OpenVPN
ssl_openssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2026 Sentyron B.V. <openvpn@sentyron.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
29#ifdef HAVE_CONFIG_H
30#include "config.h"
31#endif
32
33#include "syshead.h"
34
35#if defined(ENABLE_CRYPTO_OPENSSL)
36
37#include "errlevel.h"
38#include "buffer.h"
39#include "misc.h"
40#include "manage.h"
41#include "memdbg.h"
42#include "ssl_backend.h"
43#include "ssl_common.h"
44#include "base64.h"
45#include "openssl_compat.h"
46#include "xkey_common.h"
47
48#ifdef ENABLE_CRYPTOAPI
49#include "cryptoapi.h"
50#endif
51
52#include "ssl_verify_openssl.h"
53#include "ssl_util.h"
54
55#include <openssl/bn.h>
56#include <openssl/crypto.h>
57#include <openssl/dh.h>
58#include <openssl/dsa.h>
59#include <openssl/err.h>
60#include <openssl/pkcs12.h>
61#include <openssl/rsa.h>
62#include <openssl/x509.h>
63#include <openssl/ssl.h>
64#ifndef OPENSSL_NO_EC
65#include <openssl/ec.h>
66#endif
67
68#if OPENSSL_VERSION_NUMBER >= 0x30000000L
69#define HAVE_OPENSSL_STORE_API
70#include <openssl/ui.h>
71#include <openssl/store.h>
72#endif
73
74#if defined(_MSC_VER) && !defined(_M_ARM64)
75#include <openssl/applink.c>
76#endif
77
78OSSL_LIB_CTX *tls_libctx; /* Global */
79
80static void unload_xkey_provider(void);
81
82/*
83 * Allocate space in SSL objects in which to store a struct tls_session
84 * pointer back to parent.
85 *
86 */
87
88int mydata_index; /* GLOBAL */
89
90void
91tls_init_lib(void)
92{
93 mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
94 ASSERT(mydata_index >= 0);
95}
96
97void
98tls_free_lib(void)
99{
100}
101
102void
103tls_ctx_server_new(struct tls_root_ctx *ctx)
104{
105 ASSERT(NULL != ctx);
106
107 ctx->ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_server_method());
108
109 if (ctx->ctx == NULL)
110 {
111 crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_server_method");
112 }
113 if (ERR_peek_error() != 0)
114 {
115 crypto_msg(M_WARN, "Warning: TLS server context initialisation "
116 "has warnings.");
117 }
118}
119
120void
121tls_ctx_client_new(struct tls_root_ctx *ctx)
122{
123 ASSERT(NULL != ctx);
124
125 ctx->ctx = SSL_CTX_new_ex(tls_libctx, NULL, SSLv23_client_method());
126
127 if (ctx->ctx == NULL)
128 {
129 crypto_msg(M_FATAL, "SSL_CTX_new SSLv23_client_method");
130 }
131 if (ERR_peek_error() != 0)
132 {
133 crypto_msg(M_WARN, "Warning: TLS client context initialisation "
134 "has warnings.");
135 }
136}
137
138void
139tls_ctx_free(struct tls_root_ctx *ctx)
140{
141 ASSERT(NULL != ctx);
142 SSL_CTX_free(ctx->ctx);
143 ctx->ctx = NULL;
144 sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free);
145 ctx->crls = NULL;
146 unload_xkey_provider(); /* in case it is loaded */
147}
148
149bool
150tls_ctx_initialised(struct tls_root_ctx *ctx)
151{
152 /* either this should be NULL or should be non-null and then have a
153 * valid TLS ctx inside as well */
154 ASSERT(ctx == NULL || ctx->ctx != NULL);
155 return ctx != NULL;
156}
157
158bool
159key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size,
160 void *ekm, size_t ekm_size)
161
162{
163 SSL *ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
164
165 if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1)
166 {
167 return true;
168 }
169 else
170 {
171 secure_memzero(ekm, ekm_size);
172 return false;
173 }
174}
175
176/*
177 * Print debugging information on SSL/TLS session negotiation.
178 */
179
180#ifndef INFO_CALLBACK_SSL_CONST
181#define INFO_CALLBACK_SSL_CONST const
182#endif
183static void
184info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
185{
186 if (where & SSL_CB_LOOP)
187 {
188 dmsg(D_HANDSHAKE_VERBOSE, "SSL state (%s): %s",
189 where & SSL_ST_CONNECT ? "connect"
190 : where & SSL_ST_ACCEPT ? "accept"
191 : "undefined",
192 SSL_state_string_long(s));
193 }
194 else if (where & SSL_CB_ALERT)
195 {
196 dmsg(D_TLS_DEBUG_LOW, "%s %s SSL alert: %s", where & SSL_CB_READ ? "Received" : "Sent",
197 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
198 }
199}
200
201/*
202 * Return maximum TLS version supported by local OpenSSL library.
203 * Assume that presence of SSL_OP_NO_TLSvX macro indicates that
204 * TLSvX is supported.
205 */
206int
207tls_version_max(void)
208{
209#if defined(TLS1_3_VERSION)
210 /* If this is defined we can safely assume TLS 1.3 support */
211 return TLS_VER_1_3;
212#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
213 /*
214 * If TLS_VER_1_3 is not defined, we were compiled against a version that
215 * did not support TLS 1.3.
216 *
217 * However, the library we are *linked* against might be OpenSSL 1.1.1
218 * and therefore supports TLS 1.3. This needs to be checked at runtime
219 * since we can be compiled against 1.1.0 and then the library can be
220 * upgraded to 1.1.1.
221 * We only need to check this for OpenSSL versions that can be
222 * upgraded to 1.1.1 without recompile (>= 1.1.0)
223 */
224 if (OpenSSL_version_num() >= 0x1010100fL)
225 {
226 return TLS_VER_1_3;
227 }
228 else
229 {
230 return TLS_VER_1_2;
231 }
232#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
233 return TLS_VER_1_2;
234#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
235 return TLS_VER_1_1;
236#else /* if defined(TLS1_3_VERSION) */
237 return TLS_VER_1_0;
238#endif
239}
240
242static uint16_t
243openssl_tls_version(unsigned int ver)
244{
245 if (ver == TLS_VER_1_0)
246 {
247 return TLS1_VERSION;
248 }
249 else if (ver == TLS_VER_1_1)
250 {
251 return TLS1_1_VERSION;
252 }
253 else if (ver == TLS_VER_1_2)
254 {
255 return TLS1_2_VERSION;
256 }
257 else if (ver == TLS_VER_1_3)
258 {
259 /*
260 * Supporting the library upgraded to TLS1.3 without recompile
261 * is enough to support here with a simple constant that the same
262 * as in the TLS 1.3, so spec it is very unlikely that OpenSSL
263 * will change this constant
264 */
265#ifndef TLS1_3_VERSION
266 /*
267 * We do not want to define TLS_VER_1_3 if not defined
268 * since other parts of the code use the existance of this macro
269 * as proxy for TLS 1.3 support
270 */
271 return 0x0304;
272#else
273 return TLS1_3_VERSION;
274#endif
275 }
276 return 0;
277}
278
279static bool
280tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
281{
282 uint16_t tls_ver_min =
283 openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK);
284 uint16_t tls_ver_max =
285 openssl_tls_version((ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK);
286
287 if (!tls_ver_min)
288 {
289 /* Enforce at least TLS 1.0 */
290 uint16_t cur_min = (uint16_t)SSL_CTX_get_min_proto_version(ctx->ctx);
291 tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
292 }
293
294 if (!SSL_CTX_set_min_proto_version(ctx->ctx, tls_ver_min))
295 {
296 msg(D_TLS_ERRORS, "%s: failed to set minimum TLS version", __func__);
297 return false;
298 }
299
300 if (tls_ver_max && !SSL_CTX_set_max_proto_version(ctx->ctx, tls_ver_max))
301 {
302 msg(D_TLS_ERRORS, "%s: failed to set maximum TLS version", __func__);
303 return false;
304 }
305
306 return true;
307}
308
309static int
310cert_verify_callback(X509_STORE_CTX *ctx, void *arg)
311{
312 struct tls_session *session;
313 SSL *ssl;
314
315 ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
316 ASSERT(ssl);
317 session = SSL_get_ex_data(ssl, mydata_index);
318 ASSERT(session);
319
320 /* Configure CRLs. */
321 X509_STORE_CTX_set0_crls(ctx, session->opt->ssl_ctx->crls);
322 return X509_verify_cert(ctx);
323}
324
325bool
326tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
327{
328 ASSERT(NULL != ctx);
329
330 /* process SSL options */
331 uint64_t sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
332#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
333 sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
334#endif
335 sslopt |= SSL_OP_NO_COMPRESSION;
336 /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
337 * session and does not depend on this feature. And TLS renegotiations have
338 * been problematic in the past */
339#ifdef SSL_OP_NO_RENEGOTIATION
340 sslopt |= SSL_OP_NO_RENEGOTIATION;
341#endif
342
343 SSL_CTX_set_options(ctx->ctx, sslopt);
344
345 if (!tls_ctx_set_tls_versions(ctx, ssl_flags))
346 {
347 return false;
348 }
349
350#ifdef SSL_MODE_RELEASE_BUFFERS
351 SSL_CTX_set_mode(ctx->ctx, SSL_MODE_RELEASE_BUFFERS);
352#endif
353 SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_OFF);
354 SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback);
355
356 /* Require peer certificate verification */
357 int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
358 if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
359 {
360 verify_flags = 0;
361 }
362 else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
363 {
364 verify_flags = SSL_VERIFY_PEER;
365 }
366 SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback);
367 SSL_CTX_set_cert_verify_callback(ctx->ctx, cert_verify_callback, NULL);
368
369 SSL_CTX_set_info_callback(ctx->ctx, info_callback);
370
371 return true;
372}
373
374static void
375convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
376{
377 /* Parse supplied cipher list and pass on to OpenSSL */
378 size_t begin_of_cipher, end_of_cipher;
379
380 const char *current_cipher;
381 size_t current_cipher_len;
382
383 const tls_cipher_name_pair *cipher_pair;
384
385 size_t openssl_ciphers_len = 0;
386 openssl_ciphers[0] = '\0';
387
388 /* Translate IANA cipher suite names to OpenSSL names */
389 begin_of_cipher = end_of_cipher = 0;
390 for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
391 {
392 end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
393 cipher_pair =
394 tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
395
396 if (NULL == cipher_pair)
397 {
398 /* No translation found, use original */
399 current_cipher = &ciphers[begin_of_cipher];
400 current_cipher_len = end_of_cipher - begin_of_cipher;
401
402 /* Issue warning on missing translation */
403 /* %.*s format specifier expects length of type int, so guarantee */
404 /* that length is small enough and cast to int. */
405 msg(D_LOW, "No valid translation found for TLS cipher '%.*s'",
406 constrain_int((int)current_cipher_len, 0, 256), current_cipher);
407 }
408 else
409 {
410 /* Use OpenSSL name */
411 current_cipher = cipher_pair->openssl_name;
412 current_cipher_len = strlen(current_cipher);
413
414 if (end_of_cipher - begin_of_cipher == current_cipher_len
415 && 0
416 != memcmp(&ciphers[begin_of_cipher], cipher_pair->iana_name,
417 end_of_cipher - begin_of_cipher))
418 {
419 /* Non-IANA name used, show warning */
420 msg(M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'",
421 cipher_pair->openssl_name, cipher_pair->iana_name);
422 }
423 }
424
425 /* Make sure new cipher name fits in cipher string */
426 if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
427 || (len - 1) < (openssl_ciphers_len + current_cipher_len))
428 {
429 msg(M_FATAL, "Failed to set restricted TLS cipher list, too long (>%d).",
430 (int)(len - 1));
431 }
432
433 /* Concatenate cipher name to OpenSSL cipher string */
434 memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
