Add client certificate support. Still needs a few tweaks but this will

ride upcoming minor bump ok jsing@
author: beck <> 2015-09-09 19:23:04 +0000
committer: beck <> 2015-09-09 19:23:04 +0000
commit: 869b2e79c9ff30e6144dddc6562522a90c73bb14 (patch)
tree: 54b585991caa7fede927175ee5ff75d793342b8f
parent: 4a79aa2cb1398f29f4fe23724a6ad3e4ba8e3b94 (diff)
download: openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.gz
openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.bz2
openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.zip
6 files changed, 76 insertions, 34 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index db14d3fc7d..0c4793cc9a 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.17 2015/09/09 18:22:33 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.18 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -147,12 +147,19 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 int
-tls_configure_keypair(struct tls *ctx)
+tls_configure_keypair(struct tls *ctx, int required)
 {
        EVP_PKEY *pkey = NULL;
        X509 *cert = NULL;
        BIO *bio = NULL;
+        if (!required &&
+            ctx->config->cert_mem == NULL &&
+            ctx->config->key_mem == NULL &&
+            ctx->config->cert_file == NULL &&
+            ctx->config->key_file == NULL)
+                return(0);
        if (ctx->config->cert_mem != NULL) {
                if (ctx->config->cert_len > INT_MAX) {
                        tls_set_errorx(ctx, "certificate too long");
@@ -256,6 +263,37 @@ err:
        return (-1);
 }
+int
+tls_configure_ssl_verify(struct tls *ctx, int verify)
+{
+        SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
+        if (ctx->config->ca_mem != NULL) {
+                /* XXX do this in set. */
+                if (ctx->config->ca_len > INT_MAX) {
+                        tls_set_error(ctx, "client ca too long");
+                        goto err;
+                }
+                if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+                    ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+                        tls_set_error(ctx,
+                            "ssl verify memory setup failure");
+                        goto err;
+                }
+        } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+            ctx->config->ca_file, ctx->config->ca_path) != 1) {
+                tls_set_error(ctx, "ssl verify setup failure");
+                goto err;
+        }
+        if (ctx->config->verify_depth >= 0)
+                SSL_CTX_set_verify_depth(ctx->ssl_ctx,
+                    ctx->config->verify_depth);
+        return (0);
+ err:
+        return (-1);
+}
 void
 tls_free(struct tls *ctx)
 {
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index cb02ee8824..1a6257232c 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.13 2015/06/19 06:20:11 bcook Exp $ */
+/* $OpenBSD: tls.h,v 1.14 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -73,6 +73,9 @@ void tls_config_insecure_noverifycert(struct tls_config *_config);
 void tls_config_insecure_noverifyname(struct tls_config *_config);
 void tls_config_verify(struct tls_config *_config);
+void tls_config_verify_client(struct tls_config *_config);
+void tls_config_verify_client_optional(struct tls_config *_config);
 struct tls *tls_client(void);
 struct tls *tls_server(void);
 int tls_configure(struct tls *_ctx, struct tls_config *_config);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 81b5510431..056526ddc3 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.23 2015/09/09 14:32:06 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.24 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -21,7 +21,6 @@
 #include <arpa/inet.h>
 #include <netinet/in.h>
-#include <limits.h>
 #include <netdb.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -190,6 +189,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
        if (tls_configure_ssl(ctx) != 0)
                goto err;
+        if (tls_configure_keypair(ctx, 0) != 0)
+                goto err;
        if (ctx->config->verify_name) {
                if (servername == NULL) {
@@ -198,30 +199,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                }
        }
-        if (ctx->config->verify_cert) {
