GCC Code Coverage Report
Directory: ./ Exec Total Coverage
File: lib/libtls/tls_config.c Lines: 152 387 39.3 %
Date: 2017-11-13 Branches: 49 212 23.1 %

Line Branch Exec Source
1
/* $OpenBSD: tls_config.c,v 1.44 2017/09/25 18:07:03 jsing Exp $ */
2
/*
3
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4
 *
5
 * Permission to use, copy, modify, and distribute this software for any
6
 * purpose with or without fee is hereby granted, provided that the above
7
 * copyright notice and this permission notice appear in all copies.
8
 *
9
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16
 */
17
18
#include <sys/stat.h>
19
20
#include <ctype.h>
21
#include <errno.h>
22
#include <fcntl.h>
23
#include <stdlib.h>
24
#include <unistd.h>
25
26
#include <tls.h>
27
#include "tls_internal.h"
28
29
static int
30
set_string(const char **dest, const char *src)
31
{
32
68
	free((char *)*dest);
33
34
	*dest = NULL;
34
34
	if (src != NULL)
35
34
		if ((*dest = strdup(src)) == NULL)
36
			return -1;
37
34
	return 0;
38
34
}
39
40
static void *
41
memdup(const void *in, size_t len)
42
{
43
	void *out;
44
45
	if ((out = malloc(len)) == NULL)
46
		return NULL;
47
	memcpy(out, in, len);
48
	return out;
49
}
50
51
static int
52
set_mem(char **dest, size_t *destlen, const void *src, size_t srclen)
53
{
54
48
	free(*dest);
55
24
	*dest = NULL;
56
24
	*destlen = 0;
57
24
	if (src != NULL)
58
		if ((*dest = memdup(src, srclen)) == NULL)
59
			return -1;
60
24
	*destlen = srclen;
61
24
	return 0;
62
24
}
63
64
static struct tls_keypair *
65
tls_keypair_new(void)
66
{
67
68
	return calloc(1, sizeof(struct tls_keypair));
68
}
69
70
static void
71
tls_keypair_clear_key(struct tls_keypair *keypair)
72
{
73
48
	freezero(keypair->key_mem, keypair->key_len);
74
24
	keypair->key_mem = NULL;
75
24
	keypair->key_len = 0;
76
24
}
77
78
static int
79
tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
80
    const char *cert_file)
81
{
82
6
	return tls_config_load_file(error, "certificate", cert_file,
83
12
	    &keypair->cert_mem, &keypair->cert_len);
84
}
85
86
static int
87
tls_keypair_set_cert_mem(struct tls_keypair *keypair, const uint8_t *cert,
88
    size_t len)
89
{
90
24
	return set_mem(&keypair->cert_mem, &keypair->cert_len, cert, len);
91
}
92
93
static int
94
tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
95
    const char *key_file)
96
{
97
24
	tls_keypair_clear_key(keypair);
98
12
	return tls_config_load_file(error, "key", key_file,
99
12
	    &keypair->key_mem, &keypair->key_len);
100
}
101
102
static int
103
tls_keypair_set_key_mem(struct tls_keypair *keypair, const uint8_t *key,
104
    size_t len)
105
{
106
24
	tls_keypair_clear_key(keypair);
107
12
	return set_mem(&keypair->key_mem, &keypair->key_len, key, len);
108
}
109
110
static int
111
tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
112
    struct tls_error *error, const char *ocsp_file)
113
{
114
	return tls_config_load_file(error, "ocsp", ocsp_file,
115
