Rename libressl to libtls to avoid confusion and to make it easier to

distinguish between LibreSSL (the project) and libressl (the library). Discussed with many.
author: jsing <> 2014-10-31 13:46:17 +0000
committer: jsing <> 2014-10-31 13:46:17 +0000
commit: cd85e00508e178758948e7a759609d0f1e7764df (patch)
tree: 44ea21a19ccf529a3e38fb107d3a2d1330f58d8e /src/lib/libtls/tls.c
parent: e83bdb8edcd9388f13b71372b277fdcce386a9b0 (diff)
download: openbsd-cd85e00508e178758948e7a759609d0f1e7764df.tar.gz
openbsd-cd85e00508e178758948e7a759609d0f1e7764df.tar.bz2
openbsd-cd85e00508e178758948e7a759609d0f1e7764df.zip
1 files changed, 300 insertions, 0 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
new file mode 100644
index 0000000000..a7f612e40b
--- /dev/null
+++ b/src/lib/libtls/tls.c
@@ -0,0 +1,300 @@
+/* $OpenBSD: tls.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/*
+ * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/socket.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <openssl/bio.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/x509.h>
+#include <tls.h>
+#include "tls_internal.h"
+static struct tls_config *tls_config_default;
+int
+tls_init(void)
+{
+        static int tls_initialised = 0;
+        if (tls_initialised)
+                return (0);
+        SSL_load_error_strings();
+        SSL_library_init();
+        if ((tls_config_default = tls_config_new()) == NULL)
+                return (-1);
+        tls_initialised = 1;
+        return (0);
+}
+const char *
+tls_error(struct tls *ctx)
+{
+        return ctx->errmsg;
+}
+int
+tls_set_error(struct tls *ctx, char *fmt, ...)
+{
+        va_list ap;
+        int rv;
+        ctx->err = errno;
+        free(ctx->errmsg);
+        ctx->errmsg = NULL;
+        va_start(ap, fmt);
+        rv = vasprintf(&ctx->errmsg, fmt, ap);
+        va_end(ap);
+        return (rv);
+}
+struct tls *
+tls_new(void)
+{
+        struct tls *ctx;
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
+                return (NULL);
+        ctx->config = tls_config_default;
+        tls_reset(ctx);
+        return (ctx);
+}
+int
+tls_configure(struct tls *ctx, struct tls_config *config)
+{
+        if (config == NULL)
+                config = tls_config_default;
+        ctx->config = config;
+        if ((ctx->flags & TLS_SERVER) != 0)
+                return (tls_configure_server(ctx));
+        return (0);
+}
+int
+tls_configure_keypair(struct tls *ctx)
+{
+        EVP_PKEY *pkey = NULL;
+        X509 *cert = NULL;
+        BIO *bio = NULL;
+        if (ctx->config->cert_mem != NULL) {
+                if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx,
+                    ctx->config->cert_mem, ctx->config->cert_len) != 1) {
+                        tls_set_error(ctx, "failed to load certificate");
+                        goto err;
+                }
+                cert = NULL;
+        }
+        if (ctx->config->key_mem != NULL) {
+                if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
+                    ctx->config->key_len)) == NULL) {
+                        tls_set_error(ctx, "failed to create buffer");
+                        goto err;
+                }
+                if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+                    NULL)) == NULL) {
+                        tls_set_error(ctx, "failed to read private key");
+                        goto err;
+                }
+                if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {
+                        tls_set_error(ctx, "failed to load private key");
+                        goto err;
+                }
+                BIO_free(bio);
+                bio = NULL;
+                EVP_PKEY_free(pkey);
+                pkey = NULL;
+        }
+        if (ctx->config->cert_file != NULL) {
+                if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
+                    ctx->config->cert_file) != 1) {
+                        tls_set_error(ctx, "failed to load certificate file");
+                        goto err;
+                }
+        }
+        if (ctx->config->key_file != NULL) {
+                if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,
+                    ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {
+                        tls_set_error(ctx, "failed to load private key file");
