36#if defined(ENABLE_CRYPTO_OPENSSL)
49#ifdef ENABLE_CRYPTOAPI
56#include <openssl/bn.h>
57#include <openssl/crypto.h>
58#include <openssl/dh.h>
59#include <openssl/dsa.h>
60#include <openssl/err.h>
61#include <openssl/pkcs12.h>
62#include <openssl/rsa.h>
63#include <openssl/x509.h>
64#include <openssl/ssl.h>
66#include <openssl/ec.h>
69#if OPENSSL_VERSION_NUMBER >= 0x30000000L
70#define HAVE_OPENSSL_STORE_API
71#include <openssl/ui.h>
72#include <openssl/store.h>
75#if defined(_MSC_VER) && !defined(_M_ARM64)
76#include <openssl/applink.c>
94 mydata_index = SSL_get_ex_new_index(0,
"struct session *", NULL, NULL, NULL);
110 if (ctx->
ctx == NULL)
114 if (ERR_peek_error() != 0)
128 if (ctx->
ctx == NULL)
132 if (ERR_peek_error() != 0)
143 SSL_CTX_free(ctx->
ctx);
152 return NULL != ctx->
ctx;
157 const char *label,
size_t label_size,
158 void *ekm,
size_t ekm_size)
163 if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
164 label_size, NULL, 0, 0) == 1)
179#ifndef INFO_CALLBACK_SSL_CONST
180#define INFO_CALLBACK_SSL_CONST const
185 if (where & SSL_CB_LOOP)
188 where & SSL_ST_CONNECT ?
"connect" :
189 where &SSL_ST_ACCEPT ?
"accept" :
190 "undefined", SSL_state_string_long(s));
192 else if (where & SSL_CB_ALERT)
195 where & SSL_CB_READ ?
"Received" :
"Sent",
196 SSL_alert_type_string_long(ret),
197 SSL_alert_desc_string_long(ret));
209#if defined(TLS1_3_VERSION)
212#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
224 if (OpenSSL_version_num() >= 0x1010100fL)
232#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
234#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
251 return TLS1_1_VERSION;
255 return TLS1_2_VERSION;
265#ifndef TLS1_3_VERSION
273 return TLS1_3_VERSION;
290 int cur_min = SSL_CTX_get_min_proto_version(ctx->
ctx);
291 tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
294 if (!SSL_CTX_set_min_proto_version(ctx->
ctx, tls_ver_min))
300 if (tls_ver_max && !SSL_CTX_set_max_proto_version(ctx->
ctx, tls_ver_max))
315 long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
316#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
317 sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
319 sslopt |= SSL_OP_NO_COMPRESSION;
323#ifdef SSL_OP_NO_RENEGOTIATION
324 sslopt |= SSL_OP_NO_RENEGOTIATION;
327 SSL_CTX_set_options(ctx->
ctx, sslopt);
334#ifdef SSL_MODE_RELEASE_BUFFERS
335 SSL_CTX_set_mode(ctx->
ctx, SSL_MODE_RELEASE_BUFFERS);
337 SSL_CTX_set_session_cache_mode(ctx->
ctx, SSL_SESS_CACHE_OFF);
341 int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
348 verify_flags = SSL_VERIFY_PEER;
361 size_t begin_of_cipher, end_of_cipher;
363 const char *current_cipher;
364 size_t current_cipher_len;
368 size_t openssl_ciphers_len = 0;
369 openssl_ciphers[0] =
'\0';
372 begin_of_cipher = end_of_cipher = 0;
373 for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
375 end_of_cipher += strcspn(&ciphers[begin_of_cipher],
":");
378 if (NULL == cipher_pair)
381 current_cipher = &ciphers[begin_of_cipher];
382 current_cipher_len = end_of_cipher - begin_of_cipher;
387 msg(
D_LOW,
"No valid translation found for TLS cipher '%.*s'",
394 current_cipher_len = strlen(current_cipher);
396 if (end_of_cipher - begin_of_cipher == current_cipher_len
397 && 0 != memcmp(&ciphers[begin_of_cipher], cipher_pair->
iana_name,
398 end_of_cipher - begin_of_cipher))
406 if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
407 || (len - 1) < (openssl_ciphers_len + current_cipher_len))
410 "Failed to set restricted TLS cipher list, too long (>%d).",
415 memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
416 openssl_ciphers_len += current_cipher_len;