	    &keypair->ocsp_staple, &keypair->ocsp_staple_len);
116
}
117
118
static int
119
tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair,
120
    const uint8_t *staple, size_t len)
121
{
122
	return set_mem(&keypair->ocsp_staple, &keypair->ocsp_staple_len, staple,
123
	    len);
124
}
125
126
static void
127
tls_keypair_clear(struct tls_keypair *keypair)
128
{
129
24
	tls_keypair_set_cert_mem(keypair, NULL, 0);
130
12
	tls_keypair_set_key_mem(keypair, NULL, 0);
131
12
}
132
133
static void
134
tls_keypair_free(struct tls_keypair *keypair)
135
{
136
24
	if (keypair == NULL)
137
		return;
138
139
12
	tls_keypair_clear(keypair);
140
141
12
	free(keypair->cert_mem);
142
12
	free(keypair->key_mem);
143
12
	free(keypair->ocsp_staple);
144
12
	free(keypair->pubkey_hash);
145
146
12
	free(keypair);
147
24
}
148
149
int
150
tls_config_load_file(struct tls_error *error, const char *filetype,
151
    const char *filename, char **buf, size_t *len)
152
{
153
48
	struct stat st;
154
	int fd = -1;
155
	ssize_t n;
156
157
24
	free(*buf);
158
24
	*buf = NULL;
159
24
	*len = 0;
160
161
24
	if ((fd = open(filename, O_RDONLY)) == -1) {
162
		tls_error_set(error, "failed to open %s file '%s'",
163
		    filetype, filename);
164
		goto fail;
165
	}
166
24
	if (fstat(fd, &st) != 0) {
167
		tls_error_set(error, "failed to stat %s file '%s'",
168
		    filetype, filename);
169
		goto fail;
170
	}
171
24
	if (st.st_size < 0)
172
		goto fail;
173
24
	*len = (size_t)st.st_size;
174
24
	if ((*buf = malloc(*len)) == NULL) {
175
		tls_error_set(error, "failed to allocate buffer for "
176
		    "%s file", filetype);
177
		goto fail;
178
	}
179
24
	n = read(fd, *buf, *len);
180

48
	if (n < 0 || (size_t)n != *len) {
181
		tls_error_set(error, "failed to read %s file '%s'",
182
		    filetype, filename);
183
		goto fail;
184
	}
185
24
	close(fd);
186
24
	return 0;
187
188
 fail:
189
	if (fd != -1)
190
		close(fd);
191
	freezero(*buf, *len);
192
	*buf = NULL;
193
	*len = 0;
194
195
	return -1;
196
24
}
197
198
struct tls_config *
199
tls_config_new(void)
200
{
201
	struct tls_config *config;
202
68
	unsigned char sid[TLS_MAX_SESSION_ID_LENGTH];
203
204
34
	if ((config = calloc(1, sizeof(*config))) == NULL)
205
		return (NULL);
206
207
34
	if ((config->keypair = tls_keypair_new()) == NULL)
208
		goto err;
209
210
34
	config->refcount = 1;
211
212
	/*
213
	 * Default configuration.
214
	 */
215
34
	if (tls_config_set_dheparams(config, "none") != 0)
216
		goto err;
217
34
	if (tls_config_set_ecdhecurves(config, "default") != 0)
218
		goto err;
219
34
	if (tls_config_set_ciphers(config, "secure") != 0)
220
		goto err;
221
222
34
	if (tls_config_set_protocols(config, TLS_PROTOCOLS_DEFAULT) != 0)
223
		goto err;
224
34
	if (tls_config_set_verify_depth(config, 6) != 0)
225
		goto err;
226
227
	/*
228
	 * Set session ID context to a random value.  For the simple case
229
	 * of a single process server this is good enough. For multiprocess
230
	 * servers the session ID needs to be set by the caller.
