OpenVPN
ssl_mbedtls.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Sentyron B.V. <openvpn@sentyron.com>
10 * Copyright (C) 2006-2010, Brainspark B.V.
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
30#ifdef HAVE_CONFIG_H
31#include "config.h"
32#endif
33
34#include "syshead.h"
35
36#if defined(ENABLE_CRYPTO_MBEDTLS)
37
38#include "errlevel.h"
39#include "ssl_backend.h"
40#include "base64.h"
41#include "buffer.h"
42#include "misc.h"
43#include "manage.h"
44#include "mbedtls_compat.h"
45#include "pkcs11_backend.h"
46#include "ssl_common.h"
47#include "ssl_util.h"
48
49#include "ssl_verify_mbedtls.h"
50#include <mbedtls/debug.h>
51#include <mbedtls/error.h>
52#include <mbedtls/version.h>
53
54#if MBEDTLS_VERSION_NUMBER >= 0x02040000
55#include <mbedtls/net_sockets.h>
56#else
57#include <mbedtls/net.h>
58#endif
59
60#include <mbedtls/oid.h>
61#include <mbedtls/pem.h>
62
63static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_legacy = {
64 /* Hashes from SHA-1 and above */
65 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)
66 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
67 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
68 0xFFFFFFF, /* Any PK alg */
69 0xFFFFFFF, /* Any curve */
70 1024, /* RSA-1024 and larger */
71};
72
73static const mbedtls_x509_crt_profile openvpn_x509_crt_profile_preferred = {
74 /* SHA-2 and above */
75 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
76 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
77 0xFFFFFFF, /* Any PK alg */
78 0xFFFFFFF, /* Any curve */
79 2048, /* RSA-2048 and larger */
80};
81
82#define openvpn_x509_crt_profile_suiteb mbedtls_x509_crt_profile_suiteb;
83
84void
85tls_init_lib(void)
86{
88}
89
90void
91tls_free_lib(void)
92{
93}
94
95void
97{
98 ASSERT(NULL != ctx);
99 CLEAR(*ctx);
100
101 ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context);
102
103 ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt);
104
105 ctx->endpoint = MBEDTLS_SSL_IS_SERVER;
106 ctx->initialised = true;
107}
108
109void
111{
112 ASSERT(NULL != ctx);
113 CLEAR(*ctx);
114
115 ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context);
116 ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt);
117
118 ctx->endpoint = MBEDTLS_SSL_IS_CLIENT;
119 ctx->initialised = true;
120}
121
122void
123tls_ctx_free(struct tls_root_ctx *ctx)
124{
125 if (ctx)
126 {
127 mbedtls_pk_free(ctx->priv_key);
128 free(ctx->priv_key);
129
130 mbedtls_x509_crt_free(ctx->ca_chain);
131 free(ctx->ca_chain);
132
133 mbedtls_x509_crt_free(ctx->crt_chain);
134 free(ctx->crt_chain);
135
136 mbedtls_dhm_free(ctx->dhm_ctx);
137 free(ctx->dhm_ctx);
138
139 mbedtls_x509_crl_free(ctx->crl);
140 free(ctx->crl);
141
142#if defined(ENABLE_PKCS11)
143 /* ...freeCertificate() can handle NULL ptrs, but if pkcs11 helper
144 * has not been initialized, it will ASSERT() - so, do not pass NULL
145 */
146 if (ctx->pkcs11_cert)
147 {
148 pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert);
149 }
150#endif
151
152 free(ctx->allowed_ciphers);
153
154 free(ctx->groups);
155
156 CLEAR(*ctx);
157
158 ctx->initialised = false;
159 }
160}
161
162bool
164{
165 ASSERT(NULL != ctx);
166 return ctx->initialised;
167}
168#ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
169/* mbedtls_ssl_export_keying_material does not need helper/callback methods */
170#elif defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB)
171/*
172 * Key export callback for older versions of mbed TLS, to be used with
173 * mbedtls_ssl_conf_export_keys_ext_cb(). It is called with the master
174 * secret, client random and server random, and the type of PRF function
175 * to use.
176 *
177 * Mbed TLS stores this callback in the mbedtls_ssl_config struct and it
178 * is used in the mbedtls_ssl_contexts set up from that config. */
179int
180mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms, const unsigned char *kb,
181 size_t maclen, size_t keylen, size_t ivlen,
182 const unsigned char client_random[32],
183 const unsigned char server_random[32],
184 mbedtls_tls_prf_types tls_prf_type)
185{
186 struct tls_session *session = p_expkey;
187 struct key_state_ssl *ks_ssl = &session->key[KS_PRIMARY].ks_ssl;
188 struct tls_key_cache *cache = &ks_ssl->tls_key_cache;
189
190 static_assert(sizeof(ks_ssl->ctx->session->master) == sizeof(cache->master_secret),
191 "master size mismatch");
192
193 memcpy(cache->client_server_random, client_random, 32);
194 memcpy(cache->client_server_random + 32, server_random, 32);
195 memcpy(cache->master_secret, ms, sizeof(cache->master_secret));
196 cache->tls_prf_type = tls_prf_type;
197
198 return 0;
199}
200#elif defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB)
201/*
202 * Key export callback for newer versions of mbed TLS, to be used with
203 * mbedtls_ssl_set_export_keys_cb(). When used with TLS 1.2, the callback
204 * is called with the TLS 1.2 master secret, client random, server random
205 * and the type of PRF to use. With TLS 1.3, it is called with several
206 * different keys (indicated by type), but unfortunately not the exporter
207 * master secret.