417 openssl_ciphers[openssl_ciphers_len] =
':';
418 openssl_ciphers_len++;
423 if (openssl_ciphers_len > 0)
425 openssl_ciphers[openssl_ciphers_len-1] =
'\0';
435 if (!SSL_CTX_set_cipher_list(ctx->
ctx,
452 char openssl_ciphers[4096];
458 if (!SSL_CTX_set_cipher_list(ctx->
ctx, openssl_ciphers))
460 crypto_msg(
M_FATAL,
"Failed to set restricted TLS cipher list: %s", openssl_ciphers);
473 if (strlen(ciphers) >= (len - 1))
476 "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
480 strncpy(openssl_ciphers, ciphers, len);
482 for (
size_t i = 0; i < strlen(openssl_ciphers); i++)
484 if (openssl_ciphers[i] ==
'-')
486 openssl_ciphers[i] =
'_';
501#if !defined(TLS1_3_VERSION)
503 "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
508 char openssl_ciphers[4096];
512 if (!SSL_CTX_set_ciphersuites(ctx->
ctx, openssl_ciphers))
523#if OPENSSL_VERSION_NUMBER > 0x10100000L \
524 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL)
529 if (!profile || 0 == strcmp(profile,
"legacy"))
531 SSL_CTX_set_security_level(ctx->
ctx, 1);
533 else if (0 == strcmp(profile,
"insecure"))
535 SSL_CTX_set_security_level(ctx->
ctx, 0);
537 else if (0 == strcmp(profile,
"preferred"))
539 SSL_CTX_set_security_level(ctx->
ctx, 2);
541 else if (0 == strcmp(profile,
"suiteb"))
543 SSL_CTX_set_security_level(ctx->
ctx, 3);
544 SSL_CTX_set_cipher_list(ctx->
ctx,
"SUITEB128");
548 msg(
M_FATAL,
"ERROR: Invalid cert profile: %s", profile);
553 msg(
M_WARN,
"WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
554 "--tls-cert-profile, ignoring user-set profile: '%s'", profile);
563#if OPENSSL_VERSION_NUMBER < 0x30000000L
585 while ((token =
strsep(&tmp_groups,
":")))
587 if (
streq(token,
"secp256r1"))
589 token =
"prime256v1";
591 int nid = OBJ_sn2nid(token);
595 msg(
M_WARN,
"Warning unknown curve/group specified: %s", token);
599 glist[glistlen] = nid;
611 if (!SSL_CTX_set1_groups_list(ctx->
ctx, groups))
627 cert = SSL_CTX_get0_certificate(ctx->
ctx);
634 ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
641 msg(
M_WARN,
"WARNING: Your certificate is not yet valid!");
644 ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
651 msg(
M_WARN,
"WARNING: Your certificate has expired!");
665 if (!(bio = BIO_new_mem_buf((
char *)dh_file, -1)))
673 if (!(bio = BIO_new_file(dh_file,
"r")))
679#if OPENSSL_VERSION_NUMBER >= 0x30000000L
680 EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
688 if (!SSL_CTX_set0_tmp_dh_pkey(ctx->
ctx, dh))
694 8 * EVP_PKEY_get_size(dh));
696 DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
704 if (!SSL_CTX_set_tmp_dh(ctx->
ctx, dh))
719#if OPENSSL_VERSION_NUMBER >= 0x30000000L
720 if (curve_name != NULL)
722 msg(
M_WARN,
"WARNING: OpenSSL 3.0+ builds do not support specifying an "
723 "ECDH curve with --ecdh-curve, using default curves. Use "
724 "--tls-groups to specify groups.");
726#elif !defined(OPENSSL_NO_EC)
729 const char *sname = NULL;
732 SSL_CTX_set_options(ctx->
ctx, SSL_OP_SINGLE_ECDH_USE);
734 if (curve_name != NULL)
737 msg(
D_TLS_DEBUG,
"Using user specified ECDH curve (%s)", curve_name);
738 nid = OBJ_sn2nid(curve_name);
746 sname = OBJ_nid2sn(nid);
753 if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid)))
756 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
757 const char *source = (NULL == curve_name) ?
758 "extract curve from certificate" :
"use supplied curve";
760 "Failed to %s (%s), using secp384r1 instead.", source, sname);
761 sname = OBJ_nid2sn(NID_secp384r1);
764 if (!SSL_CTX_set_tmp_ecdh(ctx->
ctx, ecdh))
773 msg(
D_LOW,
"Your OpenSSL library was built without elliptic curve support."
