1 /**
2 * @file openssl/tls.c TLS backend using OpenSSL
3 *
4 * Copyright (C) 2010 Creytiv.com
5 */
6 #include <string.h>
7 #include <openssl/ssl.h>
8 #include <openssl/err.h>
9 #include <openssl/rsa.h>
10 #include <openssl/bn.h>
11 #include <openssl/evp.h>
12 #include <openssl/x509.h>
13 #include <re_types.h>
14 #include <re_fmt.h>
15 #include <re_mem.h>
16 #include <re_mbuf.h>
17 #include <re_main.h>
18 #include <re_sa.h>
19 #include <re_net.h>
20 #include <re_srtp.h>
21 #include <re_sys.h>
22 #include <re_tcp.h>
23 #include <re_tls.h>
24 #include "tls.h"
25
26
27 /* also defined by wincrypt.h */
28 #ifdef WIN32
29 #undef X509_NAME
30 #endif
31
32
33 #define DEBUG_MODULE "tls"
34 #define DEBUG_LEVEL 5
35 #include <re_dbg.h>
36
37
38 /* NOTE: shadow struct defined in tls_*.c */
39 struct tls_conn {
40 SSL *ssl;
41 };
42
43
destructor(void * data)44 static void destructor(void *data)
45 {
46 struct tls *tls = data;
47
48 if (tls->ctx)
49 SSL_CTX_free(tls->ctx);
50
51 if (tls->cert)
52 X509_free(tls->cert);
53
54 mem_deref(tls->pass);
55 }
56
57
58 /*The password code is not thread safe*/
password_cb(char * buf,int size,int rwflag,void * userdata)59 static int password_cb(char *buf, int size, int rwflag, void *userdata)
60 {
61 struct tls *tls = userdata;
62
63 (void)rwflag;
64
65 DEBUG_NOTICE("password callback\n");
66
67 if (size < (int)strlen(tls->pass)+1)
68 return 0;
69
70 strncpy(buf, tls->pass, size);
71
72 return (int)strlen(tls->pass);
73 }
74
75
keytype2int(enum tls_keytype type)76 static int keytype2int(enum tls_keytype type)
77 {
78 switch (type) {
79 case TLS_KEYTYPE_EC:
80 return EVP_PKEY_EC;
81 case TLS_KEYTYPE_RSA:
82 return EVP_PKEY_RSA;
83 default:
84 return EVP_PKEY_NONE;
85 }
86 }
87
88
89 /**
90 * Allocate a new TLS context
91 *
92 * @param tlsp Pointer to allocated TLS context
93 * @param method TLS method
94 * @param keyfile Optional private key file
95 * @param pwd Optional password
96 *
97 * @return 0 if success, otherwise errorcode
98 */
tls_alloc(struct tls ** tlsp,enum tls_method method,const char * keyfile,const char * pwd)99 int tls_alloc(struct tls **tlsp, enum tls_method method, const char *keyfile,
100 const char *pwd)
101 {
102 struct tls *tls;
103 int r, err;
104
105 if (!tlsp)
106 return EINVAL;
107
108 tls = mem_zalloc(sizeof(*tls), destructor);
109 if (!tls)
110 return ENOMEM;
111
112 switch (method) {
113
114 case TLS_METHOD_SSLV23:
115 tls->ctx = SSL_CTX_new(SSLv23_method());
116 break;
117
118 #ifdef USE_OPENSSL_DTLS
119 case TLS_METHOD_DTLSV1:
120 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
121 !defined(LIBRESSL_VERSION_NUMBER)
122
123 tls->ctx = SSL_CTX_new(DTLS_method());
124 #else
125 tls->ctx = SSL_CTX_new(DTLSv1_method());
126 #endif
127 break;
128
129 #ifdef SSL_OP_NO_DTLSv1_2
130 /* DTLS v1.2 is available in OpenSSL 1.0.2 and later */
131
132 case TLS_METHOD_DTLS:
133 tls->ctx = SSL_CTX_new(DTLS_method());
134 break;
135
136 case TLS_METHOD_DTLSV1_2:
137 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
138 !defined(LIBRESSL_VERSION_NUMBER)
139
140 tls->ctx = SSL_CTX_new(DTLS_method());
141 #else
142 tls->ctx = SSL_CTX_new(DTLSv1_2_method());
143 #endif
144 break;
145 #endif
146
147 #endif
148
149 default:
150 DEBUG_WARNING("tls method %d not supported\n", method);
151 err = ENOSYS;
152 goto out;
153 }
154
155 if (!tls->ctx) {
156 ERR_clear_error();
