Download raw body.
libtls: a step towards privsep by default
Following up on our discussion [1] Ostap and I would like to share
work-in-progress patches for libtls. The overarching goal is to implement
privsep by default within libtls.
The two patches are:
* set_sign_cb.patch removes "fake keys" and temporarily exports
tls_config_set_sign_cb. With this patch libtls always uses a callback
for sign operation.
* set_sign_cb_relayd.patch integrates the previous patch into relayd.
The next step would be to also remove tls_config_set_sign_cb and implement
a privsep process in libtls. Then, relayd as well as smptd would not
need to fork their own privsep processes for tls. Other users of libtls
(e.g., httpd, syslogd, etc.) would get privsep automatically.
What do you think about this approach and the first patches?
[1] https://marc.info/?t=168829036200001
diff --git a/usr.sbin/relayd/ca.c b/usr.sbin/relayd/ca.c
index ea57b93e31e..b3e1f210d83 100644
--- a/usr.sbin/relayd/ca.c
+++ b/usr.sbin/relayd/ca.c
@@ -289,18 +289,14 @@ ca_dispatch_relay(int fd, struct privsep_proc *p, struct imsg *imsg)
* RSA privsep engine (called from unprivileged processes)
*/
-static const RSA_METHOD *rsa_default;
-static RSA_METHOD *rsae_method;
-
static int
-rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
+rsae_send_imsg(int flen, const u_char *from, u_char *to, const char *pubkey_hash,
int padding, u_int cmd)
{
struct privsep *ps = env->sc_ps;
struct pollfd pfd[1];
struct ctl_keyop cko;
int ret = 0;
- char *hash;
struct iovec iov[2];
struct imsgbuf *ibuf;
struct imsgev *iev;
@@ -309,9 +305,6 @@ rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
u_char *toptr;
static u_int seq = 0;
- if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
- return 0;
-
iev = proc_iev(ps, PROC_CA, ps->ps_instance);
ibuf = &iev->ibuf;
@@ -319,10 +312,9 @@ rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
* XXX this could be nicer...
*/
- (void)strlcpy(cko.cko_hash, hash, sizeof(cko.cko_hash));
+ (void)strlcpy(cko.cko_hash, pubkey_hash, sizeof(cko.cko_hash));
cko.cko_proc = ps->ps_instance;
cko.cko_flen = flen;
- cko.cko_tlen = RSA_size(rsa);
cko.cko_padding = padding;
cko.cko_cookie = seq++;
@@ -386,14 +378,10 @@ rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
if (imsg.hdr.type != cmd)
fatalx("invalid response");
- ret = cko.cko_tlen;
- if (ret > 0) {
- if (IMSG_DATA_SIZE(&imsg) !=
- (sizeof(cko) + ret))
- fatalx("data size");
- toptr = (u_char *)imsg.data + sizeof(cko);
- memcpy(to, toptr, ret);
- }
+ ret = IMSG_DATA_SIZE(&imsg) - sizeof(cko);
+ toptr = (u_char *)imsg.data + sizeof(cko);
+ memcpy(to, toptr, ret);
+
done = 1;
imsg_free(&imsg);
@@ -404,54 +392,22 @@ rsae_send_imsg(int flen, const u_char *from, u_char *to, RSA *rsa,
return ret;
}
-int
-rsae_priv_enc(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
+int sign_cb(void *cb_arg, const char *pubkey_hash,
+ const uint8_t *input, size_t input_len, int padding_type,
+ uint8_t **out_signature, size_t *out_signature_len)
{
- DPRINTF("%s:%d", __func__, __LINE__);
- return rsae_send_imsg(flen, from, to, rsa, padding, IMSG_CA_PRIVENC);
-}
+ int res = rsae_send_imsg(input_len, input, *out_signature, pubkey_hash, padding_type, IMSG_CA_PRIVENC);
-int
-rsae_priv_dec(int flen, const u_char *from, u_char *to, RSA *rsa, int padding)
-{
- DPRINTF("%s:%d", __func__, __LINE__);
