Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libtls/tls.h8
-rw-r--r--src/lib/libtls/tls_config.c58
-rw-r--r--src/lib/libtls/tls_conninfo.c15
-rw-r--r--src/lib/libtls/tls_init.329
-rw-r--r--src/lib/libtls/tls_internal.h3
5 files changed, 107 insertions, 6 deletions
diff --git a/src/lib/libtls/tls.h b/src/lib/libtls/tls.h
index 13df43f046..7a68c3d0d3 100644
--- a/src/lib/libtls/tls.h
+++ b/src/lib/libtls/tls.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls.h,v 1.33 2016/08/12 15:10:59 jsing Exp $ */ 1/* $OpenBSD: tls.h,v 1.34 2016/08/22 14:55:59 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -52,6 +52,11 @@ const char *tls_error(struct tls *_ctx);
52struct tls_config *tls_config_new(void); 52struct tls_config *tls_config_new(void);
53void tls_config_free(struct tls_config *_config); 53void tls_config_free(struct tls_config *_config);
54 54
55int tls_config_add_keypair_file(struct tls_config *_config,
56 const char *_cert_file, const char *_key_file);
57int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
58 size_t _cert_len, const uint8_t *_key, size_t _key_len);
59
55int tls_config_set_alpn(struct tls_config *_config, const char *_alpn); 60int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
56int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file); 61int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
57int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path); 62int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
@@ -119,6 +124,7 @@ time_t tls_peer_cert_notafter(struct tls *_ctx);
119 124
120const char *tls_conn_alpn_selected(struct tls *_ctx); 125const char *tls_conn_alpn_selected(struct tls *_ctx);
121const char *tls_conn_cipher(struct tls *_ctx); 126const char *tls_conn_cipher(struct tls *_ctx);
127const char *tls_conn_servername(struct tls *_ctx);
122const char *tls_conn_version(struct tls *_ctx); 128const char *tls_conn_version(struct tls *_ctx);
123 129
124uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password); 130uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 0d52704aa8..c07621acaf 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.27 2016/08/13 13:15:53 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -227,6 +227,18 @@ tls_config_free(struct tls_config *config)
227 free(config); 227 free(config);
228} 228}
229 229
230static void
231tls_config_keypair_add(struct tls_config *config, struct tls_keypair *keypair)
232{
233 struct tls_keypair *kp;
234
235 kp = config->keypair;
236 while (kp->next != NULL)
237 kp = kp->next;
238
239 kp->next = keypair;
240}
241
230const char * 242const char *
231tls_config_error(struct tls_config *config) 243tls_config_error(struct tls_config *config)
232{ 244{
@@ -370,6 +382,50 @@ tls_config_set_alpn(struct tls_config *config, const char *alpn)
370} 382}
371 383
372int 384int
385tls_config_add_keypair_file(struct tls_config *config,
386 const char *cert_file, const char *key_file)
387{
388 struct tls_keypair *keypair;
389
390 if ((keypair = tls_keypair_new()) == NULL)
391 return (-1);
392 if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0)
393 goto err;
394 if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
395 goto err;
396
397 tls_config_keypair_add(config, keypair);
398
399 return (0);
400
401 err:
402 tls_keypair_free(keypair);
403 return (-1);
404}
405
406int
407tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
408 size_t cert_len, const uint8_t *key, size_t key_len)
409{
410 struct tls_keypair *keypair;
411
412 if ((keypair = tls_keypair_new()) == NULL)
413 return (-1);
414 if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)
415 goto err;
416 if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
417 goto err;
418
419 tls_config_keypair_add(config, keypair);
420
421 return (0);
422
423 err:
424 tls_keypair_free(keypair);
425 return (-1);
426}
427
428int
373tls_config_set_ca_file(struct tls_config *config, const char *ca_file) 429tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
374{ 430{
375 return tls_config_load_file(&config->error, "CA", ca_file, 431 return tls_config_load_file(&config->error, "CA", ca_file,
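Review bot: tls_config_keypair_add (new-side lines 235–237) dereferences config->keypair before checking it for NULL, so it relies on tls_config_new always installing a primary keypair, which this diff does not show; a guard `if (config->keypair == NULL) { config->keypair = keypair; return; }` ahead of the walk removes that dependency. tls_config_add_keypair_mem, unlike the _file variant immediately above it, does not pass &config->error to tls_keypair_set_cert_mem/tls_keypair_set_key_mem, so a failed in-memory load returns -1 with nothing for tls_config_error to report; if those setters cannot take an error argument, record one on the err: path. Neither new function documents that it appends a keypair rather than replacing the primary one, so a comment such as `/* Append an additional keypair (selected by SNI); the primary keypair set via tls_config_set_* is left untouched. */` above each would help callers. The manual page hunk in this commit also documents the in-memory variant under the name tls_config_set_keypair_mem, which does not match the function added here.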
diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 523b2798d3..281af79866 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_conninfo.c,v 1.9 2016/08/15 14:47:41 jsing Exp $ */ 1/* $OpenBSD: tls_conninfo.c,v 1.10 2016/08/22 14:55:59 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2015 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -199,6 +199,11 @@ tls_get_conninfo(struct tls *ctx)
199 goto err; 199 goto err;
200 if (tls_conninfo_alpn_proto(ctx) == -1) 200 if (tls_conninfo_alpn_proto(ctx) == -1)
201 goto err; 201 goto err;
202 if (ctx->servername != NULL) {
203 if ((ctx->conninfo->servername =
204 strdup(ctx->servername)) == NULL)
205 goto err;
206 }
202 207
203 return (0); 208 return (0);
204err: 209err:
@@ -242,6 +247,14 @@ tls_conn_cipher(struct tls *ctx)
242} 247}
243 248
244const char * 249const char *
250tls_conn_servername(struct tls *ctx)
251{
252 if (ctx->conninfo == NULL)
253 return (NULL);
254 return (ctx->conninfo->servername);
255}
256
257const char *
245tls_conn_version(struct tls *ctx) 258tls_conn_version(struct tls *ctx)
246{ 259{
247 if (ctx->conninfo == NULL) 260 if (ctx->conninfo == NULL)
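Review bot: tls_get_conninfo now strdup()s ctx->servername into conninfo->servername (new-side lines 202–206), but nothing in this commit adds a matching free(conninfo->servername); unless tls_conninfo_free already releases that field, the copy leaks each time the connection info is rebuilt. tls_conn_servername hands that buffer straight back to the application, and the manual page describes it as the name the peer sent in its SNI extension, so the string is peer-controlled; a comment on the accessor such as `/* SNI name as supplied by the peer; not validated here, so callers logging it or using it as a lookup key must treat it as untrusted input. */` would make that explicit. Both tls_get_conninfo and tls_conn_version extend outside their hunks.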
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index cd98450035..4d7367408b 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
1.\" $OpenBSD: tls_init.3,v 1.66 2016/08/18 15:43:12 jsing Exp $ 1.\" $OpenBSD: tls_init.3,v 1.67 2016/08/22 14:55:59 jsing Exp $
2.\" 2.\"
3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> 3.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
4.\" 4.\"
@@ -14,7 +14,7 @@
14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16.\" 16.\"
17.Dd $Mdocdate: August 18 2016 $ 17.Dd $Mdocdate: August 22 2016 $
18.Dt TLS_INIT 3 18.Dt TLS_INIT 3
19.Os 19.Os
20.Sh NAME 20.Sh NAME
@@ -24,6 +24,8 @@
24.Nm tls_config_new , 24.Nm tls_config_new ,
25.Nm tls_config_free , 25.Nm tls_config_free ,
26.Nm tls_config_parse_protocols , 26.Nm tls_config_parse_protocols ,
27.Nm tls_config_add_keypair_file ,
28.Nm tls_config_add_keypair_mem ,
27.Nm tls_config_set_alpn , 29.Nm tls_config_set_alpn ,
28.Nm tls_config_set_ca_file , 30.Nm tls_config_set_ca_file ,
29.Nm tls_config_set_ca_path , 31.Nm tls_config_set_ca_path ,
@@ -57,6 +59,7 @@
57.Nm tls_peer_cert_notafter , 59.Nm tls_peer_cert_notafter ,
58.Nm tls_conn_alpn_selected , 60.Nm tls_conn_alpn_selected ,
59.Nm tls_conn_cipher , 61.Nm tls_conn_cipher ,
62.Nm tls_conn_servername ,
60.Nm tls_conn_version , 63.Nm tls_conn_version ,
61.Nm tls_load_file , 64.Nm tls_load_file ,
62.Nm tls_client , 65.Nm tls_client ,
@@ -90,6 +93,10 @@
90.Ft "int" 93.Ft "int"
91.Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr" 94.Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr"
92.Ft "int" 95.Ft "int"
96.Fn tls_config_add_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file"
97.Ft "int"
98.Fn tls_config_add_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len"
99.Ft "int"
93.Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn" 100.Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn"
94.Ft "int" 101.Ft "int"
95.Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file" 102.Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
@@ -156,6 +163,8 @@
156.Ft "const char *" 163.Ft "const char *"
157.Fn tls_conn_cipher "struct tls *ctx" 164.Fn tls_conn_cipher "struct tls *ctx"
158.Ft "const char *" 165.Ft "const char *"
166.Fn tls_conn_servername "struct tls *ctx"
167.Ft "const char *"
159.Fn tls_conn_version "struct tls *ctx" 168.Fn tls_conn_version "struct tls *ctx"
160.Ft "uint8_t *" 169.Ft "uint8_t *"
161.Fn tls_load_file "const char *file" "size_t *len" "char *password" 170.Fn tls_load_file "const char *file" "size_t *len" "char *password"
@@ -301,6 +310,16 @@ The following functions modify a configuration by setting parameters (the
301configuration options may only apply to clients, to servers or to both): 310configuration options may only apply to clients, to servers or to both):
302.Bl -bullet -offset four 311.Bl -bullet -offset four
303.It 312.It
313.Fn tls_config_add_keypair_file
314adds an additional public certificate and private key from the specified files,
315used as an alternative certificate for Server Name Indication.
316.Em (Server)
317.It
318.Fn tls_config_set_keypair_mem
319adds an additional public certificate and private key from memory,
320used as an alternative certificate for Server Name Indication.
321.Em (Server)
322.It
304.Fn tls_config_set_alpn 323.Fn tls_config_set_alpn
305sets the ALPN protocols that are supported. 324sets the ALPN protocols that are supported.
306The alpn string is a comma separated list of protocols, in order of preference. 325The alpn string is a comma separated list of protocols, in order of preference.
@@ -445,6 +464,12 @@ connected to
445.Ar ctx . 464.Ar ctx .
446.Em (Server and client) 465.Em (Server and client)
447.It 466.It
467.Fn tls_conn_servername
468returns a string corresponding to the servername that the client connected to
469.Ar ctx
470requested by sending a TLS Server Name Indication extension.
471.Em (Server)
472.It
448.Fn tls_conn_version 473.Fn tls_conn_version
449returns a string corresponding to a TLS version negotiated with the peer 474returns a string corresponding to a TLS version negotiated with the peer
450connected to 475connected to
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 428e29c857..3fcc7a021f 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_internal.h,v 1.40 2016/08/22 14:51:37 jsing Exp $ */ 1/* $OpenBSD: tls_internal.h,v 1.41 2016/08/22 14:55:59 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 4 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -74,6 +74,7 @@ struct tls_config {
74struct tls_conninfo { 74struct tls_conninfo {
75 char *alpn; 75 char *alpn;
76 char *cipher; 76 char *cipher;
77 char *servername;
77 char *version; 78 char *version;
78 79
79 char *hash; 80 char *hash;