4 files changed, 95 insertions, 69 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 0e206e2c7e..8f2c7dde05 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.75 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -291,6 +291,34 @@ tls_cert_hash(X509 *cert, char **hash)
 }
 int
+tls_cert_pubkey_hash(X509 *cert, char **hash)
+{
+        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+        int dlen, rv = -1;
+        free(*hash);
+        *hash = NULL;
+        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
+                goto err;
+        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
+                goto err;
+        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+                *hash = NULL;
+                goto err;
+        }
+        rv = 0;
+ err:
+        free(dhex);
+        return (rv);
+}
+int
 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
    struct tls_keypair *keypair, int required)
 {
@@ -313,9 +341,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
                        tls_set_errorx(ctx, "failed to load certificate");
                        goto err;
                }
-                if (tls_keypair_pubkey_hash(keypair, &ctx->error,
-                    &keypair->pubkey_hash) == -1)
-                        goto err;
        }
        if (keypair->key_mem != NULL) {
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 6dfebfaebf..2dab4fc7d8 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.49 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -351,12 +351,13 @@ tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *ce
        if ((keypair = tls_keypair_new()) == NULL)
                return (-1);
-        if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)
+        if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
                goto err;
-        if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
+        if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
                goto err;
        if (staple != NULL &&
-            tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+            tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
+                staple_len) != 0)
                goto err;
        tls_config_keypair_add(config, keypair);
@@ -431,7 +432,8 @@ int
 tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
    size_t len)
 {
-        return tls_keypair_set_cert_mem(config->keypair, cert, len);
+        return tls_keypair_set_cert_mem(config->keypair, &config->error,
+            cert, len);
 }
 int
@@ -592,7 +594,8 @@ int
 tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
    size_t len)
 {
-        return tls_keypair_set_key_mem(config->keypair, key, len);
+        return tls_keypair_set_key_mem(config->keypair, &config->error,
+            key, len);
 }
 static int
@@ -789,7 +792,8 @@ int
 tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
    size_t len)
 {
-        return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
+        return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error,
+            staple, len);
 }
 int
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 14265037eb..f8b9e6118e 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.69 2018/02/10 04:41:24 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.70 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -199,25 +199,22 @@ int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
 int tls_set_string(const char **_dest, const char *_src);
 struct tls_keypair *tls_keypair_new(void);
-void tls_keypair_clear_key(struct tls_keypair *_keypair);
+void tls_keypair_clear(struct tls_keypair *_keypair);
+void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_cert_file);
-int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, const uint8_t *_cert,
+int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_cert, size_t _len);
 int tls_keypair_set_key_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_key_file);
-int tls_keypair_set_key_mem(struct tls_keypair *_keypair, const uint8_t *_key,
+int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
-    size_t _len);
+    struct tls_error *_error, const uint8_t *_key, size_t _len);
 int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
    struct tls_error *_error, const char *_ocsp_file);
 int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
-    const uint8_t *_staple, size_t _len);
+    struct tls_error *_error, const uint8_t *_staple, size_t _len);
-void tls_keypair_clear(struct tls_keypair *_keypair);
-void tls_keypair_free(struct tls_keypair *_keypair);
 int tls_keypair_load_cert(struct tls_keypair *_keypair,
    struct tls_error *_error, X509 **_cert);
-int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
-    struct tls_error *_error, char **_hash);
 struct tls_sni_ctx *tls_sni_ctx_new(void);
 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
@@ -281,6 +278,7 @@ struct tls_ocsp *tls_ocsp_setup_from_peer(struct tls *ctx);
 int tls_hex_string(const unsigned char *_in, size_t _inlen, char **_out,
    size_t *_outlen);
