Explicitly pass in an SSL_CTX * to the functions that operate on one,

instead of assuming that they should use the one associated with the TLS context. This allows these functions to be used with the additional SSL contexts that are needed to support server-side SNI. Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that these functions have a common prefix. ok reyk@
author: jsing <> 2016-08-15 14:04:23 +0000
committer: jsing <> 2016-08-15 14:04:23 +0000
commit: b625f466ed086e94acecb66a8ddd3309cb0e3006 (patch)
tree: 0f8db1f8992ad067c26b92b7063f1d0e0e260bb8 /src/lib
parent: 27106e2b77c6e7da64be6b4849b458e997106b07 (diff)
download: openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.gz
openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.bz2
openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.zip
4 files changed, 38 insertions, 37 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 429881dbb3..bf0e1f769f 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -207,7 +207,7 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 int
-tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required)
 {
        EVP_PKEY *pkey = NULL;
@@ -274,27 +274,27 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 }
 int
-tls_configure_ssl(struct tls *ctx)
+tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 {
-        SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+        SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
-        SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
+        SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);
+        SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
-        SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);
+        SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
-        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+        SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
-        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+        SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
-        SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+        SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
-                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);
+                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
-                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);
+                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
        if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
-                SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
+                SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
        if (ctx->config->alpn != NULL) {
-                if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn,
+                if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
                    ctx->config->alpn_len) != 0) {
                        tls_set_errorx(ctx, "failed to set alpn");
                        goto err;
@@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx)
        }
        if (ctx->config->ciphers != NULL) {
-                if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
+                if (SSL_CTX_set_cipher_list(ssl_ctx,
                    ctx->config->ciphers) != 1) {
                        tls_set_errorx(ctx, "failed to set ciphers");
                        goto err;
@@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx)
        }
        if (ctx->config->verify_time == 0) {
-                X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param,
+                X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
                    X509_V_FLAG_NO_CHECK_TIME);
        }
@@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx)
 }
 int
-tls_configure_ssl_verify(struct tls *ctx, int verify)
+tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
        size_t ca_len = ctx->config->ca_len;
        char *ca_mem = ctx->config->ca_mem;
        char *ca_free = NULL;
-        SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
+        SSL_CTX_set_verify(ssl_ctx, verify, NULL);
        /* If no CA has been specified, attempt to load the default. */
        if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
@@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify)
                        tls_set_errorx(ctx, "ca too long");
                        goto err;
                }
-                if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem,
+                if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
-                    ca_len) != 1) {
                        tls_set_errorx(ctx, "ssl verify memory setup failure");
                        goto err;
                }
-        } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL,
+        } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
            ctx->config->ca_path) != 1) {
                tls_set_errorx(ctx, "ssl verify locations failure");
                goto err;
        }
        if (ctx->config->verify_depth >= 0)
-                SSL_CTX_set_verify_depth(ctx->ssl_ctx,
+                SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
-                    ctx->config->verify_depth);
        free(ca_free);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 3847f4c46c..c360ecad52 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.34 2016/08/15 14:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -193,9 +193,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                goto err;
        }
-        if (tls_configure_ssl(ctx) != 0)
+        if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
                goto err;
-        if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
+        if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
+            ctx->config->keypair, 0) != 0)
                goto err;
        if (ctx->config->verify_name) {