208 *
209 * Unlike in older versions, the callback is not stored in the
210 * mbedtls_ssl_config. It is placed in the mbedtls_ssl_context after it
211 * has been set up. */
212void
213mbedtls_ssl_export_keys_cb(void *p_expkey, mbedtls_ssl_key_export_type type,
214 const unsigned char *secret, size_t secret_len,
215 const unsigned char client_random[32],
216 const unsigned char server_random[32],
217 mbedtls_tls_prf_types tls_prf_type)
218{
219 /* Since we can't get the TLS 1.3 exporter master secret, we ignore all key
220 * types except MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET. */
221 if (type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET)
222 {
223 return;
224 }
225
226 struct tls_session *session = p_expkey;
227 struct key_state_ssl *ks_ssl = &session->key[KS_PRIMARY].ks_ssl;
228 struct tls_key_cache *cache = &ks_ssl->tls_key_cache;
229
230 /* The TLS 1.2 master secret has a fixed size, so if secret_len has
231 * a different value, something is wrong with mbed TLS. */
232 if (secret_len != sizeof(cache->master_secret))
233 {
234 msg(M_FATAL, "ERROR: Incorrect TLS 1.2 master secret length: Got %zu, expected %zu",
235 secret_len, sizeof(cache->master_secret));
236 }
237
238 memcpy(cache->client_server_random, client_random, 32);
239 memcpy(cache->client_server_random + 32, server_random, 32);
240 memcpy(cache->master_secret, secret, sizeof(cache->master_secret));
241 cache->tls_prf_type = tls_prf_type;
242}
243#else /* ifdef MBEDTLS_SSL_KEYING_MATERIAL_EXPORT */
244#error mbedtls_ssl_conf_export_keys_ext_cb, mbedtls_ssl_set_export_keys_cb or mbedtls_ssl_export_keying_material must be available in mbed TLS
245#endif /* HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB */
246
247
248bool
249key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
250 void *ekm, size_t ekm_size)
251{
252 ASSERT(strlen(label) == label_size);
253
254#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
255 /* Our version of mbed TLS has a built-in TLS-Exporter. */
256
257 mbedtls_ssl_context *ctx = session->key[KS_PRIMARY].ks_ssl.ctx;
258 if (mbed_ok(
259 mbedtls_ssl_export_keying_material(ctx, ekm, ekm_size, label, label_size, NULL, 0, 0)))
260 {
261 return true;
262 }
263 else
264 {
265 return false;
266 }
267
268#else /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
269 struct tls_key_cache *cache = &session->key[KS_PRIMARY].ks_ssl.tls_key_cache;
270
271 /* If the type is NONE, we either have no cached secrets or
272 * there is no PRF, in both cases we cannot generate key material */
273 if (cache->tls_prf_type == MBEDTLS_SSL_TLS_PRF_NONE)
274 {
275 return false;
276 }
277
278 int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
279 sizeof(cache->master_secret), label, cache->client_server_random,
280 sizeof(cache->client_server_random), ekm, ekm_size);
281
282 if (mbed_ok(ret))
283 {
284 return true;
285 }
286 else
287 {
288 secure_memzero(ekm, session->opt->ekm_size);
289 return false;
290 }
291#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
292}
293
294bool
295tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
296{
297 return true;
298}
299
300static const char *
301tls_translate_cipher_name(const char *cipher_name)
302{
303 const tls_cipher_name_pair *pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
304
305 if (NULL == pair)
306 {
307 /* No translation found, return original */
308 return cipher_name;
309 }
310
311 if (0 != strcmp(cipher_name, pair->iana_name))
312 {
313 /* Deprecated name found, notify user */
314 msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'",
315 pair->openssl_name, pair->iana_name);
316 }
317
318 return pair->iana_name;
319}
320
321void
322tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
323{
324 if (ciphers == NULL)
325 {
326 /* Nothing to do, return without warning message */
327 return;
328 }
329
330 msg(M_WARN,
331 "mbed TLS does not support setting tls-ciphersuites. "
332 "Ignoring TLS 1.3 cipher list: %s",
333 ciphers);
334}
335
336void
337tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
338{
339 char *tmp_ciphers, *tmp_ciphers_orig, *token;
340
341 if (NULL == ciphers)
342 {
343 return; /* Nothing to do */
344 }
345
346 ASSERT(NULL != ctx);
347
348 /* Get number of ciphers */
349 int cipher_count = get_num_elements(ciphers, ':');
350
351 /* Allocate an array for them */
352 ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count + 1)
353
354 /* Parse allowed ciphers, getting IDs */
355 int i = 0;
356 tmp_ciphers_orig = tmp_ciphers = string_alloc(ciphers, NULL);
357
358 token = strtok(tmp_ciphers, ":");
359 while (token)
360 {
361 ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id(tls_translate_cipher_name(token));
362 if (0 != ctx->allowed_ciphers[i])
363 {
364 i++;
365 }
366 token = strtok(NULL, ":");
367 }
368 free(tmp_ciphers_orig);
369}
370
371void
372tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
373{
374 if (!profile || 0 == strcmp(profile, "legacy") || 0 == strcmp(profile, "insecure"))
375 {
376 ctx->cert_profile = openvpn_x509_crt_profile_legacy;
377 }
378 else if (0 == strcmp(profile, "preferred"))
379 {
380 ctx->cert_profile = openvpn_x509_crt_profile_preferred;
381 }
382 else if (0 == strcmp(profile, "suiteb"))
383 {
384 ctx->cert_profile = openvpn_x509_crt_profile_suiteb;
385 }
386 else
387 {
388 msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
389 }
390}
391
392void
393tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
394{
395 ASSERT(ctx);
396 struct gc_arena gc = gc_new();
397
398 /* Get number of groups and allocate an array in ctx */
399 int groups_count = get_num_elements(groups, ':');