774 " Skipping ECDH parameter loading.");
778#if defined(HAVE_OPENSSL_STORE_API)
785ui_reader(UI *ui, UI_STRING *uis)
787 SSL_CTX *ctx = UI_get0_user_data(ui);
789 if (UI_get_string_type(uis) == UIT_PROMPT)
791 const char *prompt = UI_get0_output_string(uis);
794 if (strstr(prompt,
"PKCS#11"))
799 UI_set_result(ui, uis, up.password);
805 pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
806 void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx);
819clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
821 if (OSSL_STORE_error(store_ctx))
839 EVP_PKEY *pkey = NULL;
841#if !defined(HAVE_OPENSSL_STORE_API)
844 BIO *in = BIO_new_file(uri,
"r");
849 pkey = PEM_read_bio_PrivateKey(in, NULL,
850 SSL_CTX_get_default_passwd_cb(ssl_ctx),
851 SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx));
856 OSSL_STORE_CTX *store_ctx = NULL;
857 OSSL_STORE_INFO *info = NULL;
859 UI_METHOD *ui_method = UI_create_method(
"openvpn");
862 msg(
M_WARN,
"OpenSSL UI creation failed");
865 UI_method_set_reader(ui_method, ui_reader);
867 store_ctx = OSSL_STORE_open_ex(uri,
tls_libctx, NULL, ui_method, ssl_ctx,
873 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_PKEY) != 1)
879 info = OSSL_STORE_load(store_ctx);
880 if (info || OSSL_STORE_eof(store_ctx))
888 clear_ossl_store_error(store_ctx);
894 pkey = OSSL_STORE_INFO_get1_PKEY(info);
895 OSSL_STORE_INFO_free(info);
899 OSSL_STORE_close(store_ctx);
900 UI_destroy_method(ui_method);
909 bool pkcs12_file_inline,
bool load_ca_file)
914 STACK_OF(X509) *ca = NULL;
921 if (pkcs12_file_inline)
923 BIO *b64 = BIO_new(BIO_f_base64());
924 BIO *bio = BIO_new_mem_buf((
void *) pkcs12_file,
925 (
int) strlen(pkcs12_file));
928 p12 = d2i_PKCS12_bio(b64, NULL);
943 p12 = d2i_PKCS12_fp(fp, NULL);
952 if (!PKCS12_parse(p12,
"", &pkey, &cert, &ca))
957 if (!PKCS12_parse(p12,
password, &pkey, &cert, &ca))
960 "or unsupported/legacy encryption");
961#ifdef ENABLE_MANAGEMENT
962 if (
management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
974 if (!SSL_CTX_use_certificate(ctx->
ctx, cert))
981 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, pkey))
987 if (!SSL_CTX_check_private_key(ctx->
ctx))
999 if (ca && sk_X509_num(ca))
1001 for (i = 0; i < sk_X509_num(ca); i++)
1003 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->
ctx);
1004 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
1006 crypto_msg(
M_FATAL,
"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
1008 if (!SSL_CTX_add_client_CA(ctx->
ctx, sk_X509_value(ca, i)))
1010 crypto_msg(
M_FATAL,
"Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
1022 if (ca && sk_X509_num(ca))
1024 for (i = 0; i < sk_X509_num(ca); i++)
1026 if (!SSL_CTX_add_extra_chain_cert(ctx->
ctx, sk_X509_value(ca, i)))
1028 crypto_msg(
M_FATAL,
"Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
1036#ifdef ENABLE_CRYPTOAPI
1045 crypto_msg(
M_FATAL,
"Cannot load certificate \"%s\" from Microsoft Certificate Store", cryptoapi_cert);
1057 if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
1064 && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
1067 (void)ERR_get_error();
1075 if (SSL_CTX_add_extra_chain_cert(ctx->
ctx, cert) != 1)
1087#if defined(HAVE_OPENSSL_STORE_API)
1097#if defined(HAVE_OPENSSL_STORE_API)
1100 OSSL_STORE_CTX *store_ctx = NULL;
1101 OSSL_STORE_INFO *info = NULL;
1105 UI_METHOD *ui_method = UI_create_method(
"openvpn");
1108 msg(
M_WARN,
"OpenSSL UI method creation failed");
1111 UI_method_set_reader(ui_method, ui_reader);
1113 store_ctx = OSSL_STORE_open_ex(uri,
tls_libctx, NULL, ui_method, tls_ctx->
ctx,
1119 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_CERT) != 1)
1126 info = OSSL_STORE_load(store_ctx);
1127 if (info || OSSL_STORE_eof(store_ctx))
1135 clear_ossl_store_error(store_ctx);
1142 x = OSSL_STORE_INFO_get0_CERT(info);
1149 ret = SSL_CTX_use_certificate(tls_ctx->
ctx, x);
1154 OSSL_STORE_INFO_free(info);