- return rsae_send_imsg(flen, from, to, rsa, padding, IMSG_CA_PRIVDEC);
+ if (res == -1)
+ return -1;
+
+ *out_signature_len = (size_t) res;
+ return 0;
}
void
ca_engine_init(struct relayd *x_env)
{
- const char *errstr;
-
if (env == NULL)
env = x_env;
-
- if (rsa_default != NULL)
- return;
-
- if ((rsa_default = RSA_get_default_method()) == NULL) {
- errstr = "RSA_get_default_method";
- goto fail;
- }
-
- if ((rsae_method = RSA_meth_dup(rsa_default)) == NULL) {
- errstr = "RSA_meth_dup";
- goto fail;
- }
-
- RSA_meth_set_priv_enc(rsae_method, rsae_priv_enc);
- RSA_meth_set_priv_dec(rsae_method, rsae_priv_dec);
-
- RSA_meth_set_flags(rsae_method,
- RSA_meth_get_flags(rsa_default) | RSA_METHOD_FLAG_NO_CHECK);
- RSA_meth_set0_app_data(rsae_method,
- RSA_meth_get0_app_data(rsa_default));
-
- RSA_set_default_method(rsae_method);
-
- return;
-
- fail:
- RSA_meth_free(rsae_method);
- fatalx("%s: %s", __func__, errstr);
}
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index c29f3917152..e2f3d7aaaf6 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -2124,7 +2124,12 @@ relay_tls_ctx_create_proto(struct protocol *proto, struct tls_config *tls_cfg)
* This function is not publicy exported because it is a hack until libtls
* has a proper privsep setup
*/
-void tls_config_use_fake_private_key(struct tls_config *config);
+
+typedef int (*tls_sign_cb)(void *_cb_arg, const char *_pubkey_hash,
+ const uint8_t *_input, size_t _input_len, int _padding_type,
+ uint8_t **_out_signature, size_t *_out_signature_len);
+
+int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb, void *_cb_arg);
int
relay_tls_ctx_create(struct relay *rlay)
@@ -2189,7 +2194,7 @@ relay_tls_ctx_create(struct relay *rlay)
* contacted by the RSA engine. The TLS library needs at
* least the public key parameters in the current process.
*/
- tls_config_use_fake_private_key(tls_cfg);
+ tls_config_set_sign_cb(tls_cfg, sign_cb, NULL);
TAILQ_FOREACH(cert, env->sc_certs, cert_entry) {
if (cert->cert_relayid != rlay->rl_conf.id ||
@@ -2300,7 +2305,7 @@ relay_tls_inspect_create(struct relay *rlay, struct ctl_relay_event *cre)
goto err;
}
- tls_config_use_fake_private_key(tls_cfg);
+ tls_config_set_sign_cb(tls_cfg, sign_cb, NULL);
if (tls_config_set_keypair_ocsp_mem(tls_cfg,
cre->tlscert, cre->tlscert_len, NULL, 0, NULL, 0) != 0) {
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index ca178871a51..7fd473aa5cb 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1302,6 +1302,9 @@ int ssl_load_pkey(char *, off_t, X509 **, EVP_PKEY **);
void ca(struct privsep *, struct privsep_proc *);
void ca_engine_init(struct relayd *);
void hash_x509(X509 *cert, char *hash, size_t hashlen);
+int sign_cb(void *cb_arg, const char *pubkey_hash,
+ const uint8_t *input, size_t input_len, int padding_type,
+ uint8_t **out_signature, size_t *out_signature_len);
/* relayd.c */
struct host *host_find(struct relayd *, objid_t);
diff --git a/lib/libtls/Symbols.list b/lib/libtls/Symbols.list
index 42c039d2945..8c7faafeff1 100644
--- a/lib/libtls/Symbols.list
+++ b/lib/libtls/Symbols.list
@@ -43,9 +43,8 @@ tls_config_set_protocols
tls_config_set_session_id
tls_config_set_session_lifetime
tls_config_set_session_fd
+tls_config_set_sign_cb
tls_config_set_verify_depth
-tls_config_skip_private_key_check
-tls_config_use_fake_private_key
tls_config_verify