231
	 */
232
34
	arc4random_buf(sid, sizeof(sid));
233
34
	if (tls_config_set_session_id(config, sid, sizeof(sid)) != 0)
234
		goto err;
235
34
	config->ticket_keyrev = arc4random();
236
34
	config->ticket_autorekey = 1;
237
238
34
	tls_config_prefer_ciphers_server(config);
239
240
34
	tls_config_verify(config);
241
242
34
	return (config);
243
244
 err:
245
	tls_config_free(config);
246
	return (NULL);
247
34
}
248
249
void
250
tls_config_free(struct tls_config *config)
251
{
252
	struct tls_keypair *kp, *nkp;
253
254
1900
	if (config == NULL)
255
806
		return;
256
257
144
	if (--config->refcount > 0)
258
132
		return;
259
260
48
	for (kp = config->keypair; kp != NULL; kp = nkp) {
261
12
		nkp = kp->next;
262
12
		tls_keypair_free(kp);
263
	}
264
265
12
	free(config->error.msg);
266
267
12
	free(config->alpn);
268
12
	free((char *)config->ca_mem);
269
12
	free((char *)config->ca_path);
270
12
	free((char *)config->ciphers);
271
12
	free((char *)config->crl_mem);
272
12
	free(config->ecdhecurves);
273
274
12
	free(config);
275
962
}
276
277
static void
278
tls_config_keypair_add(struct tls_config *config, struct tls_keypair *keypair)
279
{
280
	struct tls_keypair *kp;
281
282
	kp = config->keypair;
283
	while (kp->next != NULL)
284
		kp = kp->next;
285
286
	kp->next = keypair;
287
}
288
289
const char *
290
tls_config_error(struct tls_config *config)
291
{
292
	return config->error.msg;
293
}
294
295
void
296
tls_config_clear_keys(struct tls_config *config)
297
{
298
	struct tls_keypair *kp;
299
300
	for (kp = config->keypair; kp != NULL; kp = kp->next)
301
		tls_keypair_clear(kp);
302
303
	tls_config_set_ca_mem(config, NULL, 0);
304
	tls_config_set_crl_mem(config, NULL, 0);
305
}
306
307
int
308
tls_config_parse_protocols(uint32_t *protocols, const char *protostr)
309
{
310
	uint32_t proto, protos = 0;
311
	char *s, *p, *q;
312
	int negate;
313
314
	if (protostr == NULL)
315
		return TLS_PROTOCOLS_DEFAULT;
316
317
	if ((s = strdup(protostr)) == NULL)
318
		return (-1);
319
320
	q = s;
321
	while ((p = strsep(&q, ",:")) != NULL) {
322
		while (*p == ' ' || *p == '\t')
323
			p++;
324
325
		negate = 0;
326
		if (*p == '!') {
327
			negate = 1;
328
			p++;
329
		}
330
331
		if (negate && protos == 0)
332
			protos = TLS_PROTOCOLS_ALL;
333
334
		proto = 0;
335
		if (strcasecmp(p, "all") == 0 ||
336
		    strcasecmp(p, "legacy") == 0)
337
			proto = TLS_PROTOCOLS_ALL;
338
		else if (strcasecmp(p, "default") == 0 ||
339
		    strcasecmp(p, "secure") == 0)
340
			proto = TLS_PROTOCOLS_DEFAULT;
341
		if (strcasecmp(p, "tlsv1") == 0)
342
			proto = TLS_PROTOCOL_TLSv1;
343
		else if (strcasecmp(p, "tlsv1.0") == 0)
344
			proto = TLS_PROTOCOL_TLSv1_0;
345
		else if (strcasecmp(p, "tlsv1.1") == 0)
346
			proto = TLS_PROTOCOL_TLSv1_1;
347
		else if (strcasecmp(p, "tlsv1.2") == 0)
348
			proto = TLS_PROTOCOL_TLSv1_2;
349
350
		if (proto == 0) {
351
			free(s);
352
			return (-1);
353
		}
354
355
		if (negate)
356
			protos &= ~proto;
357
		else
358
			protos |= proto;
359
	}
360
361
	*protocols = protos;
362
363
	free(s);
364
365
	return (0);
366
}
367
368
static int
369
tls_config_parse_alpn(struct tls_config *config, const char *alpn,
370
    char **alpn_data, size_t *alpn_len)