435 openssl_ciphers_len += current_cipher_len;
436 openssl_ciphers[openssl_ciphers_len] = ':';
437 openssl_ciphers_len++;
438
439 end_of_cipher++;
440 }
441
442 if (openssl_ciphers_len > 0)
443 {
444 openssl_ciphers[openssl_ciphers_len - 1] = '\0';
445 }
446}
447
448void
449tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
450{
451 if (ciphers == NULL)
452 {
453 /* Use sane default TLS cipher list */
454 if (!SSL_CTX_set_cipher_list(
455 ctx->ctx,
456 /* Use openssl's default list as a basis */
457 "DEFAULT"
458 /* Disable export ciphers and openssl's 'low' and 'medium' ciphers */
459 ":!EXP:!LOW:!MEDIUM"
460 /* Disable static (EC)DH keys (no forward secrecy) */
461 ":!kDH:!kECDH"
462 /* Disable DSA private keys */
463 ":!DSS"
464 /* Disable unsupported TLS modes */
465 ":!PSK:!SRP:!kRSA"))
466 {
467 crypto_msg(M_FATAL, "Failed to set default TLS cipher list.");
468 }
469 return;
470 }
471
472 char openssl_ciphers[4096];
473 convert_tls_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), ciphers);
474
475 ASSERT(NULL != ctx);
476
477 /* Set OpenSSL cipher list */
478 if (!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
479 {
480 crypto_msg(M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
481 }
482}
483
484static void
485convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
486{
487 /*
488 * OpenSSL (and official IANA) cipher names have _ in them. We
489 * historically used names with - in them. Silently convert names
490 * with - to names with _ to support both
491 */
492 if (strlen(ciphers) >= (len - 1))
493 {
494 msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
495 (int)(len - 1));
496 }
497
498 strncpy(openssl_ciphers, ciphers, len);
499
500 for (size_t i = 0; i < strlen(openssl_ciphers); i++)
501 {
502 if (openssl_ciphers[i] == '-')
503 {
504 openssl_ciphers[i] = '_';
505 }
506 }
507}
508
509void
510tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
511{
512 if (ciphers == NULL)
513 {
514 /* default cipher list of OpenSSL 1.1.1 is sane, do not set own
515 * default as we do with tls-cipher */
516 return;
517 }
518
519#if !defined(TLS1_3_VERSION)
520 crypto_msg(M_WARN,
521 "Not compiled with OpenSSL 1.1.1 or higher. "
522 "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
523 ciphers);
524#else
525 ASSERT(NULL != ctx);
526
527 char openssl_ciphers[4096];
528 convert_tls13_list_to_openssl(openssl_ciphers, sizeof(openssl_ciphers), ciphers);
529
530 if (!SSL_CTX_set_ciphersuites(ctx->ctx, openssl_ciphers))
531 {
532 crypto_msg(M_FATAL, "Failed to set restricted TLS 1.3 cipher list: %s", openssl_ciphers);
533 }
534#endif
535}
536
537void
538tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
539{
540#if OPENSSL_VERSION_NUMBER > 0x10100000L \
541 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL) \
542 && !defined(OPENSSL_IS_AWSLC)
543 /* OpenSSL does not have certificate profiles, but a complex set of
544 * callbacks that we could try to implement to achieve something similar.
545 * For now, use OpenSSL's security levels to achieve similar (but not equal)
546 * behaviour. */
547 if (!profile || 0 == strcmp(profile, "legacy"))
548 {
549 SSL_CTX_set_security_level(ctx->ctx, 1);
550 }
551 else if (0 == strcmp(profile, "insecure"))
552 {
553 SSL_CTX_set_security_level(ctx->ctx, 0);
554 }
555 else if (0 == strcmp(profile, "preferred"))
556 {
557 SSL_CTX_set_security_level(ctx->ctx, 2);
558 }
559 else if (0 == strcmp(profile, "suiteb"))
560 {
561 SSL_CTX_set_security_level(ctx->ctx, 3);
562 SSL_CTX_set_cipher_list(ctx->ctx, "SUITEB128");
563 }
564 else
565 {
566 msg(M_FATAL, "ERROR: Invalid cert profile: %s", profile);
567 }
568#else /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
569 if (profile)
570 {
571 msg(M_WARN,
572 "WARNING: OpenSSL 1.1.0, AWS-LC and LibreSSL < 3.6.0 do not "
573 "support --tls-cert-profile, ignoring user-set profile: '%s'",
574 profile);
575 }
576#endif /* if OPENSSL_VERSION_NUMBER > 0x10100000L */
577}
578
579void
580tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
581{
582 ASSERT(ctx);
583#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(ENABLE_CRYPTO_WOLFSSL)
584 struct gc_arena gc = gc_new();
585 /* This method could be as easy as
586 * SSL_CTX_set1_groups_list(ctx->ctx, groups)
587 * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1
588 * This is one of the important curves.
589 * To support the same name for OpenSSL and mbedTLS, we do
590 * this dance.
591 * Also note that the code is wrong in the presence of OpenSSL3 providers.
592 */
593
594 int groups_count = get_num_elements(groups, ':');
595
596 int *glist;
597 /* Allocate an array for them */
598 ALLOC_ARRAY_CLEAR_GC(glist, int, groups_count, &gc);
599
600 /* Parse allowed ciphers, getting IDs */
601 int glistlen = 0;
602 char *tmp_groups = string_alloc(groups, &gc);
603
604 const char *token;
605 while ((token = strsep(&tmp_groups, ":")))
606 {
607 if (streq(token, "secp256r1"))
608 {
609 token = "prime256v1";
610 }
611 int nid = OBJ_sn2nid(token);
612
613 if (nid == 0)
614 {
615 msg(M_WARN, "Warning unknown curve/group specified: %s", token);
616 }
617 else
618 {
619 glist[glistlen] = nid;
620 glistlen++;
621 }
622 }
623
624 if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen))
625 {
626 crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups);
627 }
628 gc_free(&gc);
629#else /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
630 if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
631 {
632 crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups);
633 }
634#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
635}
636
637#if OPENSSL_VERSION_NUMBER < 0x40000000L
638void
639tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
640{
641 int ret;
642 const X509 *cert;
643
644 ASSERT(ctx);
645
646 cert = SSL_CTX_get0_certificate(ctx->ctx);
647
648 if (cert == NULL)
649 {
650 return; /* Nothing to check if there is no certificate */
651 }
652
653 ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
654 if (ret == 0)
655 {
656 msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
657 }
658 if (ret > 0)
659 {
660 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
661 }
662
663 ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
664 if (ret == 0)
665 {
666 msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
667 }
668 if (ret < 0)
669 {
670 msg(M_WARN, "WARNING: Your certificate has expired!");
671 }
672}
673#else
674void
675tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
676{
677 const X509 *cert;
678 ASSERT(ctx);
679
680 cert = SSL_CTX_get0_certificate(ctx->ctx);
681
682 if (cert == NULL)
683 {
684 return; /* Nothing to check if there is no certificate */
685 }
686
687 X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new();
688
689 if (vpm == NULL)
690 {
691 msg(D_TLS_DEBUG_MED, "Failed to initialise certificate verification parameters.");
692 return;
693 }
694
695 X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_CHECK_TIME);
696 X509_VERIFY_PARAM_set_time(vpm, now);
697
698 int error = 0;
699 int ret = X509_check_certificate_times(vpm, cert, &error);
700 X509_VERIFY_PARAM_free(vpm);
701
702 if (ret == 1)
703 {
704 return;
705 }
706
707 switch (error)
708 {
709 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
710 msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
711 break;
712
713 case X509_V_ERR_CERT_NOT_YET_VALID:
714 msg(M_WARN, "WARNING: Your certificate is not yet valid!");
715 break;
716
717 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
718 msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
719 break;
720
721 case X509_V_ERR_CERT_HAS_EXPIRED:
722 msg(M_WARN, "WARNING: Your certificate has expired!");
723 break;
724 }
725}
726#endif
727
728void
729tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
730{
731 BIO *bio;
732
733 ASSERT(NULL != ctx);
734
735 if (dh_file_inline)
736 {
737 if (!(bio = BIO_new_mem_buf((char *)dh_file, -1)))
738 {
739 crypto_msg(M_FATAL, "Cannot open memory BIO for inline DH parameters");
740 }
741 }
742 else
743 {
744 /* Get Diffie Hellman Parameters */
745 if (!(bio = BIO_new_file(dh_file, "r")))
746 {
747 crypto_msg(M_FATAL, "Cannot open %s for DH parameters", dh_file);
748 }
749 }
750
751#if OPENSSL_VERSION_NUMBER >= 0x30000000L
752 EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
753 BIO_free(bio);
754
755 if (!dh)
756 {
757 crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
758 print_key_filename(dh_file, dh_file_inline));
759 }
760 if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
761 {
762 crypto_msg(M_FATAL, "SSL_CTX_set0_tmp_dh_pkey");
763 }
764
765 msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * EVP_PKEY_get_size(dh));
766#else /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
767 DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
768 BIO_free(bio);
769
770 if (!dh)
771 {
772 crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
773 print_key_filename(dh_file, dh_file_inline));
774 }
775 if (!SSL_CTX_set_tmp_dh(ctx->ctx, dh))
776 {
777 crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
778 }
779
780 msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", 8 * DH_size(dh));
781
782 DH_free(dh);
783#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
784}
785
786void
787tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
788{
789#if OPENSSL_VERSION_NUMBER >= 0x30000000L
790 if (curve_name != NULL)
791 {
792 msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
793 "ECDH curve with --ecdh-curve, using default curves. Use "
794 "--tls-groups to specify groups.");
795 }
796#elif !defined(OPENSSL_NO_EC)
797 int nid = NID_undef;
798 EC_KEY *ecdh = NULL;
799 const char *sname = NULL;
800
801 /* Generate a new ECDH key for each SSL session (for non-ephemeral ECDH) */
802 SSL_CTX_set_options(ctx->ctx, SSL_OP_SINGLE_ECDH_USE);
803
804 if (curve_name != NULL)
805 {
806 /* Use user supplied curve if given */
807 msg(D_TLS_DEBUG, "Using user specified ECDH curve (%s)", curve_name);
808 nid = OBJ_sn2nid(curve_name);
809 }
810 else
811 {
812 return;
813 }
814
815 /* Translate NID back to name , just for kicks */
816 sname = OBJ_nid2sn(nid);
817 if (sname == NULL)
818 {
819 sname = "(Unknown)";
820 }
821
822 /* Create new EC key and set as ECDH key */
823 if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid)))
824 {
825 /* Creating key failed, fall back on sane default */
826 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
827 const char *source =
828 (NULL == curve_name) ? "extract curve from certificate" : "use supplied curve";
829 msg(D_TLS_DEBUG_LOW, "Failed to %s (%s), using secp384r1 instead.", source, sname);
830 sname = OBJ_nid2sn(NID_secp384r1);
831 }
832
833 if (!SSL_CTX_set_tmp_ecdh(ctx->ctx, ecdh))
834 {
835 crypto_msg(M_FATAL, "SSL_CTX_set_tmp_ecdh: cannot add curve");
836 }
837
838 msg(D_TLS_DEBUG_LOW, "ECDH curve %s added", sname);
839
840 EC_KEY_free(ecdh);
841#else /* ifndef OPENSSL_NO_EC */
842 msg(D_LOW, "Your OpenSSL library was built without elliptic curve support."
