diff options
author | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
commit | 749384a154025e268b53cf3cc79eaeddde2b3ceb (patch) | |
tree | 27baa9e6aec76635d750405d90cd461440a656d1 /src/openvpn/ssl_openssl.c | |
parent | db4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff) |
initial stretch branch release 2.4.0-6
Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r-- | src/openvpn/ssl_openssl.c | 107 |
1 files changed, 44 insertions, 63 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index e589dcd..eae1e22 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -44,7 +45,6 @@ #include "ssl_backend.h" #include "ssl_common.h" #include "base64.h" -#include "openssl_compat.h" #ifdef ENABLE_CRYPTOAPI #include "cryptoapi.h" @@ -321,8 +321,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) /* Translate IANA cipher suite names to OpenSSL names */ begin_of_cipher = end_of_cipher = 0; - for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) - { + for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) { end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":"); cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); @@ -354,8 +353,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) } /* Make sure new cipher name fits in cipher string */ - if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len - || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len)) + if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len) { msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).", @@ -509,18 +507,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name const EC_GROUP *ecgrp = NULL; EVP_PKEY *pkey = NULL; -#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - pkey = SSL_CTX_get0_privatekey(ctx->ctx); -#else /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */ - SSL *ssl = SSL_new(ctx->ctx); - if (!ssl) - { - crypto_msg(M_FATAL, "SSL_new failed"); - } - pkey = SSL_get_privatekey(ssl); - SSL_free(ssl); -#endif + SSL ssl; + ssl.cert = ctx->ctx->cert; + pkey = SSL_get_privatekey(&ssl); msg(D_TLS_DEBUG, "Extracting ECDH curve from private key"); @@ -659,8 +649,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, { for (i = 0; i < sk_X509_num(ca); i++) { - X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx); - if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i))) + if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i))) { crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)"); } @@ -762,9 +751,8 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx, goto end; } - x = PEM_read_bio_X509(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), - SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); + x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback, + ctx->ctx->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB); @@ -846,8 +834,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, } pkey = PEM_read_bio_PrivateKey(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), - SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); + ssl_ctx->default_passwd_callback, + ssl_ctx->default_passwd_callback_userdata); if (!pkey) { goto end; @@ -900,15 +888,15 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, /* Always start with a cleared CRL list, for that we * we need to manually find the CRL object from the stack * and remove it */ - STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store); - for (int i = 0; i < sk_X509_OBJECT_num(objs); i++) + for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) { - X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i); + X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i); ASSERT(obj); - if (X509_OBJECT_get_type(obj) == X509_LU_CRL) + if (obj->type == X509_LU_CRL) { - sk_X509_OBJECT_delete(objs, i); - X509_OBJECT_free(obj); + sk_X509_OBJECT_delete(store->objs, i); + X509_OBJECT_free_contents(obj); + OPENSSL_free(obj); } } @@ -976,13 +964,10 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i /* called at RSA_free */ static int -openvpn_extkey_rsa_finish(RSA *rsa) +rsa_finish(RSA *rsa) { - /* meth was allocated in tls_ctx_use_external_private_key() ; since - * this function is called when the parent RSA object is destroyed, - * it is no longer used after this point so kill it. */ - const RSA_METHOD *meth = RSA_get_method(rsa); - RSA_meth_free((RSA_METHOD *)meth); + free((void *)rsa->meth); + rsa->meth = NULL; return 1; } @@ -998,7 +983,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i if (padding != RSA_PKCS1_PADDING) { - RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); + RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); goto done; } @@ -1056,16 +1041,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, ASSERT(NULL != cert); /* allocate custom RSA method object */ - rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", - RSA_METHOD_FLAG_NO_CHECK); - check_malloc_return(rsa_meth); - RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc); - RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec); - RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc); - RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec); - RSA_meth_set_init(rsa_meth, NULL); - RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish); - RSA_meth_set0_app_data(rsa_meth, NULL); + ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD); + rsa_meth->name = "OpenVPN external private key RSA Method"; + rsa_meth->rsa_pub_enc = rsa_pub_enc; + rsa_meth->rsa_pub_dec = rsa_pub_dec; + rsa_meth->rsa_priv_enc = rsa_priv_enc; + rsa_meth->rsa_priv_dec = rsa_priv_dec; + rsa_meth->init = NULL; + rsa_meth->finish = rsa_finish; + rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK; + rsa_meth->app_data = NULL; /* allocate RSA object */ rsa = RSA_new(); @@ -1076,16 +1061,12 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, } /* get the public key */ - EVP_PKEY *pkey = X509_get0_pubkey(cert); - ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ - pub_rsa = EVP_PKEY_get0_RSA(pkey); + ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */ + pub_rsa = cert->cert_info->key->pkey->pkey.rsa; /* initialize RSA object */ - const BIGNUM *n = NULL; - const BIGNUM *e = NULL; - RSA_get0_key(pub_rsa, &n, &e, NULL); - RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL); - RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); + rsa->n = BN_dup(pub_rsa->n); + rsa->flags |= RSA_FLAG_EXT_PKEY; if (!RSA_set_method(rsa, rsa_meth)) { goto err; @@ -1686,17 +1667,17 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix) EVP_PKEY *pkey = X509_get_pubkey(cert); if (pkey != NULL) { - if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL) + if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL + && pkey->pkey.rsa->n != NULL) { - RSA *rsa = EVP_PKEY_get0_RSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", - RSA_bits(rsa)); + BN_num_bits(pkey->pkey.rsa->n)); } - else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL) + else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL + && pkey->pkey.dsa->p != NULL) { - DSA *dsa = EVP_PKEY_get0_DSA(pkey); openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA", - DSA_bits(dsa)); + BN_num_bits(pkey->pkey.dsa->p)); } EVP_PKEY_free(pkey); } |