This removes support for PolarSSL 1.2. The mimimum version of PolarSSL
required is now 1.3.3. The upgrade brings OpenVPN-with-PolarSSL:
* Support for EC-crypto in TLS (but not yet for external
pkcs11/management keys)
* Support for AES-NI (if PolarSSL is compiled with AES-NI support)
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Message-Id: <53528943.3090205@fox-it.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/8555
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -844,13 +844,13 @@ if test "${with_crypto_library}" = "polarssl" ; then |
844 | 844 |
#include <polarssl/version.h> |
845 | 845 |
]], |
846 | 846 |
[[ |
847 |
-#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000 |
|
847 |
+#if POLARSSL_VERSION_NUMBER < 0x01030300 || POLARSSL_VERSION_NUMBER >= 0x01040000 |
|
848 | 848 |
#error invalid version |
849 | 849 |
#endif |
850 | 850 |
]] |
851 | 851 |
)], |
852 | 852 |
[AC_MSG_RESULT([ok])], |
853 |
- [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])] |
|
853 |
+ [AC_MSG_ERROR([PolarSSL 1.3.x required and must be 1.3.3 or later])] |
|
854 | 854 |
) |
855 | 855 |
|
856 | 856 |
polarssl_with_pkcs11="no" |
... | ... |
@@ -466,7 +466,12 @@ int cipher_ctx_mode (const cipher_context_t *ctx) |
466 | 466 |
|
467 | 467 |
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) |
468 | 468 |
{ |
469 |
- return 0 == cipher_reset(ctx, iv_buf); |
|
469 |
+ int retval = cipher_reset(ctx); |
|
470 |
+ |
|
471 |
+ if (0 == retval) |
|
472 |
+ retval = cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size); |
|
473 |
+ |
|
474 |
+ return 0 == retval; |
|
470 | 475 |
} |
471 | 476 |
|
472 | 477 |
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, |
... | ... |
@@ -40,6 +40,7 @@ |
40 | 40 |
#include "errlevel.h" |
41 | 41 |
#include "pkcs11_backend.h" |
42 | 42 |
#include <polarssl/pkcs11.h> |
43 |
+#include <polarssl/x509.h> |
|
43 | 44 |
|
44 | 45 |
int |
45 | 46 |
pkcs11_init_tls_session(pkcs11h_certificate_t certificate, |
... | ... |
@@ -78,14 +79,14 @@ pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc) |
78 | 78 |
char *ret = NULL; |
79 | 79 |
char dn[1024] = {0}; |
80 | 80 |
|
81 |
- x509_cert polar_cert = {0}; |
|
81 |
+ x509_crt polar_cert = {0}; |
|
82 | 82 |
|
83 | 83 |
if (pkcs11_x509_cert_init(&polar_cert, cert)) { |
84 | 84 |
msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); |
85 | 85 |
goto cleanup; |
86 | 86 |
} |
87 | 87 |
|
88 |
- if (-1 == x509parse_dn_gets (dn, sizeof(dn), &polar_cert.subject)) { |
|
88 |
+ if (-1 == x509_dn_gets (dn, sizeof(dn), &polar_cert.subject)) { |
|
89 | 89 |
msg (M_FATAL, "PKCS#11: PolarSSL cannot parse subject"); |
90 | 90 |
goto cleanup; |
91 | 91 |
} |
... | ... |
@@ -93,7 +94,7 @@ pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc) |
93 | 93 |
ret = string_alloc(dn, gc); |
94 | 94 |
|
95 | 95 |
cleanup: |
96 |
- x509_free(&polar_cert); |
|
96 |
+ x509_crt_free(&polar_cert); |
|
97 | 97 |
|
98 | 98 |
return ret; |
99 | 99 |
} |
... | ... |
@@ -104,14 +105,14 @@ pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial, |
104 | 104 |
{ |
105 | 105 |
int ret = 1; |
106 | 106 |
|
107 |
- x509_cert polar_cert = {0}; |
|
107 |
+ x509_crt polar_cert = {0}; |
|
108 | 108 |
|
109 | 109 |
if (pkcs11_x509_cert_init(&polar_cert, cert)) { |
110 | 110 |
msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); |
111 | 111 |
goto cleanup; |
112 | 112 |
} |
113 | 113 |
|
114 |
- if (-1 == x509parse_serial_gets (serial, serial_len, &polar_cert.serial)) { |
|
114 |
+ if (-1 == x509_serial_gets (serial, serial_len, &polar_cert.serial)) { |
|
115 | 115 |
msg (M_FATAL, "PKCS#11: PolarSSL cannot parse serial"); |
116 | 116 |
goto cleanup; |
117 | 117 |
} |
... | ... |
@@ -119,7 +120,7 @@ pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial, |
119 | 119 |
ret = 0; |
120 | 120 |
|
121 | 121 |
cleanup: |
122 |
- x509_free(&polar_cert); |
|
122 |
+ x509_crt_free(&polar_cert); |
|
123 | 123 |
|
124 | 124 |
return ret; |
125 | 125 |
} |
... | ... |
@@ -45,12 +45,12 @@ |
45 | 45 |
#include "manage.h" |
46 | 46 |
#include "ssl_common.h" |
47 | 47 |
|
48 |
-#include <polarssl/sha2.h> |
|
49 | 48 |