843 " Skipping ECDH parameter loading.");
844#endif /* OPENSSL_NO_EC */
845}
846
847#if defined(HAVE_OPENSSL_STORE_API)
853static int
854ui_reader(UI *ui, UI_STRING *uis)
855{
856 SSL_CTX *ctx = UI_get0_user_data(ui);
857
858 if (UI_get_string_type(uis) == UIT_PROMPT)
859 {
860 const char *prompt = UI_get0_output_string(uis);
861
862 /* If pkcs#11 Use custom prompt similar to pkcs11-helper */
863 if (strstr(prompt, "PKCS#11"))
864 {
865 struct user_pass up;
866 CLEAR(up);
867 get_user_pass(&up, NULL, "PKCS#11 token",
868 GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
869 UI_set_result(ui, uis, up.password);
870 purge_user_pass(&up, true);
871 }
872 else /* use our generic 'Private Key' passphrase callback */
873 {
874 char password[USER_PASS_LEN];
875 pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
876 void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx);
877
878 cb(password, sizeof(password), 0, d);
879 UI_set_result(ui, uis, password);
880 secure_memzero(password, sizeof(password));
881 }
882
883 return 1;
884 }
885 return 0;
886}
887
888static void
889clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
890{
891 if (OSSL_STORE_error(store_ctx))
892 {
893 ERR_clear_error();
894 }
895}
896#endif /* defined(HAVE_OPENSSL_STORE_API) */
897
906static void *
907load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx)
908{
909 EVP_PKEY *pkey = NULL;
910
911#if !defined(HAVE_OPENSSL_STORE_API)
912
913 /* Treat the uri as file name */
914 BIO *in = BIO_new_file(uri, "r");
915 if (!in)
916 {
917 return NULL;
918 }
919 pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ssl_ctx),
920 SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx));
921 BIO_free(in);
922
923#else /* defined(HAVE_OPENSSL_STORE_API) */
924
925 OSSL_STORE_CTX *store_ctx = NULL;
926 OSSL_STORE_INFO *info = NULL;
927
928 UI_METHOD *ui_method = UI_create_method("openvpn");
929 if (!ui_method)
930 {
931 msg(M_WARN, "OpenSSL UI creation failed");
932 return NULL;
933 }
934 UI_method_set_reader(ui_method, ui_reader);
935
936 store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx, NULL, NULL, NULL);
937 if (!store_ctx)
938 {
939 goto end;
940 }
941 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_PKEY) != 1)
942 {
943 goto end;
944 }
945 while (1)
946 {
947 info = OSSL_STORE_load(store_ctx);
948 if (info || OSSL_STORE_eof(store_ctx))
949 {
950 break;
951 }
952 /* OPENSSL_STORE_load can return error and still have usable objects to follow.
953 * ref: man OPENSSL_STORE_open
954 * Clear error and recurse through the file if info = NULL and eof not reached
955 */
956 clear_ossl_store_error(store_ctx);
957 }
958 if (!info)
959 {
960 goto end;
961 }
962 pkey = OSSL_STORE_INFO_get1_PKEY(info);
963 OSSL_STORE_INFO_free(info);
964 msg(D_TLS_DEBUG_MED, "Found pkey in store using URI: %s", uri);
965
966end:
967 OSSL_STORE_close(store_ctx);
968 UI_destroy_method(ui_method);
969
970#endif /* defined(HAVE_OPENSSL_STORE_API) */
971
972 return pkey;
973}
974
975int
976tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline,
977 bool load_ca_file)
978{
979 FILE *fp;
980 EVP_PKEY *pkey;
981 X509 *cert;
982 STACK_OF(X509) *ca = NULL;
983 PKCS12 *p12;
984 int i;
985 char password[256];
986
987 ASSERT(NULL != ctx);
988
989 if (pkcs12_file_inline)
990 {
991 BIO *b64 = BIO_new(BIO_f_base64());
992 BIO *bio = BIO_new_mem_buf((void *)pkcs12_file, (int)strlen(pkcs12_file));
993 ASSERT(b64 && bio);
994 BIO_push(b64, bio);
995 p12 = d2i_PKCS12_bio(b64, NULL);
996 if (!p12)
997 {
998 crypto_msg(M_FATAL, "Error reading inline PKCS#12 file");
999 }
1000 BIO_free(b64);
1001 BIO_free(bio);
1002 }
1003 else
1004 {
1005 /* Load the PKCS #12 file */
1006 if (!(fp = platform_fopen(pkcs12_file, "rb")))
1007 {
1008 crypto_msg(M_FATAL, "Error opening file %s", pkcs12_file);
1009 }
1010 p12 = d2i_PKCS12_fp(fp, NULL);
1011 fclose(fp);
1012 if (!p12)
1013 {
1014 crypto_msg(M_FATAL, "Error reading PKCS#12 file %s", pkcs12_file);
1015 }
1016 }
1017
1018 /* Parse the PKCS #12 file */
1019 if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
1020 {
1021 pem_password_callback(password, sizeof(password) - 1, 0, NULL);
1022 /* Reparse the PKCS #12 file with password */
1023 ca = NULL;
1024 if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
1025 {
1026 crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password "
1027 "or unsupported/legacy encryption");
1028#ifdef ENABLE_MANAGEMENT
1029 if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
1030 {
1031 management_auth_failure(management, UP_TYPE_PRIVATE_KEY, NULL);
1032 }
1033#endif
1034 PKCS12_free(p12);
1035 return 1;
1036 }
1037 }
1038 PKCS12_free(p12);
1039
1040 /* Load Certificate */
1041 if (!SSL_CTX_use_certificate(ctx->ctx, cert))
1042 {
1043 crypto_print_openssl_errors(M_WARN);
1044 crypto_msg(M_FATAL, "Cannot use certificate");
1045 }
1046
1047 /* Load Private Key */
1048 if (!SSL_CTX_use_PrivateKey(ctx->ctx, pkey))
1049 {
1050 crypto_msg(M_FATAL, "Cannot use private key");
1051 }
1052
1053 /* Check Private Key */
1054 if (!SSL_CTX_check_private_key(ctx->ctx))
1055 {
1056 crypto_msg(M_FATAL, "Private key does not match the certificate");
1057 }
1058
1059 /* Set Certificate Verification chain */
1060 if (load_ca_file)
1061 {
1062 /* Add CAs from PKCS12 to the cert store and mark them as trusted.
1063 * They're also used to fill in the chain of intermediate certs as
1064 * necessary.
1065 */
1066 if (ca && sk_X509_num(ca))
1067 {
1068 for (i = 0; i < sk_X509_num(ca); i++)
1069 {
1070 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
1071 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca, i)))
1072 {
1073 crypto_msg(M_FATAL,
1074 "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
1075 }
1076 if (!SSL_CTX_add_client_CA(ctx->ctx, sk_X509_value(ca, i)))
1077 {
1078 crypto_msg(M_FATAL,
1079 "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
1080 }
1081 }
1082 }
1083 }
1084 else
1085 {
1086 /* If trusted CA certs were loaded from a PEM file, and we ignore the
1087 * ones in PKCS12, do load PKCS12-provided certs to the client extra
1088 * certs chain just in case they include intermediate CAs needed to
1089 * prove my identity to the other end. This does not make them trusted.
1090 */
1091 if (ca && sk_X509_num(ca))
1092 {
1093 for (i = 0; i < sk_X509_num(ca); i++)
1094 {
1095 if (!SSL_CTX_add_extra_chain_cert(ctx->ctx, sk_X509_value(ca, i)))
1096 {
1097 crypto_msg(
1098 M_FATAL,
1099 "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
1100 }
1101 }
1102 }
1103 }
1104 return 0;
1105}
1106
1107#ifdef ENABLE_CRYPTOAPI
1108void
1109tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
1110{
1111 ASSERT(NULL != ctx);
1112
1113 /* Load Certificate and Private Key */
1114 if (!SSL_CTX_use_CryptoAPI_certificate(ctx->ctx, cryptoapi_cert))
1115 {
1116 crypto_msg(M_FATAL, "Cannot load certificate \"%s\" from Microsoft Certificate Store",
1117 cryptoapi_cert);
1118 }
1119}
1120#endif /* ENABLE_CRYPTOAPI */
1121
1122static void
1123tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
1124{
1125 X509 *cert;
1126 while (true)
1127 {
1128 cert = NULL;
1129 if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
1130 {
1131 /* a PEM_R_NO_START_LINE "Error" indicates that no certificate
1132 * is found in the buffer. If loading more certificates is
1133 * optional, break without raising an error
1134 */
1135 if (optional && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
1136 {
1137 /* remove that error from error stack */
1138 (void)ERR_get_error();
1139 break;
1140 }
1141
1142 /* Otherwise, bail out with error */
1143 crypto_msg(M_FATAL, "Error reading extra certificate");
1144 }
1145 /* takes ownership of cert like a set1 method */
1146 if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
1147 {
1148 crypto_msg(M_FATAL, "Error adding extra certificate");
1149 }
1150 /* We loaded at least one certificate, so loading more is optional */
1151 optional = true;
1152 }
1153}
1154
1155static bool
1156cert_uri_supported(void)
1157{
1158#if defined(HAVE_OPENSSL_STORE_API)
1159 return 1;
1160#else
1161 return 0;
1162#endif
1163}
1164
1165static void
1166tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
1167{
1168#if defined(HAVE_OPENSSL_STORE_API)
1169 X509 *x = NULL;
1170 int ret = 0;
1171 OSSL_STORE_CTX *store_ctx = NULL;
1172 OSSL_STORE_INFO *info = NULL;
1173
1174 ASSERT(NULL != tls_ctx);
1175
1176 UI_METHOD *ui_method = UI_create_method("openvpn");
1177 if (!ui_method)
1178 {
1179 msg(M_WARN, "OpenSSL UI method creation failed");
1180 goto end;
1181 }
1182 UI_method_set_reader(ui_method, ui_reader);
1183
1184 store_ctx =
1185 OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx, NULL, NULL, NULL);
1186 if (!store_ctx)
1187 {
1188 goto end;
1189 }
1190 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_CERT) != 1)
1191 {
1192 goto end;
1193 }
1194
1195 while (1)
1196 {
1197 info = OSSL_STORE_load(store_ctx);
1198 if (info || OSSL_STORE_eof(store_ctx))
1199 {
1200 break;
1201 }
1202 /* OPENSSL_STORE_load can return error and still have usable objects to follow.
1203 * ref: man OPENSSL_STORE_open
1204 * Clear error and recurse through the file if info = NULL and eof not reached.
