/*
 * Load a DER/PEM OCSP response from ocsp_file into keypair->ocsp_staple
 * (length in keypair->ocsp_staple_len) so it can be stapled to handshakes.
 *
 * Returns the result of tls_config_load_file(): 0 on success, non-zero on
 * failure with the reason recorded in *error.
 *
 * NOTE(review): unlike tls_keypair_set_key_file(), no explicit clear runs
 * before the load — presumably tls_config_load_file() releases any buffer
 * already held in keypair->ocsp_staple; confirm against its definition.
 */
int
tls_keypair_set_ocsp_staple_file(struct tls_keypair *keypair,
    struct tls_error *error, const char *ocsp_file)
{
	int rv;

	rv = tls_config_load_file(error, "ocsp", ocsp_file,
	    &keypair->ocsp_staple, &keypair->ocsp_staple_len);

	return (rv);
}
/*
 * Replace the keypair's private key with the contents of key_file.
 *
 * The existing key is cleared with tls_keypair_clear_key() before the new
 * file is read (presumably so the old private key bytes are wiped rather
 * than merely freed — see that helper), then the file is loaded into
 * keypair->key_mem / keypair->key_len.
 *
 * Returns the result of tls_config_load_file(): 0 on success, non-zero on
 * failure with the reason recorded in *error.  On failure the previous key
 * has already been cleared and is not restored.
 */
int
tls_keypair_set_key_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *key_file)
{
	int rv;

	/* Wipe the old key first; the load below does not do this for us. */
	tls_keypair_clear_key(keypair);

	rv = tls_config_load_file(error, "key", key_file,
	    &keypair->key_mem, &keypair->key_len);

	return (rv);
}
/*
 * Load the certificate (chain) from cert_file into keypair->cert_mem /
 * keypair->cert_len and then refresh the cached public key hash via
 * tls_keypair_pubkey_hash().
 *
 * Returns -1 if the file could not be loaded (error set in *error, hash
 * left untouched); otherwise returns whatever tls_keypair_pubkey_hash()
 * returns, which is expected to be 0 on success and -1 on failure.
 */
int
tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error,
    const char *cert_file)
{
	int rv;

	rv = tls_config_load_file(error, "certificate", cert_file,
	    &keypair->cert_mem, &keypair->cert_len);

	/* Only hash the new certificate if it was actually loaded. */
	if (rv != -1)
		rv = tls_keypair_pubkey_hash(keypair, error);

	return (rv);
}
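/*
 * Install the CRL(s) found in the PEM bundle crl_mem (crl_len bytes) into
 * the SSL_CTX's certificate store and turn on CRL checking for every
 * certificate in the chain.
 *
 * Helper for tls_configure_ssl_verify().  Returns 0 on success, -1 on
 * failure with an error message recorded on ctx.
 */
static int
tls_configure_ssl_verify_crl(struct tls *ctx, SSL_CTX *ssl_ctx, char *crl_mem,
    size_t crl_len)
{
	STACK_OF(X509_INFO) *xis = NULL;
	X509_STORE *store;
	X509_INFO *xi;
	BIO *bio = NULL;
	int rv = -1;
	int i;

	/* BIO_new_mem_buf() takes an int length; refuse anything larger. */
	if (crl_len > INT_MAX) {
		tls_set_errorx(ctx, "crl too long");
		goto err;
	}
	if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
		tls_set_errorx(ctx, "failed to create buffer");
		goto err;
	}
	if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
	    NULL)) == NULL) {
		tls_set_errorx(ctx, "failed to parse crl");
		goto err;
	}

	store = SSL_CTX_get_cert_store(ssl_ctx);
	for (i = 0; i < sk_X509_INFO_num(xis); i++) {
		xi = sk_X509_INFO_value(xis, i);
		/* The bundle may also carry certificates; only CRLs are used. */
		if (xi->crl == NULL)
			continue;
		/*
		 * X509_STORE_add_crl() takes its own reference to the CRL, so
		 * the X509_INFO keeps ownership of xi->crl and it is released
		 * by sk_X509_INFO_pop_free() below.  (Nulling xi->crl here
		 * would leave that reference unreleased.)
		 */
		if (!X509_STORE_add_crl(store, xi->crl)) {
			/* Library failure, not a syscall: no errno to report. */
			tls_set_errorx(ctx, "failed to add crl");
			goto err;
		}
	}

	/*
	 * CRL_CHECK_ALL makes verification require a CRL for every
	 * certificate in the chain, not only the leaf: a missing CRL is a
	 * verification failure, not a silent skip.  X509_STORE_set_flags()
	 * is used instead of poking store->param so the code does not depend
	 * on X509_STORE being a transparent struct.
	 */
	X509_STORE_set_flags(store,
	    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

	rv = 0;

 err:
	sk_X509_INFO_pop_free(xis, X509_INFO_free);
	BIO_free(bio);

	return (rv);
}

/*
 * Configure peer certificate verification on ssl_ctx from ctx->config.
 *
 * Always installs the verify mode and the libtls certificate verify
 * callback (tls_ssl_cert_verify_cb) and, when config->verify_depth is
 * non-negative, the chain depth limit.  If config->verify_cert is 0 that
 * is all that happens.  Otherwise the trust anchors are loaded — from
 * config->ca_mem if set, else from the directory config->ca_path if set,
 * else from the default file _PATH_SSL_CA_FILE — and any configured CRL
 * bundle is installed with full-chain CRL checking enabled.
 *
 * Parameters:
 *   ctx      libtls context whose config is consulted and whose error
 *            state receives failure details.
 *   ssl_ctx  the SSL_CTX being configured.
 *   verify   SSL_VERIFY_* mode passed straight to SSL_CTX_set_verify().
 *
 * Returns 0 on success, -1 on failure with an error recorded on ctx.
 */
int
tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
{
	size_t ca_len = ctx->config->ca_len;
	char *ca_mem = ctx->config->ca_mem;
	char *ca_free = NULL;
	int rv = -1;

	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);

	if (ctx->config->verify_depth >= 0)
		SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);

	/* Certificate verification disabled: no trust store to set up. */
	if (ctx->config->verify_cert == 0)
		goto done;

	/*
	 * If no CA has been specified, attempt to load the default.  The
	 * buffer is local to this call and freed on the way out.
	 */
	if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
		if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE,
		    &ca_mem, &ca_len) != 0)
			goto err;
		ca_free = ca_mem;
	}

	if (ca_mem != NULL) {
		/* SSL_CTX_load_verify_mem() takes an int length. */
		if (ca_len > INT_MAX) {
			tls_set_errorx(ctx, "ca too long");
			goto err;
		}
		if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
			tls_set_errorx(ctx, "ssl verify memory setup failure");
			goto err;
		}
	} else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
	    ctx->config->ca_path) != 1) {
		tls_set_errorx(ctx, "ssl verify locations failure");
		goto err;
	}

	/* CRLs are optional; only install them when a bundle was configured. */
	if (ctx->config->crl_mem != NULL) {
		if (tls_configure_ssl_verify_crl(ctx, ssl_ctx,
		    ctx->config->crl_mem, ctx->config->crl_len) == -1)
			goto err;
	}

 done:
	rv = 0;

 err:
	free(ca_free);

	return (rv);
}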
/*
 * Read the CRL bundle at crl_file into config->crl_mem / config->crl_len.
 *
 * The data is only stored here; it is installed into an SSL_CTX later by
 * tls_configure_ssl_verify().  Returns the result of tls_config_load_file():
 * 0 on success, non-zero on failure with the reason in config->error.
 */
int
tls_config_set_crl_file(struct tls_config *config, const char *crl_file)
{
	int rv;

	rv = tls_config_load_file(&config->error, "CRL", crl_file,
	    &config->crl_mem, &config->crl_len);

	return (rv);
}
/*
 * Read the trust anchor bundle at ca_file into config->ca_mem /
 * config->ca_len.
 *
 * Setting ca_mem means tls_configure_ssl_verify() will use this buffer as
 * the trust store instead of config->ca_path or the default CA file.
 * Returns the result of tls_config_load_file(): 0 on success, non-zero on
 * failure with the reason in config->error.
 */
int
tls_config_set_ca_file(struct tls_config *config, const char *ca_file)
{
	int rv;

	rv = tls_config_load_file(&config->error, "CA", ca_file,
	    &config->ca_mem, &config->ca_len);

	return (rv);
}