#include <polarssl/havege.h> |
50 | 49 |
|
51 | 50 |
#include "ssl_verify_polarssl.h" |
52 | 51 |
#include <polarssl/error.h> |
53 | 52 |
#include <polarssl/pem.h> |
53 |
+#include <polarssl/sha256.h> |
|
54 | 54 |
|
55 | 55 |
void |
56 | 56 |
tls_init_lib() |
... | ... |
@@ -74,10 +74,10 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) |
74 | 74 |
CLEAR(*ctx); |
75 | 75 |
|
76 | 76 |
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); |
77 |
- ALLOC_OBJ_CLEAR(ctx->priv_key, rsa_context); |
|
77 |
+ ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); |
|
78 | 78 |
|
79 |
- ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_cert); |
|
80 |
- ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_cert); |
|
79 |
+ ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); |
|
80 |
+ ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); |
|
81 | 81 |
|
82 | 82 |
|
83 | 83 |
ctx->endpoint = SSL_IS_SERVER; |
... | ... |
@@ -91,10 +91,10 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) |
91 | 91 |
CLEAR(*ctx); |
92 | 92 |
|
93 | 93 |
ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); |
94 |
- ALLOC_OBJ_CLEAR(ctx->priv_key, rsa_context); |
|
94 |
+ ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); |
|
95 | 95 |
|
96 |
- ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_cert); |
|
97 |
- ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_cert); |
|
96 |
+ ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); |
|
97 |
+ ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); |
|
98 | 98 |
|
99 | 99 |
ctx->endpoint = SSL_IS_CLIENT; |
100 | 100 |
ctx->initialised = true; |
... | ... |
@@ -105,13 +105,13 @@ tls_ctx_free(struct tls_root_ctx *ctx) |
105 | 105 |
{ |
106 | 106 |
if (ctx) |
107 | 107 |
{ |
108 |
- rsa_free(ctx->priv_key); |
|
108 |
+ pk_free(ctx->priv_key); |
|
109 | 109 |
free(ctx->priv_key); |
110 | 110 |
|
111 |
- x509_free(ctx->ca_chain); |
|
111 |
+ x509_crt_free(ctx->ca_chain); |
|
112 | 112 |
free(ctx->ca_chain); |
113 | 113 |
|
114 |
- x509_free(ctx->crt_chain); |
|
114 |
+ x509_crt_free(ctx->crt_chain); |
|
115 | 115 |
free(ctx->crt_chain); |
116 | 116 |
|
117 | 117 |
dhm_free(ctx->dhm_ctx); |
... | ... |
@@ -215,12 +215,12 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, |
215 | 215 |
{ |
216 | 216 |
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline) |
217 | 217 |
{ |
218 |
- if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) |
|
218 |
+ if (0 != dhm_parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline))) |
|
219 | 219 |
msg (M_FATAL, "Cannot read inline DH parameters"); |
220 | 220 |
} |
221 | 221 |
else |
222 | 222 |
{ |
223 |
- if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file)) |
|
223 |
+ if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file)) |
|
224 | 224 |
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); |
225 | 225 |
} |
226 | 226 |
|
... | ... |
@@ -255,13 +255,13 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, |
255 | 255 |
|
256 | 256 |
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline) |
257 | 257 |
{ |
258 |
- if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline, |
|
258 |
+ if (0 != x509_crt_parse(ctx->crt_chain, cert_file_inline, |
|
259 | 259 |
strlen(cert_file_inline))) |
260 | 260 |
msg (M_FATAL, "Cannot load inline certificate file"); |
261 | 261 |
} |
262 | 262 |
else |
263 | 263 |
{ |
264 |
- if (0 != x509parse_crtfile(ctx->crt_chain, cert_file)) |
|
264 |
+ if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file)) |
|
265 | 265 |
msg (M_FATAL, "Cannot load certificate file %s", cert_file); |
266 | 266 |
} |
267 | 267 |
} |
... | ... |
@@ -276,26 +276,27 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, |
276 | 276 |
|
277 | 277 |
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline) |
278 | 278 |
{ |
279 |
- status = x509parse_key(ctx->priv_key, |
|
279 |
+ status = pk_parse_key(ctx->priv_key, |
|
280 | 280 |
priv_key_file_inline, strlen(priv_key_file_inline), |
281 | 281 |
NULL, 0); |
282 |
+ |
|
282 | 283 |
if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status) |
283 | 284 |
{ |
284 | 285 |
char passbuf[512] = {0}; |
