Add support to libtls for client-side TLS session resumption.

A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes. Discussed at length with deraadt@ and tedu@. Rides previous minor bump. ok beck@
author: jsing <> 2018-02-10 04:41:24 +0000
committer: jsing <> 2018-02-10 04:41:24 +0000
commit: 7f2c0ca878baa76136bb91e6e42ba28feb243a6b (patch)
tree: d414866dbbe43d007a4873fb2dc7e6cb637f7bce /src/lib/libtls/tls_config.c
parent: 8bb2c697afde11037803819ad6589618da0b6552 (diff)
download: openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.tar.gz
openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.tar.bz2
openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.zip
1 files changed, 40 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 3db75dc62f..6dfebfaebf 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -89,6 +89,7 @@ tls_config_new(void)
                goto err;
        config->refcount = 1;
+        config->session_fd = -1;
        /*
         * Default configuration.
@@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 }
 int
+tls_config_set_session_fd(struct tls_config *config, int session_fd)
+{
+        struct stat sb;
+        mode_t mugo;
+        if (session_fd == -1) {
+                config->session_fd = session_fd;
+                return (0);
+        }
+        if (fstat(session_fd, &sb) == -1) {
+                tls_config_set_error(config, "failed to stat session file");
+                return (-1);
+        }
+        if (!S_ISREG(sb.st_mode)) {
+                tls_config_set_errorx(config,
+                    "session file is not a regular file");
+                return (-1);
+        }
+        if (sb.st_uid != getuid()) {
+                tls_config_set_errorx(config, "session file has incorrect "
+                    "owner (uid %i != %i)", sb.st_uid, getuid());
+                return (-1);
+        }
+        mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
+        if (mugo != (S_IRUSR|S_IWUSR)) {
+                tls_config_set_errorx(config, "session file has incorrect "
+                    "permissions (%o != 600)", mugo);
+                return (-1);
+        }
+        config->session_fd = session_fd;
+        return (0);
+}
+int
 tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 {
        config->verify_depth = verify_depth;
author	jsing <>	2018-02-10 04:41:24 +0000
committer	jsing <>	2018-02-10 04:41:24 +0000
commit	7f2c0ca878baa76136bb91e6e42ba28feb243a6b (patch)
tree	d414866dbbe43d007a4873fb2dc7e6cb637f7bce /src/lib/libtls/tls_config.c
parent	8bb2c697afde11037803819ad6589618da0b6552 (diff)
download	openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.tar.gz openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.tar.bz2 openbsd-7f2c0ca878baa76136bb91e6e42ba28feb243a6b.zip

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 3db75dc62f..6dfebfaebf 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -89,6 +89,7 @@ tls_config_new(void)
89	goto err;	89	goto err;
90		90
91	config->refcount = 1;	91	config->refcount = 1;
		92	config->session_fd = -1;
92		93
93	/*	94	/*
94	* Default configuration.	95	* Default configuration.
@@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
670	}	671	}
671		672
672	int	673	int
		674	tls_config_set_session_fd(struct tls_config *config, int session_fd)
		675	{
		676	struct stat sb;
		677	mode_t mugo;
		678
		679	if (session_fd == -1) {
		680	config->session_fd = session_fd;
		681	return (0);
		682	}
		683
		684	if (fstat(session_fd, &sb) == -1) {
		685	tls_config_set_error(config, "failed to stat session file");
		686	return (-1);
		687	}
		688	if (!S_ISREG(sb.st_mode)) {
		689	tls_config_set_errorx(config,
		690	"session file is not a regular file");
		691	return (-1);
		692	}
		693
		694	if (sb.st_uid != getuid()) {
		695	tls_config_set_errorx(config, "session file has incorrect "
		696	"owner (uid %i != %i)", sb.st_uid, getuid());
		697	return (-1);
		698	}
		699	mugo = sb.st_mode & (S_IRWXU\|S_IRWXG\|S_IRWXO);
		700	if (mugo != (S_IRUSR\|S_IWUSR)) {
		701	tls_config_set_errorx(config, "session file has incorrect "
		702	"permissions (%o != 600)", mugo);
		703	return (-1);
		704	}
		705
		706	config->session_fd = session_fd;
		707
		708	return (0);
		709	}
		710
		711	int
673	tls_config_set_verify_depth(struct tls_config *config, int verify_depth)	712	tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
674	{	713	{
675	config->verify_depth = verify_depth;	714	config->verify_depth = verify_depth;