35 #if defined(ENABLE_CRYPTO_OPENSSL)
48 #ifdef ENABLE_CRYPTOAPI
55 #include <openssl/bn.h>
56 #include <openssl/crypto.h>
57 #include <openssl/dh.h>
58 #include <openssl/dsa.h>
59 #include <openssl/err.h>
60 #include <openssl/pkcs12.h>
61 #include <openssl/rsa.h>
62 #include <openssl/x509.h>
63 #include <openssl/ssl.h>
65 #include <openssl/ec.h>
68 #if defined(_MSC_VER) && !defined(_M_ARM64)
69 #include <openssl/applink.c>
87 #if OPENSSL_VERSION_NUMBER < 0x10100000L
90 SSL_load_error_strings();
92 OpenSSL_add_all_algorithms();
94 mydata_index = SSL_get_ex_new_index(0,
"struct session *", NULL, NULL, NULL);
101 #if OPENSSL_VERSION_NUMBER < 0x10100000L
116 if (ctx->
ctx == NULL)
120 if (ERR_peek_error() != 0)
134 if (ctx->
ctx == NULL)
138 if (ERR_peek_error() != 0)
149 SSL_CTX_free(ctx->
ctx);
158 return NULL != ctx->
ctx;
163 const char *label,
size_t label_size,
164 void *ekm,
size_t ekm_size)
169 if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
170 label_size, NULL, 0, 0) == 1)
185 #ifndef INFO_CALLBACK_SSL_CONST
186 #define INFO_CALLBACK_SSL_CONST const
191 if (where & SSL_CB_LOOP)
194 where & SSL_ST_CONNECT ?
"connect" :
195 where &SSL_ST_ACCEPT ?
"accept" :
196 "undefined", SSL_state_string_long(s));
198 else if (where & SSL_CB_ALERT)
201 where & SSL_CB_READ ?
"Received" :
"Sent",
202 SSL_alert_type_string_long(ret),
203 SSL_alert_desc_string_long(ret));
215 #if defined(TLS1_3_VERSION)
218 #elif OPENSSL_VERSION_NUMBER >= 0x10100000L
230 if (OpenSSL_version_num() >= 0x1010100fL)
238 #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
240 #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
257 return TLS1_1_VERSION;
261 return TLS1_2_VERSION;
271 #ifndef TLS1_3_VERSION
279 return TLS1_3_VERSION;
297 tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
321 long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
322 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
323 sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
325 sslopt |= SSL_OP_NO_COMPRESSION;
329 #ifdef SSL_OP_NO_RENEGOTIATION
330 sslopt |= SSL_OP_NO_RENEGOTIATION;
333 SSL_CTX_set_options(ctx->
ctx, sslopt);
340 #ifdef SSL_MODE_RELEASE_BUFFERS
341 SSL_CTX_set_mode(ctx->
ctx, SSL_MODE_RELEASE_BUFFERS);
343 SSL_CTX_set_session_cache_mode(ctx->
ctx, SSL_SESS_CACHE_OFF);
347 int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
354 verify_flags = SSL_VERIFY_PEER;
367 size_t begin_of_cipher, end_of_cipher;
369 const char *current_cipher;
370 size_t current_cipher_len;
374 size_t openssl_ciphers_len = 0;
375 openssl_ciphers[0] =
'\0';
378 begin_of_cipher = end_of_cipher = 0;
379 for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
381 end_of_cipher += strcspn(&ciphers[begin_of_cipher],
":");
384 if (NULL == cipher_pair)
387 current_cipher = &ciphers[begin_of_cipher];
388 current_cipher_len = end_of_cipher - begin_of_cipher;
393 msg(
D_LOW,
"No valid translation found for TLS cipher '%.*s'",
400 current_cipher_len = strlen(current_cipher);
402 if (end_of_cipher - begin_of_cipher == current_cipher_len
403 && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->
iana_name,
404 end_of_cipher - begin_of_cipher))
412 if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
413 || (len - 1) < (openssl_ciphers_len + current_cipher_len))
416 "Failed to set restricted TLS cipher list, too long (>%d).",
