diff options
| -rw-r--r-- | src/lib/libtls/tls.c | 44 | ||||
| -rw-r--r-- | src/lib/libtls/tls_client.c | 11 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 11 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 9 |
4 files changed, 38 insertions, 37 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 429881dbb3..bf0e1f769f 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -207,7 +207,7 @@ tls_configure(struct tls *ctx, struct tls_config *config) | |||
| 207 | } | 207 | } |
| 208 | 208 | ||
| 209 | int | 209 | int |
| 210 | tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | 210 | tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, |
| 211 | struct tls_keypair *keypair, int required) | 211 | struct tls_keypair *keypair, int required) |
| 212 | { | 212 | { |
| 213 | EVP_PKEY *pkey = NULL; | 213 | EVP_PKEY *pkey = NULL; |
| @@ -274,27 +274,27 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | |||
| 274 | } | 274 | } |
| 275 | 275 | ||
| 276 | int | 276 | int |
| 277 | tls_configure_ssl(struct tls *ctx) | 277 | tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) |
| 278 | { | 278 | { |
| 279 | SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); | 279 | SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); |
| 280 | SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); | 280 | SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); |
| 281 | 281 | ||
| 282 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2); | 282 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); |
| 283 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3); | 283 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); |
| 284 | 284 | ||
| 285 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); | 285 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); |
| 286 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); | 286 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); |
| 287 | SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); | 287 | SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); |
| 288 | 288 | ||
| 289 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) | 289 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) |
| 290 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); | 290 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); |
| 291 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) | 291 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) |
| 292 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); | 292 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); |
| 293 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) | 293 | if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) |
| 294 | SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); | 294 | SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); |
| 295 | 295 | ||
| 296 | if (ctx->config->alpn != NULL) { | 296 | if (ctx->config->alpn != NULL) { |
| 297 | if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn, | 297 | if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, |
| 298 | ctx->config->alpn_len) != 0) { | 298 | ctx->config->alpn_len) != 0) { |
| 299 | tls_set_errorx(ctx, "failed to set alpn"); | 299 | tls_set_errorx(ctx, "failed to set alpn"); |
| 300 | goto err; | 300 | goto err; |
| @@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx) | |||
| 302 | } | 302 | } |
| 303 | 303 | ||
| 304 | if (ctx->config->ciphers != NULL) { | 304 | if (ctx->config->ciphers != NULL) { |
| 305 | if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, | 305 | if (SSL_CTX_set_cipher_list(ssl_ctx, |
| 306 | ctx->config->ciphers) != 1) { | 306 | ctx->config->ciphers) != 1) { |
| 307 | tls_set_errorx(ctx, "failed to set ciphers"); | 307 | tls_set_errorx(ctx, "failed to set ciphers"); |
| 308 | goto err; | 308 | goto err; |
| @@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx) | |||
| 310 | } | 310 | } |
| 311 | 311 | ||
| 312 | if (ctx->config->verify_time == 0) { | 312 | if (ctx->config->verify_time == 0) { |
| 313 | X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param, | 313 | X509_VERIFY_PARAM_set_flags(ssl_ctx->param, |
| 314 | X509_V_FLAG_NO_CHECK_TIME); | 314 | X509_V_FLAG_NO_CHECK_TIME); |
| 315 | } | 315 | } |
| 316 | 316 | ||
| @@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx) | |||
| 321 | } | 321 | } |
| 322 | 322 | ||
| 323 | int | 323 | int |
| 324 | tls_configure_ssl_verify(struct tls *ctx, int verify) | 324 | tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) |
| 325 | { | 325 | { |
| 326 | size_t ca_len = ctx->config->ca_len; | 326 | size_t ca_len = ctx->config->ca_len; |
| 327 | char *ca_mem = ctx->config->ca_mem; | 327 | char *ca_mem = ctx->config->ca_mem; |
| 328 | char *ca_free = NULL; | 328 | char *ca_free = NULL; |
| 329 | 329 | ||
| 330 | SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); | 330 | SSL_CTX_set_verify(ssl_ctx, verify, NULL); |
| 331 | 331 | ||
| 332 | /* If no CA has been specified, attempt to load the default. */ | 332 | /* If no CA has been specified, attempt to load the default. */ |
| 333 | if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { | 333 | if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { |
| @@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify) | |||
| 342 | tls_set_errorx(ctx, "ca too long"); | 342 | tls_set_errorx(ctx, "ca too long"); |