1158 while (!OSSL_STORE_eof(store_ctx))
1160 info = OSSL_STORE_load(store_ctx);
1163 clear_ossl_store_error(store_ctx);
1166 x = OSSL_STORE_INFO_get1_CERT(info);
1167 if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->
ctx, x) != 1)
1173 OSSL_STORE_INFO_free(info);
1188 UI_destroy_method(ui_method);
1189 OSSL_STORE_INFO_free(info);
1190 OSSL_STORE_close(store_ctx);
1198 bool cert_file_inline)
1206 if (cert_file_inline)
1208 in = BIO_new_mem_buf((
char *) cert_file, -1);
1212 in = BIO_new_file((
char *) cert_file,
"r");
1217 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
1221 x = PEM_read_bio_X509(in, NULL,
1222 SSL_CTX_get_default_passwd_cb(ctx->
ctx),
1223 SSL_CTX_get_default_passwd_cb_userdata(ctx->
ctx));
1226 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
1230 ret = SSL_CTX_use_certificate(ctx->
ctx, x);
1240 if (cert_file_inline)
1260 bool cert_file_inline)
1274 bool priv_key_file_inline)
1276 SSL_CTX *ssl_ctx = NULL;
1278 EVP_PKEY *pkey = NULL;
1285 if (priv_key_file_inline)
1287 in = BIO_new_mem_buf((
char *) priv_key_file, -1);
1292 pkey = PEM_read_bio_PrivateKey(in, NULL,
1293 SSL_CTX_get_default_passwd_cb(ctx->
ctx),
1294 SSL_CTX_get_default_passwd_cb_userdata(ctx->
ctx));
1301 if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
1303#ifdef ENABLE_MANAGEMENT
1304 if (
management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1315 if (!SSL_CTX_check_private_key(ssl_ctx))
1322 EVP_PKEY_free(pkey);
1333 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->
ctx);
1342 STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
1343 for (
int i = 0; i < sk_X509_OBJECT_num(objs); i++)
1345 X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
1347 if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
1349 sk_X509_OBJECT_delete(objs, i);
1350 X509_OBJECT_free(obj);
1354 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1358 in = BIO_new_mem_buf((
char *) crl_file, -1);
1362 in = BIO_new_file(crl_file,
"r");
1372 int num_crls_loaded = 0;
1375 X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
1381 bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
1383 if (num_crls_loaded > 0 && eof)
1386 (void)ERR_get_error();
1395 if (!X509_STORE_add_crl(store, crl))
1405 msg(
M_INFO,
"CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
1411#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
1415rsa_pub_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1415rsa_pub_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding) {
…}
1423rsa_pub_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1423rsa_pub_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding) {
…}
1431rsa_priv_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1431rsa_priv_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding) {
…}
1444 const RSA_METHOD *meth = RSA_get_method(rsa);
1445 RSA_meth_free((RSA_METHOD *)meth);
1458 case RSA_PKCS1_PADDING:
1459 return "RSA_PKCS1_PADDING";
1461 case RSA_NO_PADDING:
1462 return "RSA_NO_PADDING";
1482 unsigned char *sig,
unsigned int siglen,
1483 const char *algorithm)
1485 char *in_b64 = NULL;
1486 char *out_b64 = NULL;
1508rsa_priv_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
1511 unsigned int len = RSA_size(rsa);
1514 if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING)
1516 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
1522 return (ret == len) ? ret : -1;
1508rsa_priv_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa, {
…}
1529 RSA_METHOD *rsa_meth;
1533 const RSA *pub_rsa = EVP_PKEY_get0_RSA(pkey);
1537 rsa_meth = RSA_meth_new(
"OpenVPN external private key RSA Method",
1538 RSA_METHOD_FLAG_NO_CHECK);
1544 RSA_meth_set_init(rsa_meth, NULL);
1546 RSA_meth_set0_app_data(rsa_meth, NULL);
1552 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
1557 const BIGNUM *n = NULL;
1558 const BIGNUM *e = NULL;
