authorclaudio <>2017-08-09 21:27:24 +0000
committerclaudio <>2017-08-09 21:27:24 +0000
commitb172f94f665e55aa2da726f07d8a751a8f88aed8 (patch)
tree3fe6a59e04489e4fff11a15572903b1a13783ae0 /src/lib
parent728461d1289a45d154875141eb0e954d9a212e34 (diff)
downloadopenbsd-b172f94f665e55aa2da726f07d8a751a8f88aed8.tar.gz
openbsd-b172f94f665e55aa2da726f07d8a751a8f88aed8.tar.bz2
openbsd-b172f94f665e55aa2da726f07d8a751a8f88aed8.zip
Don't use tls_cert_hash for the hashing used by the engine offloading magic
for the TLS privsep code. Instead use X509_pubkey_digest() because only the key should be used as identifier. Relayd is rewriting certificates and then the hash would change. Rename the hash in struct tls_keypair to pubkey_hash to make clear what this hash is about. With input and OK jsing@
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libtls/tls.c27
-rw-r--r--src/lib/libtls/tls_config.c4
-rw-r--r--src/lib/libtls/tls_internal.h4
3 files changed, 24 insertions, 11 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index ed857272c4..6df72e24e6 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */ 1/* $OpenBSD: tls.c,v 1.69 2017/08/09 21:27:24 claudio Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -283,11 +283,12 @@ tls_cert_hash(X509 *cert, char **hash)
283} 283}
284 284
285static int 285static int
286tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash) 286tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
287{ 287{
288 BIO *membio = NULL; 288 BIO *membio = NULL;
289 X509 *cert = NULL; 289 X509 *cert = NULL;
290 int rv = -1; 290 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
291 int dlen, rv = -1;
291 292
292 *hash = NULL; 293 *hash = NULL;
293 294
@@ -298,9 +299,21 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
298 NULL)) == NULL) 299 NULL)) == NULL)
299 goto err; 300 goto err;
300 301
301 rv = tls_cert_hash(cert, hash); 302 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
303 goto err;
304
305 if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
306 goto err;
307
308 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
309 *hash = NULL;
310 goto err;
311 }
312
313 rv = 0;
302 314
303 err: 315 err:
316 free(dhex);
304 X509_free(cert); 317 X509_free(cert);
305 BIO_free(membio); 318 BIO_free(membio);
306 319
@@ -331,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
331 tls_set_errorx(ctx, "failed to load certificate"); 344 tls_set_errorx(ctx, "failed to load certificate");
332 goto err; 345 goto err;
333 } 346 }
334 if (tls_keypair_cert_hash(keypair, &keypair->cert_hash) == -1) 347 if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1)
335 goto err; 348 goto err;
336 } 349 }
337 350
@@ -352,11 +365,11 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
352 goto err; 365 goto err;
353 } 366 }
354 367
355 if (keypair->cert_hash != NULL) { 368 if (keypair->pubkey_hash != NULL) {
356 RSA *rsa; 369 RSA *rsa;
357 /* XXX only RSA for now for relayd privsep */ 370 /* XXX only RSA for now for relayd privsep */
358 if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { 371 if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
359 RSA_set_ex_data(rsa, 0, keypair->cert_hash); 372 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash);
360 RSA_free(rsa); 373 RSA_free(rsa);
361 } 374 }
362 } 375 }
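Review bot: The digest buffer and length in tls_keypair_pubkey_hash (new lines 290-291, consumed by the X509_pubkey_digest call at 302) are declared `char d[EVP_MAX_MD_SIZE]` and `int dlen`, while X509_pubkey_digest is declared in LibreSSL's x509.h with `unsigned char *md` and `unsigned int *len`, so both arguments have mismatched pointer signedness; `unsigned char d[EVP_MAX_MD_SIZE];` and `unsigned int dlen;` would match that prototype and tls_hex_string's `const unsigned char *` input, though this should be confirmed against the installed headers since tls_cert_hash above the hunk may carry the same declarations. The `"SHA256:%s"` string built at 308 is also an IPC contract rather than a local detail: relayd's privileged side presumably recomputes the same value to find the matching private key, so a comment above the function such as `/* Identify the keypair by the SHA-256 of its SubjectPublicKeyInfo, formatted "SHA256:<hex>", so relayd can match it even after rewriting the certificate; keep the digest and prefix in sync with relayd's lookup. */` would stop a later change to the digest or prefix from silently breaking key lookup. The function tls_configure_ssl_keypair touched by the two later hunks starts and ends outside the shown lines.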
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index fe049d1e4e..40374ea220 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.41 2017/07/06 17:12:22 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -141,7 +141,7 @@ tls_keypair_free(struct tls_keypair *keypair)
141 free(keypair->cert_mem); 141 free(keypair->cert_mem);
142 free(keypair->key_mem); 142 free(keypair->key_mem);
143 free(keypair->ocsp_staple); 143 free(keypair->ocsp_staple);
144 free(keypair->cert_hash); 144 free(keypair->pubkey_hash);
145 145
146 free(keypair); 146 free(keypair);
147} 147}
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index bed9d6e7f4..6079babccf 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.62 2017/07/06 17:12:22 jsing Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.63 2017/08/09 21:27:24 claudio Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -53,7 +53,7 @@ struct tls_keypair {
53 size_t key_len; 53 size_t key_len;
54 char *ocsp_staple; 54 char *ocsp_staple;
55 size_t ocsp_staple_len; 55 size_t ocsp_staple_len;
56 char *cert_hash; 56 char *pubkey_hash;
57}; 57};
58 58
59#define TLS_MIN_SESSION_TIMEOUT (4) 59#define TLS_MIN_SESSION_TIMEOUT (4)