157 err = ENOMEM;
158 goto out;
159 }
160
161 #if (OPENSSL_VERSION_NUMBER < 0x00905100L)
162 SSL_CTX_set_verify_depth(tls->ctx, 1);
163 #endif
164
165 /* Load our keys and certificates */
166 if (keyfile) {
167 if (pwd) {
168 err = str_dup(&tls->pass, pwd);
169 if (err)
170 goto out;
171
172 SSL_CTX_set_default_passwd_cb(tls->ctx, password_cb);
173 SSL_CTX_set_default_passwd_cb_userdata(tls->ctx, tls);
174 }
175
176 r = SSL_CTX_use_certificate_chain_file(tls->ctx, keyfile);
177 if (r <= 0) {
178 DEBUG_WARNING("Can't read certificate file: %s (%d)\n",
179 keyfile, r);
180 ERR_clear_error();
181 err = EINVAL;
182 goto out;
183 }
184
185 r = SSL_CTX_use_PrivateKey_file(tls->ctx, keyfile,
186 SSL_FILETYPE_PEM);
187 if (r <= 0) {
188 DEBUG_WARNING("Can't read key file: %s (%d)\n",
189 keyfile, r);
190 ERR_clear_error();
191 err = EINVAL;
192 goto out;
193 }
194 }
195
196 err = 0;
197 out:
198 if (err)
199 mem_deref(tls);
200 else
201 *tlsp = tls;
202
203 return err;
204 }
205
206
207 /**
208 * Set default locations for trusted CA certificates
209 *
210 * @param tls TLS Context
211 * @param capath Path to CA certificates
212 *
213 * @return 0 if success, otherwise errorcode
214 */
tls_add_ca(struct tls * tls,const char * capath)215 int tls_add_ca(struct tls *tls, const char *capath)
216 {
217 if (!tls || !capath)
218 return EINVAL;
219
220 /* Load the CAs we trust */
221 if (!(SSL_CTX_load_verify_locations(tls->ctx, capath, 0))) {
222 DEBUG_WARNING("Can't read CA list: %s\n", capath);
223 ERR_clear_error();
224 return EINVAL;
225 }
226
227 return 0;
228 }
229
230
231 /**
232 * Generate and set selfsigned certificate on TLS context
233 *
234 * @param tls TLS Context
235 * @param cn Common Name
236 *
237 * @return 0 if success, otherwise errorcode
238 */
tls_set_selfsigned(struct tls * tls,const char * cn)239 int tls_set_selfsigned(struct tls *tls, const char *cn)
240 {
241 X509_NAME *subj = NULL;
242 EVP_PKEY *key = NULL;
243 X509 *cert = NULL;
244 BIGNUM *bn = NULL;
245 RSA *rsa = NULL;
246 int r, err = ENOMEM;
247
248 if (!tls || !cn)
249 return EINVAL;
250
251 rsa = RSA_new();
252 if (!rsa)
253 goto out;
254
255 bn = BN_new();
256 if (!bn)
257 goto out;
258
259 BN_set_word(bn, RSA_F4);
260 if (!RSA_generate_key_ex(rsa, 1024, bn, NULL))
261 goto out;
262
263 key = EVP_PKEY_new();
264 if (!key)
265 goto out;
266
267 if (!EVP_PKEY_set1_RSA(key, rsa))
268 goto out;
269
270 cert = X509_new();
271 if (!cert)
272 goto out;
273
274 if (!X509_set_version(cert, 2))
275 goto out;
276
277 if (!ASN1_INTEGER_set(X509_get_serialNumber(cert), rand_u32()))
278 goto out;
279
280 subj = X509_NAME_new();
281 if (!subj)
282 goto out;
283
284 if (!X509_NAME_add_entry_by_txt(subj, "CN", MBSTRING_ASC,
285 (unsigned char *)cn,
286 (int)strlen(cn), -1, 0))
287 goto out;
288
289 if (!X509_set_issuer_name(cert, subj) ||
290 !X509_set_subject_name(cert, subj))
291 goto out;
292
293 if (!X509_gmtime_adj(X509_get_notBefore(cert), -3600*24*365) ||
294 !X509_gmtime_adj(X509_get_notAfter(cert), 3600*24*365*10))
295 goto out;
296
297 if (!X509_set_pubkey(cert, key))
298 goto out;
299
300 if (!X509_sign(cert, key, EVP_sha1()))
301 goto out;
302
303 r = SSL_CTX_use_certificate(tls->ctx, cert);
304 if (r != 1)
305 goto out;
306
307 r = SSL_CTX_use_PrivateKey(tls->ctx, key);
308 if (r != 1)
309 goto out;
310
311 if (tls->cert)
312 X509_free(tls->cert);