421 memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
422 openssl_ciphers_len += current_cipher_len;
423 openssl_ciphers[openssl_ciphers_len] =
':';
424 openssl_ciphers_len++;
429 if (openssl_ciphers_len > 0)
431 openssl_ciphers[openssl_ciphers_len-1] =
'\0';
441 if (!SSL_CTX_set_cipher_list(ctx->
ctx,
458 char openssl_ciphers[4096];
464 if (!SSL_CTX_set_cipher_list(ctx->
ctx, openssl_ciphers))
466 crypto_msg(
M_FATAL,
"Failed to set restricted TLS cipher list: %s", openssl_ciphers);
479 if (strlen(ciphers) >= (len - 1))
482 "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
486 strncpy(openssl_ciphers, ciphers, len);
488 for (
size_t i = 0; i < strlen(openssl_ciphers); i++)
490 if (openssl_ciphers[i] ==
'-')
492 openssl_ciphers[i] =
'_';
507 #if !defined(TLS1_3_VERSION)
509 "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
514 char openssl_ciphers[4096];
518 if (!SSL_CTX_set_ciphersuites(ctx->
ctx, openssl_ciphers))
529 #if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
534 if (!profile || 0 == strcmp(profile,
"legacy"))
536 SSL_CTX_set_security_level(ctx->
ctx, 1);
538 else if (0 == strcmp(profile,
"insecure"))
540 SSL_CTX_set_security_level(ctx->
ctx, 0);
542 else if (0 == strcmp(profile,
"preferred"))
544 SSL_CTX_set_security_level(ctx->
ctx, 2);
546 else if (0 == strcmp(profile,
"suiteb"))
548 SSL_CTX_set_security_level(ctx->
ctx, 3);
549 SSL_CTX_set_cipher_list(ctx->
ctx,
"SUITEB128");
553 msg(
M_FATAL,
"ERROR: Invalid cert profile: %s", profile);
558 msg(
M_WARN,
"WARNING: OpenSSL 1.0.2 and LibreSSL do not support "
559 "--tls-cert-profile, ignoring user-set profile: '%s'", profile);
568 #if OPENSSL_VERSION_NUMBER < 0x30000000L
590 while ((token =
strsep(&tmp_groups,
":")))
592 if (
streq(token,
"secp256r1"))
594 token =
"prime256v1";
596 int nid = OBJ_sn2nid(token);
600 msg(
M_WARN,
"Warning unknown curve/group specified: %s", token);
604 glist[glistlen] = nid;
616 if (!SSL_CTX_set1_groups_list(ctx->
ctx, groups))
632 cert = SSL_CTX_get0_certificate(ctx->
ctx);
646 msg(
M_WARN,
"WARNING: Your certificate is not yet valid!");
656 msg(
M_WARN,
"WARNING: Your certificate has expired!");
670 if (!(bio = BIO_new_mem_buf((
char *)dh_file, -1)))
678 if (!(bio = BIO_new_file(dh_file,
"r")))
684 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
685 EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
693 if (!SSL_CTX_set0_tmp_dh_pkey(ctx->
ctx, dh))
699 8 * EVP_PKEY_get_size(dh));
701 DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
709 if (!SSL_CTX_set_tmp_dh(ctx->
ctx, dh))
724 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
725 if (curve_name != NULL)
727 msg(
M_WARN,
"WARNING: OpenSSL 3.0+ builds do not support specifying an "
728 "ECDH curve with --ecdh-curve, using default curves. Use "
729 "--tls-groups to specify groups.");
731 #elif !defined(OPENSSL_NO_EC)
734 const char *sname = NULL;
737 SSL_CTX_set_options(ctx->
ctx, SSL_OP_SINGLE_ECDH_USE);
739 if (curve_name != NULL)
742 msg(
D_TLS_DEBUG,
"Using user specified ECDH curve (%s)", curve_name);
743 nid = OBJ_sn2nid(curve_name);
747 #if OPENSSL_VERSION_NUMBER < 0x10100000L
751 SSL_CTX_set_ecdh_auto(ctx->
ctx, 1);
760 sname = OBJ_nid2sn(nid);
767 if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid)))
770 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
771 const char *source = (NULL == curve_name) ?
