Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be

added associated to a keypair used for SNI, and are usable for more than just the "main" certificate. Modify httpd to use this. Bump libtls minor. ok jsing@
author: beck <> 2017-01-31 16:18:57 +0000
committer: beck <> 2017-01-31 16:18:57 +0000
commit: fb9dca0f0ed93924626f04529bb4dfa85e3ef25e (patch)
tree: 6cf82628d4d8b9b0ed4d03dd90872a7deae8fcb3
parent: 5dc75c022fd90332aaa1050db40f77ae54a9f43d (diff)
download: openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.tar.gz
openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.tar.bz2
openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.zip
6 files changed, 209 insertions, 58 deletions
diff --git a/src/lib/libtls/Symbols.list b/src/lib/libtls/Symbols.list
index a033e3e242..eb704ecbd2 100644
--- a/src/lib/libtls/Symbols.list
+++ b/src/lib/libtls/Symbols.list
@@ -5,6 +5,8 @@ tls_client
 tls_close
 tls_config_add_keypair_file
 tls_config_add_keypair_mem
+tls_config_add_keypair_ocsp_file
+tls_config_add_keypair_ocsp_mem
 tls_config_add_ticket_key
 tls_config_clear_keys
 tls_config_error
@@ -30,6 +32,8 @@ tls_config_set_key_file
 tls_config_set_key_mem
 tls_config_set_keypair_file
 tls_config_set_keypair_mem
+tls_config_set_keypair_ocsp_file
+tls_config_set_keypair_ocsp_mem
 tls_config_set_ocsp_staple_mem
 tls_config_set_ocsp_staple_file
 tls_config_set_protocols
diff --git a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
index 0f532cf8c0..b8b7600904 100644
--- a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.3 2017/01/28 00:59:36 schwarze Exp $
+.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.4 2017/01/31 16:18:57 beck Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,46 +14,25 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 28 2017 $
+.Dd $Mdocdate: January 31 2017 $
 .Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
 .Os
 .Sh NAME
 .Nm tls_config_ocsp_require_stapling ,
-.Nm tls_config_set_ocsp_staple_mem ,
-.Nm tls_config_set_ocsp_staple_file
 .Nd OCSP configuration for libtls
 .Sh SYNOPSIS
 .In tls.h
 .Ft void
 .Fn tls_config_ocsp_require_stapling "struct tls_config *config"
-.Ft int
-.Fo tls_config_set_ocsp_staple_mem
-.Fa "struct tls_config *config"
-.Fa "const char *staple"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_ocsp_staple_file
-.Fa "struct tls_config *config"
-.Fa "const char *staple_file"
 .Fc
 .Sh DESCRIPTION
 .Fn tls_config_ocsp_require_stapling
 requires that a valid stapled OCSP response be provided during the TLS handshake.
-.Pp
-.Fn tls_config_set_ocsp_staple_file
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-the specified file.
-.Pp
-.Fn tls_config_set_ocsp_staple_mem
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-memory.
-.Sh RETURN VALUES
-.Fn tls_config_set_ocsp_staple_mem
-and
-.Fn tls_config_set_ocsp_staple_file
-return 0 on success or -1 on error.
 .Sh SEE ALSO
+.Xr tls_config_set_keypair_file 3 ,
+.Xr tls_config_set_keypair_mem 3 ,
+.Xr tls_config_add_keypair_file 3 ,
+.Xr tls_config_add_keypair_mem 3 ,
 .Xr tls_handshake 3 ,
 .Xr tls_init 3 ,
 .Xr tls_ocsp_process_response 3
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index eeebd0339e..6c0a025955 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.3 2017/01/28 00:59:36 schwarze Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.4 2017/01/31 16:18:57 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 28 2017 $
+.Dd $Mdocdate: January 31 2017 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -29,9 +29,15 @@
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_key_file ,
 .Nm tls_config_set_key_mem ,
+.Nm tls_config_set_ocsp_staple_mem ,
+.Nm tls_config_set_ocsp_staple_file
 .Nm tls_config_set_keypair_file ,
 .Nm tls_config_set_keypair_mem ,
+.Nm tls_config_set_keypair_ocsp_file ,
+.Nm tls_config_set_keypair_ocsp_mem ,
 .Nm tls_config_add_keypair_file ,
+.Nm tls_config_add_keypair_ocsp_mem ,
+.Nm tls_config_add_keypair_ocsp_file ,
 .Nm tls_config_add_keypair_mem ,
 .Nm tls_config_clear_keys ,
