Internal changes to allow for relayd engine privsep. sends the hash of the

public key as an identifier to RSA, and adds an function for relayd to use to disable private key checking when doing engine privsep. ok jsing@
author: beck <> 2017-04-05 03:13:53 +0000
committer: beck <> 2017-04-05 03:13:53 +0000
commit: f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd (patch)
tree: ff8e0ddc9e52cbb810c54bc2d58bc7b56babddf9 /src/lib/libtls/tls_conninfo.c
parent: 15512fa62e34a4703d9f430c652ea37068e1ce6c (diff)
download: openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.tar.gz
openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.tar.bz2
openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.zip
1 files changed, 7 insertions, 25 deletions
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 5cdd0f77c8..c4d23c308b 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.13 2017/01/09 15:31:20 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.14 2017/04/05 03:13:53 beck Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -23,7 +23,7 @@
 #include <tls.h>
 #include "tls_internal.h"
-static int
+int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
    size_t *outlen)
 {
@@ -56,35 +56,16 @@ tls_hex_string(const unsigned char *in, size_t inlen, char **out,
 static int
 tls_get_peer_cert_hash(struct tls *ctx, char **hash)
 {
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
-        int dlen, rv = -1;
        *hash = NULL;
        if (ctx->ssl_peer_cert == NULL)
                return (0);
-        if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {
+        if (tls_cert_hash(ctx->ssl_peer_cert, hash) == -1) {
-                tls_set_errorx(ctx, "digest failed");
+                tls_set_errorx(ctx, "unable to compute peer certificate hash - out of memory");
-                goto err;
-        }
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
-                tls_set_errorx(ctx, "digest hex string failed");
-                goto err;
-        }
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                tls_set_errorx(ctx, "out of memory");
                *hash = NULL;
-                goto err;
+                return -1;
        }
+        return 0;
-        rv = 0;
-err:
-        free(dhex);
-        return (rv);
 }
 static int
@@ -294,3 +275,4 @@ tls_conn_version(struct tls *ctx)
                return (NULL);
        return (ctx->conninfo->version);
 }
author	beck <>	2017-04-05 03:13:53 +0000
committer	beck <>	2017-04-05 03:13:53 +0000
commit	f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd (patch)
tree	ff8e0ddc9e52cbb810c54bc2d58bc7b56babddf9 /src/lib/libtls/tls_conninfo.c
parent	15512fa62e34a4703d9f430c652ea37068e1ce6c (diff)
download	openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.tar.gz openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.tar.bz2 openbsd-f5eb17185d6269ff2a9ad8980b6ec5a8f508dcdd.zip

diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c index 5cdd0f77c8..c4d23c308b 100644 --- a/src/lib/libtls/tls_conninfo.c +++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_conninfo.c,v 1.13 2017/01/09 15:31:20 jsing Exp $ */	1	/* $OpenBSD: tls_conninfo.c,v 1.14 2017/04/05 03:13:53 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -23,7 +23,7 @@
23	#include <tls.h>	23	#include <tls.h>
24	#include "tls_internal.h"	24	#include "tls_internal.h"
25		25
26	static int	26	int
27	tls_hex_string(const unsigned char in, size_t inlen, char *out,	27	tls_hex_string(const unsigned char in, size_t inlen, char *out,
28	size_t *outlen)	28	size_t *outlen)
29	{	29	{
@@ -56,35 +56,16 @@ tls_hex_string(const unsigned char in, size_t inlen, char *out,
56	static int	56	static int
57	tls_get_peer_cert_hash(struct tls ctx, char *hash)	57	tls_get_peer_cert_hash(struct tls ctx, char *hash)
58	{	58	{
59	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
60	int dlen, rv = -1;
61
62	*hash = NULL;	59	*hash = NULL;
63	if (ctx->ssl_peer_cert == NULL)	60	if (ctx->ssl_peer_cert == NULL)
64	return (0);	61	return (0);
65		62
66	if (X509_digest(ctx->ssl_peer_cert, EVP_sha256(), d, &dlen) != 1) {	63	if (tls_cert_hash(ctx->ssl_peer_cert, hash) == -1) {
67	tls_set_errorx(ctx, "digest failed");	64	tls_set_errorx(ctx, "unable to compute peer certificate hash - out of memory");
68	goto err;
69	}
70
71	if (tls_hex_string(d, dlen, &dhex, NULL) != 0) {
72	tls_set_errorx(ctx, "digest hex string failed");
73	goto err;
74	}
75
76	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
77	tls_set_errorx(ctx, "out of memory");
78	*hash = NULL;	65	*hash = NULL;
79	goto err;	66	return -1;
80	}	67	}
81		68	return 0;
82	rv = 0;
83
84	err:
85	free(dhex);
86
87	return (rv);
88	}	69	}
89		70
90	static int	71	static int
@@ -294,3 +275,4 @@ tls_conn_version(struct tls *ctx)
294	return (NULL);	275	return (NULL);
295	return (ctx->conninfo->version);	276	return (ctx->conninfo->version);
296	}	277	}
		278