313
314 tls->cert = cert;
315 cert = NULL;
316
317 err = 0;
318
319 out:
320 if (subj)
321 X509_NAME_free(subj);
322
323 if (cert)
324 X509_free(cert);
325
326 if (key)
327 EVP_PKEY_free(key);
328
329 if (rsa)
330 RSA_free(rsa);
331
332 if (bn)
333 BN_free(bn);
334
335 if (err)
336 ERR_clear_error();
337
338 return err;
339 }
340
341
342 /**
343 * Set the certificate and private key on a TLS context
344 *
345 * @param tls TLS Context
346 * @param cert Certificate in PEM format
347 * @param len_cert Length of certificate PEM string
348 * @param key Private key in PEM format, will be read from cert if NULL
349 * @param len_key Length of private key PEM string
350 *
351 * @return 0 if success, otherwise errorcode
352 */
tls_set_certificate_pem(struct tls * tls,const char * cert,size_t len_cert,const char * key,size_t len_key)353 int tls_set_certificate_pem(struct tls *tls, const char *cert, size_t len_cert,
354 const char *key, size_t len_key)
355 {
356 BIO *bio = NULL, *kbio = NULL;
357 X509 *x509 = NULL;
358 EVP_PKEY *pkey = NULL;
359 int r, err = ENOMEM;
360
361 if (!tls || !cert || !len_cert || (key && !len_key))
362 return EINVAL;
363
364 if (!key) {
365 key = cert;
366 len_key = len_cert;
367 }
368
369 bio = BIO_new_mem_buf((char *)cert, (int)len_cert);
370 kbio = BIO_new_mem_buf((char *)key, (int)len_key);
371 if (!bio || !kbio)
372 goto out;
373
374 x509 = PEM_read_bio_X509(bio, NULL, 0, NULL);
375 pkey = PEM_read_bio_PrivateKey(kbio, NULL, 0, NULL);
376 if (!x509 || !pkey)
377 goto out;
378
379 r = SSL_CTX_use_certificate(tls->ctx, x509);
380 if (r != 1)
381 goto out;
382
383 r = SSL_CTX_use_PrivateKey(tls->ctx, pkey);
384 if (r != 1) {
385 DEBUG_WARNING("set_certificate_pem: use_PrivateKey failed\n");
386 goto out;
387 }
388
389 if (tls->cert)
390 X509_free(tls->cert);
391
392 tls->cert = x509;
393 x509 = NULL;
394
395 err = 0;
396
397 out:
398 if (x509)
399 X509_free(x509);
400 if (pkey)
401 EVP_PKEY_free(pkey);
402 if (bio)
403 BIO_free(bio);
404 if (kbio)
405 BIO_free(kbio);
406 if (err)
407 ERR_clear_error();
408
409 return err;
410 }
411
412
413 /**
414 * Set the certificate and private key on a TLS context
415 *
416 * @param tls TLS Context
417 * @param keytype Private key type
418 * @param cert Certificate in DER format
419 * @param len_cert Length of certificate DER bytes
420 * @param key Private key in DER format, will be read from cert if NULL
421 * @param len_key Length of private key DER bytes
422 *
423 * @return 0 if success, otherwise errorcode
424 */
tls_set_certificate_der(struct tls * tls,enum tls_keytype keytype,const uint8_t * cert,size_t len_cert,const uint8_t * key,size_t len_key)425 int tls_set_certificate_der(struct tls *tls, enum tls_keytype keytype,
426 const uint8_t *cert, size_t len_cert,
427 const uint8_t *key, size_t len_key)
428 {
429 const uint8_t *buf_cert;
430 X509 *x509 = NULL;
431 EVP_PKEY *pkey = NULL;
432 int r, type, err = ENOMEM;
433
434 if (!tls || !cert || !len_cert || (key && !len_key))
435 return EINVAL;
436
437 type = keytype2int(keytype);
438 if (type == EVP_PKEY_NONE)
439 return EINVAL;
440
441 buf_cert = cert;
442
443 x509 = d2i_X509(NULL, &buf_cert, len_cert);
444 if (!x509)
445 goto out;
446
447 if (!key) {
448 key = buf_cert;
449 len_key = len_cert - (buf_cert - cert);
450 }
451
452 pkey = d2i_PrivateKey(type, NULL, &key, len_key);
453 if (!pkey)
