Esempio n. 1
/*
 * Allocate a TLS configuration and load the default settings into it.
 *
 * Defaults set here: the CA file named by _PATH_SSL_CA_FILE, DHE
 * parameters "none", ECDHE curve "auto", the "secure" cipher list,
 * TLS_PROTOCOLS_DEFAULT and a verification depth of 6.
 *
 * Returns the new configuration, or NULL when the allocation or one of
 * the checked setters fails; on that path the partially built object is
 * released with tls_config_free() before returning.
 */
struct tls_config *
tls_config_new(void)
{
    struct tls_config *cfg = calloc(1, sizeof(*cfg));

    if (cfg == NULL)
        return (NULL);

    /*
     * Short-circuit evaluation runs the setters in order and stops at
     * the first failure, so no half-configured object is handed back.
     */
    if (tls_config_set_ca_file(cfg, _PATH_SSL_CA_FILE) != 0 ||
        tls_config_set_dheparams(cfg, "none") != 0 ||
        tls_config_set_ecdhecurve(cfg, "auto") != 0 ||
        tls_config_set_ciphers(cfg, "secure") != 0) {
        tls_config_free(cfg);
        return (NULL);
    }

    /*
     * NOTE(review): the results of these two setters are not inspected
     * here; confirm they cannot fail in this version of the library.
     */
    tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT);
    tls_config_set_verify_depth(cfg, 6);

    /*
     * NOTE(review): presumably switches peer verification on so that a
     * fresh configuration is safe by default; confirm in its definition.
     */
    tls_config_verify(cfg);

    return (cfg);
}
Esempio n. 2
/*
 * Allocate a TLS configuration, attach a fresh keypair and load the
 * default settings into it.
 *
 * Defaults set here: DHE parameters "none", ECDHE curves "default", the
 * "secure" cipher list, TLS_PROTOCOLS_DEFAULT, a verification depth of 6,
 * a random session ID context, a random ticket key revision and automatic
 * ticket rekeying.
 *
 * Returns the new configuration with refcount 1, or NULL when the
 * allocation, the keypair creation or any setter fails; the failure path
 * releases the object with tls_config_free().
 */
struct tls_config *
tls_config_new_internal(void)
{
	unsigned char ctx_id[TLS_MAX_SESSION_ID_LENGTH];
	struct tls_config *cfg;

	cfg = calloc(1, sizeof(*cfg));
	if (cfg == NULL)
		return (NULL);

	cfg->keypair = tls_keypair_new();
	if (cfg->keypair == NULL)
		goto err;

	cfg->refcount = 1;
	/* -1 marks "no session file descriptor set". */
	cfg->session_fd = -1;

	/*
	 * Default configuration.  The setters run in order and the first
	 * failure abandons the whole object.
	 */
	if (tls_config_set_dheparams(cfg, "none") != 0 ||
	    tls_config_set_ecdhecurves(cfg, "default") != 0 ||
	    tls_config_set_ciphers(cfg, "secure") != 0 ||
	    tls_config_set_protocols(cfg, TLS_PROTOCOLS_DEFAULT) != 0 ||
	    tls_config_set_verify_depth(cfg, 6) != 0)
		goto err;

	/*
	 * The session ID context is filled with random bytes.  That is
	 * sufficient for a single-process server; a multiprocess server
	 * needs the caller to set the session ID itself.
	 */
	arc4random_buf(ctx_id, sizeof(ctx_id));
	if (tls_config_set_session_id(cfg, ctx_id, sizeof(ctx_id)) != 0)
		goto err;
	cfg->ticket_keyrev = arc4random();
	cfg->ticket_autorekey = 1;

	tls_config_prefer_ciphers_server(cfg);

	/*
	 * NOTE(review): presumably switches peer verification on by
	 * default; confirm in the definition of tls_config_verify().
	 */
	tls_config_verify(cfg);

	return (cfg);

err:
	tls_config_free(cfg);
	return (NULL);
}
Esempio n. 3
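/*
 * Initialise libtls and build the TLS configuration for HTTPS transfers.
 *
 * The base configuration comes from tls_config_new() and is then widened
 * to TLS_PROTOCOLS_ALL and the "compat" cipher list.  If tls_options is
 * set, each suboption in it is parsed with getsubopt() and applied on top.
 *
 * Every failure terminates the program through errx(1, ...), so the
 * function only returns on success, with a non-NULL configuration.
 *
 * Security notes for reviewers:
 *  - TLS_PROTOCOLS_ALL and "compat" trade the library's stricter defaults
 *    for interoperability with older servers.
 *  - HTTP_TLS_DONTVERIFY turns off both certificate and name verification;
 *    the peer is then unauthenticated, so it should be limited to testing.
 */
struct tls_config *
https_init(void)
{
	struct tls_config	*tls_config;
	char			*str;
	int			 depth;
	uint32_t		 http_tls_protocols;
	const char		*errstr;

	if (tls_init() != 0)
		errx(1, "tls init failed");

	if ((tls_config = tls_config_new()) == NULL)
		errx(1, "tls config_new failed");

	/*
	 * NOTE(review): the result of tls_config_set_protocols() is not
	 * inspected here or below; confirm it cannot fail in this version.
	 */
	tls_config_set_protocols(tls_config, TLS_PROTOCOLS_ALL);
	if (tls_config_set_ciphers(tls_config, "compat") != 0)
		errx(1, "tls set ciphers failed");

	/* No user-supplied TLS suboptions: keep the configuration as is. */
	if (tls_options == NULL)
		return tls_config;

	while (*tls_options) {
		switch (getsubopt(&tls_options, tls_verify_opts, &str)) {
		case HTTP_TLS_CAFILE:
			if (str == NULL)
				errx(1, "missing CA file");
			if (tls_config_set_ca_file(tls_config, str) != 0)
				errx(1, "tls ca file failed");
			break;
		case HTTP_TLS_CAPATH:
			if (str == NULL)
				errx(1, "missing ca path");
			if (tls_config_set_ca_path(tls_config, str) != 0)
				errx(1, "tls ca path failed");
			break;
		case HTTP_TLS_CIPHERS:
			if (str == NULL)
				errx(1, "missing cipher list");
			if (tls_config_set_ciphers(tls_config, str) != 0)
				errx(1, "tls set ciphers failed");
			break;
		case HTTP_TLS_DONTVERIFY:
			/* Disables certificate and hostname checks together. */
			tls_config_insecure_noverifycert(tls_config);
			tls_config_insecure_noverifyname(tls_config);
			break;
		case HTTP_TLS_PROTOCOLS:
			/*
			 * getsubopt() leaves str NULL when the suboption has
			 * no "=value"; reject that here, as the other cases
			 * do, rather than handing NULL to the parser.
			 */
			if (str == NULL)
				errx(1, "missing protocol list");
			if (tls_config_parse_protocols(&http_tls_protocols,
			    str) != 0)
				errx(1, "tls parsing protocols failed");
			tls_config_set_protocols(tls_config,
			    http_tls_protocols);
			break;
		case HTTP_TLS_VERIFYDEPTH:
			if (str == NULL)
				errx(1, "missing depth");
			/* Bounded to [0, INT_MAX] so the value fits in int. */
			depth = strtonum(str, 0, INT_MAX, &errstr);
			if (errstr)
				errx(1, "Cert validation depth is %s", errstr);
			tls_config_set_verify_depth(tls_config, depth);
			break;
		default:
			errx(1, "Unknown -S suboption `%s'",
			    suboptarg ? suboptarg : "");
		}
	}

	return tls_config;
}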