#include "syshead.h"#include "errlevel.h"#include "buffer.h"#include "misc.h"#include "manage.h"#include "memdbg.h"#include "ssl_backend.h"#include "ssl_common.h"#include "base64.h"#include "openssl_compat.h"#include "xkey_common.h"#include "cryptoapi.h"#include "ssl_verify_openssl.h"#include "ssl_util.h"#include <openssl/bn.h>#include <openssl/crypto.h>#include <openssl/dh.h>#include <openssl/dsa.h>#include <openssl/err.h>#include <openssl/pkcs12.h>#include <openssl/rsa.h>#include <openssl/x509.h>#include <openssl/ssl.h>#include <openssl/ec.h>
Go to the source code of this file.
Macros | |
| #define | INFO_CALLBACK_SSL_CONST const |
Functions | |
| static void | unload_xkey_provider (void) |
| Undo steps in load_xkey_provider. More... | |
| void | tls_init_lib (void) |
| Perform any static initialisation necessary by the library. More... | |
| void | tls_free_lib (void) |
| Free any global SSL library-specific data structures. More... | |
| void | tls_ctx_server_new (struct tls_root_ctx *ctx) |
| Initialise a library-specific TLS context for a server. More... | |
| void | tls_ctx_client_new (struct tls_root_ctx *ctx) |
| Initialises a library-specific TLS context for a client. More... | |
| void | tls_ctx_free (struct tls_root_ctx *ctx) |
| Frees the library-specific TLSv1 context. More... | |
| bool | tls_ctx_initialised (struct tls_root_ctx *ctx) |
| Checks whether the given TLS context is initialised. More... | |
| bool | key_state_export_keying_material (struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size) |
| Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TLS channel. More... | |
| static void | info_callback (INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) |
| int | tls_version_max (void) |
| Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation. More... | |
| static int | openssl_tls_version (int ver) |
| Convert internal version number to openssl version number. More... | |
| static bool | tls_ctx_set_tls_versions (struct tls_root_ctx *ctx, unsigned int ssl_flags) |
| bool | tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags) |
| Set any library specific options. More... | |
| void | convert_tls_list_to_openssl (char *openssl_ciphers, size_t len, const char *ciphers) |
| void | tls_ctx_restrict_ciphers (struct tls_root_ctx *ctx, const char *ciphers) |
| Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below. More... | |
| void | convert_tls13_list_to_openssl (char *openssl_ciphers, size_t len, const char *ciphers) |
| void | tls_ctx_restrict_ciphers_tls13 (struct tls_root_ctx *ctx, const char *ciphers) |
| Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher. More... | |
| void | tls_ctx_set_cert_profile (struct tls_root_ctx *ctx, const char *profile) |
| Set the TLS certificate profile. More... | |
| void | tls_ctx_set_tls_groups (struct tls_root_ctx *ctx, const char *groups) |
| Set the (elliptic curve) group allowed for signatures and key exchange. More... | |
| void | tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) |
| Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or has expired. More... | |
| void | tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) |
| Load Diffie Hellman Parameters, and load them into the library-specific TLS context. More... | |
| void | tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name) |
| Load Elliptic Curve Parameters, and load them into the library-specific TLS context. More... | |
| int | tls_ctx_load_pkcs12 (struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file) |
| Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context. More... | |
| void | tls_ctx_load_cryptoapi (struct tls_root_ctx *ctx, const char *cryptoapi_cert) |
| Use Windows cryptoapi for key and cert, and add to library-specific TLS context. More... | |
| static void | tls_ctx_add_extra_certs (struct tls_root_ctx *ctx, BIO *bio, bool optional) |
| void | tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline) |
| Load certificate file into the given TLS context. More... | |
| int | tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline) |
| Load private key file into the given TLS context. More... | |
| void | backend_tls_ctx_reload_crl (struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline) |
| Reload the Certificate Revocation List for the SSL channel. More... | |
| static int | rsa_pub_enc (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) |
| static int | rsa_pub_dec (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) |
| static int | rsa_priv_dec (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) |
| static int | openvpn_extkey_rsa_finish (RSA *rsa) |
| const char * | get_rsa_padding_name (const int padding) |
| static int | get_sig_from_man (const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, unsigned int siglen, const char *algorithm) |
