Move the keypair pubkey hash handling code to during config.

The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
author: jsing <> 2018-02-10 04:57:35 +0000
committer: jsing <> 2018-02-10 04:57:35 +0000
commit: 55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree: 220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_internal.h
parent: 1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download: openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip
1 files changed, 9 insertions, 11 deletions
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 14265037eb..f8b9e6118e 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.69 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.70 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -199,25 +199,22 @@ int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
 int tls_set_string(const char **_dest, const char *_src);
 struct tls_keypair *tls_keypair_new(void);
-void tls_keypair_clear_key(struct tls_keypair *_keypair);
+void tls_keypair_clear(struct tls_keypair *_keypair);
+void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_cert_file);
-int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, const uint8_t *_cert,
+int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_cert, size_t _len);
 int tls_keypair_set_key_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_key_file);
-int tls_keypair_set_key_mem(struct tls_keypair *_keypair, const uint8_t *_key,
+int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_key, size_t _len);
 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_ocsp_file);
 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
-    const uint8_t *_staple, size_t _len);
+    struct tls_error *_error, const uint8_t *_staple, size_t _len);
-void tls_keypair_clear(struct tls_keypair *_keypair);
-void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_load_cert(struct tls_keypair *_keypair,
    struct tls_error *_error, X509 **_cert);
-int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
-    struct tls_error *_error, char **_hash);
 struct tls_sni_ctx *tls_sni_ctx_new(void);
 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
@@ -281,6 +278,7 @@ struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
    size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
+int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
author	jsing <>	2018-02-10 04:57:35 +0000
committer	jsing <>	2018-02-10 04:57:35 +0000
commit	55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree	220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_internal.h
parent	1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download	openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2 openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip