OpenVPN
ssl_openssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #endif
32 
33 #include "syshead.h"
34 
35 #if defined(ENABLE_CRYPTO_OPENSSL)
36 
37 #include "errlevel.h"
38 #include "buffer.h"
39 #include "misc.h"
40 #include "manage.h"
41 #include "memdbg.h"
42 #include "ssl_backend.h"
43 #include "ssl_common.h"
44 #include "base64.h"
45 #include "openssl_compat.h"
46 #include "xkey_common.h"
47 
48 #ifdef ENABLE_CRYPTOAPI
49 #include "cryptoapi.h"
50 #endif
51 
52 #include "ssl_verify_openssl.h"
53 #include "ssl_util.h"
54 
55 #include <openssl/bn.h>
56 #include <openssl/crypto.h>
57 #include <openssl/dh.h>
58 #include <openssl/dsa.h>
59 #include <openssl/err.h>
60 #include <openssl/pkcs12.h>
61 #include <openssl/rsa.h>
62 #include <openssl/x509.h>
63 #include <openssl/ssl.h>
64 #ifndef OPENSSL_NO_EC
65 #include <openssl/ec.h>
66 #endif
67 
68 #if defined(_MSC_VER) && !defined(_M_ARM64)
69 #include <openssl/applink.c>
70 #endif
71 
72 OSSL_LIB_CTX *tls_libctx; /* Global */
73 
74 static void unload_xkey_provider(void);
75 
76 /*
77  * Allocate space in SSL objects in which to store a struct tls_session
78  * pointer back to parent.
79  *
80  */
81 
82 int mydata_index; /* GLOBAL */
83 
84 void
86 {
87 #if OPENSSL_VERSION_NUMBER < 0x10100000L
88  SSL_library_init();
89 #ifndef ENABLE_SMALL
90  SSL_load_error_strings();
91 #endif
92  OpenSSL_add_all_algorithms();
93 #endif
94  mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
95  ASSERT(mydata_index >= 0);
96 }
97 
98 void
100 {
101 #if OPENSSL_VERSION_NUMBER < 0x10100000L
102  EVP_cleanup();
103 #ifndef ENABLE_SMALL
104  ERR_free_strings();
105 #endif
106 #endif
107 }
108 
109 void
111 {
112  ASSERT(NULL != ctx);
113 
114  ctx->ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_server_method());
115 
116  if (ctx->ctx == NULL)
117  {
118  crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
119  }
120  if (ERR_peek_error() != 0)
121  {
122  crypto_msg(M_WARN, "Warning: TLS server context initialisation "
123  "has warnings.");
124  }
125 }
126 
127 void
129 {
130  ASSERT(NULL != ctx);
131 
132  ctx->ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_client_method());
133 
134  if (ctx->ctx == NULL)
135  {
136  crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
137  }
138  if (ERR_peek_error() != 0)
139  {
140  crypto_msg(M_WARN, "Warning: TLS client context initialisation "
141  "has warnings.");
142  }
143 }
144 
145 void
147 {
148  ASSERT(NULL != ctx);
149  SSL_CTX_free(ctx->ctx);
150  ctx->ctx = NULL;
151  unload_xkey_provider(); /* in case it is loaded */
152 }
153 
154 bool
156 {
157  ASSERT(NULL != ctx);
158  return NULL != ctx->ctx;
159 }
160 
161 bool
163  const char *label, size_t label_size,
164  void *ekm, size_t ekm_size)
165 
166 {
167  SSL *ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
168 
169  if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
170  label_size, NULL, 0, 0) == 1)
171  {
172  return true;
173  }
174  else
175  {
176  secure_memzero(ekm, ekm_size);
177  return false;
178  }
179 }
180 
181 /*
182  * Print debugging information on SSL/TLS session negotiation.
183  */
184 
185 #ifndef INFO_CALLBACK_SSL_CONST
186 #define INFO_CALLBACK_SSL_CONST const
187 #endif
188 static void
189 info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
190 {
191  if (where & SSL_CB_LOOP)
192  {
193  dmsg(D_HANDSHAKE_VERBOSE, "SSL state (%s): %s",
194  where & SSL_ST_CONNECT ? "connect" :
195  where &SSL_ST_ACCEPT ? "accept" :
196  "undefined", SSL_state_string_long(s));
197  }
198  else if (where & SSL_CB_ALERT)
199  {
200  dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s",
201  where & SSL_CB_READ ? "Received" : "Sent",
202  SSL_alert_type_string_long(ret),
203  SSL_alert_desc_string_long(ret));
204  }
205 }
206 
207 /*
208  * Return maximum TLS version supported by local OpenSSL library.
209  * Assume that presence of SSL_OP_NO_TLSvX macro indicates that
210  * TLSvX is supported.
211  */
212 int
214 {
215 #if defined(TLS1_3_VERSION)
216  /* If this is defined we can safely assume TLS 1.3 support */
217  return TLS_VER_1_3;
218 #elif OPENSSL_VERSION_NUMBER >= 0x10100000L
219  /*
220  * If TLS_VER_1_3 is not defined, we were compiled against a version that
221  * did not support TLS 1.3.
222  *
223  * However, the library we are *linked* against might be OpenSSL 1.1.1
224  * and therefore supports TLS 1.3. This needs to be checked at runtime
225  * since we can be compiled against 1.1.0 and then the library can be
226  * upgraded to 1.1.1.
227  * We only need to check this for OpenSSL versions that can be
228  * upgraded to 1.1.1 without recompile (>= 1.1.0)
229  */
230  if (OpenSSL_version_num() >= 0x1010100fL)
231  {
232  return TLS_VER_1_3;
233  }
234  else
235  {
236  return TLS_VER_1_2;
237  }
238 #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
239  return TLS_VER_1_2;
240 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
241  return TLS_VER_1_1;
242 #else /* if defined(TLS1_3_VERSION) */
243  return TLS_VER_1_0;
244 #endif
245 }
246 
248 static int
250 {
251  if (ver == TLS_VER_1_0)
252  {
253  return TLS1_VERSION;
254  }
255  else if (ver == TLS_VER_1_1)
256  {
257  return TLS1_1_VERSION;
258  }
259  else if (ver == TLS_VER_1_2)
260  {
261  return TLS1_2_VERSION;
262  }
263  else if (ver == TLS_VER_1_3)
264  {
265  /*
266  * Supporting the library upgraded to TLS1.3 without recompile
267  * is enough to support here with a simple constant that the same
268  * as in the TLS 1.3, so spec it is very unlikely that OpenSSL
269  * will change this constant
270  */
271 #ifndef TLS1_3_VERSION
272  /*
273  * We do not want to define TLS_VER_1_3 if not defined
274  * since other parts of the code use the existance of this macro
275  * as proxy for TLS 1.3 support
276  */
277  return 0x0304;
278 #else
279  return TLS1_3_VERSION;
280 #endif
281  }
282  return 0;
283 }
284 
285 static bool
286 tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
287 {
288  int tls_ver_min = openssl_tls_version(
290  int tls_ver_max = openssl_tls_version(
292 
293  if (!tls_ver_min)
294  {
295  /* Enforce at least TLS 1.0 */
296  int cur_min = SSL_CTX_get_min_proto_version(ctx->ctx);
297  tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
298  }
299 
300  if (!SSL_CTX_set_min_proto_version(ctx->ctx, tls_ver_min))
301  {
302  msg(D_TLS_ERRORS, "%s: failed to set minimum TLS version", __func__);
303  return false;
304  }
305 
306  if (tls_ver_max && !SSL_CTX_set_max_proto_version(ctx->ctx, tls_ver_max))
307  {
308  msg(D_TLS_ERRORS, "%s: failed to set maximum TLS version", __func__);
309  return false;
310  }
311 
312  return true;
313 }
314 
315 bool
316 tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
317 {
318  ASSERT(NULL != ctx);
319 
320  /* process SSL options */
321  long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
322 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
323  sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
324 #endif
325  sslopt |= SSL_OP_NO_COMPRESSION;
326  /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
327  * session and does not depend on this feature. And TLS renegotiations have
328  * been problematic in the past */
329 #ifdef SSL_OP_NO_RENEGOTIATION
330  sslopt |= SSL_OP_NO_RENEGOTIATION;
331 #endif
332 
333  SSL_CTX_set_options(ctx->ctx, sslopt);
334 
335  if (!tls_ctx_set_tls_versions(ctx, ssl_flags))
336  {
337  return false;
338  }
339 
340 #ifdef SSL_MODE_RELEASE_BUFFERS
341  SSL_CTX_set_mode(ctx->ctx, SSL_MODE_RELEASE_BUFFERS);
342 #endif
343  SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_OFF);
344  SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback);
345 
346  /* Require peer certificate verification */
347  int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
348  if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
349  {
350  verify_flags = 0;
351  }
352  else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
353  {
354  verify_flags = SSL_VERIFY_PEER;
355  }
356  SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback);
357 
358  SSL_CTX_set_info_callback(ctx->ctx, info_callback);
359 
360  return true;
361 }
362 
363 void
364 convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
365 {
366  /* Parse supplied cipher list and pass on to OpenSSL */
367  size_t begin_of_cipher, end_of_cipher;
368 
369  const char *current_cipher;
370  size_t current_cipher_len;
371 
372  const tls_cipher_name_pair *cipher_pair;
373 
374  size_t openssl_ciphers_len = 0;
375  openssl_ciphers[0] = '\0';
376 
377  /* Translate IANA cipher suite names to OpenSSL names */
378  begin_of_cipher = end_of_cipher = 0;
379  for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
380  {
381  end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
382  cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
383 
384  if (NULL == cipher_pair)
385  {
386  /* No translation found, use original */
387  current_cipher = &ciphers[begin_of_cipher];
388  current_cipher_len = end_of_cipher - begin_of_cipher;
389 
390  /* Issue warning on missing translation */
391  /* %.*s format specifier expects length of type int, so guarantee */
392  /* that length is small enough and cast to int. */
393  msg(D_LOW, "No valid translation found for TLS cipher '%.*s'",
394  constrain_int(current_cipher_len, 0, 256), current_cipher);
395  }
396  else
397  {
398  /* Use OpenSSL name */
399  current_cipher = cipher_pair->openssl_name;
400  current_cipher_len = strlen(current_cipher);
401 
402  if (end_of_cipher - begin_of_cipher == current_cipher_len
403  && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name,
404  end_of_cipher - begin_of_cipher))
405  {
406  /* Non-IANA name used, show warning */
407  msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
408  }
409  }
410 
411  /* Make sure new cipher name fits in cipher string */
412  if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
413  || (len - 1) < (openssl_ciphers_len + current_cipher_len))
414  {
415  msg(M_FATAL,
416  "Failed to set restricted TLS cipher list, too long (>%d).",
417  (int)(len - 1));
418  }
419 
420  /* Concatenate cipher name to OpenSSL cipher string */
421  memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
422  openssl_ciphers_len += current_cipher_len;
423  openssl_ciphers[openssl_ciphers_len] = ':';
424  openssl_ciphers_len++;
425 
426  end_of_cipher++;
427  }
428 
429  if (openssl_ciphers_len > 0)
430  {
431  openssl_ciphers[openssl_ciphers_len-1] = '\0';
432  }
433 }
434 
435 void
436 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
437 {
438  if (ciphers == NULL)
439  {
440  /* Use sane default TLS cipher list */
441  if (!SSL_CTX_set_cipher_list(ctx->ctx,
442  /* Use openssl's default list as a basis */
443  "DEFAULT"
444  /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
445  ":!EXP:!LOW:!MEDIUM"
446  /* Disable static (EC)DH keys (no forward secrecy) */
447  ":!kDH:!kECDH"
448  /* Disable DSA private keys */
449  ":!DSS"
450  /* Disable unsupported TLS modes */
451  ":!PSK:!SRP:!kRSA"))
452  {
453  crypto_msg(M_FATAL, "Failed to set default TLS cipher list.");
454  }
455  return;
456  }
457 
458  char openssl_ciphers[4096];
459  convert_tls_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), ciphers);
460 
461  ASSERT(NULL != ctx);
462 
463  /* Set OpenSSL cipher list */
464  if (!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
465  {
466  crypto_msg(M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
467  }
468 }
469 
470 void
471 convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len,
472  const char *ciphers)
473 {
474  /*
475  * OpenSSL (and official IANA) cipher names have _ in them. We
476  * historically used names with - in them. Silently convert names
477  * with - to names with _ to support both
478  */
479  if (strlen(ciphers) >= (len - 1))
480  {
481  msg(M_FATAL,
482  "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
483  (int) (len - 1));
484  }
485 
486  strncpy(openssl_ciphers, ciphers, len);
487 
488  for (size_t i = 0; i < strlen(openssl_ciphers); i++)
489  {
490  if (openssl_ciphers[i] == '-')
491  {
492  openssl_ciphers[i] = '_';
493  }
494  }
495 }
496 
497 void
498 tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
499 {
500  if (ciphers == NULL)
501  {
502  /* default cipher list of OpenSSL 1.1.1 is sane, do not set own
503  * default as we do with tls-cipher */
504  return;
505  }
506 
507 #if !defined(TLS1_3_VERSION)
508  crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. "
509  "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
510  ciphers);
511 #else
512  ASSERT(NULL != ctx);
513 
514  char openssl_ciphers[4096];
515  convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers),
516  ciphers);
517 
518  if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers))
519  {
520  crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s",
521  openssl_ciphers);
522  }
523 #endif
524 }
525 
526 void
527 tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
528 {
529 #if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
530  /* OpenSSL does not have certificate profiles, but a complex set of
531  * callbacks that we could try to implement to achieve something similar.
532  * For now, use OpenSSL's security levels to achieve similar (but not equal)
533  * behaviour. */
534  if (!profile || 0 == strcmp(profile, "legacy"))
535  {
536  SSL_CTX_set_security_level(ctx->ctx, 1);
537  }
538  else if (0 == strcmp(profile, "insecure"))
539  {
540  SSL_CTX_set_security_level(ctx->ctx, 0);
541  }
542  else if (0 == strcmp(profile, "preferred"))
543  {
544  SSL_CTX_set_security_level(ctx->ctx, 2);
545  }
546  else if (0 == strcmp(profile, "suiteb"))
547  {
548  SSL_CTX_set_security_level(ctx->ctx, 3);
549  SSL_CTX_set_cipher_list(ctx->ctx, "SUITEB128");
550  }
551  else
552  {
553  msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
554  }
555 #else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
556  if (profile)
557  {
558  msg(M_WARN, "WARNING: OpenSSL 1.0.2 and LibreSSL do not support "
559  "--tls-cert-profile, ignoring user-set profile: '%s'", profile);
560  }
561 #endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
562 }
563 
564 void
565 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
566 {
567  ASSERT(ctx);
568 #if OPENSSL_VERSION_NUMBER < 0x30000000L
569  struct gc_arena gc = gc_new();
570  /* This method could be as easy as
571  * SSL_CTX_set1_groups_list(ctx->ctx, groups)
572  * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1
573  * This is one of the important curves.
574  * To support the same name for OpenSSL and mbedTLS, we do
575  * this dance.
576  * Also note that the code is wrong in the presence of OpenSSL3 providers.
577  */
578 
579  int groups_count = get_num_elements(groups, ':');
580 
581  int *glist;
582  /* Allocate an array for them */
583  ALLOC_ARRAY_CLEAR_GC(glist, int, groups_count, &gc);
584 
585  /* Parse allowed ciphers, getting IDs */
586  int glistlen = 0;
587  char *tmp_groups = string_alloc(groups, &gc);
588 
589  const char *token;
590  while ((token = strsep(&tmp_groups, ":")))
591  {
592  if (streq(token, "secp256r1"))
593  {
594  token = "prime256v1";
595  }
596  int nid = OBJ_sn2nid(token);
597 
598  if (nid == 0)
599  {
600  msg(M_WARN, "Warning unknown curve/group specified: %s", token);
601  }
602  else
603  {
604  glist[glistlen] = nid;
605  glistlen++;
606  }
607  }
608 
609  if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen))
610  {
611  crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
612  groups);
613  }
614  gc_free(&gc);
615 #else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
616  if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
617  {
618  crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
619  groups);
620  }
621 #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
622 }
623 
624 void
626 {
627  int ret;
628  const X509 *cert;
629 
630  ASSERT(ctx);
631 
632  cert = SSL_CTX_get0_certificate(ctx->ctx);
633 
634  if (cert == NULL)
635  {
636  return; /* Nothing to check if there is no certificate */
637  }
638 
639  ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
640  if (ret == 0)
641  {
642  msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
643  }
644  if (ret > 0)
645  {
646  msg(M_WARN, "WARNING: Your certificate is not yet valid!");
647  }
648 
649  ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
650  if (ret == 0)
651  {
652  msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
653  }
654  if (ret < 0)
655  {
656  msg(M_WARN, "WARNING: Your certificate has expired!");
657  }
658 }
659 
660 void
661 tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
662  bool dh_file_inline)
663 {
664  BIO *bio;
665 
666  ASSERT(NULL != ctx);
667 
668  if (dh_file_inline)
669  {
670  if (!(bio = BIO_new_mem_buf((char *)dh_file, -1)))
671  {
672  crypto_msg(M_FATAL, "Cannot open memory BIO for inline DH parameters");
673  }
674  }
675  else
676  {
677  /* Get Diffie Hellman Parameters */
678  if (!(bio = BIO_new_file(dh_file, "r")))
679  {
680  crypto_msg(M_FATAL, "Cannot open %s for DH parameters", dh_file);
681  }
682  }
683 
684 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
685  EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
686  BIO_free(bio);
687 
688  if (!dh)
689  {
690  crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
691  print_key_filename(dh_file, dh_file_inline));
692  }
693  if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
694  {
695  crypto_msg(M_FATAL, "SSL_CTX_set0_tmp_dh_pkey");
696  }
697 
698  msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
699  8 * EVP_PKEY_get_size(dh));
700 #else /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
701  DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
702  BIO_free(bio);
703 
704  if (!dh)
705  {
706  crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
707  print_key_filename(dh_file, dh_file_inline));
708  }
709  if (!SSL_CTX_set_tmp_dh(ctx->ctx, dh))
710  {
711  crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
712  }
713 
714  msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
715  8 * DH_size(dh));
716 
717  DH_free(dh);
718 #endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
719 }
720 
721 void
722 tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
723 {
724 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
725  if (curve_name != NULL)
726  {
727  msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
728  "ECDH curve with --ecdh-curve, using default curves. Use "
729  "--tls-groups to specify groups.");
730  }
731 #elif !defined(OPENSSL_NO_EC)
732  int nid = NID_undef;
733  EC_KEY *ecdh = NULL;
734  const char *sname = NULL;
735 
736  /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */
737  SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE);
738 
739  if (curve_name != NULL)
740  {
741  /* Use user supplied curve if given */
742  msg(D_TLS_DEBUG, "Using user specified ECDH curve (%s)", curve_name);
743  nid = OBJ_sn2nid(curve_name);
744  }
745  else
746  {
747 #if OPENSSL_VERSION_NUMBER < 0x10100000L
748 
749  /* OpenSSL 1.0.2 and newer can automatically handle ECDH parameter
750  * loading */
751  SSL_CTX_set_ecdh_auto(ctx->ctx, 1);
752 
753  /* OpenSSL 1.1.0 and newer have always ecdh auto loading enabled,
754  * so do nothing */
755 #endif
756  return;
757  }
758 
759  /* Translate NID back to name , just for kicks */
760  sname = OBJ_nid2sn(nid);
761  if (sname == NULL)
762  {
763  sname = "(Unknown)";
764  }
765 
766  /* Create new EC key and set as ECDH key */
767  if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid)))
768  {
769  /* Creating key failed, fall back on sane default */
770  ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
771  const char *source = (NULL == curve_name) ?
772  "extract curve from certificate" : "use supplied curve";
774  "Failed to %s (%s), using secp384r1 instead.", source, sname);
775  sname = OBJ_nid2sn(NID_secp384r1);
776  }
777 
778  if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh))
779  {
780  crypto_msg(M_FATAL, "SSL_CTX_set_tmp_ecdh: cannot add curve");
781  }
782 
783  msg(D_TLS_DEBUG_LOW, "ECDH curve %s added", sname);
784 
785  EC_KEY_free(ecdh);
786 #else /* ifndef OPENSSL_NO_EC */
787  msg(D_LOW, "Your OpenSSL library was built without elliptic curve support."
788  " Skipping ECDH parameter loading.");
789 #endif /* OPENSSL_NO_EC */
790 }
791 
792 int
793 tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
794  bool pkcs12_file_inline, bool load_ca_file)
795 {
796  FILE *fp;
797  EVP_PKEY *pkey;
798  X509 *cert;
799  STACK_OF(X509) *ca = NULL;
800  PKCS12 *p12;
801  int i;
802  char password[256];
803 
804  ASSERT(NULL != ctx);
805 
806  if (pkcs12_file_inline)
807  {
808  BIO *b64 = BIO_new(BIO_f_base64());
809  BIO *bio = BIO_new_mem_buf((void *) pkcs12_file,
810  (int) strlen(pkcs12_file));
811  ASSERT(b64 && bio);
812  BIO_push(b64, bio);
813  p12 = d2i_PKCS12_bio(b64, NULL);
814  if (!p12)
815  {
816  crypto_msg(M_FATAL, "Error reading inline PKCS#12 file");
817  }
818  BIO_free(b64);
819  BIO_free(bio);
820  }
821  else
822  {
823  /* Load the PKCS #12 file */
824  if (!(fp = platform_fopen(pkcs12_file, "rb")))
825  {
826  crypto_msg(M_FATAL, "Error opening file %s", pkcs12_file);
827  }
828  p12 = d2i_PKCS12_fp(fp, NULL);
829  fclose(fp);
830  if (!p12)
831  {
832  crypto_msg(M_FATAL, "Error reading PKCS#12 file %s", pkcs12_file);
833  }
834  }
835 
836  /* Parse the PKCS #12 file */
837  if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
838  {
839  pem_password_callback(password, sizeof(password) - 1, 0, NULL);
840  /* Reparse the PKCS #12 file with password */
841  ca = NULL;
842  if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
843  {
844  crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password "
845  "or unsupported/legacy encryption");
846 #ifdef ENABLE_MANAGEMENT
847  if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
848  {
850  }
851 #endif
852  PKCS12_free(p12);
853  return 1;
854  }
855  }
856  PKCS12_free(p12);
857 
858  /* Load Certificate */
859  if (!SSL_CTX_use_certificate(ctx->ctx, cert))
860  {
862  crypto_msg(M_FATAL, "Cannot use certificate");
863  }
864 
865  /* Load Private Key */
866  if (!SSL_CTX_use_PrivateKey(ctx->ctx, pkey))
867  {
868  crypto_msg(M_FATAL, "Cannot use private key");
869  }
870 
871  /* Check Private Key */
872  if (!SSL_CTX_check_private_key(ctx->ctx))
873  {
874  crypto_msg(M_FATAL, "Private key does not match the certificate");
875  }
876 
877  /* Set Certificate Verification chain */
878  if (load_ca_file)
879  {
880  /* Add CAs from PKCS12 to the cert store and mark them as trusted.
881  * They're also used to fill in the chain of intermediate certs as
882  * necessary.
883  */
884  if (ca && sk_X509_num(ca))
885  {
886  for (i = 0; i < sk_X509_num(ca); i++)
887  {
888  X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
889  if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
890  {
891  crypto_msg(M_FATAL, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
892  }
893  if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
894  {
895  crypto_msg(M_FATAL, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
896  }
897  }
898  }
899  }
900  else
901  {
902  /* If trusted CA certs were loaded from a PEM file, and we ignore the
903  * ones in PKCS12, do load PKCS12-provided certs to the client extra
904  * certs chain just in case they include intermediate CAs needed to
905  * prove my identity to the other end. This does not make them trusted.
906  */
907  if (ca && sk_X509_num(ca))
908  {
909  for (i = 0; i < sk_X509_num(ca); i++)
910  {
911  if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
912  {
913  crypto_msg(M_FATAL, "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
914  }
915  }
916  }
917  }
918  return 0;
919 }
920 
921 #ifdef ENABLE_CRYPTOAPI
922 void
923 tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
924 {
925  ASSERT(NULL != ctx);
926 
927  /* Load Certificate and Private Key */
928  if (!SSL_CTX_use_CryptoAPI_certificate(ctx->ctx, cryptoapi_cert))
929  {
930  crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert);
931  }
932 }
933 #endif /* ENABLE_CRYPTOAPI */
934 
935 static void
936 tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
937 {
938  X509 *cert;
939  while (true)
940  {
941  cert = NULL;
942  if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
943  {
944  /* a PEM_R_NO_START_LINE "Error" indicates that no certificate
945  * is found in the buffer. If loading more certificates is
946  * optional, break without raising an error
947  */
948  if (optional
949  && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
950  {
951  /* remove that error from error stack */
952  (void)ERR_get_error();
953  break;
954  }
955 
956  /* Otherwise, bail out with error */
957  crypto_msg(M_FATAL, "Error reading extra certificate");
958  }
959  /* takes ownership of cert like a set1 method */
960  if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
961  {
962  crypto_msg(M_FATAL, "Error adding extra certificate");
963  }
964  /* We loaded at least one certificate, so loading more is optional */
965  optional = true;
966  }
967 }
968 
969 void
970 tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
971  bool cert_file_inline)
972 {
973  BIO *in = NULL;
974  X509 *x = NULL;
975  int ret = 0;
976 
977  ASSERT(NULL != ctx);
978 
979  if (cert_file_inline)
980  {
981  in = BIO_new_mem_buf((char *) cert_file, -1);
982  }
983  else
984  {
985  in = BIO_new_file(cert_file, "r");
986  }
987 
988  if (in == NULL)
989  {
990  SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
991  goto end;
992  }
993 
994  x = PEM_read_bio_X509(in, NULL,
997  if (x == NULL)
998  {
999  SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
1000  goto end;
1001  }
1002 
1003  ret = SSL_CTX_use_certificate(ctx->ctx, x);
1004  if (ret)
1005  {
1006  tls_ctx_add_extra_certs(ctx, in, true);
1007  }
1008 
1009 end:
1010  if (!ret)
1011  {
1013  if (cert_file_inline)
1014  {
1015  crypto_msg(M_FATAL, "Cannot load inline certificate file");
1016  }
1017  else
1018  {
1019  crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file);
1020  }
1021  }
1022  else
1023  {
1025  }
1026 
1027  BIO_free(in);
1028  X509_free(x);
1029 }
1030 
1031 int
1032 tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
1033  bool priv_key_file_inline)
1034 {
1035  SSL_CTX *ssl_ctx = NULL;
1036  BIO *in = NULL;
1037  EVP_PKEY *pkey = NULL;
1038  int ret = 1;
1039 
1040  ASSERT(NULL != ctx);
1041 
1042  ssl_ctx = ctx->ctx;
1043 
1044  if (priv_key_file_inline)
1045  {
1046  in = BIO_new_mem_buf((char *) priv_key_file, -1);
1047  }
1048  else
1049  {
1050  in = BIO_new_file(priv_key_file, "r");
1051  }
1052 
1053  if (!in)
1054  {
1055  goto end;
1056  }
1057 
1058  pkey = PEM_read_bio_PrivateKey(in, NULL,
1061 
1062  if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
1063  {
1064 #ifdef ENABLE_MANAGEMENT
1065  if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1066  {
1068  }
1069 #endif
1070  crypto_msg(M_WARN, "Cannot load private key file %s",
1071  print_key_filename(priv_key_file, priv_key_file_inline));
1072  goto end;
1073  }
1074 
1075  /* Check Private Key */
1076  if (!SSL_CTX_check_private_key(ssl_ctx))
1077  {
1078  crypto_msg(M_FATAL, "Private key does not match the certificate");
1079  }
1080  ret = 0;
1081 
1082 end:
1083  EVP_PKEY_free(pkey);
1084  BIO_free(in);
1085  return ret;
1086 }
1087 
1088 void
1089 backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
1090  bool crl_inline)
1091 {
1092  BIO *in = NULL;
1093 
1094  X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
1095  if (!store)
1096  {
1097  crypto_msg(M_FATAL, "Cannot get certificate store");
1098  }
1099 
1100  /* Always start with a cleared CRL list, for that we
1101  * we need to manually find the CRL object from the stack
1102  * and remove it */
1103  STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
1104  for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
1105  {
1106  X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
1107  ASSERT(obj);
1108  if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
1109  {
1110  sk_X509_OBJECT_delete(objs, i);
1111  X509_OBJECT_free(obj);
1112  }
1113  }
1114 
1115  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1116 
1117  if (crl_inline)
1118  {
1119  in = BIO_new_mem_buf((char *) crl_file, -1);
1120  }
1121  else
1122  {
1123  in = BIO_new_file(crl_file, "r");
1124  }
1125 
1126  if (in == NULL)
1127  {
1128  msg(M_WARN, "CRL: cannot read: %s",
1129  print_key_filename(crl_file, crl_inline));
1130  goto end;
1131  }
1132 
1133  int num_crls_loaded = 0;
1134  while (true)
1135  {
1136  X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
1137  if (crl == NULL)
1138  {
1139  /*
1140  * PEM_R_NO_START_LINE can be considered equivalent to EOF.