1205 */
1206 clear_ossl_store_error(store_ctx);
1207 }
1208 if (!info)
1209 {
1210 goto end;
1211 }
1212
1213 x = OSSL_STORE_INFO_get0_CERT(info);
1214 if (x == NULL)
1215 {
1216 goto end;
1217 }
1218 msg(D_TLS_DEBUG_MED, "Found cert in store using URI: %s", uri);
1219
1220 ret = SSL_CTX_use_certificate(tls_ctx->ctx, x);
1221 if (!ret)
1222 {
1223 goto end;
1224 }
1225 OSSL_STORE_INFO_free(info);
1226 info = NULL;
1227
1228 /* iterate through the store and add extra certificates if any to the chain */
1229 while (!OSSL_STORE_eof(store_ctx))
1230 {
1231 info = OSSL_STORE_load(store_ctx);
1232 if (!info)
1233 {
1234 clear_ossl_store_error(store_ctx);
1235 continue;
1236 }
1237 x = OSSL_STORE_INFO_get1_CERT(info);
1238 if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1)
1239 {
1240 X509_free(x);
1241 crypto_msg(M_FATAL, "Error adding extra certificate");
1242 break;
1243 }
1244 OSSL_STORE_INFO_free(info);
1245 info = NULL;
1246 }
1247
1248end:
1249 if (!ret)
1250 {
1251 crypto_print_openssl_errors(M_WARN);
1252 crypto_msg(M_FATAL, "Cannot load certificate from URI <%s>", uri);
1253 }
1254 else
1255 {
1256 crypto_print_openssl_errors(M_DEBUG);
1257 }
1258
1259 UI_destroy_method(ui_method);
1260 OSSL_STORE_INFO_free(info);
1261 OSSL_STORE_close(store_ctx);
1262#else /* defined(HAVE_OPENSSL_STORE_API */
1263 ASSERT(0);
1264#endif /* defined(HAVE_OPENSSL_STORE_API */
1265}
1266
1267static void
1268tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
1269{
1270 BIO *in = NULL;
1271 X509 *x = NULL;
1272 int ret = 0;
1273
1274 ASSERT(NULL != ctx);
1275
1276 if (cert_file_inline)
1277 {
1278 in = BIO_new_mem_buf((char *)cert_file, -1);
1279 }
1280 else
1281 {
1282 in = BIO_new_file((char *)cert_file, "r");
1283 }
1284
1285 if (in == NULL)
1286 {
1287 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
1288 goto end;
1289 }
1290
1291 x = PEM_read_bio_X509(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx),
1292 SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
1293 if (x == NULL)
1294 {
1295 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
1296 goto end;
1297 }
1298
1299 ret = SSL_CTX_use_certificate(ctx->ctx, x);
1300 if (ret)
1301 {
1302 tls_ctx_add_extra_certs(ctx, in, true);
1303 }
1304
1305end:
1306 if (!ret)
1307 {
1308 crypto_print_openssl_errors(M_WARN);
1309 if (cert_file_inline)
1310 {
1311 crypto_msg(M_FATAL, "Cannot load inline certificate file");
1312 }
1313 else
1314 {
1315 crypto_msg(M_FATAL, "Cannot load certificate file %s", cert_file);
1316 }
1317 }
1318 else
1319 {
1320 crypto_print_openssl_errors(M_DEBUG);
1321 }
1322
1323 BIO_free(in);
1324 X509_free(x);
1325}
1326
1327void
1328tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
1329{
1330 if (cert_uri_supported() && !cert_file_inline)
1331 {
1332 tls_ctx_load_cert_uri(ctx, cert_file);
1333 }
1334 else
1335 {
1336 tls_ctx_load_cert_pem_file(ctx, cert_file, cert_file_inline);
1337 }
1338}
1339
1340int
1341tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
1342 bool priv_key_file_inline)
1343{
1344 SSL_CTX *ssl_ctx = NULL;
1345 BIO *in = NULL;
1346 EVP_PKEY *pkey = NULL;
1347 int ret = 1;
1348
1349 ASSERT(NULL != ctx);
1350
1351 ssl_ctx = ctx->ctx;
1352
1353 if (priv_key_file_inline)
1354 {
1355 in = BIO_new_mem_buf((char *)priv_key_file, -1);
1356 if (in == NULL)
1357 {
1358 goto end;
1359 }
1360 pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx),
1361 SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
1362 }
1363 else
1364 {
1365 pkey = load_pkey_from_uri(priv_key_file, ssl_ctx);
1366 }
1367
1368 if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
1369 {
1370#ifdef ENABLE_MANAGEMENT
1371 if (management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1372 {
1373 management_auth_failure(management, UP_TYPE_PRIVATE_KEY, NULL);
1374 }
1375#endif
1376 crypto_msg(M_WARN, "Cannot load private key file %s",
1377 print_key_filename(priv_key_file, priv_key_file_inline));
1378 goto end;
1379 }
1380
1381 /* Check Private Key */
1382 if (!SSL_CTX_check_private_key(ssl_ctx))
1383 {
1384 crypto_msg(M_FATAL, "Private key does not match the certificate");
1385 }
1386 ret = 0;
1387
1388end:
1389 EVP_PKEY_free(pkey);
1390 BIO_free(in);
1391 return ret;
1392}
1393
1394void
1395backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
1396{
1397 BIO *in = NULL;
1398 STACK_OF(X509_CRL) *crls = NULL;
1399
1400 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx);
1401 if (!store)
1402 {
1403 crypto_msg(M_FATAL, "Cannot get certificate store");
1404 }
1405
1406 sk_X509_CRL_pop_free(ssl_ctx->crls, X509_CRL_free);
1407 ssl_ctx->crls = NULL;
1408
1409 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1410
1411 if (crl_inline)
1412 {
1413 in = BIO_new_mem_buf((char *)crl_file, -1);
1414 }
1415 else
1416 {
1417 in = BIO_new_file(crl_file, "r");
1418 }
1419
1420 if (in == NULL)
1421 {
1422 msg(M_WARN, "CRL: cannot read: %s", print_key_filename(crl_file, crl_inline));
1423 return;
1424 }
1425
1426 crls = sk_X509_CRL_new_null();
1427 if (crls == NULL)
1428 {
1429 crypto_msg(M_FATAL, "CRL: cannot create CRL list");
1430 }
1431
1432 int num_crls_loaded = 0;
1433 while (true)
1434 {
1435 X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
1436 if (crl == NULL)
1437 {
1438 /*
1439 * PEM_R_NO_START_LINE can be considered equivalent to EOF.
1440 */
1441 bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
1442 /* but warn if no CRLs have been loaded */
1443 if (num_crls_loaded > 0 && eof)
1444 {
1445 /* remove that error from error stack */
1446 (void)ERR_get_error();
1447 break;
1448 }
1449
1450 crypto_msg(M_WARN, "CRL: cannot read CRL from file %s",
1451 print_key_filename(crl_file, crl_inline));
1452 break;
1453 }
1454
1455 if (!sk_X509_CRL_push(crls, crl))
1456 {
1457 crypto_msg(M_FATAL, "CRL: cannot add CRL to list");
1458 }
1459 num_crls_loaded++;
1460 }
1461 msg(M_INFO, "CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
1462 ssl_ctx->crls = crls;
1463 BIO_free(in);
1464}
1465
1466
1467#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
1468
1469/* encrypt */
1470static int
1471rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1472{
1473 ASSERT(0);
1474 return -1;
1475}
1476
1477/* verify arbitrary data */
1478static int
1479rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1480{
1481 ASSERT(0);
1482 return -1;
1483}
1484
1485/* decrypt */
1486static int
1487rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1488{
1489 ASSERT(0);
1490 return -1;
1491}
1492
1493/* called at RSA_free */
1494static int
1495openvpn_extkey_rsa_finish(RSA *rsa)
1496{
1497 /* meth was allocated in tls_ctx_use_management_external_key() ; since
1498 * this function is called when the parent RSA object is destroyed,
1499 * it is no longer used after this point so kill it. */
1500 const RSA_METHOD *meth = RSA_get_method(rsa);
1501 RSA_meth_free((RSA_METHOD *)meth);
1502 return 1;
1503}
1504
1505/*
1506 * Convert OpenSSL's constant to the strings used in the management
1507 * interface query
1508 */
1509const char *
1510get_rsa_padding_name(const int padding)
1511{
1512 switch (padding)
1513 {
1514 case RSA_PKCS1_PADDING:
1515 return "RSA_PKCS1_PADDING";
1516
1517 case RSA_NO_PADDING:
1518 return "RSA_NO_PADDING";
1519
1520 default:
1521 return "UNKNOWN";
1522 }
1523}
1524
1536static int
1537get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig,
1538 unsigned int siglen, const char *algorithm)
1539{
1540 char *in_b64 = NULL;
1541 char *out_b64 = NULL;
1542 int len = -1;
1543
1544 int bencret = openvpn_base64_encode(dgst, dgstlen, &in_b64);
1545
1546 if (management && bencret > 0)
1547 {
1548 out_b64 = management_query_pk_sig(management, in_b64, algorithm);
1549 }
1550 if (out_b64)
1551 {
1552 len = openvpn_base64_decode(out_b64, sig, siglen);
1553 }
1554
1555 free(in_b64);
1556 free(out_b64);
1557 return len;
1558}
1559
1560/* sign arbitrary data */
1561static int
1562rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
1563{
1564 int len = RSA_size(rsa);
1565
1566 if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING)
1567 {
1568 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
1569 return -1;
1570 }
1571
1572 int ret = get_sig_from_man(from, flen, to, len, get_rsa_padding_name(padding));
1573
1574 return (ret == len) ? ret : -1;
1575}
1576
1577static int
1578tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
1579{
1580 RSA *rsa = NULL;
1581 RSA_METHOD *rsa_meth;
1582
1583 ASSERT(NULL != ctx);
1584
1585 const RSA *pub_rsa = EVP_PKEY_get0_RSA(pkey);
1586 ASSERT(NULL != pub_rsa);
1587
1588 /* allocate custom RSA method object */
1589 rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", RSA_METHOD_FLAG_NO_CHECK);
1590 check_malloc_return(rsa_meth);
1591 RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
1592 RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
1593 RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
1594 RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
1595 RSA_meth_set_init(rsa_meth, NULL);
1596 RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
1597 RSA_meth_set0_app_data(rsa_meth, NULL);
1598
1599 /* allocate RSA object */
1600 rsa = RSA_new();
1601 if (rsa == NULL)
1602 {
1603 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
1604 goto err;
1605 }
1606
1607 /* initialize RSA object */
1608 const BIGNUM *n = NULL;
1609 const BIGNUM *e = NULL;
1610 RSA_get0_key(pub_rsa, &n, &e, NULL);
1611 RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
1612 RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
1613 if (!RSA_set_method(rsa, rsa_meth))
1614 {
1615 RSA_meth_free(rsa_meth);
1616 goto err;
1617 }
1618 /* from this point rsa_meth will get freed with rsa */
1619
1620 /* bind our custom RSA object to ssl_ctx */
1621 if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa))
1622 {
1623 goto err;
1624 }
1625
1626 RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */
1627 return 1;
1628
1629err:
1630 if (rsa)
1631 {
1632 RSA_free(rsa);
1633 }
1634 else if (rsa_meth)
1635 {
1636 RSA_meth_free(rsa_meth);
1637 }
1638 return 0;
1639}
1640
1641#if !defined(OPENSSL_NO_EC)
1642
1643/* called when EC_KEY is destroyed */
1644static void
1645openvpn_extkey_ec_finish(EC_KEY *ec)
1646{
1647 /* release the method structure */
1648 const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
1649 EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth);
1650}
1651
1652/* EC_KEY_METHOD callback: sign().