+                        goto err;
+                }
+        }
+        if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {
+                tls_set_error(ctx, "private/public key mismatch");
+                goto err;
+        }
+        return (0);
+err:
+        EVP_PKEY_free(pkey);
+        X509_free(cert);
+        BIO_free(bio);
+        return (1);
+}
+int
+tls_configure_ssl(struct tls *ctx)
+{
+        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
+                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+        if (ctx->config->ciphers != NULL) {
+                if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
+                    ctx->config->ciphers) != 1) {
+                        tls_set_error(ctx, "failed to set ciphers");
+                        goto err;
+                }
+        }
+        return (0);
+err:
+        return (-1);
+}
+void
+tls_free(struct tls *ctx)
+{
+        if (ctx == NULL)
+                return;
+        tls_reset(ctx);
+        free(ctx);
+}
+void
+tls_reset(struct tls *ctx)
+{
+        SSL_CTX_free(ctx->ssl_ctx);
+        SSL_free(ctx->ssl_conn);
+        ctx->ssl_conn = NULL;
+        ctx->ssl_ctx = NULL;
+        ctx->socket = -1;
+        ctx->err = 0;
+        free(ctx->errmsg);
+        ctx->errmsg = NULL;
+}
+int
+tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen)
+{
+        int ret, ssl_err;
+        ret = SSL_read(ctx->ssl_conn, buf, buflen);
+        if (ret > 0) {
+                *outlen = (size_t)ret;
+                return (0);
+        }
+        ssl_err = SSL_get_error(ctx->ssl_conn, ret);
+        switch (ssl_err) {
+        case SSL_ERROR_WANT_READ:
+                return (TLS_READ_AGAIN);
+        case SSL_ERROR_WANT_WRITE:
+                return (TLS_WRITE_AGAIN);
+        default:
+                tls_set_error(ctx, "read failed (%i)", ssl_err);
+                return (-1);
+        }
+}
+int
+tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
+{
+        int ret, ssl_err;
+        ret = SSL_write(ctx->ssl_conn, buf, buflen);
+        if (ret > 0) {
+                *outlen = (size_t)ret;
+                return (0);
+        }
+        ssl_err = SSL_get_error(ctx->ssl_conn, ret);
+        switch (ssl_err) {
+        case SSL_ERROR_WANT_READ:
+                return (TLS_READ_AGAIN);
+        case SSL_ERROR_WANT_WRITE:
+                return (TLS_WRITE_AGAIN);
+        default:
+                tls_set_error(ctx, "write failed (%i)", ssl_err);
+                return (-1);
+        }
+}
+int
+tls_close(struct tls *ctx)
+{
+        /* XXX - handle case where multiple calls are required. */
+        if (ctx->ssl_conn != NULL) {
+                if (SSL_shutdown(ctx->ssl_conn) == -1) {
+                        tls_set_error(ctx, "SSL shutdown failed");
+                        goto err;
+                }
+        }
+        if (ctx->socket != -1) {
+                if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
+                        tls_set_error(ctx, "shutdown");
+                        goto err;
+                }
+                if (close(ctx->socket) != 0) {
+                        tls_set_error(ctx, "close");
+                        goto err;
+                }
+                ctx->socket = -1;
+        }
+        return (0);
+err:
+        return (-1);
+}
author	jsing <>	2014-10-31 13:46:17 +0000
committer	jsing <>	2014-10-31 13:46:17 +0000
commit	cd85e00508e178758948e7a759609d0f1e7764df (patch)
tree	44ea21a19ccf529a3e38fb107d3a2d1330f58d8e /src/lib/libtls/tls.c
parent	e83bdb8edcd9388f13b71372b277fdcce386a9b0 (diff)
download	openbsd-cd85e00508e178758948e7a759609d0f1e7764df.tar.gz openbsd-cd85e00508e178758948e7a759609d0f1e7764df.tar.bz2 openbsd-cd85e00508e178758948e7a759609d0f1e7764df.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c new file mode 100644 index 0000000000..a7f612e40b --- /dev/null +++ b/src/lib/libtls/tls.c
@@ -0,0 +1,300 @@
	1	/* $OpenBSD: tls.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
	2	/*
	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
	4	*
	5	* Permission to use, copy, modify, and distribute this software for any
	6	* purpose with or without fee is hereby granted, provided that the above
	7	* copyright notice and this permission notice appear in all copies.
