From 2bba7dc5c89d676d237d552502ff325af9a07e25 Mon Sep 17 00:00:00 2001
From: Bob Beck
Date: Tue, 31 Jan 2017 16:18:58 +0000
Subject: Add tls_config_[add|set]keypair_ocsp functions so that ocsp staples may be added associated to a keypair used for SNI, and are usable for more than just the "main" certificate. Modify httpd to use this. Bump libtls minor. ok jsing@
---
 lib/libtls/Symbols.list | 4 +
 lib/libtls/man/tls_config_ocsp_require_stapling.3 | 33 ++-----
 lib/libtls/man/tls_load_file.3 | 97 ++++++++++++++++---
 lib/libtls/shlib_version | 2 +-
 lib/libtls/tls.h | 18 +++-
 lib/libtls/tls_config.c | 113 +++++++++++++++++++---
 usr.sbin/httpd/server.c | 23 ++---
 7 files changed, 217 insertions(+), 73 deletions(-)
diff --git a/lib/libtls/Symbols.list b/lib/libtls/Symbols.list
index a033e3e2420..eb704ecbd25 100644
--- a/lib/libtls/Symbols.list
+++ b/lib/libtls/Symbols.list
@@ -5,6 +5,8 @@ tls_client
 tls_close
 tls_config_add_keypair_file
 tls_config_add_keypair_mem
+tls_config_add_keypair_ocsp_file
+tls_config_add_keypair_ocsp_mem
 tls_config_add_ticket_key
 tls_config_clear_keys
 tls_config_error
@@ -30,6 +32,8 @@ tls_config_set_key_file
 tls_config_set_key_mem
 tls_config_set_keypair_file
 tls_config_set_keypair_mem
+tls_config_set_keypair_ocsp_file
+tls_config_set_keypair_ocsp_mem
 tls_config_set_ocsp_staple_mem
 tls_config_set_ocsp_staple_file
 tls_config_set_protocols
diff --git a/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/lib/libtls/man/tls_config_ocsp_require_stapling.3
index 0f532cf8c01..b8b76009041 100644
--- a/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ b/lib/libtls/man/tls_config_ocsp_require_stapling.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.3 2017/01/28 00:59:36 schwarze Exp $
+.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.4 2017/01/31 16:18:57 beck Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck
 .\"
@@ -14,46 +14,25 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 28 2017 $
+.Dd $Mdocdate: January 31 2017 $
 .Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
 .Os
 .Sh NAME
 .Nm tls_config_ocsp_require_stapling ,
-.Nm tls_config_set_ocsp_staple_mem ,
-.Nm tls_config_set_ocsp_staple_file
 .Nd OCSP configuration for libtls
 .Sh SYNOPSIS
 .In tls.h
 .Ft void
 .Fn tls_config_ocsp_require_stapling "struct tls_config *config"
-.Ft int
-.Fo tls_config_set_ocsp_staple_mem
-.Fa "struct tls_config *config"
-.Fa "const char *staple"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo tls_config_set_ocsp_staple_file
-.Fa "struct tls_config *config"
-.Fa "const char *staple_file"
 .Fc
 .Sh DESCRIPTION
 .Fn tls_config_ocsp_require_stapling
 requires that a valid stapled OCSP response be provided during the TLS handshake.
-.Pp
-.Fn tls_config_set_ocsp_staple_file
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-the specified file.
-.Pp
-.Fn tls_config_set_ocsp_staple_mem
-sets a DER-encoded OCSP response to be stapled during the TLS handshake from
-memory.
-.Sh RETURN VALUES
-.Fn tls_config_set_ocsp_staple_mem
-and
-.Fn tls_config_set_ocsp_staple_file
-return 0 on success or -1 on error.
 .Sh SEE ALSO
+.Xr tls_config_set_keypair_file 3 ,
+.Xr tls_config_set_keypair_mem 3 ,
+.Xr tls_config_add_keypair_file 3 ,
+.Xr tls_config_add_keypair_mem 3 ,
 .Xr tls_handshake 3 ,
 .Xr tls_init 3 ,
 .Xr tls_ocsp_process_response 3
diff --git a/lib/libtls/man/tls_load_file.3 b/lib/libtls/man/tls_load_file.3
index eeebd0339ec..6c0a025955b 100644
--- a/lib/libtls/man/tls_load_file.3
+++ b/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.3 2017/01/28 00:59:36 schwarze Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.4 2017/01/31 16:18:57 beck Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\" Copyright (c) 2015 Reyk Floeter
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 28 2017 $
+.Dd $Mdocdate: January 31 2017 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -29,9 +29,15 @@
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_key_file ,
 .Nm tls_config_set_key_mem ,
+.Nm tls_config_set_ocsp_staple_mem ,
+.Nm tls_config_set_ocsp_staple_file
 .Nm tls_config_set_keypair_file ,
 .Nm tls_config_set_keypair_mem ,
+.Nm tls_config_set_keypair_ocsp_file ,
+.Nm tls_config_set_keypair_ocsp_mem ,
 .Nm tls_config_add_keypair_file ,
+.Nm tls_config_add_keypair_ocsp_mem ,
+.Nm tls_config_add_keypair_ocsp_file ,
 .Nm tls_config_add_keypair_mem ,
 .Nm tls_config_clear_keys ,
 .Nm tls_config_set_verify_depth ,
@@ -83,6 +89,17 @@
 .Fa "struct tls_config *config"
 .Fa "const uint8_t *key"
 .Fa "size_t len"
+.Ft int
+.Fc
+.Fo tls_config_set_ocsp_staple_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *staple"
+.Fa "size_t len"
+.Fc
+.Ft int
+.Fo tls_config_set_ocsp_staple_file
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *staple_file"
 .Fc
 .Ft int
 .Fo tls_config_set_keypair_file
@@ -99,6 +116,23 @@
 .Fa "size_t key_len"
 .Fc
 .Ft int
+.Fo tls_config_set_keypair_ocsp_file
+.Fa "struct tls_config *config"
+.Fa "const char *cert_file"
+.Fa "const char *key_file"
+.Fa "const char *staple_file"
+.Fc
+.Ft int
+.Fo tls_config_set_keypair_ocsp_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *cert"
+.Fa "size_t cert_len"
+.Fa "const uint8_t *key"
+.Fa "size_t key_len"
+.Fa "const uint8_t *staple"
+.Fa "size_t staple_len"
+.Fc
+.Ft int
 .Fo tls_config_add_keypair_file
 .Fa "struct tls_config *config"
 .Fa "const char *cert_file"
@@ -112,6 +146,23 @@
 .Fa "const uint8_t *key"
 .Fa "size_t key_len"
 .Fc
+.Ft int
+.Fo tls_config_add_keypair_ocsp_file
+.Fa "struct tls_config *config"
+.Fa "const char *cert_file"
+.Fa "const char *key_file"
+.Fa "const char *staple_file"
+.Fc
+.Ft int
+.Fo tls_config_add_keypair_ocsp_mem
+.Fa "struct tls_config *config"
+.Fa "const uint8_t *cert"
+.Fa "size_t cert_len"
+.Fa "const uint8_t *key"
+.Fa "size_t key_len"
+.Fa "const uint8_t *staple"
+.Fa "size_t staple_len"
+.Fc
 .Ft void
 .Fn tls_config_clear_keys "struct tls_config *config"
 .Ft int
@@ -157,19 +208,46 @@ sets the file from which the private key will be read.
 .Fn tls_config_set_key_mem
 directly sets the private key from memory.
 .Pp
+.Fn tls_config_set_ocsp_staple_file
+sets a DER-encoded OCSP response to be stapled during the TLS handshake from
+the specified file.
+.Pp
+.Fn tls_config_set_ocsp_staple_mem
+sets a DER-encoded OCSP response to be stapled during the TLS handshake from
+memory.
+.Pp
 .Fn tls_config_set_keypair_file
-sets the files from which the public certificate and private key will be read.
+sets the files from which the public certificate, and private key will be read.
 .Pp
 .Fn tls_config_set_keypair_mem
-directly sets the public certificate and private key from memory.
+directly sets the public certificate, and private key from memory.
+.Pp
+.Fn tls_config_set_keypair_file
+sets the files from which the public certificate, private key, and DER encoded
+ocsp staple will be read.
+.Pp
+.Fn tls_config_set_keypair_ocsp_mem
+directly sets the public certificate, private key, and DER encoded OCSP staple
+from memory.
 .Pp
 .Fn tls_config_add_keypair_file
-adds an additional public certificate and private key from the specified files,
+adds an additional public certificate, and private key from the specified files,
 used as an alternative certificate for Server Name Indication (server only).
 .Pp
 .Fn tls_config_add_keypair_mem
-adds an additional public certificate and private key from memory,
-used as an alternative certificate for Server Name Indication (server only).
+adds an additional public certificate, and private key from memory, used as an
+alternative certificate for Server Name Indication (server only).
+.Pp
+.Pp
+.Fn tls_config_add_keypair_ocsp_file
+adds an additional public certificate, private key, and DER encoded OCSP staple
+from the specified files, used as an alternative certificate for Server Name
+Indication (server only).
+.Pp
+.Fn tls_config_add_keypair_ocsp_mem
+adds an additional public certificate, private key, and DER encoded OCSP staple
+from memory, used as an alternative certificate for Server Name Indication
+(server only).
 .Pp
 .Fn tls_config_clear_keys
 clears any secret keys from memory.
@@ -240,12 +318,7 @@ in
 .An Joel Sing Aq Mt jsing@openbsd.org
 with contibutions from
 .An Ted Unangst Aq Mt tedu@openbsd.org
-.Pp
-.An -nosplit
-.Fn tls_config_verify_client and
-.Fn tls_config_verify_client_optional
-were written by
 .An Bob Beck Aq Mt beck@openbsd.org .
 .Pp
 .Fn tls_load_file
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index 998729533f3..a822f1f1801 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
 major=15
-minor=2
+minor=3
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 5680c741827..d9b2972e92a 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.46 2017/01/26 12:53:17 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.47 2017/01/31 16:18:57 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -89,7 +89,12 @@ int tls_config_add_keypair_file(struct tls_config *_config,
     const char *_cert_file, const char *_key_file);
 int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
     size_t _cert_len, const uint8_t *_key, size_t _key_len);
-
+int tls_config_add_keypair_ocsp_file(struct tls_config *_config,
+    const char *_cert_file, const char *_key_file,
+    const char *_ocsp_staple_file);
+int tls_config_add_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len,
+    const uint8_t *_staple, size_t _staple_len);
 int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
 int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
 int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
@@ -109,8 +114,13 @@ int tls_config_set_keypair_file(struct tls_config *_config,
     const char *_cert_file, const char *_key_file);
 int tls_config_set_keypair_mem(struct tls_config *_config, const uint8_t *_cert,
     size_t _cert_len, const uint8_t *_key, size_t _key_len);
-int tls_config_set_ocsp_staple_mem(struct tls_config *_config, char *_staple,
-    size_t _len);
+int tls_config_set_keypair_ocsp_file(struct tls_config *_config,
+    const char *_cert_file, const char *_key_file, const char *_staple_file);
+int tls_config_set_keypair_ocsp_mem(struct tls_config *_config, const uint8_t *_cert,
+    size_t _cert_len, const uint8_t *_key, size_t _key_len,
+    const uint8_t *_staple, size_t staple_len);
+int tls_config_set_ocsp_staple_mem(struct tls_config *_config,
+    const uint8_t *_staple, size_t _len);
 int tls_config_set_ocsp_staple_file(struct tls_config *_config,
     const char *_staple_file);
 int tls_config_set_protocols(struct tls_config *_config, uint32_t _protocols);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 83c649fd510..87c2166f9ea 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.35 2017/01/29 17:52:11 beck Exp $ */
+/* $OpenBSD: tls_config.c,v 1.36 2017/01/31 16:18:57 beck Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -416,9 +416,9 @@ tls_config_set_alpn(struct tls_config *config, const char *alpn)
 	    &config->alpn_len);
 }
 
-int
-tls_config_add_keypair_file(struct tls_config *config,
-    const char *cert_file, const char *key_file)
+static int
+tls_config_add_keypair_file_internal(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
 {
 	struct tls_keypair *keypair;
 
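Review bot: The new `tls_config_set_keypair_ocsp_mem` prototype names its last parameter `staple_len` without the leading underscore that every other parameter in tls.h carries (`_config`, `_cert_len`, `_staple`); the header uses that prefix so that prototype parameter names cannot collide with macros defined by including code, so this one should read `const uint8_t *_staple, size_t _staple_len);`. The naming of the staple-file argument also drifts across the new declarations: `_staple_file` here, `_ocsp_staple_file` in the `tls_config_add_keypair_ocsp_file` prototype of the preceding hunk, and `ocsp_file` in the tls_config.c definitions; picking one name in the header would make the manual page and the implementation easier to keep consistent.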
@@ -428,6 +428,10 @@ tls_config_add_keypair_file(struct tls_config *config,
 		goto err;
 	if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
 		goto err;
+	if (ocsp_file != NULL &&
+	    tls_keypair_set_ocsp_staple_file(keypair, &config->error,
+	    ocsp_file) != 0)
+		goto err;
 
 	tls_config_keypair_add(config, keypair);
 
@@ -438,9 +442,10 @@ tls_config_add_keypair_file(struct tls_config *config,
 	return (-1);
 }
 
-int
-tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
-    size_t cert_len, const uint8_t *key, size_t key_len)
+static int
+tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
 {
 	struct tls_keypair *keypair;
 
@@ -450,6 +455,9 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
 		goto err;
 	if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
 		goto err;
+	if (staple != NULL &&
+	    tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
+		goto err;
 
 	tls_config_keypair_add(config, keypair);
 
@@ -460,6 +468,39 @@ tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
 	return (-1);
 }
 
+int
+tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len)
+{
+	return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+	    key_len, NULL, 0);
+}
+
+int
+tls_config_add_keypair_file(struct tls_config *config,
+    const char *cert_file, const char *key_file)
+{
+	return tls_config_add_keypair_file_internal(config, cert_file,
+	    key_file, NULL);
+}
+
+int
+tls_config_add_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len, const uint8_t *staple,
+    size_t staple_len)
+{
+	return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
+	    key_len, staple, staple_len);
+}
+
+int
+tls_config_add_keypair_ocsp_file(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+	return tls_config_add_keypair_file_internal(config, cert_file,
+	    key_file, ocsp_file);
+}
+
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
@@ -581,30 +622,73 @@ tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
 	return tls_keypair_set_key_mem(config->keypair, key, len);
 }
 
-int
-tls_config_set_keypair_file(struct tls_config *config,
-    const char *cert_file, const char *key_file)
+static int
+tls_config_set_keypair_file_internal(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
 {
 	if (tls_config_set_cert_file(config, cert_file) != 0)
 		return (-1);
 	if (tls_config_set_key_file(config, key_file) != 0)
 		return (-1);
+	if (tls_config_set_key_file(config, key_file) != 0)
+		return (-1);
+	if (ocsp_file != NULL &&
+	    tls_config_set_ocsp_staple_file(config, ocsp_file) != 0)
+		return (-1);
 
 	return (0);
 }
 
-int
-tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
-    size_t cert_len, const uint8_t *key, size_t key_len)
+static int
+tls_config_set_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
 {
 	if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
 		return (-1);
 	if (tls_config_set_key_mem(config, key, key_len) != 0)
 		return (-1);
+	if ((staple != NULL) &&
+	    (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0))
+		return (-1);
 
 	return (0);
 }
 
+int
+tls_config_set_keypair_file(struct tls_config *config,
+    const char *cert_file, const char *key_file)
+{
+	return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+	    NULL);
+}
+
+int
+tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len)
+{
+	return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+	    key, key_len, NULL, 0);
+}
+
+int
+tls_config_set_keypair_ocsp_file(struct tls_config *config,
+    const char *cert_file, const char *key_file, const char *ocsp_file)
+{
+	return tls_config_set_keypair_file_internal(config, cert_file, key_file,
+	    ocsp_file);
+}
+
+int
+tls_config_set_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
+    size_t cert_len, const uint8_t *key, size_t key_len,
+    const uint8_t *staple, size_t staple_len)
+{
+	return tls_config_set_keypair_mem_internal(config, cert, cert_len,
+	    key, key_len, staple, staple_len);
+}
+
+
 int
 tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
 {
@@ -685,7 +769,8 @@ tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_fi
 }
 
 int
-tls_config_set_ocsp_staple_mem(struct tls_config *config, char *staple, size_t len)
+tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
+    size_t len)
 {
 	return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
 }
diff --git a/usr.sbin/httpd/server.c b/usr.sbin/httpd/server.c
index b6a8b550a97..bd54db6c144 100644
--- a/usr.sbin/httpd/server.c
+++ b/usr.sbin/httpd/server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: server.c,v 1.102 2017/01/31 12:20:05 reyk Exp $ */
+/* $OpenBSD: server.c,v 1.103 2017/01/31 16:18:57 beck Exp $ */
 
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -241,9 +241,10 @@ server_tls_init(struct server *srv)
 		return (-1);
 	}
 
-	if (tls_config_set_keypair_mem(srv->srv_tls_config,
+	if (tls_config_set_keypair_ocsp_mem(srv->srv_tls_config,
 	    srv->srv_conf.tls_cert, srv->srv_conf.tls_cert_len,
-	    srv->srv_conf.tls_key, srv->srv_conf.tls_key_len) != 0) {
+	    srv->srv_conf.tls_key, srv->srv_conf.tls_key_len,
+	    srv_conf->tls_ocsp_staple, srv_conf->tls_ocsp_staple_len) != 0) {
 		log_warnx("%s: failed to set tls certificate/key: %s", __func__,
 		    tls_config_error(srv->srv_tls_config));
 		return (-1);
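Review bot: `tls_config_set_keypair_file_internal` now loads the private key twice: the added pair `if (tls_config_set_key_file(config, key_file) != 0)` / `return (-1);` repeats the context lines immediately above it verbatim, so every call through `tls_config_set_keypair_file` and `tls_config_set_keypair_ocsp_file` reads and parses the key file a second time for no effect other than extra file I/O and a redundant copy of key material passing through memory. Drop the duplicated two lines so the function reads cert, key, then optional staple, matching `tls_config_add_keypair_file_internal` in the earlier hunk. As a style point, the sibling `tls_config_set_keypair_mem_internal` wraps its staple check in extra parentheses, `if ((staple != NULL) && (tls_config_set_ocsp_staple_mem(...) != 0))`, while the file variant and both add_* variants write the same test without them; using the unparenthesized form in all four keeps them grep-identical. The two consecutive added blank lines before `tls_config_set_protocols` leave a double blank that the rest of the file does not use.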
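Review bot: The last added line of the `tls_config_set_keypair_ocsp_mem` call reads the staple from `srv_conf->tls_ocsp_staple` while the cert and key on the lines above come from `srv->srv_conf.tls_cert` and `srv->srv_conf.tls_key`; in the next hunk of this file `srv_conf` is the variable the `TAILQ_FOREACH` over the alternate hosts iterates, and this call sits before that loop. Unless `srv_conf` is assigned earlier in `server_tls_init` (its opening is outside this hunk), this dereferences an unset pointer, and if it is set it attaches some other host's staple to the main certificate rather than this server's. The staple for the main keypair should come from the same config as its cert and key: `srv->srv_conf.tls_ocsp_staple, srv->srv_conf.tls_ocsp_staple_len) != 0) {`. Passing a NULL staple is fine here, since the new `tls_config_set_keypair_mem_internal` skips the staple when `staple == NULL`.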
@@ -263,22 +264,14 @@ server_tls_init(struct server *srv)
 			continue;
 		log_debug("%s: adding keypair for server %s", __func__,
 		    srv->srv_conf.name);
-		if (tls_config_add_keypair_mem(srv->srv_tls_config,
+		if (tls_config_add_keypair_ocsp_mem(srv->srv_tls_config,
 		    srv_conf->tls_cert, srv_conf->tls_cert_len,
-		    srv_conf->tls_key, srv_conf->tls_key_len) != 0) {
+		    srv_conf->tls_key, srv_conf->tls_key_len,
+		    srv_conf->tls_ocsp_staple,
+		    srv_conf->tls_ocsp_staple_len) != 0) {
 			log_warnx("%s: failed to add tls keypair", __func__);
 			return (-1);
 		}
-		if (srv_conf->tls_ocsp_staple == NULL)
-			continue;
-		log_debug("%s: adding ocsp staple for server %s", __func__,
-		    srv->srv_conf.name);
-		if (tls_config_set_ocsp_staple_mem(srv->srv_tls_config,
-		    srv_conf->tls_ocsp_staple, srv_conf->tls_ocsp_staple_len)
-		    != 0 ) {
-			log_warnx("%s: failed to add ocsp staple", __func__);
-			return (-1);
-		}
 	}
 
 	if (tls_configure(srv->srv_tls_ctx, srv->srv_tls_config) != 0) {
-- 
cgit v1.2.3
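Review bot: The failure branch after the new `tls_config_add_keypair_ocsp_mem` call reports only `"%s: failed to add tls keypair"`, but the call now covers three inputs (cert, key, staple) and the removed lines that logged a staple failure separately are gone, so an operator cannot tell a bad OCSP response from a bad certificate or key. The main-certificate path in the earlier hunk of this file already appends `tls_config_error(srv->srv_tls_config)` to its warning; the same should be done here, `log_warnx("%s: failed to add tls keypair: %s", __func__, tls_config_error(srv->srv_tls_config));`. Whether the in-memory staple loader populates the config error string is not visible in this diff (the add_* path passes `&config->error` only to the file loaders), so it is worth confirming the message is non-empty for a rejected staple. The enclosing `server_tls_init` starts outside this hunk.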