PolarSSL / mbed TLS 1.3 is going end-of-life by 2016-12-31, so let's move
the master branch on to the 2.x series.
This patch purges all references to polarssl, except for file names and
some comments referring to 1.2 and earlier, which were never released as
'mbed TLS'. A separate patch for the file names follows, so the real
changes are easier to spot without git-fu.
This patch intends to not change any behaviour.
The vast majority of this patch is just renaming functions and structs.
There are some small changes in the implementation:
* In ssl_polarssl.c: the debug callback prototype changed, so our
implementation changed a bit too.
* in ssl_polarssl.c: the old polarssl ssl_context is now split into a
mbedtls_ssl_config and mbedtls_ssl_context. The intention is that
mbedtls_ssl_config is shared among connections, and mbedtls_ssl_context
contains the per-connection state. That doesn't work for us, because
we use per-connection verify callback data, while the verify callback
is registered on mbed_tls_config. Therefore we still need to init a
mbed_tls_config struct for each connection.
* in ssl_polarssl.c: the mbed bio handling changed, so our
implementation changed a bit too.
* in ssl_polarssl.c and ssl_verify_polarssl.c: the mbedtls x509 parse
functions now fail if we don't provide a NUL-terminated string, so use
strlen()+1 as the length argument to include the terminating NUL.
I tested this patch to work with:
* 'make check' (with 2.0.0 and 2.2.1, other tests just with 2.2.1)
* static key mode
* TLS mode with PEM key file
* TLS mode with password protected PEM key file
* TLS mode with management-external-key
* TLS mode with PKCS#11
* TLS mode with inline ca/key/cert/dh
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1460918143-408-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11458
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -291,10 +291,10 @@ AC_ARG_WITH( |
291 | 291 |
|
292 | 292 |
AC_ARG_WITH( |
293 | 293 |
[crypto-library], |
294 |
- [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|polarssl @<:@default=openssl@:>@])], |
|
294 |
+ [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|mbedtls @<:@default=openssl@:>@])], |
|
295 | 295 |
[ |
296 |
- case "${withval}" in |
|
297 |
- openssl|polarssl) ;; |
|
296 |
+ case "${withval}" in |
|
297 |
+ openssl|mbedtls) ;; |
|
298 | 298 |
*) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;; |
299 | 299 |
esac |
300 | 300 |
], |
... | ... |
@@ -835,81 +835,77 @@ if test "${with_crypto_library}" = "openssl"; then |
835 | 835 |
AC_DEFINE([ENABLE_CRYPTO_OPENSSL], [1], [Use OpenSSL library]) |
836 | 836 |
CRYPTO_CFLAGS="${OPENSSL_CFLAGS}" |
837 | 837 |
CRYPTO_LIBS="${OPENSSL_LIBS}" |
838 |
-elif test "${with_crypto_library}" = "polarssl"; then |
|
839 |
- AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for polarssl]) |
|
840 |
- AC_ARG_VAR([POLARSSL_LIBS], [linker flags for polarssl]) |
|
838 |
+elif test "${with_crypto_library}" = "mbedtls"; then |
|
839 |
+ AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbedtls]) |
|
840 |
+ AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbedtls]) |
|
841 | 841 |
|
842 | 842 |
saved_CFLAGS="${CFLAGS}" |
843 | 843 |
