-rw-r--r-- | include/Makefile | 8 | ||||
-rw-r--r-- | lib/Makefile | 6 | ||||
-rw-r--r-- | lib/libressl/Makefile | 56 | ||||
-rw-r--r-- | lib/libressl/ressl.h | 81 | ||||
-rw-r--r-- | lib/libtls/Makefile | 58 | ||||
-rw-r--r-- | lib/libtls/shlib_version (renamed from lib/libressl/shlib_version) | 2 | ||||
-rw-r--r-- | lib/libtls/tls.c (renamed from lib/libressl/ressl.c) | 96 | ||||
-rw-r--r-- | lib/libtls/tls.h | 74 | ||||
-rw-r--r-- | lib/libtls/tls_client.c (renamed from lib/libressl/ressl_client.c) | 64 | ||||
-rw-r--r-- | lib/libtls/tls_config.c (renamed from lib/libressl/ressl_config.c) | 60 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 (renamed from lib/libressl/ressl_init.3) | 232 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h (renamed from lib/libressl/ressl_internal.h) | 36 | ||||
-rw-r--r-- | lib/libtls/tls_server.c (renamed from lib/libressl/ressl_server.c) | 82 | ||||
-rw-r--r-- | lib/libtls/tls_util.c (renamed from lib/libressl/ressl_util.c) | 6 | ||||
-rw-r--r-- | lib/libtls/tls_verify.c (renamed from lib/libressl/ressl_verify.c) | 26 | ||||
-rw-r--r-- | share/mk/bsd.README | 4 | ||||
-rw-r--r-- | share/mk/bsd.prog.mk | 4 |
17 files changed, 433 insertions, 462 deletions
diff --git a/include/Makefile b/include/Makefile index 3bac64d502f..3889dabd5c8 100644 --- a/include/Makefile +++ b/include/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.195 2014/09/16 00:19:31 matthieu Exp $ +# $OpenBSD: Makefile,v 1.196 2014/10/31 13:46:17 jsing Exp $ # $NetBSD: Makefile,v 1.59 1996/05/15 21:36:43 jtc Exp $ # @(#)Makefile 5.45.1.1 (Berkeley) 5/6/91 @@ -42,9 +42,9 @@ RDIRS= ../lib/libcrypto ../lib/libcurses ../lib/libedit \ ../lib/libevent ../lib/libexpat ../lib/libform \ ../lib/libfuse ../lib/libkeynote ../lib/libmenu \ ../lib/libocurses ../lib/libossaudio ../lib/libpanel \ - ../lib/libpcap ../lib/libressl ../lib/librpcsvc \ - ../lib/librthread ../lib/libskey ../lib/libsqlite3 \ - ../lib/libssl ../lib/libusbhid ../lib/libutil ../lib/libz \ + ../lib/libpcap ../lib/librpcsvc ../lib/librthread ../lib/libskey \ + ../lib/libsqlite3 ../lib/libssl ../lib/libtls \ + ../lib/libusbhid ../lib/libutil ../lib/libz \ ../usr.bin/lex ../gnu/lib/libreadline \ ../sys/arch/${MACHINE} diff --git a/lib/Makefile b/lib/Makefile index 872727e9725..82be610e83b 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -1,9 +1,9 @@ -# $OpenBSD: Makefile,v 1.68 2014/07/14 00:49:03 jsing Exp $ +# $OpenBSD: Makefile,v 1.69 2014/10/31 13:46:17 jsing Exp $ # $NetBSD: Makefile,v 1.20.4.1 1996/06/14 17:22:38 cgd Exp $ SUBDIR= csu libarch libc libcrypto libcurses libedit libevent libexpat \ libform libfuse libkeynote libkvm libl libm libmenu \ - libocurses libossaudio libpanel libpcap libressl librthread librpcsvc \ - libskey libsndio libsqlite3 libssl libusbhid libutil liby libz + libocurses libossaudio libpanel libpcap librthread librpcsvc \ + libskey libsndio libsqlite3 libssl libtls libusbhid libutil liby libz .include <bsd.subdir.mk> diff --git a/lib/libressl/Makefile b/lib/libressl/Makefile deleted file mode 100644 index f21c0474edf..00000000000 --- a/lib/libressl/Makefile +++ /dev/null 
@@ -1,56 +0,0 @@ -# $OpenBSD: Makefile,v 1.5 2014/10/08 19:01:40 tedu Exp $ - -CFLAGS+= -Wall -Werror -Wimplicit -CFLAGS+= -DLIBRESSL_INTERNAL - -LIB= ressl - -DPADD= ${LIBCRYPTO} ${LIBSSL} - -HDRS= ressl.h - -SRCS= ressl.c \ - ressl_client.c \ - ressl_config.c \ - ressl_server.c \ - ressl_util.c \ - ressl_verify.c - -MAN= ressl_init.3 - -MLINKS+=ressl_init.3 ressl_error.3 -MLINKS+=ressl_init.3 ressl_config_new.3 -MLINKS+=ressl_init.3 ressl_config_free.3 -MLINKS+=ressl_init.3 ressl_set_ca_file.3 -MLINKS+=ressl_init.3 ressl_set_ca_path.3 -MLINKS+=ressl_init.3 ressl_set_cert_file.3 -MLINKS+=ressl_init.3 ressl_set_cert_mem.3 -MLINKS+=ressl_init.3 ressl_set_ciphers.3 -MLINKS+=ressl_init.3 ressl_set_ecdhcurve.3 -MLINKS+=ressl_init.3 ressl_set_key_file.3 -MLINKS+=ressl_init.3 ressl_set_key_mem.3 -MLINKS+=ressl_init.3 ressl_set_protocols.3 -MLINKS+=ressl_init.3 ressl_set_verify_depth.3 -MLINKS+=ressl_init.3 ressl_clear_keys.3 -MLINKS+=ressl_init.3 ressl_insecure_noverifyhost.3 -MLINKS+=ressl_init.3 ressl_insecure_noverifycert.3 -MLINKS+=ressl_init.3 ressl_verify.3 -MLINKS+=ressl_init.3 ressl_configure.3 -MLINKS+=ressl_init.3 ressl_reset.3 -MLINKS+=ressl_init.3 ressl_free.3 -MLINKS+=ressl_init.3 ressl_close.3 -MLINKS+=ressl_init.3 ressl_connect.3 -MLINKS+=ressl_init.3 ressl_connect_socket.3 -MLINKS+=ressl_init.3 ressl_read.3 -MLINKS+=ressl_init.3 ressl_write.3 - -includes: - @cd ${.CURDIR}; for i in $(HDRS); do \ - j="cmp -s $$i ${DESTDIR}/usr/include/$$i || \ - ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 $$i\ - ${DESTDIR}/usr/include/"; \ - echo $$j; \ - eval "$$j"; \ - done; - -.include <bsd.lib.mk> diff --git a/lib/libressl/ressl.h b/lib/libressl/ressl.h deleted file mode 100644 index 4ca2507f5a2..00000000000 --- a/lib/libressl/ressl.h +++ /dev/null 
@@ -1,81 +0,0 @@ -/* $OpenBSD: ressl.h,v 1.21 2014/10/15 21:02:39 tedu Exp $ */ -/* - * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef HEADER_RESSL_H -#define HEADER_RESSL_H - -#define RESSL_API 20141008 - -#define RESSL_PROTOCOL_TLSv1_0 (1 << 1) -#define RESSL_PROTOCOL_TLSv1_1 (1 << 2) -#define RESSL_PROTOCOL_TLSv1_2 (1 << 3) -#define RESSL_PROTOCOL_TLSv1 \ - (RESSL_PROTOCOL_TLSv1_0|RESSL_PROTOCOL_TLSv1_1|RESSL_PROTOCOL_TLSv1_2) -#define RESSL_PROTOCOLS_DEFAULT RESSL_PROTOCOL_TLSv1 - -#define RESSL_READ_AGAIN -2 -#define RESSL_WRITE_AGAIN -3 - -struct ressl; -struct ressl_config; - -int ressl_init(void); - -const char *ressl_error(struct ressl *ctx); - -struct ressl_config *ressl_config_new(void); -void ressl_config_free(struct ressl_config *config); - -int ressl_config_set_ca_file(struct ressl_config *config, const char *ca_file); -int ressl_config_set_ca_path(struct ressl_config *config, const char *ca_path); -int ressl_config_set_cert_file(struct ressl_config *config, - const char *cert_file); -int ressl_config_set_cert_mem(struct ressl_config *config, const uint8_t *cert, - size_t len); -int ressl_config_set_ciphers(struct ressl_config *config, const char *ciphers); -int ressl_config_set_ecdhcurve(struct 
ressl_config *config, const char *name); -int ressl_config_set_key_file(struct ressl_config *config, - const char *key_file); -int ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key, - size_t len); -void ressl_config_set_protocols(struct ressl_config *config, - uint32_t protocols); -void ressl_config_set_verify_depth(struct ressl_config *config, - int verify_depth); - -void ressl_config_clear_keys(struct ressl_config *config); -void ressl_config_insecure_noverifyhost(struct ressl_config *config); -void ressl_config_insecure_noverifycert(struct ressl_config *config); -void ressl_config_verify(struct ressl_config *config); - -struct ressl *ressl_client(void); -struct ressl *ressl_server(void); -int ressl_configure(struct ressl *ctx, struct ressl_config *config); -void ressl_reset(struct ressl *ctx); -void ressl_free(struct ressl *ctx); - -int ressl_accept(struct ressl *ctx, struct ressl **cctx); -int ressl_accept_socket(struct ressl *ctx, struct ressl **cctx, int socket); -int ressl_connect(struct ressl *ctx, const char *host, const char *port); -int ressl_connect_socket(struct ressl *ctx, int s, const char *hostname); -int ressl_listen(struct ressl *ctx, const char *host, const char *port, int af); -int ressl_read(struct ressl *ctx, void *buf, size_t buflen, size_t *outlen); -int ressl_write(struct ressl *ctx, const void *buf, size_t buflen, - size_t *outlen); -int ressl_close(struct ressl *ctx); - -#endif /* HEADER_RESSL_H */ diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile new file mode 100644 index 00000000000..b83a6de2ce0 --- /dev/null +++ b/lib/libtls/Makefile 
@@ -0,0 +1,58 @@ +# $OpenBSD: Makefile,v 1.1 2014/10/31 13:46:17 jsing Exp $ + +CFLAGS+= -Wall -Werror -Wimplicit +CFLAGS+= -DLIBRESSL_INTERNAL + +LIB= tls + +DPADD= ${LIBCRYPTO} ${LIBSSL} + +HDRS= tls.h + +SRCS= tls.c \ + tls_client.c \ + tls_config.c \ + tls_server.c \ + tls_util.c \ + tls_verify.c + +MAN= tls_init.3 + +MLINKS+=tls_init.3 tls_config_new.3 +MLINKS+=tls_init.3 tls_config_free.3 +MLINKS+=tls_init.3 tls_config_set_ca_file.3 +MLINKS+=tls_init.3 tls_config_set_ca_path.3 +MLINKS+=tls_init.3 tls_config_set_cert_file.3 +MLINKS+=tls_init.3 tls_config_set_cert_mem.3 +MLINKS+=tls_init.3 tls_config_set_ciphers.3 +MLINKS+=tls_init.3 tls_config_set_ecdhcurve.3 +MLINKS+=tls_init.3 tls_config_set_key_file.3 +MLINKS+=tls_init.3 tls_config_set_key_mem.3 +MLINKS+=tls_init.3 tls_config_set_protocols.3 +MLINKS+=tls_init.3 tls_config_set_verify_depth.3 +MLINKS+=tls_init.3 tls_config_clear_keys.3 +MLINKS+=tls_init.3 tls_config_insecure_noverifyhost.3 +MLINKS+=tls_init.3 tls_config_insecure_noverifycert.3 +MLINKS+=tls_init.3 tls_config_verify.3 +MLINKS+=tls_init.3 tls_client.3 +MLINKS+=tls_init.3 tls_server.3 +MLINKS+=tls_init.3 tls_configure.3 +MLINKS+=tls_init.3 tls_error.3 +MLINKS+=tls_init.3 tls_reset.3 +MLINKS+=tls_init.3 tls_free.3 +MLINKS+=tls_init.3 tls_close.3 +MLINKS+=tls_init.3 tls_connect.3 +MLINKS+=tls_init.3 tls_connect_socket.3 +MLINKS+=tls_init.3 tls_read.3 +MLINKS+=tls_init.3 tls_write.3 + +includes: + @cd ${.CURDIR}; for i in $(HDRS); do \ + j="cmp -s $$i ${DESTDIR}/usr/include/$$i || \ + ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 $$i\ + ${DESTDIR}/usr/include/"; \ + echo $$j; \ + eval "$$j"; \ + done; + +.include <bsd.lib.mk> diff --git a/lib/libressl/shlib_version b/lib/libtls/shlib_version index b52599a164f..1edea46de91 100644 --- a/lib/libressl/shlib_version +++ b/lib/libtls/shlib_version @@ -1,2 +1,2 @@ -major=2 +major=1 minor=0 diff --git a/lib/libressl/ressl.c b/lib/libtls/tls.c index 06c7d54cc28..a7f612e40ba 100644 
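Review bot: The MLINKS list in the new lib/libtls/Makefile has no entry for tls_accept_socket.3, even though the new tls.h in this commit declares tls_accept_socket(), so that manual name will not resolve; add `MLINKS+=tls_init.3 tls_accept_socket.3` next to the tls_connect_socket entry, and check that the .Nm list in tls_init.3 names it as well (the visible start of that hunk does not). The remaining MLINKS entries do match the header's exported functions. As a point of style, the `includes` recipe chains `cd ${.CURDIR}; for i in ...` with `;`, so a failed cd would still run the install loop in the wrong directory; `cd ${.CURDIR} && for i in ...` stops instead, though the `;` form is the pattern this file was copied from.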
--- a/lib/libressl/ressl.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl.c,v 1.18 2014/10/15 21:02:39 tedu Exp $ */ +/* $OpenBSD: tls.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -26,38 +26,38 @@ #include <openssl/pem.h> #include <openssl/x509.h> -#include <ressl.h> -#include "ressl_internal.h" +#include <tls.h> +#include "tls_internal.h" -static struct ressl_config *ressl_config_default; +static struct tls_config *tls_config_default; int -ressl_init(void) +tls_init(void) { - static int ressl_initialised = 0; + static int tls_initialised = 0; - if (ressl_initialised) + if (tls_initialised) return (0); SSL_load_error_strings(); SSL_library_init(); - if ((ressl_config_default = ressl_config_new()) == NULL) + if ((tls_config_default = tls_config_new()) == NULL) return (-1); - ressl_initialised = 1; + tls_initialised = 1; return (0); } const char * -ressl_error(struct ressl *ctx) +tls_error(struct tls *ctx) { return ctx->errmsg; } int -ressl_set_error(struct ressl *ctx, char *fmt, ...) +tls_set_error(struct tls *ctx, char *fmt, ...) { va_list ap; int rv; 
@@ -73,37 +73,37 @@ ressl_set_error(struct ressl *ctx, char *fmt, ...) return (rv); } -struct ressl * -ressl_new(void) +struct tls * +tls_new(void) { - struct ressl *ctx; + struct tls *ctx; if ((ctx = calloc(1, sizeof(*ctx))) == NULL) return (NULL); - ctx->config = ressl_config_default; + ctx->config = tls_config_default; - ressl_reset(ctx); + tls_reset(ctx); return (ctx); } int -ressl_configure(struct ressl *ctx, struct ressl_config *config) +tls_configure(struct tls *ctx, struct tls_config *config) { if (config == NULL) - config = ressl_config_default; + config = tls_config_default; ctx->config = config; - if ((ctx->flags & RESSL_SERVER) != 0) - return (ressl_configure_server(ctx)); + if ((ctx->flags & TLS_SERVER) != 0) + return (tls_configure_server(ctx)); return (0); } int -ressl_configure_keypair(struct ressl *ctx) +tls_configure_keypair(struct tls *ctx) { EVP_PKEY *pkey = NULL; X509 *cert = NULL; @@ -112,7 +112,7 @@ ressl_configure_keypair(struct ressl *ctx) if (ctx->config->cert_mem != NULL) { if (SSL_CTX_use_certificate_chain(ctx->ssl_ctx, ctx->config->cert_mem, ctx->config->cert_len) != 1) { - ressl_set_error(ctx, "failed to load certificate"); + tls_set_error(ctx, "failed to load certificate"); goto err; } cert = NULL; @@ -120,16 +120,16 @@ ressl_configure_keypair(struct ressl *ctx) if (ctx->config->key_mem != NULL) { if ((bio = BIO_new_mem_buf(ctx->config->key_mem, ctx->config->key_len)) == NULL) { - ressl_set_error(ctx, "failed to create buffer"); + tls_set_error(ctx, "failed to create buffer"); goto err; } if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL)) == NULL) { - ressl_set_error(ctx, "failed to read private key"); + tls_set_error(ctx, "failed to read private key"); goto err; } if (SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 1) { - ressl_set_error(ctx, "failed to load private key"); + tls_set_error(ctx, "failed to load private key"); goto err; } BIO_free(bio); 
@@ -141,20 +141,20 @@ ressl_configure_keypair(struct ressl *ctx) if (ctx->config->cert_file != NULL) { if (SSL_CTX_use_certificate_chain_file(ctx->ssl_ctx, ctx->config->cert_file) != 1) { - ressl_set_error(ctx, "failed to load certificate file"); + tls_set_error(ctx, "failed to load certificate file"); goto err; } } if (ctx->config->key_file != NULL) { if (SSL_CTX_use_PrivateKey_file(ctx->ssl_ctx, ctx->config->key_file, SSL_FILETYPE_PEM) != 1) { - ressl_set_error(ctx, "failed to load private key file"); + tls_set_error(ctx, "failed to load private key file"); goto err; } } if (SSL_CTX_check_private_key(ctx->ssl_ctx) != 1) { - ressl_set_error(ctx, "private/public key mismatch"); + tls_set_error(ctx, "private/public key mismatch"); goto err; } @@ -169,7 +169,7 @@ err: } int -ressl_configure_ssl(struct ressl *ctx) +tls_configure_ssl(struct tls *ctx) { SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv2); SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_SSLv3); @@ -178,17 +178,17 @@ ressl_configure_ssl(struct ressl *ctx) SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); SSL_CTX_clear_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); - if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_0) == 0) + if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1); - if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_1) == 0) + if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0) SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_1); - if ((ctx->config->protocols & RESSL_PROTOCOL_TLSv1_2) == 0) + if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2); if (ctx->config->ciphers != NULL) { if (SSL_CTX_set_cipher_list(ctx->ssl_ctx, ctx->config->ciphers) != 1) { - ressl_set_error(ctx, "failed to set ciphers"); + tls_set_error(ctx, "failed to set ciphers"); goto err; } } 
@@ -200,16 +200,16 @@ err: } void -ressl_free(struct ressl *ctx) +tls_free(struct tls *ctx) { if (ctx == NULL) return; - ressl_reset(ctx); + tls_reset(ctx); free(ctx); } void -ressl_reset(struct ressl *ctx) +tls_reset(struct tls *ctx) { SSL_CTX_free(ctx->ssl_ctx); SSL_free(ctx->ssl_conn); @@ -225,7 +225,7 @@ ressl_reset(struct ressl *ctx) } int -ressl_read(struct ressl *ctx, void *buf, size_t buflen, size_t *outlen) +tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen) { int ret, ssl_err; @@ -238,17 +238,17 @@ ressl_read(struct ressl *ctx, void *buf, size_t buflen, size_t *outlen) ssl_err = SSL_get_error(ctx->ssl_conn, ret); switch (ssl_err) { case SSL_ERROR_WANT_READ: - return (RESSL_READ_AGAIN); + return (TLS_READ_AGAIN); case SSL_ERROR_WANT_WRITE: - return (RESSL_WRITE_AGAIN); + return (TLS_WRITE_AGAIN); default: - ressl_set_error(ctx, "read failed (%i)", ssl_err); + tls_set_error(ctx, "read failed (%i)", ssl_err); return (-1); } } int -ressl_write(struct ressl *ctx, const void *buf, size_t buflen, size_t *outlen) +tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen) { int ret, ssl_err; 
@@ -261,33 +261,33 @@ ressl_write(struct ressl *ctx, const void *buf, size_t buflen, size_t *outlen) ssl_err = SSL_get_error(ctx->ssl_conn, ret); switch (ssl_err) { case SSL_ERROR_WANT_READ: - return (RESSL_READ_AGAIN); + return (TLS_READ_AGAIN); case SSL_ERROR_WANT_WRITE: - return (RESSL_WRITE_AGAIN); + return (TLS_WRITE_AGAIN); default: - ressl_set_error(ctx, "write failed (%i)", ssl_err); + tls_set_error(ctx, "write failed (%i)", ssl_err); return (-1); } } int -ressl_close(struct ressl *ctx) +tls_close(struct tls *ctx) { /* XXX - handle case where multiple calls are required. */ if (ctx->ssl_conn != NULL) { if (SSL_shutdown(ctx->ssl_conn) == -1) { - ressl_set_error(ctx, "SSL shutdown failed"); + tls_set_error(ctx, "SSL shutdown failed"); goto err; } } if (ctx->socket != -1) { if (shutdown(ctx->socket, SHUT_RDWR) != 0) { - ressl_set_error(ctx, "shutdown"); + tls_set_error(ctx, "shutdown"); goto err; } if (close(ctx->socket) != 0) { - ressl_set_error(ctx, "close"); + tls_set_error(ctx, "close"); goto err; } ctx->socket = -1; diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h new file mode 100644 index 00000000000..0fa776e584c --- /dev/null +++ b/lib/libtls/tls.h 
@@ -0,0 +1,74 @@ +/* $OpenBSD: tls.h,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ +/* + * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef HEADER_TLS_H +#define HEADER_TLS_H + +#define TLS_API 20141031 + +#define TLS_PROTOCOL_TLSv1_0 (1 << 1) +#define TLS_PROTOCOL_TLSv1_1 (1 << 2) +#define TLS_PROTOCOL_TLSv1_2 (1 << 3) +#define TLS_PROTOCOL_TLSv1 \ + (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2) +#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1 + +#define TLS_READ_AGAIN -2 +#define TLS_WRITE_AGAIN -3 + +struct tls; +struct tls_config; + +int tls_init(void); + +const char *tls_error(struct tls *ctx); + +struct tls_config *tls_config_new(void); +void tls_config_free(struct tls_config *config); + +int tls_config_set_ca_file(struct tls_config *config, const char *ca_file); +int tls_config_set_ca_path(struct tls_config *config, const char *ca_path); +int tls_config_set_cert_file(struct tls_config *config, const char *cert_file); +int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, + size_t len); +int tls_config_set_ciphers(struct tls_config *config, const char *ciphers); +int tls_config_set_ecdhcurve(struct tls_config *config, const char *name); +int tls_config_set_key_file(struct 
tls_config *config, const char *key_file); +int tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, + size_t len); +void tls_config_set_protocols(struct tls_config *config, uint32_t protocols); +void tls_config_set_verify_depth(struct tls_config *config, int verify_depth); + +void tls_config_clear_keys(struct tls_config *config); +void tls_config_insecure_noverifyhost(struct tls_config *config); +void tls_config_insecure_noverifycert(struct tls_config *config); +void tls_config_verify(struct tls_config *config); + +struct tls *tls_client(void); +struct tls *tls_server(void); +int tls_configure(struct tls *ctx, struct tls_config *config); +void tls_reset(struct tls *ctx); +void tls_free(struct tls *ctx); + +int tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket); +int tls_connect(struct tls *ctx, const char *host, const char *port); +int tls_connect_socket(struct tls *ctx, int s, const char *hostname); +int tls_read(struct tls *ctx, void *buf, size_t buflen, size_t *outlen); +int tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen); +int tls_close(struct tls *ctx); + +#endif /* HEADER_TLS_H */ diff --git a/lib/libressl/ressl_client.c b/lib/libtls/tls_client.c index 013963f3a14..853766f87b6 100644 --- a/lib/libressl/ressl_client.c +++ b/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl_client.c,v 1.5 2014/10/03 14:14:40 tedu Exp $ */ +/* $OpenBSD: tls_client.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * 
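Review bot: The new tls.h uses `uint8_t`, `uint32_t` and `size_t` in its prototypes but contains no `#include` at all, so it only compiles if the consumer has already pulled in the fixed-width and size types; add `#include <stddef.h>` and `#include <stdint.h>` directly after the `HEADER_TLS_H` guard so the public header is self-contained. Separately, the deleted ressl.h exported ressl_accept() and ressl_listen() while tls.h exports only tls_accept_socket(); if those entry points still exist in tls_server.c (not visible in this chunk) they are now reachable without a public declaration, which is worth confirming is intentional rather than an omission.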
@@ -26,37 +26,37 @@ #include <openssl/x509.h> -#include <ressl.h> -#include "ressl_internal.h" +#include <tls.h> +#include "tls_internal.h" -struct ressl * -ressl_client(void) +struct tls * +tls_client(void) { - struct ressl *ctx; + struct tls *ctx; - if ((ctx = ressl_new()) == NULL) + if ((ctx = tls_new()) == NULL) return (NULL); - ctx->flags |= RESSL_CLIENT; + ctx->flags |= TLS_CLIENT; return (ctx); } int -ressl_connect(struct ressl *ctx, const char *host, const char *port) +tls_connect(struct tls *ctx, const char *host, const char *port) { struct addrinfo hints, *res, *res0; const char *h = NULL, *p = NULL; char *hs = NULL, *ps = NULL; int rv = -1, s = -1, ret; - if ((ctx->flags & RESSL_CLIENT) == 0) { - ressl_set_error(ctx, "not a client context"); + if ((ctx->flags & TLS_CLIENT) == 0) { + tls_set_error(ctx, "not a client context"); goto err; } if (host == NULL) { - ressl_set_error(ctx, "host not specified"); + tls_set_error(ctx, "host not specified"); goto err; } @@ -65,9 +65,9 @@ ressl_connect(struct ressl *ctx, const char *host, const char *port) * otherwise use the default. */ if ((p = (char *)port) == NULL) { - ret = ressl_host_port(host, &hs, &ps); + ret = tls_host_port(host, &hs, &ps); if (ret == -1) { - ressl_set_error(ctx, "memory allocation failure"); + tls_set_error(ctx, "memory allocation failure"); goto err; } if (ret != 0) @@ -82,17 +82,17 @@ ressl_connect(struct ressl *ctx, const char *host, const char *port) hints.ai_socktype = SOCK_STREAM; if ((ret = getaddrinfo(h, p, &hints, &res0)) != 0) { - ressl_set_error(ctx, "%s", gai_strerror(ret)); + tls_set_error(ctx, "%s", gai_strerror(ret)); goto err; } for (res = res0; res; res = res->ai_next) { s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (s == -1) { - ressl_set_error(ctx, "socket"); + tls_set_error(ctx, "socket"); continue; } if (connect(s, res->ai_addr, res->ai_addrlen) == -1) { - ressl_set_error(ctx, "connect"); + tls_set_error(ctx, "connect"); close(s); s = -1; continue; 
@@ -105,7 +105,7 @@ ressl_connect(struct ressl *ctx, const char *host, const char *port) if (s == -1) goto err; - if (ressl_connect_socket(ctx, s, h) != 0) { + if (tls_connect_socket(ctx, s, h) != 0) { close(s); goto err; } @@ -121,30 +121,30 @@ err: } int -ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) +tls_connect_socket(struct tls *ctx, int socket, const char *hostname) { union { struct in_addr ip4; struct in6_addr ip6; } addrbuf; X509 *cert = NULL; int ret; - if ((ctx->flags & RESSL_CLIENT) == 0) { - ressl_set_error(ctx, "not a client context"); + if ((ctx->flags & TLS_CLIENT) == 0) { + tls_set_error(ctx, "not a client context"); goto err; } ctx->socket = socket; if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { - ressl_set_error(ctx, "ssl context failure"); + tls_set_error(ctx, "ssl context failure"); goto err; } - if (ressl_configure_ssl(ctx) != 0) + if (tls_configure_ssl(ctx) != 0) goto err; if (ctx->config->verify_host) { if (hostname == NULL) { - ressl_set_error(ctx, "server name not specified"); + tls_set_error(ctx, "server name not specified"); goto err; } } @@ -154,7 +154,7 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, ctx->config->ca_file, ctx->config->ca_path) != 1) { - ressl_set_error(ctx, "ssl verify setup failure"); + tls_set_error(ctx, "ssl verify setup failure"); goto err; } if (ctx->config->verify_depth >= 0) @@ -163,11 +163,11 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) } if ((ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) { - ressl_set_error(ctx, "ssl connection failure"); + tls_set_error(ctx, "ssl connection failure"); goto err; } if (SSL_set_fd(ctx->ssl_conn, ctx->socket) != 1) { - ressl_set_error(ctx, "ssl file descriptor failure"); + tls_set_error(ctx, "ssl file descriptor failure"); goto err; } 
@@ -179,13 +179,13 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) inet_pton(AF_INET, hostname, &addrbuf) != 1 && inet_pton(AF_INET6, hostname, &addrbuf) != 1) { if (SSL_set_tlsext_host_name(ctx->ssl_conn, hostname) == 0) { - ressl_set_error(ctx, "SNI host name failed"); + tls_set_error(ctx, "SNI host name failed"); goto err; } } if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { - ressl_set_error(ctx, "SSL connect failed: %i", + tls_set_error(ctx, "SSL connect failed: %i", SSL_get_error(ctx->ssl_conn, ret)); goto err; } @@ -193,11 +193,11 @@ ressl_connect_socket(struct ressl *ctx, int socket, const char *hostname) if (ctx->config->verify_host) { cert = SSL_get_peer_certificate(ctx->ssl_conn); if (cert == NULL) { - ressl_set_error(ctx, "no server certificate"); + tls_set_error(ctx, "no server certificate"); goto err; } - if (ressl_check_hostname(cert, hostname) != 0) { - ressl_set_error(ctx, "host `%s' not present in" + if (tls_check_hostname(cert, hostname) != 0) { + tls_set_error(ctx, "host `%s' not present in" " server certificate", hostname); goto err; } diff --git a/lib/libressl/ressl_config.c b/lib/libtls/tls_config.c index a45364c2ef1..0e435f616aa 100644 --- a/lib/libressl/ressl_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ressl_config.c,v 1.14 2014/10/03 14:14:40 tedu Exp $ */ +/* $OpenBSD: tls_config.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -18,8 +18,8 @@ #include <errno.h> #include <stdlib.h> -#include <ressl.h> -#include "ressl_internal.h" +#include <tls.h> +#include "tls_internal.h" static int set_string(const char **dest, const char *src) 
@@ -56,10 +56,10 @@ set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) return 0; } -struct ressl_config * -ressl_config_new(void) +struct tls_config * +tls_config_new(void) { - struct ressl_config *config; + struct tls_config *config; if ((config = calloc(1, sizeof(*config))) == NULL) return (NULL); @@ -67,26 +67,26 @@ ressl_config_new(void) /* * Default configuration. */ - if (ressl_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0) { - ressl_config_free(config); + if (tls_config_set_ca_file(config, _PATH_SSL_CA_FILE) != 0) { + tls_config_free(config); return (NULL); } - ressl_config_set_ecdhcurve(config, "auto"); - ressl_config_set_protocols(config, RESSL_PROTOCOLS_DEFAULT); - ressl_config_set_verify_depth(config, 6); + tls_config_set_ecdhcurve(config, "auto"); + tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT); + tls_config_set_verify_depth(config, 6); - ressl_config_verify(config); + tls_config_verify(config); return (config); } void -ressl_config_free(struct ressl_config *config) +tls_config_free(struct tls_config *config) { if (config == NULL) return; - ressl_config_clear_keys(config); + tls_config_clear_keys(config); free((char *)config->ca_file); free((char *)config->ca_path); 
@@ -100,45 +100,45 @@ ressl_config_free(struct ressl_config *config) } void -ressl_config_clear_keys(struct ressl_config *config) +tls_config_clear_keys(struct tls_config *config) { - ressl_config_set_cert_mem(config, NULL, 0); - ressl_config_set_key_mem(config, NULL, 0); + tls_config_set_cert_mem(config, NULL, 0); + tls_config_set_key_mem(config, NULL, 0); } int -ressl_config_set_ca_file(struct ressl_config *config, const char *ca_file) +tls_config_set_ca_file(struct tls_config *config, const char *ca_file) { return set_string(&config->ca_file, ca_file); } int -ressl_config_set_ca_path(struct ressl_config *config, const char *ca_path) +tls_config_set_ca_path(struct tls_config *config, const char *ca_path) { return set_string(&config->ca_path, ca_path); } int -ressl_config_set_cert_file(struct ressl_config *config, const char *cert_file) +tls_config_set_cert_file(struct tls_config *config, const char *cert_file) { return set_string(&config->cert_file, cert_file); } int -ressl_config_set_cert_mem(struct ressl_config *config, const uint8_t *cert, +tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert, size_t len) { return set_mem(&config->cert_mem, &config->cert_len, cert, len); } int -ressl_config_set_ciphers(struct ressl_config *config, const char *ciphers) +tls_config_set_ciphers(struct tls_config *config, const char *ciphers) { return set_string(&config->ciphers, ciphers); } int -ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name) +tls_config_set_ecdhcurve(struct tls_config *config, const char *name) { int nid; 
@@ -155,13 +155,13 @@ ressl_config_set_ecdhcurve(struct ressl_config *config, const char *name) } int -ressl_config_set_key_file(struct ressl_config *config, const char *key_file) +tls_config_set_key_file(struct tls_config *config, const char *key_file) { return set_string(&config->key_file, key_file); } int -ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key, +tls_config_set_key_mem(struct tls_config *config, const uint8_t *key, size_t len) { if (config->key_mem) @@ -170,31 +170,31 @@ ressl_config_set_key_mem(struct ressl_config *config, const uint8_t *key, } void -ressl_config_set_protocols(struct ressl_config *config, uint32_t protocols) +tls_config_set_protocols(struct tls_config *config, uint32_t protocols) { config->protocols = protocols; } void -ressl_config_set_verify_depth(struct ressl_config *config, int verify_depth) +tls_config_set_verify_depth(struct tls_config *config, int verify_depth) { config->verify_depth = verify_depth; } void -ressl_config_insecure_noverifyhost(struct ressl_config *config) +tls_config_insecure_noverifyhost(struct tls_config *config) { config->verify_host = 0; } void -ressl_config_insecure_noverifycert(struct ressl_config *config) +tls_config_insecure_noverifycert(struct tls_config *config) { config->verify_cert = 0; } void -ressl_config_verify(struct ressl_config *config) +tls_config_verify(struct tls_config *config) { config->verify_host = 1; config->verify_cert = 1; diff --git a/lib/libressl/ressl_init.3 b/lib/libtls/tls_init.3 index 81a32350ee0..faa9b995393 100644 --- a/lib/libressl/ressl_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ressl_init.3,v 1.9 2014/10/16 12:46:35 tedu Exp $ +.\" $OpenBSD: tls_init.3,v 1.1 2014/10/31 13:46:17 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" 
@@ -14,167 +14,167 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 16 2014 $
-.Dt RESSL 3
+.Dd $Mdocdate: October 31 2014 $
+.Dt TLS 3
 .Os
 .Sh NAME
-.Nm ressl_init ,
-.Nm ressl_error ,
-.Nm ressl_config_new ,
-.Nm ressl_config_free ,
-.Nm ressl_config_set_ca_file ,
-.Nm ressl_config_set_ca_path ,
-.Nm ressl_config_set_cert_file ,
-.Nm ressl_config_set_cert_mem ,
-.Nm ressl_config_set_ciphers ,
-.Nm ressl_config_set_ecdhcurve ,
-.Nm ressl_config_set_key_file ,
-.Nm ressl_config_set_key_mem ,
-.Nm ressl_config_set_protocols ,
-.Nm ressl_config_set_verify_depth ,
-.Nm ressl_config_clear_keys ,
-.Nm ressl_config_insecure_noverifyhost ,
-.Nm ressl_config_insecure_noverifycert ,
-.Nm ressl_config_verify ,
-.Nm ressl_client ,
-.Nm ressl_server ,
-.Nm ressl_configure ,
-.Nm ressl_reset ,
-.Nm ressl_close ,
-.Nm ressl_free ,
-.Nm ressl_connect ,
-.Nm ressl_connect_socket ,
-.Nm ressl_read ,
-.Nm ressl_write ,
-.Nd ressl TLS client and server API
+.Nm tls_init ,
+.Nm tls_error ,
+.Nm tls_config_new ,
+.Nm tls_config_free ,
+.Nm tls_config_set_ca_file ,
+.Nm tls_config_set_ca_path ,
+.Nm tls_config_set_cert_file ,
+.Nm tls_config_set_cert_mem ,
+.Nm tls_config_set_ciphers ,
+.Nm tls_config_set_ecdhcurve ,
+.Nm tls_config_set_key_file ,
+.Nm tls_config_set_key_mem ,
+.Nm tls_config_set_protocols ,
+.Nm tls_config_set_verify_depth ,
+.Nm tls_config_clear_keys ,
+.Nm tls_config_insecure_noverifyhost ,
+.Nm tls_config_insecure_noverifycert ,
+.Nm tls_config_verify ,
+.Nm tls_client ,
+.Nm tls_server ,
+.Nm tls_configure ,
+.Nm tls_reset ,
+.Nm tls_close ,
+.Nm tls_free ,
+.Nm tls_connect ,
+.Nm tls_connect_socket ,
+.Nm tls_read ,
+.Nm tls_write ,
+.Nd tls TLS client and server API
 .Sh SYNOPSIS
-.In ressl.h
+.In tls.h
 .Ft "int"
-.Fn ressl_init "void"
+.Fn tls_init "void"
 .Ft "const char *"
-.Fn ressl_error "struct ressl *ctx"
-.Ft "struct ressl_config *"
-.Fn ressl_config_new "void"
+.Fn tls_error "struct tls *ctx"
+.Ft "struct tls_config *"
+.Fn tls_config_new "void"
 .Ft "void"
-.Fn ressl_config_free "struct ressl_config *config"
+.Fn tls_config_free "struct tls_config *config"
 .Ft "int"
-.Fn ressl_config_set_ca_file "struct ressl_config *config" "const char *ca_file"
+.Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
 .Ft "int"
-.Fn ressl_config_set_ca_path "struct ressl_config *config" "const char *ca_path"
+.Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
 .Ft "int"
-.Fn ressl_config_set_cert_file "struct ressl_config *config" "const char *cert_file"
+.Fn tls_config_set_cert_file "struct tls_config *config" "const char *cert_file"
 .Ft "int"
-.Fn ressl_config_set_cert_mem "struct ressl_config *config" "const uint8_t *cert" "size_t len"
+.Fn tls_config_set_cert_mem "struct tls_config *config" "const uint8_t *cert" "size_t len"
 .Ft "int"
-.Fn ressl_config_set_ciphers "struct ressl_config *config" "const char *ciphers"
+.Fn tls_config_set_ciphers "struct tls_config *config" "const char *ciphers"
 .Ft "int"
-.Fn ressl_config_set_ecdhcurve "struct ressl_config *config" "const char *name"
+.Fn tls_config_set_ecdhcurve "struct tls_config *config" "const char *name"
 .Ft "int"
-.Fn ressl_config_set_key_file "struct ressl_config *config" "const char *key_file"
+.Fn tls_config_set_key_file "struct tls_config *config" "const char *key_file"
 .Ft "int"
-.Fn ressl_config_set_key_mem "struct ressl_config *config" "const uint8_t *key" "size_t len"
+.Fn tls_config_set_key_mem "struct tls_config *config" "const uint8_t *key" "size_t len"
 .Ft "int"
-.Fn ressl_config_set_protocols "struct ressl_config *config" "uint32_t protocols"
+.Fn tls_config_set_protocols "struct tls_config *config" "uint32_t protocols"
 .Ft "int"
-.Fn ressl_config_set_verify_depth "struct ressl_config *config" "int verify_depth"
+.Fn tls_config_set_verify_depth "struct tls_config *config" "int verify_depth"
.Ft "void" -.Fn ressl_config_clear_keys "struct ressl_config *config" +.Fn tls_config_clear_keys "struct tls_config *config" .Ft "void" -.Fn ressl_config_insecure_noverifyhost "struct ressl_config *config" +.Fn tls_config_insecure_noverifyhost "struct tls_config *config" .Ft "void" -.Fn ressl_config_insecure_noverifycert "struct ressl_config *config" +.Fn tls_config_insecure_noverifycert "struct tls_config *config" .Ft "void" -.Fn ressl_config_verify "struct ressl_config *config" -.Ft "struct ressl *" -.Fn ressl_client void -.Ft "struct ressl *" -.Fn ressl_server void +.Fn tls_config_verify "struct tls_config *config" +.Ft "struct tls *" +.Fn tls_client void +.Ft "struct tls *" +.Fn tls_server void .Ft "int" -.Fn ressl_configure "struct ressl *ctx" "struct ressl_config *config" +.Fn tls_configure "struct tls *ctx" "struct tls_config *config" .Ft "void" -.Fn ressl_reset "struct ressl *ctx" +.Fn tls_reset "struct tls *ctx" .Ft "int" -.Fn ressl_close "struct ressl *ctx" +.Fn tls_close "struct tls *ctx" .Ft "void" -.Fn ressl_free "struct ressl *ctx" +.Fn tls_free "struct tls *ctx" .Ft "int" -.Fn ressl_connect "struct ressl *ctx" "const char *host" "const char *port" +.Fn tls_connect "struct tls *ctx" "const char *host" "const char *port" .Ft "int" -.Fn ressl_connect_socket "struct ressl *ctx" "int s" "const char *hostname" +.Fn tls_connect_socket "struct tls *ctx" "int s" "const char *hostname" .Ft "int" -.Fn ressl_read "struct ressl *ctx" "void *buf" "size_t buflen" "size_t *outlen" +.Fn tls_read "struct tls *ctx" "void *buf" "size_t buflen" "size_t *outlen" .Ft "int" -.Fn ressl_write "struct ressl *ctx" "const void *buf" "size_t buflen" +.Fn tls_write "struct tls *ctx" "const void *buf" "size_t buflen" .Sh DESCRIPTION The -.Nm ressl +.Nm tls family of functions establishes a secure communications channel using the TLS socket protocol. Both clients and servers are supported. 
.Pp The -.Fn ressl_init +.Fn tls_init function should be called once before any function is used. .Pp Before a connection is created, a configuration must be created. The -.Fn ressl_config_new +.Fn tls_config_new function returns a new default configuration that can be used for future connections. Several functions exist to change the options of the configuration; see below. .Pp A -.Em ressl +.Em tls connection is represented as a .Em context . A new .Em context is created by either the -.Fn ressl_client +.Fn tls_client or -.Fn ressl_server +.Fn tls_server functions. The context can then be configured with the function -.Fn ressl_configure . +.Fn tls_configure . The same -.Em ressl_config +.Em tls_config object can be used to configure multiple contexts. .Pp A client connection is initiated after configuration by calling -.Fn ressl_connect . +.Fn tls_connect . This function will create a new socket, connect to the specified host and port, and then establish a secure connection. An already existing socket can be upgraded to a secure connection by calling -.Fn ressl_connect_socket . +.Fn tls_connect_socket . .Pp Two functions are provided for input and output, -.Fn ressl_read +.Fn tls_read and -.Fn ressl_write . +.Fn tls_write . .Pp -After use, a ressl +After use, a tls .Em context should be closed with -.Fn ressl_close , +.Fn tls_close , and then freed by calling -.Fn ressl_free . +.Fn tls_free . When no more contexts are to be created, the -.Em ressl_config +.Em tls_config object should be freed by calling -.Fn ressl_config_free . +.Fn tls_config_free . .Sh FUNCTIONS The -.Fn ressl_init +.Fn tls_init function initializes global data structures. It should be called once before any other functions. .Pp The following functions create and free configuration objects. .Bl -bullet -offset four .It -.Fn ressl_config_new +.Fn tls_config_new allocates a new default configuration object. .It -.Fn ressl_config_free +.Fn tls_config_free frees a configuration object. .El .Pp 
@@ -182,68 +182,68 @@ The following functions modify a configuration by setting parameters. Configuration options may apply to only clients or only servers or both. .Bl -bullet -offset four .It -.Fn ressl_config_set_ca_file +.Fn tls_config_set_ca_file sets the filename used to load a file containing the root certificates. .Em (Client) .It -.Fn ressl_config_set_ca_path +.Fn tls_config_set_ca_path sets the path (directory) which should be searched for root certificates. .Em (Client) .It -.Fn ressl_config_set_cert_file +.Fn tls_config_set_cert_file sets file from which the public certificate will be read. .Em (Client and server) .It -.Fn ressl_config_set_cert_mem +.Fn tls_config_set_cert_mem sets the public certificate directly from memory. .Em (Client and server) .It -.Fn ressl_config_set_ciphers +.Fn tls_config_set_ciphers sets the list of ciphers that may be used. .Em (Client and server) .It -.Fn ressl_config_set_key_file +.Fn tls_config_set_key_file sets the file from which the private key will be read. .Em (Server) .It -.Fn ressl_config_set_key_mem +.Fn tls_config_set_key_mem directly sets the private key from memory. .Em (Server) .It -.Fn ressl_config_set_protocols +.Fn tls_config_set_protocols sets which versions of the protocol may be used. Possible values are the bitwise OR of: .Pp -.Bl -tag -width "RESSL_PROTOCOL_TLSv1_2" -offset indent -compact -.It Dv RESSL_PROTOCOL_TLSv1_0 -.It Dv RESSL_PROTOCOL_TLSv1_1 -.It Dv RESSL_PROTOCOL_TLSv1_2 +.Bl -tag -width "TLS_PROTOCOL_TLSv1_2" -offset indent -compact +.It Dv TLS_PROTOCOL_TLSv1_0 +.It Dv TLS_PROTOCOL_TLSv1_1 +.It Dv TLS_PROTOCOL_TLSv1_2 .El .Pp Additionally, the values -.Dv RESSL_PROTOCOL_TLSv1 +.Dv TLS_PROTOCOL_TLSv1 (all TLS versions) and -.Dv RESSL_PROTOCOLS_DEFAULT +.Dv TLS_PROTOCOLS_DEFAULT (currently all TLS versions) may be used. .Em (Client and server) .It -.Fn ressl_config_clear_keys +.Fn tls_config_clear_keys clears any secret keys from memory. 
.Em (Server) .It -.Fn ressl_config_insecure_noverifyhost +.Fn tls_config_insecure_noverifyhost disables hostname verification. Be careful when using this option. .Em (Client) .It -.Fn ressl_config_insecure_noverifycert +.Fn tls_config_insecure_noverifycert disables certificate verification. Be extremely careful when using this option. .Em (Client) .It -.Fn ressl_config_verify +.Fn tls_config_verify reenables hostname and certificate verification. .Em (Client) .El @@ -251,28 +251,28 @@ reenables hostname and certificate verification. The following functions create, prepare, and free a connection context. .Bl -bullet -offset four .It -.Fn ressl_client -creates a new ressl context for client connections. +.Fn tls_client +creates a new tls context for client connections. .It -.Fn ressl_server -creates a new ressl context for server connections. +.Fn tls_server +creates a new tls context for server connections. .It -.Fn ressl_configure -readies a ressl context for use by applying the configuration +.Fn tls_configure +readies a tls context for use by applying the configuration options. .It -.Fn ressl_close +.Fn tls_close closes a connection after use. .It -.Fn ressl_free -frees a ressl context after use. +.Fn tls_free +frees a tls context after use. .El .Pp The following functions initiate a connection and perform input and output operations. .Bl -bullet -offset four .It -.Fn ressl_connect +.Fn tls_connect connects a client context to the server named by .Fa host . The @@ -280,10 +280,10 @@ The may be numeric or a service name. If it is NULL then a host of the format "hostname:port" is permitted. .It -.Fn ressl_connect_socket +.Fn tls_connect_socket connects a client context to an already established socket connection. .It -.Fn ressl_read +.Fn tls_read reads .Fa buflen bytes of data from the socket into 
@@ -291,7 +291,7 @@ bytes of data from the socket into
 The amount of data read is returned in
 .Fa outlen .
 .It
-.Fn ressl_write
+.Fn tls_write
 writes
 .Fa buflen
 bytes of data from
@@ -309,7 +309,7 @@ Functions that return a pointer will return NULL on error.
 .\" .Sh SEE ALSO
 .Sh HISTORY
 The
-.Nm ressl
+.Nm tls
 API first appeared in
 .Ox 5.6
 as a response to the unnecessary challenges other APIs present in
diff --git a/lib/libressl/ressl_internal.h b/lib/libtls/tls_internal.h
index b752b5fd88d..da696e228d3 100644
--- a/lib/libressl/ressl_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_internal.h,v 1.12 2014/10/03 14:14:40 tedu Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -16,8 +16,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#ifndef HEADER_RESSL_INTERNAL_H
-#define HEADER_RESSL_INTERNAL_H
+#ifndef HEADER_TLS_INTERNAL_H
+#define HEADER_TLS_INTERNAL_H
 #include <openssl/ssl.h>
@@ -25,7 +25,7 @@
 #define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem"
-struct ressl_config {
+struct tls_config {
 const char *ca_file;
 const char *ca_path;
 const char *cert_file;
@@ -42,12 +42,12 @@ struct ressl_config {
 int verify_depth;
 };
-#define RESSL_CLIENT (1 << 0)
-#define RESSL_SERVER (1 << 1)
-#define RESSL_SERVER_CONN (1 << 2)
+#define TLS_CLIENT (1 << 0)
+#define TLS_SERVER (1 << 1)
+#define TLS_SERVER_CONN (1 << 2)
-struct ressl {
- struct ressl_config *config;
+struct tls {
+ struct tls_config *config;
 uint64_t flags;
 int err;
@@ -59,14 +59,14 @@ struct ressl {
 SSL_CTX *ssl_ctx;
 };
-struct ressl *ressl_new(void);
-struct ressl *ressl_server_conn(struct ressl *ctx);
+struct tls *tls_new(void);
+struct tls *tls_server_conn(struct tls *ctx);
-int ressl_check_hostname(X509 *cert, const char *host);
-int ressl_configure_keypair(struct ressl *ctx);
-int ressl_configure_server(struct ressl *ctx);
-int ressl_configure_ssl(struct ressl *ctx);
-int ressl_host_port(const char *hostport, char **host, char **port);
-int ressl_set_error(struct ressl *ctx, char *fmt, ...);
+int tls_check_hostname(X509 *cert, const char *host);
+int tls_configure_keypair(struct tls *ctx);
+int tls_configure_server(struct tls *ctx);
+int tls_configure_ssl(struct tls *ctx);
+int tls_host_port(const char *hostport, char **host, char **port);
+int tls_set_error(struct tls *ctx, char *fmt, ...);
-#endif /* HEADER_RESSL_INTERNAL_H */
+#endif /* HEADER_TLS_INTERNAL_H */
diff --git a/lib/libressl/ressl_server.c b/lib/libtls/tls_server.c
index 4783674a0b9..001f19ded4d 100644
--- a/lib/libressl/ressl_server.c
+++ b/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_server.c,v 1.11 2014/10/15 14:08:26 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -18,48 +18,48 @@
 #include <openssl/ec.h>
 #include <openssl/ssl.h>
-#include <ressl.h>
-#include "ressl_internal.h"
+#include <tls.h>
+#include "tls_internal.h"
-struct ressl *
-ressl_server(void)
+struct tls *
+tls_server(void)
 {
- struct ressl *ctx;
+ struct tls *ctx;
- if ((ctx = ressl_new()) == NULL)
 return (NULL);
- ctx->flags |= RESSL_SERVER;
+ if ((ctx = tls_new()) == NULL)
 return (NULL);
+ ctx->flags |= TLS_SERVER;
 return (ctx);
 }
-struct ressl *
-ressl_server_conn(struct ressl *ctx)
+struct tls *
+tls_server_conn(struct tls *ctx)
 {
- struct ressl *conn_ctx;
+ struct tls *conn_ctx;
- if ((conn_ctx = ressl_new()) == NULL)
 return (NULL);
- conn_ctx->flags |= RESSL_SERVER_CONN;
+ if ((conn_ctx = tls_new()) == NULL)
 return (NULL);
+ conn_ctx->flags |= TLS_SERVER_CONN;
 return (conn_ctx);
 }
 int
-ressl_configure_server(struct ressl *ctx)
+tls_configure_server(struct tls *ctx)
 {
 EC_KEY *ecdh_key;
 if ((ctx->ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
- ressl_set_error(ctx, "ssl context failure");
+ tls_set_error(ctx, "ssl context failure");
 goto err;
 }
- if (ressl_configure_ssl(ctx) != 0)
+ if (tls_configure_ssl(ctx) != 0)
 goto err;
- if (ressl_configure_keypair(ctx) != 0)
+ if (tls_configure_keypair(ctx) != 0)
 goto err;
 if (ctx->config->ecdhcurve == -1) {
@@ -67,7 +67,7 @@ ressl_configure_server(struct ressl *ctx)
 } else if (ctx->config->ecdhcurve != NID_undef) {
 if ((ecdh_key = EC_KEY_new_by_curve_name(
 ctx->config->ecdhcurve)) == NULL) {
- ressl_set_error(ctx, "failed to set ECDH curve");
+ tls_set_error(ctx, "failed to set ECDH curve");
 goto err;
 }
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_SINGLE_ECDH_USE);
@@ -82,43 +82,19 @@ err:
 }
 int
-ressl_listen(struct ressl *ctx, const char *host, const char *port, int af)
+tls_accept_socket(struct tls *ctx, struct tls **cctx, int socket)
 {
- if ((ctx->flags & RESSL_SERVER) == 0) {
- ressl_set_error(ctx, "not a server context");
- goto err;
- }
-
-err:
- return (-1);
- }
-
-int
-ressl_accept(struct ressl *ctx, struct ressl **cctx)
-{
- if ((ctx->flags & RESSL_SERVER) == 0) {
- ressl_set_error(ctx, "not a server context");
- goto err;
- }
-
-err:
- return (-1);
- }
-
-int
-ressl_accept_socket(struct ressl *ctx, struct ressl **cctx, int socket)
-{
- struct ressl *conn_ctx = *cctx;
+ struct tls *conn_ctx = *cctx;
 int ret, ssl_err;
- if ((ctx->flags & RESSL_SERVER) == 0) {
- ressl_set_error(ctx, "not a server context");
+ if ((ctx->flags & TLS_SERVER) == 0) {
+ tls_set_error(ctx, "not a server context");
 goto err;
 }
 if (conn_ctx == NULL) {
- if ((conn_ctx = ressl_server_conn(ctx)) == NULL) {
- ressl_set_error(ctx, "connection context failure");
+ if ((conn_ctx = tls_server_conn(ctx)) == NULL) {
+ tls_set_error(ctx, "connection context failure");
 goto err;
 }
 *cctx = conn_ctx;
@@ -126,12 +102,12 @@ ressl_accept_socket(struct ressl *ctx, struct ressl **cctx, int socket)
 conn_ctx->socket = socket;
 if ((conn_ctx->ssl_conn = SSL_new(ctx->ssl_ctx)) == NULL) {
- ressl_set_error(ctx, "ssl failure");
+ tls_set_error(ctx, "ssl failure");
 goto err;
 }
 if (SSL_set_fd(conn_ctx->ssl_conn, socket) != 1) {
- ressl_set_error(ctx, "ssl set fd failure");
+ tls_set_error(ctx, "ssl set fd failure");
 goto err;
 }
 SSL_set_app_data(conn_ctx->ssl_conn, conn_ctx);
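Review bot: In tls_accept_socket, `*cctx = conn_ctx;` hands the context allocated by tls_server_conn() to the caller before the `SSL_new()` and `SSL_set_fd()` calls in the following hunk can still fail, so a caller that passed a NULL *cctx can be left holding a partially initialised context together with a -1 return. The `err:` label that decides whether that context is freed lies outside this hunk (the function's body continues past this hunk and the next), so who owns `*cctx` on failure cannot be confirmed from here. Whichever it is, a comment above the function should state the contract, e.g. `/* On failure *cctx may point at a context allocated here; the caller must tls_free() it. */`, adjusted to what err: actually does. Separately, with ressl_listen() and ressl_accept() removed, tls_accept_socket is the library's only server-side accept entry point, yet the tls_init.3 SYNOPSIS rewritten in this commit lists tls_connect and tls_connect_socket but no accept function.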
@@ -141,11 +117,11 @@ ressl_accept_socket(struct ressl *ctx, struct ressl **cctx, int socket)
 ssl_err = SSL_get_error(conn_ctx->ssl_conn, ret);
 switch (ssl_err) {
 case SSL_ERROR_WANT_READ:
- return (RESSL_READ_AGAIN);
+ return (TLS_READ_AGAIN);
 case SSL_ERROR_WANT_WRITE:
- return (RESSL_WRITE_AGAIN);
+ return (TLS_WRITE_AGAIN);
 default:
- ressl_set_error(ctx, "ssl accept failure (%i)",
+ tls_set_error(ctx, "ssl accept failure (%i)",
 ssl_err);
 goto err;
 }
diff --git a/lib/libressl/ressl_util.c b/lib/libtls/tls_util.c
index d8b8f51738e..2adfb674b8f 100644
--- a/lib/libressl/ressl_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_util.c,v 1.2 2014/08/05 12:46:16 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -17,7 +17,7 @@
 #include <stdlib.h>
-#include "ressl_internal.h"
+#include "tls_internal.h"
 /*
 * Extract the host and port from a colon separated value. For a literal IPv6
@@ -28,7 +28,7 @@
 * On memory allocation failure -1 will be returned.
 */
 int
-ressl_host_port(const char *hostport, char **host, char **port)
+tls_host_port(const char *hostport, char **host, char **port)
 {
 char *h, *p, *s;
 int rv = 1;
diff --git a/lib/libressl/ressl_verify.c b/lib/libtls/tls_verify.c
index 5e9f370e1cc..fa0010922fc 100644
--- a/lib/libressl/ressl_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_verify.c,v 1.5 2014/10/06 11:55:48 jca Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 *
@@ -24,14 +24,14 @@
 #include <openssl/x509v3.h>
-#include "ressl_internal.h"
+#include "tls_internal.h"
-int ressl_match_hostname(const char *cert_hostname, const char *hostname);
-int ressl_check_subject_altname(X509 *cert, const char *host);
-int ressl_check_common_name(X509 *cert, const char *host);
+int tls_match_hostname(const char *cert_hostname, const char *hostname);
+int tls_check_subject_altname(X509 *cert, const char *host);
+int tls_check_common_name(X509 *cert, const char *host);
 int
-ressl_match_hostname(const char *cert_hostname, const char *hostname)
+tls_match_hostname(const char *cert_hostname, const char *hostname)
 {
 const char *cert_domain, *domain, *next_dot;
@@ -80,7 +80,7 @@ ressl_match_hostname(const char *cert_hostname, const char *hostname)
 }
 int
-ressl_check_subject_altname(X509 *cert, const char *host)
+tls_check_subject_altname(X509 *cert, const char *host)
 {
 STACK_OF(GENERAL_NAME) *altname_stack = NULL;
 union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
@@ -131,7 +131,7 @@ ressl_check_subject_altname(X509 *cert, const char *host)
 break;
 }
- if (ressl_match_hostname(data, host) == 0) {
+ if (tls_match_hostname(data, host) == 0) {
 rv = 0;
 break;
 }
@@ -160,7 +160,7 @@ ressl_check_subject_altname(X509 *cert, const char *host)
 }
 int
-ressl_check_common_name(X509 *cert, const char *host)
+tls_check_common_name(X509 *cert, const char *host)
 {
 X509_NAME *name;
 char *common_name = NULL;
@@ -205,7 +205,7 @@ ressl_check_common_name(X509 *cert, const char *host)
 goto out;
 }
- if (ressl_match_hostname(common_name, host) == 0)
+ if (tls_match_hostname(common_name, host) == 0)
 rv = 0;
 out:
 free(common_name);
@@ -213,13 +213,13 @@ out:
 }
 int
-ressl_check_hostname(X509 *cert, const char *host)
+tls_check_hostname(X509 *cert, const char *host)
 {
 int rv;
- rv = ressl_check_subject_altname(cert, host);
+ rv = tls_check_subject_altname(cert, host);
 if (rv == 0 || rv == -2)
 return rv;
- return ressl_check_common_name(cert, host);
+ return tls_check_common_name(cert, host);
 }
diff --git a/share/mk/bsd.README b/share/mk/bsd.README
index edcc864f173..5f3444f4fbe 100644
--- a/share/mk/bsd.README
+++ b/share/mk/bsd.README
@@ -1,4 +1,4 @@
-# $OpenBSD: bsd.README,v 1.58 2014/10/13 14:31:01 schwarze Exp $
+# $OpenBSD: bsd.README,v 1.59 2014/10/31 13:46:17 jsing Exp $
 # $NetBSD: bsd.README,v 1.17 1996/04/13 02:08:08 thorpej Exp $
 # @(#)bsd.README 5.1 (Berkeley) 5/11/90
@@ -355,13 +355,13 @@ DPADD Additional dependencies for the program. Usually used for
 LIBPCAP /usr/lib/libpcap.a
 LIBPERL /usr/lib/libperl.a
 LIBPTHREAD /usr/lib/libpthread.a
- LIBRESSL /usr/lib/libressl.a
 LIBRPCSVC /usr/lib/librpcsvc.a
 LIBSKEY /usr/lib/libskey.a
 LIBSNDIO /usr/lib/libsndio.a
 LIBSSL /usr/lib/libssl.a
 LIBTERMCAP /usr/lib/libtermcap.a
 LIBTERMLIB /usr/lib/libtermlib.a
+ LIBTLS /usr/lib/libtls.a
 LIBUSB /usr/lib/libusbhid.a
 LIBUTIL /usr/lib/libutil.a
 LIBY /usr/lib/liby.a
diff --git a/share/mk/bsd.prog.mk b/share/mk/bsd.prog.mk
index d6b797fe9a8..cbfb3776f74 100644
--- a/share/mk/bsd.prog.mk
+++ b/share/mk/bsd.prog.mk
@@ -1,4 +1,4 @@
-# $OpenBSD: bsd.prog.mk,v 1.64 2014/09/29 19:37:51 gsoares Exp $
+# $OpenBSD: bsd.prog.mk,v 1.65 2014/10/31 13:46:17 jsing Exp $
 # $NetBSD: bsd.prog.mk,v 1.55 1996/04/08 21:19:26 jtc Exp $
 # @(#)bsd.prog.mk 5.26 (Berkeley) 6/25/91
@@ -48,11 +48,11 @@ LIBPANELW?= ${DESTDIR}/usr/lib/libpanelw.a
 LIBPCAP?= ${DESTDIR}/usr/lib/libpcap.a
 LIBPERL?= ${DESTDIR}/usr/lib/libperl.a
 LIBPTHREAD?= ${DESTDIR}/usr/lib/libpthread.a
-LIBRESSL?= ${DESTDIR}/usr/lib/libressl.a
 LIBRPCSVC?= ${DESTDIR}/usr/lib/librpcsvc.a
 LIBSKEY?= ${DESTDIR}/usr/lib/libskey.a
 LIBSNDIO?= ${DESTDIR}/usr/lib/libsndio.a
 LIBSSL?= ${DESTDIR}/usr/lib/libssl.a
+LIBTLS?= ${DESTDIR}/usr/lib/libtls.a
 LIBTERMCAP?= ${DESTDIR}/usr/lib/libtermcap.a
 LIBTERMLIB?= ${DESTDIR}/usr/lib/libtermlib.a
 LIBUSB?= ${DESTDIR}/usr/lib/libusbhid.a
|
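Review bot: `LIBTLS?=` is inserted between `LIBSSL?=` and `LIBTERMCAP?=`, which breaks the alphabetical ordering the rest of this list keeps (TERMCAP and TERMLIB sort before TLS) and disagrees with bsd.README in the same commit, where LIBTLS is placed after LIBTERMLIB. Moving the line below `LIBTERMLIB?= ${DESTDIR}/usr/lib/libtermlib.a` keeps the two files in the same order and makes the next addition easier to place.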