772 "extract curve from certificate" :
"use supplied curve";
774 "Failed to %s (%s), using secp384r1 instead.", source, sname);
775 sname = OBJ_nid2sn(NID_secp384r1);
778 if (!SSL_CTX_set_tmp_ecdh(ctx->
ctx, ecdh))
787 msg(
D_LOW,
"Your OpenSSL library was built without elliptic curve support."
788 " Skipping ECDH parameter loading.");
794 bool pkcs12_file_inline,
bool load_ca_file)
806 if (pkcs12_file_inline)
808 BIO *b64 = BIO_new(BIO_f_base64());
809 BIO *bio = BIO_new_mem_buf((
void *) pkcs12_file,
810 (
int) strlen(pkcs12_file));
813 p12 = d2i_PKCS12_bio(b64, NULL);
828 p12 = d2i_PKCS12_fp(fp, NULL);
837 if (!PKCS12_parse(p12,
"", &pkey, &cert, &ca))
842 if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
845 "or unsupported/legacy encryption");
846 #ifdef ENABLE_MANAGEMENT
847 if (
management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
859 if (!SSL_CTX_use_certificate(ctx->
ctx, cert))
866 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, pkey))
872 if (!SSL_CTX_check_private_key(ctx->
ctx))
884 if (ca && sk_X509_num(ca))
886 for (i = 0; i < sk_X509_num(ca); i++)
888 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->
ctx);
889 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
891 crypto_msg(
M_FATAL,
"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
893 if (!SSL_CTX_add_client_CA(ctx->
ctx, sk_X509_value(ca, i)))
895 crypto_msg(
M_FATAL,
"Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
907 if (ca && sk_X509_num(ca))
909 for (i = 0; i < sk_X509_num(ca); i++)
911 if (!SSL_CTX_add_extra_chain_cert(ctx->
ctx, sk_X509_value(ca, i)))
913 crypto_msg(
M_FATAL,
"Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
921 #ifdef ENABLE_CRYPTOAPI
930 crypto_msg(
M_FATAL,
"Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert);
942 if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
949 && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
952 (void)ERR_get_error();
960 if (SSL_CTX_add_extra_chain_cert(ctx->
ctx, cert) != 1)
971 bool cert_file_inline)
979 if (cert_file_inline)
981 in = BIO_new_mem_buf((
char *) cert_file, -1);
985 in = BIO_new_file(cert_file,
"r");
990 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
994 x = PEM_read_bio_X509(in, NULL,
999 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
1003 ret = SSL_CTX_use_certificate(ctx->
ctx, x);
1013 if (cert_file_inline)
1033 bool priv_key_file_inline)
1035 SSL_CTX *ssl_ctx = NULL;
1037 EVP_PKEY *pkey = NULL;
1044 if (priv_key_file_inline)
1046 in = BIO_new_mem_buf((
char *) priv_key_file, -1);
1050 in = BIO_new_file(priv_key_file,
"r");
1058 pkey = PEM_read_bio_PrivateKey(in, NULL,
1062 if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
1064 #ifdef ENABLE_MANAGEMENT
1065 if (
management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1076 if (!SSL_CTX_check_private_key(ssl_ctx))
1083 EVP_PKEY_free(pkey);
1094 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->
ctx);
1103 STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
1104 for (
int i = 0; i < sk_X509_OBJECT_num(objs); i++)
1106 X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
1110 sk_X509_OBJECT_delete(objs, i);
1115 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1119 in = BIO_new_mem_buf((
char *) crl_file, -1);
1123 in = BIO_new_file(crl_file,
"r");
1133 int num_crls_loaded = 0;
1136 X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
1142 bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
1144 if (num_crls_loaded > 0 && eof)
1147 (void)ERR_get_error();
1156 if (!X509_STORE_add_crl(store, crl))