1653 * Sign the hash using EC key and return DER encoded signature in sig,
1654 * its length in siglen. Return value is 1 on success, 0 on error.
1655 */
1656static int
1657ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig,
1658 unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
1659{
1660 int capacity = ECDSA_size(ec);
1661 /*
1662 * ECDSA does not seem to have proper constants for paddings since
1663 * there are only signatures without padding at the moment, use
1664 * a generic ECDSA for the moment
1665 */
1666 int len = get_sig_from_man(dgst, dgstlen, sig, capacity, "ECDSA");
1667
1668 if (len > 0)
1669 {
1670 *siglen = len;
1671 return 1;
1672 }
1673 return 0;
1674}
1675
1676/* EC_KEY_METHOD callback: sign_setup(). We do no precomputations */
1677static int
1678ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
1679{
1680 return 1;
1681}
1682
1683/* EC_KEY_METHOD callback: sign_sig().
1684 * Sign the hash and return the result as a newly allocated ECDS_SIG
1685 * struct or NULL on error.
1686 */
1687static ECDSA_SIG *
1688ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r,
1689 EC_KEY *ec)
1690{
1691 ECDSA_SIG *ecsig = NULL;
1692 unsigned int len = ECDSA_size(ec);
1693 struct gc_arena gc = gc_new();
1694
1695 unsigned char *buf = gc_malloc(len, false, &gc);
1696 if (ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec) != 1)
1697 {
1698 goto out;
1699 }
1700 /* const char ** should be avoided: not up to us, so we cast our way through */
1701 ecsig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&buf, len);
1702
1703out:
1704 gc_free(&gc);
1705 return ecsig;
1706}
1707
1708static int
1709tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
1710{
1711 EC_KEY *ec = NULL;
1712 EVP_PKEY *privkey = NULL;
1713 EC_KEY_METHOD *ec_method;
1714
1715 ASSERT(ctx);
1716
1717 ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
1718 if (!ec_method)
1719 {
1720 goto err;
1721 }
1722
1723 /* Among init methods, we only need the finish method */
1724 EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL);
1725#ifdef OPENSSL_IS_AWSLC
1726 EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig);
1727#else
1728 EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig);
1729#endif
1730
1731 ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
1732 if (!ec)
1733 {
1734 EC_KEY_METHOD_free(ec_method);
1735 goto err;
1736 }
1737 if (!EC_KEY_set_method(ec, ec_method))
1738 {
1739 EC_KEY_METHOD_free(ec_method);
1740 goto err;
1741 }
1742 /* from this point ec_method will get freed when ec is freed */
1743
1744 privkey = EVP_PKEY_new();
1745 if (!EVP_PKEY_assign_EC_KEY(privkey, ec))
1746 {
1747 goto err;
1748 }
1749 /* from this point ec will get freed when privkey is freed */
1750
1751 if (!SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
1752 {
1753 ec = NULL; /* avoid double freeing it below */
1754 goto err;
1755 }
1756
1757 EVP_PKEY_free(privkey); /* this will down ref privkey and ec */
1758 return 1;
1759
1760err:
1761 /* Reach here only when ec and privkey can be independenly freed */
1762 EVP_PKEY_free(privkey);
1763 EC_KEY_free(ec);
1764 return 0;
1765}
1766#endif /* !defined(OPENSSL_NO_EC) */
1767#endif /* ENABLE_MANAGEMENT && !HAVE_XKEY_PROVIDER */
1768
1769#ifdef ENABLE_MANAGEMENT
1770int
1771tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
1772{
1773 int ret = 1;
1774
1775 ASSERT(NULL != ctx);
1776
1777 X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
1778
1779 ASSERT(NULL != cert);
1780
1781 /* get the public key */
1782 EVP_PKEY *pkey = X509_get0_pubkey(cert);
1783 ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
1784
1785#ifdef HAVE_XKEY_PROVIDER
1786 EVP_PKEY *privkey = xkey_load_management_key(tls_libctx, pkey);
1787 if (!privkey || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey))
1788 {
1789 EVP_PKEY_free(privkey);
1790 goto cleanup;
1791 }
1792 EVP_PKEY_free(privkey);
1793#else /* ifdef HAVE_XKEY_PROVIDER */
1794#if OPENSSL_VERSION_NUMBER < 0x30000000L
1795 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
1796#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1797 if (EVP_PKEY_is_a(pkey, "RSA"))
1798#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1799 {
1800 if (!tls_ctx_use_external_rsa_key(ctx, pkey))
1801 {
1802 goto cleanup;
1803 }
1804 }
1805#if !defined(OPENSSL_NO_EC)
1806#if OPENSSL_VERSION_NUMBER < 0x30000000L
1807 else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
1808#else /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1809 else if (EVP_PKEY_is_a(pkey, "EC"))
1810#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
1811 {
1812 if (!tls_ctx_use_external_ec_key(ctx, pkey))
1813 {
1814 goto cleanup;
1815 }
1816 }
1817 else
1818 {
1819 crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate");
1820 goto cleanup;
1821 }
1822#else /* !defined(OPENSSL_NO_EC) */
1823 else
1824 {
1825 crypto_msg(M_WARN, "management-external-key requires an RSA certificate");
1826 goto cleanup;
1827 }
1828#endif /* !defined(OPENSSL_NO_EC) */
1829
1830#endif /* HAVE_XKEY_PROVIDER */
1831
1832 ret = 0;
1833cleanup:
1834 if (ret)
1835 {
1836 crypto_msg(M_FATAL, "Cannot enable SSL external private key capability");
1837 }
1838 return ret;
1839}
1840
1841#endif /* ifdef ENABLE_MANAGEMENT */
1842
1843static int
1844sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
1845{
1846 return X509_NAME_cmp(*a, *b);
1847}
1848
1849void
1850tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline,
1851 const char *ca_path, bool tls_server)
1852{
1853 STACK_OF(X509_INFO) *info_stack = NULL;
1854 STACK_OF(X509_NAME) *cert_names = NULL;
1855 X509_LOOKUP *lookup = NULL;
1856 X509_STORE *store = NULL;
1857 BIO *in = NULL;
1858 int i, added = 0, prev = 0;
1859
1860 ASSERT(NULL != ctx);
1861
1862 store = SSL_CTX_get_cert_store(ctx->ctx);
1863 if (!store)
1864 {
1865 crypto_msg(M_FATAL, "Cannot get certificate store");
1866 }
1867
1868 /* Try to add certificates and CRLs from ca_file */
1869 if (ca_file)
1870 {
1871 if (ca_file_inline)
1872 {
1873 in = BIO_new_mem_buf((char *)ca_file, -1);
1874 }
1875 else
1876 {
1877 in = BIO_new_file(ca_file, "r");
1878 }
1879
1880 if (in)
1881 {
1882 info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
1883 }
1884
1885 if (info_stack)
1886 {
1887 for (i = 0; i < sk_X509_INFO_num(info_stack); i++)
1888 {
1889 X509_INFO *info = sk_X509_INFO_value(info_stack, i);
1890 if (info->crl)
1891 {
1892 X509_STORE_add_crl(store, info->crl);
1893 }
1894
1895 if (tls_server && !info->x509)
1896 {
1897 crypto_msg(M_FATAL, "X509 name was missing in TLS mode");
1898 }
1899
1900 if (info->x509)
1901 {
1902 X509_STORE_add_cert(store, info->x509);
1903 added++;
1904
1905 if (!tls_server)
1906 {
1907 continue;
1908 }
1909
1910 /* Use names of CAs as a client CA list */
1911 if (cert_names == NULL)
1912 {
1913 cert_names = sk_X509_NAME_new(sk_x509_name_cmp);
1914 if (!cert_names)
1915 {
1916 continue;
1917 }
1918 }
1919
1920 /* OpenSSL 4.0 has made X509_get_subject_name return const
1921 * but not adjusted the other functions to take const
1922 * arguments, and other libraries do not have const
1923 * arguments, so just ignore const here */
1924 X509_NAME *xn = (X509_NAME *)X509_get_subject_name(info->x509);
1925 if (!xn)
1926 {
1927 continue;
1928 }
1929
1930
1931 /* Don't add duplicate CA names */
1932 if (sk_X509_NAME_find(cert_names, (X509_NAME *)xn) == -1)
1933 {
1934 X509_NAME *xn_dup = X509_NAME_dup(xn);
1935 if (!xn_dup)
1936 {
1937 continue;
1938 }
1939 sk_X509_NAME_push(cert_names, xn_dup);
1940 }
1941 }
1942
1943 if (tls_server)
1944 {
1945 int cnum = sk_X509_NAME_num(cert_names);
1946 if (cnum != (prev + 1))
1947 {
1948 crypto_msg(M_WARN,
1949 "Cannot load CA certificate file %s (entry %d did not validate)",
1950 print_key_filename(ca_file, ca_file_inline), added);
1951 }
1952 prev = cnum;
1953 }
1954 }
1955 sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
1956 }
1957 int cnum;
1958 if (tls_server)
1959 {
1960 cnum = sk_X509_NAME_num(cert_names);
1961 SSL_CTX_set_client_CA_list(ctx->ctx, cert_names);
1962 }
1963
1964 if (!added)
1965 {
1966 crypto_msg(M_FATAL, "Cannot load CA certificate file %s (no entries were read)",
1967 print_key_filename(ca_file, ca_file_inline));
1968 }
1969
1970 if (tls_server)
1971 {
1972 if (cnum != added)
1973 {
1974 crypto_msg(M_FATAL,
1975 "Cannot load CA certificate file %s (only %d "
1976 "of %d entries were valid X509 names)",
1977 print_key_filename(ca_file, ca_file_inline), cnum, added);
1978 }
1979 }
1980
1981 BIO_free(in);
1982 }
1983
1984 /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
1985 if (ca_path)
1986 {
1987 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1988 if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
1989 {
1990 msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
1991 }
1992 else
1993 {
1994 crypto_msg(M_FATAL, "Cannot add lookup at --capath %s", ca_path);
1995 }
1996 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1997 }
1998}
1999
2000void
2001tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file,
2002 bool extra_certs_file_inline)
2003{
2004 BIO *in;
2005 if (extra_certs_file_inline)
2006 {
2007 in = BIO_new_mem_buf((char *)extra_certs_file, -1);
2008 }
2009 else
2010 {
2011 in = BIO_new_file(extra_certs_file, "r");
2012 }
2013
2014 if (in == NULL)
2015 {
2016 crypto_msg(M_FATAL, "Cannot load extra-certs file: %s",
2017 print_key_filename(extra_certs_file, extra_certs_file_inline));
2018 }
2019 else
2020 {
2021 tls_ctx_add_extra_certs(ctx, in, false);
2022 }
2023
2024 BIO_free(in);
2025}
2026
2027/* **************************************
2028 *
2029 * Key-state specific functions
2030 *
2031 ***************************************/
2032/*
2033 *
2034 * BIO functions
2035 *
2036 */
2037
2038#ifdef BIO_DEBUG
2039
2040#warning BIO_DEBUG defined
2041
2042static FILE *biofp; /* GLOBAL */
2043static bool biofp_toggle; /* GLOBAL */
2044static time_t biofp_last_open; /* GLOBAL */
2045static const int biofp_reopen_interval = 600; /* GLOBAL */
2046
2047static void
2048close_biofp(void)
2049{
2050 if (biofp)
2051 {
2052 ASSERT(!fclose(biofp));
2053 biofp = NULL;
2054 }
2055}
2056
2057static void
2058open_biofp(void)
2059{
2060 const time_t current = time(NULL);
2061 const pid_t pid = getpid();
2062
2063 if (biofp_last_open + biofp_reopen_interval < current)
2064 {
2065 close_biofp();
2066 }
2067 if (!biofp)
2068 {
2069 char fn[256];
2070 snprintf(fn, sizeof(fn), "bio/%d-%d.log", pid, biofp_toggle);
2071 biofp = fopen(fn, "w");
2072 ASSERT(biofp);
2073 biofp_last_open = time(NULL);
2074 biofp_toggle ^= 1;
2075 }
2076}
2077
2078static void
2079bio_debug_data(const char *mode, BIO *bio, const uint8_t *buf, int len, const char *desc)
2080{
2081 struct gc_arena gc = gc_new();
2082 if (len > 0)
2083 {
2084 open_biofp();
2085 fprintf(biofp, "BIO_%s %s time=%" PRIi64 " bio=" ptr_format " len=%d data=%s\n", mode, desc,
2086 (int64_t)time(NULL), (ptr_type)bio, len, format_hex(buf, len, 0, &gc));
2087 fflush(biofp);
2088 }
2089 gc_free(&gc);
2090}
2091
2092static void
2093bio_debug_oc(const char *mode, BIO *bio)
2094{
2095 open_biofp();
2096 fprintf(biofp, "BIO %s time=%" PRIi64 " bio=" ptr_format "\n", mode, (int64_t)time(NULL),
2097 (ptr_type)bio);
2098 fflush(biofp);
2099}
2100
2101#endif /* ifdef BIO_DEBUG */
2102
2103/*
2104 * Write to an OpenSSL BIO in non-blocking mode.