1141  */
1142  bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
1143  /* but warn if no CRLs have been loaded */
1144  if (num_crls_loaded > 0 && eof)
1145  {
1146  /* remove that error from error stack */
1147  (void)ERR_get_error();
1148  break;
1149  }
1150 
1151  crypto_msg(M_WARN, "CRL: cannot read CRL from file %s",
1152  print_key_filename(crl_file, crl_inline));
1153  break;
1154  }
1155 
1156  if (!X509_STORE_add_crl(store, crl))
1157  {
1158  X509_CRL_free(crl);
1159  crypto_msg(M_WARN, "CRL: cannot add %s to store",
1160  print_key_filename(crl_file, crl_inline));
1161  break;
1162  }
1163  X509_CRL_free(crl);
1164  num_crls_loaded++;
1165  }
1166  msg(M_INFO, "CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
1167 end:
1168  BIO_free(in);
1169 }
1170 
1171 
1172 #if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
1173 
1174 /* encrypt */
1175 static int
1176 rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1177 {
1178  ASSERT(0);
1179  return -1;
1180 }
1181 
1182 /* verify arbitrary data */
1183 static int
1184 rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1185 {
1186  ASSERT(0);
1187  return -1;
1188 }
1189 
1190 /* decrypt */
1191 static int
1192 rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1193 {
1194  ASSERT(0);
1195  return -1;
1196 }
1197 
1198 /* called at RSA_free */
1199 static int
1201 {
1202  /* meth was allocated in tls_ctx_use_management_external_key() ; since
1203  * this function is called when the parent RSA object is destroyed,
1204  * it is no longer used after this point so kill it. */
1205  const RSA_METHOD *meth = RSA_get_method(rsa);
1206  RSA_meth_free((RSA_METHOD *)meth);
1207  return 1;
1208 }
1209 
1210 /*
1211  * Convert OpenSSL's constant to the strings used in the management
1212  * interface query
1213  */
1214 const char *
1215 get_rsa_padding_name(const int padding)
1216 {
1217  switch (padding)
1218  {
1219  case RSA_PKCS1_PADDING:
1220  return "RSA_PKCS1_PADDING";
1221 
1222  case RSA_NO_PADDING:
1223  return "RSA_NO_PADDING";
1224 
1225  default:
1226  return "UNKNOWN";
1227  }
1228 }
1229 
1241 static int
1242 get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen,
1243  unsigned char *sig, unsigned int siglen,
1244  const char *algorithm)
1245 {
1246  char *in_b64 = NULL;
1247  char *out_b64 = NULL;
1248  int len = -1;
1249 
1250  int bencret = openvpn_base64_encode(dgst, dgstlen, &in_b64);
1251 
1252  if (management && bencret > 0)
1253  {
1254  out_b64 = management_query_pk_sig(management, in_b64, algorithm);
1255 
1256  }
1257  if (out_b64)
1258  {
1259  len = openvpn_base64_decode(out_b64, sig, siglen);
1260  }
1261 
1262  free(in_b64);
1263  free(out_b64);
1264  return len;
1265 }
1266 
1267 /* sign arbitrary data */
1268 static int
1269 rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa,
1270  int padding)
1271 {
1272  unsigned int len = RSA_size(rsa);
1273  int ret = -1;
1274 
1275  if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING)
1276  {
1277  RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
1278  return -1;
1279  }
1280 
1281  ret = get_sig_from_man(from, flen, to, len, get_rsa_padding_name(padding));
1282 
1283  return (ret == len) ? ret : -1;
1284 }
1285 
1286 static int
1287 tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
1288 {
1289  RSA *rsa = NULL;
1290  RSA_METHOD *rsa_meth;
1291 
1292  ASSERT(NULL != ctx);
1293 
1294  const RSA *pub_rsa = EVP_PKEY_get0_RSA(pkey);
1295  ASSERT(NULL != pub_rsa);
1296 
1297  /* allocate custom RSA method object */
1298  rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
1299  RSA_METHOD_FLAG_NO_CHECK);
1300  check_malloc_return(rsa_meth);
1301  RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
1302  RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
1305  RSA_meth_set_init(rsa_meth, NULL);
1307  RSA_meth_set0_app_data(rsa_meth, NULL);
1308 
1309  /* allocate RSA object */
1310  rsa = RSA_new();
1311  if (rsa == NULL)
1312  {
1313  SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
1314  goto err;
1315  }
1316 
1317  /* initialize RSA object */
1318  const BIGNUM *n = NULL;
1319  const BIGNUM *e = NULL;
1320  RSA_get0_key(pub_rsa, &n, &e, NULL);
1321  RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
1322  RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
1323  if (!RSA_set_method(rsa, rsa_meth))
1324  {
1325  RSA_meth_free(rsa_meth);
1326  goto err;
1327  }
1328  /* from this point rsa_meth will get freed with rsa */
1329 
1330  /* bind our custom RSA object to ssl_ctx */
1331  if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa))
1332  {
1333  goto err;
1334  }
1335 
1336  RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
1337  return 1;
1338 
1339 err:
1340  if (rsa)
1341  {
1342  RSA_free(rsa);
1343  }
1344  else if (rsa_meth)
1345  {
1346  RSA_meth_free(rsa_meth);
1347  }
1348  return 0;
1349 }
1350 
1351 #if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
1352 
1353 /* called when EC_KEY is destroyed */
1354 static void
1355 openvpn_extkey_ec_finish(EC_KEY *ec)
1356 {
1357  /* release the method structure */
1358  const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
1359  EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth);
1360 }
1361 
1362 /* EC_KEY_METHOD callback: sign().
1363  * Sign the hash using EC key and return DER encoded signature in sig,
1364  * its length in siglen. Return value is 1 on success, 0 on error.
1365  */
1366 static int
1367 ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig,
1368  unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
1369 {
1370  int capacity = ECDSA_size(ec);
1371  /*
1372  * ECDSA does not seem to have proper constants for paddings since
1373  * there are only signatures without padding at the moment, use
1374  * a generic ECDSA for the moment
1375  */
1376  int len = get_sig_from_man(dgst, dgstlen, sig, capacity, "ECDSA");
1377 
1378  if (len > 0)
1379  {
1380  *siglen = len;
1381  return 1;
1382  }
1383  return 0;
1384 }
1385 
1386 /* EC_KEY_METHOD callback: sign_setup(). We do no precomputations */
1387 static int
1388 ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
1389 {
1390  return 1;
1391 }
1392 
1393 /* EC_KEY_METHOD callback: sign_sig().
1394  * Sign the hash and return the result as a newly allocated ECDS_SIG
1395  * struct or NULL on error.
1396  */
1397 static ECDSA_SIG *
1398 ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv,
1399  const BIGNUM *in_r, EC_KEY *ec)
1400 {
1401  ECDSA_SIG *ecsig = NULL;
1402  unsigned int len = ECDSA_size(ec);
1403  struct gc_arena gc = gc_new();
1404 
1405  unsigned char *buf = gc_malloc(len, false, &gc);
1406  if (ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec) != 1)
1407  {
1408  goto out;
1409  }
1410  /* const char ** should be avoided: not up to us, so we cast our way through */
1411  ecsig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&buf, len);
1412 
1413 out:
1414  gc_free(&gc);
1415  return ecsig;
1416 }
1417 
1418 static int
1419 tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
1420 {
1421  EC_KEY *ec = NULL;
1422  EVP_PKEY *privkey = NULL;
1423  EC_KEY_METHOD *ec_method;
1424 
1425  ASSERT(ctx);
1426 
1427  ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
1428  if (!ec_method)
1429  {
1430  goto err;
1431  }
1432 
1433  /* Among init methods, we only need the finish method */
1434  EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
1435  EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
1436 
1437  ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
1438  if (!ec)
1439  {
1440  EC_KEY_METHOD_free(ec_method);
1441  goto err;
1442  }
1443  if (!EC_KEY_set_method(ec, ec_method))
1444  {
1445  EC_KEY_METHOD_free(ec_method);
1446  goto err;
1447  }
1448  /* from this point ec_method will get freed when ec is freed */
1449 
1450  privkey = EVP_PKEY_new();
1451  if (!EVP_PKEY_assign_EC_KEY(privkey, ec))
1452  {
1453  goto err;
1454  }
1455  /* from this point ec will get freed when privkey is freed */
1456 
1457  if (!SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
1458  {
1459  ec = NULL; /* avoid double freeing it below */
1460  goto err;
1461  }
1462 
1463  EVP_PKEY_free(privkey); /* this will down ref privkey and ec */
1464  return 1;
1465 
1466 err:
1467  /* Reach here only when ec and privkey can be independenly freed */
1468  EVP_PKEY_free(privkey);
1469  EC_KEY_free(ec);
1470  return 0;
1471 }
1472 #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */
1473 #endif /* ENABLE_MANAGEMENT && !HAVE_XKEY_PROVIDER */
1474 
1475 #ifdef ENABLE_MANAGEMENT
1476 int
1478 {
1479  int ret = 1;
1480 
1481  ASSERT(NULL != ctx);
1482 
1483  X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
1484 
1485  ASSERT(NULL != cert);
1486 
1487  /* get the public key */
1488  EVP_PKEY *pkey = X509_get0_pubkey(cert);
1489  ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
1490 
1491 #ifdef HAVE_XKEY_PROVIDER
1492  EVP_PKEY *privkey = xkey_load_management_key(tls_libctx, pkey);
1493  if (!privkey
1494  || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
1495  {
1496  EVP_PKEY_free(privkey);
1497  goto cleanup;
1498  }
1499  EVP_PKEY_free(privkey);
1500 #else /* ifdef HAVE_XKEY_PROVIDER */
1501 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1502  if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
