summary refs log tree commit diff
path: root/tls.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--tls.c25
1 files changed, 21 insertions, 4 deletions
diff --git a/tls.c b/tls.c
index fabf790..1dcf933 100644
--- a/tls.c
+++ b/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.90 2021/10/02 09:46:48 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.94 2022/02/08 19:13:50 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -448,6 +448,8 @@ tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pke
 static int
 tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey)
 {
+	RSA_METHOD *rsa_method;
+	ECDSA_METHOD *ecdsa_method;
 	RSA *rsa = NULL;
 	EC_KEY *eckey = NULL;
 	int ret = -1;
@@ -468,6 +470,14 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 			tls_set_errorx(ctx, "RSA key setup failure");
 			goto err;
 		}
+		if (ctx->config->sign_cb == NULL)
+			break;
+		if ((rsa_method = tls_signer_rsa_method()) == NULL ||
+		    RSA_set_ex_data(rsa, 1, ctx->config) == 0 ||
+		    RSA_set_method(rsa, rsa_method) == 0) {
+			tls_set_errorx(ctx, "failed to setup RSA key");
+			goto err;
+		}
 		break;
 	case EVP_PKEY_EC:
 		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
@@ -475,6 +485,14 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p
 			tls_set_errorx(ctx, "EC key setup failure");
 			goto err;
 		}
+		if (ctx->config->sign_cb == NULL)
+			break;
+		if ((ecdsa_method = tls_signer_ecdsa_method()) == NULL ||
+		    ECDSA_set_ex_data(eckey, 1, ctx->config) == 0 ||
+		    ECDSA_set_method(eckey, ecdsa_method) == 0) {
+			tls_set_errorx(ctx, "failed to setup EC key");
+			goto err;
+		}
 		break;
 	default:
 		tls_set_errorx(ctx, "incorrect key type");
@@ -731,9 +749,8 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 				tls_set_error(ctx, "failed to add crl");
 				goto err;
 			}
-			xi->crl = NULL;
 		}
-		X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store),
+		X509_STORE_set_flags(store,
 		    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
 	}
 
@@ -849,7 +866,7 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
 	case SSL_ERROR_WANT_ACCEPT:
 	case SSL_ERROR_WANT_X509_LOOKUP:
 	default:
-		tls_set_ssl_errorx(ctx, "%s failed (%i)", prefix, ssl_err);
+		tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err);
 		return (-1);
 	}
 }