| author | jsing <> | 2016-04-28 17:05:59 +0000 | 
|---|---|---|
| committer | jsing <> | 2016-04-28 17:05:59 +0000 | 
| commit | fc9e3dc14ffb94eed0f0165b2333d8e263e82106 (patch) | |
| tree | 046b15c71afb290bae07f4b238cfdc296f78ca6b /src/lib/libtls/tls.c | |
| parent | 969e83487c1a522a380e5b1adf920edf92244e62 (diff) | |
Factor out the keypair handling in libtls. This results in more readable
and self-contained code, while preparing for the ability to handle
multiple keypairs. Also provide two additional functions that allow
a public certificate and private key to be set with a single function
call.
ok beck@
Diffstat (limited to 'src/lib/libtls/tls.c')
| -rw-r--r-- | src/lib/libtls/tls.c | 45 | 
1 files changed, 23 insertions, 22 deletions
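--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.37 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -179,40 +179,41 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 
 int
-tls_configure_keypair(struct tls *ctx, int required)
+tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+struct tls_keypair *keypair, int required)
 {
 EVP_PKEY *pkey = NULL;
 X509 *cert = NULL;
 BIO *bio = NULL;
 
 if (!required &&
-ctx->config->cert_mem == NULL &&
-ctx->config->key_mem == NULL &&
-ctx->config->cert_file == NULL &&
-ctx->config->key_file == NULL)
+keypair->cert_mem == NULL &&
+keypair->key_mem == NULL &&
+keypair->cert_file == NULL &&
+keypair->key_file == NULL)
 return(0);
 
-if (ctx->config->cert_mem != NULL) {
-if (ctx->config->cert_len > INT_MAX) {
+if (keypair->cert_mem != NULL) {
+if (keypair->cert_len > INT_MAX) {
 tls_set_errorx(ctx, "certificate too long");
 goto err;
 }
 
-if (SSL_CTX_use_certificate_chain_mem(ctx->ssl_ctx,
-ctx->config->cert_mem, ctx->config->cert_len) != 1) {
+if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
+keypair->cert_mem, keypair->cert_len) != 1) {
 tls_set_errorx(ctx, "failed to load certificate");
 goto err;
 }
 cert = NULL;
 }
-if (ctx->config->key_mem != NULL) {
-if (ctx->config->key_len > INT_MAX) {
+if (keypair->key_mem != NULL) {
+if (keypair->key_len > INT_MAX) {
 tls_set_errorx(ctx, "key too long");
 goto err;
 }
 
-if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
-ctx->config->key_len)) == NULL) {
+if ((bio = BIO_new_mem_buf(keypair->key_mem,
+keypair->key_len)) == NULL) {
 tls_set_errorx(ctx, "failed to create buffer");
 goto err;
 }
@@ -221,7 +222,7 @@ tls_configure_keypair(struct tls *ctx, int required)
 tls_set_errorx(ctx, "failed to read private key");
 goto err;
 }
-if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {
+if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
 tls_set_errorx(ctx, "failed to load private key");
 goto err;
 }
@@ -231,22 +232,22 @@ tls_configure_keypair(struct tls *ctx, int required)
 pkey = NULL;
 }
 
-if (ctx->config->cert_file != NULL) {
-if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
-ctx->config->cert_file) != 1) {
+if (keypair->cert_file != NULL) {
+if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
+keypair->cert_file) != 1) {
 tls_set_errorx(ctx, "failed to load certificate file");
 goto err;
 }
 }
-if (ctx->config->key_file != NULL) {
-if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,
-ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {
+if (keypair->key_file != NULL) {
+if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
+keypair->key_file, SSL_FILETYPE_PEM) != 1) {
 tls_set_errorx(ctx, "failed to load private key file");
 goto err;
 }
 }
 
-if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {
+if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
 tls_set_errorx(ctx, "private/public key mismatch");
 goto err;
 }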
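Review bot: The new signature at lines 182–183 gives `ctx` and `ssl_ctx` distinct roles — `ctx` is now used only for tls_set_errorx() while the certificate and key are installed into `ssl_ctx` — and it dereferences `keypair` at line 189 without a NULL check, yet the hunk documents neither the split nor that precondition. A header comment such as `/* Install the certificate and private key described by keypair into ssl_ctx; ctx is used only for error reporting. keypair must not be NULL. */` would make the contract clear for the multiple-keypair callers the commit message anticipates. Separately, when `required` is set but the keypair supplies no cert_mem/key_mem/cert_file/key_file, none of the load branches run and control reaches SSL_CTX_check_private_key() at line 250, so the caller will most likely see "private/public key mismatch" rather than a message saying the keypair is missing; a check right after the early return at line 194 would give an accurate error. The function's err: cleanup lies outside the visible hunks.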
