summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl.c
diff options
context:
space:
mode:
authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-06-27 13:56:16 +0200
commit749384a154025e268b53cf3cc79eaeddde2b3ceb (patch)
tree27baa9e6aec76635d750405d90cd461440a656d1 /src/openvpn/ssl.c
parentdb4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff)
initial stretch branch release 2.4.0-6
Diffstat (limited to 'src/openvpn/ssl.c')
-rw-r--r--src/openvpn/ssl.c125
1 files changed, 33 insertions, 92 deletions
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 15cd94a..d94a421 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -18,9 +18,10 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/**
@@ -268,12 +269,10 @@ static void
key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
const tls_cipher_name_pair *
-tls_get_cipher_name_pair(const char *cipher_name, size_t len)
-{
+tls_get_cipher_name_pair(const char *cipher_name, size_t len) {
const tls_cipher_name_pair *pair = tls_cipher_name_translation_table;
- while (pair->openssl_name != NULL)
- {
+ while (pair->openssl_name != NULL) {
if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
|| (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
{
@@ -451,8 +450,6 @@ ssl_set_auth_nocache(void)
{
passbuf.nocache = true;
auth_user_pass.nocache = true;
- /* wait for push-reply, because auth-token may invert nocache */
- auth_user_pass.wait_for_push = true;
}
/*
@@ -461,14 +458,6 @@ ssl_set_auth_nocache(void)
void
ssl_set_auth_token(const char *token)
{
- if (auth_user_pass.nocache)
- {
- msg(M_INFO,
- "auth-token received, disabling auth-nocache for the "
- "authentication token");
- auth_user_pass.nocache = false;
- }
-
set_auth_token(&auth_user_pass, token);
}
@@ -580,12 +569,12 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
* Note: Windows does not support tv_nsec.
*/
if ((ssl_ctx->crl_last_size == crl_stat.st_size)
- && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
+ && (ssl_ctx->crl_last_mtime.tv_sec == crl_stat.st_mtime))
{
return;
}
- ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
+ ssl_ctx->crl_last_mtime.tv_sec = crl_stat.st_mtime;
ssl_ctx->crl_last_size = crl_stat.st_size;
backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
}
@@ -1072,9 +1061,7 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session)
/* Randomize session # if it is 0 */
while (!session_id_defined(&session->session_id))
- {
session_id_random(&session->session_id);
- }
/* Are we a TLS server or client? */
ASSERT(session->opt->key_method >= 1);
@@ -1136,9 +1123,7 @@ tls_session_free(struct tls_session *session, bool clear)
free_buf(&session->tls_wrap.work);
for (i = 0; i < KS_SIZE; ++i)
- {
key_state_free(&session->key[i], false);
- }
if (session->common_name)
{
@@ -1195,8 +1180,7 @@ reset_session(struct tls_multi *multi, struct tls_session *session)
* called again.
*/
static inline void
-compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
-{
+compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now) {
if (seconds_from_now < *earliest)
{
*earliest = seconds_from_now;
@@ -1366,9 +1350,7 @@ tls_multi_free(struct tls_multi *multi, bool clear)
free(multi->remote_ciphername);
for (i = 0; i < TM_SIZE; ++i)
- {
tls_session_free(&multi->session[i], false);
- }
if (clear)
{
@@ -1616,8 +1598,8 @@ tls1_P_hash(const md_kt_t *md_kt,
{
struct gc_arena gc = gc_new();
int chunk;
- hmac_ctx_t *ctx;
- hmac_ctx_t *ctx_tmp;
+ hmac_ctx_t ctx;
+ hmac_ctx_t ctx_tmp;
uint8_t A1[MAX_HMAC_KEY_LENGTH];
unsigned int A1_len;
@@ -1626,8 +1608,8 @@ tls1_P_hash(const md_kt_t *md_kt,
const uint8_t *out_orig = out;
#endif
- ctx = hmac_ctx_new();
- ctx_tmp = hmac_ctx_new();
+ CLEAR(ctx);
+ CLEAR(ctx_tmp);
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
@@ -1635,38 +1617,36 @@ tls1_P_hash(const md_kt_t *md_kt,
chunk = md_kt_size(md_kt);
A1_len = md_kt_size(md_kt);
- hmac_ctx_init(ctx, sec, sec_len, md_kt);
- hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
+ hmac_ctx_init(&ctx, sec, sec_len, md_kt);
+ hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
- hmac_ctx_update(ctx,seed,seed_len);
- hmac_ctx_final(ctx, A1);