371
{
372
	size_t buf_len, i, len;
373
	char *buf = NULL;
374
	char *s = NULL;
375
	char *p, *q;
376
377
	free(*alpn_data);
378
	*alpn_data = NULL;
379
	*alpn_len = 0;
380
381
	if ((buf_len = strlen(alpn) + 1) > 65535) {
382
		tls_config_set_errorx(config, "alpn too large");
383
		goto err;
384
	}
385
386
	if ((buf = malloc(buf_len)) == NULL) {
387
		tls_config_set_errorx(config, "out of memory");
388
		goto err;
389
	}
390
391
	if ((s = strdup(alpn)) == NULL) {
392
		tls_config_set_errorx(config, "out of memory");
393
		goto err;
394
	}
395
396
	i = 0;
397
	q = s;
398
	while ((p = strsep(&q, ",")) != NULL) {
399
		if ((len = strlen(p)) == 0) {
400
			tls_config_set_errorx(config,
401
			    "alpn protocol with zero length");
402
			goto err;
403
		}
404
		if (len > 255) {
405
			tls_config_set_errorx(config,
406
			    "alpn protocol too long");
407
			goto err;
408
		}
409
		buf[i++] = len & 0xff;
410
		memcpy(&buf[i], p, len);
411
		i += len;
412
	}
413
414
	free(s);
415
416
	*alpn_data = buf;
417
	*alpn_len = buf_len;
418
419
	return (0);
420
421
 err:
422
	free(buf);
423
	free(s);
424
425
	return (-1);
426
}
427
428
int
429
tls_config_set_alpn(struct tls_config *config, const char *alpn)
430
{
431
	return tls_config_parse_alpn(config, alpn, &config->alpn,
432
	    &config->alpn_len);
433
}
434
435
static int
436
tls_config_add_keypair_file_internal(struct tls_config *config,
437
    const char *cert_file, const char *key_file, const char *ocsp_file)
438
{
439
	struct tls_keypair *keypair;
440
441
	if ((keypair = tls_keypair_new()) == NULL)
442
		return (-1);
443
	if (tls_keypair_set_cert_file(keypair, &config->error, cert_file) != 0)
444
		goto err;
445
	if (tls_keypair_set_key_file(keypair, &config->error, key_file) != 0)
446
		goto err;
447
	if (ocsp_file != NULL &&
448
	    tls_keypair_set_ocsp_staple_file(keypair, &config->error,
449
		ocsp_file) != 0)
450
		goto err;
451
452
	tls_config_keypair_add(config, keypair);
453
454
	return (0);
455
456
 err:
457
	tls_keypair_free(keypair);
458
	return (-1);
459
}
460
461
static int
462
tls_config_add_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
463
    size_t cert_len, const uint8_t *key, size_t key_len,
464
    const uint8_t *staple, size_t staple_len)
465
{
466
	struct tls_keypair *keypair;
467
468
	if ((keypair = tls_keypair_new()) == NULL)
469
		return (-1);
470
	if (tls_keypair_set_cert_mem(keypair, cert, cert_len) != 0)
471
		goto err;
472
	if (tls_keypair_set_key_mem(keypair, key, key_len) != 0)
473
		goto err;
474
	if (staple != NULL &&
475
	    tls_keypair_set_ocsp_staple_mem(keypair, staple, staple_len) != 0)
476
		goto err;
477
478
	tls_config_keypair_add(config, keypair);
479
480
	return (0);
481
482
 err:
483
	tls_keypair_free(keypair);
484
	return (-1);
485
}
486
487
int
488
tls_config_add_keypair_mem(struct tls_config *config, const uint8_t *cert,
489
    size_t cert_len, const uint8_t *key, size_t key_len)
490
{
491
	return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
492
	    key_len, NULL, 0);
493
}
494
495
int
496
tls_config_add_keypair_file(struct tls_config *config,
497
    const char *cert_file, const char *key_file)
498
{
499