400 ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1)
401
402 /* Parse allowed ciphers, getting IDs */
403 int i = 0;
404 char *tmp_groups = string_alloc(groups, &gc);
405
406 const char *token;
407 while ((token = strsep(&tmp_groups, ":")))
408 {
409 const mbedtls_ecp_curve_info *ci = mbedtls_ecp_curve_info_from_name(token);
410 if (!ci)
411 {
412 msg(M_WARN, "Warning unknown curve/group specified: %s", token);
413 }
414 else
415 {
417 i++;
418 }
419 }
420
421 /* Recent mbedtls versions state that the list of groups must be terminated
422 * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE
423 * which is also 0, so this works either way. */
424 ctx->groups[i] = 0;
425
426 gc_free(&gc);
427}
428
429
430void
431tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
432{
433 ASSERT(ctx);
434 if (ctx->crt_chain == NULL)
435 {
436 return; /* Nothing to check if there is no certificate */
437 }
438
439 if (mbedtls_x509_time_is_future(&ctx->crt_chain->valid_from))
440 {
441 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
442 }
443
444 if (mbedtls_x509_time_is_past(&ctx->crt_chain->valid_to))
445 {
446 msg(M_WARN, "WARNING: Your certificate has expired!");
447 }
448}
449
450void
451tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_inline)
452{
453 if (dh_inline)
454 {
455 if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *)dh_file,
456 strlen(dh_file) + 1)))
457 {
458 msg(M_FATAL, "Cannot read inline DH parameters");
459 }
460 }
461 else
462 {
463 if (!mbed_ok(mbedtls_dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)))
464 {
465 msg(M_FATAL, "Cannot read DH parameters from file %s", dh_file);
466 }
467 }
468
469 msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key",
471}
472
473void
474tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
475{
476 if (NULL != curve_name)
477 {
478 msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
479 "ECDH curve with --ecdh-curve, using default curves. Use "
480 "--tls-groups to specify curves.");
481 }
482}
483
484int
485tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
486 bool load_ca_file)
487{
488 msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS.");
489 return 0;
490}
491
492#ifdef ENABLE_CRYPTOAPI
493void
494tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
495{
496 msg(M_FATAL, "Windows CryptoAPI not yet supported for mbed TLS.");
497}
498#endif /* _WIN32 */
499
500void
501tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_inline)
502{
503 ASSERT(NULL != ctx);
504
505 if (!ctx->crt_chain)
506 {
507 ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt);
508 }
509
510 if (cert_inline)
511 {
512 if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)cert_file,
513 strlen(cert_file) + 1)))
514 {
515 msg(M_FATAL, "Cannot load inline certificate file");
516 }
517 }
518 else
519 {
520 if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, cert_file)))
521 {
522 msg(M_FATAL, "Cannot load certificate file %s", cert_file);
523 }
524 }
525}
526
527int
528tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_inline)
529{
530 int status;
531 ASSERT(NULL != ctx);
532
533 if (!ctx->priv_key)
534 {
535 ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context);
536 }
537
538 if (priv_key_inline)
539 {
540 status = mbedtls_compat_pk_parse_key(ctx->priv_key, (const unsigned char *)priv_key_file,
541 strlen(priv_key_file) + 1, NULL, 0,
542 mbedtls_ctr_drbg_random, rand_ctx_get());
543
544 if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
545 {
546 char passbuf[512] = { 0 };
547 pem_password_callback(passbuf, 512, 0, NULL);
549 ctx->priv_key, (const unsigned char *)priv_key_file, strlen(priv_key_file) + 1,
550 (unsigned char *)passbuf, strlen(passbuf), mbedtls_ctr_drbg_random, rand_ctx_get());
551 }
552 }
553 else
554 {
555 status = mbedtls_compat_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL,
556 mbedtls_ctr_drbg_random, rand_ctx_get());
557 if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status)
558 {
559 char passbuf[512] = { 0 };
560 pem_password_callback(passbuf, 512, 0, NULL);
562 mbedtls_ctr_drbg_random, rand_ctx_get());
563 }
564 }
565 if (!mbed_ok(status))
566 {
567#ifdef ENABLE_MANAGEMENT
568 if (management && (MBEDTLS_ERR_PK_PASSWORD_MISMATCH == status))
569 {
571 }
572#endif
573 msg(M_WARN, "Cannot load private key file %s",
574 print_key_filename(priv_key_file, priv_key_inline));
575 return 1;
576 }
577
579 mbedtls_ctr_drbg_random, rand_ctx_get())))
580 {
581 msg(M_WARN, "Private key does not match the certificate");
582 return 1;
583 }
584
585 return 0;
586}
587
588#if defined(__GNUC__) || defined(__clang__)
589#pragma GCC diagnostic push
590#pragma GCC diagnostic ignored "-Wconversion"
591#endif
592
611static inline int
612external_pkcs1_sign(void *ctx_voidptr, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
613#if MBEDTLS_VERSION_NUMBER < 0x03020100
614 int mode,
615#endif
616 mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash,
617 unsigned char *sig)
618{
619 struct external_context *const ctx = ctx_voidptr;
620 int rv;
621 uint8_t *to_sign = NULL;
622 size_t asn_len = 0, oid_size = 0;
623 const char *oid = NULL;
624
625 if (NULL == ctx)
626 {
627 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
628 }
629
630#if MBEDTLS_VERSION_NUMBER < 0x03020100
631 if (MBEDTLS_RSA_PRIVATE != mode)
632 {
633 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
634 }
635#endif
636
637 /*
638 * Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW,
639 * but TLSv1.2 needs the full suite of hashes.
640 *
641 * This code has been taken from mbed TLS pkcs11_sign(), under the GPLv2.0+.
