Move the keypair pubkey hash handling code to during config.

The keypair pubkey hash was being generated and set in the keypair when the TLS context was being configured. This code should not be messing around with the keypair contents, since it is part of the config (and not the context). Instead, generate the pubkey hash and store it in the keypair when the certificate is configured. This means that we are guaranteed to have the pubkey hash and as a side benefit, we identify bad certificate content when it is provided, instead of during the context configuration. ok beck@
author: jsing <> 2018-02-10 04:57:35 +0000
committer: jsing <> 2018-02-10 04:57:35 +0000
commit: 55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree: 220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_keypair.c
parent: 1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download: openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2
openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip
1 files changed, 46 insertions, 47 deletions
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index 626a95853f..03e7f4ad76 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -29,7 +29,7 @@ tls_keypair_new(void)
        return calloc(1, sizeof(struct tls_keypair));
 }
-void
+static void
 tls_keypair_clear_key(struct tls_keypair *keypair)
 {
        freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
        keypair->key_len = 0;
 }
+static int
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
+{
+        X509 *cert = NULL;
+        int rv = -1;
+        free(keypair->pubkey_hash);
+        keypair->pubkey_hash = NULL;
+        if (keypair->cert_mem == NULL) {
+                rv = 0;
+                goto done;
+        }
+        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
+                goto err;
+        if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
+                goto err;
+        rv = 0;
+ err:
+        X509_free(cert);
+ done:
+        return (rv);
+}
 int
 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
 {
-        return tls_config_load_file(error, "certificate", cert_file,
+        if (tls_config_load_file(error, "certificate", cert_file,
-            &keypair->cert_mem, &keypair->cert_len);
+            &keypair->cert_mem, &keypair->cert_len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
-tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *cert, size_t len)
 {
-        return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
+        if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
 }
 int
-tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
+tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *key, size_t len)
 {
        tls_keypair_clear_key(keypair);
        return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
 int
 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
-    const uint8_t *staple, size_t len)
+    struct tls_error *error, const uint8_t *staple, size_t len)
 {
        return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
            staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
 void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
-        tls_keypair_set_cert_mem(keypair, NULL, 0);
+        struct tls_error error;
-        tls_keypair_set_key_mem(keypair, NULL, 0);
-        tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);
+        tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_key_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
        free(keypair->pubkey_hash);
        keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
        return (rv);
 }
-int
-tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error,
-    char **hash)
-{
-        X509 *cert = NULL;
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
-        int dlen, rv = -1;
-        free(*hash);
-        *hash = NULL;
-        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
-                goto err;
-        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
-                goto err;
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
-                goto err;
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                *hash = NULL;
-                goto err;
-        }
-        rv = 0;
- err:
-        X509_free(cert);
-        free(dhex);
-        return (rv);
-}
author	jsing <>	2018-02-10 04:57:35 +0000
committer	jsing <>	2018-02-10 04:57:35 +0000
commit	55d7f5b4e436517c599ae10fb98d503022d8cca3 (patch)
tree	220397ac4d651f9ebaa0a028f81a800a6991a0eb /src/lib/libtls/tls_keypair.c
parent	1ad3c784cb5a6f09eb35a87556f57f9a129ac572 (diff)
download	openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.gz openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.tar.bz2 openbsd-55d7f5b4e436517c599ae10fb98d503022d8cca3.zip

diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c index 626a95853f..03e7f4ad76 100644 --- a/src/lib/libtls/tls_keypair.c +++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -29,7 +29,7 @@ tls_keypair_new(void)
29	return calloc(1, sizeof(struct tls_keypair));	29	return calloc(1, sizeof(struct tls_keypair));
30	}	30	}
31		31
32	void	32	static void
33	tls_keypair_clear_key(struct tls_keypair *keypair)	33	tls_keypair_clear_key(struct tls_keypair *keypair)
34	{	34	{
35	freezero(keypair->key_mem, keypair->key_len);	35	freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
37	keypair->key_len = 0;	37	keypair->key_len = 0;
38	}	38	}
39		39
		40	static int
		41	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error)
		42	{
		43	X509 *cert = NULL;
		44	int rv = -1;
		45
		46	free(keypair->pubkey_hash);
		47	keypair->pubkey_hash = NULL;
		48
		49	if (keypair->cert_mem == NULL) {
		50	rv = 0;
		51	goto done;
		52	}
		53
		54	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
		55	goto err;
		56	if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
		57	goto err;
		58
		59	rv = 0;
		60
		61	err:
		62	X509_free(cert);
		63	done:
		64	return (rv);
		65	}
		66
40	int	67	int
41	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,	68	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,
42	const char *cert_file)	69	const char *cert_file)
43	{	70	{
44	return tls_config_load_file(error, "certificate", cert_file,	71	if (tls_config_load_file(error, "certificate", cert_file,
45	&keypair->cert_mem, &keypair->cert_len);	72	&keypair->cert_mem, &keypair->cert_len) == -1)
		73	return -1;
		74	return tls_keypair_pubkey_hash(keypair, error);
46	}	75	}
47		76
48	int	77	int
49	tls_keypair_set_cert_mem(struct tls_keypair keypair, const uint8_t cert,	78	tls_keypair_set_cert_mem(struct tls_keypair keypair, struct tls_error error,
50	size_t len)	79	const uint8_t *cert, size_t len)
51	{	80	{
52	return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);	81	if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
		82	return -1;
		83	return tls_keypair_pubkey_hash(keypair, error);
53	}	84	}
54		85
55	int	86	int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair keypair, struct tls_error error,
62	}	93	}
63		94
64	int	95	int
65	tls_keypair_set_key_mem(struct tls_keypair keypair, const uint8_t key,	96	tls_keypair_set_key_mem(struct tls_keypair keypair, struct tls_error error,
66	size_t len)	97	const uint8_t *key, size_t len)
67	{	98	{
68	tls_keypair_clear_key(keypair);	99	tls_keypair_clear_key(keypair);
69	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);	100	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
79		110
80	int	111	int
81	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,	112	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
82	const uint8_t *staple, size_t len)	113	struct tls_error error, const uint8_t staple, size_t len)
83	{	114	{
84	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,	115	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
85	staple, len);	116	staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
88	void	119	void
89	tls_keypair_clear(struct tls_keypair *keypair)	120	tls_keypair_clear(struct tls_keypair *keypair)
90	{	121	{
91	tls_keypair_set_cert_mem(keypair, NULL, 0);	122	struct tls_error error;
92	tls_keypair_set_key_mem(keypair, NULL, 0);	123
93	tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);	124	tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
		125	tls_keypair_set_key_mem(keypair, &error, NULL, 0);
		126	tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
94		127
95	free(keypair->pubkey_hash);	128	free(keypair->pubkey_hash);
96	keypair->pubkey_hash = NULL;	129	keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair keypair, struct tls_error error,
143		176
144	return (rv);	177	return (rv);
145	}	178	}
146
147	int
148	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error,
149	char **hash)
150	{
151	X509 *cert = NULL;
152	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
153	int dlen, rv = -1;
154
155	free(*hash);
156	*hash = NULL;
157
158	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
159	goto err;
160
161	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
162	goto err;
163
164	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
165	goto err;
166
167	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
168	*hash = NULL;
169	goto err;
170	}
171
172	rv = 0;
173
174	err:
175	X509_free(cert);
176	free(dhex);
177
178	return (rv);
179	}