diff options
| author | jsing <> | 2016-08-13 13:05:51 +0000 |
|---|---|---|
| committer | jsing <> | 2016-08-13 13:05:51 +0000 |
| commit | 38f2d99e3768c4c4ef734bdce72659cc2b781447 (patch) | |
| tree | dbfa584d89ca8f2821053defe496bba86e955463 /src/lib/libtls/tls.c | |
| parent | bb926821ad696c9b9509352c5c112e09f73d008b (diff) | |
| download | openbsd-38f2d99e3768c4c4ef734bdce72659cc2b781447.tar.gz openbsd-38f2d99e3768c4c4ef734bdce72659cc2b781447.tar.bz2 openbsd-38f2d99e3768c4c4ef734bdce72659cc2b781447.zip | |
Load CA, certificate and key files into memory when the appropriate
tls_config_set_*_file() function is called. This allows us to immediately
propagate useful error messages, play more nicely with privsep/pledge and
have a single code path. Instead of always loading the default CA when
tls_config_new() is called, defer and only load the default CA when
tls_configure() is invoked, if a CA has not already been specified.
ok beck@ bluhm@
Diffstat (limited to '')
| -rw-r--r-- | src/lib/libtls/tls.c | 52 |
1 files changed, 25 insertions, 27 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 4d4910d128..429881dbb3 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.44 2016/08/12 15:10:59 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -216,9 +216,7 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 216 | 216 | ||
| 217 | if (!required && | 217 | if (!required && |
| 218 | keypair->cert_mem == NULL && | 218 | keypair->cert_mem == NULL && |
| 219 | keypair->key_mem == NULL && | 219 | keypair->key_mem == NULL) |
| 220 | keypair->cert_file == NULL && | ||
| 221 | keypair->key_file == NULL) | ||
| 222 | return(0); | 220 | return(0); |
| 223 | 221 | ||
| 224 | if (keypair->cert_mem != NULL) { | 222 | if (keypair->cert_mem != NULL) { |
| @@ -260,21 +258,6 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 260 | pkey = NULL; | 258 | pkey = NULL; |
| 261 | } | 259 | } |
| 262 | 260 | ||
| 263 | if (keypair->cert_file != NULL) { | ||
| 264 | if (SSL_CTX_use_certificate_chain_file(ssl_ctx, | ||
| 265 | keypair->cert_file) != 1) { | ||
| 266 | tls_set_errorx(ctx, "failed to load certificate file"); | ||
| 267 | goto err; | ||
| 268 | } | ||
| 269 | } | ||
| 270 | if (keypair->key_file != NULL) { | ||
| 271 | if (SSL_CTX_use_PrivateKey_file(ssl_ctx, | ||
| 272 | keypair->key_file, SSL_FILETYPE_PEM) != 1) { | ||
| 273 | tls_set_errorx(ctx, "failed to load private key file"); | ||
| 274 | goto err; | ||
| 275 | } | ||
| 276 | } | ||
| 277 | |||
| 278 | if (SSL_CTX_check_private_key(ssl_ctx) != 1) { | 261 | if (SSL_CTX_check_private_key(ssl_ctx) != 1) { |
| 279 | tls_set_errorx(ctx, "private/public key mismatch"); | 262 | tls_set_errorx(ctx, "private/public key mismatch"); |
| 280 | goto err; | 263 | goto err; |
| @@ -340,31 +323,46 @@ tls_configure_ssl(struct tls *ctx) | |||
| 340 | int | 323 | int |
| 341 | tls_configure_ssl_verify(struct tls *ctx, int verify) | 324 | tls_configure_ssl_verify(struct tls *ctx, int verify) |
| 342 | { | 325 | { |
| 326 | size_t ca_len = ctx->config->ca_len; | ||
| 327 | char *ca_mem = ctx->config->ca_mem; | ||
| 328 | char *ca_free = NULL; | ||
| 329 | |||
| 343 | SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); | 330 | SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); |
| 344 | 331 | ||
| 345 | if (ctx->config->ca_mem != NULL) { | 332 | /* If no CA has been specified, attempt to load the default. */ |
| 346 | /* XXX do this in set. */ | 333 | if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { |
| 347 | if (ctx->config->ca_len > INT_MAX) { | 334 | if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE, |
| 335 | &ca_mem, &ca_len) != 0) | ||
| 336 | goto err; | ||
| 337 | ca_free = ca_mem; | ||
| 338 | } | ||
| 339 | |||
| 340 | if (ca_mem != NULL) { | ||
| 341 | if (ca_len > INT_MAX) { | ||
| 348 | tls_set_errorx(ctx, "ca too long"); | 342 | tls_set_errorx(ctx, "ca too long"); |
| 349 | goto err; | 343 | goto err; |
| 350 | } | 344 | } |
| 351 | if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, | 345 | if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem, |
| 352 | ctx->config->ca_mem, ctx->config->ca_len) != 1) { | 346 | ca_len) != 1) { |
| 353 | tls_set_errorx(ctx, "ssl verify memory setup failure"); | 347 | tls_set_errorx(ctx, "ssl verify memory setup failure"); |
| 354 | goto err; | 348 | goto err; |
| 355 | } | 349 | } |
| 356 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, | 350 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, |
| 357 | ctx->config->ca_file, ctx->config->ca_path) != 1) { | 351 | ctx->config->ca_path) != 1) { |
| 358 | tls_set_errorx(ctx, "ssl verify setup failure"); | 352 | tls_set_errorx(ctx, "ssl verify locations failure"); |
| 359 | goto err; | 353 | goto err; |
| 360 | } | 354 | } |
| 361 | if (ctx->config->verify_depth >= 0) | 355 | if (ctx->config->verify_depth >= 0) |
| 362 | SSL_CTX_set_verify_depth(ctx->ssl_ctx, | 356 | SSL_CTX_set_verify_depth(ctx->ssl_ctx, |
| 363 | ctx->config->verify_depth); | 357 | ctx->config->verify_depth); |
| 364 | 358 | ||
| 359 | free(ca_free); | ||
| 360 | |||
| 365 | return (0); | 361 | return (0); |
| 366 | 362 | ||
| 367 | err: | 363 | err: |
| 364 | free(ca_free); | ||
| 365 | |||
| 368 | return (-1); | 366 | return (-1); |
| 369 | } | 367 | } |
| 370 | 368 | ||