285 | 286 |
pem_password_callback(passbuf, 512, 0, NULL); |
286 |
- status = x509parse_key(ctx->priv_key, |
|
287 |
+ status = pk_parse_key(ctx->priv_key, |
|
287 | 288 |
priv_key_file_inline, strlen(priv_key_file_inline), |
288 | 289 |
(unsigned char *) passbuf, strlen(passbuf)); |
289 | 290 |
} |
290 | 291 |
} |
291 | 292 |
else |
292 | 293 |
{ |
293 |
- status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL); |
|
294 |
+ status = pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); |
|
294 | 295 |
if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status) |
295 | 296 |
{ |
296 | 297 |
char passbuf[512] = {0}; |
297 | 298 |
pem_password_callback(passbuf, 512, 0, NULL); |
298 |
- status = x509parse_keyfile(ctx->priv_key, priv_key_file, passbuf); |
|
299 |
+ status = pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); |
|
299 | 300 |
} |
300 | 301 |
} |
301 | 302 |
if (0 != status) |
... | ... |
@@ -338,30 +339,48 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, |
338 | 338 |
|
339 | 339 |
/* Most of the initialization happens in key_state_ssl_init() */ |
340 | 340 |
ALLOC_OBJ_CLEAR (ctx->external_key, struct external_context); |
341 |
- ctx->external_key->signature_length = ctx->crt_chain->rsa.len; |
|
341 |
+ ctx->external_key->signature_length = pk_get_len(&ctx->crt_chain->pk); |
|
342 | 342 |
|
343 | 343 |
return 1; |
344 | 344 |
} |
345 | 345 |
|
346 |
+/** |
|
347 |
+ * external_pkcs1_sign implements a PolarSSL rsa_sign_func callback, that uses |
|
348 |
+ * the management interface to request an RSA signature for the supplied hash. |
|
349 |
+ * |
|
350 |
+ * @param ctx_voidptr Management external key context. |
|
351 |
+ * @param f_rng (Unused) |
|
352 |
+ * @param p_rng (Unused) |
|
353 |
+ * @param mode RSA mode (should be RSA_PRIVATE). |
|
354 |
+ * @param md_alg Message digest ('hash') algorithm type. |
|
355 |
+ * @param hashlen Length of hash (overridden by length specified by md_alg |
|
356 |
+ * if md_alg != POLARSSL_MD_NONE). |
|
357 |
+ * @param hash The digest ('hash') to sign. Should have a size |
|
358 |
+ * matching the length of md_alg (if != POLARSSL_MD_NONE), |
|
359 |
+ * or hashlen otherwise. |
|
360 |
+ * @param sig Buffer that returns the signature. Should be at least of |
|
361 |
+ * size ctx->signature_length. |
|
362 |
+ * |
|
363 |
+ * @return 0 on success, non-zero polarssl error code on failure. |
|
364 |
+ */ |
|
346 | 365 |
static inline int external_pkcs1_sign( void *ctx_voidptr, |
347 | 366 |
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, |
348 |
- int hash_id, unsigned int hashlen, const unsigned char *hash, |
|
367 |
+ md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, |
|
349 | 368 |
unsigned char *sig ) |
350 | 369 |
{ |
351 | 370 |
struct external_context * const ctx = ctx_voidptr; |
352 | 371 |
char *in_b64 = NULL; |
353 | 372 |
char *out_b64 = NULL; |
354 | 373 |
int rv; |
355 |
- unsigned char * const p = sig; |
|
356 |
- size_t asn_len; |
|
374 |
+ unsigned char *p = sig; |
|
375 |
+ size_t asn_len = 0, oid_size = 0, sig_len = 0; |
|
376 |
+ const char *oid = NULL; |
|
357 | 377 |
|
358 |
- ASSERT(NULL != ctx); |
|
378 |
+ if( NULL == ctx ) |
|
379 |
+ return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
359 | 380 |
|
360 |
- if (RSA_PRIVATE != mode) |
|
361 |
- { |
|
362 |
- rv = POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
363 |
- goto done; |
|
364 |
- } |
|
381 |
+ if( RSA_PRIVATE != mode ) |
|
382 |
+ return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
365 | 383 |
|
366 | 384 |
/* |
367 | 385 |
* Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW, |
... | ... |
@@ -369,67 +388,54 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
369 | 369 |
* |
370 | 370 |
* This code has been taken from PolarSSL pkcs11_sign(), under the GPLv2.0+. |
371 | 371 |
*/ |
372 |
- switch( hash_id ) |
|
373 |
- { |
|
374 |
- case SIG_RSA_RAW: |
|
375 |
- asn_len = 0; |
|
376 |
- memcpy( p, hash, hashlen ); |
|
377 |
- break; |
|
378 |
- |
|
379 |
- case SIG_RSA_MD2: |
|
380 |
- asn_len = OID_SIZE(ASN1_HASH_MDX); |
|
381 |
- memcpy( p, ASN1_HASH_MDX, asn_len ); |
