From: jsing
Date: Thu, 8 Feb 2018 05:56:49 +0000 (+0000)
Subject: Split keypair handling out into its own file - it had already appeared
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bb4cb1b0441fa059bcc631311ed93636eefbc1b2;p=openbsd
Split keypair handling out into its own file - it had already appeared
in multiple locations.
ok beck@
---
diff --git a/lib/libtls/Makefile b/lib/libtls/Makefile
index 9e7b4fc7a61..c47119685e1 100644
--- a/lib/libtls/Makefile
+++ b/lib/libtls/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.32 2017/08/13 19:42:33 doug Exp $
+# $OpenBSD: Makefile,v 1.33 2018/02/08 05:56:49 jsing Exp $
 .include 
 .ifndef NOMAN
@@ -32,6 +32,7 @@ SRCS= tls.c \
  tls_client.c \
  tls_config.c \
  tls_conninfo.c \
+ tls_keypair.c \
  tls_peer.c \
  tls_server.c \
  tls_util.c \
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index d44b8dde49f..3db75dc62fc 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.46 2018/02/05 00:52:24 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.47 2018/02/08 05:56:49 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -24,127 +24,8 @@ #include #include -#include "tls_internal.h" - -static int -set_string(const char **dest, const char *src) -{ - free((char *)*dest); - *dest = NULL; - if (src != NULL) - if ((*dest = strdup(src)) == NULL) - return -1; - return 0; -} - -static void * -memdup(const void *in, size_t len) -{ - void *out; - - if ((out = malloc(len)) == NULL) - return NULL; - memcpy(out, in, len); - return out; -} - -static int -set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) -{ - free(*dest); - *dest = NULL; - *destlen = 0; - if (src != NULL) - if ((*dest = memdup(src, srclen)) == NULL) - return -1; - *destlen = srclen; - return 0; -} - -static struct tls_keypair * -tls_keypair_new(void) -{ - return calloc(1, sizeof(struct tls_keypair)); -} - -static void -tls_keypair_clear_key(struct tls_keypair *keypair) -{ - freezero(keypair->key_mem, keypair->key_len); - keypair->key_mem = NULL; - keypair->key_len = 0; -} - -static int -tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, - const char *cert_file) -{ - return tls_config_load_file(error, "certificate", cert_file, - &keypair->cert_mem, &keypair->cert_len); -} - -static int -tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert, - size_t len) -{ - return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len); -} -static int -tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, - const char *key_file) -{ - tls_keypair_clear_key(keypair); - return tls_config_load_file(error, "key", key_file, - &keypair->key_mem, &keypair->key_len); -} - -static int -tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, - size_t len) -{ - tls_keypair_clear_key(keypair); - return set_mem(&keypair->key_mem, &keypair->key_len, key, len); -} - -static int -tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair, - struct tls_error *error, const char *ocsp_file) -{ - return tls_config_load_file(error, "ocsp", ocsp_file, 
- &keypair->ocsp_staple, &keypair->ocsp_staple_len); -} - -static int -tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, - const uint8_t *staple, size_t len) -{ - return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple, - len); -} - -static void -tls_keypair_clear(struct tls_keypair *keypair) -{ - tls_keypair_set_cert_mem(keypair, NULL, 0); - tls_keypair_set_key_mem(keypair, NULL, 0); -} - -static void -tls_keypair_free(struct tls_keypair *keypair) -{ - if (keypair == NULL) - return; - - tls_keypair_clear(keypair); - - free(keypair->cert_mem); - free(keypair->key_mem); - free(keypair->ocsp_staple); - free(keypair->pubkey_hash); - - free(keypair); -} +#include "tls_internal.h" int tls_config_load_file(struct tls_error *error, const char *filetype, @@ -529,13 +410,13 @@ tls_config_set_ca_file(struct tls_config *config, const char *ca_file) int tls_config_set_ca_path(struct tls_config *config, const char *ca_path) { - return set_string(&config->ca_path, ca_path); + return tls_set_string(&config->ca_path, ca_path); } int tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len) { - return set_mem(&config->ca_mem, &config->ca_len, ca, len); + return tls_set_mem(&config->ca_mem, &config->ca_len, ca, len); } int @@ -579,7 +460,7 @@ tls_config_set_ciphers(struct tls_config *config, const char *ciphers) } SSL_CTX_free(ssl_ctx); - return set_string(&config->ciphers, ciphers); + return tls_set_string(&config->ciphers, ciphers); err: SSL_CTX_free(ssl_ctx); @@ -597,7 +478,7 @@ int tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl, size_t len) { - return set_mem(&config->crl_mem, &config->crl_len, crl, len); + return tls_set_mem(&config->crl_mem, &config->crl_len, crl, len); } int diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index f378ea5466b..67a31b2efd2 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h 
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.65 2017/09/20 17:05:17 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.66 2018/02/08 05:56:49 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  * Copyright (c) 2014 Joel Sing
@@ -192,6 +192,29 @@ struct tls {
  void *cb_arg;
 };
+int tls_set_mem(char **_dest, size_t *_destlen, const void *_src,
+ size_t _srclen);
+int tls_set_string(const char **_dest, const char *_src);
+
+struct tls_keypair *tls_keypair_new(void);
+void tls_keypair_clear_key(struct tls_keypair *_keypair);
+int tls_keypair_set_cert_file(struct tls_keypair *_keypair,
+ struct tls_error *_error, const char *_cert_file);
+int tls_keypair_set_cert_mem(struct tls_keypair *_keypair, const uint8_t *_cert,
+ size_t _len);
+int tls_keypair_set_key_file(struct tls_keypair *_keypair,
+ struct tls_error *_error, const char *_key_file);
+int tls_keypair_set_key_mem(struct tls_keypair *_keypair, const uint8_t *_key,
+ size_t _len);
+int tls_keypair_set_ocsp_staple_file(struct tls_keypair *_keypair,
+ struct tls_error *_error, const char *_ocsp_file);
+int tls_keypair_set_ocsp_staple_mem(struct tls_keypair *_keypair,
+ const uint8_t *_staple, size_t _len);
+void tls_keypair_clear(struct tls_keypair *_keypair);
+void tls_keypair_free(struct tls_keypair *_keypair);
+int tls_keypair_load_cert(struct tls_keypair *_keypair,
+ struct tls_error *_error, X509 **_cert);
+
 struct tls_sni_ctx *tls_sni_ctx_new(void);
 void tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx);
diff --git a/lib/libtls/tls_keypair.c b/lib/libtls/tls_keypair.c
new file mode 100644
index 00000000000..eef92b3b24f
--- /dev/null
+++ b/lib/libtls/tls_keypair.c
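Review bot: The prototypes added to tls_internal.h carry no contract notes, and the one that matters most is `tls_keypair_load_cert`: its definition later in this commit begins with `X509_free(*cert); *cert = NULL;`, so the caller must pass a pointer that is already NULL or a valid X509, and an uninitialised `X509 *` would be handed to X509_free. I would put `/* Parses the keypair's PEM cert into *_cert; frees whatever *_cert held first, so it must be NULL or a valid X509. */` above that prototype. It is also worth recording that `tls_keypair_set_key_file` and `tls_keypair_set_key_mem` zero the previous key via `tls_keypair_clear_key` while the cert and OCSP setters simply overwrite, so future setters keep that split deliberately. The `X509` type appears in this header without a visible OpenSSL include in the hunk; presumably tls_internal.h already pulls in `<openssl/x509.h>` above line 192, but that is worth confirming.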
@@ -0,0 +1,146 @@ +/* $OpenBSD: tls_keypair.c,v 1.1 2018/02/08 05:56:49 jsing Exp $ */ +/* + * Copyright (c) 2014 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include + +#include + +#include "tls_internal.h" + +struct tls_keypair * +tls_keypair_new(void) +{ + return calloc(1, sizeof(struct tls_keypair)); +} + +void +tls_keypair_clear_key(struct tls_keypair *keypair) +{ + freezero(keypair->key_mem, keypair->key_len); + keypair->key_mem = NULL; + keypair->key_len = 0; +} + +int +tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, + const char *cert_file) +{ + return tls_config_load_file(error, "certificate", cert_file, + &keypair->cert_mem, &keypair->cert_len); +} + +int +tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert, + size_t len) +{ + return tls_set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len); +} + +int +tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error, + const char *key_file) +{ + tls_keypair_clear_key(keypair); + return tls_config_load_file(error, "key", key_file, + &keypair->key_mem, &keypair->key_len); +} + +int +tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key, + size_t len) +{ + tls_keypair_clear_key(keypair); + return 
tls_set_mem(&keypair->key_mem, &keypair->key_len, key, len); +} + +int +tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair, + struct tls_error *error, const char *ocsp_file) +{ + return tls_config_load_file(error, "ocsp", ocsp_file, + &keypair->ocsp_staple, &keypair->ocsp_staple_len); +} + +int +tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, + const uint8_t *staple, size_t len) +{ + return tls_set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, + staple, len); +} + +void +tls_keypair_clear(struct tls_keypair *keypair) +{ + tls_keypair_set_cert_mem(keypair, NULL, 0); + tls_keypair_set_key_mem(keypair, NULL, 0); +} + +void +tls_keypair_free(struct tls_keypair *keypair) +{ + if (keypair == NULL) + return; + + tls_keypair_clear(keypair); + + free(keypair->cert_mem); + free(keypair->key_mem); + free(keypair->ocsp_staple); + free(keypair->pubkey_hash); + + free(keypair); +} + +int +tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error, + X509 **cert) +{ + char *errstr = "unknown"; + BIO *cert_bio = NULL; + int ssl_err; + int rv = -1; + + X509_free(*cert); + *cert = NULL; + + if (keypair->cert_mem == NULL) { + tls_error_set(error, "keypair has no certificate"); + goto err; + } + if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem, + keypair->cert_len)) == NULL) { + tls_error_set(error, "failed to create certificate bio"); + goto err; + } + if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb, + NULL)) == NULL) { + if ((ssl_err = ERR_peek_error()) != 0) + errstr = ERR_error_string(ssl_err, NULL); + tls_error_set(error, "failed to load certificate: %s", errstr); + goto err; + } + + rv = 0; + + err: + BIO_free(cert_bio); + + return (rv); +} diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c index e1011769f63..98b09574371 100644 --- a/lib/libtls/tls_server.c +++ b/lib/libtls/tls_server.c 
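Review bot: In `tls_keypair_load_cert`, `keypair->cert_len` is a `size_t` but `BIO_new_mem_buf` takes an `int` length, so a certificate buffer larger than INT_MAX is narrowed silently and a negative result asks the BIO layer to `strlen()` a buffer that `tls_set_mem` does not NUL-terminate (memdup copies exactly `len` bytes; tls_config_load_file is not visible here but presumably behaves the same). A guard before the BIO call closes this: `if (keypair->cert_len > INT_MAX) { tls_error_set(error, "certificate too large"); goto err; }` (needs `<limits.h>`). Separately, `ERR_error_string(ssl_err, NULL)` returns a pointer into a static buffer, so `ERR_error_string_n(ssl_err, buf, sizeof(buf))` with a local `char buf[256]` is the reentrant form a library should use. In `tls_keypair_free`, the `free(keypair->cert_mem)` and `free(keypair->key_mem)` lines are no-ops because `tls_keypair_clear` has already released and NULLed both (the key via `freezero`); dropping the two redundant frees makes it clearer that the zeroing path is the one that matters.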
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.42 2017/09/20 17:05:17 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.43 2018/02/08 05:56:49 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  *
@@ -203,43 +203,6 @@ tls_server_ticket_cb(SSL *ssl, unsigned char *keyname, unsigned char *iv,
  }
 }
-static int
-tls_keypair_load_cert(struct tls_keypair *keypair, struct tls_error *error,
- X509 **cert)
-{
- char *errstr = "unknown";
- BIO *cert_bio = NULL;
- int ssl_err;
- int rv = -1;
-
- X509_free(*cert);
- *cert = NULL;
-
- if (keypair->cert_mem == NULL) {
- tls_error_set(error, "keypair has no certificate");
- goto err;
- }
- if ((cert_bio = BIO_new_mem_buf(keypair->cert_mem,
- keypair->cert_len)) == NULL) {
- tls_error_set(error, "failed to create certificate bio");
- goto err;
- }
- if ((*cert = PEM_read_bio_X509(cert_bio, NULL, tls_password_cb,
- NULL)) == NULL) {
- if ((ssl_err = ERR_peek_error()) != 0)
- errstr = ERR_error_string(ssl_err, NULL);
- tls_error_set(error, "failed to load certificate: %s", errstr);
- goto err;
- }
-
- rv = 0;
-
- err:
- BIO_free(cert_bio);
-
- return (rv);
-}
-
 static int
 tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
  struct tls_keypair *keypair)
diff --git a/lib/libtls/tls_util.c b/lib/libtls/tls_util.c
index f9df287ca87..06b60597af9 100644
--- a/lib/libtls/tls_util.c
+++ b/lib/libtls/tls_util.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_util.c,v 1.10 2018/02/05 00:52:24 jsing Exp $ */
+/* $OpenBSD: tls_util.c,v 1.11 2018/02/08 05:56:49 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing
  * Copyright (c) 2015 Reyk Floeter
@@ -25,6 +25,41 @@
 #include "tls.h"
 #include "tls_internal.h"
+static void *
+memdup(const void *in, size_t len)
+{
+ void *out;
+
+ if ((out = malloc(len)) == NULL)
+ return NULL;
+ memcpy(out, in, len);
+ return out;
+}
+
+int
+tls_set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
+{
+ free(*dest);
+ *dest = NULL;
+ *destlen = 0;
+ if (src != NULL)
+ if ((*dest = memdup(src, srclen)) == NULL)
+ return -1;
+ *destlen = srclen;
+ return 0;
+}
+
+int
+tls_set_string(const char **dest, const char *src)
+{
+ free((char *)*dest);
+ *dest = NULL;
+ if (src != NULL)
+ if ((*dest = strdup(src)) == NULL)
+ return -1;
+ return 0;
+}
+
 /*
  * Extract the host and port from a colon separated value. For a literal IPv6
  * address the address must be contained with square braces. If a host and
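Review bot: `tls_set_mem` assigns `*destlen = srclen` outside the `if (src != NULL)` branch, so a NULL `src` with a non-zero `srclen` leaves `*dest == NULL` paired with a non-zero `*destlen`, which any consumer that trusts the length would read through. Moving the assignment under the branch, `if (src != NULL) { if ((*dest = memdup(src, srclen)) == NULL) return -1; *destlen = srclen; }`, keeps the pair consistent; the callers in this commit all pass `(NULL, 0)` for the clear case, so this is defensive rather than a live bug. Note also that `free(*dest)` here is a plain free — the key setter in tls_keypair.c zeroes the old key with `tls_keypair_clear_key` before calling in — so a one-line comment on `tls_set_mem` stating that it does not scrub the previous buffer would stop a future caller from relying on it for key material. Finally, `memdup(src, 0)` calls `malloc(0)`, which some libc implementations return NULL for, so on those platforms a valid zero-length input would be reported as an allocation failure.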