Factor our the keypair handling in libtls. This results in more readable

and self-contained code, while preparing for the ability to handle multiple keypairs. Also provide two additional functions that allow a public certificate and private key to be set with a single function call. ok beck@
author: jsing <> 2016-04-28 17:05:59 +0000
committer: jsing <> 2016-04-28 17:05:59 +0000
commit: fc9e3dc14ffb94eed0f0165b2333d8e263e82106 (patch)
tree: 046b15c71afb290bae07f4b238cfdc296f78ca6b /src
parent: 969e83487c1a522a380e5b1adf920edf92244e62 (diff)
download: openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.tar.gz
openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.tar.bz2
openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.zip
7 files changed, 164 insertions, 52 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 661aa6ad0a..d067309cd3 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.37 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -179,40 +179,41 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 int
-tls_configure_keypair(struct tls *ctx, int required)
+tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+    struct tls_keypair *keypair, int required)
 {
        EVP_PKEY *pkey = NULL;
        X509 *cert = NULL;
        BIO *bio = NULL;
        if (!required &&
-            ctx->config->cert_mem == NULL &&
+            keypair->cert_mem == NULL &&
-            ctx->config->key_mem == NULL &&
+            keypair->key_mem == NULL &&
-            ctx->config->cert_file == NULL &&
+            keypair->cert_file == NULL &&
-            ctx->config->key_file == NULL)
+            keypair->key_file == NULL)
                return(0);
-        if (ctx->config->cert_mem != NULL) {
+        if (keypair->cert_mem != NULL) {
-                if (ctx->config->cert_len > INT_MAX) {
+                if (keypair->cert_len > INT_MAX) {
                        tls_set_errorx(ctx, "certificate too long");
                        goto err;
                }
-                if (SSL_CTX_use_certificate_chain_mem(ctx->ssl_ctx,
+                if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
-                    ctx->config->cert_mem, ctx->config->cert_len) != 1) {
+                    keypair->cert_mem, keypair->cert_len) != 1) {
                        tls_set_errorx(ctx, "failed to load certificate");
                        goto err;
                }
                cert = NULL;
        }
-        if (ctx->config->key_mem != NULL) {
+        if (keypair->key_mem != NULL) {
-                if (ctx->config->key_len > INT_MAX) {
+                if (keypair->key_len > INT_MAX) {
                        tls_set_errorx(ctx, "key too long");
                        goto err;
                }
-                if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
+                if ((bio = BIO_new_mem_buf(keypair->key_mem,
-                    ctx->config->key_len)) == NULL) {
+                    keypair->key_len)) == NULL) {
                        tls_set_errorx(ctx, "failed to create buffer");
                        goto err;
                }
@@ -221,7 +222,7 @@ tls_configure_keypair(struct tls *ctx, int required)
                        tls_set_errorx(ctx, "failed to read private key");
                        goto err;
                }
-                if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {
+                if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
                        tls_set_errorx(ctx, "failed to load private key");
                        goto err;
                }
@@ -231,22 +232,22 @@ tls_configure_keypair(struct tls *ctx, int required)
                pkey = NULL;
        }
-        if (ctx->config->cert_file != NULL) {
+        if (keypair->cert_file != NULL) {
-                if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
+                if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
-                    ctx->config->cert_file) != 1) {
+                    keypair->cert_file) != 1) {
                        tls_set_errorx(ctx, "failed to load certificate file");
                        goto err;
                }
        }