642 */
643 if (md_alg != MBEDTLS_MD_NONE)
644 {
645 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
646 if (md_info == NULL)
647 {
648 return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
649 }
650
651 if (!mbed_ok(mbedtls_oid_get_oid_by_md(md_alg, &oid, &oid_size)))
652 {
653 return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA);
654 }
655
656 hashlen = mbedtls_md_get_size(md_info);
657 asn_len = 10 + oid_size;
658 }
659
660 if ((SIZE_MAX - hashlen) < asn_len || ctx->signature_length < (asn_len + hashlen))
661 {
662 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
663 }
664
665 ALLOC_ARRAY_CLEAR(to_sign, uint8_t, asn_len + hashlen);
666 uint8_t *p = to_sign;
667 if (md_alg != MBEDTLS_MD_NONE)
668 {
669 /*
670 * DigestInfo ::= SEQUENCE {
671 * digestAlgorithm DigestAlgorithmIdentifier,
672 * digest Digest }
673 *
674 * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
675 *
676 * Digest ::= OCTET STRING
677 */
678 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
679 *p++ = (unsigned char)(0x08 + oid_size + hashlen);
680 *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
681 *p++ = (unsigned char)(0x04 + oid_size);
682 *p++ = MBEDTLS_ASN1_OID;
683 *p++ = oid_size & 0xFF;
684 memcpy(p, oid, oid_size);
685 p += oid_size;
686 *p++ = MBEDTLS_ASN1_NULL;
687 *p++ = 0x00;
688 *p++ = MBEDTLS_ASN1_OCTET_STRING;
689 *p++ = hashlen;
690
691 /* Double-check ASN length */
692 ASSERT(asn_len == p - to_sign);
693 }
694
695 /* Copy the hash to be signed */
696 memcpy(p, hash, hashlen);
697
698 /* Call external signature function */
699 if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig, ctx->signature_length))
700 {
701 rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED;
702 goto done;
703 }
704
705 rv = 0;
706
707done:
708 free(to_sign);
709 return rv;
710}
711
712static inline size_t
713external_key_len(void *vctx)
714{
715 struct external_context *const ctx = vctx;
716
717 return ctx->signature_length;
718}
719
720int
722 void *sign_ctx)
723{
724 ASSERT(NULL != ctx);
725
726 if (ctx->crt_chain == NULL)
727 {
728 msg(M_WARN, "ERROR: external key requires a certificate.");
729 return 1;
730 }
731
732 if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
733 {
734 msg(M_WARN, "ERROR: external key with mbed TLS requires a "
735 "certificate with an RSA key.");
736 return 1;
737 }
738
739 ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk);
740 ctx->external_key.sign = sign_func;
742
743 ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context);
744 if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key, NULL,
745 external_pkcs1_sign, external_key_len)))
746 {
747 return 1;
748 }
749
750 return 0;
751}
752
753#ifdef ENABLE_MANAGEMENT
755static bool
756management_sign_func(void *sign_ctx, const void *src, size_t src_len, void *dst, size_t dst_len)
757{
758 bool ret = false;
759 char *src_b64 = NULL;
760 char *dst_b64 = NULL;
761
762 if (!management || (openvpn_base64_encode(src, (int)src_len, &src_b64) <= 0))
763 {
764 goto cleanup;
765 }
766
767 /*
768 * We only support RSA external keys and PKCS1 signatures at the moment
769 * in mbed TLS, so the signature parameter is hardcoded to this encoding
770 */
771 if (!(dst_b64 = management_query_pk_sig(management, src_b64, "RSA_PKCS1_PADDING")))
772 {
773 goto cleanup;
774 }
775
776 if (openvpn_base64_decode(dst_b64, dst, (int)dst_len) != dst_len)
777 {
778 goto cleanup;
779 }
780
781 ret = true;
782cleanup:
783 free(src_b64);
784 free(dst_b64);
785
786 return ret;
787}
788
789int
791{
792 return tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL);
793}
794
795#endif /* ifdef ENABLE_MANAGEMENT */
796
797void
798tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_inline, const char *ca_path,
799 bool tls_server)
800{
801 if (ca_path)
802 {
803 msg(M_FATAL, "ERROR: mbed TLS cannot handle the capath directive");
804 }
805
806 if (ca_file && ca_inline)
807 {
808 if (!mbed_ok(mbedtls_x509_crt_parse(ctx->ca_chain, (const unsigned char *)ca_file,
809 strlen(ca_file) + 1)))
810 {
811 msg(M_FATAL, "Cannot load inline CA certificates");
812 }
813 }
814 else
815 {
816 /* Load CA file for verifying peer supplied certificate */
817 if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->ca_chain, ca_file)))
818 {
819 msg(M_FATAL, "Cannot load CA certificate file %s", ca_file);
820 }
821 }
822}
823
824void
825tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
826 bool extra_certs_inline)
827{
828 ASSERT(NULL != ctx);
829
830 if (!ctx->crt_chain)
831 {
832 ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt);
833 }
834
835 if (extra_certs_inline)
836 {
837 if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, (const unsigned char *)extra_certs_file,
838 strlen(extra_certs_file) + 1)))
839 {
840 msg(M_FATAL, "Cannot load inline extra-certs file");
841 }
842 }
843 else
844 {
845 if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, extra_certs_file)))
846 {
847 msg(M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
848 }
849 }
850}
851
852/* **************************************
853 *
854 * Key-state specific functions
855 *
856 ***************************************/
857
858/*
859 * "Endless buffer"
860 */
861
862static inline void
863buf_free_entry(buffer_entry *entry)
864{
865 if (NULL != entry)
866 {
867 free(entry->data);
868 free(entry);
869 }
870}
871
872static void
873buf_free_entries(endless_buffer *buf)
874{
875 while (buf->first_block)
876 {
877 buffer_entry *cur_block = buf->first_block;
878 buf->first_block = cur_block->next_block;
879 buf_free_entry(cur_block);
880 }
881 buf->last_block = NULL;
882}
883
884static int
885endless_buf_read(endless_buffer *in, unsigned char *out, size_t out_len)
886{
887 size_t read_len = 0;
888
889 if (in->first_block == NULL)
890 {
891 return MBEDTLS_ERR_SSL_WANT_READ;
892 }
893
894 while (in->first_block != NULL && read_len < out_len)
895 {
896 int block_len = in->first_block->length - in->data_start;