1503 #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1504  if (EVP_PKEY_is_a(pkey, "RSA"))
1505 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1506  {
1507  if (!tls_ctx_use_external_rsa_key(ctx, pkey))
1508  {
1509  goto cleanup;
1510  }
1511  }
1512 #if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
1513 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1514  else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
1515 #else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1516  else if (EVP_PKEY_is_a(pkey, "EC"))
1517 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1518  {
1519  if (!tls_ctx_use_external_ec_key(ctx, pkey))
1520  {
1521  goto cleanup;
1522  }
1523  }
1524  else
1525  {
1526  crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
1527  goto cleanup;
1528  }
1529 #else /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */
1530  else
1531  {
1532  crypto_msg(M_WARN, "management-external-key requires an RSA certificate");
1533  goto cleanup;
1534  }
1535 #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */
1536 
1537 #endif /* HAVE_XKEY_PROVIDER */
1538 
1539  ret = 0;
1540 cleanup:
1541  if (ret)
1542  {
1543  crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");
1544  }
1545  return ret;
1546 }
1547 
1548 #endif /* ifdef ENABLE_MANAGEMENT */
1549 
1550 static int
1551 sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
1552 {
1553  return X509_NAME_cmp(*a, *b);
1554 }
1555 
1556 void
1557 tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file,
1558  bool ca_file_inline, const char *ca_path, bool tls_server)
1559 {
1560  STACK_OF(X509_INFO) *info_stack = NULL;
1561  STACK_OF(X509_NAME) *cert_names = NULL;
1562  X509_LOOKUP *lookup = NULL;
1563  X509_STORE *store = NULL;
1564  X509_NAME *xn = NULL;
1565  BIO *in = NULL;
1566  int i, added = 0, prev = 0;
1567 
1568  ASSERT(NULL != ctx);
1569 
1570  store = SSL_CTX_get_cert_store(ctx->ctx);
1571  if (!store)
1572  {
1573  crypto_msg(M_FATAL, "Cannot get certificate store");
1574  }
1575 
1576  /* Try to add certificates and CRLs from ca_file */
1577  if (ca_file)
1578  {
1579  if (ca_file_inline)
1580  {
1581  in = BIO_new_mem_buf((char *)ca_file, -1);
1582  }
1583  else
1584  {
1585  in = BIO_new_file(ca_file, "r");
1586  }
1587 
1588  if (in)
1589  {
1590  info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
1591  }
1592 
1593  if (info_stack)
1594  {
1595  for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
1596  {
1597  X509_INFO *info = sk_X509_INFO_value(info_stack, i);
1598  if (info->crl)
1599  {
1600  X509_STORE_add_crl(store, info->crl);
1601  }
1602 
1603  if (tls_server && !info->x509)
1604  {
1605  crypto_msg(M_FATAL, "X509 name was missing in TLS mode");
1606  }
1607 
1608  if (info->x509)
1609  {
1610  X509_STORE_add_cert(store, info->x509);
1611  added++;
1612 
1613  if (!tls_server)
1614  {
1615  continue;
1616  }
1617 
1618  /* Use names of CAs as a client CA list */
1619  if (cert_names == NULL)
1620  {
1621  cert_names = sk_X509_NAME_new(sk_x509_name_cmp);
1622  if (!cert_names)
1623  {
1624  continue;
1625  }
1626  }
1627 
1628  xn = X509_get_subject_name(info->x509);
1629  if (!xn)
1630  {
1631  continue;
1632  }
1633 
1634  /* Don't add duplicate CA names */
1635  if (sk_X509_NAME_find(cert_names, xn) == -1)
1636  {
1637  xn = X509_NAME_dup(xn);
1638  if (!xn)
1639  {
1640  continue;
1641  }
1642  sk_X509_NAME_push(cert_names, xn);
1643  }
1644  }
1645 
1646  if (tls_server)
1647  {
1648  int cnum = sk_X509_NAME_num(cert_names);
1649  if (cnum != (prev + 1))
1650  {
1652  "Cannot load CA certificate file %s (entry %d did not validate)",
1653  print_key_filename(ca_file, ca_file_inline),
1654  added);
1655  }
1656  prev = cnum;
1657  }
1658  }
1659  sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
1660  }
1661 
1662  if (tls_server)
1663  {
1664  SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
1665  }
1666 
1667  if (!added)
1668  {
1670  "Cannot load CA certificate file %s (no entries were read)",
1671  print_key_filename(ca_file, ca_file_inline));
1672  }
1673 
1674  if (tls_server)
1675  {
1676  int cnum = sk_X509_NAME_num(cert_names);
1677  if (cnum != added)
1678  {
1679  crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d "
1680  "of %d entries were valid X509 names)",
1681  print_key_filename(ca_file, ca_file_inline), cnum,
1682  added);
1683  }
1684  }
1685 
1686  BIO_free(in);
1687  }
1688 
1689  /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
1690  if (ca_path)
1691  {
1692  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1693  if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
1694  {
1695  msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
1696  }
1697  else
1698  {
1699  crypto_msg(M_FATAL, "Cannot add lookup at --capath %s", ca_path);
1700  }
1701  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1702  }
1703 }
1704 
1705 void
1706 tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
1707  bool extra_certs_file_inline)
1708 {
1709  BIO *in;
1710  if (extra_certs_file_inline)
1711  {
1712  in = BIO_new_mem_buf((char *)extra_certs_file, -1);
1713  }
1714  else
1715  {
1716  in = BIO_new_file(extra_certs_file, "r");
1717  }
1718 
1719  if (in == NULL)
1720  {
1721  crypto_msg(M_FATAL, "Cannot load extra-certs file: %s",
1722  print_key_filename(extra_certs_file,
1723  extra_certs_file_inline));
1724 
1725  }
1726  else
1727  {
1728  tls_ctx_add_extra_certs(ctx, in, false);
1729  }
1730 
1731  BIO_free(in);
1732 }
1733 
1734 /* **************************************
1735  *
1736  * Key-state specific functions
1737  *
1738  ***************************************/
1739 /*
1740  *
1741  * BIO functions
1742  *
1743  */
1744 
1745 #ifdef BIO_DEBUG
1746 
1747 #warning BIO_DEBUG defined
1748 
1749 static FILE *biofp; /* GLOBAL */
1750 static bool biofp_toggle; /* GLOBAL */
1751 static time_t biofp_last_open; /* GLOBAL */
1752 static const int biofp_reopen_interval = 600; /* GLOBAL */
1753 
1754 static void
1755 close_biofp(void)
1756 {
1757  if (biofp)
1758  {
1759  ASSERT(!fclose(biofp));
1760  biofp = NULL;
1761  }
1762 }
1763 
1764 static void
1765 open_biofp(void)
1766 {
1767  const time_t current = time(NULL);
1768  const pid_t pid = getpid();
1769 
1770  if (biofp_last_open + biofp_reopen_interval < current)
1771  {
1772  close_biofp();
1773  }
1774  if (!biofp)
1775  {
1776  char fn[256];
1777  openvpn_snprintf(fn, sizeof(fn), "bio/%d-%d.log", pid, biofp_toggle);
1778  biofp = fopen(fn, "w");
1779  ASSERT(biofp);
1780  biofp_last_open = time(NULL);
1781  biofp_toggle ^= 1;
1782  }
1783 }
1784 
1785 static void
1786 bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const char *desc)
1787 {
1788  struct gc_arena gc = gc_new();
1789  if (len > 0)
1790  {
1791  open_biofp();
1792  fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n",
1793  mode, desc, (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
1794  fflush(biofp);
1795  }
1796  gc_free(&gc);
1797 }
1798 
1799 static void
1800 bio_debug_oc(const char *mode, BIO *bio)
1801 {
1802  open_biofp();
1803  fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n",
1804  mode, (int64_t)time(NULL), (ptr_type)bio);
1805  fflush(biofp);
1806 }
1807 
1808 #endif /* ifdef BIO_DEBUG */
1809 
1810 /*
1811  * Write to an OpenSSL BIO in non-blocking mode.
1812  */
1813 static int
1814 bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
1815 {
1816  int i;
1817  int ret = 0;
1818  ASSERT(size >= 0);
1819  if (size)
1820  {
1821  /*
1822  * Free the L_TLS lock prior to calling BIO routines
1823  * so that foreground thread can still call
1824  * tls_pre_decrypt or tls_pre_encrypt,
1825  * allowing tunnel packet forwarding to continue.
1826  */
1827 #ifdef BIO_DEBUG
1828  bio_debug_data("write", bio, data, size, desc);
1829 #endif
1830  i = BIO_write(bio, data, size);
1831 
1832  if (i < 0)
1833  {
1834  if (!BIO_should_retry(bio))
1835  {
1836  crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s error", desc);
1837  ret = -1;
1838  ERR_clear_error();
1839  }
1840  }
1841  else if (i != size)
1842  {
1843  crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d",
1844  desc, i, size);
1845  ret = -1;
1846  ERR_clear_error();
1847  }
1848  else
1849  { /* successful write */
1850  dmsg(D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i);
1851  ret = 1;
1852  }
1853  }
1854  return ret;
1855 }
1856 
1857 /*
1858  * Inline functions for reading from and writing
1859  * to BIOs.
1860  */
1861 
1862 static void
1863 bio_write_post(const int status, struct buffer *buf)
1864 {
1865  if (status == 1) /* success status return from bio_write? */
1866  {
1867  memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
1868  buf->len = 0;
1869  }
1870 }
1871 
1872 /*
1873  * Read from an OpenSSL BIO in non-blocking mode.
1874  */
1875 static int
1876 bio_read(BIO *bio, struct buffer *buf, const char *desc)
1877 {
1878  ASSERT(buf->len >= 0);
1879  if (buf->len)
1880  {
1881  /* we only want to write empty buffers, ignore read request
1882  * if the buffer is not empty */
1883  return 0;
1884  }
1885  int len = buf_forward_capacity(buf);
1886 
1887  /*
1888  * BIO_read brackets most of the serious RSA
1889  * key negotiation number crunching.