-        if (ctx->config->key_file != NULL) {
+        if (keypair->key_file != NULL) {
-                if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,
+                if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
-                    ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {
+                    keypair->key_file, SSL_FILETYPE_PEM) != 1) {
                        tls_set_errorx(ctx, "failed to load private key file");
                        goto err;
                }
        }
-        if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {
+        if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
                tls_set_errorx(ctx, "private/public key mismatch");
                goto err;
        }
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index da229d1fee..6994f1417b 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.28 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -66,6 +66,10 @@ int tls_config_set_ecdhecurve(struct tls_config *_config, const char *_name);
 int tls_config_set_key_file(struct tls_config *_config, const char *_key_file);
 int tls_config_set_key_mem(struct tls_config *_config, const uint8_t *_key,
    size_t _len);
+int tls_config_set_keypair_file(struct tls_config *_config,
+    const char *_cert_file, const char *_key_file);
+int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len);
 void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
 void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 6bb24cd512..3847f4c46c 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.32 2015/10/09 04:13:34 deraadt Exp $ */
+/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -195,7 +195,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
        if (tls_configure_ssl(ctx) != 0)
                goto err;
-        if (tls_configure_keypair(ctx, 0) != 0)
+        if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
                goto err;
        if (ctx->config->verify_name) {
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 9c2b5810f6..b395337f49 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.15 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.16 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -57,6 +57,63 @@ set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
        return 0;
 }
+static struct tls_keypair *
+tls_keypair_new()
+{
+        return calloc(1, sizeof(struct tls_keypair));
+}
+static int
+tls_keypair_set_cert_file(struct tls_keypair *keypair, const char *cert_file)
+{
+        return set_string(&keypair->cert_file, cert_file);
+}
+static int
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
+    size_t len)
+{
+        return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
+}
+static int
+tls_keypair_set_key_file(struct tls_keypair *keypair, const char *key_file)
+{
+        return set_string(&keypair->key_file, key_file);
+}
+static int
+tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
+    size_t len)
+{
+        if (keypair->key_mem != NULL)
+                explicit_bzero(keypair->key_mem, keypair->key_len);
+        return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
+}
+static void
+tls_keypair_clear(struct tls_keypair *keypair)
+{
+        tls_keypair_set_cert_mem(keypair, NULL, 0);
+        tls_keypair_set_key_mem(keypair, NULL, 0);
+}
+static void
+tls_keypair_free(struct tls_keypair *keypair)
+{
+        if (keypair == NULL)
+                return;
+        tls_keypair_clear(keypair);
+        free((char *)keypair->cert_file);
+        free(keypair->cert_mem);
+        free((char *)keypair->key_file);
+        free(keypair->key_mem);
+        free(keypair);
+}
 struct tls_config *
 tls_config_new(void)
 {
@@ -65,6 +122,9 @@ tls_config_new(void)
        if ((config = calloc(1, sizeof(*config))) == NULL)
                return (NULL);
+        if ((config->keypair = tls_keypair_new()) == NULL)
+                goto err;
        /*
         * Default configuration.
         */
@@ -94,20 +154,21 @@ tls_config_new(void)
 void
 tls_config_free(struct tls_config *config)
 {
+        struct tls_keypair *kp, *nkp;
        if (config == NULL)
                return;