tls_config_verify_client
tls_config_verify_client_optional
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 41bb06d857f..ed2f042c7f7 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -275,6 +275,18 @@ tls_configure(struct tls *ctx, struct tls_config *config)
ctx->config = config;
ctx->keypair = config->keypair;
+ tls_signer_free(ctx->signer);
+
+ if (config->sign_cb != NULL) {
+ ctx->signer = NULL;
+ ctx->sign_cb = config->sign_cb;
+ ctx->sign_cb_arg = config->sign_cb_arg;
+ } else {
+ ctx->signer = tls_signer_new();
+ ctx->sign_cb = tls_signer_sign;
+ ctx->sign_cb_arg = ctx->signer;
+ }
+
if ((ctx->flags & TLS_SERVER) != 0)
return (tls_configure_server(ctx));
@@ -337,7 +349,8 @@ tls_cert_pubkey_hash(X509 *cert, char **hash)
}
static int
-tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
+tls_keypair_to_pubkey(struct tls *ctx, struct tls_keypair *keypair,
+ EVP_PKEY **pkey)
{
BIO *bio = NULL;
X509 *x509 = NULL;
@@ -347,21 +360,15 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
*pkey = NULL;
- if (ctx->config->use_fake_private_key) {
- mem = keypair->cert_mem;
- len = keypair->cert_len;
- } else {
- mem = keypair->key_mem;
- len = keypair->key_len;
- }
+ mem = keypair->cert_mem;
+ len = keypair->cert_len;
if (mem == NULL)
return (0);
if (len > INT_MAX) {
tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
- ctx->config->use_fake_private_key ?
- "certificate too long" : "key too long");
+ "certificate too long");
goto err;
}
@@ -370,25 +377,16 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
goto err;
}
- if (ctx->config->use_fake_private_key) {
- if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
- NULL)) == NULL) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to read X509 certificate");
- goto err;
- }
- if ((*pkey = X509_get_pubkey(x509)) == NULL) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to retrieve pubkey");
- goto err;
- }
- } else {
- if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
- NULL)) == NULL) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to read private key");
- goto err;
- }
+ if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
+ NULL)) == NULL) {
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+ "failed to read X509 certificate");
+ goto err;
+ }
+ if ((*pkey = X509_get_pubkey(x509)) == NULL) {
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+ "failed to retrieve pubkey");
+ goto err;
}
ret = 0;
@@ -407,15 +405,16 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
EC_KEY *eckey = NULL;
int ret = -1;
- /* Only install the pubkey hash if fake private keys are used. */
- if (!ctx->config->skip_private_key_check)
- return (0);
-
if (keypair->pubkey_hash == NULL) {
tls_set_errorx(ctx, TLS_ERROR_UNKNOWN, "public key hash not set");
goto err;
}
+ if (ctx->signer != NULL && tls_signer_add_keypair_mem(ctx->signer,
+ keypair->cert_mem, keypair->cert_len, keypair->key_mem,
+ keypair->key_len) == -1)
+ return (-1);
+
switch (EVP_PKEY_id(pkey)) {
case EVP_PKEY_RSA:
if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
@@ -424,15 +423,13 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
"RSA key setup failure");
goto err;
}
- if (ctx->config->sign_cb != NULL) {
- rsa_method = tls_signer_rsa_method();
- if (rsa_method == NULL ||
- RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