1559 RSA_get0_key(pub_rsa, &n, &e, NULL);
1560 RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
1561 RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
1562 if (!RSA_set_method(rsa, rsa_meth))
1564 RSA_meth_free(rsa_meth);
1570 if (!SSL_CTX_use_RSAPrivateKey(ctx->
ctx, rsa))
1585 RSA_meth_free(rsa_meth);
1590#if !defined(OPENSSL_NO_EC)
1597 const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
1598 EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth);
1606ecdsa_sign(
int type,
const unsigned char *dgst,
int dgstlen,
unsigned char *sig,
1607 unsigned int *siglen,
const BIGNUM *kinv,
const BIGNUM *r, EC_KEY *ec)
1609 int capacity = ECDSA_size(ec);
1606ecdsa_sign(
int type,
const unsigned char *dgst,
int dgstlen,
unsigned char *sig, {
…}
1638 const BIGNUM *in_r, EC_KEY *ec)
1640 ECDSA_SIG *ecsig = NULL;
1641 unsigned int len = ECDSA_size(ec);
1645 if (
ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec) != 1)
1650 ecsig = d2i_ECDSA_SIG(NULL, (
const unsigned char **)&buf, len);
1661 EVP_PKEY *privkey = NULL;
1662 EC_KEY_METHOD *ec_method;
1666 ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
1674#ifdef OPENSSL_IS_AWSLC
1680 ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
1683 EC_KEY_METHOD_free(ec_method);
1686 if (!EC_KEY_set_method(ec, ec_method))
1688 EC_KEY_METHOD_free(ec_method);
1693 privkey = EVP_PKEY_new();
1694 if (!EVP_PKEY_assign_EC_KEY(privkey, ec))
1700 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1706 EVP_PKEY_free(privkey);
1711 EVP_PKEY_free(privkey);
1718#ifdef ENABLE_MANAGEMENT
1726 X509 *cert = SSL_CTX_get0_certificate(ctx->
ctx);
1731 EVP_PKEY *pkey = X509_get0_pubkey(cert);
1734#ifdef HAVE_XKEY_PROVIDER
1735 EVP_PKEY *privkey = xkey_load_management_key(
tls_libctx, pkey);
1737 || !SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1739 EVP_PKEY_free(privkey);
1742 EVP_PKEY_free(privkey);
1744#if OPENSSL_VERSION_NUMBER < 0x30000000L
1745 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
1747 if (EVP_PKEY_is_a(pkey,
"RSA"))
1755#if !defined(OPENSSL_NO_EC)
1756#if OPENSSL_VERSION_NUMBER < 0x30000000L
1757 else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
1759 else if (EVP_PKEY_is_a(pkey,
"EC"))
1769 crypto_msg(
M_WARN,
"management-external-key requires an RSA or EC certificate");
1796 return X509_NAME_cmp(*a, *b);
1801 bool ca_file_inline,
const char *ca_path,
bool tls_server)
1803 STACK_OF(X509_INFO) *info_stack = NULL;
1804 STACK_OF(X509_NAME) *cert_names = NULL;
1805 X509_LOOKUP *lookup = NULL;
1806 X509_STORE *store = NULL;
1807 X509_NAME *xn = NULL;
1809 int i, added = 0, prev = 0;
1813 store = SSL_CTX_get_cert_store(ctx->
ctx);
1824 in = BIO_new_mem_buf((
char *)ca_file, -1);
1828 in = BIO_new_file(ca_file,
"r");
1833 info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
1838 for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
1840 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
1843 X509_STORE_add_crl(store, info->crl);
1846 if (tls_server && !info->x509)
1853 X509_STORE_add_cert(store, info->x509);
1862 if (cert_names == NULL)
1871 xn = X509_get_subject_name(info->x509);
1878 if (sk_X509_NAME_find(cert_names, xn) == -1)
1880 xn = X509_NAME_dup(xn);
1885 sk_X509_NAME_push(cert_names, xn);
1891 int cnum = sk_X509_NAME_num(cert_names);
1892 if (cnum != (prev + 1))
1895 "Cannot load CA certificate file %s (entry %d did not validate)",
1902 sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
1907 cnum = sk_X509_NAME_num(cert_names);
1908 SSL_CTX_set_client_CA_list(ctx->
ctx, cert_names);
1914 "Cannot load CA certificate file %s (no entries were read)",
1923 "of %d entries were valid X509 names)",
1935 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1936 if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
1938 msg(
M_WARN,
"WARNING: experimental option --capath %s", ca_path);
1944 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1950 bool extra_certs_file_inline)