-        tls_config_clear_keys(config);
+        for (kp = config->keypair; kp != NULL; kp = nkp) {
+                nkp = kp->next;
+                tls_keypair_free(kp);
+        }
        free(config->error.msg);
        free((char *)config->ca_file);
        free((char *)config->ca_path);
-        free((char *)config->cert_file);
-        free(config->cert_mem);
        free((char *)config->ciphers);
-        free((char *)config->key_file);
-        free(config->key_mem);
        free(config);
 }
@@ -121,9 +182,12 @@ tls_config_error(struct tls_config *config)
 void
 tls_config_clear_keys(struct tls_config *config)
 {
+        struct tls_keypair *kp;
+        for (kp = config->keypair; kp != NULL; kp = kp->next)
+                tls_keypair_clear(kp);
        tls_config_set_ca_mem(config, NULL, 0);
-        tls_config_set_cert_mem(config, NULL, 0);
-        tls_config_set_key_mem(config, NULL, 0);
 }
 int
@@ -205,14 +269,14 @@ tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
 int
 tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
 {
-        return set_string(&config->cert_file, cert_file);
+        return tls_keypair_set_cert_file(config->keypair, cert_file);
 }
 int
 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
 {
-        return set_mem(&config->cert_mem, &config->cert_len, cert, len);
+        return tls_keypair_set_cert_mem(config->keypair, cert, len);
 }
 int
@@ -272,16 +336,38 @@ tls_config_set_ecdhecurve(struct tls_config *config, const char *name)
 int
 tls_config_set_key_file(struct tls_config *config, const char *key_file)
 {
-        return set_string(&config->key_file, key_file);
+        return tls_keypair_set_key_file(config->keypair, key_file);
 }
 int
 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
 {
-        if (config->key_mem)
+        return tls_keypair_set_key_mem(config->keypair, key, len);
-                explicit_bzero(config->key_mem, config->key_len);
+}
-        return set_mem(&config->key_mem, &config->key_len, key, len);
+int
+tls_config_set_keypair_file(struct tls_config *config,
+    const char *cert_file, const char *key_file)
+{
+        if (tls_config_set_cert_file(config, cert_file) != 0)
+                return (-1);
+        if (tls_config_set_key_file(config, key_file) != 0)
+                return (-1);
+        return (0);
+}
+int
+tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len)
+{
+        if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
+                return (-1);
+        if (tls_config_set_key_mem(config, key, key_len) != 0)
+                return (-1);
+        return (0);
 }
 void
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 48662e0868..da8565a248 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.57 2016/04/28 16:48:44 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.58 2016/04/28 17:05:59 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -34,6 +34,8 @@
 .Nm tls_config_set_ecdhecurve ,
 .Nm tls_config_set_key_file ,
 .Nm tls_config_set_key_mem ,
+.Nm tls_config_set_keypair_file ,
+.Nm tls_config_set_keypair_mem ,
 .Nm tls_config_set_protocols ,
 .Nm tls_config_set_verify_depth ,
 .Nm tls_config_prefer_ciphers_client ,
@@ -105,6 +107,10 @@
 .Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file"
 .Ft "int"
 .Fn tls_config_set_key_mem "struct tls_config *config" "const uint8_t *key" "size_t len"
+.Ft "int"
+.Fn tls_config_set_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file"
+.Ft "int"
+.Fn tls_config_set_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len"
 .Ft "void"
 .Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
 .Ft "void"
@@ -327,11 +333,19 @@ permitted names are:
 .It
 .Fn tls_config_set_key_file
 sets the file from which the private key will be read.
-.Em (Server)
+.Em (Client and server)
 .It
 .Fn tls_config_set_key_mem
 directly sets the private key from memory.
-.Em (Server)
+.Em (Client and server)
+.It
+.Fn tls_config_set_keypair_file
+sets the files from which the public certificate and private key will be read.
+.Em (Client and server)
+.It
+.Fn tls_config_set_keypair_mem
+directly sets the public certifcate and private key from memory.
+.Em (Client and server)
 .It