|
382 |
- memcpy( p + asn_len, hash, hashlen ); |
|
383 |
- p[13] = 2; break; |
|
384 |
- |
|
385 |
- case SIG_RSA_MD4: |
|
386 |
- asn_len = OID_SIZE(ASN1_HASH_MDX); |
|
387 |
- memcpy( p, ASN1_HASH_MDX, asn_len ); |
|
388 |
- memcpy( p + asn_len, hash, hashlen ); |
|
389 |
- p[13] = 4; break; |
|
390 |
- |
|
391 |
- case SIG_RSA_MD5: |
|
392 |
- asn_len = OID_SIZE(ASN1_HASH_MDX); |
|
393 |
- memcpy( p, ASN1_HASH_MDX, asn_len ); |
|
394 |
- memcpy( p + asn_len, hash, hashlen ); |
|
395 |
- p[13] = 5; break; |
|
396 |
- |
|
397 |
- case SIG_RSA_SHA1: |
|
398 |
- asn_len = OID_SIZE(ASN1_HASH_SHA1); |
|
399 |
- memcpy( p, ASN1_HASH_SHA1, asn_len ); |
|
400 |
- memcpy( p + 15, hash, hashlen ); |
|
401 |
- break; |
|
402 |
- |
|
403 |
- case SIG_RSA_SHA224: |
|
404 |
- asn_len = OID_SIZE(ASN1_HASH_SHA2X); |
|
405 |
- memcpy( p, ASN1_HASH_SHA2X, asn_len ); |
|
406 |
- memcpy( p + asn_len, hash, hashlen ); |
|
407 |
- p[1] += hashlen; p[14] = 4; p[18] += hashlen; break; |
|
408 |
- |
|
409 |
- case SIG_RSA_SHA256: |
|
410 |
- asn_len = OID_SIZE(ASN1_HASH_SHA2X); |
|
411 |
- memcpy( p, ASN1_HASH_SHA2X, asn_len ); |
|
412 |
- memcpy( p + asn_len, hash, hashlen ); |
|
413 |
- p[1] += hashlen; p[14] = 1; p[18] += hashlen; break; |
|
414 |
- |
|
415 |
- case SIG_RSA_SHA384: |
|
416 |
- asn_len = OID_SIZE(ASN1_HASH_SHA2X); |
|
417 |
- memcpy( p, ASN1_HASH_SHA2X, asn_len ); |
|
418 |
- memcpy( p + asn_len, hash, hashlen ); |
|
419 |
- p[1] += hashlen; p[14] = 2; p[18] += hashlen; break; |
|
420 |
- |
|
421 |
- case SIG_RSA_SHA512: |
|
422 |
- asn_len = OID_SIZE(ASN1_HASH_SHA2X); |
|
423 |
- memcpy( p, ASN1_HASH_SHA2X, asn_len ); |
|
424 |
- memcpy( p + asn_len, hash, hashlen ); |
|
425 |
- p[1] += hashlen; p[14] = 3; p[18] += hashlen; break; |
|
426 |
- |
|
427 |
- /* End of copy */ |
|
428 |
- default: |
|
429 |
- rv = POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
430 |
- goto done; |
|
372 |
+ if( md_alg != POLARSSL_MD_NONE ) |
|
373 |
+ { |
|
374 |
+ const md_info_t *md_info = md_info_from_type( md_alg ); |
|
375 |
+ if( md_info == NULL ) |
|
376 |
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); |
|
377 |
+ |
|
378 |
+ if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 ) |
|
379 |
+ return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); |
|
380 |
+ |
|
381 |
+ hashlen = md_get_size( md_info ); |
|
382 |
+ asn_len = 10 + oid_size; |
|
383 |
+ } |
|
384 |
+ |
|
385 |
+ sig_len = ctx->signature_length; |
|
386 |
+ if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len ) |
|
387 |
+ return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
388 |
+ |
|
389 |
+ if( md_alg != POLARSSL_MD_NONE ) |
|
390 |
+ { |
|
391 |
+ /* |
|
392 |
+ * DigestInfo ::= SEQUENCE { |
|
393 |
+ * digestAlgorithm DigestAlgorithmIdentifier, |
|
394 |
+ * digest Digest } |
|
395 |
+ * |
|
396 |
+ * DigestAlgorithmIdentifier ::= AlgorithmIdentifier |
|
397 |
+ * |
|
398 |
+ * Digest ::= OCTET STRING |
|
399 |
+ */ |
|
400 |
+ *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; |
|
401 |
+ *p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); |
|
402 |
+ *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; |
|
403 |
+ *p++ = (unsigned char) ( 0x04 + oid_size ); |
|
404 |
+ *p++ = ASN1_OID; |
|
405 |
+ *p++ = oid_size & 0xFF; |
|
406 |
+ memcpy( p, oid, oid_size ); |
|
407 |
+ p += oid_size; |
|
408 |
+ *p++ = ASN1_NULL; |
|
409 |
+ *p++ = 0x00; |
|
410 |
+ *p++ = ASN1_OCTET_STRING; |
|
411 |
+ *p++ = hashlen; |
|
412 |
+ |
|
413 |
+ /* Determine added ASN length */ |
|
414 |
+ asn_len = p - sig; |
|
431 | 415 |
} |
432 | 416 |
|
417 |
+ /* Copy the hash to be signed */ |
|
418 |
+ memcpy( p, hash, hashlen ); |
|
419 |
+ |
|
433 | 420 |
/* convert 'from' to base64 */ |
434 | 421 |
if (openvpn_base64_encode (sig, asn_len + hashlen, &in_b64) <= 0) |
435 | 422 |
{ |
... | ... |
@@ -456,7 +462,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
456 | 456 |
|
457 | 457 |
rv = 0; |
458 | 458 |
|
459 |
- done: |
|
459 |
+done: |
|
460 | 460 |
if (in_b64) |
461 | 461 |
free (in_b64); |
462 | 462 |
if (out_b64) |
... | ... |
@@ -482,14 +488,14 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