- RSA_set_method(rsa, rsa_method) == 0) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to setup RSA key");
- goto err;
- }
+ rsa_method = tls_signer_rsa_method();
+ if (rsa_method == NULL ||
+ RSA_set_ex_data(rsa, 1, ctx) == 0 ||
+ RSA_set_method(rsa, rsa_method) == 0) {
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+ "failed to setup RSA key");
+ goto err;
}
/* Reset the key to work around caching in OpenSSL 3. */
if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
@@ -448,15 +445,13 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
"EC key setup failure");
goto err;
}
- if (ctx->config->sign_cb != NULL) {
- ecdsa_method = tls_signer_ecdsa_method();
- if (ecdsa_method == NULL ||
- EC_KEY_set_ex_data(eckey, 1, ctx->config) == 0 ||
- EC_KEY_set_method(eckey, ecdsa_method) == 0) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to setup EC key");
- goto err;
- }
+ ecdsa_method = tls_signer_ecdsa_method();
+ if (ecdsa_method == NULL ||
+ EC_KEY_set_ex_data(eckey, 1, ctx) == 0 ||
+ EC_KEY_set_method(eckey, ecdsa_method) == 0) {
+ tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
+ "failed to setup EC key");
+ goto err;
}
/* Reset the key to work around caching in OpenSSL 3. */
if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
@@ -480,15 +475,10 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
int
tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
- struct tls_keypair *keypair, int required)
+ struct tls_keypair *keypair)
{
EVP_PKEY *pkey = NULL;
- if (!required &&
- keypair->cert_mem == NULL &&
- keypair->key_mem == NULL)
- return(0);
-
if (keypair->cert_mem != NULL) {
if (keypair->cert_len > INT_MAX) {
tls_set_errorx(ctx, TLS_ERROR_INVALID_ARGUMENT,
@@ -504,27 +494,20 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
}
}
- if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
+ if (tls_keypair_to_pubkey(ctx, keypair, &pkey) == -1)
goto err;
if (pkey != NULL) {
if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
goto err;
if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "failed to load private key");
+ "failed to configure SSL_CTX with pubkey");
goto err;
}
EVP_PKEY_free(pkey);
pkey = NULL;
}
- if (!ctx->config->skip_private_key_check &&
- SSL_CTX_check_private_key(ssl_ctx) != 1) {
- tls_set_errorx(ctx, TLS_ERROR_UNKNOWN,
- "private/public key mismatch");
- goto err;
- }
-
return (0);
err:
@@ -725,6 +708,9 @@ tls_reset(struct tls *ctx)
tls_config_free(ctx->config);
ctx->config = NULL;
+ tls_signer_free(ctx->signer);
+ ctx->signer = NULL;
+
SSL_CTX_free(ctx->ssl_ctx);
SSL_free(ctx->ssl_conn);
X509_free(ctx->ssl_peer_cert);
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index 97e1d402105..4a77e7aa827 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -326,7 +326,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
goto err;
if (tls_configure_ssl_keypair(ctx, ctx->ssl_ctx,
- ctx->config->keypair, 0) != 0)
+ ctx->config->keypair) != 0)
goto err;
if (ctx->config->verify_name) {
diff --git a/lib/libtls/tls_config.c b/lib/libtls/tls_config.c
index 10dc5003cbc..c118def7bf9 100644
--- a/lib/libtls/tls_config.c
+++ b/lib/libtls/tls_config.c
@@ -761,11 +761,11 @@ tls_config_set_session_fd(struct tls_config *config, int session_fd)
int
tls_config_set_sign_cb(struct tls_config *config, tls_sign_cb cb, void *cb_arg)
{
- config->use_fake_private_key = 1;
