1 files changed, 46 insertions, 47 deletions
diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c
index 626a95853f..03e7f4ad76 100644
--- a/src/lib/libtls/tls_keypair.c
+++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */
+/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -29,7 +29,7 @@ tls_keypair_new(void)
        return calloc(1, sizeof(struct tls_keypair));
 }
-void
+static void
 tls_keypair_clear_key(struct tls_keypair *keypair)
 {
        freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
        keypair->key_len = 0;
 }
+static int
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
+{
+        X509 *cert = NULL;
+        int rv = -1;
+        free(keypair->pubkey_hash);
+        keypair->pubkey_hash = NULL;
+        if (keypair->cert_mem == NULL) {
+                rv = 0;
+                goto done;
+        }
+        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
+                goto err;
+        if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
+                goto err;
+        rv = 0;
+ err:
+        X509_free(cert);
+ done:
+        return (rv);
+}
 int
 tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
 {
-        return tls_config_load_file(error, "certificate", cert_file,
+        if (tls_config_load_file(error, "certificate", cert_file,
-            &keypair->cert_mem, &keypair->cert_len);
+            &keypair->cert_mem, &keypair->cert_len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
-tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
+tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *cert, size_t len)
 {
-        return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
+        if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
+                return -1;
+        return tls_keypair_pubkey_hash(keypair, error);
 }
 int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
 }
 int
-tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
+tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
-    size_t len)
+    const uint8_t *key, size_t len)
 {
        tls_keypair_clear_key(keypair);
        return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
 int
 tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
-    const uint8_t *staple, size_t len)
+    struct tls_error *error, const uint8_t *staple, size_t len)
 {
        return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
            staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
 void
 tls_keypair_clear(struct tls_keypair *keypair)
 {
-        tls_keypair_set_cert_mem(keypair, NULL, 0);
+        struct tls_error error;
-        tls_keypair_set_key_mem(keypair, NULL, 0);
-        tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);
+        tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_key_mem(keypair, &error, NULL, 0);
+        tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
        free(keypair->pubkey_hash);
        keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
        return (rv);
 }
-int
-tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error,
-    char **hash)
-{
-        X509 *cert = NULL;
-        char d[EVP_MAX_MD_SIZE], *dhex = NULL;
-        int dlen, rv = -1;
-        free(*hash);
-        *hash = NULL;
-        if (tls_keypair_load_cert(keypair, error, &cert) == -1)
-                goto err;
-        if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
-                goto err;
-        if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
-                goto err;
-        if (asprintf(hash, "SHA256:%s", dhex) == -1) {
-                *hash = NULL;
-                goto err;
-        }
-        rv = 0;
- err:
-        X509_free(cert);
-        free(dhex);
-        return (rv);
-}

diff --git a/src/lib/libtls/tls_keypair.c b/src/lib/libtls/tls_keypair.c index 626a95853f..03e7f4ad76 100644 --- a/src/lib/libtls/tls_keypair.c +++ b/src/lib/libtls/tls_keypair.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls_keypair.c,v 1.4 2018/02/08 10:19:31 jsing Exp $ */	1	/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4	*	4	*
@@ -29,7 +29,7 @@ tls_keypair_new(void)
29	return calloc(1, sizeof(struct tls_keypair));	29	return calloc(1, sizeof(struct tls_keypair));
30	}	30	}
31		31
32	void	32	static void
33	tls_keypair_clear_key(struct tls_keypair *keypair)	33	tls_keypair_clear_key(struct tls_keypair *keypair)