| Pass the input hash in 'dgst' to management and get the signature back. More... | |
| static int | rsa_priv_enc (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) |
| static int | tls_ctx_use_external_rsa_key (struct tls_root_ctx *ctx, EVP_PKEY *pkey) |
| static void | openvpn_extkey_ec_finish (EC_KEY *ec) |
| static int | ecdsa_sign (int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) |
| static int | ecdsa_sign_setup (EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) |
| static ECDSA_SIG * | ecdsa_sign_sig (const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec) |
| static int | tls_ctx_use_external_ec_key (struct tls_root_ctx *ctx, EVP_PKEY *pkey) |
| int | tls_ctx_use_management_external_key (struct tls_root_ctx *ctx) |
| Tell the management interface to load the given certificate and the external private key matching the given certificate. More... | |
| static int | sk_x509_name_cmp (const X509_NAME *const *a, const X509_NAME *const *b) |
| void | tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server) |
| Load certificate authority certificates from the given file or path. More... | |
| void | tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline) |
| Load extra certificate authority certificates from the given file or path. More... | |
| static int | bio_write (BIO *bio, const uint8_t *data, int size, const char *desc) |
| static void | bio_write_post (const int status, struct buffer *buf) |
| static int | bio_read (BIO *bio, struct buffer *buf, const char *desc) |
| void | key_state_ssl_init (struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) |
| Initialise the SSL channel part of the given key state. More... | |
| void | key_state_ssl_shutdown (struct key_state_ssl *ks_ssl) |
| Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert. More... | |
| void | key_state_ssl_free (struct key_state_ssl *ks_ssl) |
| Free the SSL channel part of the given key state. More... | |
| int | key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf) |
| Insert a plaintext buffer into the TLS module. More... | |
| int | key_state_write_plaintext_const (struct key_state_ssl *ks_ssl, const uint8_t *data, int len) |
| Insert plaintext data into the TLS module. More... | |
| int | key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf) |
| Extract ciphertext data from the TLS module. More... | |
| int | key_state_write_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf) |
| Insert a ciphertext buffer into the TLS module. More... | |
| int | key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf) |
| Extract plaintext data from the TLS module. More... | |
| static void | print_pkey_details (EVP_PKEY *pkey, char *buf, size_t buflen) |
| static void | print_cert_details (X509 *cert, char *buf, size_t buflen) |
| Print human readable information about the certificate into buf. More... | |
| static void | print_server_tempkey (SSL *ssl, char *buf, size_t buflen) |
| static const char * | get_sigtype (int nid) |
| Translate an OpenSSL NID into a more human readable name. More... | |
| static void | print_peer_signature (SSL *ssl, char *buf, size_t buflen) |
| Get the type of the signature that is used by the peer during the TLS handshake. More... | |
| void | print_details (struct key_state_ssl *ks_ssl, const char *prefix) |
| void | show_available_tls_ciphers_list (const char *cipher_list, const char *tls_cert_profile, bool tls13) |
| void | show_available_curves (void) |
| void | get_highest_preference_tls_cipher (char *buf, int size) |
| const char * | get_ssl_library_version (void) |
| return a pointer to a static memory area containing the name and version number of the SSL library in use More... | |
| void | load_xkey_provider (void) |
| Some helper routines for provider load/unload. More... | |
Variables | |
| OSSL_LIB_CTX * | tls_libctx |
| int | mydata_index |
| Allocate space in SSL objects in which to store a struct tls_session pointer back to parent. More... | |
Macro Definition Documentation
◆ INFO_CALLBACK_SSL_CONST
| #define INFO_CALLBACK_SSL_CONST const |
Definition at line 173 of file ssl_openssl.c.
Function Documentation
◆ backend_tls_ctx_reload_crl()
| void backend_tls_ctx_reload_crl | ( | struct tls_root_ctx * | ssl_ctx, |
| const char * | crl_file, | ||
| bool | crl_inline | ||
| ) |
Reload the Certificate Revocation List for the SSL channel.
- Parameters
-
ssl_ctx The TLS context to use when reloading the CRL crl_file The file name to load the CRL from, or an array containing the inline CRL. crl_inline True if crl_file is an inline CRL.
Definition at line 1068 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, M_INFO, M_WARN, msg, and print_key_filename().
Referenced by tls_ctx_reload_crl().
