diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/tls.h | 8 | ||||
-rw-r--r-- | lib/libtls/tls_config.c | 58 | ||||
-rw-r--r-- | lib/libtls/tls_conninfo.c | 15 | ||||
-rw-r--r-- | lib/libtls/tls_init.3 | 29 | ||||
-rw-r--r-- | lib/libtls/tls_internal.h | 3 |
5 files changed, 107 insertions, 6 deletions
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h index 13df43f0461..7a68c3d0d36 100644 --- a/lib/libtls/tls.h +++ b/lib/libtls/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.33 2016/08/12 15:10:59 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.34 2016/08/22 14:55:59 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -52,6 +52,11 @@ const char *tls_error(struct tls *_ctx); struct tls_config *tls_config_new(void); void tls_config_free(struct tls_config *_config); +int tls_config_add_keypair_file(struct tls_config *_config, + const char *_cert_file, const char *_key_file); +int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert, + size_t _cert_len, const uint8_t *_key, size_t _key_len); + int tls_config_set_alpn(struct tls_config *_config, const char *_alpn); int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file); int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path); @@ -119,6 +124,7 @@ time_t tls_peer_cert_notafter(struct tls *_ctx); const char *tls_conn_alpn_selected(struct tls *_ctx); const char *tls_conn_cipher(struct tls *_ctx); +const char *tls_conn_servername(struct tls *_ctx); const char *tls_conn_version(struct tls *_ctx); uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password); diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c index 0d52704aa81..c07621acaf2 100644 --- a/lib/libtls/tls_config.c +++ b/lib/libtls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.27 2016/08/13 13:15:53 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.28 2016/08/22 14:55:59 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -227,6 +227,18 @@ tls_config_free(struct tls_config *config) free(config); } +static void +tls_config_keypair_add(struct tls_config *config, struct tls_keypair *keypair) +{ + struct tls_keypair *kp; + + kp = config->keypair; + while (kp->next != NULL) + kp = kp->next; + + kp->next = keypair; +} + const char * tls_config_error(struct tls_config *config) { @@ -370,6 +382,50 @@ tls_config_set_alpn(struct tls_config *config, const char *alpn) } int +tls_config_add_keypair_file(struct tls_config *config, + const char *cert_file, const char *key_file) +{ + struct tls_keypair *keypair; + + if ((keypair = tls_keypair_new()) == NULL) + return (-1); + if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0) + goto err; + if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0) + goto err; + + tls_config_keypair_add(config, keypair); + + return (0); + + err: + tls_keypair_free(keypair); + return (-1); +} + +int +tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert, + size_t cert_len, const uint8_t *key, size_t key_len) +{ + struct tls_keypair *keypair; + + if ((keypair = tls_keypair_new()) == NULL) + return (-1); + if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0) + goto err; + if (tls_keypair_set_key_mem(keypair, key, key_len) != 0) + goto err; + + tls_config_keypair_add(config, keypair); + + return (0); + + err: + tls_keypair_free(keypair); + return (-1); +} + +int tls_config_set_ca_file(struct tls_config *config, const char *ca_file) { return tls_config_load_file(&config->error, "CA", ca_file, diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c index 523b2798d36..281af798665 100644 --- a/lib/libtls/tls_conninfo.c +++ b/lib/libtls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.9 2016/08/15 14:47:41 jsing Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.10 2016/08/22 14:55:59 jsing Exp $ */ /* * Copyright (c) 2015 Joel Sing <jsing@openbsd.org> * Copyright (c) 2015 Bob Beck <beck@openbsd.org> @@ -199,6 +199,11 @@ tls_get_conninfo(struct tls *ctx) goto err; if (tls_conninfo_alpn_proto(ctx) == -1) goto err; + if (ctx->servername != NULL) { + if ((ctx->conninfo->servername = + strdup(ctx->servername)) == NULL) + goto err; + } return (0); err: @@ -242,6 +247,14 @@ tls_conn_cipher(struct tls *ctx) } const char * +tls_conn_servername(struct tls *ctx) +{ + if (ctx->conninfo == NULL) + return (NULL); + return (ctx->conninfo->servername); +} + +const char * tls_conn_version(struct tls *ctx) { if (ctx->conninfo == NULL) diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3 index cd984500355..4d7367408be 100644 --- a/lib/libtls/tls_init.3 +++ b/lib/libtls/tls_init.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tls_init.3,v 1.66 2016/08/18 15:43:12 jsing Exp $ +.\" $OpenBSD: tls_init.3,v 1.67 2016/08/22 14:55:59 jsing Exp $ .\" .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: August 18 2016 $ +.Dd $Mdocdate: August 22 2016 $ .Dt TLS_INIT 3 .Os .Sh NAME @@ -24,6 +24,8 @@ .Nm tls_config_new , .Nm tls_config_free , .Nm tls_config_parse_protocols , +.Nm tls_config_add_keypair_file , +.Nm tls_config_add_keypair_mem , .Nm tls_config_set_alpn , .Nm tls_config_set_ca_file , .Nm tls_config_set_ca_path , @@ -57,6 +59,7 @@ .Nm tls_peer_cert_notafter , .Nm tls_conn_alpn_selected , .Nm tls_conn_cipher , +.Nm tls_conn_servername , .Nm tls_conn_version , .Nm tls_load_file , .Nm tls_client , @@ -90,6 +93,10 @@ .Ft "int" .Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr" .Ft "int" +.Fn tls_config_add_keypair_file "struct tls_config *config" "const char *cert_file" "const char *key_file" +.Ft "int" +.Fn tls_config_add_keypair_mem "struct tls_config *config" "const uint8_t *cert" "size_t cert_len" "const uint8_t *key" "size_t key_len" +.Ft "int" .Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn" .Ft "int" .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file" @@ -156,6 +163,8 @@ .Ft "const char *" .Fn tls_conn_cipher "struct tls *ctx" .Ft "const char *" +.Fn tls_conn_servername "struct tls *ctx" +.Ft "const char *" .Fn tls_conn_version "struct tls *ctx" .Ft "uint8_t *" .Fn tls_load_file "const char *file" "size_t *len" "char *password" @@ -301,6 +310,16 @@ The following functions modify a configuration by setting parameters (the configuration options may only apply to clients, to servers or to both): .Bl -bullet -offset four .It +.Fn tls_config_add_keypair_file +adds an additional public certificate and private key from the specified files, +used as an alternative certificate for Server Name Indication. +.Em (Server) +.It +.Fn tls_config_set_keypair_mem +adds an additional public certificate and private key from memory, +used as an alternative certificate for Server Name Indication. +.Em (Server) +.It .Fn tls_config_set_alpn sets the ALPN protocols that are supported. The alpn string is a comma separated list of protocols, in order of preference. @@ -445,6 +464,12 @@ connected to .Ar ctx . .Em (Server and client) .It +.Fn tls_conn_servername +returns a string corresponding to the servername that the client connected to +.Ar ctx +requested by sending a TLS Server Name Indication extension. +.Em (Server) +.It .Fn tls_conn_version returns a string corresponding to a TLS version negotiated with the peer connected to diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index 428e29c8577..3fcc7a021fa 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.40 2016/08/22 14:51:37 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.41 2016/08/22 14:55:59 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -74,6 +74,7 @@ struct tls_config { struct tls_conninfo { char *alpn; char *cipher; + char *servername; char *version; char *hash; |