Diffstat (limited to 'src/lib/libtls/tls.c')
-rw-r--r-- | src/lib/libtls/tls.c | 84 |
1 files changed, 62 insertions, 22 deletions
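diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 3d6723bbd9..02ddf447fb 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.86 2021/01/21 19:09:10 eric Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -326,12 +326,69 @@ tls_cert_pubkey_hash(X509 *cert, char **hash)
 return (rv);
 }
 
+static int
+tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
+{
+BIO *bio = NULL;
+X509 *x509 = NULL;
+char *mem;
+size_t len;
+int ret = -1;
+
+*pkey = NULL;
+
+if (ctx->config->use_fake_private_key) {
+mem = keypair->cert_mem;
+len = keypair->cert_len;
+} else {
+mem = keypair->key_mem;
+len = keypair->key_len;
+}
+
+if (mem == NULL)
+return (0);
+
+if (len > INT_MAX) {
+tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
+"cert too long" : "key too long");
+goto err;
+}
+
+if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
+tls_set_errorx(ctx, "failed to create buffer");
+goto err;
+}
+
+if (ctx->config->use_fake_private_key) {
+if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
+NULL)) == NULL) {
+tls_set_errorx(ctx, "failed to read X509 certificate");
+goto err;
+}
+if ((*pkey = X509_get_pubkey(x509)) == NULL) {
+tls_set_errorx(ctx, "failed to retrieve pubkey");
+goto err;
+}
+} else {
+if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
+NULL)) == NULL) {
+tls_set_errorx(ctx, "failed to read private key");
+goto err;
+}
+}
+
+ret = 0;
+err:
+BIO_free(bio);
+X509_free(x509);
+return (ret);
+}
+
 int
 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 struct tls_keypair *keypair, int required)
 {
 EVP_PKEY *pkey = NULL;
-BIO *bio = NULL;
 
 if (!required &&
 keypair->cert_mem == NULL &&
@@ -351,23 +408,9 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 }
 }
 
-if (keypair->key_mem != NULL) {
-if (keypair->key_len > INT_MAX) {
-tls_set_errorx(ctx, "key too long");
-goto err;
-}
-
-if ((bio = BIO_new_mem_buf(keypair->key_mem,
-keypair->key_len)) == NULL) {
-tls_set_errorx(ctx, "failed to create buffer");
-goto err;
-}
-if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
-NULL)) == NULL) {
-tls_set_errorx(ctx, "failed to read private key");
-goto err;
-}
-
+if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
+goto err;
+if (pkey != NULL) {
 if (keypair->pubkey_hash != NULL) {
 RSA *rsa;
 /* XXX only RSA for now for relayd privsep */
@@ -381,8 +424,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 tls_set_errorx(ctx, "failed to load private key");
 goto err;
 }
-BIO_free(bio);
-bio = NULL;
 EVP_PKEY_free(pkey);
 pkey = NULL;
 }
@@ -397,7 +438,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
 
 err:
 EVP_PKEY_free(pkey);
-BIO_free(bio);
 
 return (1);
 }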
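Review bot: The new helper tls_keypair_to_pkey (new lines 329-385) carries no comment stating its three-way contract, even though the caller at new lines 411-413 depends on it: -1 with a tls error set on failure, 0 with *pkey left NULL when the selected key material is absent, and 0 with a fresh EVP_PKEY the caller must free otherwise. A header comment such as `/* Load the keypair's private key into *pkey. Under use_fake_private_key the certificate's public key is returned instead. Returns -1 on error, 0 otherwise; *pkey is NULL when no key material is present. */` would make the caller's `if (pkey != NULL)` branch self-explanatory. It is also worth saying explicitly, either there or where use_fake_private_key is set, that in that mode the key configured into the SSL_CTX has no private component, so any real signing must come from elsewhere (presumably the relayd privsep path the existing XXX comment alludes to); the rest of tls_configure_ssl_keypair that consumes pkey lies outside these hunks.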