34	{	34	{
35	freezero(keypair->key_mem, keypair->key_len);	35	freezero(keypair->key_mem, keypair->key_len);
@@ -37,19 +37,50 @@ tls_keypair_clear_key(struct tls_keypair *keypair)
37	keypair->key_len = 0;	37	keypair->key_len = 0;
38	}	38	}
39		39
		40	static int
		41	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error)
		42	{
		43	X509 *cert = NULL;
		44	int rv = -1;
		45
		46	free(keypair->pubkey_hash);
		47	keypair->pubkey_hash = NULL;
		48
		49	if (keypair->cert_mem == NULL) {
		50	rv = 0;
		51	goto done;
		52	}
		53
		54	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
		55	goto err;
		56	if (tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) == -1)
		57	goto err;
		58
		59	rv = 0;
		60
		61	err:
		62	X509_free(cert);
		63	done:
		64	return (rv);
		65	}
		66
40	int	67	int
41	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,	68	tls_keypair_set_cert_file(struct tls_keypair keypair, struct tls_error error,
42	const char *cert_file)	69	const char *cert_file)
43	{	70	{
44	return tls_config_load_file(error, "certificate", cert_file,	71	if (tls_config_load_file(error, "certificate", cert_file,
45	&keypair->cert_mem, &keypair->cert_len);	72	&keypair->cert_mem, &keypair->cert_len) == -1)
		73	return -1;
		74	return tls_keypair_pubkey_hash(keypair, error);
46	}	75	}
47		76
48	int	77	int
49	tls_keypair_set_cert_mem(struct tls_keypair keypair, const uint8_t cert,	78	tls_keypair_set_cert_mem(struct tls_keypair keypair, struct tls_error error,
50	size_t len)	79	const uint8_t *cert, size_t len)
51	{	80	{
52	return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);	81	if (tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len) == -1)
		82	return -1;
		83	return tls_keypair_pubkey_hash(keypair, error);
53	}	84	}
54		85
55	int	86	int
@@ -62,8 +93,8 @@ tls_keypair_set_key_file(struct tls_keypair keypair, struct tls_error error,
62	}	93	}
63		94
64	int	95	int
65	tls_keypair_set_key_mem(struct tls_keypair keypair, const uint8_t key,	96	tls_keypair_set_key_mem(struct tls_keypair keypair, struct tls_error error,
66	size_t len)	97	const uint8_t *key, size_t len)
67	{	98	{
68	tls_keypair_clear_key(keypair);	99	tls_keypair_clear_key(keypair);
69	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);	100	return tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);
@@ -79,7 +110,7 @@ tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
79		110
80	int	111	int
81	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,	112	tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
82	const uint8_t *staple, size_t len)	113	struct tls_error error, const uint8_t staple, size_t len)
83	{	114	{
84	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,	115	return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
85	staple, len);	116	staple, len);
@@ -88,9 +119,11 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
88	void	119	void
89	tls_keypair_clear(struct tls_keypair *keypair)	120	tls_keypair_clear(struct tls_keypair *keypair)
90	{	121	{
91	tls_keypair_set_cert_mem(keypair, NULL, 0);	122	struct tls_error error;
92	tls_keypair_set_key_mem(keypair, NULL, 0);	123
93	tls_keypair_set_ocsp_staple_mem(keypair, NULL, 0);	124	tls_keypair_set_cert_mem(keypair, &error, NULL, 0);
		125	tls_keypair_set_key_mem(keypair, &error, NULL, 0);
		126	tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0);
94		127
95	free(keypair->pubkey_hash);	128	free(keypair->pubkey_hash);
96	keypair->pubkey_hash = NULL;	129	keypair->pubkey_hash = NULL;
@@ -143,37 +176,3 @@ tls_keypair_load_cert(struct tls_keypair keypair, struct tls_error error,
143		176
144	return (rv);	177	return (rv);
145	}	178	}
146
147	int
148	tls_keypair_pubkey_hash(struct tls_keypair keypair, struct tls_error error,
149	char **hash)
150	{
151	X509 *cert = NULL;
152	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
153	int dlen, rv = -1;
154
155	free(*hash);
156	*hash = NULL;
157
158	if (tls_keypair_load_cert(keypair, error, &cert) == -1)
159	goto err;
160
161	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
162	goto err;
163
164	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
165	goto err;
166
167	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
168	*hash = NULL;
169	goto err;
170	}
171
172	rv = 0;
173
174	err:
175	X509_free(cert);
176	free(dhex);
177
178	return (rv);
179	}