◆ bio_read()
|
static |
Definition at line 1855 of file ssl_openssl.c.
References ASSERT, BLEN, BPTR, buf_forward_capacity(), crypto_msg, D_HANDSHAKE_VERBOSE, D_TLS_ERRORS, dmsg, buffer::len, and VALGRIND_MAKE_READABLE.
Referenced by key_state_read_ciphertext(), and key_state_read_plaintext().
◆ bio_write()
|
static |
Definition at line 1793 of file ssl_openssl.c.
References ASSERT, crypto_msg, D_HANDSHAKE_VERBOSE, D_TLS_ERRORS, and dmsg.
Referenced by key_state_write_ciphertext(), key_state_write_plaintext(), and key_state_write_plaintext_const().
◆ bio_write_post()
|
static |
Definition at line 1842 of file ssl_openssl.c.
References BLEN, BPTR, buffer::len, and status.
Referenced by key_state_write_ciphertext(), and key_state_write_plaintext().
◆ convert_tls13_list_to_openssl()
| void convert_tls13_list_to_openssl | ( | char * | openssl_ciphers, |
| size_t | len, | ||
| const char * | ciphers | ||
| ) |
Definition at line 458 of file ssl_openssl.c.
Referenced by tls_ctx_restrict_ciphers_tls13().
◆ convert_tls_list_to_openssl()
| void convert_tls_list_to_openssl | ( | char * | openssl_ciphers, |
| size_t | len, | ||
| const char * | ciphers | ||
| ) |
Definition at line 351 of file ssl_openssl.c.
References constrain_int(), D_LOW, tls_cipher_name_pair::iana_name, M_FATAL, M_WARN, msg, tls_cipher_name_pair::openssl_name, and tls_get_cipher_name_pair().
Referenced by tls_ctx_restrict_ciphers().
◆ ecdsa_sign()
|
static |
Definition at line 1346 of file ssl_openssl.c.
References get_sig_from_man().
Referenced by ecdsa_sign_sig(), and tls_ctx_use_external_ec_key().
◆ ecdsa_sign_setup()
|
static |
Definition at line 1367 of file ssl_openssl.c.
Referenced by tls_ctx_use_external_ec_key().
◆ ecdsa_sign_sig()
|
static |
Definition at line 1377 of file ssl_openssl.c.
References ecdsa_sign(), gc_free(), gc_malloc(), and gc_new().
Referenced by tls_ctx_use_external_ec_key().
◆ get_highest_preference_tls_cipher()
| void get_highest_preference_tls_cipher | ( | char * | buf, |
| int | size | ||
| ) |
Definition at line 2384 of file ssl_openssl.c.
References crypto_msg, tls_root_ctx::ctx, M_FATAL, and strncpynt().
◆ get_rsa_padding_name()
| const char* get_rsa_padding_name | ( | const int | padding | ) |
Definition at line 1194 of file ssl_openssl.c.
Referenced by rsa_priv_enc().
◆ get_sig_from_man()
|
static |
Pass the input hash in 'dgst' to management and get the signature back.
- Parameters
-
dgst hash to be signed dgstlen len of data in dgst sig On successful return signature is in sig. siglen length of buffer sig algorithm padding/hashing algorithm for the signature
- Returns
- signature length or -1 on error.
Definition at line 1221 of file ssl_openssl.c.
References management_query_pk_sig(), openvpn_base64_decode(), and openvpn_base64_encode().
Referenced by ecdsa_sign(), and rsa_priv_enc().
◆ get_sigtype()
|
static |
Translate an OpenSSL NID into a more human readable name.
- Parameters
-
nid
- Returns
Definition at line 2162 of file ssl_openssl.c.
Referenced by print_peer_signature().
◆ get_ssl_library_version()
| const char* get_ssl_library_version | ( | void | ) |
return a pointer to a static memory area containing the name and version number of the SSL library in use
Definition at line 2409 of file ssl_openssl.c.
Referenced by push_peer_info(), and show_library_versions().
◆ info_callback()
|
static |
Definition at line 176 of file ssl_openssl.c.
References D_HANDSHAKE_VERBOSE, D_TLS_DEBUG_LOW, and dmsg.
Referenced by tls_ctx_set_options().