+ hmac_ctx_update(&ctx,seed,seed_len);
+ hmac_ctx_final(&ctx, A1);
for (;; )
{
- hmac_ctx_reset(ctx);
- hmac_ctx_reset(ctx_tmp);
- hmac_ctx_update(ctx,A1,A1_len);
- hmac_ctx_update(ctx_tmp,A1,A1_len);
- hmac_ctx_update(ctx,seed,seed_len);
+ hmac_ctx_reset(&ctx);
+ hmac_ctx_reset(&ctx_tmp);
+ hmac_ctx_update(&ctx,A1,A1_len);
+ hmac_ctx_update(&ctx_tmp,A1,A1_len);
+ hmac_ctx_update(&ctx,seed,seed_len);
if (olen > chunk)
{
- hmac_ctx_final(ctx, out);
+ hmac_ctx_final(&ctx, out);
out += chunk;
olen -= chunk;
- hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
+ hmac_ctx_final(&ctx_tmp, A1); /* calc the next A1 value */
}
else /* last one */
{
- hmac_ctx_final(ctx, A1);
+ hmac_ctx_final(&ctx, A1);
memcpy(out,A1,olen);
break;
}
}
- hmac_ctx_cleanup(ctx);
- hmac_ctx_free(ctx);
- hmac_ctx_cleanup(ctx_tmp);
- hmac_ctx_free(ctx_tmp);
+ hmac_ctx_cleanup(&ctx);
+ hmac_ctx_cleanup(&ctx_tmp);
secure_memzero(A1, sizeof(A1));
dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
@@ -1718,9 +1698,7 @@ tls1_PRF(const uint8_t *label,
tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
for (i = 0; i<olen; i++)
- {
out1[i] ^= out2[i];
- }
secure_memzero(out2, olen);
@@ -1870,8 +1848,7 @@ exit:
}
static void
-key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
-{
+key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len) {
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
/* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
@@ -1970,12 +1947,6 @@ tls_session_update_crypto_params(struct tls_session *session,
return false;
}
- if (strcmp(options->ciphername, session->opt->config_ciphername))
- {
- msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
- options->ciphername);
- }
-
init_key_type(&session->opt->key_type, options->ciphername,
options->authname, options->keysize, true, true);
@@ -2269,7 +2240,7 @@ push_peer_info(struct buffer *buf, struct tls_session *session)
buf_printf(&out, "IV_PLAT=mac\n");
#elif defined(TARGET_NETBSD)
buf_printf(&out, "IV_PLAT=netbsd\n");
-#elif defined(TARGET_FREEBSD)
+#elif defined(TARGET_FREEBSD) || defined(__FreeBSD_kernel__)
buf_printf(&out, "IV_PLAT=freebsd\n");
#elif defined(TARGET_ANDROID)
buf_printf(&out, "IV_PLAT=android\n");
@@ -2393,21 +2364,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session)
{
goto error;
}
- /* if auth-nocache was specified, the auth_user_pass object reaches
- * a "complete" state only after having received the push-reply
- * message.
- * This is the case because auth-token statement in a push-reply would
- * invert its nocache.
- *
- * For this reason, skip the purge operation here if no push-reply
- * message has been received yet.
- *
- * This normally happens upon first negotiation only.
- */
- if (!auth_user_pass.wait_for_push)
- {
- purge_user_pass(&auth_user_pass, false);
- }
+ purge_user_pass(&auth_user_pass, false);
}
else
{
@@ -2523,7 +2480,7 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
struct gc_arena gc = gc_new();
char *options;
- struct user_pass *up = NULL;
+ struct user_pass *up;
/* allocate temporary objects */
ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
@@ -2685,10 +2642,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio
error:
secure_memzero(ks->key_src, sizeof(*ks->key_src));
- if (up)
- {
- secure_memzero(up, sizeof(*up));
- }
buf_clear(buf);
gc_free(&gc);
return false;
@@ -2850,9 +2803,6 @@ tls_process(struct tls_multi *multi,
session->opt->crl_file, session->opt->crl_file_inline);
}
- /* New connection, remove any old X509 env variables */
- tls_x509_clear_env(session->opt->es);
-
dmsg(D_TLS_DEBUG_MED, "STATE S_START");
}
@@ -4106,8 +4056,7 @@ tls_peer_info_ncp_ver(const char *peer_info)
}
bool
-tls_check_ncp_cipher_list(const char *list)
-{
+tls_check_ncp_cipher_list(const char *list) {
bool unsupported_cipher_found = false;
ASSERT(list);
@@ -4250,16 +4199,8 @@ done:
return BSTR(&out);
}
-void
-delayed_auth_pass_purge(void)
-{
- auth_user_pass.wait_for_push = false;
- purge_user_pass(&auth_user_pass, false);
-}
-
#else /* if defined(ENABLE_CRYPTO) */
static void
-dummy(void)
-{
+dummy(void) {
}
#endif /* ENABLE_CRYPTO */