diff options
| author | jsing <> | 2018-02-10 04:41:24 +0000 |
|---|---|---|
| committer | jsing <> | 2018-02-10 04:41:24 +0000 |
| commit | ad2580ae7b71760c38ec88f34f360d5f1e6b3f13 (patch) | |
| tree | d414866dbbe43d007a4873fb2dc7e6cb637f7bce /src/lib/libtls/tls_config.c | |
| parent | 87264e9d7a6c2a965876fcf5e4b3dc46470e2562 (diff) | |
| download | openbsd-ad2580ae7b71760c38ec88f34f360d5f1e6b3f13.tar.gz openbsd-ad2580ae7b71760c38ec88f34f360d5f1e6b3f13.tar.bz2 openbsd-ad2580ae7b71760c38ec88f34f360d5f1e6b3f13.zip | |
Add support to libtls for client-side TLS session resumption.
A libtls client can specify a session file descriptor (a regular file
with appropriate ownership and permissions) and libtls will manage reading
and writing of session data across TLS handshakes.
Discussed at length with deraadt@ and tedu@.
Rides previous minor bump.
ok beck@
Diffstat (limited to 'src/lib/libtls/tls_config.c')
| -rw-r--r-- | src/lib/libtls/tls_config.c | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 3db75dc62f..6dfebfaebf 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -89,6 +89,7 @@ tls_config_new(void) | |||
| 89 | goto err; | 89 | goto err; |
| 90 | 90 | ||
| 91 | config->refcount = 1; | 91 | config->refcount = 1; |
| 92 | config->session_fd = -1; | ||
| 92 | 93 | ||
| 93 | /* | 94 | /* |
| 94 | * Default configuration. | 95 | * Default configuration. |
| @@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols) | |||
| 670 | } | 671 | } |
| 671 | 672 | ||
| 672 | int | 673 | int |
| 674 | tls_config_set_session_fd(struct tls_config *config, int session_fd) | ||
| 675 | { | ||
| 676 | struct stat sb; | ||
| 677 | mode_t mugo; | ||
| 678 | |||
| 679 | if (session_fd == -1) { | ||
| 680 | config->session_fd = session_fd; | ||
| 681 | return (0); | ||
| 682 | } | ||
| 683 | |||
| 684 | if (fstat(session_fd, &sb) == -1) { | ||
| 685 | tls_config_set_error(config, "failed to stat session file"); | ||
| 686 | return (-1); | ||
| 687 | } | ||
| 688 | if (!S_ISREG(sb.st_mode)) { | ||
| 689 | tls_config_set_errorx(config, | ||
| 690 | "session file is not a regular file"); | ||
| 691 | return (-1); | ||
| 692 | } | ||
| 693 | |||
| 694 | if (sb.st_uid != getuid()) { | ||
| 695 | tls_config_set_errorx(config, "session file has incorrect " | ||
| 696 | "owner (uid %i != %i)", sb.st_uid, getuid()); | ||
| 697 | return (-1); | ||
| 698 | } | ||
| 699 | mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO); | ||
| 700 | if (mugo != (S_IRUSR|S_IWUSR)) { | ||
| 701 | tls_config_set_errorx(config, "session file has incorrect " | ||
| 702 | "permissions (%o != 600)", mugo); | ||
| 703 | return (-1); | ||
| 704 | } | ||
| 705 | |||
| 706 | config->session_fd = session_fd; | ||
| 707 | |||
| 708 | return (0); | ||
| 709 | } | ||
| 710 | |||
| 711 | int | ||
| 673 | tls_config_set_verify_depth(struct tls_config *config, int verify_depth) | 712 | tls_config_set_verify_depth(struct tls_config *config, int verify_depth) |
| 674 | { | 713 | { |
| 675 | config->verify_depth = verify_depth; | 714 | config->verify_depth = verify_depth; |