authorclaudio <claudio@openbsd.org>2017-08-09 21:27:24 +0000
committerclaudio <claudio@openbsd.org>2017-08-09 21:27:24 +0000
commit6db33eddedcec488e2addfd852352deb0c3f72a8 (patch)
tree6bc7e5df3d0a972e3fd28407af1ea88b7c4f9222
parentAdd IA32_MISC_ENABLE MSR and bitfield values, to be used shortly by (diff)
Don't use tls_cert_hash for the hashing used by the engine offloading magic
for the TLS privsep code. Instead use X509_pubkey_digest() because only the key should be used as identifier. Relayd is rewriting certificates and then the hash would change. Rename the hash in struct tls_keypair to pubkey_hash to make clear what this hash is about. With input and OK jsing@
-rw-r--r--lib/libtls/tls.c27
-rw-r--r--lib/libtls/tls_config.c4
-rw-r--r--lib/libtls/tls_internal.h4
3 files changed, 24 insertions, 11 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index ed857272c46..6df72e24e67 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.68 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.69 2017/08/09 21:27:24 claudio Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -283,11 +283,12 @@ tls_cert_hash(X509 *cert, char **hash)
}
static int
-tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
+tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
{
BIO *membio = NULL;
X509 *cert = NULL;
- int rv = -1;
+ char d[EVP_MAX_MD_SIZE], *dhex = NULL;
+ int dlen, rv = -1;
*hash = NULL;
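Review bot: The new declaration `int dlen, rv = -1;` gives `dlen` the wrong type for its only use: `X509_pubkey_digest()` takes its length out-parameter as `unsigned int *`, and the digest buffer `d` is declared `char` where that API expects `unsigned char *md`, so the call added in the next hunk passes two incompatible pointer types that compilers typically only warn about. This mirrors the existing `tls_cert_hash()` just above, but since these declarations are new this is the place to get them right: `unsigned char d[EVP_MAX_MD_SIZE];` and `unsigned int dlen;`, keeping `char *dhex = NULL;` and `int rv = -1;` as they are; `dlen` then converts cleanly to the `size_t` length that the hex helper presumably takes. `tls_keypair_pubkey_hash()` continues past the end of this hunk and its `return` is not visible here.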
@@ -298,9 +299,21 @@ tls_keypair_cert_hash(struct tls_keypair *keypair, char **hash)
NULL)) == NULL)
goto err;
- rv = tls_cert_hash(cert, hash);
+ if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
+ goto err;
+
+ if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
+ goto err;
+
+ if (asprintf(hash, "SHA256:%s", dhex) == -1) {
+ *hash = NULL;
+ goto err;
+ }
+
+ rv = 0;
err:
+ free(dhex);
X509_free(cert);
BIO_free(membio);
@@ -331,7 +344,7 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
tls_set_errorx(ctx, "failed to load certificate");
goto err;
}
- if (tls_keypair_cert_hash(keypair, &keypair->cert_hash) == -1)
+ if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1)
goto err;
}
@@ -352,11 +365,11 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
goto err;
}
- if (keypair->cert_hash != NULL) {
+ if (keypair->pubkey_hash != NULL) {
RSA *rsa;
/* XXX only RSA for now for relayd privsep */
if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
- RSA_set_ex_data(rsa, 0, keypair->cert_hash);
+ RSA_set_ex_data(rsa, 0, keypair->pubkey_hash);
RSA_free(rsa);
}
}
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index fe049d1e4e5..40374ea2203 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.41 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.42 2017/08/09 21:27:24 claudio Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -141,7 +141,7 @@ tls_keypair_free(struct tls_keypair *keypair)
free(keypair->cert_mem);
free(keypair->key_mem);
free(keypair->ocsp_staple);
- free(keypair->cert_hash);
+ free(keypair->pubkey_hash);
free(keypair);
}
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index bed9d6e7f4e..6079babccf8 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.62 2017/07/06 17:12:22 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.63 2017/08/09 21:27:24 claudio Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -53,7 +53,7 @@ struct tls_keypair {
size_t key_len;
char *ocsp_staple;
size_t ocsp_staple_len;
- char *cert_hash;
+ char *pubkey_hash;
};
#define TLS_MIN_SESSION_TIMEOUT (4)