 .Fn tls_config_set_protocols
 sets which versions of the protocol may be used.
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 21bf2b4613..cb5d90f542 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.28 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -39,6 +39,17 @@ struct tls_error {
        int num;
 };
+struct tls_keypair {
+        struct tls_keypair *next;
+        const char *cert_file;
+        char *cert_mem;
+        size_t cert_len;
+        const char *key_file;
+        char *key_mem;
+        size_t key_len;
+};
 struct tls_config {
        struct tls_error error;
@@ -46,16 +57,11 @@ struct tls_config {
        const char *ca_path;
        char *ca_mem;
        size_t ca_len;
-        const char *cert_file;
-        char *cert_mem;
-        size_t cert_len;
        const char *ciphers;
        int ciphers_server;
        int dheparams;
        int ecdhecurve;
-        const char *key_file;
+        struct tls_keypair *keypair;
-        char *key_mem;
-        size_t key_len;
        uint32_t protocols;
        int verify_cert;
        int verify_client;
@@ -103,7 +109,8 @@ struct tls *tls_new(void);
 struct tls *tls_server_conn(struct tls *ctx);
 int tls_check_name(struct tls *ctx, X509 *cert, const char *servername);
-int tls_configure_keypair(struct tls *ctx, int);
+int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+    struct tls_keypair *keypair, int required);
 int tls_configure_server(struct tls *ctx);
 int tls_configure_ssl(struct tls *ctx);
 int tls_configure_ssl_verify(struct tls *ctx, int verify);
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index ad98cf3d7e..1d94c99bc0 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.18 2015/09/29 10:17:04 deraadt Exp $ */
+/* $OpenBSD: tls_server.c,v 1.19 2016/04/28 17:05:59 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -61,7 +61,7 @@ tls_configure_server(struct tls *ctx)
        if (tls_configure_ssl(ctx) != 0)
                goto err;
-        if (tls_configure_keypair(ctx, 1) != 0)
+        if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0)
                goto err;
        if (ctx->config->verify_client != 0) {
                int verify = SSL_VERIFY_PEER;
author	jsing <>	2016-04-28 17:05:59 +0000
committer	jsing <>	2016-04-28 17:05:59 +0000
commit	fc9e3dc14ffb94eed0f0165b2333d8e263e82106 (patch)
tree	046b15c71afb290bae07f4b238cfdc296f78ca6b /src
parent	969e83487c1a522a380e5b1adf920edf92244e62 (diff)
download	openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.tar.gz openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.tar.bz2 openbsd-fc9e3dc14ffb94eed0f0165b2333d8e263e82106.zip

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 661aa6ad0a..d067309cd3 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.37 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -179,40 +179,41 @@ tls_configure(struct tls ctx, struct tls_config config)
179	}	179	}
180		180
181	int	181	int
182	tls_configure_keypair(struct tls *ctx, int required)	182	tls_configure_keypair(struct tls ctx, SSL_CTX ssl_ctx,
		183	struct tls_keypair *keypair, int required)
183	{	184	{
184	EVP_PKEY *pkey = NULL;	185	EVP_PKEY *pkey = NULL;
185	X509 *cert = NULL;	186	X509 *cert = NULL;
186	BIO *bio = NULL;	187	BIO *bio = NULL;
187		188
188	if (!required &&	189	if (!required &&
189	ctx->config->cert_mem == NULL &&	190	keypair->cert_mem == NULL &&
190	ctx->config->key_mem == NULL &&	191	keypair->key_mem == NULL &&
191	ctx->config->cert_file == NULL &&	192	keypair->cert_file == NULL &&
192	ctx->config->key_file == NULL)	193	keypair->key_file == NULL)
193	return(0);	194	return(0);
194		195
195	if (ctx->config->cert_mem != NULL) {	196	if (keypair->cert_mem != NULL) {
196	if (ctx->config->cert_len > INT_MAX) {	197	if (keypair->cert_len > INT_MAX) {
197	tls_set_errorx(ctx, "certificate too long");	198	tls_set_errorx(ctx, "certificate too long");
198	goto err;	199	goto err;
199	}	200	}
200		201
201	if (SSL_CTX_use_certificate_chain_mem(ctx->ssl_ctx,	202	if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
202	ctx->config->cert_mem, ctx->config->cert_len) != 1) {	203	keypair->cert_mem, keypair->cert_len) != 1) {