	return tls_config_add_keypair_file_internal(config, cert_file,
500
	    key_file, NULL);
501
}
502
503
int
504
tls_config_add_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
505
    size_t cert_len, const uint8_t *key, size_t key_len, const uint8_t *staple,
506
    size_t staple_len)
507
{
508
	return tls_config_add_keypair_mem_internal(config, cert, cert_len, key,
509
	    key_len, staple, staple_len);
510
}
511
512
int
513
tls_config_add_keypair_ocsp_file(struct tls_config *config,
514
    const char *cert_file, const char *key_file, const char *ocsp_file)
515
{
516
	return tls_config_add_keypair_file_internal(config, cert_file,
517
	    key_file, ocsp_file);
518
}
519
520
int
521
tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
522
{
523
18
	return tls_config_load_file(&config->error, "CA", ca_file,
524
6
	    &config->ca_mem, &config->ca_len);
525
}
526
527
int
528
tls_config_set_ca_path(struct tls_config *config, const char *ca_path)
529
{
530
	return set_string(&config->ca_path, ca_path);
531
}
532
533
int
534
tls_config_set_ca_mem(struct tls_config *config, const uint8_t *ca, size_t len)
535
{
536
	return set_mem(&config->ca_mem, &config->ca_len, ca, len);
537
}
538
539
int
540
tls_config_set_cert_file(struct tls_config *config, const char *cert_file)
541
{
542
12
	return tls_keypair_set_cert_file(config->keypair, &config->error,
543
	    cert_file);
544
}
545
546
int
547
tls_config_set_cert_mem(struct tls_config *config, const uint8_t *cert,
548
    size_t len)
549
{
550
	return tls_keypair_set_cert_mem(config->keypair, cert, len);
551
}
552
553
int
554
tls_config_set_ciphers(struct tls_config *config, const char *ciphers)
555
{
556
	SSL_CTX *ssl_ctx = NULL;
557
558

102
	if (ciphers == NULL ||
559
34
	    strcasecmp(ciphers, "default") == 0 ||
560
34
	    strcasecmp(ciphers, "secure") == 0)
561
34
		ciphers = TLS_CIPHERS_DEFAULT;
562
	else if (strcasecmp(ciphers, "compat") == 0)
563
		ciphers = TLS_CIPHERS_COMPAT;
564
	else if (strcasecmp(ciphers, "legacy") == 0)
565
		ciphers = TLS_CIPHERS_LEGACY;
566
	else if (strcasecmp(ciphers, "all") == 0 ||
567
	    strcasecmp(ciphers, "insecure") == 0)
568
		ciphers = TLS_CIPHERS_ALL;
569
570
34
	if ((ssl_ctx = SSL_CTX_new(SSLv23_method())) == NULL) {
571
		tls_config_set_errorx(config, "out of memory");
572
		goto fail;
573
	}
574
34
	if (SSL_CTX_set_cipher_list(ssl_ctx, ciphers) != 1) {
575
		tls_config_set_errorx(config, "no ciphers for '%s'", ciphers);
576
		goto fail;
577
	}
578
579
34
	SSL_CTX_free(ssl_ctx);
580
34
	return set_string(&config->ciphers, ciphers);
581
582
 fail:
583
	SSL_CTX_free(ssl_ctx);
584
	return -1;
585
34
}
586
587
int
588
tls_config_set_crl_file(struct tls_config *config, const char *crl_file)
589
{
590
	return tls_config_load_file(&config->error, "CRL", crl_file,
591
	    &config->crl_mem, &config->crl_len);
592
}
593
594
int
595
tls_config_set_crl_mem(struct tls_config *config, const uint8_t *crl,
596
    size_t len)
597
{
598
	return set_mem(&config->crl_mem, &config->crl_len, crl, len);
599
}
600
601
int
602
tls_config_set_dheparams(struct tls_config *config, const char *params)
603
{
604
	int keylen;
605
606

102
	if (params == NULL || strcasecmp(params, "none") == 0)
607
34
