Diffstat (limited to 'src/lib/libtls/tls.c')
-rw-r--r-- | src/lib/libtls/tls.c | 45 |
1 files changed, 23 insertions, 22 deletions
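--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.36 2016/04/28 16:48:44 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.37 2016/04/28 17:05:59 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -179,40 +179,41 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 }
 
 int
-tls_configure_keypair(struct tls *ctx, int required)
+tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
+    struct tls_keypair *keypair, int required)
 {
 	EVP_PKEY *pkey = NULL;
 	X509 *cert = NULL;
 	BIO *bio = NULL;
 
 	if (!required &&
-	    ctx->config->cert_mem == NULL &&
-	    ctx->config->key_mem == NULL &&
-	    ctx->config->cert_file == NULL &&
-	    ctx->config->key_file == NULL)
+	    keypair->cert_mem == NULL &&
+	    keypair->key_mem == NULL &&
+	    keypair->cert_file == NULL &&
+	    keypair->key_file == NULL)
 		return(0);
 
-	if (ctx->config->cert_mem != NULL) {
-		if (ctx->config->cert_len > INT_MAX) {
+	if (keypair->cert_mem != NULL) {
+		if (keypair->cert_len > INT_MAX) {
 			tls_set_errorx(ctx, "certificate too long");
 			goto err;
 		}
 
-		if (SSL_CTX_use_certificate_chain_mem(ctx->ssl_ctx,
-		    ctx->config->cert_mem, ctx->config->cert_len) != 1) {
+		if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
+		    keypair->cert_mem, keypair->cert_len) != 1) {
 			tls_set_errorx(ctx, "failed to load certificate");
 			goto err;
 		}
 		cert = NULL;
 	}
-	if (ctx->config->key_mem != NULL) {
-		if (ctx->config->key_len > INT_MAX) {
+	if (keypair->key_mem != NULL) {
+		if (keypair->key_len > INT_MAX) {
 			tls_set_errorx(ctx, "key too long");
 			goto err;
 		}
 
-		if ((bio = BIO_new_mem_buf(ctx->config->key_mem,
-		    ctx->config->key_len)) == NULL) {
+		if ((bio = BIO_new_mem_buf(keypair->key_mem,
+		    keypair->key_len)) == NULL) {
 			tls_set_errorx(ctx, "failed to create buffer");
 			goto err;
 		}
@@ -221,7 +222,7 @@ tls_configure_keypair(struct tls *ctx, int required)
 			tls_set_errorx(ctx, "failed to read private key");
 			goto err;
 		}
-		if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) {
+		if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
 			tls_set_errorx(ctx, "failed to load private key");
 			goto err;
 		}
@@ -231,22 +232,22 @@ tls_configure_keypair(struct tls *ctx, int required)
 		pkey = NULL;
 	}
 
-	if (ctx->config->cert_file != NULL) {
-		if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx,
-		    ctx->config->cert_file) != 1) {
+	if (keypair->cert_file != NULL) {
+		if (SSL_CTX_use_certificate_chain_file(ssl_ctx,
+		    keypair->cert_file) != 1) {
 			tls_set_errorx(ctx, "failed to load certificate file");
 			goto err;
 		}
 	}
-	if (ctx->config->key_file != NULL) {
-		if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx,
-		    ctx->config->key_file, SSL_FILETYPE_PEM) != 1) {
+	if (keypair->key_file != NULL) {
+		if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
+		    keypair->key_file, SSL_FILETYPE_PEM) != 1) {
 			tls_set_errorx(ctx, "failed to load private key file");
 			goto err;
 		}
 	}
 
-	if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) {
+	if (SSL_CTX_check_private_key(ssl_ctx) != 1) {
 		tls_set_errorx(ctx, "private/public key mismatch");
 		goto err;
 	}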
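Review bot: A caller that passes `required` set together with a `keypair` whose four source fields are all NULL skips every load in tls_configure_keypair and only fails at `SSL_CTX_check_private_key(ssl_ctx)`, where the reported error is "private/public key mismatch" even though nothing was configured; the behaviour predates this change but the new parameter makes such calls easier to write. An explicit check right after the early return would name the real cause, e.g. `if (keypair->cert_mem == NULL && keypair->cert_file == NULL) {` / `tls_set_errorx(ctx, "no certificate configured"); goto err;` / `}`. In the visible lines `cert` is assigned only NULL (its declaration and the `cert = NULL;` after SSL_CTX_use_certificate_chain_mem), so that assignment looks like a leftover unless the `err:` path outside the hunk still relies on the variable. The function body continues past the last hunk, and now that `ctx` and `ssl_ctx` are separate a header comment stating that `ctx` is used only for error reporting while the keypair is installed into `ssl_ctx`, and whether `keypair` may be NULL, would help callers.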