 int tls_cert_hash(X509 *_cert, char **_hash);
+int tls_cert_pubkey_hash(X509 *_cert, char **_hash);
 int tls_password_cb(char *_buf, int _size, int _rwflag, void *_u);
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index 626a95853f..03e7f4ad76 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -29,7 +29,7 @@ tls_keypair_new(void)
        return calloc(1, sizeof(struct tls_keypair));
 }
-void
+static void
 tls_keypair_clear_key(struct tls_keypair *keypair)
 {
        freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
        keypair->key_len = 0;
 }
+static int
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
+{
+        X509 *cert = NULL;
+        int rv = -1;
+        free(keypair->pubkey_hash);
+        keypair->pubkey_hash = NULL;
+        if (keypair->cert_mem == NULL) {
+                rv = 0;
+                goto done;
+        }
+        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
+                goto err;
+        if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
+                goto err;
+        rv = 0;
+ err:
+        X509_free(cert);
+ done:
+        return (rv);
+}
 int
 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
 {
-        return tls_config_load_file(error, "certificate", cert_file,
+        if (tls_config_load_file(error, "certificate", cert_file,
-            &keypair->cert_mem, &keypair->cert_len);
+            &keypair->cert_mem, &keypair->cert_len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
-tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *cert, size_t len)
 {
-        return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
+        if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
 }
 int
-tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
+tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *key, size_t len)
 {
        tls_keypair_clear_key(keypair);
        return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
 int
 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
-    const uint8_t *staple, size_t len)
+    struct tls_error *error, const uint8_t *staple, size_t len)
 {
        return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
            staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
 void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
-        tls_keypair_set_cert_mem(keypair, NULL, 0);
+        struct tls_error error;
-        tls_keypair_set_key_mem(keypair, NULL, 0);
-        tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);
+        tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_key_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
        free(keypair->pubkey_hash);
        keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
        return (rv);
 }
-int
-tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error,
-    char **hash)
-{
-        X509 *cert = NULL;
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
-        int dlen, rv = -1;
-        free(*hash);
-        *hash = NULL;
-        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
-                goto err;
-        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
-                goto err;
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
-                goto err;
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                *hash = NULL;
-                goto err;
-        }
-        rv = 0;
- err:
-        X509_free(cert);
-        free(dhex);
-        return (rv);
-}

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 0e206e2c7e..8f2c7dde05 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls.c,v 1.74 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls.c,v 1.75 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -291,6 +291,34 @@ tls_cert_hash(X509 cert, char *hash)
291	}	291	}
292		292
293	int	293	int
		294	tls_cert_pubkey_hash(X509 cert, char *hash)
		295	{
		296	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
		297	int dlen, rv = -1;
		298
		299	free(*hash);
		300	*hash = NULL;
		301
		302	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
		303	goto err;
		304
		305	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
		306	goto err;
		307
		308	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
		309	*hash = NULL;
		310	goto err;
		311	}
		312
		313	rv = 0;
		314
		315	err:
		316	free(dhex);
		317
		318	return (rv);
		319	}
		320
		321	int
294	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,	322	tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
295	struct tls_keypair *keypair, int required)	323	struct tls_keypair *keypair, int required)
296	{	324	{
@@ -313,9 +341,6 @@ tls_configure_ssl_keypair(struct tls ctx, SSL_CTX ssl_ctx,
313	tls_set_errorx(ctx, "failed to load certificate");	341	tls_set_errorx(ctx, "failed to load certificate");
314	goto err;	342	goto err;
315	}	343	}
316	if (tls_keypair_pubkey_hash(keypair, &ctx->error,
317	&keypair->pubkey_hash) == -1)
318	goto err;
319	}	344	}
320		345
321	if (keypair->key_mem != NULL) {	346	if (keypair->key_mem != NULL) {


diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 6dfebfaebf..2dab4fc7d8 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.49 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -351,12 +351,13 @@ tls_config_add_keypair_mem_internal(struct tls_config config, const uint8_t ce
351		351
352	if ((keypair = tls_keypair_new()) == NULL)	352	if ((keypair = tls_keypair_new()) == NULL)
353	return (-1);	353	return (-1);
354	if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)	354	if (tls_keypair_set_cert_mem(keypair, &config->error, cert, cert_len) != 0)
355	goto err;	355	goto err;
356	if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)	356	if (tls_keypair_set_key_mem(keypair, &config->error, key, key_len) != 0)
357	goto err;	357	goto err;
358	if (staple != NULL &&	358	if (staple != NULL &&
359	tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)	359	tls_keypair_set_ocsp_staple_mem(keypair, &config->error, staple,
		360	staple_len) != 0)
360	goto err;	361	goto err;
361		362
362	tls_config_keypair_add(config, keypair);	363	tls_config_keypair_add(config, keypair);
@@ -431,7 +432,8 @@ int
431	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,	432	tls_config_set_cert_mem(struct tls_config config, const uint8_t cert,
432	size_t len)	433	size_t len)
433	{	434	{
434	return tls_keypair_set_cert_mem(config->keypair, cert, len);	435	return tls_keypair_set_cert_mem(config->keypair, &config->error,
		436	cert, len);
435	}	437	}
436		438
437	int	439	int
@@ -592,7 +594,8 @@ int
592	tls_config_set_key_mem(struct tls_config config, const uint8_t key,	594	tls_config_set_key_mem(struct tls_config config, const uint8_t key,
593	size_t len)	595	size_t len)
594	{	596	{
595	return tls_keypair_set_key_mem(config->keypair, key, len);	597	return tls_keypair_set_key_mem(config->keypair, &config->error,
		598	key, len);
596	}	599	}
597		600
598	static int	601	static int
@@ -789,7 +792,8 @@ int
789	tls_config_set_ocsp_staple_mem(struct tls_config config, const uint8_t staple,	792	tls_config_set_ocsp_staple_mem(struct tls_config config, const uint8_t staple,
790	size_t len)	793	size_t len)
791	{	794	{
792	return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);	795	return tls_keypair_set_ocsp_staple_mem(config->keypair, &config->error,
		796	staple, len);
793	}	797	}
794		798
795	int	799	int


diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 14265037eb..f8b9e6118e 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_internal.h,v 1.69 2018/02/10 04:41:24 jsing Exp $ */	1	/* $OpenBSD: tls_internal.h,v 1.70 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>	3	* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	4	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -199,25 +199,22 @@ int tls_set_mem(char *_dest, size_t _destlen, const void *_src,
199	int tls_set_string(const char *_dest, const char _src);	199	int tls_set_string(const char *_dest, const char _src);
200		200
201	struct tls_keypair *tls_keypair_new(void);	201	struct tls_keypair *tls_keypair_new(void);
202	void tls_keypair_clear_key(struct tls_keypair *_keypair);	202	void tls_keypair_clear(struct tls_keypair *_keypair);
		203	void tls_keypair_free(struct tls_keypair *_keypair);
203	int tls_keypair_set_cert_file(struct tls_keypair *_keypair,	204	int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
204	struct tls_error _error, const char _cert_file);	205	struct tls_error _error, const char _cert_file);
205	int tls_keypair_set_cert_mem(struct tls_keypair _keypair, const uint8_t _cert,	206	int tls_keypair_set_cert_mem(struct tls_keypair *_keypair,
206	size_t _len);	207	struct tls_error _error, const uint8_t _cert, size_t _len);
207	int tls_keypair_set_key_file(struct tls_keypair *_keypair,	208	int tls_keypair_set_key_file(struct tls_keypair *_keypair,
208	struct tls_error _error, const char _key_file);	209	struct tls_error _error, const char _key_file);
209	int tls_keypair_set_key_mem(struct tls_keypair _keypair, const uint8_t _key,	210	int tls_keypair_set_key_mem(struct tls_keypair *_keypair,
210	size_t _len);	211	struct tls_error _error, const uint8_t _key, size_t _len);
211	int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,	212	int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
212	struct tls_error _error, const char _ocsp_file);	213	struct tls_error _error, const char _ocsp_file);
213	int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,	214	int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
214	const uint8_t *_staple, size_t _len);	215	struct tls_error _error, const uint8_t _staple, size_t _len);
215	void tls_keypair_clear(struct tls_keypair *_keypair);
216	void tls_keypair_free(struct tls_keypair *_keypair);
217	int tls_keypair_load_cert(struct tls_keypair *_keypair,	216	int tls_keypair_load_cert(struct tls_keypair *_keypair,
218	struct tls_error _error, X509 *_cert);	217	struct tls_error _error, X509 *_cert);
219	int tls_keypair_pubkey_hash(struct tls_keypair *_keypair,
220	struct tls_error _error, char *_hash);
221		218
222	struct tls_sni_ctx *tls_sni_ctx_new(void);	219	struct tls_sni_ctx *tls_sni_ctx_new(void);
223	void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);	220	void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
