summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libtls/tls_config.c20
-rw-r--r--src/lib/libtls/tls_ocsp.c37
-rw-r--r--src/lib/libtls/tls_util.c32
-rw-r--r--src/lib/libtls/tls_verify.c14
4 files changed, 52 insertions, 51 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index e2e3f4abaa..d44b8dde49 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_config.c,v 1.45 2017/12/09 16:46:08 jsing Exp $ */ 1/* $OpenBSD: tls_config.c,v 1.46 2018/02/05 00:52:24 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -161,31 +161,31 @@ tls_config_load_file(struct tls_error *error, const char *filetype,
161 if ((fd = open(filename, O_RDONLY)) == -1) { 161 if ((fd = open(filename, O_RDONLY)) == -1) {
162 tls_error_set(error, "failed to open %s file '%s'", 162 tls_error_set(error, "failed to open %s file '%s'",
163 filetype, filename); 163 filetype, filename);
164 goto fail; 164 goto err;
165 } 165 }
166 if (fstat(fd, &st) != 0) { 166 if (fstat(fd, &st) != 0) {
167 tls_error_set(error, "failed to stat %s file '%s'", 167 tls_error_set(error, "failed to stat %s file '%s'",
168 filetype, filename); 168 filetype, filename);
169 goto fail; 169 goto err;
170 } 170 }
171 if (st.st_size < 0) 171 if (st.st_size < 0)
172 goto fail; 172 goto err;
173 *len = (size_t)st.st_size; 173 *len = (size_t)st.st_size;
174 if ((*buf = malloc(*len)) == NULL) { 174 if ((*buf = malloc(*len)) == NULL) {
175 tls_error_set(error, "failed to allocate buffer for " 175 tls_error_set(error, "failed to allocate buffer for "
176 "%s file", filetype); 176 "%s file", filetype);
177 goto fail; 177 goto err;
178 } 178 }
179 n = read(fd, *buf, *len); 179 n = read(fd, *buf, *len);
180 if (n < 0 || (size_t)n != *len) { 180 if (n < 0 || (size_t)n != *len) {
181 tls_error_set(error, "failed to read %s file '%s'", 181 tls_error_set(error, "failed to read %s file '%s'",
182 filetype, filename); 182 filetype, filename);
183 goto fail; 183 goto err;
184 } 184 }
185 close(fd); 185 close(fd);
186 return 0; 186 return 0;
187 187
188 fail: 188 err:
189 if (fd != -1) 189 if (fd != -1)
190 close(fd); 190 close(fd);
191 freezero(*buf, *len); 191 freezero(*buf, *len);
@@ -571,17 +571,17 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
571 571
572 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) { 572 if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
573 tls_config_set_errorx(config, "out of memory"); 573 tls_config_set_errorx(config, "out of memory");
574 goto fail; 574 goto err;
575 } 575 }
576 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) { 576 if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
577 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers); 577 tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
578 goto fail; 578 goto err;
579 } 579 }
580 580
581 SSL_CTX_free(ssl_ctx); 581 SSL_CTX_free(ssl_ctx);
582 return set_string(&config->ciphers, ciphers); 582 return set_string(&config->ciphers, ciphers);
583 583
584 fail: 584 err:
585 SSL_CTX_free(ssl_ctx); 585 SSL_CTX_free(ssl_ctx);
586 return -1; 586 return -1;
587} 587}
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c
index a8835edc8f..307ae842b8 100644
--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -101,23 +101,24 @@ tls_ocsp_fill_info(struct tls *ctx, int response_status, int cert_status,
101 tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) { 101 tls_ocsp_asn1_parse_time(ctx, revtime, &info->revocation_time) != 0) {
102 tls_set_error(ctx, 102 tls_set_error(ctx,
103 "unable to parse revocation time in OCSP reply"); 103 "unable to parse revocation time in OCSP reply");
104 goto error; 104 goto err;
105 } 105 }
106 if (thisupd != NULL && 106 if (thisupd != NULL &&
107 tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) { 107 tls_ocsp_asn1_parse_time(ctx, thisupd, &info->this_update) != 0) {
108 tls_set_error(ctx, 108 tls_set_error(ctx,