482 | 482 |
|
483 | 483 |
if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline) |
484 | 484 |
{ |
485 |
- if (0 != x509parse_crt(ctx->ca_chain, (unsigned char *) ca_file_inline, |
|
486 |
- strlen(ca_file_inline))) |
|
485 |
+ if (0 != x509_crt_parse(ctx->ca_chain, (unsigned char *) ca_file_inline, |
|
486 |
+ strlen(ca_file_inline))) |
|
487 | 487 |
msg (M_FATAL, "Cannot load inline CA certificates"); |
488 | 488 |
} |
489 | 489 |
else |
490 | 490 |
{ |
491 | 491 |
/* Load CA file for verifying peer supplied certificate */ |
492 |
- if (0 != x509parse_crtfile(ctx->ca_chain, ca_file)) |
|
492 |
+ if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file)) |
|
493 | 493 |
msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); |
494 | 494 |
} |
495 | 495 |
} |
... | ... |
@@ -503,14 +509,14 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file |
503 | 503 |
|
504 | 504 |
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline) |
505 | 505 |
{ |
506 |
- if (0 != x509parse_crt(ctx->crt_chain, |
|
506 |
+ if (0 != x509_crt_parse(ctx->crt_chain, |
|
507 | 507 |
(unsigned char *) extra_certs_file_inline, |
508 |
- strlen(extra_certs_file_inline))) |
|
508 |
+ strlen(extra_certs_file_inline))) |
|
509 | 509 |
msg (M_FATAL, "Cannot load inline extra-certs file"); |
510 | 510 |
} |
511 | 511 |
else |
512 | 512 |
{ |
513 |
- if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file)) |
|
513 |
+ if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file)) |
|
514 | 514 |
msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); |
515 | 515 |
} |
516 | 516 |
} |
... | ... |
@@ -633,9 +639,9 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx) |
633 | 633 |
|
634 | 634 |
if (NULL != ctx->crt_chain) |
635 | 635 |
{ |
636 |
- x509_cert *cert = ctx->crt_chain; |
|
636 |
+ x509_crt *cert = ctx->crt_chain; |
|
637 | 637 |
|
638 |
- sha2(cert->tbs.p, cert->tbs.len, sha256_hash, false); |
|
638 |
+ sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); |
|
639 | 639 |
if ( 0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) |
640 | 640 |
{ |
641 | 641 |
ctr_drbg_update(cd_ctx, sha256_hash, 32); |
... | ... |
@@ -1021,7 +1027,7 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf, |
1021 | 1021 |
void |
1022 | 1022 |
print_details (struct key_state_ssl * ks_ssl, const char *prefix) |
1023 | 1023 |
{ |
1024 |
- const x509_cert *cert; |
|
1024 |
+ const x509_crt *cert; |
|
1025 | 1025 |
char s1[256]; |
1026 | 1026 |
char s2[256]; |
1027 | 1027 |
|
... | ... |
@@ -1034,7 +1040,7 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix) |
1034 | 1034 |
cert = ssl_get_peer_cert(ks_ssl->ctx); |
1035 | 1035 |
if (cert != NULL) |
1036 | 1036 |
{ |
1037 |
- openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); |
|
1037 |
+ openvpn_snprintf (s2, sizeof (s2), ", %zu bit key", pk_get_size(&cert->pk)); |
|
1038 | 1038 |
} |
1039 | 1039 |
|
1040 | 1040 |
msg (D_HANDSHAKE, "%s%s", s1, s2); |
... | ... |
@@ -33,6 +33,7 @@ |
33 | 33 |
#include "syshead.h" |
34 | 34 |
|
35 | 35 |
#include <polarssl/ssl.h> |
36 |
+#include <polarssl/x509_crt.h> |
|
36 | 37 |
|
37 | 38 |
#if defined(ENABLE_PKCS11) |
38 | 39 |
#include <polarssl/pkcs11.h> |
... | ... |
@@ -64,9 +65,9 @@ struct tls_root_ctx { |
64 | 64 |
int endpoint; /**< Whether or not this is a server or a client */ |
65 | 65 |
|
66 | 66 |
dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ |
67 |
- x509_cert *crt_chain; /**< Local Certificate chain */ |
|
68 |
- x509_cert *ca_chain; /**< CA chain for remote verification */ |
|
69 |
- rsa_context *priv_key; /**< Local private key */ |
|
67 |
+ x509_crt *crt_chain; /**< Local Certificate chain */ |
|
68 |
+ x509_crt *ca_chain; /**< CA chain for remote verification */ |
|
69 |
+ pk_context *priv_key; /**< Local private key */ |
|
70 | 70 |
#if defined(ENABLE_PKCS11) |
71 | 71 |
pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ |
72 | 72 |
#endif |
... | ... |
@@ -431,7 +431,7 @@ verify_cert_set_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, int cert |
431 | 431 |
} |
432 | 432 |
|
433 | 433 |
/* export serial number as environmental variable */ |
