summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl_polarssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openvpn/ssl_polarssl.c')
-rw-r--r--src/openvpn/ssl_polarssl.c136
1 files changed, 89 insertions, 47 deletions
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index 0dfffd6..30c7395 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -40,6 +40,7 @@
#include "errlevel.h"
#include "ssl_backend.h"
+#include "base64.h"
#include "buffer.h"
#include "misc.h"
#include "manage.h"
@@ -49,7 +50,9 @@
#include <polarssl/havege.h>
#include "ssl_verify_polarssl.h"
+#include <polarssl/error.h>
#include <polarssl/pem.h>
+#include <polarssl/version.h>
void
tls_init_lib()
@@ -204,12 +207,13 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
- const char *dh_file_inline
+ const char *dh_inline
)
{
- if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
+ if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
{
- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
+ if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
+ strlen(dh_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
@@ -242,15 +246,15 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
void
tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
- const char *cert_file_inline
+ const char *cert_inline
)
{
ASSERT(NULL != ctx);
- if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
+ if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
{
- if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
- strlen(cert_file_inline)))
+ if (0 != x509parse_crt(ctx->crt_chain,
+ (const unsigned char *) cert_inline, strlen(cert_inline)))
msg (M_FATAL, "Cannot load inline certificate file");
}
else
@@ -262,30 +266,30 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
int
tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
- const char *priv_key_file_inline
+ const char *priv_key_inline
)
{
int status;
ASSERT(NULL != ctx);
- if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
+ if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline)
{
status = x509parse_key(ctx->priv_key,
- priv_key_file_inline, strlen(priv_key_file_inline),
+ (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
NULL, 0);
- if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
{
char passbuf[512] = {0};
pem_password_callback(passbuf, 512, 0, NULL);
status = x509parse_key(ctx->priv_key,
- priv_key_file_inline, strlen(priv_key_file_inline),
- passbuf, strlen(passbuf));
+ (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
+ (const unsigned char *) passbuf, strlen(passbuf));
}
}
else
{
status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
- if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status)
+ if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
{
char passbuf[512] = {0};
pem_password_callback(passbuf, 512, 0, NULL);
@@ -295,7 +299,7 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
if (0 != status)
{
#ifdef ENABLE_MANAGEMENT
- if (management && (POLARSSL_ERR_PEM_PASSWORD_MISMATCH == status))
+ if (management && (POLARSSL_ERR_X509_PASSWORD_MISMATCH == status))
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
#endif
msg (M_WARN, "Cannot load private key file %s", priv_key_file);
@@ -467,16 +471,17 @@ static inline size_t external_key_len(void *vctx)
#endif
void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
- const char *ca_file_inline,
+ const char *ca_inline,
const char *ca_path, bool tls_server
)
{
if (ca_path)
msg(M_FATAL, "ERROR: PolarSSL cannot handle the capath directive");
- if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
+ if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
{
- if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
+ if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
+ strlen(ca_inline)))
msg (M_FATAL, "Cannot load inline CA certificates");
}
else
@@ -489,15 +494,16 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
void
tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
- const char *extra_certs_file_inline
+ const char *extra_certs_inline
)
{
ASSERT(NULL != ctx);
- if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
+ if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
{
- if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
- strlen(extra_certs_file_inline)))
+ if (0 != x509parse_crt(ctx->crt_chain,
+ (const unsigned char *) extra_certs_inline,
+ strlen(extra_certs_inline)))
msg (M_FATAL, "Cannot load inline extra-certs file");
}
else
@@ -620,7 +626,7 @@ static void my_debug( void *ctx, int level, const char *str )
void tls_ctx_personalise_random(struct tls_root_ctx *ctx)
{
static char old_sha256_hash[32] = {0};
- char sha256_hash[32] = {0};
+ unsigned char sha256_hash[32] = {0};
ctr_drbg_context *cd_ctx = rand_ctx_get();
if (NULL != ctx->crt_chain)
@@ -648,6 +654,40 @@ tls_version_max(void)
#endif
}
+/**
+ * Convert an OpenVPN tls-version variable to PolarSSl format (i.e. a major and
+ * minor ssl version number).
