diff options
| author | jsing <> | 2016-07-06 16:16:36 +0000 |
|---|---|---|
| committer | jsing <> | 2016-07-06 16:16:36 +0000 |
| commit | c6881b696b1fa5d3e6966b53235e4c76d0574048 (patch) | |
| tree | dd36a8def4c5396baa868a5a3d3d3fa3785f19dd /src/lib/libtls/tls.c | |
| parent | c6b61bddec1634e2d244575d39a9e88063218f88 (diff) | |
| download | openbsd-c6881b696b1fa5d3e6966b53235e4c76d0574048.tar.gz openbsd-c6881b696b1fa5d3e6966b53235e4c76d0574048.tar.bz2 openbsd-c6881b696b1fa5d3e6966b53235e4c76d0574048.zip | |
Always load CA, key and certificate files at the time the configuration
function is called. This simplifies code and results in a single memory
based code path being used to provide data to libssl. Errors that occur
when accessing the specified file are now detected and propagated
immediately. Since the file access now occurs when the configuration
function is called, we now play nicely with privsep/pledge.
ok beck@ bluhm@ doug@
Diffstat (limited to 'src/lib/libtls/tls.c')
| -rw-r--r-- | src/lib/libtls/tls.c | 23 |
1 files changed, 3 insertions, 20 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 783d320a9d..e0464ec8b1 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.39 2016/07/06 02:32:57 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.40 2016/07/06 16:16:36 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -216,9 +216,7 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 216 | 216 | ||
| 217 | if (!required && | 217 | if (!required && |
| 218 | keypair->cert_mem == NULL && | 218 | keypair->cert_mem == NULL && |
| 219 | keypair->key_mem == NULL && | 219 | keypair->key_mem == NULL) |
| 220 | keypair->cert_file == NULL && | ||
| 221 | keypair->key_file == NULL) | ||
| 222 | return(0); | 220 | return(0); |
| 223 | 221 | ||
| 224 | if (keypair->cert_mem != NULL) { | 222 | if (keypair->cert_mem != NULL) { |
| @@ -260,21 +258,6 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 260 | pkey = NULL; | 258 | pkey = NULL; |
| 261 | } | 259 | } |
| 262 | 260 | ||
| 263 | if (keypair->cert_file != NULL) { | ||
| 264 | if (SSL_CTX_use_certificate_chain_file(ssl_ctx, | ||
| 265 | keypair->cert_file) != 1) { | ||
| 266 | tls_set_errorx(ctx, "failed to load certificate file"); | ||
| 267 | goto err; | ||
| 268 | } | ||
| 269 | } | ||
| 270 | if (keypair->key_file != NULL) { | ||
| 271 | if (SSL_CTX_use_PrivateKey_file(ssl_ctx, | ||
| 272 | keypair->key_file, SSL_FILETYPE_PEM) != 1) { | ||
| 273 | tls_set_errorx(ctx, "failed to load private key file"); | ||
| 274 | goto err; | ||
| 275 | } | ||
| 276 | } | ||
| 277 | |||
| 278 | if (SSL_CTX_check_private_key(ssl_ctx) != 1) { | 261 | if (SSL_CTX_check_private_key(ssl_ctx) != 1) { |
| 279 | tls_set_errorx(ctx, "private/public key mismatch"); | 262 | tls_set_errorx(ctx, "private/public key mismatch"); |
| 280 | goto err; | 263 | goto err; |
| @@ -346,7 +329,7 @@ tls_configure_ssl_verify(struct tls *ctx, int verify) | |||
| 346 | goto err; | 329 | goto err; |
| 347 | } | 330 | } |
| 348 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, | 331 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, |
| 349 | ctx->config->ca_file, ctx->config->ca_path) != 1) { | 332 | NULL, ctx->config->ca_path) != 1) { |
| 350 | tls_set_errorx(ctx, "ssl verify setup failure"); | 333 | tls_set_errorx(ctx, "ssl verify setup failure"); |
| 351 | goto err; | 334 | goto err; |
| 352 | } | 335 | } |