434 |
- serial = x509_get_serial(peer_cert, &gc); |
|
434 |
+ serial = backend_x509_get_serial(peer_cert, &gc); |
|
435 | 435 |
openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", cert_depth); |
436 | 436 |
setenv_str (es, envname, serial); |
437 | 437 |
|
... | ... |
@@ -558,7 +558,7 @@ verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert) |
558 | 558 |
int fd = -1; |
559 | 559 |
struct gc_arena gc = gc_new(); |
560 | 560 |
|
561 |
- char *serial = x509_get_serial(cert, &gc); |
|
561 |
+ char *serial = backend_x509_get_serial(cert, &gc); |
|
562 | 562 |
|
563 | 563 |
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial)) |
564 | 564 |
{ |
... | ... |
@@ -610,7 +610,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep |
610 | 610 |
string_replace_leading (subject, '-', '_'); |
611 | 611 |
|
612 | 612 |
/* extract the username (default is CN) */ |
613 |
- if (SUCCESS != x509_get_username (common_name, TLS_USERNAME_LEN, |
|
613 |
+ if (SUCCESS != backend_x509_get_username (common_name, TLS_USERNAME_LEN, |
|
614 | 614 |
opt->x509_username_field, cert)) |
615 | 615 |
{ |
616 | 616 |
if (!cert_depth) |
... | ... |
@@ -109,7 +109,7 @@ unsigned char *x509_get_sha1_hash (openvpn_x509_cert_t *cert, struct gc_arena *g |
109 | 109 |
* |
110 | 110 |
* @return \c FAILURE, \c or SUCCESS |
111 | 111 |
*/ |
112 |
-result_t x509_get_username (char *common_name, int cn_len, |
|
112 |
+result_t backend_x509_get_username (char *common_name, int cn_len, |
|
113 | 113 |
char * x509_username_field, openvpn_x509_cert_t *peer_cert); |
114 | 114 |
|
115 | 115 |
/* |
... | ... |
@@ -122,7 +122,7 @@ result_t x509_get_username (char *common_name, int cn_len, |
122 | 122 |
* |
123 | 123 |
* @return The certificate's serial number. |
124 | 124 |
*/ |
125 |
-char *x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc); |
|
125 |
+char *backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc); |
|
126 | 126 |
|
127 | 127 |
/* |
128 | 128 |
* Save X509 fields to environment, using the naming convention: |
... | ... |
@@ -202,7 +202,7 @@ extract_x509_field_ssl (X509_NAME *x509, const char *field_name, char *out, |
202 | 202 |
} |
203 | 203 |
|
204 | 204 |
result_t |
205 |
-x509_get_username (char *common_name, int cn_len, |
|
205 |
+backend_x509_get_username (char *common_name, int cn_len, |
|
206 | 206 |
char * x509_username_field, X509 *peer_cert) |
207 | 207 |
{ |
208 | 208 |
#ifdef ENABLE_X509ALTUSERNAME |
... | ... |
@@ -220,7 +220,7 @@ x509_get_username (char *common_name, int cn_len, |
220 | 220 |
} |
221 | 221 |
|
222 | 222 |
char * |
223 |
-x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
|
223 |
+backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
|
224 | 224 |
{ |
225 | 225 |
ASN1_INTEGER *asn1_i; |
226 | 226 |
BIGNUM *bignum; |
... | ... |
@@ -38,12 +38,13 @@ |
38 | 38 |
#if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) |
39 | 39 |
|
40 | 40 |
#include "ssl_verify.h" |
41 |
+#include <polarssl/oid.h> |
|
41 | 42 |
#include <polarssl/sha1.h> |
42 | 43 |
|
43 | 44 |
#define MAX_SUBJECT_LENGTH 256 |
44 | 45 |
|
45 | 46 |
int |
46 |
-verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
|
47 |
+verify_callback (void *session_obj, x509_crt *cert, int cert_depth, |
|
47 | 48 |
int *flags) |
48 | 49 |
{ |
49 | 50 |
struct tls_session *session = (struct tls_session *) session_obj; |
... | ... |
@@ -88,8 +89,8 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
88 | 88 |
#endif |
89 | 89 |
|
90 | 90 |
result_t |
91 |
-x509_get_username (char *cn, int cn_len, |
|
92 |
- char *x509_username_field, x509_cert *cert) |
|
91 |
+backend_x509_get_username (char *cn, int cn_len, |
|
92 |
+ char *x509_username_field, x509_crt *cert) |
|
93 | 93 |
{ |
94 | 94 |
x509_name *name; |
95 | 95 |
|
... | ... |
@@ -100,7 +101,7 @@ x509_get_username (char *cn, int cn_len, |
100 | 100 |
/* Find common name */ |
101 | 101 |
while( name != NULL ) |
102 | 102 |
{ |
103 |
- if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0) |
|
103 |
+ if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) |
|
104 | 104 |
break; |
105 | 105 |
|
106 | 106 |