109 "unable to parse this update time in OCSP reply"); 109 "unable to parse this update time in OCSP reply");
110 goto error; 110 goto err;
111 } 111 }
112 if (nextupd != NULL && 112 if (nextupd != NULL &&
113 tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) { 113 tls_ocsp_asn1_parse_time(ctx, nextupd, &info->next_update) != 0) {
114 tls_set_error(ctx, 114 tls_set_error(ctx,
115 "unable to parse next update time in OCSP reply"); 115 "unable to parse next update time in OCSP reply");
116 goto error; 116 goto err;
117 } 117 }
118 ctx->ocsp->ocsp_result = info; 118 ctx->ocsp->ocsp_result = info;
119 return 0; 119 return 0;
120 error: 120
121 err:
121 free(info); 122 free(info);
122 return -1; 123 return -1;
123} 124}
@@ -162,32 +163,32 @@ tls_ocsp_setup_from_peer(struct tls *ctx)
162 STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL; 163 STACK_OF(OPENSSL_STRING) *ocsp_urls = NULL;
163 164
164 if ((ocsp = tls_ocsp_new()) == NULL) 165 if ((ocsp = tls_ocsp_new()) == NULL)
165 goto failed; 166 goto err;
166 167
167 /* steal state from ctx struct */ 168 /* steal state from ctx struct */
168 ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn); 169 ocsp->main_cert = SSL_get_peer_certificate(ctx->ssl_conn);
169 ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn); 170 ocsp->extra_certs = SSL_get_peer_cert_chain(ctx->ssl_conn);
170 if (ocsp->main_cert == NULL) { 171 if (ocsp->main_cert == NULL) {
171 tls_set_errorx(ctx, "no peer certificate for OCSP"); 172 tls_set_errorx(ctx, "no peer certificate for OCSP");
172 goto failed; 173 goto err;
173 } 174 }
174 175
175 ocsp_urls = X509_get1_ocsp(ocsp->main_cert); 176 ocsp_urls = X509_get1_ocsp(ocsp->main_cert);
176 if (ocsp_urls == NULL) { 177 if (ocsp_urls == NULL) {
177 tls_set_errorx(ctx, "no OCSP URLs in peer certificate"); 178 tls_set_errorx(ctx, "no OCSP URLs in peer certificate");
178 goto failed; 179 goto err;
179 } 180 }
180 181
181 ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0)); 182 ocsp->ocsp_url = strdup(sk_OPENSSL_STRING_value(ocsp_urls, 0));
182 if (ocsp->ocsp_url == NULL) { 183 if (ocsp->ocsp_url == NULL) {
183 tls_set_errorx(ctx, "out of memory"); 184 tls_set_errorx(ctx, "out of memory");
184 goto failed; 185 goto err;
185 } 186 }
186 187
187 X509_email_free(ocsp_urls); 188 X509_email_free(ocsp_urls);
188 return ocsp; 189 return ocsp;
189 190
190 failed: 191 err:
191 tls_ocsp_free(ocsp); 192 tls_ocsp_free(ocsp);
192 X509_email_free(ocsp_urls); 193 X509_email_free(ocsp_urls);
193 return NULL; 194 return NULL;
@@ -206,7 +207,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
206 207
207 if ((br = OCSP_response_get1_basic(resp)) == NULL) { 208 if ((br = OCSP_response_get1_basic(resp)) == NULL) {
208 tls_set_errorx(ctx, "cannot load ocsp reply"); 209 tls_set_errorx(ctx, "cannot load ocsp reply");
209 goto error; 210 goto err;
210 } 211 }
211 212
212 /* 213 /*
@@ -219,7 +220,7 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
219 if (OCSP_basic_verify(br, ctx->ocsp->extra_certs, 220 if (OCSP_basic_verify(br, ctx->ocsp->extra_certs,
220 SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) { 221 SSL_CTX_get_cert_store(ctx->ssl_ctx), flags) != 1) {
221 tls_set_error(ctx, "ocsp verify failed"); 222 tls_set_error(ctx, "ocsp verify failed");
222 goto error; 223 goto err;
223 } 224 }
224 225
225 /* signature OK, look inside */ 226 /* signature OK, look inside */
@@ -227,43 +228,43 @@ tls_ocsp_verify_response(struct tls *ctx, OCSP_RESPONSE *resp)
227 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) { 228 if (response_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
228 tls_set_errorx(ctx, "ocsp verify failed: response - %s", 229 tls_set_errorx(ctx, "ocsp verify failed: response - %s",
229 OCSP_response_status_str(response_status)); 230 OCSP_response_status_str(response_status));
230 goto error; 231 goto err;
231 } 232 }
232 233