◆ key_state_export_keying_material()
| bool key_state_export_keying_material | ( | struct tls_session * | session, |
| const char * | label, | ||
| size_t | label_size, | ||
| void * | ekm, | ||
| size_t | ekm_size | ||
| ) |
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TLS channel.
This exported keying material can then be used for a variety of purposes.
- Parameters
-
session The session associated with the given key_state label The label to use when exporting the key label_size The size of the label to use when exporting the key ekm Buffer to return the exported key material in ekm_size The size of ekm, in bytes
- Returns
- true if exporting succeeded, false otherwise
Definition at line 149 of file ssl_openssl.c.
References session::key, KS_PRIMARY, and secure_memzero().
◆ key_state_ssl_free()
| void key_state_ssl_free | ( | struct key_state_ssl * | ks_ssl | ) |
Free the SSL channel part of the given key state.
- Parameters
-
ks_ssl The SSL channel's state info to free
Definition at line 1950 of file ssl_openssl.c.
References key_state_ssl::ct_in, key_state_ssl::ct_out, key_state_ssl::ssl, and key_state_ssl::ssl_bio.
Referenced by key_state_free().
◆ key_state_ssl_init()
| void key_state_ssl_init | ( | struct key_state_ssl * | ks_ssl, |
| const struct tls_root_ctx * | ssl_ctx, | ||
| bool | is_server, | ||
| struct tls_session * | session | ||
| ) |
Initialise the SSL channel part of the given key state.
Settings will be loaded from a previously initialised TLS context.
- Parameters
-
ks_ssl The SSL channel's state info to initialise ssl_ctx The TLS context to use when initialising the channel. is_server Initialise a server? session The session associated with the given key_state
Definition at line 1904 of file ssl_openssl.c.
References ASSERT, CLEAR, crypto_msg, key_state_ssl::ct_in, key_state_ssl::ct_out, tls_root_ctx::ctx, M_FATAL, mydata_index, key_state_ssl::ssl, and key_state_ssl::ssl_bio.
Referenced by key_state_init().
◆ key_state_ssl_shutdown()
| void key_state_ssl_shutdown | ( | struct key_state_ssl * | ks_ssl | ) |
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition at line 1944 of file ssl_openssl.c.
References key_state_ssl::ssl.
Referenced by tls_multi_process(), and tls_process_state().
◆ load_xkey_provider()
| void load_xkey_provider | ( | void | ) |
Some helper routines for provider load/unload.
Load ovpn.xkey provider used for external key signing.
Setup ovpn.xey provider for signing with external keys. It is loaded into a custom library context so as not to pollute the default context. Alternatively we could override any system-wide property query set on the default context. But we want to avoid that.
Definition at line 2442 of file ssl_openssl.c.
References check_malloc_return(), M_NONFATAL, msg, and tls_libctx.
Referenced by init_ssl().
◆ openssl_tls_version()
|
static |
Convert internal version number to openssl version number.
Definition at line 236 of file ssl_openssl.c.
References TLS_VER_1_0, TLS_VER_1_1, TLS_VER_1_2, and TLS_VER_1_3.
Referenced by show_available_tls_ciphers_list(), and tls_ctx_set_tls_versions().
◆ openvpn_extkey_ec_finish()
|
static |
Definition at line 1334 of file ssl_openssl.c.
Referenced by tls_ctx_use_external_ec_key().
◆ openvpn_extkey_rsa_finish()
|
static |
Definition at line 1179 of file ssl_openssl.c.
Referenced by tls_ctx_use_external_rsa_key().
◆ print_cert_details()
|
static |
Print human readable information about the certificate into buf.
- Parameters
-
cert the certificate being used buf output buffer buflen output buffer length
Definition at line 2115 of file ssl_openssl.c.
References print_pkey_details().
Referenced by print_details().
◆ print_details()
| void print_details | ( | struct key_state_ssl * | ks_ssl, |
| const char * | prefix | ||
| ) |
Definition at line 2240 of file ssl_openssl.c.
References D_HANDSHAKE, msg, print_cert_details(), print_peer_signature(), print_server_tempkey(), and key_state_ssl::ssl.
Referenced by session_move_active().
◆ print_peer_signature()
|
static |
Get the type of the signature that is used by the peer during the TLS handshake.
Definition at line 2193 of file ssl_openssl.c.
References get_sigtype().
Referenced by print_details().
