From fb9dca0f0ed93924626f04529bb4dfa85e3ef25e Mon Sep 17 00:00:00 2001
From: beck <>
Date: Tue, 31 Jan 2017 16:18:57 +0000
Subject: Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be added associated to a keypair used for SNI, and are usable for more than just the "main" certificate. Modify httpd to use this. Bump libtls minor. ok jsing@
---
 src/lib/libtls/tls_config.c | 113 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 99 insertions(+), 14 deletions(-)
(limited to 'src/lib/libtls/tls_config.c')
diff --git a/src/lib/libtls/tls_config.c b/src/lib/libtls/tls_config.c
index 83c649fd51..87c2166f9e 100644
--- a/src/lib/libtls/tls_config.c
+++ b/src/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.36 2017/01/31 16:18:57 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -416,9 +416,9 @@ tls_config_set_alpn(struct tls_config *config, const char *alpn)
 &config->alpn_len);
 }
 
-int
-tls_config_add_keypair_file(struct tls_config *config,
- const char *cert_file, const char *key_file)
+static int
+tls_config_add_keypair_file_internal(struct tls_config *config,
+ const char *cert_file, const char *key_file, const char *ocsp_file)
 {
 struct tls_keypair *keypair;
 
@@ -428,6 +428,10 @@ tls_config_add_keypair_file(struct tls_config *config,
 goto err;
 if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
 goto err;
+ if (ocsp_file != NULL &&
+ tls_keypair_set_ocsp_staple_file(keypair, &config->error,
+ ocsp_file) != 0)
+ goto err;
 
 tls_config_keypair_add(config, keypair);
 
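Review bot: The new `ocsp_file` argument of tls_config_add_keypair_file_internal has two non-obvious properties that nothing in the hunk documents: NULL means "no staple", and a staple that fails to load takes the `goto err` path and so discards the whole keypair rather than just the staple, which is the right fail-closed choice but should be stated. I would put above the `static int` line: `/* Add a keypair; ocsp_file may be NULL. A staple that cannot be loaded fails the whole keypair, not just the staple. */`. The `err:` cleanup and the return of this function lie outside the hunk, so whether `keypair` is freed there is inferred, not visible here.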
@@ -438,9 +442,10 @@ tls_config_add_keypair_file(struct tls_config *config,
 return (-1);
 }
 
-int
-tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
- size_t cert_len, const uint8_t *key, size_t key_len)
+static int
+tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len,
+ const uint8_t *staple, size_t staple_len)
 {
 struct tls_keypair *keypair;
 
@@ -450,6 +455,9 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
 goto err;
 if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
 goto err;
+ if (staple != NULL &&
+ tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+ goto err;
 
 tls_config_keypair_add(config, keypair);
 
@@ -460,6 +468,39 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
 return (-1);
 }
 
+int
+tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len)
+{
+ return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+ key_len, NULL, 0);
+}
+
+int
+tls_config_add_keypair_file(struct tls_config *config,
+ const char *cert_file, const char *key_file)
+{
+ return tls_config_add_keypair_file_internal(config, cert_file,
+ key_file, NULL);
+}
+
+int
+tls_config_add_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len, const uint8_t *staple,
+ size_t staple_len)
+{
+ return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+ key_len, staple, staple_len);
+}
+
+int
+tls_config_add_keypair_ocsp_file(struct tls_config *config,
+ const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+ return tls_config_add_keypair_file_internal(config, cert_file,
+ key_file, ocsp_file);
+}
+
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
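Review bot: The guard added in tls_config_add_keypair_mem_internal tests only `staple != NULL`, so a caller passing a non-NULL staple with `staple_len == 0` still reaches tls_keypair_set_ocsp_staple_mem, whose zero-length handling is not in this diff; unlike the file variant in the earlier hunk, this call also receives no `&config->error`, so a rejected staple presumably returns -1 without setting the config error string — worth confirming against tls_keypair_set_ocsp_staple_mem. The public entry points added in the third hunk are where callers will look, so I would state the contract there: `/* staple may be NULL (with staple_len 0) to add the keypair without an OCSP staple; a staple that cannot be loaded fails the whole add. */` above tls_config_add_keypair_ocsp_mem, and the matching sentence about `ocsp_file` above tls_config_add_keypair_ocsp_file. The `err:` label both internal helpers jump to is outside these hunks.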
@@ -581,30 +622,73 @@ tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
 return tls_keypair_set_key_mem(config->keypair, key, len);
 }
 
-int
-tls_config_set_keypair_file(struct tls_config *config,
- const char *cert_file, const char *key_file)
+static int
+tls_config_set_keypair_file_internal(struct tls_config *config,
+ const char *cert_file, const char *key_file, const char *ocsp_file)
 {
 if (tls_config_set_cert_file(config, cert_file) != 0)
 return (-1);
 if (tls_config_set_key_file(config, key_file) != 0)
 return (-1);
+ if (tls_config_set_key_file(config, key_file) != 0)
+ return (-1);
+ if (ocsp_file != NULL &&
+ tls_config_set_ocsp_staple_file(config, ocsp_file) != 0)
+ return (-1);
 
 return (0);
 }
 
-int
-tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
- size_t cert_len, const uint8_t *key, size_t key_len)
+static int
+tls_config_set_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len,
+ const uint8_t *staple, size_t staple_len)
 {
 if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
 return (-1);
 if (tls_config_set_key_mem(config, key, key_len) != 0)
 return (-1);
+ if ((staple != NULL) &&
+ (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0))
+ return (-1);
 
 return (0);
 }
 
+int
+tls_config_set_keypair_file(struct tls_config *config,
+ const char *cert_file, const char *key_file)
+{
+ return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+ NULL);
+}
+
+int
+tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len)
+{
+ return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+ key, key_len, NULL, 0);
+}
+
+int
+tls_config_set_keypair_ocsp_file(struct tls_config *config,
+ const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+ return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+ ocsp_file);
+}
+
+int
+tls_config_set_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+ size_t cert_len, const uint8_t *key, size_t key_len,
+ const uint8_t *staple, size_t staple_len)
+{
+ return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+ key, key_len, staple, staple_len);
+}
+
+
 int
 tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 {
@@ -685,7 +769,8 @@ tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_fi
 }
 
 int
-tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
+tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
+ size_t len)
 {
 return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
-- 
cgit v1.2.3-55-g6feb
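Review bot: In tls_config_set_keypair_file_internal the added `if (tls_config_set_key_file(config, key_file) != 0) return (-1);` repeats the unchanged pair of lines directly above it, so every call — including the unchanged public tls_config_set_keypair_file — reads and parses the private key file twice; drop the added duplicate and keep only the new `ocsp_file` check. A smaller style point in the same hunk: the mem helper writes its guard as `if ((staple != NULL) && (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0))` while the file helper and both add_keypair helpers write the same guard without the extra parentheses, and two blank lines are added after tls_config_set_keypair_ocsp_mem where the file otherwise uses one. The contract of the `ocsp_file`/`staple` arguments (NULL means no staple; a staple that fails to load fails the whole call) is not documented on the four new public functions; a one-line comment above each would do.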
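Review bot: tls_config_set_ocsp_staple_mem changes its `staple` parameter from `char *` to `const uint8_t *`, a source-visible API change that this diff, limited to tls_config.c, cannot show being mirrored in the public header or manual page; existing callers passing a `char *` will now get a pointer-sign diagnostic, so that update presumably belongs with the minor bump mentioned in the message. The function body is unchanged, so the forwarded `len` still has no check here; whether tls_keypair_set_ocsp_staple_mem validates it is not visible in this diff.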