+ *
+ * @param tls_ver The tls-version variable to convert.
+ * @param major Returns the TLS major version in polarssl format.
+ * Must be a valid pointer.
+ * @param minor Returns the TLS minor version in polarssl format.
+ * Must be a valid pointer.
+ */
+static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) {
+ ASSERT(major);
+ ASSERT(minor);
+
+ switch (tls_ver)
+ {
+ case TLS_VER_1_0:
+ *major = SSL_MAJOR_VERSION_3;
+ *minor = SSL_MINOR_VERSION_1;
+ break;
+ case TLS_VER_1_1:
+ *major = SSL_MAJOR_VERSION_3;
+ *minor = SSL_MINOR_VERSION_2;
+ break;
+ case TLS_VER_1_2:
+ *major = SSL_MAJOR_VERSION_3;
+ *minor = SSL_MINOR_VERSION_3;
+ break;
+ default:
+ msg(M_FATAL, "%s: invalid TLS version %d", __func__, tls_ver);
+ break;
+ }
+}
+
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
{
@@ -706,30 +746,32 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
/* Initialize minimum TLS version */
{
- const int tls_version_min = (session->opt->ssl_flags >> SSLF_TLS_VERSION_SHIFT) & SSLF_TLS_VERSION_MASK;
- int polar_major;
- int polar_minor;
- switch (tls_version_min)
+ const int tls_version_min =
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) &
+ SSLF_TLS_VERSION_MIN_MASK;
+
+ /* default to TLS 1.0 */
+ int major = SSL_MAJOR_VERSION_3;
+ int minor = SSL_MINOR_VERSION_1;
+
+ if (tls_version_min > TLS_VER_UNSPEC)
+ tls_version_to_major_minor(tls_version_min, &major, &minor);
+
+ ssl_set_min_version(ks_ssl->ctx, major, minor);
+ }
+
+ /* Initialize maximum TLS version */
+ {
+ const int tls_version_max =
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &
+ SSLF_TLS_VERSION_MAX_MASK;
+
+ if (tls_version_max > TLS_VER_UNSPEC)
{
- case TLS_VER_1_0:
- default:
- polar_major = SSL_MAJOR_VERSION_3;
- polar_minor = SSL_MINOR_VERSION_1;
- break;
-#if defined(SSL_MAJOR_VERSION_3) && defined(SSL_MINOR_VERSION_2)
- case TLS_VER_1_1:
- polar_major = SSL_MAJOR_VERSION_3;
- polar_minor = SSL_MINOR_VERSION_2;
- break;
-#endif
-#if defined(SSL_MAJOR_VERSION_3) && defined(SSL_MINOR_VERSION_3)
- case TLS_VER_1_2:
- polar_major = SSL_MAJOR_VERSION_3;
- polar_minor = SSL_MINOR_VERSION_3;
- break;
-#endif
+ int major, minor;
+ tls_version_to_major_minor(tls_version_max, &major, &minor);
+ ssl_set_max_version(ks_ssl->ctx, major, minor);
}
- ssl_set_min_version(ks_ssl->ctx, polar_major, polar_minor);
}
/* Initialise BIOs */
@@ -1053,7 +1095,7 @@ show_available_tls_ciphers (const char *cipher_list)
printf ("%s\n", ssl_get_ciphersuite_name(*ciphers));
ciphers++;
}
- printf ("\n");
+ printf ("\n" SHOW_TLS_CIPHER_LIST_WARNING);
}
void
@@ -1068,7 +1110,7 @@ get_highest_preference_tls_cipher (char *buf, int size)
strncpynt (buf, cipher_name, size);
}
-char *
+const char *
get_ssl_library_version(void)
{
static char polar_version[30];
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 06:39:16 +0000