+        if (ctx->config->verify_cert &&
-                SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
+            (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
+                goto err;
-                if (ctx->config->ca_mem != NULL) {
-                        if (ctx->config->ca_len > INT_MAX) {
-                                tls_set_errorx(ctx, "ca too long");
-                                goto err;
-                        }
-                        if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
-                            ctx->config->ca_mem, ctx->config->ca_len) != 1) {
-                                tls_set_errorx(ctx,
-                                    "ssl verify memory setup failure");
-                                goto err;
-                        }
-                } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
-                    ctx->config->ca_file, ctx->config->ca_path) != 1) {
-                        tls_set_errorx(ctx, "ssl verify setup failure");
-                        goto err;
-                }
-                if (ctx->config->verify_depth >= 0)
-                        SSL_CTX_set_verify_depth(ctx->ssl_ctx,
-                            ctx->config->verify_depth);
-        }
        if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
                tls_set_errorx(ctx, "ssl connection failure");
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 4c25a79303..73073d8ff7 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.9 2015/02/22 15:09:54 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.10 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -300,3 +300,15 @@ tls_config_verify(struct tls_config *config)
        config->verify_cert = 1;
        config->verify_name = 1;
 }
+void
+tls_config_verify_client(struct tls_config *config)
+{
+        config->verify_client = 1;
+}
+void
+tls_config_verify_client_optional(struct tls_config *config)
+{
+        config->verify_client = 2;
+}
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index d767c37494..58834c999f 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.15 2015/09/08 15:29:34 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.16 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -42,6 +42,7 @@ struct tls_config {
        size_t key_len;
        uint32_t protocols;
        int verify_cert;
+        int verify_client;
        int verify_depth;
        int verify_name;
 };
@@ -70,9 +71,10 @@ struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 int tls_check_servername(struct tls *ctx, X509 *cert, const char *servername);
-int tls_configure_keypair(struct tls *ctx);
+int tls_configure_keypair(struct tls *ctx, int);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
+int tls_configure_ssl_verify(struct tls *ctx, int verify);
 int tls_host_port(const char *hostport, char **host, char **port);
 int tls_set_error(struct tls *ctx, const char *fmt, ...)
    __attribute__((__format__ (printf, 2, 3)))
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 190682e630..6f8daa0aca 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.11 2015/09/09 14:32:06 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.12 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -60,8 +60,15 @@ tls_configure_server(struct tls *ctx)
        if (tls_configure_ssl(ctx) != 0)
                goto err;
-        if (tls_configure_keypair(ctx) != 0)
+        if (tls_configure_keypair(ctx, 1) != 0)
                goto err;
+        if (ctx->config->verify_client != 0) {
+                int verify = SSL_VERIFY_PEER;
+                if (ctx->config->verify_client == 1)
+                        verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+                if (tls_configure_ssl_verify(ctx, verify) == -1)
+                        goto err;
+        }
        if (ctx->config->dheparams == -1)
                SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
author	beck <>	2015-09-09 19:23:04 +0000
committer	beck <>	2015-09-09 19:23:04 +0000
commit	869b2e79c9ff30e6144dddc6562522a90c73bb14 (patch)
tree	54b585991caa7fede927175ee5ff75d793342b8f
parent	4a79aa2cb1398f29f4fe23724a6ad3e4ba8e3b94 (diff)
