diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libtls/tls.c | 5 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 6 | ||||
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 22 | ||||
| -rw-r--r-- | src/lib/libtls/tls_server.c | 6 |
4 files changed, 25 insertions, 14 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index d4e8d0114f..f07c4c6deb 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.70 2017/08/28 13:58:02 beck Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.71 2017/09/20 17:05:17 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -235,6 +235,7 @@ tls_new(void) | |||
| 235 | return (NULL); | 235 | return (NULL); |
| 236 | 236 | ||
| 237 | tls_reset(ctx); | 237 | tls_reset(ctx); |
| 238 | |||
| 238 | if (tls_configure(ctx, tls_config_default) == -1) { | 239 | if (tls_configure(ctx, tls_config_default) == -1) { |
| 239 | free(ctx); | 240 | free(ctx); |
| 240 | return NULL; | 241 | return NULL; |
| @@ -252,7 +253,9 @@ tls_configure(struct tls *ctx, struct tls_config *config) | |||
| 252 | config->refcount++; | 253 | config->refcount++; |
| 253 | 254 | ||
| 254 | tls_config_free(ctx->config); | 255 | tls_config_free(ctx->config); |
| 256 | |||
| 255 | ctx->config = config; | 257 | ctx->config = config; |
| 258 | ctx->keypair = config->keypair; | ||
| 256 | 259 | ||
| 257 | if ((ctx->flags & TLS_SERVER) != 0) | 260 | if ((ctx->flags & TLS_SERVER) != 0) |
| 258 | return (tls_configure_server(ctx)); | 261 | return (tls_configure_server(ctx)); |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 9e9443dbaf..f378ea5466 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.64 2017/08/10 18:18:30 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.65 2017/09/20 17:05:17 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -157,12 +157,16 @@ struct tls_ocsp { | |||
| 157 | struct tls_sni_ctx { | 157 | struct tls_sni_ctx { |
| 158 | struct tls_sni_ctx *next; | 158 | struct tls_sni_ctx *next; |
| 159 | 159 | ||
| 160 | struct tls_keypair *keypair; | ||
| 161 | |||
| 160 | SSL_CTX *ssl_ctx; | 162 | SSL_CTX *ssl_ctx; |
| 161 | X509 *ssl_cert; | 163 | X509 *ssl_cert; |
| 162 | }; | 164 | }; |
| 163 | 165 | ||
| 164 | struct tls { | 166 | struct tls { |
| 165 | struct tls_config *config; | 167 | struct tls_config *config; |
| 168 | struct tls_keypair *keypair; | ||
| 169 | |||
| 166 | struct tls_error error; | 170 | struct tls_error error; |
| 167 | 171 | ||
| 168 | uint32_t flags; | 172 | uint32_t flags; |
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index 4e2dba3487..a8835edc8f 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -331,32 +331,32 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg) | |||
| 331 | int | 331 | int |
| 332 | tls_ocsp_stapling_cb(SSL *ssl, void *arg) | 332 | tls_ocsp_stapling_cb(SSL *ssl, void *arg) |
| 333 | { | 333 | { |
| 334 | struct tls *ctx; | ||
| 335 | unsigned char *ocsp_staple = NULL; | ||
| 336 | int ret = SSL_TLSEXT_ERR_ALERT_FATAL; | 334 | int ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 335 | unsigned char *ocsp_staple = NULL; | ||
| 336 | struct tls *ctx; | ||
| 337 | 337 | ||
| 338 | if ((ctx = SSL_get_app_data(ssl)) == NULL) | 338 | if ((ctx = SSL_get_app_data(ssl)) == NULL) |
| 339 | goto err; | 339 | goto err; |
| 340 | 340 | ||
| 341 | if (ctx->config->keypair == NULL || | 341 | if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL || |
| 342 | ctx->config->keypair->ocsp_staple == NULL || | 342 | ctx->keypair->ocsp_staple_len == 0) |