		keylen = 0;
608
	else if (strcasecmp(params, "auto") == 0)
609
		keylen = -1;
610
	else if (strcasecmp(params, "legacy") == 0)
611
		keylen = 1024;
612
	else {
613
		tls_config_set_errorx(config, "invalid dhe param '%s'", params);
614
		return (-1);
615
	}
616
617
34
	config->dheparams = keylen;
618
619
34
	return (0);
620
34
}
621
622
int
623
tls_config_set_ecdhecurve(struct tls_config *config, const char *curve)
624
{
625
	if (strchr(curve, ',') != NULL || strchr(curve, ':') != NULL) {
626
		tls_config_set_errorx(config, "invalid ecdhe curve '%s'",
627
		    curve);
628
		return (-1);
629
	}
630
631
	if (curve == NULL ||
632
	    strcasecmp(curve, "none") == 0 ||
633
	    strcasecmp(curve, "auto") == 0)
634
		curve = TLS_ECDHE_CURVES;
635
636
	return tls_config_set_ecdhecurves(config, curve);
637
}
638
639
int
640
tls_config_set_ecdhecurves(struct tls_config *config, const char *curves)
641
{
642
	int *curves_list = NULL, *curves_new;
643
	size_t curves_num = 0;
644
	char *cs = NULL;
645
68
	char *p, *q;
646
	int rv = -1;
647
	int nid;
648
649
34
	free(config->ecdhecurves);
650
34
	config->ecdhecurves = NULL;
651
34
	config->ecdhecurves_len = 0;
652
653

68
	if (curves == NULL || strcasecmp(curves, "default") == 0)
654
34
		curves = TLS_ECDHE_CURVES;
655
656
34
	if ((cs = strdup(curves)) == NULL) {
657
		tls_config_set_errorx(config, "out of memory");
658
		goto err;
659
	}
660
661
34
	q = cs;
662
272
	while ((p = strsep(&q, ",:")) != NULL) {
663

408
		while (*p == ' ' || *p == '\t')
664
			p++;
665
666
102
		nid = OBJ_sn2nid(p);
667
102
		if (nid == NID_undef)
668
68
			nid = OBJ_ln2nid(p);
669
102
		if (nid == NID_undef)
670
68
			nid = EC_curve_nist2nid(p);
671
102
		if (nid == NID_undef) {
672
			tls_config_set_errorx(config,
673
			    "invalid ecdhe curve '%s'", p);
674
			goto err;
675
		}
676
677
204
		if ((curves_new = reallocarray(curves_list, curves_num + 1,
678
102
		    sizeof(int))) == NULL) {
679
			tls_config_set_errorx(config, "out of memory");
680
			goto err;
681
		}
682
		curves_list = curves_new;
683
102
		curves_list[curves_num] = nid;
684
		curves_num++;
685
	}
686
687
34
	config->ecdhecurves = curves_list;
688
34
	config->ecdhecurves_len = curves_num;
689
	curves_list = NULL;
690
691
34
	rv = 0;
692
693
 err:
694
34
	free(cs);
695
34
	free(curves_list);
696
697
34
	return (rv);
698
34
}
699
700
int
701
tls_config_set_key_file(struct tls_config *config, const char *key_file)
702
{
703
24
	return tls_keypair_set_key_file(config->keypair, &config->error,
704
	    key_file);
705
}
706
707
int
708
tls_config_set_key_mem(struct tls_config *config, const uint8_t *key,
709
    size_t len)
710
{
711
	return tls_keypair_set_key_mem(config->keypair, key, len);
712
}
713
714
static int
715
tls_config_set_keypair_file_internal(struct tls_config *config,
716
    const char *cert_file, const char *key_file, const char *ocsp_file)
717
{
718
12
	if (tls_config_set_cert_file(config, cert_file) != 0)
719
		return (-1);
720
6
	if (tls_config_set_key_file(config, key_file) != 0)
721
		return (-1);
722
6
	if (tls_config_set_key_file(config, key_file) != 0)
723
		return (-1);
724

6
	if (ocsp_file != NULL &&
725
	    tls_config_set_ocsp_staple_file(config, ocsp_file) != 0)