203	tls_set_errorx(ctx, "failed to load certificate");	204	tls_set_errorx(ctx, "failed to load certificate");
204	goto err;	205	goto err;
205	}	206	}
206	cert = NULL;	207	cert = NULL;
207	}	208	}
208	if (ctx->config->key_mem != NULL) {	209	if (keypair->key_mem != NULL) {
209	if (ctx->config->key_len > INT_MAX) {	210	if (keypair->key_len > INT_MAX) {
210	tls_set_errorx(ctx, "key too long");	211	tls_set_errorx(ctx, "key too long");
211	goto err;	212	goto err;
212	}	213	}
213		214
214	if ((bio = BIO_new_mem_buf(ctx->config->key_mem,	215	if ((bio = BIO_new_mem_buf(keypair->key_mem,
215	ctx->config->key_len)) == NULL) {	216	keypair->key_len)) == NULL) {
216	tls_set_errorx(ctx, "failed to create buffer");	217	tls_set_errorx(ctx, "failed to create buffer");
217	goto err;	218	goto err;
218	}	219	}
@@ -221,7 +222,7 @@ tls_configure_keypair(struct tls *ctx, int required)
221	tls_set_errorx(ctx, "failed to read private key");	222	tls_set_errorx(ctx, "failed to read private key");
222	goto err;	223	goto err;
223	}	224	}
224	if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {	225	if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
225	tls_set_errorx(ctx, "failed to load private key");	226	tls_set_errorx(ctx, "failed to load private key");
226	goto err;	227	goto err;
227	}	228	}
@@ -231,22 +232,22 @@ tls_configure_keypair(struct tls *ctx, int required)
231	pkey = NULL;	232	pkey = NULL;
232	}	233	}
233		234
234	if (ctx->config->cert_file != NULL) {	235	if (keypair->cert_file != NULL) {
235	if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,	236	if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
236	ctx->config->cert_file) != 1) {	237	keypair->cert_file) != 1) {
237	tls_set_errorx(ctx, "failed to load certificate file");	238	tls_set_errorx(ctx, "failed to load certificate file");
238	goto err;	239	goto err;
239	}	240	}
240	}	241	}
241	if (ctx->config->key_file != NULL) {	242	if (keypair->key_file != NULL) {
242	if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,	243	if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
243	ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {	244	keypair->key_file, SSL_FILETYPE_PEM) != 1) {
244	tls_set_errorx(ctx, "failed to load private key file");	245	tls_set_errorx(ctx, "failed to load private key file");
245	goto err;	246	goto err;
246	}	247	}
247	}	248	}
248		249
249	if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {	250	if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
250	tls_set_errorx(ctx, "private/public key mismatch");	251	tls_set_errorx(ctx, "private/public key mismatch");
251	goto err;	252	goto err;
252	}	253	}


diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h index da229d1fee..6994f1417b 100644 --- a/src/lib/libtls/tls.h +++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */	1	/* $OpenBSD: tls.h,v 1.28 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -66,6 +66,10 @@ int tls_config_set_ecdhecurve(struct tls_config _config, const char _name);
66	int tls_config_set_key_file(struct tls_config _config, const char _key_file);	66	int tls_config_set_key_file(struct tls_config _config, const char _key_file);
67	int tls_config_set_key_mem(struct tls_config _config, const uint8_t _key,	67	int tls_config_set_key_mem(struct tls_config _config, const uint8_t _key,
68	size_t _len);	68	size_t _len);
		69	int tls_config_set_keypair_file(struct tls_config *_config,
		70	const char _cert_file, const char _key_file);
		71	int tls_config_set_keypair_mem(struct tls_config _config, const uint8_t _cert,
		72	size_t _cert_len, const uint8_t *_key, size_t _key_len);
69	void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);	73	void tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
70	void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);	74	void tls_config_set_verify_depth(struct tls_config *_config, int _verify_depth);
71		75


diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 6bb24cd512..3847f4c46c 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_client.c,v 1.32 2015/10/09 04:13:34 deraadt Exp $ */	1	/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -195,7 +195,7 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
195		195
196	if (tls_configure_ssl(ctx) != 0)	196	if (tls_configure_ssl(ctx) != 0)
