summaryrefslogtreecommitdiff
path: root/src/lib/libtls/tls_server.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libtls/tls_server.c54
1 files changed, 34 insertions, 20 deletions
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 5f93c7a035..a42985744b 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ 1/* $OpenBSD: tls_server.c,v 1.50 2024/03/26 06:24:52 joshua Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -181,7 +181,8 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
181 /* create new session */ 181 /* create new session */
182 key = tls_server_ticket_key(tls_ctx->config, NULL); 182 key = tls_server_ticket_key(tls_ctx->config, NULL);
183 if (key == NULL) { 183 if (key == NULL) {
184 tls_set_errorx(tls_ctx, "no valid ticket key found"); 184 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
185 "no valid ticket key found");
185 return (-1); 186 return (-1);
186 } 187 }
187 188
@@ -189,12 +190,14 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
189 arc4random_buf(iv, EVP_MAX_IV_LENGTH); 190 arc4random_buf(iv, EVP_MAX_IV_LENGTH);
190 if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 191 if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
191 key->aes_key, iv)) { 192 key->aes_key, iv)) {
192 tls_set_errorx(tls_ctx, "failed to init encrypt"); 193 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
194 "failed to init encrypt");
193 return (-1); 195 return (-1);
194 } 196 }
195 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 197 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
196 EVP_sha256(), NULL)) { 198 EVP_sha256(), NULL)) {
197 tls_set_errorx(tls_ctx, "failed to init hmac"); 199 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
200 "failed to init hmac");
198 return (-1); 201 return (-1);
199 } 202 }
200 return (0); 203 return (0);
@@ -206,12 +209,14 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
206 209
207 if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, 210 if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
208 key->aes_key, iv)) { 211 key->aes_key, iv)) {
209 tls_set_errorx(tls_ctx, "failed to init decrypt"); 212 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
213 "failed to init decrypt");
210 return (-1); 214 return (-1);
211 } 215 }
212 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key), 216 if (!HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
213 EVP_sha256(), NULL)) { 217 EVP_sha256(), NULL)) {
214 tls_set_errorx(tls_ctx, "failed to init hmac"); 218 tls_set_errorx(tls_ctx, TLS_ERROR_UNKNOWN,
219 "failed to init hmac");
215 return (-1); 220 return (-1);
216 } 221 }
217 222
@@ -229,7 +234,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
229 SSL_CTX_free(*ssl_ctx); 234 SSL_CTX_free(*ssl_ctx);
230 235
231 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { 236 if ((*ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
232 tls_set_errorx(ctx, "ssl context failure"); 237 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl context failure");
233 goto err; 238 goto err;
234 } 239 }
235 240
@@ -237,11 +242,13 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
237 242
238 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx, 243 if (SSL_CTX_set_tlsext_servername_callback(*ssl_ctx,
239 tls_servername_cb) != 1) { 244 tls_servername_cb) != 1) {
240 tls_set_error(ctx, "failed to set servername callback"); 245 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
246 "failed to set servername callback");
241 goto err; 247 goto err;
242 } 248 }
243 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) { 249 if (SSL_CTX_set_tlsext_servername_arg(*ssl_ctx, ctx) != 1) {
244 tls_set_error(ctx, "failed to set servername callback arg"); 250 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
251 "failed to set servername callback arg");
245 goto err; 252 goto err;
246 } 253 }
247 254
@@ -270,7 +277,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
270 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1); 277 SSL_CTX_set_ecdh_auto(*ssl_ctx, 1);
271 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves, 278 if (SSL_CTX_set1_groups(*ssl_ctx, ctx->config->ecdhecurves,
272 ctx->config->ecdhecurves_len) != 1) { 279 ctx->config->ecdhecurves_len) != 1) {
273 tls_set_errorx(ctx, "failed to set ecdhe curves"); 280 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
281 "failed to set ecdhe curves");
274 goto err; 282 goto err;
275 } 283 }
276 } 284 }
@@ -279,7 +287,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