name = name->next; |
... | ... |
@@ -123,21 +124,21 @@ x509_get_username (char *cn, int cn_len, |
123 | 123 |
} |
124 | 124 |
|
125 | 125 |
char * |
126 |
-x509_get_serial (x509_cert *cert, struct gc_arena *gc) |
|
126 |
+backend_x509_get_serial (x509_crt *cert, struct gc_arena *gc) |
|
127 | 127 |
{ |
128 | 128 |
char *buf = NULL; |
129 | 129 |
size_t len = cert->serial.len * 3 + 1; |
130 | 130 |
|
131 | 131 |
buf = gc_malloc(len, true, gc); |
132 | 132 |
|
133 |
- if(x509parse_serial_gets(buf, len-1, &cert->serial) < 0) |
|
133 |
+ if(x509_serial_gets(buf, len-1, &cert->serial) < 0) |
|
134 | 134 |
buf = NULL; |
135 | 135 |
|
136 | 136 |
return buf; |
137 | 137 |
} |
138 | 138 |
|
139 | 139 |
unsigned char * |
140 |
-x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc) |
|
140 |
+x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc) |
|
141 | 141 |
{ |
142 | 142 |
unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); |
143 | 143 |
sha1(cert->tbs.p, cert->tbs.len, sha1_hash); |
... | ... |
@@ -145,14 +146,14 @@ x509_get_sha1_hash (x509_cert *cert, struct gc_arena *gc) |
145 | 145 |
} |
146 | 146 |
|
147 | 147 |
char * |
148 |
-x509_get_subject(x509_cert *cert, struct gc_arena *gc) |
|
148 |
+x509_get_subject(x509_crt *cert, struct gc_arena *gc) |
|
149 | 149 |
{ |
150 | 150 |
char tmp_subject[MAX_SUBJECT_LENGTH] = {0}; |
151 | 151 |
char *subject = NULL; |
152 | 152 |
|
153 | 153 |
int ret = 0; |
154 | 154 |
|
155 |
- ret = x509parse_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); |
|
155 |
+ ret = x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); |
|
156 | 156 |
if (ret > 0) |
157 | 157 |
{ |
158 | 158 |
/* Allocate the required space for the subject */ |
... | ... |
@@ -182,70 +183,28 @@ x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
182 | 182 |
while( name != NULL ) |
183 | 183 |
{ |
184 | 184 |
char name_expand[64+8]; |
185 |
+ const char *shortname; |
|
185 | 186 |
|
186 |
- if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 ) |
|
187 |
+ if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) |
|
187 | 188 |
{ |
188 |
- switch( name->oid.p[2] ) |
|
189 |
- { |
|
190 |
- case X520_COMMON_NAME: |
|
191 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN", |
|
192 |
- cert_depth); break; |
|
193 |
- |
|
194 |
- case X520_COUNTRY: |
|
195 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C", |
|
196 |
- cert_depth); break; |
|
197 |
- |
|
198 |
- case X520_LOCALITY: |
|
199 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L", |
|
200 |
- cert_depth); break; |
|
201 |
- |
|
202 |
- case X520_STATE: |
|
203 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST", |
|
204 |
- cert_depth); break; |
|
205 |
- |
|
206 |
- case X520_ORGANIZATION: |
|
207 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O", |
|
208 |
- cert_depth); break; |
|
209 |
- |
|
210 |
- case X520_ORG_UNIT: |
|
211 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU", |
|
212 |
- cert_depth); break; |
|
213 |
- |
|
214 |
- default: |
|
215 |
- openvpn_snprintf (name_expand, sizeof(name_expand), |
|
216 |
- "X509_%d_0x%02X", cert_depth, name->oid.p[2]); |
|
217 |
- break; |
|
218 |
- } |
|
189 |
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", |
|
190 |
+ cert_depth, shortname); |
|
219 | 191 |
} |
220 |
- else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 ) |
|
221 |
- { |
|
222 |
- switch( name->oid.p[8] ) |
|
223 |
- { |
|
224 |
- case PKCS9_EMAIL: |
|
225 |
- openvpn_snprintf (name_expand, sizeof(name_expand), |
|
226 |
- "X509_%d_emailAddress", cert_depth); break; |
|
227 |
- |
|
228 |
- default: |
|
229 |
- openvpn_snprintf (name_expand, sizeof(name_expand), |
|
230 |
- "X509_%d_0x%02X", cert_depth, name->oid.p[8]); |
|
231 |
- break; |
|
232 |
- } |
|
233 |
- } |
|
234 |
- else |
|
235 |
- { |
|
236 |
- openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", |
|
237 |
- cert_depth); |
|
238 |
- } |
|
239 |
- |
|
240 |
- for( i = 0; i < name->val.len; i++ ) |
|
192 |
+ else |
|
193 |
+ { |
|
194 |
+ openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?", |
|
195 |
+ cert_depth); |
|
196 |
+ } |
|
197 |
+ |
|
198 |