@@ -204,9 +205,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
                        goto err;
                }
        }
        if (ctx->config->verify_cert &&
-            (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))
+            (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
+             SSL_VERIFY_PEER) == -1))
                goto err;
        if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index fa972bbadf..f266996a4c 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.36 2016/08/13 13:05:51 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.37 2016/08/15 14:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -112,11 +112,12 @@ struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
-int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
-    struct tls_keypair *keypair, int required);
 int tls_configure_server(struct tls *ctx);
-int tls_configure_ssl(struct tls *ctx);
-int tls_configure_ssl_verify(struct tls *ctx, int verify);
+int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
+int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+    struct tls_keypair *keypair, int required);
+int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
 int tls_handshake_client(struct tls *ctx);
 int tls_handshake_server(struct tls *ctx);
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 690af32eaf..bec9c0608f 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.22 2016/08/12 15:10:59 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -73,15 +73,16 @@ tls_configure_server(struct tls *ctx)
                goto err;
        }
-        if (tls_configure_ssl(ctx) != 0)
+        if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
                goto err;
-        if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0)
+        if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
+            ctx->config->keypair, 1) != 0)
                goto err;
        if (ctx->config->verify_client != 0) {
                int verify = SSL_VERIFY_PEER;
                if (ctx->config->verify_client == 1)
                        verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-                if (tls_configure_ssl_verify(ctx, verify) == -1)
+                if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1)
                        goto err;
        }
author	jsing <>	2016-08-15 14:04:23 +0000
committer	jsing <>	2016-08-15 14:04:23 +0000
commit	b625f466ed086e94acecb66a8ddd3309cb0e3006 (patch)
tree	0f8db1f8992ad067c26b92b7063f1d0e0e260bb8 /src/lib
parent	27106e2b77c6e7da64be6b4849b458e997106b07 (diff)
download	openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.gz openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.tar.bz2 openbsd-b625f466ed086e94acecb66a8ddd3309cb0e3006.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 429881dbb3..bf0e1f769f 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -207,7 +207,7 @@ tls_configure(struct tls ctx, struct tls_config config)
207	}	207	}
208		208
209	int	209	int
210	tls_configure_keypair(struct tls ctx, SSL_CTX ssl_ctx,	210	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
211	struct tls_keypair *keypair, int required)	211	struct tls_keypair *keypair, int required)
212	{	212	{
213	EVP_PKEY *pkey = NULL;	213	EVP_PKEY *pkey = NULL;
@@ -274,27 +274,27 @@ tls_configure_keypair(struct tls ctx, SSL_CTX ssl_ctx,
274	}	274	}
275		275
276	int	276	int
277	tls_configure_ssl(struct tls *ctx)	277	tls_configure_ssl(struct tls ctx, SSL_CTX ssl_ctx)
278	{	278	{
279	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);	279	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
280	SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);	280	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
281		281
282	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2);	282	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
283	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3);	283	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
284		284
285	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);	285	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
286	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);	286	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
287	SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);	287	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
288		288
289	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)	289	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
290	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1);	290	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
291	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)	291	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
292	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1);	292	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
293	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)	293	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
294	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);	294	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
295		295
296	if (ctx->config->alpn != NULL) {	296	if (ctx->config->alpn != NULL) {
297	if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn,	297	if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
298	ctx->config->alpn_len) != 0) {	298	ctx->config->alpn_len) != 0) {
299	tls_set_errorx(ctx, "failed to set alpn");	299	tls_set_errorx(ctx, "failed to set alpn");
300	goto err;	300	goto err;
@@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx)
302	}	302	}
303		303
304	if (ctx->config->ciphers != NULL) {	304	if (ctx->config->ciphers != NULL) {
305	if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,	305	if (SSL_CTX_set_cipher_list(ssl_ctx,
306	ctx->config->ciphers) != 1) {	306	ctx->config->ciphers) != 1) {
307	tls_set_errorx(ctx, "failed to set ciphers");	307	tls_set_errorx(ctx, "failed to set ciphers");
308	goto err;	308	goto err;
@@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx)