1890  */
1891  int i = BIO_read(bio, BPTR(buf), len);
1892 
1893  VALGRIND_MAKE_READABLE((void *) &i, sizeof(i));
1894 
1895 #ifdef BIO_DEBUG
1896  bio_debug_data("read", bio, BPTR(buf), i, desc);
1897 #endif
1898 
1899  int ret = 0;
1900  if (i < 0)
1901  {
1902  if (!BIO_should_retry(bio))
1903  {
1904  crypto_msg(D_TLS_ERRORS, "TLS_ERROR: BIO read %s error", desc);
1905  buf->len = 0;
1906  ret = -1;
1907  ERR_clear_error();
1908  }
1909  }
1910  else if (!i)
1911  {
1912  buf->len = 0;
1913  }
1914  else
1915  { /* successful read */
1916  dmsg(D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i);
1917  buf->len = i;
1918  ret = 1;
1919  VALGRIND_MAKE_READABLE((void *) BPTR(buf), BLEN(buf));
1920  }
1921  return ret;
1922 }
1923 
1924 void
1925 key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
1926 {
1927  ASSERT(NULL != ssl_ctx);
1928  ASSERT(ks_ssl);
1929  CLEAR(*ks_ssl);
1930 
1931  ks_ssl->ssl = SSL_new(ssl_ctx->ctx);
1932  if (!ks_ssl->ssl)
1933  {
1934  crypto_msg(M_FATAL, "SSL_new failed");
1935  }
1936 
1937  /* put session * in ssl object so we can access it
1938  * from verify callback*/
1939  SSL_set_ex_data(ks_ssl->ssl, mydata_index, session);
1940 
1941  ASSERT((ks_ssl->ssl_bio = BIO_new(BIO_f_ssl())));
1942  ASSERT((ks_ssl->ct_in = BIO_new(BIO_s_mem())));
1943  ASSERT((ks_ssl->ct_out = BIO_new(BIO_s_mem())));
1944 
1945 #ifdef BIO_DEBUG
1946  bio_debug_oc("open ssl_bio", ks_ssl->ssl_bio);
1947  bio_debug_oc("open ct_in", ks_ssl->ct_in);
1948  bio_debug_oc("open ct_out", ks_ssl->ct_out);
1949 #endif
1950 
1951  if (is_server)
1952  {
1953  SSL_set_accept_state(ks_ssl->ssl);
1954  }
1955  else
1956  {
1957  SSL_set_connect_state(ks_ssl->ssl);
1958  }
1959 
1960  SSL_set_bio(ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out);
1961  BIO_set_ssl(ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE);
1962 }
1963 
1964 void
1966 {
1967  if (ks_ssl->ssl)
1968  {
1969 #ifdef BIO_DEBUG
1970  bio_debug_oc("close ssl_bio", ks_ssl->ssl_bio);
1971  bio_debug_oc("close ct_in", ks_ssl->ct_in);
1972  bio_debug_oc("close ct_out", ks_ssl->ct_out);
1973 #endif
1974  BIO_free_all(ks_ssl->ssl_bio);
1975  SSL_free(ks_ssl->ssl);
1976  }
1977 }
1978 
1979 int
1980 key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
1981 {
1982  int ret = 0;
1984 
1985  ASSERT(NULL != ks_ssl);
1986 
1987  ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf),
1988  "tls_write_plaintext");
1989  bio_write_post(ret, buf);
1990 
1991  perf_pop();
1992  return ret;
1993 }
1994 
1995 int
1996 key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
1997 {
1998  int ret = 0;
2000 
2001  ASSERT(NULL != ks_ssl);
2002 
2003  ret = bio_write(ks_ssl->ssl_bio, data, len, "tls_write_plaintext_const");
2004 
2005  perf_pop();
2006  return ret;
2007 }
2008 
2009 int
2010 key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2011 {
2012  int ret = 0;
2014 
2015  ASSERT(NULL != ks_ssl);
2016 
2017  ret = bio_read(ks_ssl->ct_out, buf, "tls_read_ciphertext");
2018 
2019  perf_pop();
2020  return ret;
2021 }
2022 
2023 int
2025 {
2026  int ret = 0;
2028 
2029  ASSERT(NULL != ks_ssl);
2030 
2031  ret = bio_write(ks_ssl->ct_in, BPTR(buf), BLEN(buf), "tls_write_ciphertext");
2032  bio_write_post(ret, buf);
2033 
2034  perf_pop();
2035  return ret;
2036 }
2037 
2038 int
2039 key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2040 {
2041  int ret = 0;
2043 
2044  ASSERT(NULL != ks_ssl);
2045 
2046  ret = bio_read(ks_ssl->ssl_bio, buf, "tls_read_plaintext");
2047 
2048  perf_pop();
2049  return ret;
2050 }
2051 
2052 static void
2053 print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
2054 {
2055  const char *curve = "";
2056  const char *type = "(error getting type)";
2057 
2058  if (pkey == NULL)
2059  {
2060  buf[0] = 0;
2061  return;
2062  }
2063 
2064  int typeid = EVP_PKEY_id(pkey);
2065 #if OPENSSL_VERSION_NUMBER < 0x30000000L
2066  bool is_ec = typeid == EVP_PKEY_EC;
2067 #else
2068  bool is_ec = EVP_PKEY_is_a(pkey, "EC");
2069 #endif
2070 
2071 #ifndef OPENSSL_NO_EC
2072  char groupname[256];
2073  if (is_ec)
2074  {
2075  size_t len;
2076  if (EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len))
2077  {
2078  curve = groupname;
2079  }
2080  else
2081  {
2082  curve = "(error getting curve name)";
2083  }
2084  }
2085 #endif
2086  if (typeid != 0)
2087  {
2088 #if OPENSSL_VERSION_NUMBER < 0x30000000L
2089  type = OBJ_nid2sn(typeid);
2090 
2091  /* OpenSSL reports rsaEncryption, dsaEncryption and
2092  * id-ecPublicKey, map these values to nicer ones */
2093  if (typeid == EVP_PKEY_RSA)
2094  {
2095  type = "RSA";
2096  }
2097  else if (typeid == EVP_PKEY_DSA)
2098  {
2099  type = "DSA";
2100  }
2101  else if (typeid == EVP_PKEY_EC)
2102  {
2103  /* EC gets the curve appended after the type */
2104  type = "EC, curve ";
2105  }
2106  else if (type == NULL)
2107  {
2108  type = "unknown type";
2109  }
2110 #else /* OpenSSL >= 3 */
2111  type = EVP_PKEY_get0_type_name(pkey);
2112  if (type == NULL)
2113  {
2114  type = "(error getting public key type)";
2115  }
2116 #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
2117  }
2118 
2119  openvpn_snprintf(buf, buflen, "%d bits %s%s",
2120  EVP_PKEY_bits(pkey), type, curve);
2121 }
2122 
2129 static void
2130 print_cert_details(X509 *cert, char *buf, size_t buflen)
2131 {
2132  EVP_PKEY *pkey = X509_get_pubkey(cert);
2133  char pkeybuf[128] = { 0 };
2134  print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
2135 
2136  char sig[128] = { 0 };
2137  int signature_nid = X509_get_signature_nid(cert);
2138  if (signature_nid != 0)
2139  {
2140  openvpn_snprintf(sig, sizeof(sig), ", signature: %s",
2141  OBJ_nid2sn(signature_nid));
2142  }
2143 
2144  openvpn_snprintf(buf, buflen, ", peer certificate: %s%s",
2145  pkeybuf, sig);
2146 
2147  EVP_PKEY_free(pkey);
2148 }
2149 
2150 static void
2151 print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
2152 {
2153  EVP_PKEY *pkey = NULL;
2154  SSL_get_peer_tmp_key(ssl, &pkey);
2155  if (!pkey)
2156  {
2157  return;
2158  }
2159 
2160  char pkeybuf[128] = { 0 };
2161  print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
2162 
2163  openvpn_snprintf(buf, buflen, ", peer temporary key: %s",
2164  pkeybuf);
2165 
2166  EVP_PKEY_free(pkey);
2167 }
2168 
2169 /* **************************************
2170  *
2171  * Information functions
2172  *
2173  * Print information for the end user.
2174  *
2175  ***************************************/
2176 void
2177 print_details(struct key_state_ssl *ks_ssl, const char *prefix)
2178 {
2179  const SSL_CIPHER *ciph;
2180  char s1[256];
2181  char s2[256];
2182  char s3[256];
2183 
2184  s1[0] = s2[0] = s3[0] = 0;
2185  ciph = SSL_get_current_cipher(ks_ssl->ssl);
2186  openvpn_snprintf(s1, sizeof(s1), "%s %s, cipher %s %s",
2187  prefix,
2188  SSL_get_version(ks_ssl->ssl),
2189  SSL_CIPHER_get_version(ciph),
2190  SSL_CIPHER_get_name(ciph));
2191  X509 *cert = SSL_get_peer_certificate(ks_ssl->ssl);
2192 
2193  if (cert)
2194  {
2195  print_cert_details(cert, s2, sizeof(s2));
2196  X509_free(cert);
2197  }
2198  print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3));
2199 
2200  msg(D_HANDSHAKE, "%s%s%s", s1, s2, s3);
2201 }
2202 
2203 void
2204 show_available_tls_ciphers_list(const char *cipher_list,
2205  const char *tls_cert_profile,
2206  bool tls13)
2207 {
2208  struct tls_root_ctx tls_ctx;
2209 
2210  tls_ctx.ctx = SSL_CTX_new(SSLv23_method());
2211  if (!tls_ctx.ctx)
2212  {
2213  crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
2214  }
2215 
2216 #if defined(TLS1_3_VERSION)
2217  if (tls13)
2218  {
2221  tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
2222  }
2223  else
2224 #endif
2225  {
2226  SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION);
2227  tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
2228  }
2229 
2230  tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);
2231 
2232  SSL *ssl = SSL_new(tls_ctx.ctx);
2233  if (!ssl)
2234  {
2235  crypto_msg(M_FATAL, "Cannot create SSL object");
2236  }
2237 
2238 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
2239  STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
2240 #else
2241  STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
2242 #endif
2243  for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
2244  {
2245  const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
2246 
2247  const char *cipher_name = SSL_CIPHER_get_name(c);
2248 
2249  const tls_cipher_name_pair *pair =
2250  tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
2251 
2252  if (tls13)
2253  {
2254  printf("%s\n", cipher_name);
2255  }
2256  else if (NULL == pair)
2257  {
2258  /* No translation found, print warning */
2259  printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n",
2260  cipher_name);
2261  }
2262  else
2263  {
2264  printf("%s\n", pair->iana_name);
2265  }
2266  }
2267 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
2268  sk_SSL_CIPHER_free(sk);
2269 #endif
2270  SSL_free(ssl);
2271  SSL_CTX_free(tls_ctx.ctx);
2272 }
2273 
2274 /*
2275  * Show the Elliptic curves that are available for us to use
2276  * in the OpenSSL library.