2105 */
2106static int
2107bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
2108{
2109 int i;
2110 int ret = 0;
2111 ASSERT(size >= 0);
2112 if (size)
2113 {
2114 /*
2115 * Free the L_TLS lock prior to calling BIO routines
2116 * so that foreground thread can still call
2117 * tls_pre_decrypt or tls_pre_encrypt,
2118 * allowing tunnel packet forwarding to continue.
2119 */
2120#ifdef BIO_DEBUG
2121 bio_debug_data("write", bio, data, size, desc);
2122#endif
2123 i = BIO_write(bio, data, size);
2124
2125 if (i < 0)
2126 {
2127 if (!BIO_should_retry(bio))
2128 {
2129 crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s error", desc);
2130 ret = -1;
2131 ERR_clear_error();
2132 }
2133 }
2134 else if (i != size)
2135 {
2136 crypto_msg(D_TLS_ERRORS, "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size);
2137 ret = -1;
2138 ERR_clear_error();
2139 }
2140 else
2141 { /* successful write */
2142 dmsg(D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i);
2143 ret = 1;
2144 }
2145 }
2146 return ret;
2147}
2148
2149/*
2150 * Inline functions for reading from and writing
2151 * to BIOs.
2152 */
2153
2154static void
2155bio_write_post(const int status, struct buffer *buf)
2156{
2157 /* success status return from bio_write? */
2158 if (status == 1)
2159 {
2160 memset(BPTR(buf), 0, BLENZ(buf)); /* erase data just written */
2161 buf->len = 0;
2162 }
2163}
2164
2165/*
2166 * Read from an OpenSSL BIO in non-blocking mode.
2167 */
2168static int
2169bio_read(BIO *bio, struct buffer *buf, const char *desc)
2170{
2171 ASSERT(buf->len >= 0);
2172 if (buf->len)
2173 {
2174 /* we only want to write empty buffers, ignore read request
2175 * if the buffer is not empty */
2176 return 0;
2177 }
2178 int len = buf_forward_capacity(buf);
2179
2180 /*
2181 * BIO_read brackets most of the serious RSA
2182 * key negotiation number crunching.
2183 */
2184 int i = BIO_read(bio, BPTR(buf), len);
2185
2186 VALGRIND_MAKE_READABLE((void *)&i, sizeof(i));
2187
2188#ifdef BIO_DEBUG
2189 bio_debug_data("read", bio, BPTR(buf), i, desc);
2190#endif
2191
2192 int ret = 0;
2193 if (i < 0)
2194 {
2195 if (!BIO_should_retry(bio))
2196 {
2197 crypto_msg(D_TLS_ERRORS, "TLS_ERROR: BIO read %s error", desc);
2198 buf->len = 0;
2199 ret = -1;
2200 ERR_clear_error();
2201 }
2202 }
2203 else if (!i)
2204 {
2205 buf->len = 0;
2206 }
2207 else
2208 { /* successful read */
2209 dmsg(D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i);
2210 buf->len = i;
2211 ret = 1;
2212 VALGRIND_MAKE_READABLE((void *)BPTR(buf), BLEN(buf));
2213 }
2214 return ret;
2215}
2216
2217void
2218key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server,
2219 struct tls_session *session)
2220{
2221 ASSERT(NULL != ssl_ctx);
2222 ASSERT(ks_ssl);
2223 CLEAR(*ks_ssl);
2224
2225 ks_ssl->ssl = SSL_new(ssl_ctx->ctx);
2226 if (!ks_ssl->ssl)
2227 {
2228 crypto_msg(M_FATAL, "SSL_new failed");
2229 }
2230
2231 /* put session * in ssl object so we can access it
2232 * from verify callback*/
2233 SSL_set_ex_data(ks_ssl->ssl, mydata_index, session);
2234
2235 ASSERT((ks_ssl->ssl_bio = BIO_new(BIO_f_ssl())));
2236 ASSERT((ks_ssl->ct_in = BIO_new(BIO_s_mem())));
2237 ASSERT((ks_ssl->ct_out = BIO_new(BIO_s_mem())));
2238
2239#ifdef BIO_DEBUG
2240 bio_debug_oc("open ssl_bio", ks_ssl->ssl_bio);
2241 bio_debug_oc("open ct_in", ks_ssl->ct_in);
2242 bio_debug_oc("open ct_out", ks_ssl->ct_out);
2243#endif
2244
2245 if (is_server)
2246 {
2247 SSL_set_accept_state(ks_ssl->ssl);
2248 }
2249 else
2250 {
2251 SSL_set_connect_state(ks_ssl->ssl);
2252 }
2253
2254 SSL_set_bio(ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out);
2255 BIO_set_ssl(ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE);
2256}
2257
2258void
2259key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
2260{
2261 SSL_set_shutdown(ks_ssl->ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2262}
2263
2264void
2265key_state_ssl_free(struct key_state_ssl *ks_ssl)
2266{
2267 if (ks_ssl->ssl)
2268 {
2269#ifdef BIO_DEBUG
2270 bio_debug_oc("close ssl_bio", ks_ssl->ssl_bio);
2271 bio_debug_oc("close ct_in", ks_ssl->ct_in);
2272 bio_debug_oc("close ct_out", ks_ssl->ct_out);
2273#endif
2274 BIO_free_all(ks_ssl->ssl_bio);
2275 SSL_free(ks_ssl->ssl);
2276 }
2277}
2278
2279int
2280key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2281{
2282 int ret = 0;
2283
2284 ASSERT(NULL != ks_ssl);
2285
2286 ret = bio_write(ks_ssl->ssl_bio, BPTR(buf), BLEN(buf), "tls_write_plaintext");
2287 bio_write_post(ret, buf);
2288
2289 return ret;
2290}
2291
2292int
2293key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
2294{
2295 int ret = 0;
2296
2297 ASSERT(NULL != ks_ssl);
2298
2299 ret = bio_write(ks_ssl->ssl_bio, data, len, "tls_write_plaintext_const");
2300
2301 return ret;
2302}
2303
2304int
2305key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2306{
2307 int ret = 0;
2308
2309 ASSERT(NULL != ks_ssl);
2310
2311 ret = bio_read(ks_ssl->ct_out, buf, "tls_read_ciphertext");
2312
2313 return ret;
2314}
2315
2316int
2317key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2318{
2319 int ret = 0;
2320
2321 ASSERT(NULL != ks_ssl);
2322
2323 ret = bio_write(ks_ssl->ct_in, BPTR(buf), BLEN(buf), "tls_write_ciphertext");
2324 bio_write_post(ret, buf);
2325
2326 return ret;
2327}
2328
2329int
2330key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
2331{
2332 int ret = 0;
2333
2334 ASSERT(NULL != ks_ssl);
2335
2336 ret = bio_read(ks_ssl->ssl_bio, buf, "tls_read_plaintext");
2337
2338 return ret;
2339}
2340
2341static void
2342print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
2343{
2344 const char *curve = "";
2345 const char *type = "(error getting type)";
2346
2347 if (pkey == NULL)
2348 {
2349 buf[0] = 0;
2350 return;
2351 }
2352
2353 int typeid = EVP_PKEY_id(pkey);
2354#if OPENSSL_VERSION_NUMBER < 0x30000000L
2355 bool is_ec = typeid == EVP_PKEY_EC;
2356#else
2357 bool is_ec = EVP_PKEY_is_a(pkey, "EC");
2358#endif
2359
2360#ifndef OPENSSL_NO_EC
2361 char groupname[64];
2362 if (is_ec)
2363 {
2364 size_t len;
2365 if (EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len))
2366 {
2367 curve = groupname;
2368 }
2369 else
2370 {
2371 curve = "(error getting curve name)";
2372 }
2373 }
2374#endif
2375 if (typeid != 0)
2376 {
2377#if OPENSSL_VERSION_NUMBER < 0x30000000L
2378 type = OBJ_nid2sn(typeid);
2379
2380 /* OpenSSL reports rsaEncryption, dsaEncryption and
2381 * id-ecPublicKey, map these values to nicer ones */
2382 if (typeid == EVP_PKEY_RSA)
2383 {
2384 type = "RSA";
2385 }
2386 else if (typeid == EVP_PKEY_DSA)
2387 {
2388 type = "DSA";
2389 }
2390 else if (typeid == EVP_PKEY_EC)
2391 {
2392 /* EC gets the curve appended after the type */
2393 type = "EC, curve ";
2394 }
2395 else if (type == NULL)
2396 {
2397 type = "unknown type";
2398 }
2399#else /* OpenSSL >= 3 */
2400 type = EVP_PKEY_get0_type_name(pkey);
2401 if (type == NULL)
2402 {
2403 type = "(error getting public key type)";
2404 }
2405#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */
2406 }
2407
2408 snprintf(buf, buflen, "%d bits %s%s", EVP_PKEY_bits(pkey), type, curve);
2409}
2410
2417static void
2418print_cert_details(X509 *cert, char *buf, size_t buflen)
2419{
2420 EVP_PKEY *pkey = X509_get_pubkey(cert);
2421 char pkeybuf[64] = { 0 };
2422 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
2423
2424 char sig[128] = { 0 };
2425 int signature_nid = X509_get_signature_nid(cert);
2426 if (signature_nid != 0)
2427 {
2428 snprintf(sig, sizeof(sig), ", signature: %s", OBJ_nid2sn(signature_nid));
2429 }
2430
2431 snprintf(buf, buflen, ", peer certificate: %s%s", pkeybuf, sig);
2432
2433 EVP_PKEY_free(pkey);
2434}
2435
2436static void
2437print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
2438{
2439 EVP_PKEY *pkey = NULL;
2440 SSL_get_peer_tmp_key(ssl, &pkey);
2441 if (!pkey)
2442 {
2443 return;
2444 }
2445
2446 char pkeybuf[128] = { 0 };
2447 print_pkey_details(pkey, pkeybuf, sizeof(pkeybuf));
2448
2449 snprintf(buf, buflen, ", peer temporary key: %s", pkeybuf);
2450
2451 EVP_PKEY_free(pkey);
2452}
2453
2454#if !defined(LIBRESSL_VERSION_NUMBER) \
2455 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2461static const char *
2462get_sigtype(int nid)
2463{