download	openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.gz openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.bz2 openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index db14d3fc7d..0c4793cc9a 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.17 2015/09/09 18:22:33 beck Exp $ */	1	/* $OpenBSD: tls.c,v 1.18 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -147,12 +147,19 @@ tls_configure(struct tls ctx, struct tls_config config)
147	}	147	}
148		148
149	int	149	int
150	tls_configure_keypair(struct tls *ctx)	150	tls_configure_keypair(struct tls *ctx, int required)
151	{	151	{
152	EVP_PKEY *pkey = NULL;	152	EVP_PKEY *pkey = NULL;
153	X509 *cert = NULL;	153	X509 *cert = NULL;
154	BIO *bio = NULL;	154	BIO *bio = NULL;
155		155
		156	if (!required &&
		157	ctx->config->cert_mem == NULL &&
		158	ctx->config->key_mem == NULL &&
		159	ctx->config->cert_file == NULL &&
		160	ctx->config->key_file == NULL)
		161	return(0);
		162
156	if (ctx->config->cert_mem != NULL) {	163	if (ctx->config->cert_mem != NULL) {
157	if (ctx->config->cert_len > INT_MAX) {	164	if (ctx->config->cert_len > INT_MAX) {
158	tls_set_errorx(ctx, "certificate too long");	165	tls_set_errorx(ctx, "certificate too long");
@@ -256,6 +263,37 @@ err:
256	return (-1);	263	return (-1);
257	}	264	}
258		265
		266	int
		267	tls_configure_ssl_verify(struct tls *ctx, int verify)
		268	{
		269	SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
		270
		271	if (ctx->config->ca_mem != NULL) {
		272	/* XXX do this in set. */
		273	if (ctx->config->ca_len > INT_MAX) {
		274	tls_set_error(ctx, "client ca too long");
		275	goto err;
		276	}
		277	if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
		278	ctx->config->ca_mem, ctx->config->ca_len) != 1) {
		279	tls_set_error(ctx,
		280	"ssl verify memory setup failure");
		281	goto err;
		282	}
		283	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
		284	ctx->config->ca_file, ctx->config->ca_path) != 1) {
		285	tls_set_error(ctx, "ssl verify setup failure");
		286	goto err;
		287	}
		288	if (ctx->config->verify_depth >= 0)
		289	SSL_CTX_set_verify_depth(ctx->ssl_ctx,
		290	ctx->config->verify_depth);
		291	return (0);
		292
		293	err:
		294	return (-1);
		295	}
		296
259	void	297	void
260	tls_free(struct tls *ctx)	298	tls_free(struct tls *ctx)
261	{	299	{


diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index cb02ee8824..1a6257232c 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.h,v 1.13 2015/06/19 06:20:11 bcook Exp $ */	1	/* $OpenBSD: tls.h,v 1.14 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -73,6 +73,9 @@ void tls_config_insecure_noverifycert(struct tls_config *_config);
73	void tls_config_insecure_noverifyname(struct tls_config *_config);	73	void tls_config_insecure_noverifyname(struct tls_config *_config);
74	void tls_config_verify(struct tls_config *_config);	74	void tls_config_verify(struct tls_config *_config);
75		75
		76	void tls_config_verify_client(struct tls_config *_config);
		77	void tls_config_verify_client_optional(struct tls_config *_config);
		78
76	struct tls *tls_client(void);	79	struct tls *tls_client(void);
77	struct tls *tls_server(void);	80	struct tls *tls_server(void);
78	int tls_configure(struct tls _ctx, struct tls_config _config);	81	int tls_configure(struct tls _ctx, struct tls_config _config);


diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 81b5510431..056526ddc3 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_client.c,v 1.23 2015/09/09 14:32:06 jsing Exp $ */	1	/* $OpenBSD: tls_client.c,v 1.24 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -21,7 +21,6 @@
21	#include <arpa/inet.h>	21	#include <arpa/inet.h>
22	#include <netinet/in.h>	22	#include <netinet/in.h>
23		23
24	#include <limits.h>
25	#include <netdb.h>	24	#include <netdb.h>
26	#include <stdlib.h>	25	#include <stdlib.h>
27	#include <unistd.h>	26	#include <unistd.h>
@@ -190,6 +189,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
190		189
191	if (tls_configure_ssl(ctx) != 0)	190	if (tls_configure_ssl(ctx) != 0)
192	goto err;	191	goto err;
		192	if (tls_configure_keypair(ctx, 0) != 0)
		193	goto err;
193		194
194	if (ctx->config->verify_name) {	195	if (ctx->config->verify_name) {
195	if (servername == NULL) {	196	if (servername == NULL) {
@@ -198,30 +199,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
198	}	199	}
199	}	200	}
200		201