1166 msg(
M_INFO,
"CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
1172 #if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
1176 rsa_pub_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1184 rsa_pub_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1192 rsa_priv_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1205 const RSA_METHOD *meth = RSA_get_method(rsa);
1219 case RSA_PKCS1_PADDING:
1220 return "RSA_PKCS1_PADDING";
1222 case RSA_NO_PADDING:
1223 return "RSA_NO_PADDING";
1243 unsigned char *sig,
unsigned int siglen,
1244 const char *algorithm)
1246 char *in_b64 = NULL;
1247 char *out_b64 = NULL;
1269 rsa_priv_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
1272 unsigned int len = RSA_size(rsa);
1275 if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING)
1283 return (ret == len) ? ret : -1;
1290 RSA_METHOD *rsa_meth;
1298 rsa_meth =
RSA_meth_new(
"OpenVPN external private key RSA Method",
1299 RSA_METHOD_FLAG_NO_CHECK);
1313 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
1318 const BIGNUM *n = NULL;
1319 const BIGNUM *e = NULL;
1323 if (!RSA_set_method(rsa, rsa_meth))
1331 if (!SSL_CTX_use_RSAPrivateKey(ctx->
ctx, rsa))
1351 #if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC)
1355 openvpn_extkey_ec_finish(EC_KEY *ec)
1358 const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
1359 EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth);
1367 ecdsa_sign(
int type,
const unsigned char *dgst,
int dgstlen,
unsigned char *sig,
1368 unsigned int *siglen,
const BIGNUM *kinv,
const BIGNUM *r, EC_KEY *ec)
1370 int capacity = ECDSA_size(ec);
1388 ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
1398 ecdsa_sign_sig(
const unsigned char *dgst,
int dgstlen,
const BIGNUM *in_kinv,
1399 const BIGNUM *in_r, EC_KEY *ec)
1401 ECDSA_SIG *ecsig = NULL;
1402 unsigned int len = ECDSA_size(ec);
1405 unsigned char *buf =
gc_malloc(len,
false, &gc);
1406 if (ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec) != 1)
1411 ecsig = d2i_ECDSA_SIG(NULL, (
const unsigned char **)&buf, len);
1419 tls_ctx_use_external_ec_key(
struct tls_root_ctx *ctx, EVP_PKEY *pkey)
1422 EVP_PKEY *privkey = NULL;
1423 EC_KEY_METHOD *ec_method;
1427 ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
1434 EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
1435 EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
1440 EC_KEY_METHOD_free(ec_method);
1443 if (!EC_KEY_set_method(ec, ec_method))
1445 EC_KEY_METHOD_free(ec_method);
1450 privkey = EVP_PKEY_new();
1451 if (!EVP_PKEY_assign_EC_KEY(privkey, ec))
1457 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1463 EVP_PKEY_free(privkey);
1468 EVP_PKEY_free(privkey);
1475 #ifdef ENABLE_MANAGEMENT
1483 X509 *cert = SSL_CTX_get0_certificate(ctx->
ctx);
1491 #ifdef HAVE_XKEY_PROVIDER
1492 EVP_PKEY *privkey = xkey_load_management_key(
tls_libctx, pkey);
1494 || !SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1496 EVP_PKEY_free(privkey);
1499 EVP_PKEY_free(privkey);
1501 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1502 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
1504 if (EVP_PKEY_is_a(pkey,
"RSA"))
1512 #if (OPENSSL_VERSION_NUMBER > 0x10100000L) && !defined(OPENSSL_NO_EC)
1513 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1514 else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
1516 else if (EVP_PKEY_is_a(pkey,
"EC"))
1519 if (!tls_ctx_use_external_ec_key(ctx, pkey))
1526 crypto_msg(
M_WARN,
"management-external-key requires an RSA or EC certificate");