 .Nm tls_config_set_verify_depth ,
@@ -83,6 +89,17 @@
 .Fa "struct tls_config *config"
 .Fa "const uint8_t *key"
 .Fa "size_t len"
+.Ft int
+.Fc
+.Fo tls_config_set_ocsp_staple_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *staple"
+.Fa "size_t len"
+.Fc
+.Ft int
+.Fo tls_config_set_ocsp_staple_file
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *staple_file"
 .Fc
 .Ft int
 .Fo tls_config_set_keypair_file
@@ -99,6 +116,23 @@
 .Fa "size_t key_len"
 .Fc
 .Ft int
+.Fo tls_config_set_keypair_ocsp_file
+.Fa "struct tls_config *config"
+.Fa "const char *cert_file"
+.Fa "const char *key_file"
+.Fa "const char *staple_file"
+.Fc
+.Ft int
+.Fo tls_config_set_keypair_ocsp_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *cert"
+.Fa "size_t cert_len"
+.Fa "const uint8_t *key"
+.Fa "size_t key_len"
+.Fa "const uint8_t *staple"
+.Fa "size_t staple_len"
+.Fc
+.Ft int
 .Fo tls_config_add_keypair_file
 .Fa "struct tls_config *config"
 .Fa "const char *cert_file"
@@ -112,6 +146,23 @@
 .Fa "const uint8_t *key"
 .Fa "size_t key_len"
 .Fc
+.Ft int
+.Fo tls_config_add_keypair_ocsp_file
+.Fa "struct tls_config *config"
+.Fa "const char *cert_file"
+.Fa "const char *key_file"
+.Fa "const char *staple_file"
+.Fc
+.Ft int
+.Fo tls_config_add_keypair_ocsp_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *cert"
+.Fa "size_t cert_len"
+.Fa "const uint8_t *key"
+.Fa "size_t key_len"
+.Fa "const uint8_t *staple"
+.Fa "size_t staple_len"
+.Fc
 .Ft void
 .Fn tls_config_clear_keys "struct tls_config *config"
 .Ft int
@@ -157,19 +208,46 @@ sets the file from which the private key will be read.
 .Fn tls_config_set_key_mem
 directly sets the private key from memory.
 .Pp
+.Fn tls_config_set_ocsp_staple_file
+sets a DER-encoded OCSP response to be stapled during the TLS handshake from
+the specified file.
+.Pp
+.Fn tls_config_set_ocsp_staple_mem
+sets a DER-encoded OCSP response to be stapled during the TLS handshake from
+memory.
+.Pp
 .Fn tls_config_set_keypair_file
-sets the files from which the public certificate and private key will be read.
+sets the files from which the public certificate, and private key will be read.
 .Pp
 .Fn tls_config_set_keypair_mem
-directly sets the public certificate and private key from memory.
+directly sets the public certificate, and private key from memory.
+.Pp
+.Fn tls_config_set_keypair_file
+sets the files from which the public certificate, private key, and DER encoded
+ocsp staple will be read.
+.Pp
+.Fn tls_config_set_keypair_ocsp_mem
+directly sets the public certificate, private key, and DER encoded OCSP staple
+from memory.
 .Pp
 .Fn tls_config_add_keypair_file
-adds an additional public certificate and private key from the specified files,
+adds an additional public certificate, and private key from the specified files,
 used as an alternative certificate for Server Name Indication (server only).
 .Pp
 .Fn tls_config_add_keypair_mem
-adds an additional public certificate and private key from memory,
+adds an additional public certificate, and private key from memory, used as an
-used as an alternative certificate for Server Name Indication (server only).
+alternative certificate for Server Name Indication (server only).
+.Pp
+.Pp
+.Fn tls_config_add_keypair_ocsp_file
+adds an additional public certificate, private key, and DER encoded OCSP staple
+from the specified files, used as an alternative certificate for Server Name
+Indication (server only).
+.Pp
+.Fn tls_config_add_keypair_ocsp_mem
+adds an additional public certificate, private key, and DER encoded OCSP staple
+from memory, used as an alternative certificate for Server Name Indication
+(server only).
 .Pp
 .Fn tls_config_clear_keys
 clears any secret keys from memory.
@@ -240,12 +318,7 @@ in
 .An Joel Sing Aq Mt jsing@openbsd.org
 with contibutions from
 .An Ted Unangst Aq Mt tedu@openbsd.org
-.Pp
-.An -nosplit
-.Fn tls_config_verify_client
 and
-.Fn tls_config_verify_client_optional
-were written by
 .An Bob Beck Aq Mt beck@openbsd.org .