◆ print_pkey_details()
|
static |
Definition at line 2038 of file ssl_openssl.c.
References EVP_PKEY_get_group_name().
Referenced by print_cert_details(), and print_server_tempkey().
◆ print_server_tempkey()
|
static |
Definition at line 2136 of file ssl_openssl.c.
References print_pkey_details().
Referenced by print_details().
◆ rsa_priv_dec()
|
static |
Definition at line 1171 of file ssl_openssl.c.
References ASSERT.
Referenced by tls_ctx_use_external_rsa_key().
◆ rsa_priv_enc()
|
static |
Definition at line 1248 of file ssl_openssl.c.
References get_rsa_padding_name(), and get_sig_from_man().
Referenced by tls_ctx_use_external_rsa_key().
◆ rsa_pub_dec()
|
static |
Definition at line 1163 of file ssl_openssl.c.
References ASSERT.
Referenced by tls_ctx_use_external_rsa_key().
◆ rsa_pub_enc()
|
static |
Definition at line 1155 of file ssl_openssl.c.
References ASSERT.
Referenced by tls_ctx_use_external_rsa_key().
◆ show_available_curves()
| void show_available_curves | ( | void | ) |
Definition at line 2344 of file ssl_openssl.c.
References ALLOC_ARRAY, crypto_msg, M_FATAL, M_WARN, and msg.
Referenced by print_openssl_info().
◆ show_available_tls_ciphers_list()
| void show_available_tls_ciphers_list | ( | const char * | cipher_list, |
| const char * | tls_cert_profile, | ||
| bool | tls13 | ||
| ) |
Definition at line 2269 of file ssl_openssl.c.
References crypto_msg, tls_root_ctx::ctx, tls_cipher_name_pair::iana_name, M_FATAL, openssl_tls_version(), tls_ctx_restrict_ciphers(), tls_ctx_restrict_ciphers_tls13(), tls_ctx_set_cert_profile(), tls_get_cipher_name_pair(), and TLS_VER_1_3.
Referenced by show_available_tls_ciphers().
◆ sk_x509_name_cmp()
|
static |
Definition at line 1530 of file ssl_openssl.c.
Referenced by tls_ctx_load_ca().
◆ tls_ctx_add_extra_certs()
|
static |
Definition at line 915 of file ssl_openssl.c.
References crypto_msg, tls_root_ctx::ctx, and M_FATAL.
Referenced by tls_ctx_load_cert_file(), and tls_ctx_load_extra_certs().
◆ tls_ctx_check_cert_time()
| void tls_ctx_check_cert_time | ( | const struct tls_root_ctx * | ctx | ) |
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or has expired.
Note that this is a non-fatal error, since we compare against the system time, which might be incorrect.
- Parameters
-
ctx TLS context to get our certificate from.
Definition at line 613 of file ssl_openssl.c.
References ASSERT, tls_root_ctx::ctx, D_TLS_DEBUG_MED, M_WARN, and msg.
Referenced by init_ssl().
◆ tls_ctx_client_new()
| void tls_ctx_client_new | ( | struct tls_root_ctx * | ctx | ) |
Initialises a library-specific TLS context for a client.
- Parameters
-
ctx TLS context to initialise
Definition at line 115 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, M_WARN, SSL_CTX_new_ex, and tls_libctx.
Referenced by crypto_pem_encode_certificate(), and init_ssl().
◆ tls_ctx_free()
| void tls_ctx_free | ( | struct tls_root_ctx * | ctx | ) |
Frees the library-specific TLSv1 context.
- Parameters
-
ctx TLS context to free
Definition at line 133 of file ssl_openssl.c.
References ASSERT, tls_root_ctx::ctx, and unload_xkey_provider().
Referenced by crypto_pem_encode_certificate(), init_ssl(), and key_schedule_free().
◆ tls_ctx_initialised()
| bool tls_ctx_initialised | ( | struct tls_root_ctx * | ctx | ) |
Checks whether the given TLS context is initialised.
- Parameters
-
ctx TLS context to check
- Returns
- true if the context is initialised, false if not.
Definition at line 142 of file ssl_openssl.c.
References ASSERT, and tls_root_ctx::ctx.
Referenced by do_init_crypto_tls_c1(), and key_schedule_free().