454 goto out;
455
456 r = SSL_CTX_use_certificate(tls->ctx, x509);
457 if (r != 1)
458 goto out;
459
460 r = SSL_CTX_use_PrivateKey(tls->ctx, pkey);
461 if (r != 1) {
462 DEBUG_WARNING("set_certificate_der: use_PrivateKey failed\n");
463 goto out;
464 }
465
466 if (tls->cert)
467 X509_free(tls->cert);
468
469 tls->cert = x509;
470 x509 = NULL;
471
472 err = 0;
473
474 out:
475 if (x509)
476 X509_free(x509);
477 if (pkey)
478 EVP_PKEY_free(pkey);
479 if (err)
480 ERR_clear_error();
481
482 return err;
483 }
484
485
486 /**
487 * Set the certificate and private key on a TLS context
488 *
489 * @param tls TLS Context
490 * @param pem Certificate and private key in PEM format
491 * @param len Length of PEM string
492 *
493 * @return 0 if success, otherwise errorcode
494 */
tls_set_certificate(struct tls * tls,const char * pem,size_t len)495 int tls_set_certificate(struct tls *tls, const char *pem, size_t len)
496 {
497 return tls_set_certificate_pem(tls, pem, len, NULL, 0);
498 }
499
500
verify_handler(int ok,X509_STORE_CTX * ctx)501 static int verify_handler(int ok, X509_STORE_CTX *ctx)
502 {
503 (void)ok;
504 (void)ctx;
505
506 return 1; /* We trust the certificate from peer */
507 }
508
509
510 /**
511 * Set TLS server context to request certificate from client
512 *
513 * @param tls TLS Context
514 */
tls_set_verify_client(struct tls * tls)515 void tls_set_verify_client(struct tls *tls)
516 {
517 if (!tls)
518 return;
519
520 SSL_CTX_set_verify_depth(tls->ctx, 0);
521 SSL_CTX_set_verify(tls->ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
522 verify_handler);
523 }
524
525
526 /**
527 * Set SRTP suites on TLS context
528 *
529 * @param tls TLS Context
530 * @param suites Secure-RTP Profiles
531 *
532 * @return 0 if success, otherwise errorcode
533 */
tls_set_srtp(struct tls * tls,const char * suites)534 int tls_set_srtp(struct tls *tls, const char *suites)
535 {
536 #ifdef USE_OPENSSL_SRTP
537 if (!tls || !suites)
538 return EINVAL;
539
540 if (0 != SSL_CTX_set_tlsext_use_srtp(tls->ctx, suites)) {
541 ERR_clear_error();
542 return ENOSYS;
543 }
544
545 return 0;
546 #else
547 (void)tls;
548 (void)suites;
549
550 return ENOSYS;
551 #endif
552 }
553
554
cert_fingerprint(X509 * cert,enum tls_fingerprint type,uint8_t * md,size_t size)555 static int cert_fingerprint(X509 *cert, enum tls_fingerprint type,
556 uint8_t *md, size_t size)
557 {
558 unsigned int len = (unsigned int)size;
559 int n;
560
561 switch (type) {
562
563 case TLS_FINGERPRINT_SHA1:
564 if (size < 20)
565 return EOVERFLOW;
566
567 n = X509_digest(cert, EVP_sha1(), md, &len);
568 break;
569
570 case TLS_FINGERPRINT_SHA256:
571 if (size < 32)
572 return EOVERFLOW;
573
574 n = X509_digest(cert, EVP_sha256(), md, &len);
575 break;
576
577 default:
578 return ENOSYS;
579 }
580
581 if (n != 1) {
582 ERR_clear_error();
583 return ENOENT;
584 }
585
586 return 0;
587 }
588
589
590 /**
591 * Get fingerprint of local certificate
592 *
593 * @param tls TLS Context
594 * @param type Digest type
595 * @param md Buffer for fingerprint digest
596 * @param size Buffer size
597 *
598 * @return 0 if success, otherwise errorcode
599 */
tls_fingerprint(const struct tls * tls,enum tls_fingerprint type,uint8_t * md,size_t size)600 int tls_fingerprint(const struct tls *tls, enum tls_fingerprint type,
601 uint8_t *md, size_t size)
602 {
603 if (!tls || !tls->cert || !md)