279 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); 287 SSL_CTX_set_options(*ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
280 288
281 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) { 289 if (SSL_CTX_set_tlsext_status_cb(*ssl_ctx, tls_ocsp_stapling_cb) != 1) {
282 tls_set_errorx(ctx, "failed to add OCSP stapling callback"); 290 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
291 "failed to add OCSP stapling callback");
283 goto err; 292 goto err;
284 } 293 }
285 294
@@ -289,7 +298,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
289 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET); 298 SSL_CTX_clear_options(*ssl_ctx, SSL_OP_NO_TICKET);
290 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx, 299 if (!SSL_CTX_set_tlsext_ticket_key_cb(*ssl_ctx,
291 tls_server_ticket_cb)) { 300 tls_server_ticket_cb)) {
292 tls_set_error(ctx, 301 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
293 "failed to set the TLS ticket callback"); 302 "failed to set the TLS ticket callback");
294 goto err; 303 goto err;
295 } 304 }
@@ -297,7 +306,8 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
297 306
298 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id, 307 if (SSL_CTX_set_session_id_context(*ssl_ctx, ctx->config->session_id,
299 sizeof(ctx->config->session_id)) != 1) { 308 sizeof(ctx->config->session_id)) != 1) {
300 tls_set_error(ctx, "failed to set session id context"); 309 tls_set_error(ctx, TLS_ERROR_UNKNOWN,
310 "failed to set session id context");
301 goto err; 311 goto err;
302 } 312 }
303 313
@@ -323,7 +333,7 @@ tls_configure_server_sni(struct tls *ctx)
323 sni_ctx = &ctx->sni_ctx; 333 sni_ctx = &ctx->sni_ctx;
324 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) { 334 for (kp = ctx->config->keypair->next; kp != NULL; kp = kp->next) {
325 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) { 335 if ((*sni_ctx = tls_sni_ctx_new()) == NULL) {
326 tls_set_errorx(ctx, "out of memory"); 336 tls_set_errorx(ctx, TLS_ERROR_OUT_OF_MEMORY, "out of memory");
327 goto err; 337 goto err;
328 } 338 }
329 (*sni_ctx)->keypair = kp; 339 (*sni_ctx)->keypair = kp;
@@ -362,22 +372,24 @@ tls_accept_common(struct tls *ctx)
362 struct tls *conn_ctx = NULL; 372 struct tls *conn_ctx = NULL;
363 373
364 if ((ctx->flags & TLS_SERVER) == 0) { 374 if ((ctx->flags & TLS_SERVER) == 0) {
365 tls_set_errorx(ctx, "not a server context"); 375 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "not a server context");
366 goto err; 376 goto err;
367 } 377 }
368 378
369 if ((conn_ctx = tls_server_conn(ctx)) == NULL) { 379 if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
370 tls_set_errorx(ctx, "connection context failure"); 380 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
381 "connection context failure");
371 goto err; 382 goto err;
372 } 383 }
373 384
374 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { 385 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
375 tls_set_errorx(ctx, "ssl failure"); 386 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "ssl failure");
376 goto err; 387 goto err;
377 } 388 }
378 389
379 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) { 390 if (SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx) != 1) {
380 tls_set_errorx(ctx, "ssl application data failure"); 391 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
392 "ssl application data failure");
381 goto err; 393 goto err;
382 } 394 }
383 395
@@ -405,7 +417,8 @@ tls_accept_fds(struct tls *ctx, struct tls **cctx, int fd_read, int fd_write)
405 417
406 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 || 418 if (SSL_set_rfd(conn_ctx->ssl_conn, fd_read) != 1 ||
407 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) { 419 SSL_set_wfd(conn_ctx->ssl_conn, fd_write) != 1) {
408 tls_set_errorx(ctx, "ssl file descriptor failure"); 420 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
421 "ssl file descriptor failure");
409 goto err; 422 goto err;
410 } 423 }
411 424
@@ -448,7 +461,8 @@ tls_handshake_server(struct tls *ctx)
448 int rv = -1; 461 int rv = -1;
449 462
450 if ((ctx->flags & TLS_SERVER_CONN) == 0) { 463 if ((ctx->flags & TLS_SERVER_CONN) == 0) {
451 tls_set_errorx(ctx, "not a server connection context"); 464 tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
465 "not a server connection context");
452 goto err; 466 goto err;
453 } 467 }
454 468
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-08-15 01:16:12 +0000