197	goto err;	197	goto err;
198	if (tls_configure_keypair(ctx, 0) != 0)	198	if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0)
199	goto err;	199	goto err;
200		200
201	if (ctx->config->verify_name) {	201	if (ctx->config->verify_name) {


diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 9c2b5810f6..b395337f49 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.15 2016/04/28 16:48:44 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.16 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -57,6 +57,63 @@ set_mem(char *dest, size_t destlen, const void *src, size_t srclen)
57	return 0;	57	return 0;
58	}	58	}
59		59
		60	static struct tls_keypair *
		61	tls_keypair_new()
		62	{
		63	return calloc(1, sizeof(struct tls_keypair));
		64	}
		65
		66	static int
		67	tls_keypair_set_cert_file(struct tls_keypair keypair, const char cert_file)
		68	{
		69	return set_string(&keypair->cert_file, cert_file);
		70	}
		71
		72	static int
		73	tls_keypair_set_cert_mem(struct tls_keypair keypair, const uint8_t cert,
		74	size_t len)
		75	{
		76	return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
		77	}
		78
		79	static int
		80	tls_keypair_set_key_file(struct tls_keypair keypair, const char key_file)
		81	{
		82	return set_string(&keypair->key_file, key_file);
		83	}
		84
		85	static int
		86	tls_keypair_set_key_mem(struct tls_keypair keypair, const uint8_t key,
		87	size_t len)
		88	{
		89	if (keypair->key_mem != NULL)
		90	explicit_bzero(keypair->key_mem, keypair->key_len);
		91	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
		92	}
		93
		94	static void
		95	tls_keypair_clear(struct tls_keypair *keypair)
		96	{
		97	tls_keypair_set_cert_mem(keypair, NULL, 0);
		98	tls_keypair_set_key_mem(keypair, NULL, 0);
		99	}
		100
		101	static void
		102	tls_keypair_free(struct tls_keypair *keypair)
		103	{
		104	if (keypair == NULL)
		105	return;
		106
		107	tls_keypair_clear(keypair);
		108
		109	free((char *)keypair->cert_file);
		110	free(keypair->cert_mem);
		111	free((char *)keypair->key_file);
		112	free(keypair->key_mem);
		113
		114	free(keypair);
		115	}
		116
60	struct tls_config *	117	struct tls_config *
61	tls_config_new(void)	118	tls_config_new(void)
62	{	119	{
@@ -65,6 +122,9 @@ tls_config_new(void)
65	if ((config = calloc(1, sizeof(*config))) == NULL)	122	if ((config = calloc(1, sizeof(*config))) == NULL)
66	return (NULL);	123	return (NULL);
67		124
		125	if ((config->keypair = tls_keypair_new()) == NULL)
		126	goto err;
		127
68	/*	128	/*
69	* Default configuration.	129	* Default configuration.
70	*/	130	*/
@@ -94,20 +154,21 @@ tls_config_new(void)
94	void	154	void
95	tls_config_free(struct tls_config *config)	155	tls_config_free(struct tls_config *config)
96	{	156	{
		157	struct tls_keypair kp, nkp;
		158
97	if (config == NULL)	159	if (config == NULL)
98	return;	160	return;
99		161
100	tls_config_clear_keys(config);	162	for (kp = config->keypair; kp != NULL; kp = nkp) {
		163	nkp = kp->next;
		164	tls_keypair_free(kp);
		165	}
101		166
102	free(config->error.msg);	167	free(config->error.msg);
103		168
104	free((char *)config->ca_file);	169	free((char *)config->ca_file);
105	free((char *)config->ca_path);	170	free((char *)config->ca_path);
106	free((char *)config->cert_file);
107	free(config->cert_mem);
108	free((char *)config->ciphers);	171	free((char *)config->ciphers);
109	free((char *)config->key_file);
110	free(config->key_mem);
111		172
112	free(config);	173	free(config);
113	}	174	}
@@ -121,9 +182,12 @@ tls_config_error(struct tls_config *config)
121	void	182	void
122	tls_config_clear_keys(struct tls_config *config)	183	tls_config_clear_keys(struct tls_config *config)
123	{	184	{
		185	struct tls_keypair *kp;
		186
		187	for (kp = config->keypair; kp != NULL; kp = kp->next)
		188	tls_keypair_clear(kp);
		189
124	tls_config_set_ca_mem(config, NULL, 0);	190	tls_config_set_ca_mem(config, NULL, 0);
125	tls_config_set_cert_mem(config, NULL, 0);
126	tls_config_set_key_mem(config, NULL, 0);
127	}	191	}
128		192
129	int	193	int
@@ -205,14 +269,14 @@ tls_config_set_ca_mem(struct tls_config config, const uint8_t ca, size_t len)
205	int	269	int
