-rw-r--r--src/lib/libtls/Makefile3
-rw-r--r--src/lib/libtls/tls_config.c131
-rw-r--r--src/lib/libtls/tls_internal.h25
-rw-r--r--src/lib/libtls/tls_keypair.c146
-rw-r--r--src/lib/libtls/tls_server.c39
-rw-r--r--src/lib/libtls/tls_util.c37
6 files changed, 215 insertions, 166 deletions
diff --git a/src/lib/libtls/Makefile b/src/lib/libtls/Makefile
index 9e7b4fc7a6..c47119685e 100644
--- a/src/lib/libtls/Makefile
+++ b/src/lib/libtls/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.32 2017/08/13 19:42:33 doug Exp $ 1# $OpenBSD: Makefile,v 1.33 2018/02/08 05:56:49 jsing Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -32,6 +32,7 @@ SRCS= tls.c \
32 tls_client.c \ 32 tls_client.c \
33 tls_config.c \ 33 tls_config.c \
34 tls_conninfo.c \ 34 tls_conninfo.c \
35 tls_keypair.c \
35 tls_peer.c \ 36 tls_peer.c \
36 tls_server.c \ 37 tls_server.c \
37 tls_util.c \ 38 tls_util.c \
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index d44b8dde49..3db75dc62f 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.46 2018/02/05 00:52:24 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -24,127 +24,8 @@
24#include <unistd.h> 24#include <unistd.h>
25 25
26#include <tls.h> 26#include <tls.h>
27#include "tls_internal.h"
28
29static int
30set_string(const char **dest, const char *src)
31{
32 free((char *)*dest);
33 *dest = NULL;
34 if (src != NULL)
35 if ((*dest = strdup(src)) == NULL)
36 return -1;
37 return 0;
38}
39
40static void *
41memdup(const void *in, size_t len)
42{
43 void *out;
44
45 if ((out = malloc(len)) == NULL)
46 return NULL;
47 memcpy(out, in, len);
48 return out;
49}
50
51static int
52set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
53{
54 free(*dest);
55 *dest = NULL;
56 *destlen = 0;
57 if (src != NULL)
58 if ((*dest = memdup(src, srclen)) == NULL)
59 return -1;
60 *destlen = srclen;
61 return 0;
62}
63
64static struct tls_keypair *
65tls_keypair_new(void)
66{
67 return calloc(1, sizeof(struct tls_keypair));
68}
69
70static void
71tls_keypair_clear_key(struct tls_keypair *keypair)
72{
73 freezero(keypair->key_mem, keypair->key_len);
74 keypair->key_mem = NULL;
75 keypair->key_len = 0;
76}
77
78static int
79tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
80 const char *cert_file)
81{
82 return tls_config_load_file(error, "certificate", cert_file,
83 &keypair->cert_mem, &keypair->cert_len);
84}
85
86static int
87tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
88 size_t len)
89{
90 return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
91}
92 27
93static int 28#include "tls_internal.h"
94tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
95 const char *key_file)
96{
97 tls_keypair_clear_key(keypair);
98 return tls_config_load_file(error, "key", key_file,
99 &keypair->key_mem, &keypair->key_len);
100}
101
102static int
103tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
104 size_t len)
105{
106 tls_keypair_clear_key(keypair);
107 return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
108}
109
110static int
111tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
112 struct tls_error *error, const char *ocsp_file)
113{
114 return tls_config_load_file(error, "ocsp", ocsp_file,
115 &keypair->ocsp_staple, &keypair->ocsp_staple_len);
116}
117
118static int
119tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
120 const uint8_t *staple, size_t len)
121{
122 return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
123 len);
124}
125
126static void
127tls_keypair_clear(struct tls_keypair *keypair)
128{
129 tls_keypair_set_cert_mem(keypair, NULL, 0);
130 tls_keypair_set_key_mem(keypair, NULL, 0);
131}
132
133static void
134tls_keypair_free(struct tls_keypair *keypair)
135{
136 if (keypair == NULL)
137 return;
138
139 tls_keypair_clear(keypair);
140
141 free(keypair->cert_mem);
142 free(keypair->key_mem);
143 free(keypair->ocsp_staple);
144 free(keypair->pubkey_hash);
145
146 free(keypair);
147}
148 29
149int 30int
150tls_config_load_file(struct tls_error *error, const char *filetype, 31tls_config_load_file(struct tls_error *error, const char *filetype,
@@ -529,13 +410,13 @@ tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
529int 410int
530tls_config_set_ca_path(struct tls_config *config, const char *ca_path) 411tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
531{ 412{
532 return set_string(&config->ca_path, ca_path); 413 return tls_set_string(&config->ca_path, ca_path);
533} 414}
534 415
535int 416int
536tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len) 417tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
537{ 418{
538 return set_mem(&config->ca_mem, &config->ca_len, ca, len); 419 return tls_set_mem(&config->ca_mem, &config->ca_len, ca, len);
539} 420}
540 421
541int 422int
@@ -579,7 +460,7 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
579 } 460 }
580 461
581 SSL_CTX_free(ssl_ctx); 462 SSL_CTX_free(ssl_ctx);
582 return set_string(&config->ciphers, ciphers); 463 return tls_set_string(&config->ciphers, ciphers);
583 464
584 err: 465 err:
585 SSL_CTX_free(ssl_ctx); 466 SSL_CTX_free(ssl_ctx);
@@ -597,7 +478,7 @@ int
597tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl, 478tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl,
598 size_t len) 479 size_t len)
599{ 480{
600 return set_mem(&config->crl_mem, &config->crl_len, crl, len); 481 return tls_set_mem(&config->crl_mem, &config->crl_len, crl, len);
601} 482}
602 483
603int 484int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index f378ea5466..67a31b2efd 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.65 2017/09/20 17:05:17 jsing Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.66 2018/02/08 05:56:49 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -192,6 +192,29 @@ struct tls {
192 void *cb_arg; 192 void *cb_arg;
193}; 193};
194 194
195int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
196 size_t _srclen);
197int tls_set_string(const char **_dest, const char *_src);
198
199struct tls_keypair *tls_keypair_new(void);
200void tls_keypair_clear_key(struct tls_keypair *_keypair);
201int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
202 struct tls_error *_error, const char *_cert_file);
203int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, const uint8_t *_cert,
204 size_t _len);
205int tls_keypair_set_key_file(struct tls_keypair *_keypair,
206 struct tls_error *_error, const char *_key_file);
207int tls_keypair_set_key_mem(struct tls_keypair *_keypair, const uint8_t *_key,
208 size_t _len);
209int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
210 struct tls_error *_error, const char *_ocsp_file);
211int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
212 const uint8_t *_staple, size_t _len);
213void tls_keypair_clear(struct tls_keypair *_keypair);
214void tls_keypair_free(struct tls_keypair *_keypair);
215int tls_keypair_load_cert(struct tls_keypair *_keypair,
216 struct tls_error *_error, X509 **_cert);
217
195struct tls_sni_ctx *tls_sni_ctx_new(void); 218struct tls_sni_ctx *tls_sni_ctx_new(void);
196void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx); 219void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
197 220
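Review bot: The keypair setters are now exported to other translation units, but the prototypes carry no note about the asymmetry in how they dispose of the previous buffer: tls_keypair_set_key_file and tls_keypair_set_key_mem go through tls_keypair_clear_key (freezero), whereas the cert and OCSP setters release the old buffer with plain free() via tls_set_mem. A short comment above the tls_keypair_* prototypes, e.g. `/* Key setters zero the previous key via tls_keypair_clear_key(); cert/OCSP setters do not. */`, would keep future callers from storing secret material through the wrong setter. tls_keypair_load_cert's prototype also relies on X509 being declared; whether this header already pulls in <openssl/x509.h> is outside the visible hunk.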
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
new file mode 100644
index 0000000000..eef92b3b24
--- /dev/null
+++ b/src/lib/libtls/tls_keypair.c
@@ -0,0 +1,146 @@
1/* $OpenBSD: tls_keypair.c,v 1.1 2018/02/08 05:56:49 jsing Exp $ */
2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <openssl/bio.h>
19#include <openssl/err.h>
20#include <openssl/pem.h>
21
22#include <tls.h>
23
24#include "tls_internal.h"
25
26struct tls_keypair *
27tls_keypair_new(void)
28{
29 return calloc(1, sizeof(struct tls_keypair));
30}
31
32void
33tls_keypair_clear_key(struct tls_keypair *keypair)
34{
35 freezero(keypair->key_mem, keypair->key_len);
36 keypair->key_mem = NULL;
37 keypair->key_len = 0;
38}
39
40int
41tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
42 const char *cert_file)
43{
44 return tls_config_load_file(error, "certificate", cert_file,
45 &keypair->cert_mem, &keypair->cert_len);
46}
47
48int
49tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
50 size_t len)
51{
52 return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
53}
54
55int
56tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
57 const char *key_file)
58{
59 tls_keypair_clear_key(keypair);
60 return tls_config_load_file(error, "key", key_file,
61 &keypair->key_mem, &keypair->key_len);
62}
63
64int
65tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
66 size_t len)
67{
68 tls_keypair_clear_key(keypair);
69 return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
70}
71
72int
73tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
74 struct tls_error *error, const char *ocsp_file)
75{
76 return tls_config_load_file(error, "ocsp", ocsp_file,
77 &keypair->ocsp_staple, &keypair->ocsp_staple_len);
78}
79
80int
81tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
82 const uint8_t *staple, size_t len)
83{
84 return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
85 staple, len);
86}
87
88void
89tls_keypair_clear(struct tls_keypair *keypair)
90{
91 tls_keypair_set_cert_mem(keypair, NULL, 0);
92 tls_keypair_set_key_mem(keypair, NULL, 0);
93}
94
95void
96tls_keypair_free(struct tls_keypair *keypair)
97{
98 if (keypair == NULL)
99 return;
100
101 tls_keypair_clear(keypair);
102
103 free(keypair->cert_mem);
104 free(keypair->key_mem);
105 free(keypair->ocsp_staple);
106 free(keypair->pubkey_hash);
107
108 free(keypair);
109}
110
111int
112tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
113 X509 **cert)
114{
115 char *errstr = "unknown";
116 BIO *cert_bio = NULL;
117 int ssl_err;
118 int rv = -1;
119
120 X509_free(*cert);
121 *cert = NULL;
122
123 if (keypair->cert_mem == NULL) {
124 tls_error_set(error, "keypair has no certificate");
125 goto err;
126 }
127 if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
128 keypair->cert_len)) == NULL) {
129 tls_error_set(error, "failed to create certificate bio");
130 goto err;
131 }
132 if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
133 NULL)) == NULL) {
134 if ((ssl_err = ERR_peek_error()) != 0)
135 errstr = ERR_error_string(ssl_err, NULL);
136 tls_error_set(error, "failed to load certificate: %s", errstr);
137 goto err;
138 }
139
140 rv = 0;
141
142 err:
143 BIO_free(cert_bio);
144
145 return (rv);
146}
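Review bot: In tls_keypair_load_cert the size_t cert_len is passed straight to BIO_new_mem_buf, which takes an int, so a certificate buffer larger than INT_MAX would be silently truncated or go negative; guard it before the BIO is built: `if (keypair->cert_len > INT_MAX) { tls_error_set(error, "certificate too large"); goto err; }` (needs <limits.h>). As far as the visible code shows cert_mem comes from tls_config_load_file or a caller-supplied buffer, so this is a hardening check rather than a demonstrated bug. Separately, tls_keypair_free calls tls_keypair_clear, which already frees and NULLs cert_mem and key_mem, so the following `free(keypair->cert_mem); free(keypair->key_mem);` are no-ops and could be dropped for clarity. ERR_peek_error also leaves the reported error on the queue; ERR_get_error would consume it, unless the queue is cleared elsewhere, which is not visible here.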
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index e1011769f6..98b0957437 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.42 2017/09/20 17:05:17 jsing Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.43 2018/02/08 05:56:49 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -204,43 +204,6 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
204} 204}
205 205
206static int 206static int
207tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
208 X509 **cert)
209{
210 char *errstr = "unknown";
211 BIO *cert_bio = NULL;
212 int ssl_err;
213 int rv = -1;
214
215 X509_free(*cert);
216 *cert = NULL;
217
218 if (keypair->cert_mem == NULL) {
219 tls_error_set(error, "keypair has no certificate");
220 goto err;
221 }
222 if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
223 keypair->cert_len)) == NULL) {
224 tls_error_set(error, "failed to create certificate bio");
225 goto err;
226 }
227 if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
228 NULL)) == NULL) {
229 if ((ssl_err = ERR_peek_error()) != 0)
230 errstr = ERR_error_string(ssl_err, NULL);
231 tls_error_set(error, "failed to load certificate: %s", errstr);
232 goto err;
233 }
234
235 rv = 0;
236
237 err:
238 BIO_free(cert_bio);
239
240 return (rv);
241}
242
243static int
244tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx, 207tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
245 struct tls_keypair *keypair) 208 struct tls_keypair *keypair)
246{ 209{
diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c
index f9df287ca8..06b60597af 100644
--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_util.c,v 1.10 2018/02/05 00:52:24 jsing Exp $ */ 1/* $OpenBSD: tls_util.c,v 1.11 2018/02/08 05:56:49 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> 4 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -25,6 +25,41 @@
25#include "tls.h" 25#include "tls.h"
26#include "tls_internal.h" 26#include "tls_internal.h"
27 27
28static void *
29memdup(const void *in, size_t len)
30{
31 void *out;
32
33 if ((out = malloc(len)) == NULL)
34 return NULL;
35 memcpy(out, in, len);
36 return out;
37}
38
39int
40tls_set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
41{
42 free(*dest);
43 *dest = NULL;
44 *destlen = 0;
45 if (src != NULL)
46 if ((*dest = memdup(src, srclen)) == NULL)
47 return -1;
48 *destlen = srclen;
49 return 0;
50}
51
52int
53tls_set_string(const char **dest, const char *src)
54{
55 free((char *)*dest);
56 *dest = NULL;
57 if (src != NULL)
58 if ((*dest = strdup(src)) == NULL)
59 return -1;
60 return 0;
61}
62
28/* 63/*
29 * Extract the host and port from a colon separated value. For a literal IPv6 64 * Extract the host and port from a colon separated value. For a literal IPv6
30 * address the address must be contained with square braces. If a host and 65 * address the address must be contained with square braces. If a host and
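Review bot: tls_set_mem records `*destlen = srclen` even when src is NULL, so a call such as tls_config_set_ca_mem(cfg, NULL, n) leaves the length non-zero alongside a NULL buffer; moving the assignment under the NULL check, `if (src != NULL) { if ((*dest = memdup(src, srclen)) == NULL) return -1; *destlen = srclen; }`, keeps the pointer/length pair consistent. Whether any consumer reads the length without first checking the pointer is not visible in this diff. It is also worth a comment on tls_set_mem that it releases the previous buffer with plain free(), so callers holding key material must zero it first, as tls_keypair_set_key_mem does via tls_keypair_clear_key.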