Add client certificate support. Still needs a few tweaks but this will

ride upcoming minor bump ok jsing@
author: beck <> 2015-09-09 19:23:04 +0000
committer: beck <> 2015-09-09 19:23:04 +0000
commit: 869b2e79c9ff30e6144dddc6562522a90c73bb14 (patch)
tree: 54b585991caa7fede927175ee5ff75d793342b8f /src/lib/libtls/tls.c
parent: 4a79aa2cb1398f29f4fe23724a6ad3e4ba8e3b94 (diff)
download: openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.gz
openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.bz2
openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.zip
1 files changed, 40 insertions, 2 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index db14d3fc7d..0c4793cc9a 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.17 2015/09/09 18:22:33 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.18 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -147,12 +147,19 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 int
-tls_configure_keypair(struct tls *ctx)
+tls_configure_keypair(struct tls *ctx, int required)
 {
        EVP_PKEY *pkey = NULL;
        X509 *cert = NULL;
        BIO *bio = NULL;
+        if (!required &&
+            ctx->config->cert_mem == NULL &&
+            ctx->config->key_mem == NULL &&
+            ctx->config->cert_file == NULL &&
+            ctx->config->key_file == NULL)
+                return(0);
        if (ctx->config->cert_mem != NULL) {
                if (ctx->config->cert_len > INT_MAX) {
                        tls_set_errorx(ctx, "certificate too long");
@@ -256,6 +263,37 @@ err:
        return (-1);
 }
+int
+tls_configure_ssl_verify(struct tls *ctx, int verify)
+{
+        SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
+        if (ctx->config->ca_mem != NULL) {
+                /* XXX do this in set. */
+                if (ctx->config->ca_len > INT_MAX) {
+                        tls_set_error(ctx, "client ca too long");
+                        goto err;
+                }
+                if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+                    ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+                        tls_set_error(ctx,
+                            "ssl verify memory setup failure");
+                        goto err;
+                }
+        } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+            ctx->config->ca_file, ctx->config->ca_path) != 1) {
+                tls_set_error(ctx, "ssl verify setup failure");
+                goto err;
+        }
+        if (ctx->config->verify_depth >= 0)
+                SSL_CTX_set_verify_depth(ctx->ssl_ctx,
+                    ctx->config->verify_depth);
+        return (0);
+ err:
+        return (-1);
+}
 void
 tls_free(struct tls *ctx)
 {
author	beck <>	2015-09-09 19:23:04 +0000
committer	beck <>	2015-09-09 19:23:04 +0000
commit	869b2e79c9ff30e6144dddc6562522a90c73bb14 (patch)
tree	54b585991caa7fede927175ee5ff75d793342b8f /src/lib/libtls/tls.c
parent	4a79aa2cb1398f29f4fe23724a6ad3e4ba8e3b94 (diff)
download	openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.gz openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.tar.bz2 openbsd-869b2e79c9ff30e6144dddc6562522a90c73bb14.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index db14d3fc7d..0c4793cc9a 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.17 2015/09/09 18:22:33 beck Exp $ */	1	/* $OpenBSD: tls.c,v 1.18 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -147,12 +147,19 @@ tls_configure(struct tls ctx, struct tls_config config)
147	}	147	}
148		148
149	int	149	int
150	tls_configure_keypair(struct tls *ctx)	150	tls_configure_keypair(struct tls *ctx, int required)
151	{	151	{
152	EVP_PKEY *pkey = NULL;	152	EVP_PKEY *pkey = NULL;
153	X509 *cert = NULL;	153	X509 *cert = NULL;
154	BIO *bio = NULL;	154	BIO *bio = NULL;
155		155
		156	if (!required &&
		157	ctx->config->cert_mem == NULL &&
		158	ctx->config->key_mem == NULL &&
		159	ctx->config->cert_file == NULL &&
		160	ctx->config->key_file == NULL)
		161	return(0);
		162
156	if (ctx->config->cert_mem != NULL) {	163	if (ctx->config->cert_mem != NULL) {
157	if (ctx->config->cert_len > INT_MAX) {	164	if (ctx->config->cert_len > INT_MAX) {
158	tls_set_errorx(ctx, "certificate too long");	165	tls_set_errorx(ctx, "certificate too long");
@@ -256,6 +263,37 @@ err:
256	return (-1);	263	return (-1);
257	}	264	}
258		265
		266	int
		267	tls_configure_ssl_verify(struct tls *ctx, int verify)
		268	{
		269	SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
		270
		271	if (ctx->config->ca_mem != NULL) {
		272	/* XXX do this in set. */
		273	if (ctx->config->ca_len > INT_MAX) {
		274	tls_set_error(ctx, "client ca too long");
		275	goto err;
		276	}
		277	if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
		278	ctx->config->ca_mem, ctx->config->ca_len) != 1) {
		279	tls_set_error(ctx,
		280	"ssl verify memory setup failure");
		281	goto err;
		282	}
		283	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
		284	ctx->config->ca_file, ctx->config->ca_path) != 1) {
		285	tls_set_error(ctx, "ssl verify setup failure");
		286	goto err;
		287	}
		288	if (ctx->config->verify_depth >= 0)
		289	SSL_CTX_set_verify_depth(ctx->ssl_ctx,
		290	ctx->config->verify_depth);
		291	return (0);
		292
		293	err:
		294	return (-1);
		295	}
		296
259	void	297	void
260	tls_free(struct tls *ctx)	298	tls_free(struct tls *ctx)
261	{	299	{