2277  */
2278 void
2280 {
2281  printf("Consider using 'openssl ecparam -list_curves' as alternative to running\n"
2282  "this command.\n"
2283  "Note this output does only list curves/groups that OpenSSL considers as\n"
2284  "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
2285 #ifndef OPENSSL_NO_EC
2286  EC_builtin_curve *curves = NULL;
2287  size_t crv_len = 0;
2288  size_t n = 0;
2289 
2290  crv_len = EC_get_builtin_curves(NULL, 0);
2291  ALLOC_ARRAY(curves, EC_builtin_curve, crv_len);
2292  if (EC_get_builtin_curves(curves, crv_len))
2293  {
2294  printf("\nAvailable Elliptic curves/groups:\n");
2295  for (n = 0; n < crv_len; n++)
2296  {
2297  const char *sname;
2298  sname = OBJ_nid2sn(curves[n].nid);
2299  if (sname == NULL)
2300  {
2301  sname = "";
2302  }
2303 
2304  printf("%s\n", sname);
2305  }
2306  }
2307  else
2308  {
2309  crypto_msg(M_FATAL, "Cannot get list of builtin curves");
2310  }
2311  free(curves);
2312 #else /* ifndef OPENSSL_NO_EC */
2313  msg(M_WARN, "Your OpenSSL library was built without elliptic curve support. "
2314  "No curves available.");
2315 #endif /* ifndef OPENSSL_NO_EC */
2316 }
2317 
2318 void
2320 {
2321  SSL_CTX *ctx;
2322  SSL *ssl;
2323  const char *cipher_name;
2324 
2325  ctx = SSL_CTX_new(SSLv23_method());
2326  if (!ctx)
2327  {
2328  crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
2329  }
2330  ssl = SSL_new(ctx);
2331  if (!ssl)
2332  {
2333  crypto_msg(M_FATAL, "Cannot create SSL object");
2334  }
2335 
2336  cipher_name = SSL_get_cipher_list(ssl, 0);
2337  strncpynt(buf, cipher_name, size);
2338 
2339  SSL_free(ssl);
2340  SSL_CTX_free(ctx);
2341 }
2342 
2343 const char *
2345 {
2347 }
2348 
2349 
2351 #ifdef HAVE_XKEY_PROVIDER
2352 static int
2353 provider_load(OSSL_PROVIDER *prov, void *dest_libctx)
2354 {
2355  const char *name = OSSL_PROVIDER_get0_name(prov);
2356  OSSL_PROVIDER_load(dest_libctx, name);
2357  return 1;
2358 }
2359 
2360 static int
2361 provider_unload(OSSL_PROVIDER *prov, void *unused)
2362 {
2363  (void) unused;
2364  OSSL_PROVIDER_unload(prov);
2365  return 1;
2366 }
2367 #endif /* HAVE_XKEY_PROVIDER */
2368 
2376 void
2378 {
2379 #ifdef HAVE_XKEY_PROVIDER
2380 
2381  /* Make a new library context for use in TLS context */
2382  if (!tls_libctx)
2383  {
2384  tls_libctx = OSSL_LIB_CTX_new();
2386 
2387  /* Load all providers in default LIBCTX into this libctx.
2388  * OpenSSL has a child libctx functionality to automate this,
2389  * but currently that is usable only from within providers.
2390  * So we do something close to it manually here.
2391  */
2392  OSSL_PROVIDER_do_all(NULL, provider_load, tls_libctx);
2393  }
2394 
2395  if (!OSSL_PROVIDER_available(tls_libctx, "ovpn.xkey"))
2396  {
2397  OSSL_PROVIDER_add_builtin(tls_libctx, "ovpn.xkey", xkey_provider_init);
2398  if (!OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey"))
2399  {
2400  msg(M_NONFATAL, "ERROR: failed loading external key provider: "
2401  "Signing with external keys will not work.");
2402  }
2403  }
2404 
2405  /* We only implement minimal functionality in ovpn.xkey, so we do not want
2406  * methods in xkey to be picked unless absolutely required (i.e, when the key
2407  * is external). Ensure this by setting a default propquery for the custom
2408  * libctx that unprefers, but does not forbid, ovpn.xkey. See also man page
2409  * of "property" in OpenSSL 3.0.
2410  */
2411  EVP_set_default_properties(tls_libctx, "?provider!=ovpn.xkey");
2412 
2413 #endif /* HAVE_XKEY_PROVIDER */
2414 }
2415 
2419 static void
2421 {
2422 #ifdef HAVE_XKEY_PROVIDER
2423  if (tls_libctx)
2424  {
2425  OSSL_PROVIDER_do_all(tls_libctx, provider_unload, NULL);
2426  OSSL_LIB_CTX_free(tls_libctx);
2427  }
2428 #endif /* HAVE_XKEY_PROVIDER */
2429  tls_libctx = NULL;
2430 }
2431 
2432 #endif /* defined(ENABLE_CRYPTO_OPENSSL) */
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition: ssl_common.h:410
tls_ctx_add_extra_certs
static void tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
Definition: ssl_openssl.c:936
openvpn_base64_decode
int openvpn_base64_decode(const char *str, void *data, int size)
Definition: base64.c:158
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:165
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:316
SSL_get_peer_tmp_key
#define SSL_get_peer_tmp_key
Definition: openssl_compat.h:79
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:162
get_rsa_padding_name
const char * get_rsa_padding_name(const int padding)
Definition: ssl_openssl.c:1215
M_INFO
#define M_INFO
Definition: errlevel.h:55
key_state_ssl
Definition: ssl_mbedtls.h:125
rsa_priv_dec
static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssl_openssl.c:1192
OPENSSL_VERSION
#define OPENSSL_VERSION
Definition: openssl_compat.h:627
EVP_PKEY_get0_RSA
static RSA * EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
Get the RSA object of a public key.
Definition: openssl_compat.h:241
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:128
key_state_ssl::ct_in
BIO * ct_in
Definition: ssl_openssl.h:48
sk_x509_name_cmp
static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
Definition: ssl_openssl.c:1551
ssl_backend.h
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1031
PERF_BIO_READ_PLAINTEXT
#define PERF_BIO_READ_PLAINTEXT
Definition: perf.h:38
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition: ssl_openssl.c:498
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition: ssl_common.h:413
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1965
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
M_FATAL
#define M_FATAL
Definition: error.h:95
convert_tls13_list_to_openssl
void convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
Definition: ssl_openssl.c:471
info_callback
static void info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
Definition: ssl_openssl.c:189
mydata_index
int mydata_index
Allocate space in SSL objects in which to store a struct tls_session pointer back to parent.
Definition: ssl_openssl.c:82
streq
#define streq(x, y)
Definition: options.h:708
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition: manage.c:3080
M_NONFATAL
#define M_NONFATAL
Definition: error.h:96
manage.h
D_HANDSHAKE_VERBOSE
#define D_HANDSHAKE_VERBOSE
Definition: errlevel.h:156
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:445
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:2177
RSA_meth_set_priv_dec
static int RSA_meth_set_priv_dec(RSA_METHOD *meth, int(*priv_dec)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
Set the private decoding function of an RSA_METHOD object.
Definition: openssl_compat.h:512
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1557
key_state_ssl::ssl_bio
BIO * ssl_bio
Definition: ssl_openssl.h:47
D_HANDSHAKE
#define D_HANDSHAKE
Definition: errlevel.h:72
key_state_ssl::ct_out
BIO * ct_out
Definition: ssl_openssl.h:49
TLS_VER_1_1
#define TLS_VER_1_1
Definition: ssl_backend.h:106
print_cert_details
static void print_cert_details(X509 *cert, char *buf, size_t buflen)
Print human readable information about the certificate into buf.
Definition: ssl_openssl.c:2130
get_num_elements
int get_num_elements(const char *string, char delimiter)
Returns the occurrences of 'delimiter' in a string +1 This is typically used to find out the number e...
Definition: ssl_util.c:284
session::key
char key[48]
Definition: keyingmaterialexporter.c:58
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2344
X509_get0_notAfter
#define X509_get0_notAfter
Definition: openssl_compat.h:123
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:85
xkey_common.h
openvpn_base64_encode
int openvpn_base64_encode(const void *data, int size, char **str)
Definition: base64.c:52
get_sig_from_man
static int get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, unsigned int siglen, const char *algorithm)
Pass the input hash in 'dgst' to management and get the signature back.
Definition: ssl_openssl.c:1242
ssl_verify_openssl.h
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
print_key_filename
const char * print_key_filename(const char *str, bool is_inline)
To be used when printing a string that may contain inline data.
Definition: crypto.c:1083
dmsg
#define dmsg(flags,...)
Definition: error.h:154
PERF_BIO_WRITE_PLAINTEXT
#define PERF_BIO_WRITE_PLAINTEXT
Definition: perf.h:39
D_LOW
#define D_LOW
Definition: errlevel.h:97
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:661
key_state_ssl::ssl
SSL * ssl
Definition: ssl_openssl.h:46
load_xkey_provider
void load_xkey_provider(void)
Some helper routines for provider load/unload.