897 if (block_len <= out_len - read_len)
898 {
899 buffer_entry *cur_entry = in->first_block;
900 memcpy(out + read_len, cur_entry->data + in->data_start, block_len);
901
902 read_len += block_len;
903
904 in->first_block = cur_entry->next_block;
905 in->data_start = 0;
906
907 if (in->first_block == NULL)
908 {
909 in->last_block = NULL;
910 }
911
912 buf_free_entry(cur_entry);
913 }
914 else
915 {
916 memcpy(out + read_len, in->first_block->data + in->data_start, out_len - read_len);
917 in->data_start += out_len - read_len;
918 read_len = out_len;
919 }
920 }
921
922 return read_len;
923}
924
925static int
926endless_buf_write(endless_buffer *out, const unsigned char *in, size_t len)
927{
928 buffer_entry *new_block = malloc(sizeof(buffer_entry));
929 if (NULL == new_block)
930 {
931 return MBEDTLS_ERR_NET_SEND_FAILED;
932 }
933
934 new_block->data = malloc(len);
935 if (NULL == new_block->data)
936 {
937 free(new_block);
938 return MBEDTLS_ERR_NET_SEND_FAILED;
939 }
940
941 new_block->length = len;
942 new_block->next_block = NULL;
943
944 memcpy(new_block->data, in, len);
945
946 if (NULL == out->first_block)
947 {
948 out->first_block = new_block;
949 }
950
951 if (NULL != out->last_block)
952 {
953 out->last_block->next_block = new_block;
954 }
955
956 out->last_block = new_block;
957
958 return len;
959}
960
961static int
962ssl_bio_read(void *ctx, unsigned char *out, size_t out_len)
963{
964 bio_ctx *my_ctx = (bio_ctx *)ctx;
965 return endless_buf_read(&my_ctx->in, out, out_len);
966}
967
968static int
969ssl_bio_write(void *ctx, const unsigned char *in, size_t in_len)
970{
971 bio_ctx *my_ctx = (bio_ctx *)ctx;
972 return endless_buf_write(&my_ctx->out, in, in_len);
973}
974
975static void
976my_debug(void *ctx, int level, const char *file, int line, const char *str)
977{
978 int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG;
979 msg(my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str);
980}
981
982/*
983 * Further personalise the RNG using a hash of the public key
984 */
985void
986tls_ctx_personalise_random(struct tls_root_ctx *ctx)
987{
988 static char old_sha256_hash[32] = { 0 };
989 unsigned char sha256_hash[32] = { 0 };
990 mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get();
991
992 if (NULL != ctx->crt_chain)
993 {
994 mbedtls_x509_crt *cert = ctx->crt_chain;
995
996 if (!md_full("SHA256", cert->tbs.p, cert->tbs.len, sha256_hash))
997 {
998 msg(M_WARN, "WARNING: failed to personalise random");
999 }
1000
1001 if (0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
1002 {
1003 if (!mbed_ok(mbedtls_compat_ctr_drbg_update(cd_ctx, sha256_hash, 32)))
1004 {
1005 msg(M_WARN, "WARNING: failed to personalise random, could not update CTR_DRBG");
1006 }
1007 memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash));
1008 }
1009 }
1010}
1011
1012#if defined(__GNUC__) || defined(__clang__)
1013#pragma GCC diagnostic pop
1014#endif
1015
1016int
1017tls_version_max(void)
1018{
1019 /* We need mbedtls_ssl_export_keying_material() to support TLS 1.3. */
1020#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
1021 return TLS_VER_1_3;
1022#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
1023 return TLS_VER_1_2;
1024#else
1025#error mbedtls is compiled without support for TLS 1.2 or 1.3
1026#endif
1027}
1028
1037tls_version_to_ssl_version(int tls_ver)
1038{
1039 switch (tls_ver)
1040 {
1041#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1042 case TLS_VER_1_2:
1044#endif
1045
1046#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1047 case TLS_VER_1_3:
1049#endif
1050
1051 default:
1052 msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver);
1054 }
1055}
1056
1057void
1058backend_tls_ctx_reload_crl(struct tls_root_ctx *ctx, const char *crl_file, bool crl_inline)
1059{
1060 ASSERT(crl_file);
1061
1062 if (ctx->crl == NULL)
1063 {
1064 ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl);
1065 }
1066 mbedtls_x509_crl_free(ctx->crl);
1067
1068 if (crl_inline)
1069 {
1070 if (!mbed_ok(mbedtls_x509_crl_parse(ctx->crl, (const unsigned char *)crl_file,
1071 strlen(crl_file) + 1)))
1072 {
1073 msg(M_WARN, "CRL: cannot parse inline CRL");
1074 goto err;
1075 }
1076 }
1077 else
1078 {
1079 if (!mbed_ok(mbedtls_x509_crl_parse_file(ctx->crl, crl_file)))
1080 {
1081 msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file);
1082 goto err;
1083 }
1084 }
1085 return;
1086
1087err:
1088 mbedtls_x509_crl_free(ctx->crl);
1089}
1090
1091void
1092key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server,
1093 struct tls_session *session)
1094{
1095 ASSERT(NULL != ssl_ctx);
1096 ASSERT(ks_ssl);
1097 CLEAR(*ks_ssl);
1098
1099 /* Initialise SSL config */
1100 ALLOC_OBJ_CLEAR(ks_ssl->ssl_config, mbedtls_ssl_config);
1101 mbedtls_ssl_config_init(ks_ssl->ssl_config);
1102 mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint, MBEDTLS_SSL_TRANSPORT_STREAM,
1103 MBEDTLS_SSL_PRESET_DEFAULT);
1104#ifdef MBEDTLS_DEBUG_C
1105 /* We only want to have mbed TLS generate debug level logging when we would
1106 * also display it.
1107 * In fact mbed TLS 2.25.0 crashes generating debug log if Curve25591 is
1108 * selected for DH (https://github.com/ARMmbed/mbedtls/issues/4208) */
1109 if (session->opt->ssl_flags & SSLF_TLS_DEBUG_ENABLED)
1110 {
1111 mbedtls_debug_set_threshold(3);
1112 }
1113 else
1114 {
1115 mbedtls_debug_set_threshold(2);
1116 }
1117#endif
1118 mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL);
1119 mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random, rand_ctx_get());
1120
1121 mbedtls_ssl_conf_cert_profile(ks_ssl->ssl_config, &ssl_ctx->cert_profile);
1122
1123 if (ssl_ctx->allowed_ciphers)
1124 {
1125 mbedtls_ssl_conf_ciphersuites(ks_ssl->ssl_config, ssl_ctx->allowed_ciphers);
1126 }
1127
1128 if (ssl_ctx->groups)
1129 {
1130 mbedtls_ssl_conf_groups(ks_ssl->ssl_config, ssl_ctx->groups);
1131 }
1132
1133 /* Disable TLS renegotiations if the mbedtls library supports that feature.