| 343 | ctx->config->keypair->ocsp_staple_len == 0) | ||
| 344 | return SSL_TLSEXT_ERR_NOACK; | 343 | return SSL_TLSEXT_ERR_NOACK; |
| 345 | 344 | ||
| 346 | if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) == | 345 | if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL) |
| 347 | NULL) | ||
| 348 | goto err; | 346 | goto err; |
| 349 | 347 | ||
| 350 | memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple, | 348 | memcpy(ocsp_staple, ctx->keypair->ocsp_staple, |
| 351 | ctx->config->keypair->ocsp_staple_len); | 349 | ctx->keypair->ocsp_staple_len); |
| 350 | |||
| 352 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, | 351 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, |
| 353 | ctx->config->keypair->ocsp_staple_len) != 1) | 352 | ctx->keypair->ocsp_staple_len) != 1) |
| 354 | goto err; | 353 | goto err; |
| 355 | 354 | ||
| 356 | ret = SSL_TLSEXT_ERR_OK; | 355 | ret = SSL_TLSEXT_ERR_OK; |
| 357 | err: | 356 | err: |
| 358 | if (ret != SSL_TLSEXT_ERR_OK) | 357 | if (ret != SSL_TLSEXT_ERR_OK) |
| 359 | free(ocsp_staple); | 358 | free(ocsp_staple); |
| 359 | |||
| 360 | return ret; | 360 | return ret; |
| 361 | } | 361 | } |
| 362 | 362 | ||
| @@ -364,7 +364,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg) | |||
| 364 | * Public API | 364 | * Public API |
| 365 | */ | 365 | */ |
| 366 | 366 | ||
| 367 | /* Retrieve OCSP URL from peer certificate, if present */ | 367 | /* Retrieve OCSP URL from peer certificate, if present. */ |
| 368 | const char * | 368 | const char * |
| 369 | tls_peer_ocsp_url(struct tls *ctx) | 369 | tls_peer_ocsp_url(struct tls *ctx) |
| 370 | { | 370 | { |
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 2622e4464f..e1011769f6 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_server.c,v 1.41 2017/08/10 18:18:30 jsing Exp $ */ | 1 | /* $OpenBSD: tls_server.c,v 1.42 2017/09/20 17:05:17 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -50,7 +50,9 @@ tls_server_conn(struct tls *ctx) | |||
| 50 | conn_ctx->flags |= TLS_SERVER_CONN; | 50 | conn_ctx->flags |= TLS_SERVER_CONN; |
| 51 | 51 | ||
| 52 | ctx->config->refcount++; | 52 | ctx->config->refcount++; |
| 53 | |||
| 53 | conn_ctx->config = ctx->config; | 54 | conn_ctx->config = ctx->config; |
| 55 | conn_ctx->keypair = ctx->config->keypair; | ||
| 54 | 56 | ||
| 55 | return (conn_ctx); | 57 | return (conn_ctx); |
| 56 | } | 58 | } |
| @@ -112,6 +114,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg) | |||
| 112 | &match) == -1) | 114 | &match) == -1) |
| 113 | goto err; | 115 | goto err; |
| 114 | if (match) { | 116 | if (match) { |
| 117 | conn_ctx->keypair = sni_ctx->keypair; | ||
| 115 | SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); | 118 | SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx); |
| 116 | return (SSL_TLSEXT_ERR_OK); | 119 | return (SSL_TLSEXT_ERR_OK); |
| 117 | } | 120 | } |
| @@ -341,6 +344,7 @@ tls_configure_server_sni(struct tls *ctx) | |||
| 341 | tls_set_errorx(ctx, "out of memory"); | 344 | tls_set_errorx(ctx, "out of memory"); |
| 342 | goto err; | 345 | goto err; |
| 343 | } | 346 | } |
| 347 | (*sni_ctx)->keypair = kp; | ||
| 344 | if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) | 348 | if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1) |
| 345 | goto err; | 349 | goto err; |
| 346 | if (tls_keypair_load_cert(kp, &ctx->error, | 350 | if (tls_keypair_load_cert(kp, &ctx->error, |