diff options
| author | jsing <> | 2016-08-15 14:04:23 +0000 |
|---|---|---|
| committer | jsing <> | 2016-08-15 14:04:23 +0000 |
| commit | b625f466ed086e94acecb66a8ddd3309cb0e3006 (patch) | |
| tree | 0f8db1f8992ad067c26b92b7063f1d0e0e260bb8 /src/lib/libtls/tls.c | |
| parent | 27106e2b77c6e7da64be6b4849b458e997106b07 (diff) | |
| download | openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.gz openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.bz2 openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.zip | |
Explicitly pass in an SSL_CTX * to the functions that operate on one,
instead of assuming that they should use the one associated with the TLS
context. This allows these functions to be used with the additional
SSL contexts that are needed to support server-side SNI.
Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that
these functions have a common prefix.
ok reyk@
Diffstat (limited to 'src/lib/libtls/tls.c')
| -rw-r--r-- | src/lib/libtls/tls.c | 44 |
1 files changed, 21 insertions, 23 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 429881dbb3..bf0e1f769f 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -207,7 +207,7 @@ tls_configure(struct tls *ctx, struct tls_config *config) | |||
| 207 | } | 207 | } |
| 208 | 208 | ||
| 209 | int | 209 | int |
| 210 | tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | 210 | tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, |
| 211 | struct tls_keypair *keypair, int required) | 211 | struct tls_keypair *keypair, int required) |
| 212 | { | 212 | { |
| 213 | EVP_PKEY *pkey = NULL; | 213 | EVP_PKEY *pkey = NULL; |
| @@ -274,27 +274,27 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 274 | } | 274 | } |
| 275 | 275 | ||
| 276 | int | 276 | int |
| 277 | tls_configure_ssl(struct tls *ctx) | 277 | tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) |
| 278 | { | 278 | { |
| 279 | SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); | 279 | SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); |
| 280 | SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | 280 | SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
| 281 | 281 | ||
| 282 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2); | 282 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); |
| 283 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3); | 283 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); |
| 284 | 284 | ||
| 285 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); | 285 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); |
| 286 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); | 286 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); |
| 287 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); | 287 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); |
| 288 | 288 | ||
| 289 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) | 289 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) |
| 290 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); | 290 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); |
| 291 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) | 291 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) |
| 292 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); | 292 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); |
| 293 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) | 293 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) |
| 294 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); | 294 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); |
| 295 | 295 | ||
| 296 | if (ctx->config->alpn != NULL) { | 296 | if (ctx->config->alpn != NULL) { |
| 297 | if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn, | 297 | if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, |
| 298 | ctx->config->alpn_len) != 0) { | 298 | ctx->config->alpn_len) != 0) { |
| 299 | tls_set_errorx(ctx, "failed to set alpn"); | 299 | tls_set_errorx(ctx, "failed to set alpn"); |
| 300 | goto err; | 300 | goto err; |
| @@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx) | |||
| 302 | } | 302 | } |
| 303 | 303 | ||
| 304 | if (ctx->config->ciphers != NULL) { | 304 | if (ctx->config->ciphers != NULL) { |
| 305 | if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, | 305 | if (SSL_CTX_set_cipher_list(ssl_ctx, |
| 306 | ctx->config->ciphers) != 1) { | 306 | ctx->config->ciphers) != 1) { |
| 307 | tls_set_errorx(ctx, "failed to set ciphers"); | 307 | tls_set_errorx(ctx, "failed to set ciphers"); |
| 308 | goto err; | 308 | goto err; |
| @@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx) | |||
| 310 | } | 310 | } |
| 311 | 311 | ||
| 312 | if (ctx->config->verify_time == 0) { | 312 | if (ctx->config->verify_time == 0) { |
| 313 | X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param, | 313 | X509_VERIFY_PARAM_set_flags(ssl_ctx->param, |
| 314 | X509_V_FLAG_NO_CHECK_TIME); | 314 | X509_V_FLAG_NO_CHECK_TIME); |
| 315 | } | 315 | } |
| 316 | 316 | ||
| @@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx) | |||
| 321 | } | 321 | } |
| 322 | 322 | ||
| 323 | int | 323 | int |
| 324 | tls_configure_ssl_verify(struct tls *ctx, int verify) | 324 | tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) |
| 325 | { | 325 | { |
| 326 | size_t ca_len = ctx->config->ca_len; | 326 | size_t ca_len = ctx->config->ca_len; |
| 327 | char *ca_mem = ctx->config->ca_mem; | 327 | char *ca_mem = ctx->config->ca_mem; |
| 328 | char *ca_free = NULL; | 328 | char *ca_free = NULL; |
| 329 | 329 | ||
| 330 | SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); | 330 | SSL_CTX_set_verify(ssl_ctx, verify, NULL); |
| 331 | 331 | ||
| 332 | /* If no CA has been specified, attempt to load the default. */ | 332 | /* If no CA has been specified, attempt to load the default. */ |
| 333 | if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { | 333 | if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { |
| @@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify) | |||
| 342 | tls_set_errorx(ctx, "ca too long"); | 342 | tls_set_errorx(ctx, "ca too long"); |
| 343 | goto err; | 343 | goto err; |
| 344 | } | 344 | } |
| 345 | if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem, | 345 | if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { |
| 346 | ca_len) != 1) { | ||
| 347 | tls_set_errorx(ctx, "ssl verify memory setup failure"); | 346 | tls_set_errorx(ctx, "ssl verify memory setup failure"); |
| 348 | goto err; | 347 | goto err; |
| 349 | } | 348 | } |
| 350 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, | 349 | } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, |
| 351 | ctx->config->ca_path) != 1) { | 350 | ctx->config->ca_path) != 1) { |
| 352 | tls_set_errorx(ctx, "ssl verify locations failure"); | 351 | tls_set_errorx(ctx, "ssl verify locations failure"); |
| 353 | goto err; | 352 | goto err; |
| 354 | } | 353 | } |
| 355 | if (ctx->config->verify_depth >= 0) | 354 | if (ctx->config->verify_depth >= 0) |
| 356 | SSL_CTX_set_verify_depth(ctx->ssl_ctx, | 355 | SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth); |
| 357 | ctx->config->verify_depth); | ||
| 358 | 356 | ||
| 359 | free(ca_free); | 357 | free(ca_free); |
| 360 | 358 | ||