Add client certificate support. Still needs a few tweaks but this will

ride upcoming minor bump ok jsing@
author: beck <> 2015-09-09 19:23:04 +0000
committer: beck <> 2015-09-09 19:23:04 +0000
commit: cc008b2d6bedfbbad46502f4d5ac035f96f3a623 (patch)
tree: 54b585991caa7fede927175ee5ff75d793342b8f /src/lib/libtls/tls_client.c
parent: 8e3f7ae09db7a69fa93309c91e8f6b29f5bf53db (diff)
download: openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.tar.gz
openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.tar.bz2
openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.zip
1 files changed, 6 insertions, 26 deletions
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 81b5510431..056526ddc3 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.23 2015/09/09 14:32:06 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.24 2015/09/09 19:23:04 beck Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -21,7 +21,6 @@
 #include <arpa/inet.h>
 #include <netinet/in.h>
-#include <limits.h>
 #include <netdb.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -190,6 +189,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
        if (tls_configure_ssl(ctx) != 0)
                goto err;
+        if (tls_configure_keypair(ctx, 0) != 0)
+                goto err;
        if (ctx->config->verify_name) {
                if (servername == NULL) {
@@ -198,30 +199,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                }
        }
-        if (ctx->config->verify_cert) {
+        if (ctx->config->verify_cert &&
-                SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
+            (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
+                goto err;
-                if (ctx->config->ca_mem != NULL) {
-                        if (ctx->config->ca_len > INT_MAX) {
-                                tls_set_errorx(ctx, "ca too long");
-                                goto err;
-                        }
-                        if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
-                            ctx->config->ca_mem, ctx->config->ca_len) != 1) {
-                                tls_set_errorx(ctx,
-                                    "ssl verify memory setup failure");
-                                goto err;
-                        }
-                } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
-                    ctx->config->ca_file, ctx->config->ca_path) != 1) {
-                        tls_set_errorx(ctx, "ssl verify setup failure");
-                        goto err;
-                }
-                if (ctx->config->verify_depth >= 0)
-                        SSL_CTX_set_verify_depth(ctx->ssl_ctx,
-                            ctx->config->verify_depth);
-        }
        if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
                tls_set_errorx(ctx, "ssl connection failure");
author	beck <>	2015-09-09 19:23:04 +0000
committer	beck <>	2015-09-09 19:23:04 +0000
commit	cc008b2d6bedfbbad46502f4d5ac035f96f3a623 (patch)
tree	54b585991caa7fede927175ee5ff75d793342b8f /src/lib/libtls/tls_client.c
parent	8e3f7ae09db7a69fa93309c91e8f6b29f5bf53db (diff)
download	openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.tar.gz openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.tar.bz2 openbsd-cc008b2d6bedfbbad46502f4d5ac035f96f3a623.zip

diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 81b5510431..056526ddc3 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_client.c,v 1.23 2015/09/09 14:32:06 jsing Exp $ */	1	/* $OpenBSD: tls_client.c,v 1.24 2015/09/09 19:23:04 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -21,7 +21,6 @@
21	#include <arpa/inet.h>	21	#include <arpa/inet.h>
22	#include <netinet/in.h>	22	#include <netinet/in.h>
23		23
24	#include <limits.h>
25	#include <netdb.h>	24	#include <netdb.h>
26	#include <stdlib.h>	25	#include <stdlib.h>
27	#include <unistd.h>	26	#include <unistd.h>
@@ -190,6 +189,8 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
190		189
191	if (tls_configure_ssl(ctx) != 0)	190	if (tls_configure_ssl(ctx) != 0)
192	goto err;	191	goto err;
		192	if (tls_configure_keypair(ctx, 0) != 0)
		193	goto err;
193		194
194	if (ctx->config->verify_name) {	195	if (ctx->config->verify_name) {
195	if (servername == NULL) {	196	if (servername == NULL) {
@@ -198,30 +199,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
198	}	199	}
199	}	200	}
200		201
201	if (ctx->config->verify_cert) {	202	if (ctx->config->verify_cert &&
202	SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);	203	(tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
203		204	goto err;
204	if (ctx->config->ca_mem != NULL) {
205	if (ctx->config->ca_len > INT_MAX) {
206	tls_set_errorx(ctx, "ca too long");
207	goto err;
208	}
209
210	if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
211	ctx->config->ca_mem, ctx->config->ca_len) != 1) {
212	tls_set_errorx(ctx,
213	"ssl verify memory setup failure");
214	goto err;
215	}
216	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
217	ctx->config->ca_file, ctx->config->ca_path) != 1) {
218	tls_set_errorx(ctx, "ssl verify setup failure");
219	goto err;
220	}
221	if (ctx->config->verify_depth >= 0)
222	SSL_CTX_set_verify_depth(ctx->ssl_ctx,
223	ctx->config->verify_depth);
224	}
225		205
226	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {	206	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
227	tls_set_errorx(ctx, "ssl connection failure");	207	tls_set_errorx(ctx, "ssl connection failure");