1134 * OpenVPN's renegotiation creates new SSL sessions and does not depend on
1135 * this feature and TLS renegotiations have been problematic in the past. */
1136#if defined(MBEDTLS_SSL_RENEGOTIATION)
1137 mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
1138#endif /* MBEDTLS_SSL_RENEGOTIATION */
1139
1140 /* Disable record splitting (for now). OpenVPN assumes records are sent
1141 * unfragmented, and changing that will require thorough review and
1142 * testing. Since OpenVPN is not susceptible to BEAST, we can just
1143 * disable record splitting as a quick fix. */
1144#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
1145 mbedtls_ssl_conf_cbc_record_splitting(ks_ssl->ssl_config,
1146 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
1147#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
1148
1149 /* Initialise authentication information */
1150 if (is_server)
1151 {
1152 mbed_ok(mbedtls_ssl_conf_dh_param_ctx(ks_ssl->ssl_config, ssl_ctx->dhm_ctx));
1153 }
1154
1155 mbed_ok(mbedtls_ssl_conf_own_cert(ks_ssl->ssl_config, ssl_ctx->crt_chain, ssl_ctx->priv_key));
1156
1157 /* Initialise SSL verification */
1158 if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
1159 {
1160 mbedtls_ssl_conf_authmode(ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL);
1161 }
1162 else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
1163 {
1164 mbedtls_ssl_conf_authmode(ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED);
1165 }
1166 mbedtls_ssl_conf_verify(ks_ssl->ssl_config, verify_callback, session);
1167
1168 /* TODO: mbed TLS does not currently support sending the CA chain to the client */
1169 mbedtls_ssl_conf_ca_chain(ks_ssl->ssl_config, ssl_ctx->ca_chain, ssl_ctx->crl);
1170
1171 /* Initialize minimum TLS version */
1172 {
1173 const int configured_tls_version_min =
1175
1176 /* default to TLS 1.2 */
1178
1179 if (configured_tls_version_min > TLS_VER_UNSPEC)
1180 {
1181 version = tls_version_to_ssl_version(configured_tls_version_min);
1182 }
1183
1185 }
1186
1187 /* Initialize maximum TLS version */
1188 {
1189 const int configured_tls_version_max =
1191
1193
1194 if (configured_tls_version_max > TLS_VER_UNSPEC)
1195 {
1196 version = tls_version_to_ssl_version(configured_tls_version_max);
1197 }
1198 else
1199 {
1200 /* Default to tls_version_max(). */
1201 version = tls_version_to_ssl_version(tls_version_max());
1202 }
1203
1205 }
1206
1207#if defined(HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB) \
1208 && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
1209 /* Initialize keying material exporter, old style. */
1210 mbedtls_ssl_conf_export_keys_ext_cb(ks_ssl->ssl_config, mbedtls_ssl_export_keys_cb, session);
1211#endif
1212
1213 /* Initialise SSL context */
1214 ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context);
1215 mbedtls_ssl_init(ks_ssl->ctx);
1216 mbed_ok(mbedtls_ssl_setup(ks_ssl->ctx, ks_ssl->ssl_config));
1217 /* We do verification in our own callback depending on the
1218 * exact configuration. We do not rely on the default hostname
1219 * verification. */
1220 ASSERT(mbed_ok(mbedtls_ssl_set_hostname(ks_ssl->ctx, NULL)));
1221
1222#if defined(HAVE_MBEDTLS_SSL_SET_EXPORT_KEYS_CB) && !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
1223 /* Initialize keying material exporter, new style. */
1224 mbedtls_ssl_set_export_keys_cb(ks_ssl->ctx, mbedtls_ssl_export_keys_cb, session);
1225#endif
1226
1227 /* Initialise BIOs */
1229 mbedtls_ssl_set_bio(ks_ssl->ctx, ks_ssl->bio_ctx, ssl_bio_write, ssl_bio_read, NULL);
1230}
1231
1232
1233void
1235{
1236 mbedtls_ssl_send_alert_message(ks_ssl->ctx, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1237 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY);
1238}
1239
1240void
1241key_state_ssl_free(struct key_state_ssl *ks_ssl)
1242{
1243 if (ks_ssl)
1244 {
1245 CLEAR(ks_ssl->tls_key_cache);
1246
1247 if (ks_ssl->ctx)
1248 {
1249 mbedtls_ssl_free(ks_ssl->ctx);
1250 free(ks_ssl->ctx);
1251 }
1252 if (ks_ssl->ssl_config)
1253 {
1254 mbedtls_ssl_config_free(ks_ssl->ssl_config);
1255 free(ks_ssl->ssl_config);
1256 }
1257 if (ks_ssl->bio_ctx)
1258 {
1259 buf_free_entries(&ks_ssl->bio_ctx->in);
1260 buf_free_entries(&ks_ssl->bio_ctx->out);
1261 free(ks_ssl->bio_ctx);
1262 }
1263 CLEAR(*ks_ssl);
1264 }
1265}
1266
1267int
1268key_state_write_plaintext(struct key_state_ssl *ks, struct buffer *buf)
1269{
1270 int retval = 0;
1271
1272 ASSERT(buf);
1273
1274 retval = key_state_write_plaintext_const(ks, BPTR(buf), BLEN(buf));
1275
1276 if (1 == retval)
1277 {
1278 memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
1279 buf->len = 0;
1280 }
1281
1282 return retval;
1283}
1284
1285int
1286key_state_write_plaintext_const(struct key_state_ssl *ks, const uint8_t *data, int len)
1287{
1288 int retval = 0;
1290
1291 ASSERT(NULL != ks);
1292 ASSERT(len >= 0);
1293
1294 if (0 == len)
1295 {
1296 perf_pop();
1297 return 0;
1298 }
1299
1300 ASSERT(data);
1301
1302 retval = mbedtls_ssl_write(ks->ctx, data, len);
1303
1304 if (retval < 0)
1305 {
1306 perf_pop();
1307 if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval)
1308 {
1309 return 0;
1310 }
1311 mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_plaintext_const error");
1312 return -1;
1313 }
1314
1315 if (retval != len)
1316 {
1317 msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d", retval,
1318 len);
1319 perf_pop();
1320 return -1;
1321 }
1322
1323 /* successful write */
1324 dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_plaintext_const %d bytes", retval);
1325
1326 perf_pop();
1327 return 1;
1328}
1329
1330int
1331key_state_read_ciphertext(struct key_state_ssl *ks, struct buffer *buf)
1332{
1333 int retval = 0;
1334 int len = 0;
1335
1337
1338 ASSERT(NULL != ks);
1339 ASSERT(buf);
1340 ASSERT(buf->len >= 0);
1341
