diff options
| -rw-r--r-- | src/lib/libtls/tls_server.c | 56 |
1 files changed, 37 insertions, 19 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index bec9c0608f..40096ae99f 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.24 2016/08/18 15:52:03 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -62,55 +62,56 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, | |||
| 62 | return (SSL_TLSEXT_ERR_NOACK); | 62 | return (SSL_TLSEXT_ERR_NOACK); |
| 63 | } | 63 | } |
| 64 | 64 | ||
| 65 | int | 65 | static int |
| 66 | tls_configure_server(struct tls *ctx) | 66 | tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, |
| 67 | struct tls_keypair *keypair) | ||
| 67 | { | 68 | { |
| 68 | EC_KEY *ecdh_key; | ||
| 69 | unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; | 69 | unsigned char sid[SSL_MAX_SSL_SESSION_ID_LENGTH]; |
| 70 | EC_KEY *ecdh_key; | ||
| 70 | 71 | ||
| 71 | if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { | 72 | SSL_CTX_free(*ssl_ctx); |
| 73 | |||
| 74 | if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { | ||
| 72 | tls_set_errorx(ctx, "ssl context failure"); | 75 | tls_set_errorx(ctx, "ssl context failure"); |
| 73 | goto err; | 76 | goto err; |
| 74 | } | 77 | } |
| 75 | 78 | ||
| 76 | if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) | 79 | if (tls_configure_ssl(ctx, *ssl_ctx) != 0) |
| 77 | goto err; | 80 | goto err; |
| 78 | if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, | 81 | if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0) |
| 79 | ctx->config->keypair, 1) != 0) | ||
| 80 | goto err; | 82 | goto err; |
| 81 | if (ctx->config->verify_client != 0) { | 83 | if (ctx->config->verify_client != 0) { |
| 82 | int verify = SSL_VERIFY_PEER; | 84 | int verify = SSL_VERIFY_PEER; |
| 83 | if (ctx->config->verify_client == 1) | 85 | if (ctx->config->verify_client == 1) |
| 84 | verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 86 | verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 85 | if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1) | 87 | if (tls_configure_ssl_verify(ctx, *ssl_ctx, verify) == -1) |
| 86 | goto err; | 88 | goto err; |
| 87 | } | 89 | } |
| 88 | 90 | ||
| 89 | if (ctx->config->alpn != NULL) | 91 | if (ctx->config->alpn != NULL) |
| 90 | SSL_CTX_set_alpn_select_cb(ctx->ssl_ctx, tls_server_alpn_cb, | 92 | SSL_CTX_set_alpn_select_cb(*ssl_ctx, tls_server_alpn_cb, |
| 91 | ctx); | 93 | ctx); |
| 92 | 94 | ||
| 93 | if (ctx->config->dheparams == -1) | 95 | if (ctx->config->dheparams == -1) |
| 94 | SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1); | 96 | SSL_CTX_set_dh_auto(*ssl_ctx, 1); |
| 95 | else if (ctx->config->dheparams == 1024) | 97 | else if (ctx->config->dheparams == 1024) |
| 96 | SSL_CTX_set_dh_auto(ctx->ssl_ctx, 2); | 98 | SSL_CTX_set_dh_auto(*ssl_ctx, 2); |
| 97 | 99 | ||
| 98 | if (ctx->config->ecdhecurve == -1) { | 100 | if (ctx->config->ecdhecurve == -1) { |
| 99 | SSL_CTX_set_ecdh_auto(ctx->ssl_ctx, 1); | 101 | SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); |
| 100 | } else if (ctx->config->ecdhecurve != NID_undef) { | 102 | } else if (ctx->config->ecdhecurve != NID_undef) { |
| 101 | if ((ecdh_key = EC_KEY_new_by_curve_name( | 103 | if ((ecdh_key = EC_KEY_new_by_curve_name( |
| 102 | ctx->config->ecdhecurve)) == NULL) { | 104 | ctx->config->ecdhecurve)) == NULL) { |
| 103 | tls_set_errorx(ctx, "failed to set ECDHE curve"); | 105 | tls_set_errorx(ctx, "failed to set ECDHE curve"); |
| 104 | goto err; | 106 | goto err; |
| 105 | } | 107 | } |
| 106 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE); | 108 | SSL_CTX_set_options(*ssl_ctx, SSL_OP_SINGLE_ECDH_USE); |
| 107 | SSL_CTX_set_tmp_ecdh(ctx->ssl_ctx, ecdh_key); | 109 | SSL_CTX_set_tmp_ecdh(*ssl_ctx, ecdh_key); |
| 108 | EC_KEY_free(ecdh_key); | 110 | EC_KEY_free(ecdh_key); |
| 109 | } | 111 | } |
| 110 | 112 | ||
| 111 | if (ctx->config->ciphers_server == 1) | 113 | if (ctx->config->ciphers_server == 1) |
| 112 | SSL_CTX_set_options(ctx->ssl_ctx, | 114 | SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); |
| 113 | SSL_OP_CIPHER_SERVER_PREFERENCE); | ||
| 114 | 115 | ||
| 115 | /* | 116 | /* |
| 116 | * Set session ID context to a random value. We don't support | 117 | * Set session ID context to a random value. We don't support |
| @@ -118,13 +119,30 @@ tls_configure_server(struct tls *ctx) | |||
| 118 | * session ID context that is valid during run time. | 119 | * session ID context that is valid during run time. |
| 119 | */ | 120 | */ |
| 120 | arc4random_buf(sid, sizeof(sid)); | 121 | arc4random_buf(sid, sizeof(sid)); |
| 121 | if (!SSL_CTX_set_session_id_context(ctx->ssl_ctx, sid, sizeof(sid))) { | 122 | if (SSL_CTX_set_session_id_context(*ssl_ctx, sid, |
| 122 | tls_set_errorx(ctx, "failed to set session id context"); | 123 | sizeof(sid)) != 1) { |
| 124 | tls_set_error(ctx, "failed to set session id context"); | ||
| 123 | goto err; | 125 | goto err; |
| 124 | } | 126 | } |
| 125 | 127 | ||
| 126 | return (0); | 128 | return (0); |
| 127 | 129 | ||
| 130 | err: | ||
| 131 | SSL_CTX_free(*ssl_ctx); | ||
| 132 | *ssl_ctx = NULL; | ||
| 133 | |||
| 134 | return (-1); | ||
| 135 | } | ||
| 136 | |||
| 137 | int | ||
| 138 | tls_configure_server(struct tls *ctx) | ||
| 139 | { | ||
| 140 | if (tls_configure_server_ssl(ctx, &ctx->ssl_ctx, | ||
| 141 | ctx->config->keypair) == -1) | ||
| 142 | goto err; | ||
| 143 | |||
| 144 | return (0); | ||
| 145 | |||
| 128 | err: | 146 | err: |
| 129 | return (-1); | 147 | return (-1); |
| 130 | } | 148 | } |