206	tls_config_set_cert_file(struct tls_config config, const char cert_file)	270	tls_config_set_cert_file(struct tls_config config, const char cert_file)
207	{	271	{
208	return set_string(&config->cert_file, cert_file);	272	return tls_keypair_set_cert_file(config->keypair, cert_file);
209	}	273	}
210		274
211	int	275	int
212	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,	276	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,
213	size_t len)	277	size_t len)
214	{	278	{
215	return set_mem(&config->cert_mem, &config->cert_len, cert, len);	279	return tls_keypair_set_cert_mem(config->keypair, cert, len);
216	}	280	}
217		281
218	int	282	int
@@ -272,16 +336,38 @@ tls_config_set_ecdhecurve(struct tls_config config, const char name)
272	int	336	int
273	tls_config_set_key_file(struct tls_config config, const char key_file)	337	tls_config_set_key_file(struct tls_config config, const char key_file)
274	{	338	{
275	return set_string(&config->key_file, key_file);	339	return tls_keypair_set_key_file(config->keypair, key_file);
276	}	340	}
277		341
278	int	342	int
279	tls_config_set_key_mem(struct tls_config config, const uint8_t key,	343	tls_config_set_key_mem(struct tls_config config, const uint8_t key,
280	size_t len)	344	size_t len)
281	{	345	{
282	if (config->key_mem)	346	return tls_keypair_set_key_mem(config->keypair, key, len);
283	explicit_bzero(config->key_mem, config->key_len);	347	}
284	return set_mem(&config->key_mem, &config->key_len, key, len);	348
		349	int
		350	tls_config_set_keypair_file(struct tls_config *config,
		351	const char cert_file, const char key_file)
		352	{
		353	if (tls_config_set_cert_file(config, cert_file) != 0)
		354	return (-1);
		355	if (tls_config_set_key_file(config, key_file) != 0)
		356	return (-1);
		357
		358	return (0);
		359	}
		360
		361	int
		362	tls_config_set_keypair_mem(struct tls_config config, const uint8_t cert,
		363	size_t cert_len, const uint8_t *key, size_t key_len)
		364	{
		365	if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
		366	return (-1);
		367	if (tls_config_set_key_mem(config, key, key_len) != 0)
		368	return (-1);
		369
		370	return (0);
285	}	371	}
286		372
287	void	373	void


diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3 index 48662e0868..da8565a248 100644 --- a/src/lib/libtls/tls_init.3 +++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: tls_init.3,v 1.57 2016/04/28 16:48:44 jsing Exp $	1	.\" $OpenBSD: tls_init.3,v 1.58 2016/04/28 17:05:59 jsing Exp $
2	.\"	2	.\"
3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>	3	.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4	.\"	4	.\"
@@ -34,6 +34,8 @@
34	.Nm tls_config_set_ecdhecurve ,	34	.Nm tls_config_set_ecdhecurve ,
35	.Nm tls_config_set_key_file ,	35	.Nm tls_config_set_key_file ,
36	.Nm tls_config_set_key_mem ,	36	.Nm tls_config_set_key_mem ,
		37	.Nm tls_config_set_keypair_file ,
		38	.Nm tls_config_set_keypair_mem ,
37	.Nm tls_config_set_protocols ,	39	.Nm tls_config_set_protocols ,
38	.Nm tls_config_set_verify_depth ,	40	.Nm tls_config_set_verify_depth ,
39	.Nm tls_config_prefer_ciphers_client ,	41	.Nm tls_config_prefer_ciphers_client ,
@@ -105,6 +107,10 @@
105	.Fn tls_config_set_key_file "struct tls_config config" "const char key_file"	107	.Fn tls_config_set_key_file "struct tls_config config" "const char key_file"
106	.Ft "int"	108	.Ft "int"
107	.Fn tls_config_set_key_mem "struct tls_config config" "const uint8_t key" "size_t len"	109	.Fn tls_config_set_key_mem "struct tls_config config" "const uint8_t key" "size_t len"
		110	.Ft "int"
		111	.Fn tls_config_set_keypair_file "struct tls_config config" "const char cert_file" "const char *key_file"
		112	.Ft "int"
		113	.Fn tls_config_set_keypair_mem "struct tls_config config" "const uint8_t cert" "size_t cert_len" "const uint8_t *key" "size_t key_len"
108	.Ft "void"	114	.Ft "void"
109	.Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"	115	.Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
110	.Ft "void"	116	.Ft "void"
@@ -327,11 +333,19 @@ permitted names are:
327	.It	333	.It
328	.Fn tls_config_set_key_file	334	.Fn tls_config_set_key_file
329	sets the file from which the private key will be read.	335	sets the file from which the private key will be read.
