summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libtls/tls.c')
-rw-r--r--src/lib/libtls/tls.c44
1 files changed, 21 insertions, 23 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 429881dbb3..bf0e1f769f 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */ 1/* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -207,7 +207,7 @@ tls_configure(struct tls *ctx, struct tls_config *config)
207} 207}
208 208
209int 209int
210tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, 210tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
211 struct tls_keypair *keypair, int required) 211 struct tls_keypair *keypair, int required)
212{ 212{
213 EVP_PKEY *pkey = NULL; 213 EVP_PKEY *pkey = NULL;
@@ -274,27 +274,27 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
274} 274}
275 275
276int 276int
277tls_configure_ssl(struct tls *ctx) 277tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
278{ 278{
279 SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); 279 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
280 SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); 280 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
281 281
282 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2); 282 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
283 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3); 283 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
284 284
285 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); 285 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
286 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); 286 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
287 SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); 287 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
288 288
289 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) 289 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
290 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); 290 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
291 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) 291 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
292 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); 292 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
293 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) 293 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
294 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); 294 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
295 295
296 if (ctx->config->alpn != NULL) { 296 if (ctx->config->alpn != NULL) {
297 if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn, 297 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
298 ctx->config->alpn_len) != 0) { 298 ctx->config->alpn_len) != 0) {
299 tls_set_errorx(ctx, "failed to set alpn"); 299 tls_set_errorx(ctx, "failed to set alpn");
300 goto err; 300 goto err;
@@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx)
302 } 302 }
303 303
304 if (ctx->config->ciphers != NULL) { 304 if (ctx->config->ciphers != NULL) {
305 if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, 305 if (SSL_CTX_set_cipher_list(ssl_ctx,
306 ctx->config->ciphers) != 1) { 306 ctx->config->ciphers) != 1) {
307 tls_set_errorx(ctx, "failed to set ciphers"); 307 tls_set_errorx(ctx, "failed to set ciphers");
308 goto err; 308 goto err;
@@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx)
310 } 310 }
311 311
312 if (ctx->config->verify_time == 0) { 312 if (ctx->config->verify_time == 0) {
313 X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param, 313 X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
314 X509_V_FLAG_NO_CHECK_TIME); 314 X509_V_FLAG_NO_CHECK_TIME);
315 } 315 }
316 316
@@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx)
321} 321}
322 322
323int 323int
324tls_configure_ssl_verify(struct tls *ctx, int verify) 324tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
325{ 325{
326 size_t ca_len = ctx->config->ca_len; 326 size_t ca_len = ctx->config->ca_len;
327 char *ca_mem = ctx->config->ca_mem; 327 char *ca_mem = ctx->config->ca_mem;
328 char *ca_free = NULL; 328 char *ca_free = NULL;
329 329
330 SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); 330 SSL_CTX_set_verify(ssl_ctx, verify, NULL);
331 331
332 /* If no CA has been specified, attempt to load the default. */ 332 /* If no CA has been specified, attempt to load the default. */
333 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { 333 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
@@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify)
342 tls_set_errorx(ctx, "ca too long"); 342 tls_set_errorx(ctx, "ca too long");
343 goto err; 343 goto err;
344 } 344 }
345 if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem, 345 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
346 ca_len) != 1) {
347 tls_set_errorx(ctx, "ssl verify memory setup failure"); 346 tls_set_errorx(ctx, "ssl verify memory setup failure");
348 goto err; 347 goto err;
349 } 348 }
350 } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, 349 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
351 ctx->config->ca_path) != 1) { 350 ctx->config->ca_path) != 1) {
352 tls_set_errorx(ctx, "ssl verify locations failure"); 351 tls_set_errorx(ctx, "ssl verify locations failure");
353 goto err; 352 goto err;
354 } 353 }
355 if (ctx->config->verify_depth >= 0) 354 if (ctx->config->verify_depth >= 0)
356 SSL_CTX_set_verify_depth(ctx->ssl_ctx, 355 SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
357 ctx->config->verify_depth);
358 356
359 free(ca_free); 357 free(ca_free);
360 358
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-05 08:13:00 +0000