◆ tls_ctx_load_ca()
| void tls_ctx_load_ca | ( | struct tls_root_ctx * | ctx, |
| const char * | ca_file, | ||
| bool | ca_file_inline, | ||
| const char * | ca_path, | ||
| bool | tls_server | ||
| ) |
Load certificate authority certificates from the given file or path.
Note that not all SSL libraries support loading from a path.
- Parameters
-
ctx TLS context to use ca_file The file name to load the CAs from, or a string containing the CAs in the case of inline files. ca_file_inline True if ca_file is an inline file ca_path The path to load the CAs from
Definition at line 1536 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, M_WARN, msg, print_key_filename(), and sk_x509_name_cmp().
Referenced by init_ssl().
◆ tls_ctx_load_cert_file()
| void tls_ctx_load_cert_file | ( | struct tls_root_ctx * | ctx, |
| const char * | cert_file, | ||
| bool | cert_file_inline | ||
| ) |
Load certificate file into the given TLS context.
If the given certificate file contains a certificate chain, load the whole chain.
- Parameters
-
ctx TLS context to use cert_file The file name to load the certificate from, or a string containing the certificate in the case of inline files. cert_file_inline True if cert_file is an inline file.
Definition at line 949 of file ssl_openssl.c.
References ASSERT, crypto_msg, crypto_print_openssl_errors(), tls_root_ctx::ctx, M_DEBUG, M_FATAL, M_WARN, and tls_ctx_add_extra_certs().
Referenced by crypto_pem_encode_certificate(), and init_ssl().
◆ tls_ctx_load_cryptoapi()
| void tls_ctx_load_cryptoapi | ( | struct tls_root_ctx * | ctx, |
| const char * | cryptoapi_cert | ||
| ) |
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
- Parameters
-
ctx TLS context to use crypto_api_cert String representing the certificate to load.
Definition at line 902 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, and SSL_CTX_use_CryptoAPI_certificate().
Referenced by init_ssl().
◆ tls_ctx_load_dh_params()
| void tls_ctx_load_dh_params | ( | struct tls_root_ctx * | ctx, |
| const char * | dh_file, | ||
| bool | dh_file_inline | ||
| ) |
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
- Parameters
-
ctx TLS context to use dh_file The file name to load the parameters from, or a string containing the parameters in the case of inline files. dh_file_inline True if dh_file is an inline file.
Definition at line 649 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, D_TLS_DEBUG_LOW, M_FATAL, msg, and print_key_filename().
Referenced by init_ssl().
◆ tls_ctx_load_ecdh_params()
| void tls_ctx_load_ecdh_params | ( | struct tls_root_ctx * | ctx, |
| const char * | curve_name | ||
| ) |
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
- Parameters
-
ctx TLS context to use curve_name The name of the elliptic curve to load.
Definition at line 710 of file ssl_openssl.c.
References crypto_msg, tls_root_ctx::ctx, D_LOW, D_TLS_DEBUG, D_TLS_DEBUG_LOW, M_FATAL, M_WARN, and msg.
Referenced by init_ssl().
◆ tls_ctx_load_extra_certs()
| void tls_ctx_load_extra_certs | ( | struct tls_root_ctx * | ctx, |
| const char * | extra_certs_file, | ||
| bool | extra_certs_file_inline | ||
| ) |
Load extra certificate authority certificates from the given file or path.
These Load extra certificates that are part of our own certificate chain but shouldn't be included in the verify chain.
- Parameters
-
ctx TLS context to use extra_certs_file The file name to load the certs from, or a string containing the certs in the case of inline files. extra_certs_file_inline True if extra_certs_file is an inline file.
Definition at line 1685 of file ssl_openssl.c.
References crypto_msg, M_FATAL, print_key_filename(), and tls_ctx_add_extra_certs().
Referenced by init_ssl().
◆ tls_ctx_load_pkcs12()
| int tls_ctx_load_pkcs12 | ( | struct tls_root_ctx * | ctx, |
| const char * | pkcs12_file, | ||
| bool | pkcs12_file_inline, | ||
| bool | load_ca_file | ||
| ) |
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
- Parameters
-
ctx TLS context to use pkcs12_file The file name to load the information from, or a string containing the information in the case of inline files. pkcs12_file_inline True if pkcs12_file is an inline file.
- Returns
- 1 if an error occurred, 0 if parsing was successful.