	8	*
	9	* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
	10	* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
	11	* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
	12	* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
	13	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	14	* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
	15	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
	16	*/
	17
	18	#include <sys/socket.h>
	19
	20	#include <errno.h>
	21	#include <stdlib.h>
	22	#include <unistd.h>
	23
	24	#include <openssl/bio.h>
	25	#include <openssl/evp.h>
	26	#include <openssl/pem.h>
	27	#include <openssl/x509.h>
	28
	29	#include <tls.h>
	30	#include "tls_internal.h"
	31
	32	static struct tls_config *tls_config_default;
	33
	34	int
	35	tls_init(void)
	36	{
	37	static int tls_initialised = 0;
	38
	39	if (tls_initialised)
	40	return (0);
	41
	42	SSL_load_error_strings();
	43	SSL_library_init();
	44
	45	if ((tls_config_default = tls_config_new()) == NULL)
	46	return (-1);
	47
	48	tls_initialised = 1;
	49
	50	return (0);
	51	}
	52
	53	const char *
	54	tls_error(struct tls *ctx)
	55	{
	56	return ctx->errmsg;
	57	}
	58
	59	int
	60	tls_set_error(struct tls ctx, char fmt, ...)
	61	{
	62	va_list ap;
	63	int rv;
	64
	65	ctx->err = errno;
	66	free(ctx->errmsg);
	67	ctx->errmsg = NULL;
	68
	69	va_start(ap, fmt);
	70	rv = vasprintf(&ctx->errmsg, fmt, ap);
	71	va_end(ap);
	72
	73	return (rv);
	74	}
	75
	76	struct tls *
	77	tls_new(void)
	78	{
	79	struct tls *ctx;
	80
	81	if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
	82	return (NULL);
	83
	84	ctx->config = tls_config_default;
	85
	86	tls_reset(ctx);
	87
	88	return (ctx);
	89	}
	90
	91	int
	92	tls_configure(struct tls ctx, struct tls_config config)
	93	{
	94	if (config == NULL)
	95	config = tls_config_default;
	96
	97	ctx->config = config;
	98
	99	if ((ctx->flags & TLS_SERVER) != 0)
	100	return (tls_configure_server(ctx));
	101
	102	return (0);
	103	}
	104
	105	int
	106	tls_configure_keypair(struct tls *ctx)
	107	{
	108	EVP_PKEY *pkey = NULL;
	109	X509 *cert = NULL;
	110	BIO *bio = NULL;
	111
	112	if (ctx->config->cert_mem != NULL) {
	113	if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx,
	114	ctx->config->cert_mem, ctx->config->cert_len) != 1) {
	115	tls_set_error(ctx, "failed to load certificate");
	116	goto err;
	117	}
	118	cert = NULL;
	119	}
	120	if (ctx->config->key_mem != NULL) {
	121	if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
	122	ctx->config->key_len)) == NULL) {
	123	tls_set_error(ctx, "failed to create buffer");
	124	goto err;
	125	}
	126	if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL,
	127	NULL)) == NULL) {
	128	tls_set_error(ctx, "failed to read private key");
	129	goto err;
	130	}
	131	if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {
	132	tls_set_error(ctx, "failed to load private key");
	133	goto err;
	134	}
	135	BIO_free(bio);
	136	bio = NULL;
	137	EVP_PKEY_free(pkey);
	138	pkey = NULL;
	139	}
	140
	141	if (ctx->config->cert_file != NULL) {
	142	if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
	143	ctx->config->cert_file) != 1) {
	144	tls_set_error(ctx, "failed to load certificate file");
	145	goto err;
	146	}
	147	}
	148	if (ctx->config->key_file != NULL) {
	149	if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,
	150	ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {
	151	tls_set_error(ctx, "failed to load private key file");
