diff options
| author | eric <> | 2022-01-25 21:51:24 +0000 |
|---|---|---|
| committer | eric <> | 2022-01-25 21:51:24 +0000 |
| commit | 5bc45eb57d3df492a992eb97f4f9efadef0b060c (patch) | |
| tree | f7e1f8bcb82bc7a21b3720f212d7fbf3f1d02872 /src/lib/libtls/tls.c | |
| parent | c8578f33457bc1465ca08176ebca6e8aac53fcd3 (diff) | |
| download | openbsd-5bc45eb57d3df492a992eb97f4f9efadef0b060c.tar.gz openbsd-5bc45eb57d3df492a992eb97f4f9efadef0b060c.tar.bz2 openbsd-5bc45eb57d3df492a992eb97f4f9efadef0b060c.zip | |
Introduce a signer interface intented to make TLS privsep simpler
to implement.
Add a tls_config_set_sign_cb() function that allows to register
a callback for the signing operation on a tls_config. When used,
the context installs fake pivate keys internally, and the callback
receives the hash of the public key.
Add a tls_signer_*() set of functions to manage tls_signer objects.
A tls_signer is an opaque structure on which keys are added.
It is used to compute signatures with private keys identified by
their associated public key hash.
Discussed with and ok jsing@ tb@
Diffstat (limited to 'src/lib/libtls/tls.c')
| -rw-r--r-- | src/lib/libtls/tls.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 608f0a3acd..fd525aa428 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.92 2021/10/21 14:31:21 tb Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.93 2022/01/25 21:51:24 eric Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -387,6 +387,8 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke | |||
| 387 | static int | 387 | static int |
| 388 | tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey) | 388 | tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey) |
| 389 | { | 389 | { |
| 390 | RSA_METHOD *rsa_method; | ||
| 391 | ECDSA_METHOD *ecdsa_method; | ||
| 390 | RSA *rsa = NULL; | 392 | RSA *rsa = NULL; |
| 391 | EC_KEY *eckey = NULL; | 393 | EC_KEY *eckey = NULL; |
| 392 | int ret = -1; | 394 | int ret = -1; |
| @@ -407,6 +409,14 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
| 407 | tls_set_errorx(ctx, "RSA key setup failure"); | 409 | tls_set_errorx(ctx, "RSA key setup failure"); |
| 408 | goto err; | 410 | goto err; |
| 409 | } | 411 | } |
| 412 | if (ctx->config->sign_cb == NULL) | ||
| 413 | break; | ||
| 414 | if ((rsa_method = tls_signer_rsa_method()) == NULL || | ||
| 415 | RSA_set_ex_data(rsa, 1, ctx->config) == 0 || | ||
| 416 | RSA_set_method(rsa, rsa_method) == 0) { | ||
| 417 | tls_set_errorx(ctx, "failed to setup RSA key"); | ||
| 418 | goto err; | ||
| 419 | } | ||
| 410 | break; | 420 | break; |
| 411 | case EVP_PKEY_EC: | 421 | case EVP_PKEY_EC: |
| 412 | if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || | 422 | if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL || |
| @@ -414,6 +424,14 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p | |||
| 414 | tls_set_errorx(ctx, "EC key setup failure"); | 424 | tls_set_errorx(ctx, "EC key setup failure"); |
| 415 | goto err; | 425 | goto err; |
| 416 | } | 426 | } |
| 427 | if (ctx->config->sign_cb == NULL) | ||
| 428 | break; | ||
| 429 | if ((ecdsa_method = tls_signer_ecdsa_method()) == NULL || | ||
| 430 | ECDSA_set_ex_data(eckey, 1, ctx->config) == 0 || | ||
| 431 | ECDSA_set_method(eckey, ecdsa_method) == 0) { | ||
| 432 | tls_set_errorx(ctx, "failed to setup EC key"); | ||
| 433 | goto err; | ||
| 434 | } | ||
| 417 | break; | 435 | break; |
| 418 | default: | 436 | default: |
| 419 | tls_set_errorx(ctx, "incorrect key type"); | 437 | tls_set_errorx(ctx, "incorrect key type"); |