1953 if (extra_certs_file_inline)
1955 in = BIO_new_mem_buf((
char *)extra_certs_file, -1);
1959 in = BIO_new_file(extra_certs_file,
"r");
1966 extra_certs_file_inline));
1990#warning BIO_DEBUG defined
1993static bool biofp_toggle;
1994static time_t biofp_last_open;
1995static const int biofp_reopen_interval = 600;
2010 const time_t current = time(NULL);
2011 const pid_t pid = getpid();
2013 if (biofp_last_open + biofp_reopen_interval < current)
2020 snprintf(fn,
sizeof(fn),
"bio/%d-%d.log", pid, biofp_toggle);
2021 biofp = fopen(fn,
"w");
2023 biofp_last_open = time(NULL);
2029bio_debug_data(
const char *mode, BIO *bio,
const uint8_t *buf,
int len,
const char *desc)
2035 fprintf(biofp,
"BIO_%s %s time=%" PRIi64
" bio=" ptr_format " len=%d data=%s\n",
2043bio_debug_oc(
const char *mode, BIO *bio)
2046 fprintf(biofp,
"BIO %s time=%" PRIi64
" bio=" ptr_format "\n",
2047 mode, (int64_t)time(NULL), (
ptr_type)bio);
2057bio_write(BIO *bio,
const uint8_t *data,
int size,
const char *desc)
2071 bio_debug_data(
"write", bio, data, size, desc);
2073 i = BIO_write(bio, data, size);
2077 if (!BIO_should_retry(bio))
2057bio_write(BIO *bio,
const uint8_t *data,
int size,
const char *desc) {
…}
2134 int i = BIO_read(bio,
BPTR(buf), len);
2139 bio_debug_data(
"read", bio,
BPTR(buf), i, desc);
2145 if (!BIO_should_retry(bio))
2174 ks_ssl->
ssl = SSL_new(ssl_ctx->
ctx);
2189 bio_debug_oc(
"open ssl_bio", ks_ssl->
ssl_bio);
2190 bio_debug_oc(
"open ct_in", ks_ssl->
ct_in);
2191 bio_debug_oc(
"open ct_out", ks_ssl->
ct_out);
2196 SSL_set_accept_state(ks_ssl->
ssl);
2200 SSL_set_connect_state(ks_ssl->
ssl);
2204 BIO_set_ssl(ks_ssl->
ssl_bio, ks_ssl->
ssl, BIO_NOCLOSE);
2210 SSL_set_shutdown(ks_ssl->
ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2219 bio_debug_oc(
"close ssl_bio", ks_ssl->
ssl_bio);
2220 bio_debug_oc(
"close ct_in", ks_ssl->
ct_in);
2221 bio_debug_oc(
"close ct_out", ks_ssl->
ct_out);
2223 BIO_free_all(ks_ssl->
ssl_bio);
2224 SSL_free(ks_ssl->
ssl);
2237 "tls_write_plaintext");
2304 const char *curve =
"";
2305 const char *type =
"(error getting type)";
2313 int typeid = EVP_PKEY_id(pkey);
2314#if OPENSSL_VERSION_NUMBER < 0x30000000L
2315 bool is_ec =
typeid == EVP_PKEY_EC;
2317 bool is_ec = EVP_PKEY_is_a(pkey,
"EC");
2320#ifndef OPENSSL_NO_EC
2331 curve =
"(error getting curve name)";
2337#if OPENSSL_VERSION_NUMBER < 0x30000000L
2338 type = OBJ_nid2sn(
typeid);
2342 if (
typeid == EVP_PKEY_RSA)
2346 else if (
typeid == EVP_PKEY_DSA)
2350 else if (
typeid == EVP_PKEY_EC)
2353 type =
"EC, curve ";
2355 else if (type == NULL)
2357 type =
"unknown type";
2360 type = EVP_PKEY_get0_type_name(pkey);
2363 type =
"(error getting public key type)";
2368 snprintf(buf, buflen,
"%d bits %s%s",
2369 EVP_PKEY_bits(pkey), type, curve);
2381 EVP_PKEY *pkey = X509_get_pubkey(cert);
2382 char pkeybuf[64] = { 0 };
2385 char sig[128] = { 0 };
2386 int signature_nid = X509_get_signature_nid(cert);
2387 if (signature_nid != 0)
2389 snprintf(sig,
sizeof(sig),
", signature: %s",
2390 OBJ_nid2sn(signature_nid));
2393 snprintf(buf, buflen,
", peer certificate: %s%s",
2396 EVP_PKEY_free(pkey);
2402 EVP_PKEY *pkey = NULL;
2403 SSL_get_peer_tmp_key(ssl, &pkey);
2409 char pkeybuf[128] = { 0 };
2412 snprintf(buf, buflen,
", peer temporary key: %s",
2415 EVP_PKEY_free(pkey);
2418#if !defined(LIBRESSL_VERSION_NUMBER) \
2419 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2444 return "(error getting name)";
2447 return OBJ_nid2sn(nid);
2459 int peer_sig_type_nid = NID_undef;
2460 const char *peer_sig_unknown =
"unknown";
2461 const char *peer_sig = peer_sig_unknown;
2462 const char *peer_sig_type =
"unknown type";
2471#if !defined(LIBRESSL_VERSION_NUMBER) \
2472 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2475 if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid)
2476 && peer_sig_type_nid != NID_undef)
