From b625f466ed086e94acecb66a8ddd3309cb0e3006 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Mon, 15 Aug 2016 14:04:23 +0000 Subject: Explicitly pass in an SSL_CTX * to the functions that operate on one, instead of assuming that they should use the one associated with the TLS context. This allows these functions to be used with the additional SSL contexts that are needed to support server-side SNI. Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that these functions have a common prefix. ok reyk@ --- src/lib/libtls/tls.c | 44 +++++++++++++++++++++---------------------- src/lib/libtls/tls_client.c | 11 ++++++----- src/lib/libtls/tls_internal.h | 11 ++++++----- src/lib/libtls/tls_server.c | 9 +++++---- 4 files changed, 38 insertions(+), 37 deletions(-) (limited to 'src/lib') diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 429881dbb3..bf0e1f769f 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.45 2016/08/13 13:05:51 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.46 2016/08/15 14:04:23 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -207,7 +207,7 @@ tls_configure(struct tls *ctx, struct tls_config *config) } int -tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, +tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, struct tls_keypair *keypair, int required) { EVP_PKEY *pkey = NULL; @@ -274,27 +274,27 @@ tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, } int -tls_configure_ssl(struct tls *ctx) +tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) { - SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); - SSL_CTX_set_mode(ctx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2); - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3); - SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); - SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); - SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) - SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); if (ctx->config->alpn != NULL) { - if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn, + if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, ctx->config->alpn_len) != 0) { tls_set_errorx(ctx, "failed to set alpn"); goto err; @@ -302,7 +302,7 @@ tls_configure_ssl(struct tls *ctx) } if (ctx->config->ciphers != NULL) { - if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, + if (SSL_CTX_set_cipher_list(ssl_ctx, ctx->config->ciphers) != 1) { tls_set_errorx(ctx, "failed to set ciphers"); goto err; @@ -310,7 +310,7 @@ tls_configure_ssl(struct tls *ctx) } if (ctx->config->verify_time == 0) { - X509_VERIFY_PARAM_set_flags(ctx->ssl_ctx->param, + X509_VERIFY_PARAM_set_flags(ssl_ctx->param, X509_V_FLAG_NO_CHECK_TIME); } @@ -321,13 +321,13 @@ tls_configure_ssl(struct tls *ctx) } int -tls_configure_ssl_verify(struct tls *ctx, int verify) +tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) { size_t ca_len = ctx->config->ca_len; char *ca_mem = ctx->config->ca_mem; char *ca_free = NULL; - SSL_CTX_set_verify(ctx->ssl_ctx, verify, NULL); + SSL_CTX_set_verify(ssl_ctx, verify, NULL); /* If no CA has been specified, attempt to load the default. */ if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { @@ -342,19 +342,17 @@ tls_configure_ssl_verify(struct tls *ctx, int verify) tls_set_errorx(ctx, "ca too long"); goto err; } - if (SSL_CTX_load_verify_mem(ctx->ssl_ctx, ca_mem, - ca_len) != 1) { + if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) { tls_set_errorx(ctx, "ssl verify memory setup failure"); goto err; } - } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, + } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL, ctx->config->ca_path) != 1) { tls_set_errorx(ctx, "ssl verify locations failure"); goto err; } if (ctx->config->verify_depth >= 0) - SSL_CTX_set_verify_depth(ctx->ssl_ctx, - ctx->config->verify_depth); + SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth); free(ca_free); diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 3847f4c46c..c360ecad52 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.33 2016/04/28 17:05:59 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.34 2016/08/15 14:04:23 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -193,9 +193,10 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, goto err; } - if (tls_configure_ssl(ctx) != 0) + if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) goto err; - if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 0) != 0) + if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, + ctx->config->keypair, 0) != 0) goto err; if (ctx->config->verify_name) { @@ -204,9 +205,9 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, goto err; } } - if (ctx->config->verify_cert && - (tls_configure_ssl_verify(ctx, SSL_VERIFY_PEER) == -1)) + (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, + SSL_VERIFY_PEER) == -1)) goto err; if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index fa972bbadf..f266996a4c 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.36 2016/08/13 13:05:51 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.37 2016/08/15 14:04:23 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -112,11 +112,12 @@ struct tls *tls_new(void); struct tls *tls_server_conn(struct tls *ctx); int tls_check_name(struct tls *ctx, X509 *cert, const char *servername); -int tls_configure_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, - struct tls_keypair *keypair, int required); int tls_configure_server(struct tls *ctx); -int tls_configure_ssl(struct tls *ctx); -int tls_configure_ssl_verify(struct tls *ctx, int verify); + +int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx); +int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, + struct tls_keypair *keypair, int required); +int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify); int tls_handshake_client(struct tls *ctx); int tls_handshake_server(struct tls *ctx); diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c index 690af32eaf..bec9c0608f 100644 --- a/src/lib/libtls/tls_server.c +++ b/src/lib/libtls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.22 2016/08/12 15:10:59 jsing Exp $ */ +/* $OpenBSD: tls_server.c,v 1.23 2016/08/15 14:04:23 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -73,15 +73,16 @@ tls_configure_server(struct tls *ctx) goto err; } - if (tls_configure_ssl(ctx) != 0) + if (tls_configure_ssl(ctx, ctx->ssl_ctx) != 0) goto err; - if (tls_configure_keypair(ctx, ctx->ssl_ctx, ctx->config->keypair, 1) != 0) + if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx, + ctx->config->keypair, 1) != 0) goto err; if (ctx->config->verify_client != 0) { int verify = SSL_VERIFY_PEER; if (ctx->config->verify_client == 1) verify |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - if (tls_configure_ssl_verify(ctx, verify) == -1) + if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, verify) == -1) goto err; } -- cgit v1.2.3-55-g6feb