saved_LIBS="${LIBS}" |
844 | 844 |
|
845 |
- if test -z "${POLARSSL_CFLAGS}" -a -z "${POLARSSL_LIBS}"; then |
|
846 |
- # if the user did not explicitly specify flags, try to autodetect |
|
847 |
- AC_SEARCH_LIBS( |
|
848 |
- [ssl_init], |
|
849 |
- [mbedtls polarssl], |
|
850 |
- [ |
|
851 |
- if test "${ac_cv_search_ssl_init}" != "none required"; then |
|
852 |
- POLARSSL_LIBS=${ac_cv_search_ssl_init} |
|
853 |
- fi |
|
854 |
- ], |
|
855 |
- [AC_MSG_ERROR([Could not find PolarSSL/mbed TLS.])], |
|
845 |
+ if test -z "${MBEDTLS_CFLAGS}" -a -z "${MBEDTLS_LIBS}"; then |
|
846 |
+ # if the user did not explicitly specify flags, try to autodetect |
|
847 |
+ AC_CHECK_LIB( |
|
848 |
+ [mbedtls], |
|
849 |
+ [mbedtls_ssl_init], |
|
850 |
+ [MBEDTLS_LIBS="-lmbedtls -lmbedcrypto -lmbedx509"], |
|
851 |
+ [AC_MSG_ERROR([Could not find mbed TLS.])], |
|
856 | 852 |
[${PKCS11_HELPER_LIBS}] |
857 | 853 |
) |
858 | 854 |
fi |
859 | 855 |
|
860 |
- CFLAGS="${POLARSSL_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" |
|
861 |
- LIBS="${POLARSSL_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" |
|
856 |
+ CFLAGS="${MBEDTLS_CFLAGS} ${PKCS11_HELPER_CFLAGS} ${CFLAGS}" |
|
857 |
+ LIBS="${MBEDTLS_LIBS} ${PKCS11_HELPER_LIBS} ${LIBS}" |
|
862 | 858 |
|
863 |
- AC_MSG_CHECKING([polarssl version]) |
|
859 |
+ AC_MSG_CHECKING([mbedtls version]) |
|
864 | 860 |
AC_COMPILE_IFELSE( |
865 | 861 |
[AC_LANG_PROGRAM( |
866 | 862 |
[[ |
867 |
-#include <polarssl/version.h> |
|
863 |
+#include <mbedtls/version.h> |
|
868 | 864 |
]], |
869 | 865 |
[[ |
870 |
-#if POLARSSL_VERSION_NUMBER < 0x01030800 || POLARSSL_VERSION_NUMBER >= 0x01040000 |
|
866 |
+#if MBEDTLS_VERSION_NUMBER < 0x02000000 || MBEDTLS_VERSION_NUMBER >= 0x03000000 |
|
871 | 867 |
#error invalid version |
872 | 868 |
#endif |
873 | 869 |
]] |
874 | 870 |
)], |
875 | 871 |
[AC_MSG_RESULT([ok])], |
876 |
- [AC_MSG_ERROR([PolarSSL 1.3.x required and must be 1.3.8 or later])] |
|
872 |
+ [AC_MSG_ERROR([mbed TLS 2.y.z required])] |
|
877 | 873 |
) |
878 | 874 |
|
879 |
- polarssl_with_pkcs11="no" |
|
875 |
+ mbedtls_with_pkcs11="no" |
|
880 | 876 |
AC_COMPILE_IFELSE( |
881 | 877 |
[AC_LANG_PROGRAM( |
882 | 878 |
[[ |
883 |
-#include <polarssl/config.h> |
|
879 |
+#include <mbedtls/config.h> |
|
884 | 880 |
]], |
885 | 881 |
[[ |
886 |
-#ifndef POLARSSL_PKCS11_C |
|
882 |
+#ifndef MBEDTLS_PKCS11_C |
|
887 | 883 |
#error pkcs11 wrapper missing |
888 | 884 |
#endif |
889 | 885 |
]] |
890 | 886 |
)], |
891 |
- polarssl_with_pkcs11="yes") |
|
887 |
+ mbedtls_with_pkcs11="yes") |
|
892 | 888 |
|
893 |
- AC_MSG_CHECKING([polarssl pkcs11 support]) |
|
889 |
+ AC_MSG_CHECKING([mbedtls pkcs11 support]) |
|
894 | 890 |
if test "${enable_pkcs11}" = "yes"; then |
895 |
- if test "${polarssl_with_pkcs11}" = "yes"; then |
|
891 |
+ if test "${mbedtls_with_pkcs11}" = "yes"; then |
|
896 | 892 |
AC_MSG_RESULT([ok]) |
897 | 893 |
else |
898 |
- AC_MSG_ERROR([polarssl has no pkcs11 wrapper compiled in]) |
|
894 |
+ AC_MSG_ERROR([mbedtls has no pkcs11 wrapper compiled in]) |
|
899 | 895 |
fi |
900 | 896 |
else |
901 |
- if test "${polarssl_with_pkcs11}" != "yes"; then |
|
897 |
+ if test "${mbedtls_with_pkcs11}" != "yes"; then |