2464 /* Fix a few OpenSSL names to be better understandable */
2465 switch (nid)
2466 {
2467 case EVP_PKEY_RSA:
2468 /* will otherwise say rsaEncryption */
2469 return "RSA";
2470
2471 case EVP_PKEY_DSA:
2472 /* dsaEncryption otherwise */
2473 return "DSA";
2474
2475 case EVP_PKEY_EC:
2476 /* will say id-ecPublicKey */
2477 return "ECDSA";
2478
2479 case -1:
2480 return "(error getting name)";
2481
2482 default:
2483 {
2484 const char *type = OBJ_nid2sn(nid);
2485 if (!type)
2486 {
2487 /* This is unlikely to ever happen as OpenSSL is unlikely to
2488 * return an NID it cannot resolve itself but we silence
2489 * linter/code checkers here */
2490 type = "(error getting name, OBJ_nid2sn failed)";
2491 }
2492 return type;
2493 }
2494 }
2495}
2496#endif /* ifndef LIBRESSL_VERSION_NUMBER */
2497
2502static void
2503print_peer_signature(SSL *ssl, char *buf, size_t buflen)
2504{
2505 int peer_sig_type_nid = NID_undef;
2506 const char *peer_sig_unknown = "unknown";
2507 const char *peer_sig = peer_sig_unknown;
2508 const char *peer_sig_type = "unknown type";
2509
2510 const char *signame = NULL;
2511 SSL_get0_peer_signature_name(ssl, &signame);
2512 if (signame)
2513 {
2514 peer_sig = signame;
2515 }
2516
2517#if !defined(LIBRESSL_VERSION_NUMBER) \
2518 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2519 /* LibreSSL 3.7.x and 3.8.x implement this function but do not export it
2520 * and fail linking with an unresolved symbol */
2521 if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) && peer_sig_type_nid != NID_undef)
2522 {
2523 peer_sig_type = get_sigtype(peer_sig_type_nid);
2524 }
2525#endif
2526
2527 if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef)
2528 {
2529 return;
2530 }
2531
2532 snprintf(buf, buflen, ", peer signing digest/type: %s %s", peer_sig, peer_sig_type);
2533}
2534
2535#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2536void
2537print_tls_key_agreement_group(SSL *ssl, char *buf, size_t buflen)
2538{
2539 const char *groupname = SSL_get0_group_name(ssl);
2540 if (!groupname)
2541 {
2542 snprintf(buf, buflen, ", key agreement: (error fetching group)");
2543 }
2544 else
2545 {
2546 snprintf(buf, buflen, ", key agreement: %s", groupname);
2547 }
2548}
2549#endif
2550
2551/* **************************************
2552 *
2553 * Information functions
2554 *
2555 * Print information for the end user.
2556 *
2557 ***************************************/
2558void
2559print_details(struct key_state_ssl *ks_ssl, const char *prefix)
2560{
2561 const SSL_CIPHER *ciph;
2562 char s1[256];
2563 char s2[256];
2564 char s3[256];
2565 char s4[256];
2566 char s5[256];
2567
2568 s1[0] = s2[0] = s3[0] = s4[0] = s5[0] = 0;
2569 ciph = SSL_get_current_cipher(ks_ssl->ssl);
2570 snprintf(s1, sizeof(s1), "%s %s, cipher %s %s", prefix, SSL_get_version(ks_ssl->ssl),
2571 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
2572 X509 *cert = SSL_get_peer_certificate(ks_ssl->ssl);
2573
2574 if (cert)
2575 {
2576 print_cert_details(cert, s2, sizeof(s2));
2577 X509_free(cert);
2578 }
2579 print_server_tempkey(ks_ssl->ssl, s3, sizeof(s3));
2580 print_peer_signature(ks_ssl->ssl, s4, sizeof(s4));
2581#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2582 print_tls_key_agreement_group(ks_ssl->ssl, s5, sizeof(s5));
2583#endif
2584
2585 msg(D_HANDSHAKE, "%s%s%s%s%s", s1, s2, s3, s4, s5);
2586}
2587
2588void
2589show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
2590{
2591 struct tls_root_ctx tls_ctx;
2592
2593 tls_ctx.ctx = SSL_CTX_new(SSLv23_method());
2594 if (!tls_ctx.ctx)
2595 {
2596 crypto_msg(M_FATAL, "Cannot create SSL_CTX object");
2597 }
2598
2599#if defined(TLS1_3_VERSION)
2600 if (tls13)
2601 {
2602 SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
2603 tls_ctx_restrict_ciphers_tls13(&tls_ctx, cipher_list);
2604 }
2605 else
2606#endif
2607 {
2608 SSL_CTX_set_max_proto_version(tls_ctx.ctx, TLS1_2_VERSION);
2609 tls_ctx_restrict_ciphers(&tls_ctx, cipher_list);
2610 }
2611
2612 tls_ctx_set_cert_profile(&tls_ctx, tls_cert_profile);
2613
2614 SSL *ssl = SSL_new(tls_ctx.ctx);
2615 if (!ssl)
2616 {
2617 crypto_msg(M_FATAL, "Cannot create SSL object");
2618 }
2619
2620#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) || defined(ENABLE_CRYPTO_WOLFSSL)
2621 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
2622#else
2623 STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
2624#endif
2625 for (int i = 0; i < sk_SSL_CIPHER_num(sk); i++)
2626 {
2627 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
2628
2629 const char *cipher_name = SSL_CIPHER_get_name(c);
2630
2631 const tls_cipher_name_pair *pair =
2632 tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
2633
2634 if (tls13)
2635 {
2636 printf("%s\n", cipher_name);
2637 }
2638 else if (NULL == pair)
2639 {
2640 /* No translation found, print warning */
2641 printf("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
2642 }
2643 else
2644 {
2645 printf("%s\n", pair->iana_name);
2646 }
2647 }
2648#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
2649 sk_SSL_CIPHER_free(sk);
2650#endif
2651 SSL_free(ssl);
2652 SSL_CTX_free(tls_ctx.ctx);
2653}
2654
2655/*
2656 * Show the Elliptic curves that are available for us to use
2657 * in the OpenSSL library.
2658 */
2659void
2660show_available_curves(void)
2661{
2662 printf("Consider using 'openssl ecparam -list_curves' as alternative to running\n"
2663 "this command.\n"
2664 "Note this output does only list curves/groups that OpenSSL considers as\n"
2665 "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
2666#ifndef OPENSSL_NO_EC
2667 EC_builtin_curve *curves = NULL;
2668 size_t crv_len = 0;
2669 size_t n = 0;
2670
2671 crv_len = EC_get_builtin_curves(NULL, 0);
2672 ALLOC_ARRAY(curves, EC_builtin_curve, crv_len);
2673 if (EC_get_builtin_curves(curves, crv_len))
2674 {
2675 printf("\nAvailable Elliptic curves/groups:\n");
2676 for (n = 0; n < crv_len; n++)
2677 {
2678 const char *sname;
2679 sname = OBJ_nid2sn(curves[n].nid);
2680 if (sname == NULL)
2681 {
2682 sname = "";
2683 }
2684
2685 printf("%s\n", sname);
2686 }
2687 }
2688 else
2689 {
2690 crypto_msg(M_FATAL, "Cannot get list of builtin curves");
2691 }
2692 free(curves);
2693#else /* ifndef OPENSSL_NO_EC */
2694 msg(M_WARN, "Your OpenSSL library was built without elliptic curve support. "
2695 "No curves available.");
2696#endif /* ifndef OPENSSL_NO_EC */
2697}
2698
2699const char *
2700get_ssl_library_version(void)
2701{
2702 return OpenSSL_version(OPENSSL_VERSION);
2703}
2704
2705
2707#ifdef HAVE_XKEY_PROVIDER
2708static int
2709provider_load(OSSL_PROVIDER *prov, void *dest_libctx)
2710{
2711 const char *name = OSSL_PROVIDER_get0_name(prov);
2712 OSSL_PROVIDER_load(dest_libctx, name);
2713 return 1;
2714}
2715
2716static int
2717provider_unload(OSSL_PROVIDER *prov, void *unused)
2718{
2719 (void)unused;
2720 OSSL_PROVIDER_unload(prov);
2721 return 1;
2722}
2723#endif /* HAVE_XKEY_PROVIDER */
2724
2732void
2733load_xkey_provider(void)
2734{
2735#ifdef HAVE_XKEY_PROVIDER
2736
2737 /* Make a new library context for use in TLS context */
2738 if (!tls_libctx)
2739 {
2740 tls_libctx = OSSL_LIB_CTX_new();
2741 check_malloc_return(tls_libctx);
2742
2743 /* Load all providers in default LIBCTX into this libctx.
2744 * OpenSSL has a child libctx functionality to automate this,
2745 * but currently that is usable only from within providers.
2746 * So we do something close to it manually here.
2747 */
2748 OSSL_PROVIDER_do_all(NULL, provider_load, tls_libctx);
2749 }
2750
2751 if (!OSSL_PROVIDER_available(tls_libctx, "ovpn.xkey"))
2752 {
2753 OSSL_PROVIDER_add_builtin(tls_libctx, "ovpn.xkey", xkey_provider_init);
2754 if (!OSSL_PROVIDER_load(tls_libctx, "ovpn.xkey"))
2755 {
2756 msg(M_NONFATAL, "ERROR: failed loading external key provider: "
2757 "Signing with external keys will not work.");
2758 }
2759 }
2760
2761 /* We only implement minimal functionality in ovpn.xkey, so we do not want
2762 * methods in xkey to be picked unless absolutely required (i.e, when the key
2763 * is external). Ensure this by setting a default propquery for the custom
2764 * libctx that unprefers, but does not forbid, ovpn.xkey. See also man page
2765 * of "property" in OpenSSL 3.0.