726
		return (-1);
727
728
6
	return (0);
729
6
}
730
731
static int
732
tls_config_set_keypair_mem_internal(struct tls_config *config, const uint8_t *cert,
733
    size_t cert_len, const uint8_t *key, size_t key_len,
734
    const uint8_t *staple, size_t staple_len)
735
{
736
	if (tls_config_set_cert_mem(config, cert, cert_len) != 0)
737
		return (-1);
738
	if (tls_config_set_key_mem(config, key, key_len) != 0)
739
		return (-1);
740
	if ((staple != NULL) &&
741
	    (tls_config_set_ocsp_staple_mem(config, staple, staple_len) != 0))
742
		return (-1);
743
744
	return (0);
745
}
746
747
int
748
tls_config_set_keypair_file(struct tls_config *config,
749
    const char *cert_file, const char *key_file)
750
{
751
12
	return tls_config_set_keypair_file_internal(config, cert_file, key_file,
752
	    NULL);
753
}
754
755
int
756
tls_config_set_keypair_mem(struct tls_config *config, const uint8_t *cert,
757
    size_t cert_len, const uint8_t *key, size_t key_len)
758
{
759
	return tls_config_set_keypair_mem_internal(config, cert, cert_len,
760
	    key, key_len, NULL, 0);
761
}
762
763
int
764
tls_config_set_keypair_ocsp_file(struct tls_config *config,
765
    const char *cert_file, const char *key_file, const char *ocsp_file)
766
{
767
	return tls_config_set_keypair_file_internal(config, cert_file, key_file,
768
	    ocsp_file);
769
}
770
771
int
772
tls_config_set_keypair_ocsp_mem(struct tls_config *config, const uint8_t *cert,
773
    size_t cert_len, const uint8_t *key, size_t key_len,
774
    const uint8_t *staple, size_t staple_len)
775
{
776
	return tls_config_set_keypair_mem_internal(config, cert, cert_len,
777
	    key, key_len, staple, staple_len);
778
}
779
780
781
int
782
tls_config_set_protocols(struct tls_config *config, uint32_t protocols)
783
{
784
68
	config->protocols = protocols;
785
786
34
	return (0);
787
}
788
789
int
790
tls_config_set_verify_depth(struct tls_config *config, int verify_depth)
791
{
792
68
	config->verify_depth = verify_depth;
793
794
34
	return (0);
795
}
796
797
void
798
tls_config_prefer_ciphers_client(struct tls_config *config)
799
{
800
	config->ciphers_server = 0;
801
}
802
803
void
804
tls_config_prefer_ciphers_server(struct tls_config *config)
805
{
806
68
	config->ciphers_server = 1;
807
34
}
808
809
void
810
tls_config_insecure_noverifycert(struct tls_config *config)
811
{
812
	config->verify_cert = 0;
813
}
814
815
void
816
tls_config_insecure_noverifyname(struct tls_config *config)
817
{
818
12
	config->verify_name = 0;
819
6
}
820
821
void
822
tls_config_insecure_noverifytime(struct tls_config *config)
823
{
824
	config->verify_time = 0;
825
}
826
827
void
828
tls_config_verify(struct tls_config *config)
829
{
830
68
	config->verify_cert = 1;
831
34
	config->verify_name = 1;
832
34
	config->verify_time = 1;
833
34
}
834
835
void
836
tls_config_ocsp_require_stapling(struct tls_config *config)
837
{
838
	config->ocsp_require_stapling = 1;
839
}
840
841
void
842
tls_config_verify_client(struct tls_config *config)
843
{
844
	config->verify_client = 1;
845
}
846
847
void
848
tls_config_verify_client_optional(struct tls_config *config)
849
{
850
	config->verify_client = 2;
851
}
852
853
void
854