Definition: ssl_openssl.c:2377
TLS_VER_1_0
#define TLS_VER_1_0
Definition: ssl_backend.h:105
RSA_meth_set_finish
static int RSA_meth_set_finish(RSA_METHOD *meth, int(*finish)(RSA *rsa))
Set the finish function of an RSA_METHOD object.
Definition: openssl_compat.h:570
RSA_F_RSA_OSSL_PRIVATE_ENCRYPT
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT
Definition: openssl_compat.h:75
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:2024
openvpn_extkey_rsa_finish
static int openvpn_extkey_rsa_finish(RSA *rsa)
Definition: ssl_openssl.c:1200
tls_ctx_set_tls_versions
static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Definition: ssl_openssl.c:286
convert_tls_list_to_openssl
void convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
Definition: ssl_openssl.c:364
tls_ctx_use_external_rsa_key
static int tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
Definition: ssl_openssl.c:1287
CLEAR
#define CLEAR(x)
Definition: basic.h:33
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:970
ssl_util.h
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:2039
RSA_set_flags
static void RSA_set_flags(RSA *rsa, int flags)
Set the RSA flags.
Definition: openssl_compat.h:278
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:693
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:414
RSA_meth_new
static RSA_METHOD * RSA_meth_new(const char *name, int flags)
Allocate a new RSA method object.
Definition: openssl_compat.h:411
ASSERT
#define ASSERT(x)
Definition: error.h:201
SSL_CTX_get_default_passwd_cb_userdata
static void * SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
Fetch the default password callback user data from the SSL context.
Definition: openssl_compat.h:180
tls_get_cipher_name_pair
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl_util.c:265
get_highest_preference_tls_cipher
void get_highest_preference_tls_cipher(char *buf, int size)
Definition: ssl_openssl.c:2319
STACK_OF
static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store)
Fetch the X509 object stack from the X509 store.
Definition: openssl_compat.h:216
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition: ssl_common.h:411
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1925
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:110
BLEN
#define BLEN(buf)
Definition: buffer.h:127
SSL_CTX_new_ex
#define SSL_CTX_new_ex(libctx, propq, method)
Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3.
Definition: openssl_compat.h:770
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition: ssl_openssl.c:213
RSA_meth_set_init
static int RSA_meth_set_init(RSA_METHOD *meth, int(*init)(RSA *rsa))
Set the init function of an RSA_METHOD object.
Definition: openssl_compat.h:533
RSA_meth_set_priv_enc
static int RSA_meth_set_priv_enc(RSA_METHOD *meth, int(*priv_enc)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
Set the private encoding function of an RSA_METHOD object.
Definition: openssl_compat.h:491
SSL_CTX_get_min_proto_version
static int SSL_CTX_get_min_proto_version(SSL_CTX *ctx)
Return the min SSL protocol version currently enabled in the context.
Definition: openssl_compat.h:633
cryptoapi.h
SSL_CTX_set_max_proto_version
static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max)
Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1.
Definition: openssl_compat.h:701
PERF_BIO_WRITE_CIPHERTEXT
#define PERF_BIO_WRITE_CIPHERTEXT
Definition: perf.h:41
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1477
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:1032
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1088
misc.h
unload_xkey_provider
static void unload_xkey_provider(void)
Undo steps in load_xkey_provider.
Definition: ssl_openssl.c:2420
SSL_CTX_set1_groups
#define SSL_CTX_set1_groups
Definition: openssl_compat.h:50
M_WARN
#define M_WARN
Definition: error.h:97
RSA_get0_key
static void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
Get the RSA parameters.
Definition: openssl_compat.h:295
perf_pop
static void perf_pop(void)
Definition: perf.h:82
X509_get0_pubkey
static EVP_PKEY * X509_get0_pubkey(const X509 *x)
Get the public key from a X509 certificate.
Definition: openssl_compat.h:204
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1706
base64.h
errlevel.h
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition: ssl_common.h:404
management_query_pk_sig
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition: manage.c:3747
bio_write
static int bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
Definition: ssl_openssl.c:1814
INFO_CALLBACK_SSL_CONST
#define INFO_CALLBACK_SSL_CONST
Definition: ssl_openssl.c:186
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
print_pkey_details
static void print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
Definition: ssl_openssl.c:2053
show_available_curves
void show_available_curves(void)
Definition: ssl_openssl.c:2279
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1980
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition: ssl_openssl.c:793
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:2204
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:923
X509_OBJECT_get_type
static int X509_OBJECT_get_type(const X509_OBJECT *obj)
Get the type of an X509 object.
Definition: openssl_compat.h:229
TLS_VER_1_2
#define TLS_VER_1_2
Definition: ssl_backend.h:107
rsa_pub_dec
static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssl_openssl.c:1184
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:99
openssl_compat.h
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:468
openssl_tls_version
static int openssl_tls_version(int ver)
Convert internal version number to openssl version number.
Definition: ssl_openssl.c:249
buffer.h
syshead.h
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition: ssl_openssl.c:155
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition: platform.c:514
BPTR
#define BPTR(buf)
Definition: buffer.h:124
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:625
SSL_CTX_get_default_passwd_cb
static pem_password_cb * SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
Fetch the default password callback from the SSL context.
Definition: openssl_compat.h:192
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition: ssl_common.h:412
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bio_read
static int bio_read(BIO *bio, struct buffer *buf, const char *desc)
Definition: ssl_openssl.c:1876
rsa_priv_enc
static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssl_openssl.c:1269
X509_OBJECT_free
static void X509_OBJECT_free(X509_OBJECT *obj)
Destroy a X509 object.
Definition: openssl_compat.h:61
crypto_print_openssl_errors
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
Definition: crypto_openssl.c:238
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition: ssl_openssl.c:436
RSA_meth_set_pub_enc
static int RSA_meth_set_pub_enc(RSA_METHOD *meth, int(*pub_enc)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
Set the public encoding function of an RSA_METHOD object.
Definition: openssl_compat.h:449
EVP_PKEY_get_group_name
static int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
Definition: openssl_compat.h:735
RSA_meth_set_pub_dec
static int RSA_meth_set_pub_dec(RSA_METHOD *meth, int(*pub_dec)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
Set the public decoding function of an RSA_METHOD object.
Definition: openssl_compat.h:470
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:146
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:361
RSA_set0_key
static int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
Set the RSA parameters.
Definition: openssl_compat.h:322
M_DEBUG
#define M_DEBUG
Definition: error.h:98
PERF_BIO_READ_CIPHERTEXT
#define PERF_BIO_READ_CIPHERTEXT
Definition: perf.h:40
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:1089
tls_cipher_name_pair::openssl_name
const char * openssl_name
Definition: ssl_util.h:75
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition: ssl_openssl.c:565
crypto_msg
#define crypto_msg(flags,...)
Retrieve any OpenSSL errors, then print the supplied error message.
Definition: crypto_openssl.h:115
rsa_pub_enc
static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssl_openssl.c:1176
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:380
verify_callback
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition: errlevel.h:157
tls_root_ctx
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
SSL_CTX_set_min_proto_version
static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min)
Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1.
Definition: openssl_compat.h:674
openvpn_snprintf
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:294
status
static SERVICE_STATUS status
Definition: interactive.c:52
SSL_CTX_use_CryptoAPI_certificate
int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
Definition: cryptoapi.c:59
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:527
ptr_type
unsigned long ptr_type
Definition: common.h:58
management
Definition: manage.h:335
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1039
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:722
print_server_tempkey
static void print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
Definition: ssl_openssl.c:2151
TLS_VER_1_3
#define TLS_VER_1_3
Definition: ssl_backend.h:108
EVP_PKEY_get0_EC_KEY
static EC_KEY * EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
Get the EC_KEY object of a public key.
Definition: openssl_compat.h:253
RSA_meth_set0_app_data
static int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data)
Set the application data of an RSA_METHOD object.
Definition: openssl_compat.h:588
strsep
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:36
OSSL_PROVIDER
void OSSL_PROVIDER
Definition: openssl_compat.h:775
config.h
RSA_meth_free
static void RSA_meth_free(RSA_METHOD *meth)
Free an existing RSA_METHOD object.
Definition: openssl_compat.h:426
X509_get0_notBefore
#define X509_get0_notBefore
Definition: openssl_compat.h:122
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition: ssl.c:253
ssl_common.h
OpenSSL_version
#define OpenSSL_version
Definition: openssl_compat.h:628
tls_root_ctx::ctx
SSL_CTX * ctx
Definition: ssl_openssl.h:40
tls_libctx
OSSL_LIB_CTX * tls_libctx
Definition: ssl_openssl.c:72
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:523
bio_write_post
static void bio_write_post(const int status, struct buffer *buf)
Definition: ssl_openssl.c:1863
check_malloc_return
static void check_malloc_return(void *p)
Definition: buffer.h:1109
session
Definition: keyingmaterialexporter.c:56
constrain_int
static int constrain_int(int x, int min, int max)
Definition: integer.h:102
buf_forward_capacity
static int buf_forward_capacity(const struct buffer *buf)
Definition: buffer.h:559
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1996
memdbg.h
ALLOC_ARRAY
#define ALLOC_ARRAY(dptr, type, n)
Definition: buffer.h:1072
tls_cipher_name_pair::iana_name
const char * iana_name
Definition: ssl_util.h:75
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
msg
#define msg(flags,...)
Definition: error.h:150
OSSL_LIB_CTX
void OSSL_LIB_CTX
Definition: openssl_compat.h:774
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition: ssl_common.h:405
perf_push
static void perf_push(int type)
Definition: perf.h:78
ptr_format
#define ptr_format
Definition: common.h:49
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:2010
tls_cipher_name_pair
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name.
Definition: ssl_util.h:75
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:280