|
902 | 898 |
AC_MSG_RESULT([ok]) |
903 | 899 |
else |
904 |
- AC_MSG_ERROR([PolarSSL compiled with PKCS11, while OpenVPN is not]) |
|
900 |
+ AC_MSG_ERROR([mbed TLS compiled with PKCS11, while OpenVPN is not]) |
|
905 | 901 |
fi |
906 | 902 |
fi |
907 | 903 |
|
908 | 904 |
have_crypto_aead_modes="yes" |
909 | 905 |
AC_CHECK_FUNCS( |
910 | 906 |
[ \ |
911 |
- cipher_write_tag \ |
|
912 |
- cipher_check_tag \ |
|
907 |
+ mbedtls_cipher_write_tag \ |
|
908 |
+ mbedtls_cipher_check_tag \ |
|
913 | 909 |
], |
914 | 910 |
, |
915 | 911 |
[have_crypto_aead_modes="no"; break] |
... | ... |
@@ -918,9 +914,9 @@ elif test "${with_crypto_library}" = "polarssl"; then |
918 | 918 |
CFLAGS="${saved_CFLAGS}" |
919 | 919 |
LIBS="${saved_LIBS}" |
920 | 920 |
have_crypto="yes" |
921 |
- AC_DEFINE([ENABLE_CRYPTO_POLARSSL], [1], [Use PolarSSL library]) |
|
922 |
- CRYPTO_CFLAGS="${POLARSSL_CFLAGS}" |
|
923 |
- CRYPTO_LIBS="${POLARSSL_LIBS}" |
|
921 |
+ AC_DEFINE([ENABLE_CRYPTO_MBEDTLS], [1], [Use mbed TLS library]) |
|
922 |
+ CRYPTO_CFLAGS="${MBEDTLS_CFLAGS}" |
|
923 |
+ CRYPTO_LIBS="${MBEDTLS_LIBS}" |
|
924 | 924 |
else |
925 | 925 |
AC_MSG_ERROR([Invalid crypto library: ${with_crypto_library}]) |
926 | 926 |
fi |
... | ... |
@@ -1048,8 +1044,8 @@ fi |
1048 | 1048 |
|
1049 | 1049 |
dnl enable --x509-username-field feature if requested |
1050 | 1050 |
if test "${enable_x509_alt_username}" = "yes"; then |
1051 |
- if test "${with_crypto_library}" = "polarssl" ; then |
|
1052 |
- AC_MSG_ERROR([PolarSSL does not support the --x509-username-field feature]) |
|
1051 |
+ if test "${with_crypto_library}" = "mbedtls" ; then |
|
1052 |
+ AC_MSG_ERROR([mbed TLS does not support the --x509-username-field feature]) |
|
1053 | 1053 |
fi |
1054 | 1054 |
|
1055 | 1055 |
AC_DEFINE([ENABLE_X509ALTUSERNAME], [1], [Enable --x509-username-field feature]) |
... | ... |
@@ -28,11 +28,11 @@ |
28 | 28 |
#define OPENVPN_PLUGIN_VERSION 3 |
29 | 29 |
|
30 | 30 |
#ifdef ENABLE_CRYPTO |
31 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
32 |
-#include <polarssl/x509_crt.h> |
|
31 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
32 |
+#include <mbedtls/x509_crt.h> |
|
33 | 33 |
#ifndef __OPENVPN_X509_CERT_T_DECLARED |
34 | 34 |
#define __OPENVPN_X509_CERT_T_DECLARED |
35 |
-typedef x509_crt openvpn_x509_cert_t; |
|
35 |
+typedef mbedtls_x509_crt openvpn_x509_cert_t; |
|
36 | 36 |
#endif |
37 | 37 |
#else |
38 | 38 |
#include <openssl/x509.h> |
... | ... |
@@ -277,13 +277,13 @@ struct openvpn_plugin_callbacks |
277 | 277 |
/** |
278 | 278 |
* Used by the openvpn_plugin_open_v3() function to indicate to the |
279 | 279 |
* plug-in what kind of SSL implementation OpenVPN uses. This is |
280 |
- * to avoid SEGV issues when OpenVPN is complied against PolarSSL |
|
280 |
+ * to avoid SEGV issues when OpenVPN is complied against mbed TLS |
|
281 | 281 |
* and the plug-in against OpenSSL. |
282 | 282 |
*/ |
283 | 283 |
typedef enum { |
284 | 284 |
SSLAPI_NONE, |
285 | 285 |
SSLAPI_OPENSSL, |
286 |
- SSLAPI_POLARSSL |
|
286 |
+ SSLAPI_MBEDTLS |
|
287 | 287 |
} ovpnSSLAPI; |
288 | 288 |
|
289 | 289 |
/** |
... | ... |
@@ -33,7 +33,7 @@ |
33 | 33 |
#ifdef ENABLE_CRYPTO_OPENSSL |
34 | 34 |