tls_config_skip_private_key_check(struct tls_config *config)
855
{
856
	config->skip_private_key_check = 1;
857
}
858
859
int
860
tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
861
{
862
	return tls_keypair_set_ocsp_staple_file(config->keypair, &config->error,
863
	    staple_file);
864
}
865
866
int
867
tls_config_set_ocsp_staple_mem(struct tls_config *config, const uint8_t *staple,
868
    size_t len)
869
{
870
	return tls_keypair_set_ocsp_staple_mem(config->keypair, staple, len);
871
}
872
873
int
874
tls_config_set_session_id(struct tls_config *config,
875
    const unsigned char *session_id, size_t len)
876
{
877
68
	if (len > TLS_MAX_SESSION_ID_LENGTH) {
878
		tls_config_set_errorx(config, "session ID too large");
879
		return (-1);
880
	}
881
34
	memset(config->session_id, 0, sizeof(config->session_id));
882
34
	memcpy(config->session_id, session_id, len);
883
34
	return (0);
884
34
}
885
886
int
887
tls_config_set_session_lifetime(struct tls_config *config, int lifetime)
888
{
889
	if (lifetime > TLS_MAX_SESSION_TIMEOUT) {
890
		tls_config_set_errorx(config, "session lifetime too large");
891
		return (-1);
892
	}
893
	if (lifetime != 0 && lifetime < TLS_MIN_SESSION_TIMEOUT) {
894
		tls_config_set_errorx(config, "session lifetime too small");
895
		return (-1);
896
	}
897
898
	config->session_lifetime = lifetime;
899
	return (0);
900
}
901
902
int
903
tls_config_add_ticket_key(struct tls_config *config, uint32_t keyrev,
904
    unsigned char *key, size_t keylen)
905
{
906
	struct tls_ticket_key newkey;
907
	int i;
908
909
	if (TLS_TICKET_KEY_SIZE != keylen ||
910
	    sizeof(newkey.aes_key) + sizeof(newkey.hmac_key) > keylen) {
911
		tls_config_set_errorx(config,
912
		    "wrong amount of ticket key data");
913
		return (-1);
914
	}
915
916
	keyrev = htonl(keyrev);
917
	memset(&newkey, 0, sizeof(newkey));
918
	memcpy(newkey.key_name, &keyrev, sizeof(keyrev));
919
	memcpy(newkey.aes_key, key, sizeof(newkey.aes_key));
920
	memcpy(newkey.hmac_key, key + sizeof(newkey.aes_key),
921
	    sizeof(newkey.hmac_key));
922
	newkey.time = time(NULL);
923
924
	for (i = 0; i < TLS_NUM_TICKETS; i++) {
925
		struct tls_ticket_key *tk = &config->ticket_keys[i];
926
		if (memcmp(newkey.key_name, tk->key_name,
927
		    sizeof(tk->key_name)) != 0)
928
			continue;
929
930
		/* allow re-entry of most recent key */
931
		if (i == 0 && memcmp(newkey.aes_key, tk->aes_key,
932
		    sizeof(tk->aes_key)) == 0 && memcmp(newkey.hmac_key,
933
		    tk->hmac_key, sizeof(tk->hmac_key)) == 0)
934
			return (0);
935
		tls_config_set_errorx(config, "ticket key already present");
936
		return (-1);
937
	}
938
939
	memmove(&config->ticket_keys[1], &config->ticket_keys[0],
940
	    sizeof(config->ticket_keys) - sizeof(config->ticket_keys[0]));
941
	config->ticket_keys[0] = newkey;
942
943
	config->ticket_autorekey = 0;
944
945
	return (0);
946
}
947
948
int
949
tls_config_ticket_autorekey(struct tls_config *config)
950
{
951
	unsigned char key[TLS_TICKET_KEY_SIZE];
952
	int rv;
953
954
	arc4random_buf(key, sizeof(key));
955
	rv = tls_config_add_ticket_key(config, config->ticket_keyrev++, key,
956
	    sizeof(key));
957
	config->ticket_autorekey = 1;
958
	return (rv);
959
}