604 return EINVAL;
605
606 return cert_fingerprint(tls->cert, type, md, size);
607 }
608
609
610 /**
611 * Get fingerprint of peer certificate of a TLS connection
612 *
613 * @param tc TLS Connection
614 * @param type Digest type
615 * @param md Buffer for fingerprint digest
616 * @param size Buffer size
617 *
618 * @return 0 if success, otherwise errorcode
619 */
tls_peer_fingerprint(const struct tls_conn * tc,enum tls_fingerprint type,uint8_t * md,size_t size)620 int tls_peer_fingerprint(const struct tls_conn *tc, enum tls_fingerprint type,
621 uint8_t *md, size_t size)
622 {
623 X509 *cert;
624 int err;
625
626 if (!tc || !md)
627 return EINVAL;
628
629 cert = SSL_get_peer_certificate(tc->ssl);
630 if (!cert)
631 return ENOENT;
632
633 err = cert_fingerprint(cert, type, md, size);
634
635 X509_free(cert);
636
637 return err;
638 }
639
640
641 /**
642 * Get common name of peer certificate of a TLS connection
643 *
644 * @param tc TLS Connection
645 * @param cn Returned common name
646 * @param size Size of common name
647 *
648 * @return 0 if success, otherwise errorcode
649 */
tls_peer_common_name(const struct tls_conn * tc,char * cn,size_t size)650 int tls_peer_common_name(const struct tls_conn *tc, char *cn, size_t size)
651 {
652 X509 *cert;
653 int n;
654
655 if (!tc || !cn || !size)
656 return EINVAL;
657
658 cert = SSL_get_peer_certificate(tc->ssl);
659 if (!cert)
660 return ENOENT;
661
662 n = X509_NAME_get_text_by_NID(X509_get_subject_name(cert),
663 NID_commonName, cn, (int)size);
664
665 X509_free(cert);
666
667 if (n < 0) {
668 ERR_clear_error();
669 return ENOENT;
670 }
671
672 return 0;
673 }
674
675
676 /**
677 * Verify peer certificate of a TLS connection
678 *
679 * @param tc TLS Connection
680 *
681 * @return 0 if verified, otherwise errorcode
682 */
tls_peer_verify(const struct tls_conn * tc)683 int tls_peer_verify(const struct tls_conn *tc)
684 {
685 if (!tc)
686 return EINVAL;
687
688 if (SSL_get_verify_result(tc->ssl) != X509_V_OK)
689 return EAUTH;
690
691 return 0;
692 }
693
694
695 /**
696 * Get SRTP suite and keying material of a TLS connection
697 *
698 * @param tc TLS Connection
699 * @param suite Returned SRTP suite
700 * @param cli_key Client key
701 * @param cli_key_size Client key size
702 * @param srv_key Server key
703 * @param srv_key_size Server key size
704 *
705 * @return 0 if success, otherwise errorcode
706 */
tls_srtp_keyinfo(const struct tls_conn * tc,enum srtp_suite * suite,uint8_t * cli_key,size_t cli_key_size,uint8_t * srv_key,size_t srv_key_size)707 int tls_srtp_keyinfo(const struct tls_conn *tc, enum srtp_suite *suite,
708 uint8_t *cli_key, size_t cli_key_size,
709 uint8_t *srv_key, size_t srv_key_size)
710 {
711 #ifdef USE_OPENSSL_SRTP
712 static const char *label = "EXTRACTOR-dtls_srtp";
713 size_t key_size, salt_size, size;
714 SRTP_PROTECTION_PROFILE *sel;
715 uint8_t keymat[256], *p;
716
717 if (!tc || !suite || !cli_key || !srv_key)
718 return EINVAL;
719
720 sel = SSL_get_selected_srtp_profile(tc->ssl);
721 if (!sel)
722 return ENOENT;
723
724 switch (sel->id) {
725
726 case SRTP_AES128_CM_SHA1_80:
727 *suite = SRTP_AES_CM_128_HMAC_SHA1_80;
728 key_size = 16;
729 salt_size = 14;
730 break;
731
732 case SRTP_AES128_CM_SHA1_32:
733 *suite = SRTP_AES_CM_128_HMAC_SHA1_32;
734 key_size = 16;
735 salt_size = 14;
736 break;
737
738 default:
739 return ENOSYS;
740 }
741
742 size = key_size + salt_size;
743
744 if (cli_key_size < size || srv_key_size < size)
745 return EOVERFLOW;
746
747 if (sizeof(keymat) < 2*size)
748 return EOVERFLOW;
749
750 if (1 != SSL_export_keying_material(tc->ssl, keymat, 2*size, label,
751 strlen(label), NULL, 0, 0)) {
752 ERR_clear_error();
753 return ENOENT;
754 }
755
756 p = keymat;
757
758 memcpy(cli_key, p, key_size); p += key_size;
759 memcpy(srv_key, p, key_size); p += key_size;
760 memcpy(cli_key + key_size, p, salt_size); p += salt_size;
761 memcpy(srv_key + key_size, p, salt_size);
762
763 return 0;
764 #else
765 (void)tc;
766 (void)suite;
767 (void)cli_key;
768 (void)cli_key_size;
769 (void)srv_key;
770 (void)srv_key_size;
771
772 return ENOSYS;
773 #endif
774 }
775
776
777 /**
778 * Get cipher name of a TLS connection
779 *
780 * @param tc TLS Connection
781 *
782 * @return name of cipher actually used.
783 */
tls_cipher_name(const struct tls_conn * tc)784 const char *tls_cipher_name(const struct tls_conn *tc)
785 {
786 if (!tc)
787 return NULL;
788
789 return SSL_get_cipher_name(tc->ssl);
790 }
791
792
793 /**
794 * Set the ciphers to use for this TLS context
795 *
796 * @param tls TLS Context
797 * @param cipherv Vector of cipher names, in order of priority
798 * @param count Number of cipher names in the vector
799 *
800 * @return 0 if success, otherwise errorcode
801 */
tls_set_ciphers(struct tls * tls,const char * cipherv[],size_t count)802 int tls_set_ciphers(struct tls *tls, const char *cipherv[], size_t count)
803 {
804 struct mbuf *mb;
805 int r, err;
806 size_t i;
807
808 if (!tls || !cipherv || !count)
809 return EINVAL;
810
811 mb = mbuf_alloc(32 * count);
812 if (!mb)
813 return ENOMEM;
814
815 for (i=0; i<count; i++) {
816
817 err = mbuf_printf(mb, "%s%s", i>0 ? ":" : "", cipherv[i]);
818 if (err)
819 goto out;
820 }
821
822 err = mbuf_write_u8(mb, '\0');
823 if (err)
824 goto out;
825
826 r = SSL_CTX_set_cipher_list(tls->ctx, (char *)mb->buf);
827 if (r <= 0) {
828 ERR_clear_error();
829 err = EPROTO;
830 goto out;
831 }
832
833 out:
834 mem_deref(mb);
835
836 return err;
837 }
838
839
840 /**
841 * Set the server name on a TLS Connection, using TLS SNI extension.
842 *
843 * @param tc TLS Connection
844 * @param servername Server name
845 *
846 * @return 0 if success, otherwise errorcode
847 */
tls_set_servername(struct tls_conn * tc,const char * servername)848 int tls_set_servername(struct tls_conn *tc, const char *servername)
849 {
850 if (!tc || !servername)
851 return EINVAL;
852
853 if (1 != SSL_set_tlsext_host_name(tc->ssl, servername)) {
854 DEBUG_WARNING("tls: SSL_set_tlsext_host_name error\n");
855 ERR_clear_error();
856 return EPROTO;
857 }
858
859 return 0;
860 }
861
862
print_error(const char * str,size_t len,void * unused)863 static int print_error(const char *str, size_t len, void *unused)
864 {
865 (void)unused;
866 DEBUG_WARNING("%b", str, len);
867
868 return 1;
869 }
870
871
tls_flush_error(void)872 void tls_flush_error(void)
873 {
874 ERR_print_errors_cb(print_error, NULL);
875 }
876
877
878 /**
879 * Get the backend-specific (OpenSSL) context
880 *
881 * @param tls Generic TLS Context
882 *
883 * @return OpenSSL context
884 */
tls_openssl_context(const struct tls * tls)885 struct ssl_ctx_st *tls_openssl_context(const struct tls *tls)
886 {
887 return tls ? tls->ctx : NULL;
888 }
889