This adds tls_config_error_code() and tls_error_code(), which will become
public API at a later date.
Additional error codes will be added in follow-up commits.
ok jsing@ beck@
EVP_EncryptInit_ex, EVP_DecryptInit_ex and HMAC_Init_ex are possible to
fail and return error.
Error from these functions will be fatal for the callback, and I choose to
return -1.
SSL_CTX_set_tlsext_ticket_key_cb.3 explains the return value of callback.
This also could fix Coverity CID 345319.
ok jsing@ tb@
Now that we have tls_init() under pthread_once(), automatically initialise
libtls from the entry point functions (tls_config(), tls_client() and
tls_server()) - this makes an explicit tls_init() call no longer a
requirement.
ok bcook@ beck@ inoguchi@
This fixes a bug where by a TLS server with SNI would always only return
the OCSP staple for the default keypair, rather than returning the OCSP
staple associated with the keypair that was selected via SNI.
Issue reported by William Graeber and confirmed by Andreas Bartelt.
Fix tested by William Graeber and Andreas Bartelt - thanks!
names of the elliptic curves that may be used during client and server
key exchange to be specified.
This deprecates tls_config_set_ecdhecurve(), which could only be used to
specify a single supported curve.
ok beck@
TLS Server Name extension, however seemingly several clients (including
Python, Ruby and Safari) violate the RFC. Given that this is a fairly
widespread issue, if we receive a TLS Server Name extension that contains
an IP literal, pretend that we did not receive the extension rather than
causing a handshake failure.
Issue raised by jsg@
ok jsg@
we can prevent libcrypto from going behind our back and trying to read
passwords from standard input (which we may not be permitted to do).
Found by jsg@ with httpd and password protected keys.
be called as soon as it has been passed to the final tls_configure() call,
simplifying lifetime tracking for the application.
Requested some time ago by tedu@.
ok beck@
rather than return codes. More strictly follow RFC 6125, in particular only
check the CN if there are no SAN identifiers present in the certificate
(per section 6.4.4).
Previous behaviour questioned by Daniel Stenberg <daniel at haxx dot se>.
ok beck@ jca@
issue where by calling tls_close() on a TLS context that has not attempted
a handshake, results in an unexpected failure.
Reported by Vinay Sajip.
ok beck@
lifetime with tls_config_set_session_lifetime(). This enables tickets
and uses an internal automatic rekeying mode for the ticket keys.
If multiple processes are involved the following functions can be used to make
tickets work accross all instances:
- tls_config_set_session_id() sets the session identifier
- tls_config_add_ticket_key() adds an encryption and authentication key
For now only the last 4 keys added will be used (unless they are too old).
If tls_config_add_ticket_key() is used the caller must ensure to add new keys
regularly. It is best to do this 4 times per session lifetime (which is also
the ticket key lifetime).
Since tickets break PFS it is best to minimize the session lifetime according
to needs.
With a lot of help, input and OK beck@, jsing@
This allows working with buffers and callback functions instead of directly on
sockets or file descriptors.
Original patch from Tobias Pape <tobias_at_netshed.de>.
ok beck@
that is required for certificate switching with libssl and the certificate
itself so that we can match against the subject and SANs. Hook up the
servername callback and switch to the appropriate SSL_CTX if we find a
matching certificate.
ok beck@
instead of assuming that they should use the one associated with the TLS
context. This allows these functions to be used with the additional
SSL contexts that are needed to support server-side SNI.
Also rename tls_configure_keypair() to tls_configure_ssl_keypair(), so that
these functions have a common prefix.
ok reyk@
and self-contained code, while preparing for the ability to handle
multiple keypairs. Also provide two additional functions that allow
a public certificate and private key to be set with a single function
call.
ok beck@
that we will pass the result through tls_ssl_error() on failure. Otherwise
we can end up reporting spurious errors due to their being unrelated errors
already on the error stack.
Spotted by Marko Kreen.
ok beck@
tls_accept/tls_connect functions can be guaranteed to succeed or fail and
will no longer return TLS_READ_AGAIN/TLS_WRITE_AGAIN. This also resolves
the semantics of tls_accept_*.
The tls_handshake() function now does I/O and can return
TLS_READ_AGAIN/TLS_WRITE_AGAIN. Calls to tls_read() and tls_write() will
trigger the handshake if it has not already completed, meaning that in many
cases existing code will continue to work.
Discussed over many coffees at l2k15.
ok beck@ bluhm@
The tls_set_error() function previously stored the errno but did nothing
with it. Change tls_set_error() to append the strerror(3) of the stored
errno so that we include useful information regarding failures.
Provide a tls_set_errorx() function that does not store the errno or
include strerror(3) in the error message. Call this function instead of
tls_set_error() for errors where the errno value has no useful meaning.
With feedback from and ok doug@
for the server, rather than on the context for the connection. This makes
more sense than the current behaviour does.
Issue reported by Tim van der Molen.
use for DHE. This enables the use of DHE cipher suites.
Rename tls_config_set_ecdhcurve() to tls_config_set_ecdhecurve() since it
is only used to specify the curve for ephemeral ECDH.
Discussed with reyk@
using the name of relayd relay or smtpd pki, use a 32 byte arc4random
buffer that should be unique for the context. This fixes an issue in
OpenSMTPD when a long pki name could break the configuration.
OK gilles@ benno@