2482 if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef)
2487 snprintf(buf, buflen,
", peer signing digest/type: %s %s",
2488 peer_sig, peer_sig_type);
2491#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2493print_tls_key_agreement_group(SSL *ssl,
char *buf,
size_t buflen)
2495 const char *groupname = SSL_get0_group_name(ssl);
2498 snprintf(buf, buflen,
", key agreement: (error fetching group)");
2502 snprintf(buf, buflen,
", key agreement: %s", groupname);
2517 const SSL_CIPHER *ciph;
2524 s1[0] = s2[0] = s3[0] = s4[0] = s5[0] = 0;
2525 ciph = SSL_get_current_cipher(ks_ssl->
ssl);
2526 snprintf(s1,
sizeof(s1),
"%s %s, cipher %s %s",
2528 SSL_get_version(ks_ssl->
ssl),
2529 SSL_CIPHER_get_version(ciph),
2530 SSL_CIPHER_get_name(ciph));
2531 X509 *cert = SSL_get_peer_certificate(ks_ssl->
ssl);
2540#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2541 print_tls_key_agreement_group(ks_ssl->
ssl, s5,
sizeof(s5));
2549 const char *tls_cert_profile,
2554 tls_ctx.
ctx = SSL_CTX_new(SSLv23_method());
2560#if defined(TLS1_3_VERSION)
2563 SSL_CTX_set_min_proto_version(tls_ctx.
ctx,
2570 SSL_CTX_set_max_proto_version(tls_ctx.
ctx, TLS1_2_VERSION);
2576 SSL *ssl = SSL_new(tls_ctx.
ctx);
2582#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
2583 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
2585 STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
2587 for (
int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
2589 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
2591 const char *cipher_name = SSL_CIPHER_get_name(c);
2598 printf(
"%s\n", cipher_name);
2600 else if (NULL == pair)
2603 printf(
"%s (No IANA name known to OpenVPN, use OpenSSL name.)\n",
2611#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
2612 sk_SSL_CIPHER_free(sk);
2615 SSL_CTX_free(tls_ctx.
ctx);
2625 printf(
"Consider using 'openssl ecparam -list_curves' as alternative to running\n"
2627 "Note this output does only list curves/groups that OpenSSL considers as\n"
2628 "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
2629#ifndef OPENSSL_NO_EC
2630 EC_builtin_curve *curves = NULL;
2634 crv_len = EC_get_builtin_curves(NULL, 0);
2636 if (EC_get_builtin_curves(curves, crv_len))
2638 printf(
"\nAvailable Elliptic curves/groups:\n");
2639 for (n = 0; n < crv_len; n++)
2642 sname = OBJ_nid2sn(curves[n].nid);
2648 printf(
"%s\n", sname);
2657 msg(
M_WARN,
"Your OpenSSL library was built without elliptic curve support. "
2658 "No curves available.");
2665 return OpenSSL_version(OPENSSL_VERSION);
2670#ifdef HAVE_XKEY_PROVIDER
2674 const char *name = OSSL_PROVIDER_get0_name(prov);
2675 OSSL_PROVIDER_load(dest_libctx, name);
2683 OSSL_PROVIDER_unload(prov);
2698#ifdef HAVE_XKEY_PROVIDER
2711 OSSL_PROVIDER_do_all(NULL, provider_load,
tls_libctx);
2714 if (!OSSL_PROVIDER_available(
tls_libctx,
"ovpn.xkey"))
2716 OSSL_PROVIDER_add_builtin(
tls_libctx,
"ovpn.xkey", xkey_provider_init);
2717 if (!OSSL_PROVIDER_load(
tls_libctx,
"ovpn.xkey"))
2719 msg(
M_NONFATAL,
"ERROR: failed loading external key provider: "
2720 "Signing with external keys will not work.");
2730 EVP_set_default_properties(
tls_libctx,
"?provider!=ovpn.xkey");
2741#ifdef HAVE_XKEY_PROVIDER
2744 OSSL_PROVIDER_do_all(
tls_libctx, provider_unload, NULL);
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
char * string_alloc(const char *str, struct gc_arena *gc)
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
static int buf_forward_capacity(const struct buffer *buf)
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
static void check_malloc_return(void *p)
static void gc_free(struct gc_arena *a)
#define ALLOC_ARRAY(dptr, type, n)
static struct gc_arena gc_new(void)
char * strsep(char **stringp, const char *delim)
const char * print_key_filename(const char *str, bool is_inline)
To be used when printing a string that may contain inline data.