330	.Em (Server)	336	.Em (Client and server)
331	.It	337	.It
332	.Fn tls_config_set_key_mem	338	.Fn tls_config_set_key_mem
333	directly sets the private key from memory.	339	directly sets the private key from memory.
334	.Em (Server)	340	.Em (Client and server)
		341	.It
		342	.Fn tls_config_set_keypair_file
		343	sets the files from which the public certificate and private key will be read.
		344	.Em (Client and server)
		345	.It
		346	.Fn tls_config_set_keypair_mem
		347	directly sets the public certifcate and private key from memory.
		348	.Em (Client and server)
335	.It	349	.It
336	.Fn tls_config_set_protocols	350	.Fn tls_config_set_protocols
337	sets which versions of the protocol may be used.	351	sets which versions of the protocol may be used.


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 21bf2b4613..cb5d90f542 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.27 2016/04/28 16:48:44 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.28 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -39,6 +39,17 @@ struct tls_error {
39	int num;	39	int num;
40	};	40	};
41		41
		42	struct tls_keypair {
		43	struct tls_keypair *next;
		44
		45	const char *cert_file;
		46	char *cert_mem;
		47	size_t cert_len;
		48	const char *key_file;
		49	char *key_mem;
		50	size_t key_len;
		51	};
		52
42	struct tls_config {	53	struct tls_config {
43	struct tls_error error;	54	struct tls_error error;
44		55
@@ -46,16 +57,11 @@ struct tls_config {
46	const char *ca_path;	57	const char *ca_path;
47	char *ca_mem;	58	char *ca_mem;
48	size_t ca_len;	59	size_t ca_len;
49	const char *cert_file;
50	char *cert_mem;
51	size_t cert_len;
52	const char *ciphers;	60	const char *ciphers;
53	int ciphers_server;	61	int ciphers_server;
54	int dheparams;	62	int dheparams;
55	int ecdhecurve;	63	int ecdhecurve;
56	const char *key_file;	64	struct tls_keypair *keypair;
57	char *key_mem;
58	size_t key_len;
59	uint32_t protocols;	65	uint32_t protocols;
60	int verify_cert;	66	int verify_cert;
61	int verify_client;	67	int verify_client;
@@ -103,7 +109,8 @@ struct tls *tls_new(void);
103	struct tls tls_server_conn(struct tls ctx);	109	struct tls tls_server_conn(struct tls ctx);
104		110
105	int tls_check_name(struct tls ctx, X509 cert, const char *servername);	111	int tls_check_name(struct tls ctx, X509 cert, const char *servername);
106	int tls_configure_keypair(struct tls *ctx, int);	112	int tls_configure_keypair(struct tls ctx, SSL_CTX ssl_ctx,
		113	struct tls_keypair *keypair, int required);
107	int tls_configure_server(struct tls *ctx);	114	int tls_configure_server(struct tls *ctx);
108	int tls_configure_ssl(struct tls *ctx);	115	int tls_configure_ssl(struct tls *ctx);
109	int tls_configure_ssl_verify(struct tls *ctx, int verify);	116	int tls_configure_ssl_verify(struct tls *ctx, int verify);


diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index ad98cf3d7e..1d94c99bc0 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_server.c,v 1.18 2015/09/29 10:17:04 deraadt Exp $ */	1	/* $OpenBSD: tls_server.c,v 1.19 2016/04/28 17:05:59 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -61,7 +61,7 @@ tls_configure_server(struct tls *ctx)
61		61
62	if (tls_configure_ssl(ctx) != 0)	62	if (tls_configure_ssl(ctx) != 0)
63	goto err;	63	goto err;
64	if (tls_configure_keypair(ctx, 1) != 0)	64	if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0)
65	goto err;	65	goto err;
66	if (ctx->config->verify_client != 0) {	66	if (ctx->config->verify_client != 0) {
67	int verify = SSL_VERIFY_PEER;	67	int verify = SSL_VERIFY_PEER;