1342 if (buf->len)
1343 {
1344 perf_pop();
1345 return 0;
1346 }
1347
1348 len = buf_forward_capacity(buf);
1349
1350 retval = endless_buf_read(&ks->bio_ctx->out, BPTR(buf), len);
1351
1352 /* Error during read, check for retry error */
1353 if (retval < 0)
1354 {
1355 perf_pop();
1356 if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval)
1357 {
1358 return 0;
1359 }
1360 mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error");
1361 buf->len = 0;
1362 return -1;
1363 }
1364 /* Nothing read, try again */
1365 if (0 == retval)
1366 {
1367 buf->len = 0;
1368 perf_pop();
1369 return 0;
1370 }
1371
1372 /* successful read */
1373 dmsg(D_HANDSHAKE_VERBOSE, "read tls_read_ciphertext %d bytes", retval);
1374 buf->len = retval;
1375 perf_pop();
1376 return 1;
1377}
1378
1379int
1380key_state_write_ciphertext(struct key_state_ssl *ks, struct buffer *buf)
1381{
1382 int retval = 0;
1384
1385 ASSERT(NULL != ks);
1386 ASSERT(buf);
1387 ASSERT(buf->len >= 0);
1388
1389 if (0 == buf->len)
1390 {
1391 perf_pop();
1392 return 0;
1393 }
1394
1395 retval = endless_buf_write(&ks->bio_ctx->in, BPTR(buf), buf->len);
1396
1397 if (retval < 0)
1398 {
1399 perf_pop();
1400
1401 if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval)
1402 {
1403 return 0;
1404 }
1405 mbed_log_err(D_TLS_ERRORS, retval, "TLS ERROR: write tls_write_ciphertext error");
1406 return -1;
1407 }
1408
1409 if (retval != buf->len)
1410 {
1411 msg(D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext incomplete %d/%d", retval,
1412 buf->len);
1413 perf_pop();
1414 return -1;
1415 }
1416
1417 /* successful write */
1418 dmsg(D_HANDSHAKE_VERBOSE, "write tls_write_ciphertext %d bytes", retval);
1419
1420 memset(BPTR(buf), 0, BLEN(buf)); /* erase data just written */
1421 buf->len = 0;
1422
1423 perf_pop();
1424 return 1;
1425}
1426
1427int
1428key_state_read_plaintext(struct key_state_ssl *ks, struct buffer *buf)
1429{
1430 int retval = 0;
1431 int len = 0;
1432
1434
1435 ASSERT(NULL != ks);
1436 ASSERT(buf);
1437 ASSERT(buf->len >= 0);
1438
1439 if (buf->len)
1440 {
1441 perf_pop();
1442 return 0;
1443 }
1444
1445 len = buf_forward_capacity(buf);
1446
1447 retval = mbedtls_ssl_read(ks->ctx, BPTR(buf), len);
1448
1449 /* Error during read, check for retry error */
1450 if (retval < 0)
1451 {
1452 if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval)
1453 {
1454 return 0;
1455 }
1456 mbed_log_err(D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error");
1457 buf->len = 0;
1458 perf_pop();
1459 return -1;
1460 }
1461 /* Nothing read, try again */
1462 if (0 == retval)
1463 {
1464 buf->len = 0;
1465 perf_pop();
1466 return 0;
1467 }
1468
1469 /* successful read */
1470 dmsg(D_HANDSHAKE_VERBOSE, "read tls_read_plaintext %d bytes", retval);
1471 buf->len = retval;
1472
1473 perf_pop();
1474 return 1;
1475}
1476
1477/* **************************************
1478 *
1479 * Information functions
1480 *
1481 * Print information for the end user.
1482 *
1483 ***************************************/
1484void
1485print_details(struct key_state_ssl *ks_ssl, const char *prefix)
1486{
1487 const mbedtls_x509_crt *cert;
1488 char s1[256];
1489 char s2[256];
1490
1491 s1[0] = s2[0] = 0;
1492 snprintf(s1, sizeof(s1), "%s %s, cipher %s", prefix, mbedtls_ssl_get_version(ks_ssl->ctx),
1493 mbedtls_ssl_get_ciphersuite(ks_ssl->ctx));
1494
1495 cert = mbedtls_ssl_get_peer_cert(ks_ssl->ctx);
1496 if (cert != NULL)
1497 {
1498 snprintf(s2, sizeof(s2), ", %u bit key", (unsigned int)mbedtls_pk_get_bitlen(&cert->pk));
1499 }
1500
1501 msg(D_HANDSHAKE, "%s%s", s1, s2);
1502}
1503
1504void
1505show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
1506{
1507 if (tls13)
1508 {
1509 /* mbed TLS has no TLS 1.3 support currently */
1510 return;
1511 }
1512 struct tls_root_ctx tls_ctx;
1513 const int *ciphers = mbedtls_ssl_list_ciphersuites();
1514
1515 tls_ctx_server_new(&tls_ctx);
1516 tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);
1517 tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
1518
1519 if (tls_ctx.allowed_ciphers)
1520 {
1521 ciphers = tls_ctx.allowed_ciphers;
1522 }
1523
1524 while (*ciphers != 0)
1525 {
1526 printf("%s\n", mbedtls_ssl_get_ciphersuite_name(*ciphers));
1527 ciphers++;
1528 }
1529 tls_ctx_free(&tls_ctx);
1530}
1531
1532void
1534{
1535 const mbedtls_ecp_curve_info *pcurve = mbedtls_ecp_curve_list();
1536
1537 if (NULL == pcurve)
1538 {
1539 msg(M_FATAL, "Cannot retrieve curve list from mbed TLS");
1540 }
1541
1542 /* Print curve list */
1543 printf("Available Elliptic curves, listed in order of preference:\n\n");
1544 while (MBEDTLS_ECP_DP_NONE != pcurve->grp_id)
1545 {
1546 printf("%s\n", pcurve->name);
1547 pcurve++;
1548 }
1549}
1550
1551const char *
1553{
1554 static char mbedtls_version[30];
1555 unsigned int pv = mbedtls_version_get_number();
1556 snprintf(mbedtls_version, sizeof(mbedtls_version), "mbed TLS %d.%d.%d", (pv >> 24) & 0xff,
1557 (pv >> 16) & 0xff, (pv >> 8) & 0xff);
1558 return mbedtls_version;
1559}
1560
1561void
1563{
1564 return; /* no external key provider in mbedTLS build */
1565}
1566
1567#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
#define BPTR(buf)
Definition buffer.h:123
#define ALLOC_ARRAY_CLEAR(dptr, type, n)
Definition buffer.h:1058
static int buf_forward_capacity(const struct buffer *buf)
Definition buffer.h:539
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
#define BLEN(buf)
Definition buffer.h:126
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
static struct gc_arena gc_new(void)
Definition buffer.h:1007
uint64_t counter_type
Definition common.h:29
#define counter_format
Definition common.h:30
char * strsep(char **stringp, const char *delim)
const char * print_key_filename(const char *str, bool is_inline)
To be used when printing a string that may contain inline data.