201	if (ctx->config->verify_cert) {	202	if (ctx->config->verify_cert &&
202	SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);	203	(tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
203		204	goto err;
204	if (ctx->config->ca_mem != NULL) {
205	if (ctx->config->ca_len > INT_MAX) {
206	tls_set_errorx(ctx, "ca too long");
207	goto err;
208	}
209
210	if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
211	ctx->config->ca_mem, ctx->config->ca_len) != 1) {
212	tls_set_errorx(ctx,
213	"ssl verify memory setup failure");
214	goto err;
215	}
216	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
217	ctx->config->ca_file, ctx->config->ca_path) != 1) {
218	tls_set_errorx(ctx, "ssl verify setup failure");
219	goto err;
220	}
221	if (ctx->config->verify_depth >= 0)
222	SSL_CTX_set_verify_depth(ctx->ssl_ctx,
223	ctx->config->verify_depth);
224	}
225		205
226	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {	206	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
227	tls_set_errorx(ctx, "ssl connection failure");	207	tls_set_errorx(ctx, "ssl connection failure");


diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 4c25a79303..73073d8ff7 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.9 2015/02/22 15:09:54 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.10 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -300,3 +300,15 @@ tls_config_verify(struct tls_config *config)
300	config->verify_cert = 1;	300	config->verify_cert = 1;
301	config->verify_name = 1;	301	config->verify_name = 1;
302	}	302	}
		303
		304	void
		305	tls_config_verify_client(struct tls_config *config)
		306	{
		307	config->verify_client = 1;
		308	}
		309
		310	void
		311	tls_config_verify_client_optional(struct tls_config *config)
		312	{
		313	config->verify_client = 2;
		314	}


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index d767c37494..58834c999f 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.15 2015/09/08 15:29:34 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.16 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -42,6 +42,7 @@ struct tls_config {
42	size_t key_len;	42	size_t key_len;
43	uint32_t protocols;	43	uint32_t protocols;
44	int verify_cert;	44	int verify_cert;
		45	int verify_client;
45	int verify_depth;	46	int verify_depth;
46	int verify_name;	47	int verify_name;
47	};	48	};
@@ -70,9 +71,10 @@ struct tls *tls_new(void);
70	struct tls tls_server_conn(struct tls ctx);	71	struct tls tls_server_conn(struct tls ctx);
71		72
72	int tls_check_servername(struct tls ctx, X509 cert, const char *servername);	73	int tls_check_servername(struct tls ctx, X509 cert, const char *servername);
73	int tls_configure_keypair(struct tls *ctx);	74	int tls_configure_keypair(struct tls *ctx, int);
74	int tls_configure_server(struct tls *ctx);	75	int tls_configure_server(struct tls *ctx);
75	int tls_configure_ssl(struct tls *ctx);	76	int tls_configure_ssl(struct tls *ctx);
		77	int tls_configure_ssl_verify(struct tls *ctx, int verify);
76	int tls_host_port(const char hostport, char host, char *port);	78	int tls_host_port(const char hostport, char host, char *port);
77	int tls_set_error(struct tls ctx, const char fmt, ...)	79	int tls_set_error(struct tls ctx, const char fmt, ...)
78	__attribute__((__format__ (printf, 2, 3)))	80	__attribute__((__format__ (printf, 2, 3)))


diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 190682e630..6f8daa0aca 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_server.c,v 1.11 2015/09/09 14:32:06 jsing Exp $ */	1	/* $OpenBSD: tls_server.c,v 1.12 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -60,8 +60,15 @@ tls_configure_server(struct tls *ctx)
60		60
61	if (tls_configure_ssl(ctx) != 0)	61	if (tls_configure_ssl(ctx) != 0)
62	goto err;	62	goto err;
63	if (tls_configure_keypair(ctx) != 0)	63	if (tls_configure_keypair(ctx, 1) != 0)
64	goto err;	64	goto err;
		65	if (ctx->config->verify_client != 0) {
		66	int verify = SSL_VERIFY_PEER;
		67	if (ctx->config->verify_client == 1)
		68	verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
		69	if (tls_configure_ssl_verify(ctx, verify) == -1)
		70	goto err;
		71	}
65		72
66	if (ctx->config->dheparams == -1)	73	if (ctx->config->dheparams == -1)
67	SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);	74	SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);