Move the keypair pubkey hash handling code to during config.

The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
author: jsing <> 2018-02-10 04:57:35 +0000
committer: jsing <> 2018-02-10 04:57:35 +0000
commit: 351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c (patch)
tree: 220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_config.c
parent: 0865717e89a23608e9e870a932e575c2eee93965 (diff)
download: openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.tar.gz
openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.tar.bz2
openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.zip
1 files changed, 11 insertions, 7 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 6dfebfaebf..2dab4fc7d8 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.49 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -351,12 +351,13 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce
        if ((keypair = tls_keypair_new()) == NULL)
                return (-1);
-        if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)
+        if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
                goto err;
-        if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
+        if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
                goto err;
        if (staple != NULL &&
-            tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+            tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
+                staple_len) != 0)
                goto err;
        tls_config_keypair_add(config, keypair);
@@ -431,7 +432,8 @@ int
 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
 {
-        return tls_keypair_set_cert_mem(config->keypair, cert, len);
+        return tls_keypair_set_cert_mem(config->keypair, &config->error,
+            cert, len);
 }
 int
@@ -592,7 +594,8 @@ int
 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
 {
-        return tls_keypair_set_key_mem(config->keypair, key, len);
+        return tls_keypair_set_key_mem(config->keypair, &config->error,
+            key, len);
 }
 static int
@@ -789,7 +792,8 @@ int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
    size_t len)
 {
-        return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
+        return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error,
+            staple, len);
 }
 int
author	jsing <>	2018-02-10 04:57:35 +0000
committer	jsing <>	2018-02-10 04:57:35 +0000
commit	351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c (patch)
tree	220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_config.c
parent	0865717e89a23608e9e870a932e575c2eee93965 (diff)
download	openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.tar.gz openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.tar.bz2 openbsd-351d578b1eacfbf1586f49fbbabbdb4e7efdbf5c.zip