authorjsing <>2016-08-18 15:52:03 +0000
committerjsing <>2016-08-18 15:52:03 +0000
commit1106933c5e1655871fb87ad0efed63240d2c4997 (patch)
tree5d5b3e4cc1ec499dd438443a0e49151f2d9a32f1 /src
parent39faa6290d74c4308c667d260360900fe50d8319 (diff)
Split out the TLS server SSL_CTX allocation and configuration code, so
that it can be reused to allocate the additional SSL_CTXs needed for SNI. ok reyk@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libtls/tls_server.c56
1 files changed, 37 insertions, 19 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index bec9c0608f..40096ae99f 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.24 2016/08/18 15:52:03 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -62,55 +62,56 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
62 return (SSL_TLSEXT_ERR_NOACK); 62 return (SSL_TLSEXT_ERR_NOACK);
63} 63}
64 64
65int 65static int
66tls_configure_server(struct tls *ctx) 66tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
67 struct tls_keypair *keypair)
67{ 68{
68 EC_KEY *ecdh_key;
69 unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; 69 unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH];
70 EC_KEY *ecdh_key;
70 71
71 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 72 SSL_CTX_free(*ssl_ctx);
73
74 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
72 tls_set_errorx(ctx, "ssl context failure"); 75 tls_set_errorx(ctx, "ssl context failure");
73 goto err; 76 goto err;
74 } 77 }
75 78
76 if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) 79 if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
77 goto err; 80 goto err;
78 if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, 81 if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
79 ctx->config->keypair, 1) != 0)
80 goto err; 82 goto err;
81 if (ctx->config->verify_client != 0) { 83 if (ctx->config->verify_client != 0) {
82 int verify = SSL_VERIFY_PEER; 84 int verify = SSL_VERIFY_PEER;
83 if (ctx->config->verify_client == 1) 85 if (ctx->config->verify_client == 1)
84 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; 86 verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
85 if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1) 87 if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1)
86 goto err; 88 goto err;
87 } 89 }
88 90
89 if (ctx->config->alpn != NULL) 91 if (ctx->config->alpn != NULL)
90 SSL_CTX_set_alpn_select_cb(ctx->ssl_ctx, tls_server_alpn_cb, 92 SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb,
91 ctx); 93 ctx);
92 94
93 if (ctx->config->dheparams == -1) 95 if (ctx->config->dheparams == -1)
94 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1); 96 SSL_CTX_set_dh_auto(*ssl_ctx, 1);
95 else if (ctx->config->dheparams == 1024) 97 else if (ctx->config->dheparams == 1024)
96 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2); 98 SSL_CTX_set_dh_auto(*ssl_ctx, 2);
97 99
98 if (ctx->config->ecdhecurve == -1) { 100 if (ctx->config->ecdhecurve == -1) {
99 SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1); 101 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
100 } else if (ctx->config->ecdhecurve != NID_undef) { 102 } else if (ctx->config->ecdhecurve != NID_undef) {
101 if ((ecdh_key = EC_KEY_new_by_curve_name( 103 if ((ecdh_key = EC_KEY_new_by_curve_name(
102 ctx->config->ecdhecurve)) == NULL) { 104 ctx->config->ecdhecurve)) == NULL) {
103 tls_set_errorx(ctx, "failed to set ECDHE curve"); 105 tls_set_errorx(ctx, "failed to set ECDHE curve");
104 goto err; 106 goto err;
105 } 107 }
106 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); 108 SSL_CTX_set_options(*ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
107 SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key); 109 SSL_CTX_set_tmp_ecdh(*ssl_ctx, ecdh_key);
108 EC_KEY_free(ecdh_key); 110 EC_KEY_free(ecdh_key);
109 } 111 }
110 112
111 if (ctx->config->ciphers_server == 1) 113 if (ctx->config->ciphers_server == 1)
112 SSL_CTX_set_options(ctx->ssl_ctx, 114 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
113 SSL_OP_CIPHER_SERVER_PREFERENCE);
114 115
115 /* 116 /*
116 * Set session ID context to a random value. We don't support 117 * Set session ID context to a random value. We don't support
@@ -118,13 +119,30 @@ tls_configure_server(struct tls *ctx)
118 * session ID context that is valid during run time. 119 * session ID context that is valid during run time.
119 */ 120 */
120 arc4random_buf(sid, sizeof(sid)); 121 arc4random_buf(sid, sizeof(sid));
121 if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) { 122 if (SSL_CTX_set_session_id_context(*ssl_ctx, sid,
122 tls_set_errorx(ctx, "failed to set session id context"); 123 sizeof(sid)) != 1) {
124 tls_set_error(ctx, "failed to set session id context");
123 goto err; 125 goto err;
124 } 126 }
125 127
126 return (0); 128 return (0);
127 129
130 err:
131 SSL_CTX_free(*ssl_ctx);
132 *ssl_ctx = NULL;
133
134 return (-1);
135}
136
137int
138tls_configure_server(struct tls *ctx)
139{
140 if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx,
141 ctx->config->keypair) == -1)
142 goto err;
143
144 return (0);
145
128 err: 146 err:
129 return (-1); 147 return (-1);
130} 148}
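Review bot: The session ID context failure in the last hunk now reports through `tls_set_error` where the old line used `tls_set_errorx`; if I recall the libtls helpers correctly, `tls_set_error` appends `strerror(errno)` to the message, and `SSL_CTX_set_session_id_context` is a libssl call that does not set errno, so the appended text would be whatever errno happened to hold from an earlier call. Unless errno is deliberately wanted here, the line should stay `tls_set_errorx(ctx, "failed to set session id context");` with only the `!= 1` comparison changed. Separately, `tls_configure_server_ssl` calls `SSL_CTX_free(*ssl_ctx)` on entry and nulls `*ssl_ctx` on the error path, so every caller must pass either NULL or a caller-owned context and must expect to lose it on failure; a header comment such as `/* Replaces *ssl_ctx, which must be NULL or a caller-owned SSL_CTX; on failure *ssl_ctx is freed and set to NULL. */` would pin that contract for the additional SNI callers this commit prepares for. The function's body starts in the second hunk and ends in the third, so the session ID check sits mid-function relative to the hunk boundary.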