 .Pp
 .Fn tls_load_file
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 998729533f..a822f1f180 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
 major=15
-minor=2
+minor=3
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 5680c74182..d9b2972e92 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.46 2017/01/26 12:53:17 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.47 2017/01/31 16:18:57 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -89,7 +89,12 @@ int tls_config_add_keypair_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file);
 int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len);
+int tls_config_add_keypair_ocsp_file(struct tls_config *_config,
+    const char *_cert_file, const char *_key_file,
+    const char *_ocsp_staple_file);
+int tls_config_add_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len,
+    const uint8_t *_staple, size_t _staple_len);
 int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
 int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
 int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
@@ -109,8 +114,13 @@ int tls_config_set_keypair_file(struct tls_config *_config,
    const char *_cert_file, const char *_key_file);
 int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
    size_t _cert_len, const uint8_t *_key, size_t _key_len);
-int tls_config_set_ocsp_staple_mem(struct tls_config *_config, char *_staple,
+int tls_config_set_keypair_ocsp_file(struct tls_config *_config,
-    size_t _len);
+    const char *_cert_file, const char *_key_file, const char *_staple_file);
+int tls_config_set_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len,
+    const uint8_t *_staple, size_t staple_len);
+int tls_config_set_ocsp_staple_mem(struct tls_config *_config,
+    const uint8_t *_staple, size_t _len);
 int tls_config_set_ocsp_staple_file(struct tls_config *_config,
    const char *_staple_file);
 int tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 83c649fd51..87c2166f9e 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.36 2017/01/31 16:18:57 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -416,9 +416,9 @@ tls_config_set_alpn(struct tls_config *config, const char *alpn)
            &config->alpn_len);
 }
-int
+static int
-tls_config_add_keypair_file(struct tls_config *config,
+tls_config_add_keypair_file_internal(struct tls_config *config,
-    const char *cert_file, const char *key_file)
+    const char *cert_file, const char *key_file, const char *ocsp_file)
 {
        struct tls_keypair *keypair;
@@ -428,6 +428,10 @@ tls_config_add_keypair_file(struct tls_config *config,
                goto err;
        if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
                goto err;
+        if (ocsp_file != NULL &&
+            tls_keypair_set_ocsp_staple_file(keypair, &config->error,
+                ocsp_file) != 0)
+                goto err;
        tls_config_keypair_add(config, keypair);
@@ -438,9 +442,10 @@ tls_config_add_keypair_file(struct tls_config *config,
        return (-1);
 }
-int
+static int
-tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
+tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
-    size_t cert_len, const uint8_t *key, size_t key_len)
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
 {
        struct tls_keypair *keypair;
@@ -450,6 +455,9 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
                goto err;
        if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
                goto err;
+        if (staple != NULL &&
+            tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+                goto err;
        tls_config_keypair_add(config, keypair);
@@ -461,6 +469,39 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
 }
 int
+tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len)
+{
+        return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+            key_len, NULL, 0);
+}
+int
+tls_config_add_keypair_file(struct tls_config *config,
+    const char *cert_file, const char *key_file)
+{
+        return tls_config_add_keypair_file_internal(config, cert_file,
+            key_file, NULL);
+}
+int
+tls_config_add_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len, const uint8_t *staple,
+    size_t staple_len)
+{
+        return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+            key_len, staple, staple_len);
+}
+int
+tls_config_add_keypair_ocsp_file(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+        return tls_config_add_keypair_file_internal(config, cert_file,
+            key_file, ocsp_file);
+}
+int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
        return tls_config_load_file(&config->error, "CA", ca_file,
@@ -581,31 +622,74 @@ tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
        return tls_keypair_set_key_mem(config->keypair, key, len);
 }
-int
+static int
-tls_config_set_keypair_file(struct tls_config *config,
+tls_config_set_keypair_file_internal(struct tls_config *config,
-    const char *cert_file, const char *key_file)
+    const char *cert_file, const char *key_file, const char *ocsp_file)
 {
        if (tls_config_set_cert_file(config, cert_file) != 0)
                return (-1);
        if (tls_config_set_key_file(config, key_file) != 0)
                return (-1);
+        if (tls_config_set_key_file(config, key_file) != 0)
+                return (-1);
+        if (ocsp_file != NULL &&
+            tls_config_set_ocsp_staple_file(config, ocsp_file) != 0)
+                return (-1);
        return (0);
 }
-int
+static int
-tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
+tls_config_set_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
-    size_t cert_len, const uint8_t *key, size_t key_len)
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
 {
        if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
                return (-1);
        if (tls_config_set_key_mem(config, key, key_len) != 0)
                return (-1);
+        if ((staple != NULL) &&
+            (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0))
+                return (-1);
        return (0);
 }
 int
+tls_config_set_keypair_file(struct tls_config *config,
+    const char *cert_file, const char *key_file)
+{
+        return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+            NULL);
+}
+int
+tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len)
+{
+        return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+            key, key_len, NULL, 0);
+}
+int
+tls_config_set_keypair_ocsp_file(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+        return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+            ocsp_file);
+}
+int
+tls_config_set_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
+{
+        return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+            key, key_len, staple, staple_len);
+}
+int
 tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 {
        config->protocols = protocols;
@@ -685,7 +769,8 @@ tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_fi
 }
 int
-tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
+tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
+    size_t len)
 {
        return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
author	beck <>	2017-01-31 16:18:57 +0000
committer	beck <>	2017-01-31 16:18:57 +0000
commit	fb9dca0f0ed93924626f04529bb4dfa85e3ef25e (patch)
tree	6cf82628d4d8b9b0ed4d03dd90872a7deae8fcb3
parent	5dc75c022fd90332aaa1050db40f77ae54a9f43d (diff)
download	openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.tar.gz openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.tar.bz2 openbsd-fb9dca0f0ed93924626f04529bb4dfa85e3ef25e.zip