- config->skip_private_key_check = 1;
config->sign_cb = cb;
config->sign_cb_arg = cb_arg;
+ tls_config_clear_keys(config);
+
return (0);
}
@@ -833,19 +833,6 @@ tls_config_verify_client_optional(struct tls_config *config)
config->verify_client = 2;
}
-void
-tls_config_skip_private_key_check(struct tls_config *config)
-{
- config->skip_private_key_check = 1;
-}
-
-void
-tls_config_use_fake_private_key(struct tls_config *config)
-{
- config->use_fake_private_key = 1;
- config->skip_private_key_check = 1;
-}
-
int
tls_config_set_ocsp_staple_file(struct tls_config *config, const char *staple_file)
{
diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h
index 5ff48ed7c97..010f6dc8593 100644
--- a/lib/libtls/tls_internal.h
+++ b/lib/libtls/tls_internal.h
@@ -26,6 +26,13 @@
#include <openssl/ssl.h>
+/* XXX these symbols are not fully hidden so relayd can use them. */
+typedef int (*tls_sign_cb)(void *_cb_arg, const char *_pubkey_hash,
+ const uint8_t *_input, size_t _input_len, int _padding_type,
+ uint8_t **_out_signature, size_t *_out_signature_len);
+int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
+ void *_cb_arg);
+
__BEGIN_HIDDEN_DECLS
#ifndef TLS_DEFAULT_CA_FILE
@@ -79,9 +86,17 @@ struct tls_ticket_key {
time_t time;
};
-typedef int (*tls_sign_cb)(void *_cb_arg, const char *_pubkey_hash,
- const uint8_t *_input, size_t _input_len, int _padding_type,
- uint8_t **_out_signature, size_t *_out_signature_len);
+struct tls_signer_key {
+ char *hash;
+ RSA *rsa;
+ EC_KEY *ecdsa;
+ struct tls_signer_key *next;
+};
+
+struct tls_signer {
+ struct tls_error error;
+ struct tls_signer_key *keys;
+};
struct tls_config {
struct tls_error error;
@@ -115,8 +130,6 @@ struct tls_config {
int verify_depth;
int verify_name;
int verify_time;
- int skip_private_key_check;
- int use_fake_private_key;
tls_sign_cb sign_cb;
void *sign_cb_arg;
};
@@ -191,6 +204,10 @@ struct tls {
char *servername;
int socket;
+ struct tls_signer *signer;
+ tls_sign_cb sign_cb;
+ void *sign_cb_arg;
+
SSL *ssl_conn;
SSL_CTX *ssl_ctx;
@@ -244,7 +261,7 @@ int tls_configure_server(struct tls *ctx);
int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx);
int tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
- struct tls_keypair *keypair, int required);
+ struct tls_keypair *keypair);
int tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify);
int tls_handshake_client(struct tls *ctx);
@@ -304,9 +321,6 @@ EC_KEY_METHOD *tls_signer_ecdsa_method(void);
#define TLS_PADDING_NONE 0
#define TLS_PADDING_RSA_PKCS1 1
-int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb,
- void *_cb_arg);
-
struct tls_signer* tls_signer_new(void);
void tls_signer_free(struct tls_signer * _signer);
const char *tls_signer_error(struct tls_signer * _signer);
@@ -314,14 +328,10 @@ int tls_signer_add_keypair_file(struct tls_signer *_signer,
const char *_cert_file, const char *_key_file);
int tls_signer_add_keypair_mem(struct tls_signer *_signer, const uint8_t *_cert,
size_t _cert_len, const uint8_t *_key, size_t _key_len);
-int tls_signer_sign(struct tls_signer *_signer, const char *_pubkey_hash,
+int tls_signer_sign(void *_cb_arg, const char *_pubkey_hash,
const uint8_t *_input, size_t _input_len, int _padding_type,
uint8_t **_out_signature, size_t *_out_signature_len);
__END_HIDDEN_DECLS
-/* XXX this function is not fully hidden so relayd can use it */