233 cid = tls_ocsp_get_certid(ctx->ocsp->main_cert, 234 cid = tls_ocsp_get_certid(ctx->ocsp->main_cert,
234 ctx->ocsp->extra_certs, ctx->ssl_ctx); 235 ctx->ocsp->extra_certs, ctx->ssl_ctx);
235 if (cid == NULL) { 236 if (cid == NULL) {
236 tls_set_errorx(ctx, "ocsp verify failed: no issuer cert"); 237 tls_set_errorx(ctx, "ocsp verify failed: no issuer cert");
237 goto error; 238 goto err;
238 } 239 }
239 240
240 if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason, 241 if (OCSP_resp_find_status(br, cid, &cert_status, &crl_reason,
241 &revtime, &thisupd, &nextupd) != 1) { 242 &revtime, &thisupd, &nextupd) != 1) {
242 tls_set_errorx(ctx, "ocsp verify failed: no result for cert"); 243 tls_set_errorx(ctx, "ocsp verify failed: no result for cert");
243 goto error; 244 goto err;
244 } 245 }
245 246
246 if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC, 247 if (OCSP_check_validity(thisupd, nextupd, JITTER_SEC,
247 MAXAGE_SEC) != 1) { 248 MAXAGE_SEC) != 1) {
248 tls_set_errorx(ctx, 249 tls_set_errorx(ctx,
249 "ocsp verify failed: ocsp response not current"); 250 "ocsp verify failed: ocsp response not current");
250 goto error; 251 goto err;
251 } 252 }
252 253
253 if (tls_ocsp_fill_info(ctx, response_status, cert_status, 254 if (tls_ocsp_fill_info(ctx, response_status, cert_status,
254 crl_reason, revtime, thisupd, nextupd) != 0) 255 crl_reason, revtime, thisupd, nextupd) != 0)
255 goto error; 256 goto err;
256 257
257 /* finally can look at status */ 258 /* finally can look at status */
258 if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status != 259 if (cert_status != V_OCSP_CERTSTATUS_GOOD && cert_status !=
259 V_OCSP_CERTSTATUS_UNKNOWN) { 260 V_OCSP_CERTSTATUS_UNKNOWN) {
260 tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s", 261 tls_set_errorx(ctx, "ocsp verify failed: revoked cert - %s",
261 OCSP_crl_reason_str(crl_reason)); 262 OCSP_crl_reason_str(crl_reason));
262 goto error; 263 goto err;
263 } 264 }
264 ret = 0; 265 ret = 0;
265 266
266 error: 267 err:
267 sk_X509_free(combined); 268 sk_X509_free(combined);
268 OCSP_CERTID_free(cid); 269 OCSP_CERTID_free(cid);
269 OCSP_BASICRESP_free(br); 270 OCSP_BASICRESP_free(br);
diff --git a/src/lib/libtls/tls_util.c b/src/lib/libtls/tls_util.c
index aaa3eef49f..f9df287ca8 100644
--- a/src/lib/libtls/tls_util.c
+++ b/src/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_util.c,v 1.9 2017/06/22 18:03:57 jsing Exp $ */ 1/* $OpenBSD: tls_util.c,v 1.10 2018/02/05 00:52:24 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> 4 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -43,7 +43,7 @@ tls_host_port(const char *hostport, char **host, char **port)
43 *port = NULL; 43 *port = NULL;
44 44
45 if ((s = strdup(hostport)) == NULL) 45 if ((s = strdup(hostport)) == NULL)
46 goto fail; 46 goto err;
47 47
48 h = p = s; 48 h = p = s;
49 49
@@ -66,14 +66,14 @@ tls_host_port(const char *hostport, char **host, char **port)
66 *p++ = '\0'; 66 *p++ = '\0';
67 67
68 if (asprintf(host, "%s", h) == -1) 68 if (asprintf(host, "%s", h) == -1)
69 goto fail; 69 goto err;
70 if (asprintf(port, "%s", p) == -1) 70 if (asprintf(port, "%s", p) == -1)
71 goto fail; 71 goto err;
72 72
73 rv = 0; 73 rv = 0;
74 goto done; 74 goto done;
75 75
76 fail: 76 err:
77 free(*host); 77 free(*host);
78 *host = NULL; 78 *host = NULL;
79 free(*port); 79 free(*port);
@@ -126,38 +126,38 @@ tls_load_file(const char *name, size_t *len, char *password)
126 /* Just load the file into memory without decryption */ 126 /* Just load the file into memory without decryption */
127 if (password == NULL) { 127 if (password == NULL) {
128 if (fstat(fd, &st) != 0) 128 if (fstat(fd, &st) != 0)
129 goto fail; 129 goto err;
130 if (st.st_size < 0) 130 if (st.st_size < 0)
131 goto fail; 131 goto err;
132 size = (size_t)st.st_size; 132 size = (size_t)st.st_size;
133 if ((buf = malloc(size)) == NULL) 133 if ((buf = malloc(size)) == NULL)
134 goto fail; 134 goto err;