Definition at line 772 of file ssl_openssl.c.
References ASSERT, crypto_msg, crypto_print_openssl_errors(), tls_root_ctx::ctx, M_FATAL, M_WARN, management_auth_failure(), pem_password_callback(), platform_fopen(), and UP_TYPE_PRIVATE_KEY.
Referenced by init_ssl().
◆ tls_ctx_load_priv_file()
| int tls_ctx_load_priv_file | ( | struct tls_root_ctx * | ctx, |
| const char * | priv_key_file, | ||
| bool | priv_key_file_inline | ||
| ) |
Load private key file into the given TLS context.
- Parameters
-
ctx TLS context to use priv_key_file The file name to load the private key from, or a string containing the private key in the case of inline files. priv_key_file_inline True if priv_key_file is an inline file
- Returns
- 1 if an error occurred, 0 if parsing was successful.
Definition at line 1011 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, M_WARN, management_auth_failure(), print_key_filename(), and UP_TYPE_PRIVATE_KEY.
Referenced by init_ssl().
◆ tls_ctx_restrict_ciphers()
| void tls_ctx_restrict_ciphers | ( | struct tls_root_ctx * | ctx, |
| const char * | ciphers | ||
| ) |
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
- Parameters
-
ctx TLS context to restrict, must be valid. ciphers String containing : delimited cipher names, or NULL to use sane defaults.
Definition at line 423 of file ssl_openssl.c.
References ASSERT, convert_tls_list_to_openssl(), crypto_msg, tls_root_ctx::ctx, and M_FATAL.
Referenced by init_ssl(), and show_available_tls_ciphers_list().
◆ tls_ctx_restrict_ciphers_tls13()
| void tls_ctx_restrict_ciphers_tls13 | ( | struct tls_root_ctx * | ctx, |
| const char * | ciphers | ||
| ) |
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
- Parameters
-
ctx TLS context to restrict, must be valid. ciphers String containing : delimited cipher names, or NULL to use sane defaults.
Definition at line 485 of file ssl_openssl.c.
References ASSERT, convert_tls13_list_to_openssl(), crypto_msg, tls_root_ctx::ctx, M_FATAL, and M_WARN.
Referenced by init_ssl(), and show_available_tls_ciphers_list().
◆ tls_ctx_server_new()
| void tls_ctx_server_new | ( | struct tls_root_ctx * | ctx | ) |
Initialise a library-specific TLS context for a server.
- Parameters
-
ctx TLS context to initialise
Definition at line 97 of file ssl_openssl.c.
References ASSERT, crypto_msg, tls_root_ctx::ctx, M_FATAL, M_WARN, SSL_CTX_new_ex, and tls_libctx.
Referenced by init_ssl().
◆ tls_ctx_set_cert_profile()
| void tls_ctx_set_cert_profile | ( | struct tls_root_ctx * | ctx, |
| const char * | profile | ||
| ) |
Set the TLS certificate profile.
The profile defines which crypto algorithms may be used in the supplied certificate.
- Parameters
-
ctx TLS context to restrict, must be valid. profile The profile name ('preferred', 'legacy' or 'suiteb'). Defaults to 'preferred' if NULL.
Definition at line 514 of file ssl_openssl.c.
References tls_root_ctx::ctx, M_FATAL, M_WARN, and msg.
Referenced by init_ssl(), and show_available_tls_ciphers_list().
◆ tls_ctx_set_options()
| bool tls_ctx_set_options | ( | struct tls_root_ctx * | ctx, |
| unsigned int | ssl_flags | ||
| ) |
Set any library specific options.
Examples include disabling session caching, the password callback to use, and session verification parameters.
- Parameters
-
ctx TLS context to set options on ssl_flags SSL flags to set
- Returns
- true on success, false otherwise.
Definition at line 303 of file ssl_openssl.c.
References ASSERT, tls_root_ctx::ctx, info_callback(), pem_password_callback(), SSLF_CLIENT_CERT_NOT_REQUIRED, SSLF_CLIENT_CERT_OPTIONAL, tls_ctx_set_tls_versions(), and verify_callback().
Referenced by init_ssl().
◆ tls_ctx_set_tls_groups()
| void tls_ctx_set_tls_groups | ( | struct tls_root_ctx * | ctx, |
| const char * | groups | ||
| ) |
Set the (elliptic curve) group allowed for signatures and key exchange.
