From 380117c0cac185f05326a4726253011dcc1453e2 Mon Sep 17 00:00:00 2001
From: jsing
Date: Tue, 2 Aug 2016 07:47:11 +0000
Subject: [PATCH] Revert previous since it adds new symbols.

Requested by deraadt@
---
 lib/libtls/tls.c | 10 +-----
 lib/libtls/tls.h | 6 ++--
 lib/libtls/tls_config.c | 70 +--------------------------------------
 lib/libtls/tls_conninfo.c | 35 +-------------------
 lib/libtls/tls_init.3 | 36 +++++---------------
 lib/libtls/tls_internal.h | 6 +---
 lib/libtls/tls_server.c | 20 +---------
 lib/libtls/tls_verify.c | 3 +-
 8 files changed, 16 insertions(+), 170 deletions(-)

diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 2584ceb88b4..ddf847d390e 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.42 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.43 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -310,14 +310,6 @@ tls_configure_ssl(struct tls *ctx)
 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
 SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_NO_TLSv1_2);
- if (ctx->config->alpn != NULL) {
- if (SSL_CTX_set_alpn_protos(ctx->ssl_ctx, ctx->config->alpn,
- ctx->config->alpn_len) != 0) {
- tls_set_errorx(ctx, "failed to set alpn");
- goto err;
- }
- }
-
 if (ctx->config->ciphers != NULL) {
 if (SSL_CTX_set_cipher_list(ctx->ssl_ctx,
 ctx->config->ciphers) != 1) {
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index e518623a71d..1497319611a 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.31 2016/08/01 17:40:23 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.32 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -52,7 +52,6 @@ const char *tls_error(struct tls *_ctx);
 struct tls_config *tls_config_new(void);
 void tls_config_free(struct tls_config *_config);
-int tls_config_set_alpn(struct tls_config *_config, const char *_alpn);
 int tls_config_set_ca_file(struct tls_config *_config, const char *_ca_file);
 int tls_config_set_ca_path(struct tls_config *_config, const char *_ca_path);
 int tls_config_set_ca_mem(struct tls_config *_config, const uint8_t *_ca,
@@ -117,9 +116,8 @@ const char *tls_peer_cert_subject(struct tls *_ctx);
 time_t tls_peer_cert_notbefore(struct tls *_ctx);
 time_t tls_peer_cert_notafter(struct tls *_ctx);
-const char *tls_conn_alpn_selected(struct tls *_ctx);
-const char *tls_conn_cipher(struct tls *_ctx);
 const char *tls_conn_version(struct tls *_ctx);
+const char *tls_conn_cipher(struct tls *_ctx);
 uint8_t *tls_load_file(const char *_file, size_t *_len, char *_password);
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 640a69e7831..63054ab1e9f 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.23 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.24 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -166,7 +166,6 @@ tls_config_free(struct tls_config *config)
 free(config->error.msg);
- free(config->alpn);
 free((char *)config->ca_file);
 free((char *)config->ca_mem);
 free((char *)config->ca_path);
@@ -250,73 +249,6 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
 return (0);
 }
-static int
-tls_config_parse_alpn(struct tls_config *config, const char *alpn,
- char **alpn_data, size_t *alpn_len)
-{
- size_t buf_len, i, len;
- char *buf = NULL;
- char *s = NULL;
- char *p, *q;
- free(*alpn_data);
- *alpn_data = NULL;
- *alpn_len = 0;
- if ((buf_len = strlen(alpn) + 1) > 65535) {
- tls_config_set_errorx(config, "alpn too large");
- goto err;
- }
- if ((buf = malloc(buf_len)) == NULL) {
- tls_config_set_errorx(config, "out of memory");
- goto err;
- }
- if ((s = strdup(alpn)) == NULL) {
- tls_config_set_errorx(config, "out of memory");
- goto err;
- }
- i = 0;
- q = s;
- while ((p = strsep(&q, ",")) != NULL) {
- if ((len = strlen(p)) == 0) {
- tls_config_set_errorx(config,
- "alpn protocol with zero length");
- goto err;
- }
- if (len > 255) {
- tls_config_set_errorx(config,
- "alpn protocol too long");
- goto err;
- }
- buf[i++] = len & 0xff;
- memcpy(&buf[i], p, len);
- i += len;
- }
-
- free(s);
-
- *alpn_data = buf;
- *alpn_len = buf_len;
-
- return (0);
-
- err:
- free(buf);
- free(s);
-
- return (-1);
-}
-
-int
-tls_config_set_alpn(struct tls_config *config, const char *alpn)
-{
- return tls_config_parse_alpn(config, alpn, &config->alpn,
- &config->alpn_len);
-}
-
 int
 tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
 {
diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c
index 93526fceeb1..6caf655536d 100644
--- a/lib/libtls/tls_conninfo.c
+++ b/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.6 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.7 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing
 * Copyright (c) 2015 Bob Beck
@@ -150,26 +150,6 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore, time_t *notafter)
 return (rv);
 }
-static int
-tls_conninfo_alpn_proto(struct tls *ctx)
-{
- const unsigned char *p;
- unsigned int len;
-
- free(ctx->conninfo->alpn);
- ctx->conninfo->alpn = NULL;
-
- SSL_get0_alpn_selected(ctx->ssl_conn, &p, &len);
- if (len > 0) {
- if ((ctx->conninfo->alpn = malloc(len + 1)) == NULL)
- return (-1);
- memcpy(ctx->conninfo->alpn, p, len);
- ctx->conninfo->alpn[len] = '\0';
- }
-
- return (0);
-}
-
 int
 tls_get_conninfo(struct tls *ctx) {
 const char * tmp;
@@ -195,9 +175,6 @@ tls_get_conninfo(struct tls *ctx) {
 ctx->conninfo->cipher = strdup(tmp);
 if (ctx->conninfo->cipher == NULL)
 goto err;
- if (tls_conninfo_alpn_proto(ctx) == -1)
- goto err;
-
 return (0);
 err:
 tls_free_conninfo(ctx->conninfo);
@@ -207,8 +184,6 @@ err:
 void
 tls_free_conninfo(struct tls_conninfo *conninfo) {
 if (conninfo != NULL) {
- free(conninfo->alpn);
- conninfo->alpn = NULL;
 free(conninfo->hash);
 conninfo->hash = NULL;
 free(conninfo->subject);
@@ -222,14 +197,6 @@ tls_free_conninfo(struct tls_conninfo *conninfo) {
 }
 }
-const char *
-tls_conn_alpn_selected(struct tls *ctx)
-{
- if (ctx->conninfo == NULL)
- return (NULL);
- return (ctx->conninfo->alpn);
-}
-
 const char *
 tls_conn_cipher(struct tls *ctx)
 {
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 0969c093a1b..6ba2cb28be2 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.63 2016/08/01 17:32:19 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.64 2016/08/02 07:47:11 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 1 2016 $
+.Dd $Mdocdate: August 2 2016 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -24,7 +24,6 @@
 .Nm tls_config_new ,
 .Nm tls_config_free ,
 .Nm tls_config_parse_protocols ,
-.Nm tls_config_set_alpn ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
 .Nm tls_config_set_ca_mem ,
@@ -55,9 +54,8 @@
 .Nm tls_peer_cert_hash ,
 .Nm tls_peer_cert_notbefore ,
 .Nm tls_peer_cert_notafter ,
-.Nm tls_conn_alpn_selected ,
-.Nm tls_conn_cipher ,
 .Nm tls_conn_version ,
+.Nm tls_conn_cipher ,
 .Nm tls_load_file ,
 .Nm tls_client ,
 .Nm tls_server ,
@@ -90,8 +88,6 @@
 .Ft "int"
 .Fn tls_config_parse_protocols "uint32_t *protocols" "const char *protostr"
 .Ft "int"
-.Fn tls_config_set_alpn "struct tls_config *config" "const char *alpn"
-.Ft "int"
 .Fn tls_config_set_ca_file "struct tls_config *config" "const char *ca_file"
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
@@ -152,11 +148,9 @@
 .Ft "time_t"
 .Fn tls_peer_cert_notafter "struct tls *ctx"
 .Ft "const char *"
-.Fn tls_conn_alpn_selected "struct tls *ctx"
+.Fn tls_conn_version "struct tls *ctx"
 .Ft "const char *"
 .Fn tls_conn_cipher "struct tls *ctx"
-.Ft "const char *"
-.Fn tls_conn_version "struct tls *ctx"
 .Ft "uint8_t *"
 .Fn tls_load_file "const char *file" "size_t *len" "char *password"
 .Ft "struct tls *"
@@ -301,11 +295,6 @@ The following functions modify a configuration by setting parameters.
 Configuration options may apply to only clients or only servers or both.
 .Bl -bullet -offset four
 .It
-.Fn tls_config_set_alpn
-sets the ALPN protocols that are supported.
-The alpn string is a comma separated list of protocols, in order of preference.
-.Em (Client and Server)
-.It
 .Fn tls_config_set_ca_file
 sets the filename used to load a file containing the root certificates.
@@ -491,14 +480,13 @@ the peer certificate from
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_alpn_selected
-returns a string that specifies the ALPN protocol selected for use with the peer
+.Fn tls_conn_version
+returns a string
+corresponding to a TLS version negotiated with the peer
 connected to
 .Ar ctx .
-If no protocol was selected then NULL is returned.
-.Fn tls_conn_alpn_selected
+.Fn tls_conn_version
 will only succeed after the handshake is complete.
-.Em (Server and Client)
 .It
 .Fn tls_conn_cipher
 returns a string
@@ -509,14 +497,6 @@ connected to
 will only succeed after the handshake is complete.
 .Em (Server and client)
 .It
-.Fn tls_conn_version
-returns a string
-corresponding to a TLS version negotiated with the peer
-connected to
-.Ar ctx .
-.Fn tls_conn_version
-will only succeed after the handshake is complete.
-.It
 .Fn tls_load_file
 loads a certificate or key from disk into memory to be loaded with
 .Fn tls_config_set_ca_mem ,
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 17358429c7e..be5d659e68e 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.33 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.34 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -55,8 +55,6 @@ struct tls_keypair {
 struct tls_config {
 struct tls_error error;
- char *alpn;
- size_t alpn_len;
 const char *ca_file;
 const char *ca_path;
 char *ca_mem;
@@ -75,7 +73,6 @@ struct tls_config {
 };
 struct tls_conninfo {
- char *alpn;
 char *issuer;
 char *subject;
 char *hash;
@@ -107,7 +104,6 @@ struct tls {
 SSL *ssl_conn;
 SSL_CTX *ssl_ctx;
 X509 *ssl_peer_cert;
- struct tls_conninfo *conninfo;
 };
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index f13c9db083f..bba15aae7e6 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
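Review bot: The third tls_internal.h hunk removes `struct tls_conninfo *conninfo;` from `struct tls`, but the tls_conninfo.c hunks in this same patch leave `ctx->conninfo->cipher`, `tls_free_conninfo(ctx->conninfo)` and the `ctx->conninfo` use in tls_conn_cipher in place, and tls.h still declares tls_conn_version and tls_conn_cipher. Unless the same member is also declared earlier in `struct tls`, outside the hunk, the library will not compile after this revert. The conninfo pointer is not one of the ALPN symbols the commit message says it is backing out, so this deletion looks like it was taken from a wider diff than the previous commit; I would keep `struct tls_conninfo *conninfo;` and drop only the two alpn members in the first two hunks.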
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.20 2016/08/01 17:32:19 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.21 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -48,20 +48,6 @@ tls_server_conn(struct tls *ctx)
 return (conn_ctx);
 }
-static int
-tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
- const unsigned char *in, unsigned int inlen, void *arg)
-{
- struct tls *ctx = arg;
-
- if (SSL_select_next_proto((unsigned char**)out, outlen,
- ctx->config->alpn, ctx->config->alpn_len, in, inlen) ==
- OPENSSL_NPN_NEGOTIATED)
- return (SSL_TLSEXT_ERR_OK);
-
- return (SSL_TLSEXT_ERR_NOACK);
-}
-
 int
 tls_configure_server(struct tls *ctx)
 {
@@ -85,10 +71,6 @@ tls_configure_server(struct tls *ctx)
 goto err;
 }
- if (ctx->config->alpn != NULL)
- SSL_CTX_set_alpn_select_cb(ctx->ssl_ctx, tls_server_alpn_cb,
- ctx);
-
 if (ctx->config->dheparams == -1)
 SSL_CTX_set_dh_auto(ctx->ssl_ctx, 1);
 else if (ctx->config->dheparams == 1024)
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index eec72bade8c..9e73750a6e7 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.15 2015/09/29 13:10:53 jsing Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.16 2016/08/02 07:47:11 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 *
@@ -114,7 +114,6 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name)
 GENERAL_NAME *altname;
 altname = sk_GENERAL_NAME_value(altname_stack, i);
- if (altname->type != type)
 continue;
-- 
2.20.1
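Review bot: In the tls_verify.c hunk only `if (altname->type != type)` is removed while the following `continue;` stays as context (the hunk goes from 7 to 6 lines and carries a single `-`), so the loop over `altname_stack` in tls_check_subject_altname now reaches an unconditional `continue;` right after `altname = sk_GENERAL_NAME_value(altname_stack, i);`. The rest of the loop body lies outside the hunk, but whatever it does becomes unreachable, so no subject alternative name is ever compared against `name` and hostname verification is left to whatever fallback the caller applies, which is not what a revert of ALPN symbols should change. This file's previous revision (1.15, dated 2015) predates the change being reverted, so the deletion appears unrelated to the commit's stated purpose; the guard `if (altname->type != type)` should stay in front of `continue;`. A regression test presenting a certificate whose SAN matches `name` but whose common name does not would have caught this.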