2766 */
2767 EVP_set_default_properties(tls_libctx, "?provider!=ovpn.xkey");
2768
2769#endif /* HAVE_XKEY_PROVIDER */
2770}
2771
2775static void
2776unload_xkey_provider(void)
2777{
2778#ifdef HAVE_XKEY_PROVIDER
2779 if (tls_libctx)
2780 {
2781 OSSL_PROVIDER_do_all(tls_libctx, provider_unload, NULL);
2782 OSSL_LIB_CTX_free(tls_libctx);
2783 }
2784#endif /* HAVE_XKEY_PROVIDER */
2785 tls_libctx = NULL;
2786}
2787
2788#endif /* defined(ENABLE_CRYPTO_OPENSSL) */
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:648
BPTR
#define BPTR(buf)
Definition buffer.h:123
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1110
buf_forward_capacity
static int buf_forward_capacity(const struct buffer *buf)
Definition buffer.h:540
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:415
BLEN
#define BLEN(buf)
Definition buffer.h:126
format_hex
static char * format_hex(const uint8_t *data, size_t size, size_t maxoutput, struct gc_arena *gc)
Definition buffer.h:504
BLENZ
#define BLENZ(buf)
Definition buffer.h:127
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1131
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
ALLOC_ARRAY
#define ALLOC_ARRAY(dptr, type, n)
Definition buffer.h:1094
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
ptr_type
unsigned long ptr_type
Definition common.h:59
ptr_format
#define ptr_format
Definition common.h:50
strsep
char * strsep(char **stringp, const char *delim)
Definition compat-strsep.c:35
print_key_filename
const char * print_key_filename(const char *str, bool is_inline)
To be used when printing a string that may contain inline data.
Definition crypto.c:1279
crypto_print_openssl_errors
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
Definition crypto_openssl.c:230
crypto_msg
#define crypto_msg(flags,...)
Retrieve any OpenSSL errors, then print the supplied error message.
Definition crypto_openssl.h:116
SSL_CTX_use_CryptoAPI_certificate
int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
Definition cryptoapi.c:58
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_HANDSHAKE_VERBOSE
#define D_HANDSHAKE_VERBOSE
Definition errlevel.h:155
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
D_LOW
#define D_LOW
Definition errlevel.h:96
M_INFO
#define M_INFO
Definition errlevel.h:54
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:164
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition ssl_openssl.c:2330
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition ssl_openssl.c:2317
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition ssl_openssl.c:2305
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition ssl_openssl.c:2293
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition ssl_openssl.c:2280
verify_callback
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
constrain_int
static int constrain_int(int x, int min, int max)
Definition integer.h:118
status
static SERVICE_STATUS status
Definition interactive.c:51
management_auth_failure
void management_auth_failure(struct management *man, const char *type, const char *reason)
Definition manage.c:3212
management_query_pk_sig
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
Definition manage.c:3879
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:474
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:67
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:113
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:115
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:155
openssl_compat.h
OpenSSL compatibility stub.
OSSL_PROVIDER
void OSSL_PROVIDER
Definition openssl_compat.h:122
SSL_get0_peer_signature_name
static int SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
Definition openssl_compat.h:168
OSSL_LIB_CTX
void OSSL_LIB_CTX
Definition openssl_compat.h:121
EVP_PKEY_get_group_name
static int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
Definition openssl_compat.h:84
SSL_CTX_set1_groups
#define SSL_CTX_set1_groups
Definition openssl_compat.h:59
SSL_CTX_new_ex
#define SSL_CTX_new_ex(libctx, propq, method)
Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3.
Definition openssl_compat.h:118
CLEAR
#define CLEAR(x)
Definition basic.h:32
M_FATAL
#define M_FATAL
Definition error.h:90
M_NONFATAL
#define M_NONFATAL
Definition error.h:91
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_DEBUG
#define M_DEBUG
Definition error.h:93
M_WARN
#define M_WARN
Definition error.h:92
streq
#define streq(x, y)
Definition options.h:721
now
time_t now
Definition otime.c:33
platform_fopen
FILE * platform_fopen(const char *path, const char *mode)
Definition platform.c:500
openvpn_base64_decode
int openvpn_base64_decode(const char *str, void *data, int size)
Definition base64.c:160
openvpn_base64_encode
int openvpn_base64_encode(const void *data, int size, char **str)
Definition base64.c:51
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:259
ssl_backend.h
Control Channel SSL library backend module.
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
TLS_VER_1_1
#define TLS_VER_1_1
Definition ssl_backend.h:106
ssl_common.h
Control Channel Common Data Structures.
SSLF_TLS_VERSION_MAX_SHIFT
#define SSLF_TLS_VERSION_MAX_SHIFT
Definition ssl_common.h:432
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_OPTIONAL
Definition ssl_common.h:425
SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_CLIENT_CERT_NOT_REQUIRED
Definition ssl_common.h:424
SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MAX_MASK
Definition ssl_common.h:433
SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_SHIFT
Definition ssl_common.h:430
SSLF_TLS_VERSION_MIN_MASK
#define SSLF_TLS_VERSION_MIN_MASK
Definition ssl_common.h:431
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition ssl_openssl.c:580
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
bio_read
static int bio_read(BIO *bio, struct buffer *buf, const char *desc)
Definition ssl_openssl.c:2169
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2700
openvpn_extkey_ec_finish
static void openvpn_extkey_ec_finish(EC_KEY *ec)
Definition ssl_openssl.c:1645
tls_ctx_set_tls_versions
static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Definition ssl_openssl.c:280
bio_write
static int bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
Definition ssl_openssl.c:2107
openvpn_extkey_rsa_finish
static int openvpn_extkey_rsa_finish(RSA *rsa)
Definition ssl_openssl.c:1495
tls_ctx_use_external_ec_key
static int tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
Definition ssl_openssl.c:1709
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:159
load_xkey_provider
void load_xkey_provider(void)
Some helper routines for provider load/unload.
Definition ssl_openssl.c:2733
print_pkey_details
static void print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
Definition ssl_openssl.c:2342
print_server_tempkey
static void print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
Definition ssl_openssl.c:2437
rsa_pub_enc
static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition ssl_openssl.c:1471
tls_ctx_add_extra_certs
static void tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
Definition ssl_openssl.c:1123
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
Definition ssl_openssl.c:2589
load_pkey_from_uri
static void * load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx)
Load private key from OSSL_STORE URI or file uri : URI of object or filename ssl_ctx : SSL_CTX for UI...
Definition ssl_openssl.c:907
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition ssl_openssl.c:103
show_available_curves
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
Definition ssl_openssl.c:2660
openssl_tls_version
static uint16_t openssl_tls_version(unsigned int ver)
Convert internal version number to openssl version number.
Definition ssl_openssl.c:243
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition ssl_openssl.c:2265
ecdsa_sign
static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
Definition ssl_openssl.c:1657
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition ssl_openssl.c:1341
cert_verify_callback
static int cert_verify_callback(X509_STORE_CTX *ctx, void *arg)
Definition ssl_openssl.c:310
key_state_ssl_shutdown
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition ssl_openssl.c:2259
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition ssl_openssl.c:2001
print_peer_signature
static void print_peer_signature(SSL *ssl, char *buf, size_t buflen)
Get the type of the signature that is used by the peer during the TLS handshake.
Definition ssl_openssl.c:2503
tls_libctx
OSSL_LIB_CTX * tls_libctx
Definition ssl_openssl.c:78
get_sigtype
static const char * get_sigtype(int nid)
Translate an OpenSSL NID into a more human readable name.
Definition ssl_openssl.c:2462
mydata_index
int mydata_index
Allocate space in SSL objects in which to store a struct tls_session pointer back to parent.
Definition ssl_openssl.c:88
print_cert_details
static void print_cert_details(X509 *cert, char *buf, size_t buflen)
Print human readable information about the certificate into buf.
Definition ssl_openssl.c:2418
ecdsa_sign_setup
static int ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
Definition ssl_openssl.c:1678
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition ssl_openssl.c:639
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition ssl_openssl.c:510
cert_uri_supported
static bool cert_uri_supported(void)
Definition ssl_openssl.c:1156
rsa_priv_dec
static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition ssl_openssl.c:1487
INFO_CALLBACK_SSL_CONST
#define INFO_CALLBACK_SSL_CONST
Definition ssl_openssl.c:181
rsa_pub_dec
static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition ssl_openssl.c:1479
bio_write_post
static void bio_write_post(const int status, struct buffer *buf)
Definition ssl_openssl.c:2155
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition ssl_openssl.c:976
tls_ctx_initialised
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
Definition ssl_openssl.c:150
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition ssl_openssl.c:2218
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
unload_xkey_provider
static void unload_xkey_provider(void)
Undo steps in load_xkey_provider.
Definition ssl_openssl.c:2776
get_rsa_padding_name
const char * get_rsa_padding_name(const int padding)
Definition ssl_openssl.c:1510
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:787
get_sig_from_man
static int get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, unsigned int siglen, const char *algorithm)
Pass the input hash in 'dgst' to management and get the signature back.
Definition ssl_openssl.c:1537
tls_ctx_load_cert_uri
static void tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
Definition ssl_openssl.c:1166
rsa_priv_enc
static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition ssl_openssl.c:1562
convert_tls_list_to_openssl
static void convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
Definition ssl_openssl.c:375
tls_ctx_load_cert_pem_file
static void tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Definition ssl_openssl.c:1268
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
Definition ssl_openssl.c:2559
info_callback
static void info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
Definition ssl_openssl.c:184
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:207
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition ssl_openssl.c:1395
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition ssl_openssl.c:449
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1850
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition ssl_openssl.c:538
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition ssl_openssl.c:1771
tls_ctx_use_external_rsa_key
static int tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
Definition ssl_openssl.c:1578
ecdsa_sign_sig
static ECDSA_SIG * ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec)
Definition ssl_openssl.c:1688
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition ssl_openssl.c:1109
convert_tls13_list_to_openssl
static void convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
Definition ssl_openssl.c:485
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition ssl_openssl.c:326
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:729
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition ssl_openssl.c:121
sk_x509_name_cmp
static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
Definition ssl_openssl.c:1844
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Definition ssl_openssl.c:1328
get_num_elements
int get_num_elements(const char *string, char delimiter)
Returns the occurrences of 'delimiter' in a string +1 This is typically used to find out the number e...
Definition ssl_util.c:304
tls_get_cipher_name_pair
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition ssl_util.c:285
ssl_util.h
SSL utility functions.
ssl_verify_openssl.h
Control Channel Verification Module OpenSSL backend.
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key_state_ssl
Definition ssl_mbedtls.h:138
key_state_ssl::ct_in
BIO * ct_in
Definition ssl_openssl.h:51
key_state_ssl::ssl
SSL * ssl
Definition ssl_openssl.h:49
key_state_ssl::ssl_bio
BIO * ssl_bio
Definition ssl_openssl.h:50
key_state_ssl::ct_out
BIO * ct_out
Definition ssl_openssl.h:52
signame
Definition sig.c:47
tls_cipher_name_pair
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name.
Definition ssl_util.h:77
tls_cipher_name_pair::iana_name
const char * iana_name
Definition ssl_util.h:79
tls_cipher_name_pair::openssl_name
const char * openssl_name
Definition ssl_util.h:78
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:114
tls_root_ctx::STACK_OF
STACK_OF(X509_CRL) *crls
tls_root_ctx::ctx
SSL_CTX * ctx
Definition ssl_openssl.h:41
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
user_pass
Definition misc.h:55
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:71
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:133
xkey_common.h
Generated by doxygen 1.9.8