authorReyk Floeter <reyk@cvs.openbsd.org>2015-01-22 09:26:06 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2015-01-22 09:26:06 +0000
commit9103d48d709d6d658783a600cec2c3803e2d79ca (patch)
tree2114bd7cdbc0f9dcb3d6bcf3a0bc332b37dec167
parentd8c6bc473f24342a7779cf1d21ce977aa7fd6dd1 (diff)
LibreSSL now supports loading of CA certificates from memory, replace
the internal and long-serving ssl_ctx_load_verify_memory() function with a call to the SSL_CTX_load_verify_mem() API function. The ssl_privsep.c file with hacks for using OpenSSL in privsep'ed processes can now go away; portable versions of smtpd and relayd should start depending on LibreSSL or they have to carry ssl_privsep.c in openbsd-compat to work with legacy OpenSSL. No functional change. Based on previous discussions with gilles@ bluhm@ and many others OK bluhm@ (as part of the libcrypto/libssl/libtls diff)
-rw-r--r--usr.sbin/relayd/Makefile4
-rw-r--r--usr.sbin/relayd/relay.c4
-rw-r--r--usr.sbin/relayd/relayd.h5
-rw-r--r--usr.sbin/relayd/ssl_privsep.c158
-rw-r--r--usr.sbin/smtpd/smtpd/Makefile4
-rw-r--r--usr.sbin/smtpd/ssl.h4
-rw-r--r--usr.sbin/smtpd/ssl_privsep.c159
7 files changed, 8 insertions, 330 deletions
diff --git a/usr.sbin/relayd/Makefile b/usr.sbin/relayd/Makefile
index e573d9acfd5..066acfa72f9 100644
--- a/usr.sbin/relayd/Makefile
+++ b/usr.sbin/relayd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.27 2014/04/21 14:57:17 reyk Exp $
+# $OpenBSD: Makefile,v 1.28 2015/01/22 09:26:05 reyk Exp $
PROG= relayd
SRCS= parse.y
@@ -6,7 +6,7 @@ SRCS+= agentx.c ca.c carp.c check_icmp.c check_script.c \
check_tcp.c config.c control.c hce.c log.c name2id.c \
pfe.c pfe_filter.c pfe_route.c proc.c \
relay.c relay_http.c relay_udp.c relayd.c \
- shuffle.c snmp.c ssl.c ssl_privsep.c
+ shuffle.c snmp.c ssl.c
MAN= relayd.8 relayd.conf.5
LDADD= -levent -lssl -lcrypto -lutil
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index 091db106075..f69a91228db 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.187 2015/01/16 15:08:52 reyk Exp $ */
+/* $OpenBSD: relay.c,v 1.188 2015/01/22 09:26:05 reyk Exp $ */
/*
* Copyright (c) 2006 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -2051,7 +2051,7 @@ relay_tls_ctx_create(struct relay *rlay)
/* Verify the server certificate if we have a CA chain */
if ((rlay->rl_conf.flags & F_TLSCLIENT) &&
(rlay->rl_tls_ca != NULL)) {
- if (!ssl_ctx_load_verify_memory(ctx,
+ if (!SSL_CTX_load_verify_mem(ctx,
rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len))
goto err;
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
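Review bot: The replacement call narrows the length argument: the removed ssl_ctx_load_verify_memory() took the CA length as an `off_t`, while LibreSSL's SSL_CTX_load_verify_mem() declares its third parameter as `int`, so `rlay->rl_conf.tls_ca_len` (presumably still an off_t, given the old prototype in relayd.h) is now implicitly truncated before the PEM buffer is parsed. A CA bundle beyond INT_MAX is unrealistic, but the conversion should be made explicit and bounded so the verify store can never be populated from a silently shortened buffer, e.g. `if (rlay->rl_conf.tls_ca_len > INT_MAX) goto err;` immediately before the call. relay_tls_ctx_create() begins and ends outside this hunk, so the surrounding `err:` cleanup is not visible here.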
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index e67ca49a5e3..e78ecc674fa 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.205 2015/01/16 15:08:52 reyk Exp $ */
+/* $OpenBSD: relayd.h,v 1.206 2015/01/22 09:26:05 reyk Exp $ */
/*
* Copyright (c) 2006 - 2015 Reyk Floeter <reyk@openbsd.org>
@@ -1220,9 +1220,6 @@ int ssl_load_pkey(const void *, size_t, char *, off_t,
int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
char *, off_t, X509 **, EVP_PKEY **);
-/* ssl_privsep.c */
-int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-
/* ca.c */
pid_t ca(struct privsep *, struct privsep_proc *);
void ca_engine_init(struct relayd *);
diff --git a/usr.sbin/relayd/ssl_privsep.c b/usr.sbin/relayd/ssl_privsep.c
deleted file mode 100644
index b90d5960b11..00000000000
--- a/usr.sbin/relayd/ssl_privsep.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* $OpenBSD: ssl_privsep.c,v 1.11 2015/01/16 15:08:52 reyk Exp $ */
-
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/*
- * SSL operations needed when running in a privilege separated environment.
- * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
- */
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <unistd.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-
-int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
-
-X509_LOOKUP_METHOD x509_mem_lookup = {
- "Load cert from memory",
- NULL, /* new */
- NULL, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- ssl_by_mem_ctrl, /* ctrl */
- NULL, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
-};
-
-#define X509_L_ADD_MEM 3
-
-int
-ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
-{
- X509_LOOKUP *lu;
- struct iovec iov;
-
- if ((lu = X509_STORE_add_lookup(ctx->cert_store,
- &x509_mem_lookup)) == NULL)
- return (0);
-
- iov.iov_base = buf;
- iov.iov_len = len;
-
- if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM,
- (const char *)&iov, X509_FILETYPE_PEM, NULL))
- return (0);
-
- return (1);
-}
-
-int
-ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf,
- long type, char **ret)
-{
- STACK_OF(X509_INFO) *inf;
- const struct iovec *iov;
- X509_INFO *itmp;
- BIO *in = NULL;
- int i, count = 0;
-
- iov = (const struct iovec *)buf;
-
- if (type != X509_FILETYPE_PEM)
- goto done;
-
- if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL)
- goto done;
-
- if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
- goto done;
-
- for (i = 0; i < sk_X509_INFO_num(inf); i++) {
- itmp = sk_X509_INFO_value(inf, i);
- if (itmp->x509) {
- X509_STORE_add_cert(lu->store_ctx, itmp->x509);
- count++;
- }
- if (itmp->crl) {
- X509_STORE_add_crl(lu->store_ctx, itmp->crl);
- count++;
- }
- }
- sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
- done:
- if (!count)
- X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
-
- if (in != NULL)
- BIO_free(in);
- return (count);
-}
diff --git a/usr.sbin/smtpd/smtpd/Makefile b/usr.sbin/smtpd/smtpd/Makefile
index cf751b62868..5defaf6039b 100644
--- a/usr.sbin/smtpd/smtpd/Makefile
+++ b/usr.sbin/smtpd/smtpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2014/12/14 15:26:56 gilles Exp $
+# $OpenBSD: Makefile,v 1.78 2015/01/22 09:26:05 reyk Exp $
.PATH: ${.CURDIR}/..
@@ -10,7 +10,7 @@ SRCS= aliases.c bounce.c ca.c compress_backend.c config.c \
log.c mda.c mproc.c \
mta.c mta_session.c parse.y pony.c queue.c queue_backend.c \
ruleset.c runq.c scheduler.c scheduler_backend.c \
- smtp.c smtp_session.c smtpd.c ssl.c ssl_privsep.c \
+ smtp.c smtp_session.c smtpd.c ssl.c \
ssl_smtpd.c stat_backend.c table.c to.c tree.c util.c \
waitq.c
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 28d4ed816a6..0bc82363f20 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.10 2015/01/16 15:08:52 reyk Exp $ */
+/* $OpenBSD: ssl.h,v 1.11 2015/01/22 09:26:05 reyk Exp $ */
/*
* Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
*
@@ -50,7 +50,6 @@ DH *get_dh1024(void);
DH *get_dh_from_memory(char *, size_t);
void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
void ssl_set_ecdh_curve(SSL_CTX *, const char *);
-extern int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
char *ssl_load_file(const char *, off_t *, mode_t);
char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
@@ -67,5 +66,4 @@ int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
char *, off_t, X509 **, EVP_PKEY **);
/* ssl_privsep.c */
-int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
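Review bot: The `/* ssl_privsep.c */` section comment and the `ssl_by_mem_ctrl()` prototype on the last two lines of this hunk survive, yet usr.sbin/smtpd/ssl_privsep.c, the only definition of ssl_by_mem_ctrl() shown on this page, is deleted by the same commit. Unless another translation unit still defines it, the declaration is now dead and invites a link error for any future caller; remove both lines, `/* ssl_privsep.c */` and `int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);`, so the header stops advertising a memory-lookup hook that no longer exists in the tree. The relayd.h hunk in this commit already drops its whole ssl_privsep.c section, so the two headers would then be consistent.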
diff --git a/usr.sbin/smtpd/ssl_privsep.c b/usr.sbin/smtpd/ssl_privsep.c
deleted file mode 100644
index aa8c15d7210..00000000000
--- a/usr.sbin/smtpd/ssl_privsep.c
+++ /dev/null
@@ -1,159 +0,0 @@
-/* $OpenBSD: ssl_privsep.c,v 1.8 2015/01/16 15:08:52 reyk Exp $ */
-
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/*
- * SSL operations needed when running in a privilege separated environment.
- * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard .
- */
-
-#include <sys/types.h>
-#include <sys/uio.h>
-
-#include <unistd.h>
-#include <stdio.h>
-
-#include <openssl/err.h>
-#include <openssl/bio.h>
-#include <openssl/objects.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
-#include <openssl/ssl.h>
-
-int ssl_ctx_use_private_key(SSL_CTX *, char *, off_t);
-int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
-int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
-
-X509_LOOKUP_METHOD x509_mem_lookup = {
- "Load cert from memory",
- NULL, /* new */
- NULL, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- ssl_by_mem_ctrl, /* ctrl */
- NULL, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
-};
-
-#define X509_L_ADD_MEM 3
-
-int
-ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
-{
- X509_LOOKUP *lu;
- struct iovec iov;
-
- if ((lu = X509_STORE_add_lookup(ctx->cert_store,
- &x509_mem_lookup)) == NULL)
- return (0);
-
- iov.iov_base = buf;
- iov.iov_len = len;
-
- if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM,
- (const char *)&iov, X509_FILETYPE_PEM, NULL))
- return (0);
-
- return (1);
-}
-
-int
-ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf,
- long type, char **ret)
-{
- STACK_OF(X509_INFO) *inf;
- const struct iovec *iov;
- X509_INFO *itmp;
- BIO *in = NULL;
- int i, count = 0;
-
- iov = (const struct iovec *)buf;
-
- if (type != X509_FILETYPE_PEM)
- goto done;
-
- if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL)
- goto done;
-
- if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL)
- goto done;
-
- for (i = 0; i < sk_X509_INFO_num(inf); i++) {
- itmp = sk_X509_INFO_value(inf, i);
- if (itmp->x509) {
- X509_STORE_add_cert(lu->store_ctx, itmp->x509);
- count++;
- }
- if (itmp->crl) {
- X509_STORE_add_crl(lu->store_ctx, itmp->crl);
- count++;
- }
- }
- sk_X509_INFO_pop_free(inf, X509_INFO_free);
-
- done:
- if (!count)
- X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB);
-
- if (in != NULL)
- BIO_free(in);
- return (count);
-}