310	}	310	}
311		311
312	if (ctx->config->verify_time == 0) {	312	if (ctx->config->verify_time == 0) {
313	X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param,	313	X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
314	X509_V_FLAG_NO_CHECK_TIME);	314	X509_V_FLAG_NO_CHECK_TIME);
315	}	315	}
316		316
@@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx)
321	}	321	}
322		322
323	int	323	int
324	tls_configure_ssl_verify(struct tls *ctx, int verify)	324	tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify)
325	{	325	{
326	size_t ca_len = ctx->config->ca_len;	326	size_t ca_len = ctx->config->ca_len;
327	char *ca_mem = ctx->config->ca_mem;	327	char *ca_mem = ctx->config->ca_mem;
328	char *ca_free = NULL;	328	char *ca_free = NULL;
329		329
330	SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);	330	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
331		331
332	/* If no CA has been specified, attempt to load the default. */	332	/* If no CA has been specified, attempt to load the default. */
333	if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {	333	if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
@@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify)
342	tls_set_errorx(ctx, "ca too long");	342	tls_set_errorx(ctx, "ca too long");
343	goto err;	343	goto err;
344	}	344	}
345	if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem,	345	if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
346	ca_len) != 1) {
347	tls_set_errorx(ctx, "ssl verify memory setup failure");	346	tls_set_errorx(ctx, "ssl verify memory setup failure");
348	goto err;	347	goto err;
349	}	348	}
350	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL,	349	} else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
351	ctx->config->ca_path) != 1) {	350	ctx->config->ca_path) != 1) {
352	tls_set_errorx(ctx, "ssl verify locations failure");	351	tls_set_errorx(ctx, "ssl verify locations failure");
353	goto err;	352	goto err;
354	}	353	}
355	if (ctx->config->verify_depth >= 0)	354	if (ctx->config->verify_depth >= 0)
356	SSL_CTX_set_verify_depth(ctx->ssl_ctx,	355	SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
357	ctx->config->verify_depth);
358		356
359	free(ca_free);	357	free(ca_free);
360		358


diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 3847f4c46c..c360ecad52 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */	1	/* $OpenBSD: tls_client.c,v 1.34 2016/08/15 14:04:23 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -193,9 +193,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
193	goto err;	193	goto err;
194	}	194	}
195		195
196	if (tls_configure_ssl(ctx) != 0)	196	if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
197	goto err;	197	goto err;
198	if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)	198	if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
		199	ctx->config->keypair, 0) != 0)
199	goto err;	200	goto err;
200		201
201	if (ctx->config->verify_name) {	202	if (ctx->config->verify_name) {
@@ -204,9 +205,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
204	goto err;	205	goto err;
205	}	206	}
206	}	207	}
207
208	if (ctx->config->verify_cert &&	208	if (ctx->config->verify_cert &&
209	(tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1))	209	(tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
		210	SSL_VERIFY_PEER) == -1))
210	goto err;	211	goto err;
211		212
212	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {	213	if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index fa972bbadf..f266996a4c 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.36 2016/08/13 13:05:51 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.37 2016/08/15 14:04:23 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -112,11 +112,12 @@ struct tls *tls_new(void);
112	struct tls tls_server_conn(struct tls ctx);	112	struct tls tls_server_conn(struct tls ctx);
113		113
114	int tls_check_name(struct tls ctx, X509 cert, const char *servername);	114	int tls_check_name(struct tls ctx, X509 cert, const char *servername);
115	int tls_configure_keypair(struct tls ctx, SSL_CTX ssl_ctx,
116	struct tls_keypair *keypair, int required);
117	int tls_configure_server(struct tls *ctx);	115	int tls_configure_server(struct tls *ctx);
118	int tls_configure_ssl(struct tls *ctx);	116
119	int tls_configure_ssl_verify(struct tls *ctx, int verify);	117	int tls_configure_ssl(struct tls ctx, SSL_CTX ssl_ctx);
		118	int tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
		119	struct tls_keypair *keypair, int required);
		120	int tls_configure_ssl_verify(struct tls ctx, SSL_CTX ssl_ctx, int verify);
120		121
121	int tls_handshake_client(struct tls *ctx);	122	int tls_handshake_client(struct tls *ctx);
122	int tls_handshake_server(struct tls *ctx);	123	int tls_handshake_server(struct tls *ctx);


diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 690af32eaf..bec9c0608f 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_server.c,v 1.22 2016/08/12 15:10:59 jsing Exp $ */	1	/* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -73,15 +73,16 @@ tls_configure_server(struct tls *ctx)
73	goto err;	73	goto err;
74	}	74	}
75		75
76	if (tls_configure_ssl(ctx) != 0)	76	if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0)
77	goto err;	77	goto err;
78	if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0)	78	if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
		79	ctx->config->keypair, 1) != 0)
79	goto err;	80	goto err;
80	if (ctx->config->verify_client != 0) {	81	if (ctx->config->verify_client != 0) {
81	int verify = SSL_VERIFY_PEER;	82	int verify = SSL_VERIFY_PEER;
82	if (ctx->config->verify_client == 1)	83	if (ctx->config->verify_client == 1)
83	verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;	84	verify \|= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
84	if (tls_configure_ssl_verify(ctx, verify) == -1)	85	if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1)
85	goto err;	86	goto err;
86	}	87	}
87		88