Revert previous - it introduces problems with a common privsep use case.

3 files changed, 35 insertions, 72 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index e0464ec8b1..857b8d0811 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.40 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.41 2016/07/07 14:09:03 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -216,7 +216,9 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 
         if (!required &&
             keypair->cert_mem == NULL &&
-            keypair->key_mem == NULL)
+            keypair->key_mem == NULL &&
+            keypair->cert_file == NULL &&
+            keypair->key_file == NULL)
                 return(0);
 
         if (keypair->cert_mem != NULL) {
@@ -258,6 +260,21 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                 pkey = NULL;
         }
 
+        if (keypair->cert_file != NULL) {
+                if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
+                    keypair->cert_file) != 1) {
+                        tls_set_errorx(ctx, "failed to load certificate file");
+                        goto err;
+                }
+        }
+        if (keypair->key_file != NULL) {
+                if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
+                    keypair->key_file, SSL_FILETYPE_PEM) != 1) {
+                        tls_set_errorx(ctx, "failed to load private key file");
+                        goto err;
+                }
+        }
+
         if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
                 tls_set_errorx(ctx, "private/public key mismatch");
                 goto err;
@@ -329,7 +346,7 @@ tls_configure_ssl_verify(struct tls *ctx, int verify)
                         goto err;
                 }
         } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
-            NULL, ctx->config->ca_path) != 1) {
+            ctx->config->ca_file, ctx->config->ca_path) != 1) {
                 tls_set_errorx(ctx, "ssl verify setup failure");
                 goto err;
         }
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index a348b826d5..6b47eeb8d1 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.20 2016/07/06 16:47:18 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.21 2016/07/07 14:09:03 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -15,13 +15,9 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <sys/stat.h>
-
 #include <ctype.h>
 #include <errno.h>
-#include <fcntl.h>
 #include <stdlib.h>
-#include <unistd.h>
 
 #include <tls.h>
 #include "tls_internal.h"
@@ -61,53 +57,6 @@ set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
         return 0;
 }
 
-static int
-load_file(struct tls_error *error, const char *filetype, const char *filename,
-    char **buf, size_t *len)
-{
-        struct stat st;
-        int fd = -1;
-
-        free(*buf);
-        *buf = NULL;
-        *len = 0;
-
-        if ((fd = open(filename, O_RDONLY)) == -1) {
-                tls_error_set(error, "failed to open %s file '%s'",
-                    filetype, filename);
-                goto fail;
-        }
-        if (fstat(fd, &st) != 0) {
-                tls_error_set(error, "failed to stat %s file '%s'",
-                    filetype, filename);
-                goto fail;
-        }
-        *len = (size_t)st.st_size;
-        if ((*buf = malloc(*len)) == NULL) {
-                tls_error_set(error, "failed to allocate buffer for "
-                    "%s file '%s'", filetype, filename);
-                goto fail;
-        }
-        if (read(fd, *buf, *len) != *len) {
-                tls_error_set(error, "failed to read %s file '%s'",
-                    filetype, filename);
-                goto fail;
-        }
-        close(fd);
-        return 0;
-
- fail:
-        if (fd != -1)
-                close(fd);
-        if (*buf != NULL)
-                explicit_bzero(*buf, *len);
-        free(*buf);
-        *buf = NULL;
-        *len = 0;
-
-        return -1;
-}
-
 static struct tls_keypair *
 tls_keypair_new()
 {
@@ -115,11 +64,9 @@ tls_keypair_new()
 }
 
 static int
-tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
-    const char *cert_file)
+tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file)
 {
-        return load_file(error, "certificate", cert_file, &keypair->cert_mem,
-            &keypair->cert_len);
+        return set_string(&keypair->cert_file, cert_file);
 }
 
 static int
@@ -130,13 +77,9 @@ tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
 }
 
 static int
-tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
-    const char *key_file)
+tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file)
 {
-        if (keypair->key_mem != NULL)
-                explicit_bzero(keypair->key_mem, keypair->key_len);
-        return load_file(error, "key", key_file, &keypair->key_mem,
-            &keypair->key_len);
+        return set_string(&keypair->key_file, key_file);
 }
 
 static int
@@ -163,7 +106,9 @@ tls_keypair_free(struct tls_keypair *keypair)
 
         tls_keypair_clear(keypair);
 
+        free((char *)keypair->cert_file);
         free(keypair->cert_mem);
+        free((char *)keypair->key_file);
         free(keypair->key_mem);
 
         free(keypair);
@@ -221,6 +166,7 @@ tls_config_free(struct tls_config *config)
 
         free(config->error.msg);
 
+        free((char *)config->ca_file);
         free((char *)config->ca_mem);
         free((char *)config->ca_path);
         free((char *)config->ciphers);
@@ -306,8 +252,7 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
-        return load_file(&config->error, "CA", ca_file, &config->ca_mem,
-            &config->ca_len);
+        return set_string(&config->ca_file, ca_file);
 }
 
 int
@@ -325,8 +270,7 @@ tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
 int
 tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
 {
-        return tls_keypair_set_cert_file(config->keypair, &config->error,
-            cert_file);
+        return tls_keypair_set_cert_file(config->keypair, cert_file);
 }
 
 int
@@ -409,8 +353,7 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
 int
 tls_config_set_key_file(struct tls_config *config, const char *key_file)
 {
-        return tls_keypair_set_key_file(config->keypair, &config->error,
-            key_file);
+        return tls_keypair_set_key_file(config->keypair, key_file);
 }
 
 int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index b7a1530c96..886ee1151f 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.30 2016/07/06 16:16:36 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.31 2016/07/07 14:09:03 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -42,8 +42,10 @@ struct tls_error {
 struct tls_keypair {
         struct tls_keypair *next;
 
+        const char *cert_file;
         char *cert_mem;
         size_t cert_len;
+        const char *key_file;
         char *key_mem;
         size_t key_len;
 };
@@ -51,6 +53,7 @@ struct tls_keypair {
 struct tls_config {
         struct tls_error error;
 
+        const char *ca_file;
         const char *ca_path;
         char *ca_mem;
         size_t ca_len;