summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libtls/tls.c')
-rw-r--r--src/lib/libtls/tls.c84
1 files changed, 62 insertions, 22 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 3d6723bbd9..02ddf447fb 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */ 1/* $OpenBSD: tls.c,v 1.86 2021/01/21 19:09:10 eric Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -326,12 +326,69 @@ tls_cert_pubkey_hash(X509 *cert, char **hash)
326 return (rv); 326 return (rv);
327} 327}
328 328
329static int
330tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
331{
332 BIO *bio = NULL;
333 X509 *x509 = NULL;
334 char *mem;
335 size_t len;
336 int ret = -1;
337
338 *pkey = NULL;
339
340 if (ctx->config->use_fake_private_key) {
341 mem = keypair->cert_mem;
342 len = keypair->cert_len;
343 } else {
344 mem = keypair->key_mem;
345 len = keypair->key_len;
346 }
347
348 if (mem == NULL)
349 return (0);
350
351 if (len > INT_MAX) {
352 tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
353 "cert too long" : "key too long");
354 goto err;
355 }
356
357 if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
358 tls_set_errorx(ctx, "failed to create buffer");
359 goto err;
360 }
361
362 if (ctx->config->use_fake_private_key) {
363 if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
364 NULL)) == NULL) {
365 tls_set_errorx(ctx, "failed to read X509 certificate");
366 goto err;
367 }
368 if ((*pkey = X509_get_pubkey(x509)) == NULL) {
369 tls_set_errorx(ctx, "failed to retrieve pubkey");
370 goto err;
371 }
372 } else {
373 if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
374 NULL)) == NULL) {
375 tls_set_errorx(ctx, "failed to read private key");
376 goto err;
377 }
378 }
379
380 ret = 0;
381 err:
382 BIO_free(bio);
383 X509_free(x509);
384 return (ret);
385}
386
329int 387int
330tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, 388tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
331 struct tls_keypair *keypair, int required) 389 struct tls_keypair *keypair, int required)
332{ 390{
333 EVP_PKEY *pkey = NULL; 391 EVP_PKEY *pkey = NULL;
334 BIO *bio = NULL;
335 392
336 if (!required && 393 if (!required &&
337 keypair->cert_mem == NULL && 394 keypair->cert_mem == NULL &&
@@ -351,23 +408,9 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
351 } 408 }
352 } 409 }
353 410
354 if (keypair->key_mem != NULL) { 411 if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
355 if (keypair->key_len > INT_MAX) { 412 goto err;
356 tls_set_errorx(ctx, "key too long"); 413 if (pkey != NULL) {
357 goto err;
358 }
359
360 if ((bio = BIO_new_mem_buf(keypair->key_mem,
361 keypair->key_len)) == NULL) {
362 tls_set_errorx(ctx, "failed to create buffer");
363 goto err;
364 }
365 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
366 NULL)) == NULL) {
367 tls_set_errorx(ctx, "failed to read private key");
368 goto err;
369 }
370
371 if (keypair->pubkey_hash != NULL) { 414 if (keypair->pubkey_hash != NULL) {
372 RSA *rsa; 415 RSA *rsa;
373 /* XXX only RSA for now for relayd privsep */ 416 /* XXX only RSA for now for relayd privsep */
@@ -381,8 +424,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
381 tls_set_errorx(ctx, "failed to load private key"); 424 tls_set_errorx(ctx, "failed to load private key");
382 goto err; 425 goto err;
383 } 426 }
384 BIO_free(bio);
385 bio = NULL;
386 EVP_PKEY_free(pkey); 427 EVP_PKEY_free(pkey);
387 pkey = NULL; 428 pkey = NULL;
388 } 429 }
@@ -397,7 +438,6 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
397 438
398 err: 439 err:
399 EVP_PKEY_free(pkey); 440 EVP_PKEY_free(pkey);
400 BIO_free(bio);
401 441
402 return (1); 442 return (1);
403} 443}