Definition crypto.c:1278
int md_full(const char *mdname, const uint8_t *src, int src_len, uint8_t *dst)
Calculates the message digest for the given buffer.
mbedtls_ctr_drbg_context * rand_ctx_get(void)
Returns a singleton instance of the mbed TLS random number generator.
#define mbed_ok(errval)
Check errval and log on error.
bool mbed_log_err(unsigned int flags, int errval, const char *prefix)
Log the supplied mbed TLS error, prefixed by supplied prefix.
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
#define D_HANDSHAKE_VERBOSE
Definition errlevel.h:155
#define D_HANDSHAKE
Definition errlevel.h:71
#define D_TLS_ERRORS
Definition errlevel.h:58
#define D_TLS_DEBUG
Definition errlevel.h:164
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
static SERVICE_STATUS status
Definition interactive.c:51
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3124
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition manage.c:3786
mbedtls compatibility stub.
static int mbedtls_compat_pk_parse_key(mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
mbedtls_ssl_protocol_version
@ MBEDTLS_SSL_VERSION_TLS1_2
@ MBEDTLS_SSL_VERSION_TLS1_3
@ MBEDTLS_SSL_VERSION_UNKNOWN
static void mbedtls_compat_psa_crypto_init(void)
static mbedtls_compat_group_id mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
static int mbedtls_compat_ctr_drbg_update(mbedtls_ctr_drbg_context *ctx, const unsigned char *additional, size_t add_len)
static int mbedtls_compat_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_context *prv, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
static void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups)
static size_t mbedtls_dhm_get_bitlen(const mbedtls_dhm_context *ctx)
static void mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version)
mbedtls_ecp_group_id mbedtls_compat_group_id
static void mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version)
static int mbedtls_compat_pk_parse_keyfile(mbedtls_pk_context *ctx, const char *path, const char *password, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
#define CLEAR(x)
Definition basic.h:32
#define M_FATAL
Definition error.h:90
#define dmsg(flags,...)
Definition error.h:172
#define msg(flags,...)
Definition error.h:152
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
static void perf_push(int type)
Definition perf.h:77
#define PERF_BIO_READ_PLAINTEXT
Definition perf.h:37
#define PERF_BIO_WRITE_CIPHERTEXT
Definition perf.h:40
static void perf_pop(void)
Definition perf.h:81
#define PERF_BIO_READ_CIPHERTEXT
Definition perf.h:39
#define PERF_BIO_WRITE_PLAINTEXT
Definition perf.h:38
PKCS #11 SSL library-specific backend.
int openvpn_base64_decode(const char *str, void *data, int size)
Definition base64.c:160
int openvpn_base64_encode(const void *data, int size, char **str)
Definition base64.c:51
static struct user_pass passbuf
Definition ssl.c:255
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:269
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
Control Channel SSL library backend module.
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
#define TLS_VER_1_2
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
#define TLS_VER_1_3
#define TLS_VER_UNSPEC
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Control Channel Common Data Structures.
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:432
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:425
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:424
#define SSLF_TLS_DEBUG_ENABLED
Definition ssl_common.h:434
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:433
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:430
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:431
int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func, void *sign_ctx)
Call the supplied signing function to create a TLS signature during the TLS handshake.
bool(* external_sign_func)(void *sign_ctx, const void *src, size_t src_size, void *dst, size_t dst_size)
External signing function prototype.
Definition ssl_mbedtls.h:79
int get_num_elements(const char *string, char delimiter)
Returns the occurrences of 'delimiter' in a string +1 This is typically used to find out the number e...
Definition ssl_util.c:299
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition ssl_util.c:275
SSL utility functions.
Control Channel Verification Module mbed TLS backend.
size_t length
Definition ssl_mbedtls.h:48
uint8_t * data
Definition ssl_mbedtls.h:49
buffer_entry * next_block
Definition ssl_mbedtls.h:50
endless_buffer out
Definition ssl_mbedtls.h:63
endless_buffer in
Definition ssl_mbedtls.h:62
Definition buffer.h:1097
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
size_t data_start
Definition ssl_mbedtls.h:55
buffer_entry * first_block
Definition ssl_mbedtls.h:56
buffer_entry * last_block
Definition ssl_mbedtls.h:57
Context used by external_pkcs1_sign()
Definition ssl_mbedtls.h:84
external_sign_func sign
Definition ssl_mbedtls.h:86
size_t signature_length
Definition ssl_mbedtls.h:85
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Definition list.h:53
bio_ctx * bio_ctx
mbedtls_ssl_config * ssl_config
mbedTLS global ssl config
mbedtls_ssl_context * ctx
mbedTLS connection context
struct tls_key_cache tls_key_cache
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name.
Definition ssl_util.h:77
const char * iana_name
Definition ssl_util.h:79
const char * openssl_name
Definition ssl_util.h:78
struct to cache TLS secrets for keying material exporter (RFC 5705).
Definition ssl_mbedtls.h:98
unsigned char master_secret[48]
mbedtls_tls_prf_types tls_prf_type
unsigned char client_server_random[64]
Definition ssl_mbedtls.h:99
Structure that wraps the TLS context.
mbedtls_x509_crl * crl
Certificate Revocation List.
mbedtls_x509_crt * crt_chain
Local Certificate chain.
mbedtls_x509_crt * ca_chain
CA chain for remote verification.
mbedtls_compat_group_id * groups
List of allowed groups for this connection.
int * allowed_ciphers
List of allowed ciphers for this connection.
mbedtls_dhm_context * dhm_ctx
Diffie-Helmann-Merkle context.
mbedtls_x509_crt_profile cert_profile
Allowed certificate types.
bool initialised
True if the context has been initialised.
int endpoint
Whether or not this is a server or a client.
struct external_context external_key
External key context.
mbedtls_pk_context * priv_key
Local private key.
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:131