-rw-r--r-- | lib/libtls/tls.c | 5 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 6 | ||||
-rw-r--r-- | lib/libtls/tls_ocsp.c | 22 | ||||
-rw-r--r-- | lib/libtls/tls_server.c | 6 |
4 files changed, 25 insertions, 14 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index d4e8d0114f2..f07c4c6deb0 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.70 2017/08/28 13:58:02 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.71 2017/09/20 17:05:17 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -235,6 +235,7 @@ tls_new(void)
 return (NULL);
 tls_reset(ctx);
+
 if (tls_configure(ctx, tls_config_default) == -1) {
 free(ctx);
 return NULL;
@@ -252,7 +253,9 @@ tls_configure(struct tls *ctx, struct tls_config *config)
 config->refcount++;
 tls_config_free(ctx->config);
+
 ctx->config = config;
+ ctx->keypair = config->keypair;
 if ((ctx->flags & TLS_SERVER) != 0)
 return (tls_configure_server(ctx));
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 9e9443dbafd..f378ea5466b 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.64 2017/08/10 18:18:30 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.65 2017/09/20 17:05:17 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -157,12 +157,16 @@ struct tls_ocsp {
 struct tls_sni_ctx {
 struct tls_sni_ctx *next;
+ struct tls_keypair *keypair;
+
 SSL_CTX *ssl_ctx;
 X509 *ssl_cert;
 };
 struct tls {
 struct tls_config *config;
+ struct tls_keypair *keypair;
+
 struct tls_error error;
 uint32_t flags;
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index 4e2dba34870..a8835edc8ff 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
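Review bot: `ctx->keypair = config->keypair;` in tls_configure() caches a pointer into the config's keypair list, but nothing in this diff clears that pointer when the config is released; tls_reset() is outside the hunk, and if it drops ctx->config through tls_config_free() it should also set `ctx->keypair = NULL;` so a reset context never carries a stale borrowed pointer. The `config->refcount++` above the assignment keeps the config, and presumably its keypair list, alive for as long as ctx->config is held, so the assignment itself looks sound. tls_configure's body continues outside the hunk.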
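Review bot: The new `keypair` members of struct tls_sni_ctx and struct tls carry no comment stating ownership, and since they are assigned straight from `config->keypair` in tls.c and tls_server.c without a copy, a reader could mistake them for owned pointers that need freeing. A comment on each, e.g. `struct tls_keypair *keypair; /* borrowed from config->keypair; not freed here */`, would record that the tls_config (kept alive by its refcount) presumably owns the keypair list and that these fields are only references into it. Both struct definitions continue outside the hunk.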
@@ -331,32 +331,32 @@ tls_ocsp_verify_cb(SSL *ssl, void *arg)
 int
 tls_ocsp_stapling_cb(SSL *ssl, void *arg)
 {
- struct tls *ctx;
- unsigned char *ocsp_staple = NULL;
 int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ unsigned char *ocsp_staple = NULL;
+ struct tls *ctx;
 if ((ctx = SSL_get_app_data(ssl)) == NULL)
 goto err;
- if (ctx->config->keypair == NULL ||
- ctx->config->keypair->ocsp_staple == NULL ||
- ctx->config->keypair->ocsp_staple_len == 0)
+ if (ctx->keypair == NULL || ctx->keypair->ocsp_staple == NULL ||
+ ctx->keypair->ocsp_staple_len == 0)
 return SSL_TLSEXT_ERR_NOACK;
- if ((ocsp_staple = malloc(ctx->config->keypair->ocsp_staple_len)) ==
- NULL)
+ if ((ocsp_staple = malloc(ctx->keypair->ocsp_staple_len)) == NULL)
 goto err;
- memcpy(ocsp_staple, ctx->config->keypair->ocsp_staple,
- ctx->config->keypair->ocsp_staple_len);
+ memcpy(ocsp_staple, ctx->keypair->ocsp_staple,
+ ctx->keypair->ocsp_staple_len);
+
 if (SSL_set_tlsext_status_ocsp_resp(ctx->ssl_conn, ocsp_staple,
- ctx->config->keypair->ocsp_staple_len) != 1)
+ ctx->keypair->ocsp_staple_len) != 1)
 goto err;
 ret = SSL_TLSEXT_ERR_OK;
 err:
 if (ret != SSL_TLSEXT_ERR_OK)
 free(ocsp_staple);
+
 return ret;
 }
@@ -364,7 +364,7 @@ tls_ocsp_stapling_cb(SSL *ssl, void *arg)
 * Public API
 */
-/* Retrieve OCSP URL from peer certificate, if present */
+/* Retrieve OCSP URL from peer certificate, if present. */
 const char *
 tls_peer_ocsp_url(struct tls *ctx)
 {
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index 2622e4464f4..e1011769f63 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.41 2017/08/10 18:18:30 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.42 2017/09/20 17:05:17 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
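Review bot: tls_ocsp_stapling_cb() now picks the staple from `ctx->keypair`, which only serves the right certificate's staple if tls_servername_cb() has already updated `conn_ctx->keypair` on an SNI match by the time the status callback fires; that ordering dependency is not visible here and is not written down in the function. A comment above the NULL check, such as `/* ctx->keypair is the keypair selected for this connection: the config default, or the SNI match set in tls_servername_cb(). */`, would make the assumption explicit for the next reader. The remaining edits in the hunk (declaration reordering, the dropped `ctx->config->` indirection, the extra blank lines) do not change behaviour as far as the hunk shows, and the free-on-failure-only pattern around `SSL_set_tlsext_status_ocsp_resp` is unchanged.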
@@ -50,7 +50,9 @@ tls_server_conn(struct tls *ctx)
 conn_ctx->flags |= TLS_SERVER_CONN;
 ctx->config->refcount++;
+
 conn_ctx->config = ctx->config;
+ conn_ctx->keypair = ctx->config->keypair;
 return (conn_ctx);
 }
@@ -112,6 +114,7 @@ tls_servername_cb(SSL *ssl, int *al, void *arg)
 &match) == -1)
 goto err;
 if (match) {
+ conn_ctx->keypair = sni_ctx->keypair;
 SSL_set_SSL_CTX(conn_ctx->ssl_conn, sni_ctx->ssl_ctx);
 return (SSL_TLSEXT_ERR_OK);
 }
@@ -341,6 +344,7 @@ tls_configure_server_sni(struct tls *ctx)
 tls_set_errorx(ctx, "out of memory");
 goto err;
 }
+ (*sni_ctx)->keypair = kp;
 if (tls_configure_server_ssl(ctx, &(*sni_ctx)->ssl_ctx, kp) == -1)
 goto err;
 if (tls_keypair_load_cert(kp, &ctx->error, |
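Review bot: In tls_server_conn(), `conn_ctx->keypair = ctx->config->keypair;` reaches back into the config even though tls_configure() already mirrors that value into the listening context's `ctx->keypair`; assuming the listening context was set up through tls_configure(), `conn_ctx->keypair = ctx->keypair;` would keep a single source of truth and read like the `conn_ctx->keypair = sni_ctx->keypair;` assignment in tls_servername_cb(). On the no-match path of tls_servername_cb() the connection presumably keeps the default keypair set in tls_server_conn(), which is consistent with it staying on the default SSL_CTX, but that path is outside the hunk. In tls_configure_server_sni(), `(*sni_ctx)->keypair = kp;` is stored before tls_configure_server_ssl() can fail, which is fine as long as the `err:` cleanup frees the sni_ctx without freeing through keypair — that cleanup is also outside the hunk. All three functions extend beyond their hunks.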