1 files changed, 40 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 3db75dc62f..6dfebfaebf 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -89,6 +89,7 @@ tls_config_new(void)
                goto err;
        config->refcount = 1;
+        config->session_fd = -1;
        /*
         * Default configuration.
@@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 }
 int
+tls_config_set_session_fd(struct tls_config *config, int session_fd)
+{
+        struct stat sb;
+        mode_t mugo;
+        if (session_fd == -1) {
+                config->session_fd = session_fd;
+                return (0);
+        }
+        if (fstat(session_fd, &sb) == -1) {
+                tls_config_set_error(config, "failed to stat session file");
+                return (-1);
+        }
+        if (!S_ISREG(sb.st_mode)) {
+                tls_config_set_errorx(config,
+                    "session file is not a regular file");
+                return (-1);
+        }
+        if (sb.st_uid != getuid()) {
+                tls_config_set_errorx(config, "session file has incorrect "
+                    "owner (uid %i != %i)", sb.st_uid, getuid());
+                return (-1);
+        }
+        mugo = sb.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO);
+        if (mugo != (S_IRUSR|S_IWUSR)) {
+                tls_config_set_errorx(config, "session file has incorrect "
+                    "permissions (%o != 600)", mugo);
+                return (-1);
+        }
+        config->session_fd = session_fd;
+        return (0);
+}
+int
 tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
 {
        config->verify_depth = verify_depth;

diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 3db75dc62f..6dfebfaebf 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */	1	/* $OpenBSD: tls_config.c,v 1.48 2018/02/10 04:41:24 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -89,6 +89,7 @@ tls_config_new(void)
89	goto err;	89	goto err;
90		90
91	config->refcount = 1;	91	config->refcount = 1;
		92	config->session_fd = -1;
92		93
93	/*	94	/*
94	* Default configuration.	95	* Default configuration.
@@ -670,6 +671,44 @@ tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
670	}	671	}
671		672
672	int	673	int
		674	tls_config_set_session_fd(struct tls_config *config, int session_fd)
		675	{
		676	struct stat sb;
		677	mode_t mugo;
		678
		679	if (session_fd == -1) {
		680	config->session_fd = session_fd;
		681	return (0);
		682	}
		683
		684	if (fstat(session_fd, &sb) == -1) {
		685	tls_config_set_error(config, "failed to stat session file");
		686	return (-1);
		687	}
		688	if (!S_ISREG(sb.st_mode)) {
		689	tls_config_set_errorx(config,
		690	"session file is not a regular file");
		691	return (-1);
		692	}
		693
		694	if (sb.st_uid != getuid()) {
		695	tls_config_set_errorx(config, "session file has incorrect "
		696	"owner (uid %i != %i)", sb.st_uid, getuid());
		697	return (-1);
		698	}
		699	mugo = sb.st_mode & (S_IRWXU\|S_IRWXG\|S_IRWXO);
		700	if (mugo != (S_IRUSR\|S_IWUSR)) {
		701	tls_config_set_errorx(config, "session file has incorrect "
		702	"permissions (%o != 600)", mugo);
		703	return (-1);
		704	}
		705
		706	config->session_fd = session_fd;
		707
		708	return (0);
		709	}
		710
		711	int
673	tls_config_set_verify_depth(struct tls_config *config, int verify_depth)	712	tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
674	{	713	{
675	config->verify_depth = verify_depth;	714	config->verify_depth = verify_depth;