Diffstat (limited to '')
| -rw-r--r-- | src/lib/libtls/tls.c | 42 |
1 files changed, 40 insertions, 2 deletions
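diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index db14d3fc7d..0c4793cc9a 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.17 2015/09/09 18:22:33 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.18 2015/09/09 19:23:04 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -147,12 +147,19 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 
 int
-tls_configure_keypair(struct tls *ctx)
+tls_configure_keypair(struct tls *ctx, int required)
 {
 	EVP_PKEY *pkey = NULL;
 	X509 *cert = NULL;
 	BIO *bio = NULL;
 
+	if (!required &&
+	    ctx->config->cert_mem == NULL &&
+	    ctx->config->key_mem == NULL &&
+	    ctx->config->cert_file == NULL &&
+	    ctx->config->key_file == NULL)
+		return(0);
+
 	if (ctx->config->cert_mem != NULL) {
 		if (ctx->config->cert_len > INT_MAX) {
 			tls_set_errorx(ctx, "certificate too long");
@@ -256,6 +263,37 @@ err:
 	return (-1);
 }
 
+int
+tls_configure_ssl_verify(struct tls *ctx, int verify)
+{
+	SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);
+
+	if (ctx->config->ca_mem != NULL) {
+		/* XXX do this in set. */
+		if (ctx->config->ca_len > INT_MAX) {
+			tls_set_error(ctx, "client ca too long");
+			goto err;
+		}
+		if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+		    ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+			tls_set_error(ctx,
+			    "ssl verify memory setup failure");
+			goto err;
+		}
+	} else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+	    ctx->config->ca_file, ctx->config->ca_path) != 1) {
+		tls_set_error(ctx, "ssl verify setup failure");
+		goto err;
+	}
+	if (ctx->config->verify_depth >= 0)
+		SSL_CTX_set_verify_depth(ctx->ssl_ctx,
+		    ctx->config->verify_depth);
+	return (0);
+
+err:
+	return (-1);
+}
+
 void
 tls_free(struct tls *ctx)
 {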
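Review bot: The `ctx->config->ca_len > INT_MAX` check in the new tls_configure_ssl_verify reports through `tls_set_error`, while the equivalent `cert_len > INT_MAX` check in tls_configure_keypair (previous hunk) uses `tls_set_errorx`; by the err/errx naming convention the non-x form presumably appends strerror(errno), which is meaningless for a pure length check, so this line should read `tls_set_errorx(ctx, "ca too long");`. The "client ca" wording also looks out of place in a function that is parameterized only by `verify` and is not otherwise client-specific, so the message text is worth revisiting at the same time. The `/* XXX do this in set. */` marker is right that the bound belongs at configuration time, in whichever tls_config setter records ca_len, so a bad CA blob is rejected when it is supplied rather than at connect time. A one-line comment above `SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL);` stating that `verify` is passed straight through as SSL_VERIFY_* flags with no verify callback installed would make the contract clear to callers. Note also that when both ca_file and ca_path are NULL the SSL_CTX_load_verify_locations branch fails with only the generic "ssl verify setup failure"; whether the config constructor guarantees a default CA file is not visible in this hunk. The trailing context lines belong to tls_free, whose body continues outside the hunk.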
