Allow to to load the CA chain directly from memory instead of

specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
author: reyk <> 2015-01-22 09:16:24 +0000
committer: reyk <> 2015-01-22 09:16:24 +0000
commit: 476e2607c3b1ae9ae30fe836588badfedf089703 (patch)
tree: 0cd70582ac032f525e31a6921611469898b556c3 /src
parent: ab992313cf0983a16f4f53aa153303043aec169f (diff)
download: openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.tar.gz
openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.tar.bz2
openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.zip
6 files changed, 39 insertions, 8 deletions
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 1edea46de9..893819d18f 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
 major=1
-minor=0
+minor=1
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 21e1d74b35..8dcf125765 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.3 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -42,6 +42,8 @@ void tls_config_free(struct tls_config *config);
 int tls_config_set_ca_file(struct tls_config *config, const char *ca_file);
 int tls_config_set_ca_path(struct tls_config *config, const char *ca_path);
+int tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca,
+    size_t len);
 int tls_config_set_cert_file(struct tls_config *config, const char *cert_file);
 int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index c6117c3292..4a9a4c976d 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.8 2015/01/13 17:35:35 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.9 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -21,6 +21,7 @@
 #include <arpa/inet.h>
 #include <netinet/in.h>
+#include <limits.h>
 #include <netdb.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -168,7 +169,19 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
        if (ctx->config->verify_cert) {
                SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
-                if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+                if (ctx->config->ca_mem != NULL) {
+                        if (ctx->config->ca_len > INT_MAX) {
+                                tls_set_error(ctx, "ca too long");
+                                goto err;
+                        }
+                        if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+                            ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+                                tls_set_error(ctx,
+                                    "ssl verify memory setup failure");
+                                goto err;
+                        }
+                } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
                    ctx->config->ca_file, ctx->config->ca_path) != 1) {
                        tls_set_error(ctx, "ssl verify setup failure");
                        goto err;
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 0e435f616a..16120c5e4e 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.2 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -102,6 +102,7 @@ tls_config_free(struct tls_config *config)
 void
 tls_config_clear_keys(struct tls_config *config)
 {
+        tls_config_set_ca_mem(config, NULL, 0);
        tls_config_set_cert_mem(config, NULL, 0);
        tls_config_set_key_mem(config, NULL, 0);
 }
@@ -119,6 +120,12 @@ tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
 }
 int
+tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
+{
+        return set_mem(&config->ca_mem, &config->ca_len, ca, len);
+}
+int
 tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
 {
        return set_string(&config->cert_file, cert_file);
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index e870078225..df2dfc8a41 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.6 2015/01/01 13:30:52 schwarze Exp $
+.\" $OpenBSD: tls_init.3,v 1.7 2015/01/22 09:16:24 reyk Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2015 $
+.Dd $Mdocdate: January 22 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm tls_config_free ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
+.Nm tls_config_set_ca_mem ,
 .Nm tls_config_set_cert_file ,
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_ciphers ,
@@ -63,6 +64,8 @@
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
 .Ft "int"
+.Fn tls_config_set_ca_mem "struct tls_config *config" "const uint8_t *cert" "size_t len"
+.Ft "int"
 .Fn tls_config_set_cert_file "struct tls_config *config" "const char *cert_file"
 .Ft "int"
 .Fn tls_config_set_cert_mem  "struct tls_config *config" "const uint8_t *cert" "size_t len"
@@ -198,6 +201,10 @@ sets the path (directory) which should be searched for root
 certificates.
 .Em (Client)
 .It
+.Fn tls_config_set_ca_mem
+sets the root certificates directly from memory.
+.Em (Client)
+.It
 .Fn tls_config_set_cert_file
 sets file from which the public certificate will be read.
 .Em (Client and server)
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 1a2bd388b7..9a1a180e0b 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.6 2015/01/13 17:35:35 bluhm Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.7 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -28,6 +28,8 @@
 struct tls_config {
        const char *ca_file;
        const char *ca_path;
+        char *ca_mem;
+        size_t ca_len;
        const char *cert_file;
        char *cert_mem;
        size_t cert_len;
author	reyk <>	2015-01-22 09:16:24 +0000
committer	reyk <>	2015-01-22 09:16:24 +0000
commit	476e2607c3b1ae9ae30fe836588badfedf089703 (patch)
tree	0cd70582ac032f525e31a6921611469898b556c3 /src
parent	ab992313cf0983a16f4f53aa153303043aec169f (diff)
download	openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.tar.gz openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.tar.bz2 openbsd-476e2607c3b1ae9ae30fe836588badfedf089703.zip