1553 return X509_NAME_cmp(*a, *b);
1558 bool ca_file_inline,
const char *ca_path,
bool tls_server)
1560 STACK_OF(X509_INFO) *info_stack = NULL;
1561 STACK_OF(X509_NAME) *cert_names = NULL;
1562 X509_LOOKUP *lookup = NULL;
1563 X509_STORE *store = NULL;
1564 X509_NAME *xn = NULL;
1566 int i, added = 0, prev = 0;
1570 store = SSL_CTX_get_cert_store(ctx->
ctx);
1581 in = BIO_new_mem_buf((
char *)ca_file, -1);
1585 in = BIO_new_file(ca_file,
"r");
1590 info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
1595 for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
1597 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
1600 X509_STORE_add_crl(store, info->crl);
1603 if (tls_server && !info->x509)
1610 X509_STORE_add_cert(store, info->x509);
1619 if (cert_names == NULL)
1628 xn = X509_get_subject_name(info->x509);
1635 if (sk_X509_NAME_find(cert_names, xn) == -1)
1637 xn = X509_NAME_dup(xn);
1642 sk_X509_NAME_push(cert_names, xn);
1648 int cnum = sk_X509_NAME_num(cert_names);
1649 if (cnum != (prev + 1))
1652 "Cannot load CA certificate file %s (entry %d did not validate)",
1659 sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
1664 SSL_CTX_set_client_CA_list(ctx->
ctx, cert_names);
1670 "Cannot load CA certificate file %s (no entries were read)",
1676 int cnum = sk_X509_NAME_num(cert_names);
1680 "of %d entries were valid X509 names)",
1692 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1693 if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
1695 msg(
M_WARN,
"WARNING: experimental option --capath %s", ca_path);
1701 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1707 bool extra_certs_file_inline)
1710 if (extra_certs_file_inline)
1712 in = BIO_new_mem_buf((
char *)extra_certs_file, -1);
1716 in = BIO_new_file(extra_certs_file,
"r");
1723 extra_certs_file_inline));
1747 #warning BIO_DEBUG defined
1750 static bool biofp_toggle;
1751 static time_t biofp_last_open;
1752 static const int biofp_reopen_interval = 600;
1767 const time_t current = time(NULL);
1768 const pid_t pid = getpid();
1770 if (biofp_last_open + biofp_reopen_interval < current)
1778 biofp = fopen(fn,
"w");
1780 biofp_last_open = time(NULL);
1786 bio_debug_data(
const char *mode, BIO *bio,
const uint8_t *buf,
int len,
const char *desc)
1792 fprintf(biofp,
"BIO_%s %s time=%" PRIi64
" bio=" ptr_format " len=%d data=%s\n",
1800 bio_debug_oc(
const char *mode, BIO *bio)
1803 fprintf(biofp,
"BIO %s time=%" PRIi64
" bio=" ptr_format "\n",
1804 mode, (int64_t)time(NULL), (
ptr_type)bio);
1814 bio_write(BIO *bio,
const uint8_t *data,
int size,
const char *desc)
1828 bio_debug_data(
"write", bio, data, size, desc);
1830 i = BIO_write(bio, data, size);
1834 if (!BIO_should_retry(bio))
1891 int i = BIO_read(bio,
BPTR(buf), len);
1896 bio_debug_data(
"read", bio,
BPTR(buf), i, desc);
1902 if (!BIO_should_retry(bio))
1931 ks_ssl->
ssl = SSL_new(ssl_ctx->
ctx);
1946 bio_debug_oc(
"open ssl_bio", ks_ssl->
ssl_bio);
1947 bio_debug_oc(
"open ct_in", ks_ssl->
ct_in);
1948 bio_debug_oc(
"open ct_out", ks_ssl->
ct_out);
1953 SSL_set_accept_state(ks_ssl->
ssl);
1957 SSL_set_connect_state(ks_ssl->
ssl);
1961 BIO_set_ssl(ks_ssl->
ssl_bio, ks_ssl->
ssl, BIO_NOCLOSE);
1970 bio_debug_oc(
"close ssl_bio", ks_ssl->
ssl_bio);
1971 bio_debug_oc(
"close ct_in", ks_ssl->
ct_in);
1972 bio_debug_oc(
"close ct_out", ks_ssl->
ct_out);
1974 BIO_free_all(ks_ssl->
ssl_bio);
1975 SSL_free(ks_ssl->
ssl);
1988 "tls_write_plaintext");
2055 const char *curve =
"";
2056 const char *type =
"(error getting type)";