+ for( i = 0; i < name->val.len; i++ ) |
|
241 | 199 |
{ |
242 |
- if( i >= (int) sizeof( s ) - 1 ) |
|
243 |
- break; |
|
200 |
+ if( i >= (int) sizeof( s ) - 1 ) |
|
201 |
+ break; |
|
244 | 202 |
|
245 |
- c = name->val.p[i]; |
|
246 |
- if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) |
|
247 |
- s[i] = '?'; |
|
248 |
- else s[i] = c; |
|
203 |
+ c = name->val.p[i]; |
|
204 |
+ if( c < 32 || c == 127 || ( c > 128 && c < 160 ) ) |
|
205 |
+ s[i] = '?'; |
|
206 |
+ else s[i] = c; |
|
249 | 207 |
} |
250 | 208 |
s[i] = '\0'; |
251 | 209 |
|
... | ... |
@@ -259,7 +218,7 @@ x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
259 | 259 |
} |
260 | 260 |
|
261 | 261 |
result_t |
262 |
-x509_verify_ns_cert_type(const x509_cert *cert, const int usage) |
|
262 |
+x509_verify_ns_cert_type(const x509_crt *cert, const int usage) |
|
263 | 263 |
{ |
264 | 264 |
if (usage == NS_CERT_CHECK_NONE) |
265 | 265 |
return SUCCESS; |
... | ... |
@@ -274,7 +233,7 @@ x509_verify_ns_cert_type(const x509_cert *cert, const int usage) |
274 | 274 |
} |
275 | 275 |
|
276 | 276 |
result_t |
277 |
-x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
|
277 |
+x509_verify_cert_ku (x509_crt *cert, const unsigned * const expected_ku, |
|
278 | 278 |
int expected_len) |
279 | 279 |
{ |
280 | 280 |
result_t fFound = FAILURE; |
... | ... |
@@ -307,7 +266,7 @@ x509_verify_cert_ku (x509_cert *cert, const unsigned * const expected_ku, |
307 | 307 |
} |
308 | 308 |
|
309 | 309 |
result_t |
310 |
-x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
|
310 |
+x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) |
|
311 | 311 |
{ |
312 | 312 |
result_t fFound = FAILURE; |
313 | 313 |
|
... | ... |
@@ -357,7 +316,7 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
357 | 357 |
} |
358 | 358 |
|
359 | 359 |
result_t |
360 |
-x509_write_pem(FILE *peercert_file, x509_cert *peercert) |
|
360 |
+x509_write_pem(FILE *peercert_file, x509_crt *peercert) |
|
361 | 361 |
{ |
362 | 362 |
msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format"); |
363 | 363 |
return FAILURE; |
... | ... |
@@ -367,12 +326,12 @@ x509_write_pem(FILE *peercert_file, x509_cert *peercert) |
367 | 367 |
* check peer cert against CRL |
368 | 368 |
*/ |
369 | 369 |
result_t |
370 |
-x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject) |
|
370 |
+x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject) |
|
371 | 371 |
{ |
372 | 372 |
result_t retval = FAILURE; |
373 | 373 |
x509_crl crl = {0}; |
374 | 374 |
|
375 |
- if (x509parse_crlfile(&crl, crl_file) != 0) |
|
375 |
+ if (x509_crl_parse_file(&crl, crl_file) != 0) |
|
376 | 376 |
{ |
377 | 377 |
msg (M_ERR, "CRL: cannot read CRL from file %s", crl_file); |
378 | 378 |
goto end; |
... | ... |
@@ -387,7 +346,7 @@ x509_verify_crl(const char *crl_file, x509_cert *cert, const char *subject) |
387 | 387 |
goto end; |
388 | 388 |
} |
389 | 389 |
|
390 |
- if (0 != x509parse_revoked(cert, &crl)) |
|
390 |
+ if (0 != x509_crt_revoked(cert, &crl)) |
|
391 | 391 |
{ |
392 | 392 |
msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED", subject); |
393 | 393 |
goto end; |
... | ... |
@@ -33,11 +33,11 @@ |
33 | 33 |
#include "syshead.h" |
34 | 34 |
#include "misc.h" |
35 | 35 |
#include "manage.h" |
36 |
-#include <polarssl/x509.h> |
|
36 |
+#include <polarssl/x509_crt.h> |
|
37 | 37 |
|
38 | 38 |
#ifndef __OPENVPN_X509_CERT_T_DECLARED |
39 | 39 |
#define __OPENVPN_X509_CERT_T_DECLARED |
40 |
-typedef x509_cert openvpn_x509_cert_t; |
|
40 |
+typedef x509_crt openvpn_x509_cert_t; |
|
41 | 41 |
#endif |
42 | 42 |
|
43 | 43 |
/** @name Function for authenticating a new connection from a remote OpenVPN peer |
... | ... |
@@ -72,7 +72,7 @@ typedef x509_cert openvpn_x509_cert_t; |
72 | 72 |
* |
73 | 73 |
* @return The return value is 0 unless a fatal error occurred. |
74 | 74 |
*/ |
75 |
-int verify_callback (void *session_obj, x509_cert *cert, int cert_depth, |
|
75 |
+int verify_callback (void *session_obj, x509_crt *cert, int cert_depth, |
|
76 | 76 |
int *flags); |
77 | 77 |
|
78 | 78 |
/** @} name Function for authenticating a new connection from a remote OpenVPN peer */ |