	152	goto err;
	153	}
	154	}
	155
	156	if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {
	157	tls_set_error(ctx, "private/public key mismatch");
	158	goto err;
	159	}
	160
	161	return (0);
	162
	163	err:
	164	EVP_PKEY_free(pkey);
	165	X509_free(cert);
	166	BIO_free(bio);
	167
	168	return (1);
	169	}
	170
	171	int
	172	tls_configure_ssl(struct tls *ctx)
	173	{
	174	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
	175	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
	176
	177	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	178	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	179	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
	180
	181	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
	182	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
	183	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
	184	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
	185	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
	186	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
	187
	188	if (ctx->config->ciphers != NULL) {
	189	if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
	190	ctx->config->ciphers) != 1) {
	191	tls_set_error(ctx, "failed to set ciphers");
	192	goto err;
	193	}
	194	}
	195
	196	return (0);
	197
	198	err:
	199	return (-1);
	200	}
	201
	202	void
	203	tls_free(struct tls *ctx)
	204	{
	205	if (ctx == NULL)
	206	return;
	207	tls_reset(ctx);
	208	free(ctx);
	209	}
	210
	211	void
	212	tls_reset(struct tls *ctx)
	213	{
	214	SSL_CTX_free(ctx->ssl_ctx);
	215	SSL_free(ctx->ssl_conn);
	216
	217	ctx->ssl_conn = NULL;
	218	ctx->ssl_ctx = NULL;
	219
	220	ctx->socket = -1;
	221
	222	ctx->err = 0;
	223	free(ctx->errmsg);
	224	ctx->errmsg = NULL;
	225	}
	226
	227	int
	228	tls_read(struct tls ctx, void buf, size_t buflen, size_t *outlen)
	229	{
	230	int ret, ssl_err;
	231
	232	ret = SSL_read(ctx->ssl_conn, buf, buflen);
	233	if (ret > 0) {
	234	*outlen = (size_t)ret;
	235	return (0);
	236	}
	237
	238	ssl_err = SSL_get_error(ctx->ssl_conn, ret);
	239	switch (ssl_err) {
	240	case SSL_ERROR_WANT_READ:
	241	return (TLS_READ_AGAIN);
	242	case SSL_ERROR_WANT_WRITE:
	243	return (TLS_WRITE_AGAIN);
	244	default:
	245	tls_set_error(ctx, "read failed (%i)", ssl_err);
	246	return (-1);
	247	}
	248	}
	249
	250	int
	251	tls_write(struct tls ctx, const void buf, size_t buflen, size_t *outlen)
	252	{
	253	int ret, ssl_err;
	254
	255	ret = SSL_write(ctx->ssl_conn, buf, buflen);
	256	if (ret > 0) {
	257	*outlen = (size_t)ret;
	258	return (0);
	259	}
	260
	261	ssl_err = SSL_get_error(ctx->ssl_conn, ret);
	262	switch (ssl_err) {
	263	case SSL_ERROR_WANT_READ:
	264	return (TLS_READ_AGAIN);
	265	case SSL_ERROR_WANT_WRITE:
	266	return (TLS_WRITE_AGAIN);
	267	default:
	268	tls_set_error(ctx, "write failed (%i)", ssl_err);
	269	return (-1);
	270	}
	271	}
	272
	273	int
	274	tls_close(struct tls *ctx)
	275	{
	276	/* XXX - handle case where multiple calls are required. */
	277	if (ctx->ssl_conn != NULL) {
	278	if (SSL_shutdown(ctx->ssl_conn) == -1) {
	279	tls_set_error(ctx, "SSL shutdown failed");
	280	goto err;
	281	}
	282	}
	283
	284	if (ctx->socket != -1) {
	285	if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
	286	tls_set_error(ctx, "shutdown");
	287	goto err;
	288	}
	289	if (close(ctx->socket) != 0) {
	290	tls_set_error(ctx, "close");
	291	goto err;
	292	}
	293	ctx->socket = -1;
	294	}
	295
	296	return (0);
	297
	298	err:
	299	return (-1);
	300	}