- Parameters
-
ctx TLS context to restrict, must be valid. groups List of groups that will be allowed, in priority, separated by :
Definition at line 553 of file ssl_openssl.c.
References ALLOC_ARRAY_CLEAR_GC, ASSERT, crypto_msg, tls_root_ctx::ctx, gc_free(), gc_new(), get_num_elements(), M_FATAL, M_WARN, msg, SSL_CTX_set1_groups, streq, string_alloc(), and strsep().
Referenced by init_ssl().
◆ tls_ctx_set_tls_versions()
|
static |
Definition at line 273 of file ssl_openssl.c.
References tls_root_ctx::ctx, D_TLS_ERRORS, msg, openssl_tls_version(), SSLF_TLS_VERSION_MAX_MASK, SSLF_TLS_VERSION_MAX_SHIFT, SSLF_TLS_VERSION_MIN_MASK, and SSLF_TLS_VERSION_MIN_SHIFT.
Referenced by tls_ctx_set_options().
◆ tls_ctx_use_external_ec_key()
|
static |
Definition at line 1398 of file ssl_openssl.c.
References ASSERT, tls_root_ctx::ctx, ecdsa_sign(), ecdsa_sign_setup(), ecdsa_sign_sig(), and openvpn_extkey_ec_finish().
Referenced by tls_ctx_use_management_external_key().
◆ tls_ctx_use_external_rsa_key()
|
static |
Definition at line 1266 of file ssl_openssl.c.
References ASSERT, check_malloc_return(), tls_root_ctx::ctx, openvpn_extkey_rsa_finish(), rsa_priv_dec(), rsa_priv_enc(), rsa_pub_dec(), and rsa_pub_enc().
Referenced by tls_ctx_use_management_external_key().
◆ tls_ctx_use_management_external_key()
| int tls_ctx_use_management_external_key | ( | struct tls_root_ctx * | ctx | ) |
Tell the management interface to load the given certificate and the external private key matching the given certificate.
- Parameters
-
ctx TLS context to use
- Returns
- 1 if an error occurred, 0 if successful.
Definition at line 1456 of file ssl_openssl.c.
References ASSERT, cleanup(), crypto_msg, tls_root_ctx::ctx, M_FATAL, M_WARN, tls_ctx_use_external_ec_key(), tls_ctx_use_external_rsa_key(), and tls_libctx.
Referenced by init_ssl().
◆ tls_free_lib()
| void tls_free_lib | ( | void | ) |
Free any global SSL library-specific data structures.
Definition at line 92 of file ssl_openssl.c.
Referenced by free_ssl_lib(), and main().
◆ tls_init_lib()
| void tls_init_lib | ( | void | ) |
Perform any static initialisation necessary by the library.
Called on OpenVPN initialisation
Definition at line 85 of file ssl_openssl.c.
References ASSERT, and mydata_index.
Referenced by init_ssl_lib(), and main().
◆ tls_version_max()
| int tls_version_max | ( | void | ) |
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
- Returns
- One of the TLS_VER_x constants (but not TLS_VER_BAD).
Definition at line 200 of file ssl_openssl.c.
References TLS_VER_1_0, TLS_VER_1_1, TLS_VER_1_2, and TLS_VER_1_3.
Referenced by options_postprocess_verify_ce(), show_available_tls_ciphers(), and tls_version_parse().
◆ unload_xkey_provider()
|
static |
Undo steps in load_xkey_provider.
Definition at line 2485 of file ssl_openssl.c.
References tls_libctx.
Referenced by tls_ctx_free().
Variable Documentation
◆ mydata_index
| int mydata_index |
Allocate space in SSL objects in which to store a struct tls_session pointer back to parent.
Definition at line 82 of file ssl_openssl.c.
Referenced by key_state_ssl_init(), tls_init_lib(), and verify_callback().
◆ tls_libctx
| OSSL_LIB_CTX* tls_libctx |
Definition at line 72 of file ssl_openssl.c.
Referenced by load_xkey_provider(), setup_pkcs11(), teardown_pkcs11(), test_tls_ctx_use_pkcs11(), tls_ctx_client_new(), tls_ctx_server_new(), tls_ctx_use_management_external_key(), and unload_xkey_provider().