@@ -281,6 +278,7 @@ struct tls_ocsp tls_ocsp_setup_from_peer(struct tls ctx);
281	int tls_hex_string(const unsigned char _in, size_t _inlen, char *_out,	278	int tls_hex_string(const unsigned char _in, size_t _inlen, char *_out,
282	size_t *_outlen);	279	size_t *_outlen);
283	int tls_cert_hash(X509 _cert, char *_hash);	280	int tls_cert_hash(X509 _cert, char *_hash);
		281	int tls_cert_pubkey_hash(X509 _cert, char *_hash);
284		282
285	int tls_password_cb(char _buf, int _size, int _rwflag, void _u);	283	int tls_password_cb(char _buf, int _size, int _rwflag, void _u);
286		284


diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c index 626a95853f..03e7f4ad76 100644 --- a/src/lib/libtls/tls_keypair.c +++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -29,7 +29,7 @@ tls_keypair_new(void)
29	return calloc(1, sizeof(struct tls_keypair));	29	return calloc(1, sizeof(struct tls_keypair));
30	}	30	}
31		31
32	void	32	static void
33	tls_keypair_clear_key(struct tls_keypair *keypair)	33	tls_keypair_clear_key(struct tls_keypair *keypair)
34	{	34	{
35	freezero(keypair->key_mem, keypair->key_len);	35	freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
37	keypair->key_len = 0;	37	keypair->key_len = 0;
38	}	38	}
39		39
		40	static int
		41	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error)
		42	{
		43	X509 *cert = NULL;
		44	int rv = -1;
		45
		46	free(keypair->pubkey_hash);
		47	keypair->pubkey_hash = NULL;
		48
		49	if (keypair->cert_mem == NULL) {
		50	rv = 0;
		51	goto done;
		52	}
		53
		54	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
		55	goto err;
		56	if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
		57	goto err;
		58
		59	rv = 0;
		60
		61	err:
		62	X509_free(cert);
		63	done:
		64	return (rv);
		65	}
		66
40	int	67	int
41	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,	68	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,
42	const char *cert_file)	69	const char *cert_file)
43	{	70	{
44	return tls_config_load_file(error, "certificate", cert_file,	71	if (tls_config_load_file(error, "certificate", cert_file,
45	&keypair->cert_mem, &keypair->cert_len);	72	&keypair->cert_mem, &keypair->cert_len) == -1)
		73	return -1;
		74	return tls_keypair_pubkey_hash(keypair, error);
46	}	75	}
47		76
48	int	77	int
49	tls_keypair_set_cert_mem(struct tls_keypair keypair, const uint8_t cert,	78	tls_keypair_set_cert_mem(struct tls_keypair keypair, struct tls_error error,
50	size_t len)	79	const uint8_t *cert, size_t len)
51	{	80	{
52	return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);	81	if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
		82	return -1;
		83	return tls_keypair_pubkey_hash(keypair, error);
53	}	84	}
54		85
55	int	86	int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair keypair, struct tls_error error,
62	}	93	}
63		94
64	int	95	int
65	tls_keypair_set_key_mem(struct tls_keypair keypair, const uint8_t key,	96	tls_keypair_set_key_mem(struct tls_keypair keypair, struct tls_error error,
66	size_t len)	97	const uint8_t *key, size_t len)
67	{	98	{
68	tls_keypair_clear_key(keypair);	99	tls_keypair_clear_key(keypair);
69	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);	100	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
79		110
80	int	111	int
81	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,	112	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
82	const uint8_t *staple, size_t len)	113	struct tls_error error, const uint8_t staple, size_t len)
83	{	114	{
84	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,	115	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
85	staple, len);	116	staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
88	void	119	void
89	tls_keypair_clear(struct tls_keypair *keypair)	120	tls_keypair_clear(struct tls_keypair *keypair)
90	{	121	{
91	tls_keypair_set_cert_mem(keypair, NULL, 0);	122	struct tls_error error;
92	tls_keypair_set_key_mem(keypair, NULL, 0);	123
93	tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);	124	tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
		125	tls_keypair_set_key_mem(keypair, &error, NULL, 0);
		126	tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
94		127
95	free(keypair->pubkey_hash);	128	free(keypair->pubkey_hash);
96	keypair->pubkey_hash = NULL;	129	keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair keypair, struct tls_error error,
143		176
144	return (rv);	177	return (rv);
145	}	178	}
146
147	int
148	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error,
149	char **hash)
150	{
151	X509 *cert = NULL;
152	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
153	int dlen, rv = -1;
154
155	free(*hash);
156	*hash = NULL;
157
158	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
159	goto err;
160
161	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
162	goto err;
163
164	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
165	goto err;
166
167	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
168	*hash = NULL;
169	goto err;
170	}
171
172	rv = 0;
173
174	err:
175	X509_free(cert);
176	free(dhex);
177
178	return (rv);
179	}