

1 f9ab77a8 2023-08-23 op /* $OpenBSD: tls_keypair.c,v 1.8 2021/01/05 17:37:12 jsing Exp $ */
2 f9ab77a8 2023-08-23 op /*
3 f9ab77a8 2023-08-23 op * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 f9ab77a8 2023-08-23 op *
5 f9ab77a8 2023-08-23 op * Permission to use, copy, modify, and distribute this software for any
6 f9ab77a8 2023-08-23 op * purpose with or without fee is hereby granted, provided that the above
7 f9ab77a8 2023-08-23 op * copyright notice and this permission notice appear in all copies.
8 f9ab77a8 2023-08-23 op *
9 f9ab77a8 2023-08-23 op * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 f9ab77a8 2023-08-23 op * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 f9ab77a8 2023-08-23 op * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 f9ab77a8 2023-08-23 op * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 f9ab77a8 2023-08-23 op * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 f9ab77a8 2023-08-23 op * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 f9ab77a8 2023-08-23 op * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 f9ab77a8 2023-08-23 op */
17 f9ab77a8 2023-08-23 op
#include "config.h"

#include <limits.h>

#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pem.h>

#include <tls.h>

#include "tls_internal.h"
27 f9ab77a8 2023-08-23 op
/*
 * Allocate a zero-initialised keypair.
 *
 * Every member starts out NULL/0, so tls_keypair_clear_key() and
 * tls_keypair_free() may be called on the result straight away.
 * Returns NULL if the allocation fails.
 */
struct tls_keypair *
tls_keypair_new(void)
{
	struct tls_keypair *keypair;

	keypair = calloc(1, sizeof(*keypair));

	return (keypair);
}
33 f9ab77a8 2023-08-23 op
/*
 * Recompute keypair->pubkey_hash from the PEM data in keypair->cert_mem.
 *
 * Any previously cached hash is released first. A keypair that has no
 * certificate yet is not an error: pubkey_hash stays NULL and 0 is
 * returned. Otherwise the certificate is parsed and its public key
 * hashed; on failure -1 is returned with pubkey_hash left NULL.
 *
 * Note that tls_cert_pubkey_hash() is not handed the error object, so a
 * failure inside it yields -1 without an error message; only the
 * certificate-loading path sets one.
 */
static int
tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error)
{
	X509 *cert = NULL;
	int rv = -1;

	free(keypair->pubkey_hash);
	keypair->pubkey_hash = NULL;

	/* Nothing to hash until a certificate has been set. */
	if (keypair->cert_mem == NULL)
		return (0);

	if (tls_keypair_load_cert(keypair, error, &cert) != -1 &&
	    tls_cert_pubkey_hash(cert, &keypair->pubkey_hash) != -1)
		rv = 0;

	/* X509_free(NULL) is a no-op, so this is safe when loading failed. */
	X509_free(cert);

	return (rv);
}
60 f9ab77a8 2023-08-23 op
/*
 * Release the private key held in keypair->key_mem.
 *
 * The buffer is wiped before it is freed (freezero) so that key material
 * does not linger in the heap after release; the pointer and length are
 * reset so the keypair is safe to clear or free again.
 */
void
tls_keypair_clear_key(struct tls_keypair *keypair)
{
	void *key = keypair->key_mem;
	size_t key_len = keypair->key_len;

	keypair->key_mem = NULL;
	keypair->key_len = 0;

	freezero(key, key_len);
}
68 f9ab77a8 2023-08-23 op
/*
 * Load the certificate in cert_file into keypair->cert_mem and refresh
 * the cached public key hash.
 *
 * Returns 0 on success, -1 on failure (error is set by the callee that
 * failed). If the file is read but cannot be parsed as a certificate,
 * cert_mem is not rolled back while pubkey_hash is left NULL, so callers
 * should treat -1 as fatal for this keypair rather than keep using it.
 */
int
tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
{
	int rv;

	rv = tls_config_load_file(error, "certificate", cert_file,
	    &keypair->cert_mem, &keypair->cert_len);
	if (rv == -1)
		return (-1);

	return (tls_keypair_pubkey_hash(keypair, error));
}
78 f9ab77a8 2023-08-23 op
/*
 * Copy len bytes of PEM certificate data from cert into keypair->cert_mem
 * and refresh the cached public key hash.
 *
 * Returns 0 on success, -1 on failure. A copy failure in tls_set_mem()
 * returns -1 without touching error; a parse failure sets error via
 * tls_keypair_load_cert(). As with the file variant, a parse failure
 * leaves the new bytes in cert_mem with pubkey_hash NULL.
 */
int
tls_keypair_set_cert_mem(struct tls_keypair *keypair, struct tls_error *error,
    const uint8_t *cert, size_t len)
{
	int rv;

	rv = tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
	if (rv == -1)
		return (-1);

	return (tls_keypair_pubkey_hash(keypair, error));
}
87 f9ab77a8 2023-08-23 op
/*
 * Load the private key in key_file into keypair->key_mem.
 *
 * Any previous key is wiped and released first, so a failed load never
 * leaves stale key material behind. Returns 0 on success, -1 with error
 * set on failure.
 */
int
tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *key_file)
{
	int rv;

	/* Zero and free the old key before the new one is read in. */
	tls_keypair_clear_key(keypair);

	rv = tls_config_load_file(error, "key", key_file,
	    &keypair->key_mem, &keypair->key_len);

	return (rv);
}
96 f9ab77a8 2023-08-23 op
/*
 * Copy len bytes of private key data from key into keypair->key_mem.
 *
 * The previous key is wiped and released first. Returns 0 on success,
 * -1 on failure; note that tls_set_mem() is not passed error, so a copy
 * failure leaves error untouched.
 */
int
tls_keypair_set_key_mem(struct tls_keypair *keypair, struct tls_error *error,
    const uint8_t *key, size_t len)
{
	int rv;

	/* Zero and free the old key before installing the new one. */
	tls_keypair_clear_key(keypair);

	rv = tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len);

	return (rv);
}
104 f9ab77a8 2023-08-23 op
/*
 * Load the contents of ocsp_file into keypair->ocsp_staple.
 *
 * The bytes are stored verbatim; nothing in this file parses the staple
 * or checks it against the certificate. Returns 0 on success, -1 with
 * error set on failure.
 */
int
tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
    struct tls_error *error, const char *ocsp_file)
{
	int rv;

	rv = tls_config_load_file(error, "ocsp", ocsp_file,
	    &keypair->ocsp_staple, &keypair->ocsp_staple_len);

	return (rv);
}
112 f9ab77a8 2023-08-23 op
/*
 * Copy len bytes of OCSP staple data from staple into keypair->ocsp_staple.
 *
 * The bytes are stored verbatim; nothing in this file parses the staple
 * or checks it against the certificate. Returns 0 on success, -1 on
 * failure (error is unused here, as tls_set_mem() does not take it).
 */
int
tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
    struct tls_error *error, const uint8_t *staple, size_t len)
{
	int rv;

	rv = tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len,
	    staple, len);

	return (rv);
}
120 f9ab77a8 2023-08-23 op
/*
 * Release a keypair and everything it owns. Accepts NULL.
 *
 * The private key is wiped before release via tls_keypair_clear_key();
 * the certificate, OCSP staple and public key hash are public data and
 * are simply freed.
 */
void
tls_keypair_free(struct tls_keypair *keypair)
{
	if (keypair == NULL)
		return;

	/* Secret material first: zeroed, not just freed. */
	tls_keypair_clear_key(keypair);

	/* Remaining buffers hold nothing sensitive; free(NULL) is fine. */
	free(keypair->pubkey_hash);
	free(keypair->ocsp_staple);
	free(keypair->cert_mem);

	free(keypair);
}
135 f9ab77a8 2023-08-23 op
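/*
 * Parse the PEM data in keypair->cert_mem into a new X509 at *cert.
 *
 * Any X509 already at *cert is released first, so a caller may reuse the
 * same pointer across calls; on failure *cert is left NULL. Only the
 * first PEM object in the buffer is read (PEM_read_bio_X509 returns a
 * single certificate), which by the usual chain ordering is the leaf.
 *
 * Returns 0 on success, -1 with error set on failure.
 */
int
tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
    X509 **cert)
{
	char errbuf[256];
	const char *errstr = "unknown";
	BIO *cert_bio = NULL;
	unsigned long ssl_err;
	int rv = -1;

	X509_free(*cert);
	*cert = NULL;

	if (keypair->cert_mem == NULL) {
		tls_error_set(error, "keypair has no certificate");
		goto err;
	}

	/*
	 * BIO_new_mem_buf() takes an int length. A size_t above INT_MAX
	 * would be silently truncated (or wrap negative) in the implicit
	 * conversion, so reject oversized buffers explicitly.
	 */
	if (keypair->cert_len > INT_MAX) {
		tls_error_set(error, "certificate is too large");
		goto err;
	}
	if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
	    (int)keypair->cert_len)) == NULL) {
		tls_error_set(error, "failed to create certificate bio");
		goto err;
	}
	if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
	    NULL)) == NULL) {
		/*
		 * Format the error into a local buffer: ERR_error_string()
		 * with a NULL buffer hands back a shared static buffer, which
		 * is not safe if another thread is doing the same.
		 */
		if ((ssl_err = ERR_peek_error()) != 0) {
			ERR_error_string_n(ssl_err, errbuf, sizeof(errbuf));
			errstr = errbuf;
		}
		tls_error_set(error, "failed to load certificate: %s", errstr);
		goto err;
	}

	rv = 0;

 err:
	/* BIO_free(NULL) is a no-op, so every exit path can share this. */
	BIO_free(cert_bio);

	return (rv);
}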
171 f9ab77a8 2023-08-23 op }