }
-        rv = 0;
- err:
-        X509_free(cert);
-        free(dhex);
-        return (rv);
-}
author	jsing <>	2018-02-10 04:57:35 +0000
committer	jsing <>	2018-02-10 04:57:35 +0000
commit	55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree	220397ac4d651f9ebaa0a028f81a800a6991a0eb
parent	1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download	openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2 openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 0e206e2c7e..8f2c7dde05 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.75 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -291,6 +291,34 @@ tls_cert_hash(X509 cert, char *hash)
291	}	291	}
292		292
293	int	293	int
		294	tls_cert_pubkey_hash(X509 cert, char *hash)
		295	{
		296	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
		297	int dlen, rv = -1;
		298
		299	free(*hash);
		300	*hash = NULL;
		301
		302	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
		303	goto err;
		304
		305	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
		306	goto err;
		307
		308	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
		309	*hash = NULL;
		310	goto err;
		311	}
		312
		313	rv = 0;
		314
		315	err:
		316	free(dhex);
		317
		318	return (rv);
		319	}
		320
		321	int
294	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,	322	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
295	struct tls_keypair *keypair, int required)	323	struct tls_keypair *keypair, int required)
296	{	324	{
@@ -313,9 +341,6 @@ tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
313	tls_set_errorx(ctx, "failed to load certificate");	341	tls_set_errorx(ctx, "failed to load certificate");
314	goto err;	342	goto err;
315	}	343	}
316	if (tls_keypair_pubkey_hash(keypair, &ctx->error,
317	&keypair->pubkey_hash) == -1)
318	goto err;
319	}	344	}
320		345
321	if (keypair->key_mem != NULL) {	346	if (keypair->key_mem != NULL) {


diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 6dfebfaebf..2dab4fc7d8 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.49 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -351,12 +351,13 @@ tls_config_add_keypair_mem_internal(struct tls_config config, const uint8_t ce
351		351
352	if ((keypair = tls_keypair_new()) == NULL)	352	if ((keypair = tls_keypair_new()) == NULL)
353	return (-1);	353	return (-1);
354	if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)	354	if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
355	goto err;	355	goto err;
356	if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)	356	if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
357	goto err;	357	goto err;
358	if (staple != NULL &&	358	if (staple != NULL &&
359	tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)	359	tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
		360	staple_len) != 0)
360	goto err;	361	goto err;
361		362
362	tls_config_keypair_add(config, keypair);	363	tls_config_keypair_add(config, keypair);
@@ -431,7 +432,8 @@ int
431	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,	432	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,
432	size_t len)	433	size_t len)
433	{	434	{
434	return tls_keypair_set_cert_mem(config->keypair, cert, len);	435	return tls_keypair_set_cert_mem(config->keypair, &config->error,
		436	cert, len);
435	}	437	}
436		438
437	int	439	int
@@ -592,7 +594,8 @@ int
592	tls_config_set_key_mem(struct tls_config config, const uint8_t key,	594	tls_config_set_key_mem(struct tls_config config, const uint8_t key,
593	size_t len)	595	size_t len)
594	{	596	{
595	return tls_keypair_set_key_mem(config->keypair, key, len);	597	return tls_keypair_set_key_mem(config->keypair, &config->error,
		598	key, len);
596	}	599	}
597		600
598	static int	601	static int
@@ -789,7 +792,8 @@ int
789	tls_config_set_ocsp_staple_mem(struct tls_config config, const uint8_t staple,	792	tls_config_set_ocsp_staple_mem(struct tls_config config, const uint8_t staple,
790	size_t len)	793	size_t len)
791	{	794	{
792	return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);	795	return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error,
		796	staple, len);
793	}	797	}
794		798
795	int	799	int


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 14265037eb..f8b9e6118e 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.69 2018/02/10 04:41:24 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.70 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -199,25 +199,22 @@ int tls_set_mem(char *_dest, size_t _destlen, const void *_src,
199	int tls_set_string(const char *_dest, const char _src);	199	int tls_set_string(const char *_dest, const char _src);
200		200
201	struct tls_keypair *tls_keypair_new(void);	201	struct tls_keypair *tls_keypair_new(void);
202	void tls_keypair_clear_key(struct tls_keypair *_keypair);	202	void tls_keypair_clear(struct tls_keypair *_keypair);
		203	void tls_keypair_free(struct tls_keypair *_keypair);
203	int tls_keypair_set_cert_file(struct tls_keypair *_keypair,	204	int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
204	struct tls_error _error, const char _cert_file);	205	struct tls_error _error, const char _cert_file);
205	int tls_keypair_set_cert_mem(struct tls_keypair _keypair, const uint8_t _cert,	206	int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
206	size_t _len);	207	struct tls_error _error, const uint8_t _cert, size_t _len);
207	int tls_keypair_set_key_file(struct tls_keypair *_keypair,	208	int tls_keypair_set_key_file(struct tls_keypair *_keypair,
208	struct tls_error _error, const char _key_file);	209	struct tls_error _error, const char _key_file);
209	int tls_keypair_set_key_mem(struct tls_keypair _keypair, const uint8_t _key,	210	int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
210	size_t _len);	211	struct tls_error _error, const uint8_t _key, size_t _len);
211	int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,	212	int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
212	struct tls_error _error, const char _ocsp_file);	213	struct tls_error _error, const char _ocsp_file);
213	int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,	214	int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
214	const uint8_t *_staple, size_t _len);	215	struct tls_error _error, const uint8_t _staple, size_t _len);
215	void tls_keypair_clear(struct tls_keypair *_keypair);
216	void tls_keypair_free(struct tls_keypair *_keypair);
217	int tls_keypair_load_cert(struct tls_keypair *_keypair,	216	int tls_keypair_load_cert(struct tls_keypair *_keypair,
218	struct tls_error _error, X509 *_cert);	217	struct tls_error _error, X509 *_cert);
219	int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
220	struct tls_error _error, char *_hash);
221		218
222	struct tls_sni_ctx *tls_sni_ctx_new(void);	219	struct tls_sni_ctx *tls_sni_ctx_new(void);
223	void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);	220	void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
@@ -281,6 +278,7 @@ struct tls_ocsp tls_ocsp_setup_from_peer(struct tls ctx);
281	int tls_hex_string(const unsigned char _in, size_t _inlen, char *_out,	278	int tls_hex_string(const unsigned char _in, size_t _inlen, char *_out,
282	size_t *_outlen);	279	size_t *_outlen);
283	int tls_cert_hash(X509 _cert, char *_hash);	280	int tls_cert_hash(X509 _cert, char *_hash);
		281	int tls_cert_pubkey_hash(X509 _cert, char *_hash);
284		282
285	int tls_password_cb(char _buf, int _size, int _rwflag, void _u);	283	int tls_password_cb(char _buf, int _size, int _rwflag, void _u);
286		284


diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c index 626a95853f..03e7f4ad76 100644 --- a/src/lib/libtls/tls_keypair.c +++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -29,7 +29,7 @@ tls_keypair_new(void)
29	return calloc(1, sizeof(struct tls_keypair));	29	return calloc(1, sizeof(struct tls_keypair));
30	}	30	}
31		31
32	void	32	static void
33	tls_keypair_clear_key(struct tls_keypair *keypair)	33	tls_keypair_clear_key(struct tls_keypair *keypair)
34	{	34	{
35	freezero(keypair->key_mem, keypair->key_len);	35	freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
37	keypair->key_len = 0;	37	keypair->key_len = 0;
38	}	38	}
39		39
		40	static int
		41	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error)
		42	{
		43	X509 *cert = NULL;
		44	int rv = -1;
		45
		46	free(keypair->pubkey_hash);
		47	keypair->pubkey_hash = NULL;
		48
		49	if (keypair->cert_mem == NULL) {
		50	rv = 0;
		51	goto done;
		52	}
		53
		54	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
		55	goto err;
		56	if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
		57	goto err;
		58
		59	rv = 0;
		60
		61	err:
		62	X509_free(cert);
		63	done:
		64	return (rv);
		65	}
		66
40	int	67	int
41	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,	68	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,
42	const char *cert_file)	69	const char *cert_file)
43	{	70	{
44	return tls_config_load_file(error, "certificate", cert_file,	71	if (tls_config_load_file(error, "certificate", cert_file,
45	&keypair->cert_mem, &keypair->cert_len);	72	&keypair->cert_mem, &keypair->cert_len) == -1)
		73	return -1;
		74	return tls_keypair_pubkey_hash(keypair, error);
46	}	75	}
47		76
48	int	77	int
49	tls_keypair_set_cert_mem(struct tls_keypair keypair, const uint8_t cert,	78	tls_keypair_set_cert_mem(struct tls_keypair keypair, struct tls_error error,
50	size_t len)	79	const uint8_t *cert, size_t len)
51	{	80	{
52	return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);	81	if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
		82	return -1;
		83	return tls_keypair_pubkey_hash(keypair, error);
53	}	84	}
54		85
55	int	86	int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair keypair, struct tls_error error,
62	}	93	}
63		94
64	int	95	int
65	tls_keypair_set_key_mem(struct tls_keypair keypair, const uint8_t key,	96	tls_keypair_set_key_mem(struct tls_keypair keypair, struct tls_error error,
66	size_t len)	97	const uint8_t *key, size_t len)
67	{	98	{
68	tls_keypair_clear_key(keypair);	99	tls_keypair_clear_key(keypair);
69	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);	100	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
79		110
80	int	111	int
81	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,	112	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
82	const uint8_t *staple, size_t len)	113	struct tls_error error, const uint8_t staple, size_t len)
83	{	114	{
84	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,	115	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
85	staple, len);	116	staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
88	void	119	void
89	tls_keypair_clear(struct tls_keypair *keypair)	120	tls_keypair_clear(struct tls_keypair *keypair)
90	{	121	{
91	tls_keypair_set_cert_mem(keypair, NULL, 0);	122	struct tls_error error;
92	tls_keypair_set_key_mem(keypair, NULL, 0);	123
93	tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);	124	tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
		125	tls_keypair_set_key_mem(keypair, &error, NULL, 0);
		126	tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
94		127
95	free(keypair->pubkey_hash);	128	free(keypair->pubkey_hash);
96	keypair->pubkey_hash = NULL;	129	keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair keypair, struct tls_error error,
143		176
144	return (rv);	177	return (rv);
145	}	178	}
146
147	int
148	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error,
149	char **hash)
150	{
151	X509 *cert = NULL;
152	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
153	int dlen, rv = -1;
154
155	free(*hash);
156	*hash = NULL;
157
158	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
159	goto err;
160
161	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
162	goto err;
163
164	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
165	goto err;
166
167	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
168	*hash = NULL;
169	goto err;
170	}
171
172	rv = 0;
173
174	err:
175	X509_free(cert);
176	free(dhex);
177
178	return (rv);
179	}