From 99cfb8c597f44ace647d8aa9d73b421b839f398e Mon Sep 17 00:00:00 2001
From: reyk
Date: Thu, 22 Jan 2015 09:16:24 +0000
Subject: [PATCH] Allow to to load the CA chain directly from memory instead of specifying a file. This enables CA verification in privsep'ed processes that are running chroot'ed without direct access to the certificate files. With feedback, tests, and OK from bluhm@
---
 lib/libtls/shlib_version | 2 +-
 lib/libtls/tls.h | 4 +++-
 lib/libtls/tls_client.c | 17 +++++++++++++++--
 lib/libtls/tls_config.c | 9 ++++++++-
 lib/libtls/tls_init.3 | 11 +++++++++--
 lib/libtls/tls_internal.h | 4 +++-
 6 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/lib/libtls/shlib_version b/lib/libtls/shlib_version
index 1edea46de91..893819d18ff 100644
--- a/lib/libtls/shlib_version
+++ b/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
 major=1
-minor=0
+minor=1
diff --git a/lib/libtls/tls.h b/lib/libtls/tls.h
index 21e1d74b357..8dcf1257654 100644
--- a/lib/libtls/tls.h
+++ b/lib/libtls/tls.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.h,v 1.2 2014/11/02 14:45:05 jsing Exp $ */
+/* $OpenBSD: tls.h,v 1.3 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -42,6 +42,8 @@ void tls_config_free(struct tls_config *config);
 int tls_config_set_ca_file(struct tls_config *config, const char *ca_file);
 int tls_config_set_ca_path(struct tls_config *config, const char *ca_path);
+int tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca,
+ size_t len);
 int tls_config_set_cert_file(struct tls_config *config, const char *cert_file);
 int tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
 size_t len);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index c6117c32929..4a9a4c976d8 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.8 2015/01/13 17:35:35 bluhm Exp $ */
+/* $OpenBSD: tls_client.c,v 1.9 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
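Review bot: The new prototype names its buffer parameter `ca`, but the manual page entry added in the same commit (tls_init.3) gives the prototype as `"const uint8_t *cert"`, so the two published signatures of tls_config_set_ca_mem disagree; `.Fn tls_config_set_ca_mem "struct tls_config *config" "const uint8_t *ca" "size_t len"` would keep them aligned. Neither the header nor the one-line manual text says what the buffer must contain, and the only hint is the SSL_CTX_load_verify_mem call in tls_client.c; a comment on the declaration such as `/* CA chain in the encoding SSL_CTX_load_verify_mem() accepts (presumably PEM, as for cert_mem -- confirm) */` would spare callers a trip into the implementation.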
@@ -21,6 +21,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -168,7 +169,19 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write,
 if (ctx->config->verify_cert) {
 SSL_CTX_set_verify(ctx->ssl_ctx, SSL_VERIFY_PEER, NULL);
- if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
+ if (ctx->config->ca_mem != NULL) {
+ if (ctx->config->ca_len > INT_MAX) {
+ tls_set_error(ctx, "ca too long");
+ goto err;
+ }
+
+ if (SSL_CTX_load_verify_mem(ctx->ssl_ctx,
+ ctx->config->ca_mem, ctx->config->ca_len) != 1) {
+ tls_set_error(ctx,
+ "ssl verify memory setup failure");
+ goto err;
+ }
+ } else if (SSL_CTX_load_verify_locations(ctx->ssl_ctx,
 ctx->config->ca_file, ctx->config->ca_path) != 1) {
 tls_set_error(ctx, "ssl verify setup failure");
 goto err;
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 0e435f616aa..16120c5e4e3 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_config.c,v 1.1 2014/10/31 13:46:17 jsing Exp $ */
+/* $OpenBSD: tls_config.c,v 1.2 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -102,6 +102,7 @@ tls_config_free(struct tls_config *config)
 void
 tls_config_clear_keys(struct tls_config *config)
 {
+ tls_config_set_ca_mem(config, NULL, 0);
 tls_config_set_cert_mem(config, NULL, 0);
 tls_config_set_key_mem(config, NULL, 0);
 }
@@ -118,6 +119,12 @@ tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
 return set_string(&config->ca_path, ca_path);
 }
+int
+tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
+{
+ return set_mem(&config->ca_mem, &config->ca_len, ca, len);
+}
+
 int
 tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
 {
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index e8700782257..df2dfc8a411 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
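Review bot: When an in-memory CA chain and ca_file/ca_path are both configured, the new `if (ctx->config->ca_mem != NULL)` branch uses the memory copy and the file settings are silently ignored, and neither the code nor the manual page entry says so; a one-line comment above the new branch, `/* An in-memory CA chain takes precedence over ca_file/ca_path. */`, would make the rule explicit where a reader looks for it. The `ca_len > INT_MAX` guard looks odd next to a size_t field until one knows that SSL_CTX_load_verify_mem() takes an int length, so `/* SSL_CTX_load_verify_mem() takes an int length. */` on that line would keep the next maintainer from removing it. tls_connect_fds continues outside the hunk.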
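Review bot: tls_config_clear_keys now also drops the CA chain, although the CA holds no secret, and the tls_client.c hunk shows tls_connect_fds reading `ctx->config->ca_mem` only at connect time; a caller that clears key material right after tls_configure, as the function's name invites, would then lose the in-memory CA and silently fall back to ca_file/ca_path, the very path the commit wants to avoid inside a chroot. If the intent is only that tls_config_free (outside the hunk) releases the buffer through this function, freeing ca_mem directly in tls_config_free would let clear_keys keep its key-only meaning. Whichever is chosen, the effect on ca_mem should be stated in the manual page text for tls_config_clear_keys.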
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.6 2015/01/01 13:30:52 schwarze Exp $
+.\" $OpenBSD: tls_init.3,v 1.7 2015/01/22 09:16:24 reyk Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2015 $
+.Dd $Mdocdate: January 22 2015 $
 .Dt TLS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm tls_config_free ,
 .Nm tls_config_set_ca_file ,
 .Nm tls_config_set_ca_path ,
+.Nm tls_config_set_ca_mem ,
 .Nm tls_config_set_cert_file ,
 .Nm tls_config_set_cert_mem ,
 .Nm tls_config_set_ciphers ,
@@ -63,6 +64,8 @@
 .Ft "int"
 .Fn tls_config_set_ca_path "struct tls_config *config" "const char *ca_path"
 .Ft "int"
+.Fn tls_config_set_ca_mem "struct tls_config *config" "const uint8_t *cert" "size_t len"
+.Ft "int"
 .Fn tls_config_set_cert_file "struct tls_config *config" "const char *cert_file"
 .Ft "int"
 .Fn tls_config_set_cert_mem "struct tls_config *config" "const uint8_t *cert" "size_t len"
@@ -198,6 +201,10 @@ sets the path (directory) which should be searched for root certificates.
 .Em (Client)
 .It
+.Fn tls_config_set_ca_mem
+sets the root certificates directly from memory.
+.Em (Client)
+.It
 .Fn tls_config_set_cert_file
 sets file from which the public certificate will be read.
 .Em (Client and server)
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 1a2bd388b7d..9a1a180e0bf 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.6 2015/01/13 17:35:35 bluhm Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.7 2015/01/22 09:16:24 reyk Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -28,6 +28,8 @@ struct tls_config {
 const char *ca_file;
 const char *ca_path;
+ char *ca_mem;
+ size_t ca_len;
 const char *cert_file;
 char *cert_mem;
 size_t cert_len;
-- 
2.20.1