2064 int typeid = EVP_PKEY_id(pkey);
2065 #if OPENSSL_VERSION_NUMBER < 0x30000000L
2066 bool is_ec =
typeid == EVP_PKEY_EC;
2068 bool is_ec = EVP_PKEY_is_a(pkey,
"EC");
2071 #ifndef OPENSSL_NO_EC
2072 char groupname[256];
2082 curve =
"(error getting curve name)";
2088 #if OPENSSL_VERSION_NUMBER < 0x30000000L
2089 type = OBJ_nid2sn(
typeid);
2093 if (
typeid == EVP_PKEY_RSA)
2097 else if (
typeid == EVP_PKEY_DSA)
2101 else if (
typeid == EVP_PKEY_EC)
2104 type =
"EC, curve ";
2106 else if (type == NULL)
2108 type =
"unknown type";
2111 type = EVP_PKEY_get0_type_name(pkey);
2114 type =
"(error getting public key type)";
2120 EVP_PKEY_bits(pkey), type, curve);
2132 EVP_PKEY *pkey = X509_get_pubkey(cert);
2133 char pkeybuf[128] = { 0 };
2136 char sig[128] = { 0 };
2137 int signature_nid = X509_get_signature_nid(cert);
2138 if (signature_nid != 0)
2141 OBJ_nid2sn(signature_nid));
2147 EVP_PKEY_free(pkey);
2153 EVP_PKEY *pkey = NULL;
2160 char pkeybuf[128] = { 0 };
2166 EVP_PKEY_free(pkey);
2179 const SSL_CIPHER *ciph;
2184 s1[0] = s2[0] = s3[0] = 0;
2185 ciph = SSL_get_current_cipher(ks_ssl->
ssl);
2188 SSL_get_version(ks_ssl->
ssl),
2189 SSL_CIPHER_get_version(ciph),
2190 SSL_CIPHER_get_name(ciph));
2191 X509 *cert = SSL_get_peer_certificate(ks_ssl->
ssl);
2205 const char *tls_cert_profile,
2210 tls_ctx.
ctx = SSL_CTX_new(SSLv23_method());
2216 #if defined(TLS1_3_VERSION)
2232 SSL *ssl = SSL_new(tls_ctx.
ctx);
2238 #if OPENSSL_VERSION_NUMBER < 0x1010000fL
2239 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
2241 STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
2243 for (
int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
2245 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
2247 const char *cipher_name = SSL_CIPHER_get_name(c);
2254 printf(
"%s\n", cipher_name);
2256 else if (NULL == pair)
2259 printf(
"%s (No IANA name known to OpenVPN, use OpenSSL name.)\n",
2267 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
2268 sk_SSL_CIPHER_free(sk);
2271 SSL_CTX_free(tls_ctx.
ctx);
2281 printf(
"Consider using 'openssl ecparam -list_curves' as alternative to running\n"
2283 "Note this output does only list curves/groups that OpenSSL considers as\n"
2284 "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
2285 #ifndef OPENSSL_NO_EC
2286 EC_builtin_curve *curves = NULL;
2290 crv_len = EC_get_builtin_curves(NULL, 0);
2292 if (EC_get_builtin_curves(curves, crv_len))
2294 printf(
"\nAvailable Elliptic curves/groups:\n");
2295 for (n = 0; n < crv_len; n++)
2298 sname = OBJ_nid2sn(curves[n].nid);
2304 printf(
"%s\n", sname);
2313 msg(
M_WARN,
"Your OpenSSL library was built without elliptic curve support. "
2314 "No curves available.");
2323 const char *cipher_name;
2325 ctx = SSL_CTX_new(SSLv23_method());
2336 cipher_name = SSL_get_cipher_list(ssl, 0);
2351 #ifdef HAVE_XKEY_PROVIDER
2355 const char *name = OSSL_PROVIDER_get0_name(prov);
2356 OSSL_PROVIDER_load(dest_libctx, name);
2364 OSSL_PROVIDER_unload(prov);
2379 #ifdef HAVE_XKEY_PROVIDER
2392 OSSL_PROVIDER_do_all(NULL, provider_load,
tls_libctx);
2395 if (!OSSL_PROVIDER_available(
tls_libctx,
"ovpn.xkey"))
2397 OSSL_PROVIDER_add_builtin(
tls_libctx,
"ovpn.xkey", xkey_provider_init);
2398 if (!OSSL_PROVIDER_load(
tls_libctx,
"ovpn.xkey"))
2400 msg(
M_NONFATAL,
"ERROR: failed loading external key provider: "
2401 "Signing with external keys will not work.");
2411 EVP_set_default_properties(
tls_libctx,
"?provider!=ovpn.xkey");
2422 #ifdef HAVE_XKEY_PROVIDER
2425 OSSL_PROVIDER_do_all(
tls_libctx, provider_unload, NULL);