-void tls_config_skip_private_key_check(struct tls_config *config);
-void tls_config_use_fake_private_key(struct tls_config *config);
-
#endif /* HEADER_TLS_INTERNAL_H */
diff --git a/lib/libtls/tls_server.c b/lib/libtls/tls_server.c
index a94b4221ed6..f713fbeff04 100644
--- a/lib/libtls/tls_server.c
+++ b/lib/libtls/tls_server.c
@@ -254,7 +254,7 @@ tls_configure_server_ssl(struct tls *ctx, SSL_CTX **ssl_ctx,
if (tls_configure_ssl(ctx, *ssl_ctx) != 0)
goto err;
- if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair, 1) != 0)
+ if (tls_configure_ssl_keypair(ctx, *ssl_ctx, keypair) != 0)
goto err;
if (ctx->config->verify_client != 0) {
int verify = SSL_VERIFY_PEER;
diff --git a/lib/libtls/tls_signer.c b/lib/libtls/tls_signer.c
index d423b3b1c82..ee68c123cd3 100644
--- a/lib/libtls/tls_signer.c
+++ b/lib/libtls/tls_signer.c
@@ -24,18 +24,6 @@
#include "tls.h"
#include "tls_internal.h"
-struct tls_signer_key {
- char *hash;
- RSA *rsa;
- EC_KEY *ecdsa;
- struct tls_signer_key *next;
-};
-
-struct tls_signer {
- struct tls_error error;
- struct tls_signer_key *keys;
-};
-
static pthread_mutex_t signer_method_lock = PTHREAD_MUTEX_INITIALIZER;
struct tls_signer *
@@ -283,10 +271,11 @@ tls_sign_ecdsa(struct tls_signer *signer, struct tls_signer_key *skey,
}
int
-tls_signer_sign(struct tls_signer *signer, const char *pubkey_hash,
+tls_signer_sign(void *cb_arg, const char *pubkey_hash,
const uint8_t *input, size_t input_len, int padding_type,
uint8_t **out_signature, size_t *out_signature_len)
{
+ struct tls_signer *signer = cb_arg;
struct tls_signer_key *skey;
*out_signature = NULL;
@@ -318,7 +307,7 @@ static int
tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
RSA *rsa, int rsa_padding)
{
- struct tls_config *config;
+ struct tls *ctx = NULL;
uint8_t *signature = NULL;
size_t signature_len = 0;
const char *pubkey_hash;
@@ -331,9 +320,9 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
*/
pubkey_hash = RSA_get_ex_data(rsa, 0);
- config = RSA_get_ex_data(rsa, 1);
+ ctx = RSA_get_ex_data(rsa, 1);
- if (pubkey_hash == NULL || config == NULL)
+ if (pubkey_hash == NULL || ctx == NULL)
goto err;
if (rsa_padding == RSA_NO_PADDING) {
@@ -347,7 +336,7 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to,
if (from_len < 0)
goto err;
- if (config->sign_cb(config->sign_cb_arg, pubkey_hash, from, from_len,
+ if (ctx->sign_cb(ctx->sign_cb_arg, pubkey_hash, from, from_len,
padding_type, &signature, &signature_len) == -1)
goto err;
@@ -391,7 +380,7 @@ static ECDSA_SIG *
tls_ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
const BIGNUM *rp, EC_KEY *eckey)
{
- struct tls_config *config;
+ struct tls *ctx = NULL;
ECDSA_SIG *ecdsa_sig = NULL;
uint8_t *signature = NULL;
size_t signature_len = 0;
@@ -404,15 +393,15 @@ tls_ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *inv,
*/
pubkey_hash = EC_KEY_get_ex_data(eckey, 0);
- config = EC_KEY_get_ex_data(eckey, 1);
+ ctx = EC_KEY_get_ex_data(eckey, 1);
- if (pubkey_hash == NULL || config == NULL)
+ if (pubkey_hash == NULL || ctx == NULL)
goto err;
if (dgst_len < 0)
goto err;
- if (config->sign_cb(config->sign_cb_arg, pubkey_hash, dgst, dgst_len,
+ if (ctx->sign_cb(ctx->sign_cb_arg, pubkey_hash, dgst, dgst_len,
TLS_PADDING_NONE, &signature, &signature_len) == -1)
goto err;
libtls: a step towards privsep by default