| 343 | goto err; | 343 | goto err; |
| 344 | } | 344 | } |
| 345 | if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem, | 345 | if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { |
| 346 | ca_len) != 1) { | ||
| 347 | tls_set_errorx(ctx, "ssl verify memory setup failure"); | 346 | tls_set_errorx(ctx, "ssl verify memory setup failure"); |
| 348 | goto err; | 347 | goto err; |
| 349 | } | 348 | } |
| 350 | } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, | 349 | } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, |
| 351 | ctx->config->ca_path) != 1) { | 350 | ctx->config->ca_path) != 1) { |
| 352 | tls_set_errorx(ctx, "ssl verify locations failure"); | 351 | tls_set_errorx(ctx, "ssl verify locations failure"); |
| 353 | goto err; | 352 | goto err; |
| 354 | } | 353 | } |
| 355 | if (ctx->config->verify_depth >= 0) | 354 | if (ctx->config->verify_depth >= 0) |
| 356 | SSL_CTX_set_verify_depth(ctx->ssl_ctx, | 355 | SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth); |
| 357 | ctx->config->verify_depth); | ||
| 358 | 356 | ||
| 359 | free(ca_free); | 357 | free(ca_free); |
| 360 | 358 | ||
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 3847f4c46c..c360ecad52 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */ | 1 | /* $OpenBSD: tls_client.c,v 1.34 2016/08/15 14:04:23 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -193,9 +193,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 193 | goto err; | 193 | goto err; |
| 194 | } | 194 | } |
| 195 | 195 | ||
| 196 | if (tls_configure_ssl(ctx) != 0) | 196 | if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) |
| 197 | goto err; | 197 | goto err; |
| 198 | if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0) | 198 | if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, |
| 199 | ctx->config->keypair, 0) != 0) | ||
| 199 | goto err; | 200 | goto err; |
| 200 | 201 | ||
| 201 | if (ctx->config->verify_name) { | 202 | if (ctx->config->verify_name) { |
| @@ -204,9 +205,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 204 | goto err; | 205 | goto err; |
| 205 | } | 206 | } |
| 206 | } | 207 | } |
| 207 | |||
| 208 | if (ctx->config->verify_cert && | 208 | if (ctx->config->verify_cert && |
| 209 | (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1)) | 209 | (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, |
| 210 | SSL_VERIFY_PEER) == -1)) | ||
| 210 | goto err; | 211 | goto err; |
| 211 | 212 | ||
| 212 | if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { | 213 | if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index fa972bbadf..f266996a4c 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.36 2016/08/13 13:05:51 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.37 2016/08/15 14:04:23 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -112,11 +112,12 @@ struct tls *tls_new(void); | |||
| 112 | struct tls *tls_server_conn(struct tls *ctx); | 112 | struct tls *tls_server_conn(struct tls *ctx); |
| 113 | 113 | ||
| 114 | int tls_check_name(struct tls *ctx, X509 *cert, const char *servername); | 114 | int tls_check_name(struct tls *ctx, X509 *cert, const char *servername); |
| 115 | int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | ||
| 116 | struct tls_keypair *keypair, int required); | ||
| 117 | int tls_configure_server(struct tls *ctx); | 115 | int tls_configure_server(struct tls *ctx); |
| 118 | int tls_configure_ssl(struct tls *ctx); | 116 | |
| 119 | int tls_configure_ssl_verify(struct tls *ctx, int verify); | 117 | int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx); |
| 118 | int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, | ||
| 119 | struct tls_keypair *keypair, int required); | ||
| 120 | int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify); | ||
| 120 | 121 | ||
| 121 | int tls_handshake_client(struct tls *ctx); | 122 | int tls_handshake_client(struct tls *ctx); |
| 122 | int tls_handshake_server(struct tls *ctx); | 123 | int tls_handshake_server(struct tls *ctx); |
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 690af32eaf..bec9c0608f 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.22 2016/08/12 15:10:59 jsing Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -73,15 +73,16 @@ tls_configure_server(struct tls *ctx) | |||
| 73 | goto err; | 73 | goto err; |
| 74 | } | 74 | } |
| 75 | 75 | ||
| 76 | if (tls_configure_ssl(ctx) != 0) | 76 | if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) |
| 77 | goto err; | 77 | goto err; |
| 78 | if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0) | 78 | if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, |
| 79 | ctx->config->keypair, 1) != 0) | ||
| 79 | goto err; | 80 | goto err; |
| 80 | if (ctx->config->verify_client != 0) { | 81 | if (ctx->config->verify_client != 0) { |
| 81 | int verify = SSL_VERIFY_PEER; | 82 | int verify = SSL_VERIFY_PEER; |
| 82 | if (ctx->config->verify_client == 1) | 83 | if (ctx->config->verify_client == 1) |
| 83 | verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; | 84 | verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; |
| 84 | if (tls_configure_ssl_verify(ctx, verify) == -1) | 85 | if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1) |
| 85 | goto err; | 86 | goto err; |
| 86 | } | 87 | } |
| 87 | 88 | ||