135 n = read(fd, buf, size); 135 n = read(fd, buf, size);
136 if (n < 0 || (size_t)n != size) 136 if (n < 0 || (size_t)n != size)
137 goto fail; 137 goto err;
138 close(fd); 138 close(fd);
139 goto done; 139 goto done;
140 } 140 }
141 141
142 /* Or read the (possibly) encrypted key from file */ 142 /* Or read the (possibly) encrypted key from file */
143 if ((fp = fdopen(fd, "r")) == NULL) 143 if ((fp = fdopen(fd, "r")) == NULL)
144 goto fail; 144 goto err;
145 fd = -1; 145 fd = -1;
146 146
147 key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password); 147 key = PEM_read_PrivateKey(fp, NULL, tls_password_cb, password);
148 fclose(fp); 148 fclose(fp);
149 if (key == NULL) 149 if (key == NULL)
150 goto fail; 150 goto err;
151 151
152 /* Write unencrypted key to memory buffer */ 152 /* Write unencrypted key to memory buffer */
153 if ((bio = BIO_new(BIO_s_mem())) == NULL) 153 if ((bio = BIO_new(BIO_s_mem())) == NULL)
154 goto fail; 154 goto err;
155 if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL)) 155 if (!PEM_write_bio_PrivateKey(bio, key, NULL, NULL, 0, NULL, NULL))
156 goto fail; 156 goto err;
157 if ((size = BIO_get_mem_data(bio, &data)) <= 0) 157 if ((size = BIO_get_mem_data(bio, &data)) <= 0)
158 goto fail; 158 goto err;
159 if ((buf = malloc(size)) == NULL) 159 if ((buf = malloc(size)) == NULL)
160 goto fail; 160 goto err;
161 memcpy(buf, data, size); 161 memcpy(buf, data, size);
162 162
163 BIO_free_all(bio); 163 BIO_free_all(bio);
@@ -167,7 +167,7 @@ tls_load_file(const char *name, size_t *len, char *password)
167 *len = size; 167 *len = size;
168 return (buf); 168 return (buf);
169 169
170 fail: 170 err:
171 if (fd != -1) 171 if (fd != -1)
172 close(fd); 172 close(fd);
173 freezero(buf, size); 173 freezero(buf, size);
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 3bd1057d0c..acbe163ffd 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.19 2017/04/10 17:11:13 jsing Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -215,16 +215,16 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
215 215
216 subject_name = X509_get_subject_name(cert); 216 subject_name = X509_get_subject_name(cert);
217 if (subject_name == NULL) 217 if (subject_name == NULL)
218 goto out; 218 goto done;
219 219
220 common_name_len = X509_NAME_get_text_by_NID(subject_name, 220 common_name_len = X509_NAME_get_text_by_NID(subject_name,
221 NID_commonName, NULL, 0); 221 NID_commonName, NULL, 0);
222 if (common_name_len < 0) 222 if (common_name_len < 0)
223 goto out; 223 goto done;
224 224
225 common_name = calloc(common_name_len + 1, 1); 225 common_name = calloc(common_name_len + 1, 1);
226 if (common_name == NULL) 226 if (common_name == NULL)
227 goto out; 227 goto done;
228 228
229 X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, 229 X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name,
230 common_name_len + 1); 230 common_name_len + 1);
@@ -236,7 +236,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
236 "NUL byte in Common Name field, " 236 "NUL byte in Common Name field, "
237 "probably a malicious certificate", name); 237 "probably a malicious certificate", name);
238 rv = -1; 238 rv = -1;
239 goto out; 239 goto done;
240 } 240 }
241 241
242 /* 242 /*
@@ -247,13 +247,13 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
247 inet_pton(AF_INET6, name, &addrbuf) == 1) { 247 inet_pton(AF_INET6, name, &addrbuf) == 1) {
248 if (strcmp(common_name, name) == 0) 248 if (strcmp(common_name, name) == 0)
249 *cn_match = 1; 249 *cn_match = 1;
250 goto out; 250 goto done;
251 } 251 }
252 252
253 if (tls_match_name(common_name, name) == 0) 253 if (tls_match_name(common_name, name) == 0)
254 *cn_match = 1; 254 *cn_match = 1;
255 255
256 out: 256 done:
257 free(common_name); 257 free(common_name);
258 return rv; 258 return rv;
259} 259}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-24 00:48:25 +0000