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
#define crypto_msg(flags,...)
Retrieve any OpenSSL errors, then print the supplied error message.
int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
#define D_HANDSHAKE_VERBOSE
#define KS_PRIMARY
Primary key state index.
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
static int constrain_int(int x, int min, int max)
static SERVICE_STATUS status
void management_auth_failure(struct management *man, const char *type, const char *reason)
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
#define VALGRIND_MAKE_READABLE(addr, len)
void purge_user_pass(struct user_pass *up, const bool force)
#define GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_PASSWORD_ONLY
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
OpenSSL compatibility stub.
static int SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
static int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
#define SSL_CTX_set1_groups
#define SSL_CTX_new_ex(libctx, propq, method)
Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3.
static void perf_push(int type)
#define PERF_BIO_READ_PLAINTEXT
#define PERF_BIO_WRITE_CIPHERTEXT
static void perf_pop(void)
#define PERF_BIO_READ_CIPHERTEXT
#define PERF_BIO_WRITE_PLAINTEXT
int openvpn_base64_decode(const char *str, void *data, int size)
int openvpn_base64_encode(const void *data, int size, char **str)
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Control Channel SSL library backend module.
Control Channel Common Data Structures.
#define SSLF_TLS_VERSION_MAX_SHIFT
#define UP_TYPE_PRIVATE_KEY
#define SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_MASK
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
static int bio_read(BIO *bio, struct buffer *buf, const char *desc)
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
static void openvpn_extkey_ec_finish(EC_KEY *ec)
static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
static int bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
static int openvpn_extkey_rsa_finish(RSA *rsa)
static int tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
static int openssl_tls_version(int ver)
Convert internal version number to openssl version number.
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
void load_xkey_provider(void)
Some helper routines for provider load/unload.
static void print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
static void print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
static void * load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx)
Load private key from OSSL_STORE URI or file uri : URI of object or filename ssl_ctx : SSL_CTX for UI...
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
static void print_peer_signature(SSL *ssl, char *buf, size_t buflen)
Get the type of the signature that is used by the peer during the TLS handshake.
OSSL_LIB_CTX * tls_libctx
static const char * get_sigtype(int nid)
Translate an OpenSSL NID into a more human readable name.
int mydata_index
Allocate space in SSL objects in which to store a struct tls_session pointer back to parent.
static void print_cert_details(X509 *cert, char *buf, size_t buflen)
Print human readable information about the certificate into buf.
static int ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
static bool cert_uri_supported(void)
static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
#define INFO_CALLBACK_SSL_CONST
static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void bio_write_post(const int status, struct buffer *buf)
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
static void unload_xkey_provider(void)
Undo steps in load_xkey_provider.
const char * get_rsa_padding_name(const int padding)
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
static int get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, unsigned int siglen, const char *algorithm)
Pass the input hash in 'dgst' to management and get the signature back.
static void tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
static void tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
static void info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
static int tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
static ECDSA_SIG * ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec)
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
static void convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
int get_num_elements(const char *string, char delimiter)
Returns the occurrences of 'delimiter' in a string +1 This is typically used to find out the number e...
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Control Channel Verification Module OpenSSL backend.
Wrapper structure for dynamically allocated memory.
int len
Length in bytes of the actual content within the allocated memory.
Garbage collection arena used to keep track of dynamically allocated memory.
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name.
const char * openssl_name
Structure that wraps the TLS context.
Security parameter state of a single session within a VPN tunnel.
char password[USER_PASS_LEN]
static int cleanup(void **state)