diff options
| author | jsing <> | 2018-02-10 04:57:35 +0000 |
|---|---|---|
| committer | jsing <> | 2018-02-10 04:57:35 +0000 |
| commit | 55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch) | |
| tree | 220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls.c | |
| parent | 1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff) | |
| download | openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2 openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip | |
Move the keypair pubkey hash handling code to during config.
The keypair pubkey hash was being generated and set in the keypair when the
TLS context was being configured. This code should not be messing around
with the keypair contents, since it is part of the config (and not the
context).
Instead, generate the pubkey hash and store it in the keypair when the
certificate is configured. This means that we are guaranteed to have the
pubkey hash and as a side benefit, we identify bad certificate content
when it is provided, instead of during the context configuration.
ok beck@
Diffstat (limited to 'src/lib/libtls/tls.c')
| -rw-r--r-- | src/lib/libtls/tls.c | 33 |
1 files changed, 29 insertions, 4 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 0e206e2c7e..8f2c7dde05 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.75 2018/02/10 04:57:35 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -291,6 +291,34 @@ tls_cert_hash(X509 *cert, char **hash) | |||
| 291 | } | 291 | } |
| 292 | 292 | ||
| 293 | int | 293 | int |
| 294 | tls_cert_pubkey_hash(X509 *cert, char **hash) | ||
| 295 | { | ||
| 296 | char d[EVP_MAX_MD_SIZE], *dhex = NULL; | ||
| 297 | int dlen, rv = -1; | ||
| 298 | |||
| 299 | free(*hash); | ||
| 300 | *hash = NULL; | ||
| 301 | |||
| 302 | if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1) | ||
| 303 | goto err; | ||
| 304 | |||
| 305 | if (tls_hex_string(d, dlen, &dhex, NULL) != 0) | ||
| 306 | goto err; | ||
| 307 | |||
| 308 | if (asprintf(hash, "SHA256:%s", dhex) == -1) { | ||
| 309 | *hash = NULL; | ||
| 310 | goto err; | ||
| 311 | } | ||
| 312 | |||
| 313 | rv = 0; | ||
| 314 | |||
| 315 | err: | ||
| 316 | free(dhex); | ||
| 317 | |||
| 318 | return (rv); | ||
| 319 | } | ||
| 320 | |||
| 321 | int | ||
| 294 | tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | 322 | tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, |
| 295 | struct tls_keypair *keypair, int required) | 323 | struct tls_keypair *keypair, int required) |
| 296 | { | 324 | { |
| @@ -313,9 +341,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 313 | tls_set_errorx(ctx, "failed to load certificate"); | 341 | tls_set_errorx(ctx, "failed to load certificate"); |
| 314 | goto err; | 342 | goto err; |
| 315 | } | 343 | } |
| 316 | if (tls_keypair_pubkey_hash(keypair, &ctx->error, | ||
| 317 | &keypair->pubkey_hash) == -1) | ||
| 318 | goto err; | ||
| 319 | } | 344 | } |
| 320 | 345 | ||
| 321 | if (keypair->key_mem != NULL) { | 346 | if (keypair->key_mem != NULL) { |