diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libtls/tls_config.c | 26 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 6 | ||||
| -rw-r--r-- | src/lib/libtls/tls_ocsp.c | 14 |
3 files changed, 32 insertions, 14 deletions
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c index 8fa810461c..83c649fd51 100644 --- a/src/lib/libtls/tls_config.c +++ b/src/lib/libtls/tls_config.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_config.c,v 1.34 2017/01/24 01:48:05 claudio Exp $ */ | 1 | /* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -101,6 +101,22 @@ tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, | |||
| 101 | return set_mem(&keypair->key_mem, &keypair->key_len, key, len); | 101 | return set_mem(&keypair->key_mem, &keypair->key_len, key, len); |
| 102 | } | 102 | } |
| 103 | 103 | ||
| 104 | static int | ||
| 105 | tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair, | ||
| 106 | struct tls_error *error, const char *ocsp_file) | ||
| 107 | { | ||
| 108 | return tls_config_load_file(error, "ocsp", ocsp_file, | ||
| 109 | &keypair->ocsp_staple, &keypair->ocsp_staple_len); | ||
| 110 | } | ||
| 111 | |||
| 112 | static int | ||
| 113 | tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, | ||
| 114 | const uint8_t *staple, size_t len) | ||
| 115 | { | ||
| 116 | return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple, | ||
| 117 | len); | ||
| 118 | } | ||
| 119 | |||
| 104 | static void | 120 | static void |
| 105 | tls_keypair_clear(struct tls_keypair *keypair) | 121 | tls_keypair_clear(struct tls_keypair *keypair) |
| 106 | { | 122 | { |
| @@ -118,6 +134,7 @@ tls_keypair_free(struct tls_keypair *keypair) | |||
| 118 | 134 | ||
| 119 | free(keypair->cert_mem); | 135 | free(keypair->cert_mem); |
| 120 | free(keypair->key_mem); | 136 | free(keypair->key_mem); |
| 137 | free(keypair->ocsp_staple); | ||
| 121 | 138 | ||
| 122 | free(keypair); | 139 | free(keypair); |
| 123 | } | 140 | } |
| @@ -241,7 +258,6 @@ tls_config_free(struct tls_config *config) | |||
| 241 | free((char *)config->ca_mem); | 258 | free((char *)config->ca_mem); |
| 242 | free((char *)config->ca_path); | 259 | free((char *)config->ca_path); |
| 243 | free((char *)config->ciphers); | 260 | free((char *)config->ciphers); |
| 244 | free(config->ocsp_staple); | ||
| 245 | 261 | ||
| 246 | free(config); | 262 | free(config); |
| 247 | } | 263 | } |
| @@ -664,14 +680,14 @@ tls_config_verify_client_optional(struct tls_config *config) | |||
| 664 | int | 680 | int |
| 665 | tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) | 681 | tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file) |
| 666 | { | 682 | { |
| 667 | return tls_config_load_file(&config->error, "OCSP", staple_file, | 683 | return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error, |
| 668 | &config->ocsp_staple, &config->ocsp_staple_len); | 684 | staple_file); |
| 669 | } | 685 | } |
| 670 | 686 | ||
| 671 | int | 687 | int |
| 672 | tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len) | 688 | tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len) |
| 673 | { | 689 | { |
| 674 | return set_mem(&config->ocsp_staple, &config->ocsp_staple_len, staple, len); | 690 | return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len); |
| 675 | } | 691 | } |
| 676 | 692 | ||
| 677 | int | 693 | int |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index 37737c3499..fbb139c84a 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.52 2017/01/26 12:56:37 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.53 2017/01/29 17:52:11 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -51,6 +51,8 @@ struct tls_keypair { | |||
| 51 | size_t cert_len; | 51 | size_t cert_len; |
| 52 | char *key_mem; | 52 | char *key_mem; |
| 53 | size_t key_len; | 53 | size_t key_len; |
| 54 | char *ocsp_staple; | ||
| 55 | size_t ocsp_staple_len; | ||
| 54 | }; | 56 | }; |
| 55 | 57 | ||
| 56 | #define TLS_MIN_SESSION_TIMEOUT (4) | 58 | #define TLS_MIN_SESSION_TIMEOUT (4) |
| @@ -83,8 +85,6 @@ struct tls_config { | |||
| 83 | int ecdhecurve; | 85 | int ecdhecurve; |
| 84 | struct tls_keypair *keypair; | 86 | struct tls_keypair *keypair; |
| 85 | int ocsp_require_stapling; | 87 | int ocsp_require_stapling; |
| 86 | char *ocsp_staple; | ||
| 87 | size_t ocsp_staple_len; | ||
| 88 | uint32_t protocols; | 88 | uint32_t protocols; |
| 89 | unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH]; | 89 | unsigned char session_id[TLS_MAX_SESSION_ID_LENGTH]; |
| 90 | int session_lifetime; | 90 | int session_lifetime; |
diff --git a/src/lib/libtls/tls_ocsp.c b/src/lib/libtls/tls_ocsp.c index 791bee0e17..a7aca37a7d 100644 --- a/src/lib/libtls/tls_ocsp.c +++ b/src/lib/libtls/tls_ocsp.c | |||
| @@ -332,17 +332,19 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg) | |||
| 332 | if ((ctx = SSL_get_app_data(ssl)) == NULL) | 332 | if ((ctx = SSL_get_app_data(ssl)) == NULL) |
| 333 | goto err; | 333 | goto err; |
| 334 | 334 | ||
| 335 | if (ctx->config->ocsp_staple == NULL || | 335 | if (ctx->config->keypair == NULL || |
| 336 | ctx->config->ocsp_staple_len == 0) | 336 | ctx->config->keypair->ocsp_staple == NULL || |
| 337 | ctx->config->keypair->ocsp_staple_len == 0) | ||
| 337 | return SSL_TLSEXT_ERR_NOACK; | 338 | return SSL_TLSEXT_ERR_NOACK; |
| 338 | 339 | ||
| 339 | if ((ocsp_staple = malloc(ctx->config->ocsp_staple_len)) == NULL) | 340 | if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) == |
| 341 | NULL) | ||
| 340 | goto err; | 342 | goto err; |
| 341 | 343 | ||
| 342 | memcpy(ocsp_staple, ctx->config->ocsp_staple, | 344 | memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple, |
| 343 | ctx->config->ocsp_staple_len); | 345 | ctx->config->keypair->ocsp_staple_len); |
| 344 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, | 346 | if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple, |
| 345 | ctx->config->ocsp_staple_len) != 1) | 347 | ctx->config->keypair->ocsp_staple_len) != 1) |
| 346 | goto err; | 348 | goto err; |
| 347 | 349 | ||
| 348 | ret = SSL_TLSEXT_ERR_OK; | 350 | ret = SSL_TLSEXT_ERR_OK; |