#include "crypto_openssl.h" |
35 | 35 |
#endif |
36 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
36 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
37 | 37 |
#include "crypto_polarssl.h" |
38 | 38 |
#endif |
39 | 39 |
#include "basic.h" |
... | ... |
@@ -294,7 +294,7 @@ bool cipher_kt_mode_aead(const cipher_kt_t *cipher); |
294 | 294 |
* @param key_len Length of the key, in bytes |
295 | 295 |
* @param kt Static cipher parameters to use |
296 | 296 |
* @param enc Whether to encrypt or decrypt (either |
297 |
- * \c POLARSSL_OP_ENCRYPT or \c POLARSSL_OP_DECRYPT). |
|
297 |
+ * \c MBEDTLS_OP_ENCRYPT or \c MBEDTLS_OP_DECRYPT). |
|
298 | 298 |
*/ |
299 | 299 |
void cipher_ctx_init (cipher_ctx_t *ctx, uint8_t *key, int key_len, |
300 | 300 |
const cipher_kt_t *kt, int enc); |
... | ... |
@@ -24,7 +24,7 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file Data Channel Cryptography PolarSSL-specific backend interface |
|
27 |
+ * @file Data Channel Cryptography mbed TLS-specific backend interface |
|
28 | 28 |
*/ |
29 | 29 |
|
30 | 30 |
#ifdef HAVE_CONFIG_H |
... | ... |
@@ -35,7 +35,7 @@ |
35 | 35 |
|
36 | 36 |
#include "syshead.h" |
37 | 37 |
|
38 |
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) |
|
38 |
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) |
|
39 | 39 |
|
40 | 40 |
#include "errlevel.h" |
41 | 41 |
#include "basic.h" |
... | ... |
@@ -45,13 +45,14 @@ |
45 | 45 |
#include "otime.h" |
46 | 46 |
#include "misc.h" |
47 | 47 |
|
48 |
-#include <polarssl/des.h> |
|
49 |
-#include <polarssl/error.h> |
|
50 |
-#include <polarssl/md5.h> |
|
51 |
-#include <polarssl/cipher.h> |
|
52 |
-#include <polarssl/havege.h> |
|
48 |
+#include <mbedtls/des.h> |
|
49 |
+#include <mbedtls/error.h> |
|
50 |
+#include <mbedtls/md5.h> |
|
51 |
+#include <mbedtls/cipher.h> |
|
52 |
+#include <mbedtls/havege.h> |
|
53 |
+ |
|
54 |
+#include <mbedtls/entropy.h> |
|
53 | 55 |
|
54 |
-#include <polarssl/entropy.h> |
|
55 | 56 |
|
56 | 57 |
/* |
57 | 58 |
* |
... | ... |
@@ -62,7 +63,7 @@ |
62 | 62 |
void |
63 | 63 |
crypto_init_lib_engine (const char *engine_name) |
64 | 64 |
{ |
65 |
- msg (M_WARN, "Note: PolarSSL hardware crypto engine functionality is not " |
|
65 |
+ msg (M_WARN, "Note: mbed TLS hardware crypto engine functionality is not " |
|
66 | 66 |
"available"); |
67 | 67 |
} |
68 | 68 |
|
... | ... |
@@ -87,29 +88,29 @@ crypto_clear_error (void) |
87 | 87 |
{ |
88 | 88 |
} |
89 | 89 |
|
90 |
-bool polar_log_err(unsigned int flags, int errval, const char *prefix) |
|
90 |
+bool mbed_log_err(unsigned int flags, int errval, const char *prefix) |
|
91 | 91 |
{ |
92 | 92 |
if (0 != errval) |
93 | 93 |
{ |
94 | 94 |
char errstr[256]; |
95 |
- polarssl_strerror(errval, errstr, sizeof(errstr)); |
|
95 |
+ mbedtls_strerror(errval, errstr, sizeof(errstr)); |
|
96 | 96 |
|
97 |
- if (NULL == prefix) prefix = "PolarSSL error"; |
|
97 |
+ if (NULL == prefix) prefix = "mbed TLS error"; |
|
98 | 98 |
msg (flags, "%s: %s", prefix, errstr); |
99 | 99 |
} |
100 | 100 |
|
101 | 101 |
return 0 == errval; |
102 | 102 |
} |
103 | 103 |
|
104 |
-bool polar_log_func_line(unsigned int flags, int errval, const char *func, |
|
104 |
+bool mbed_log_func_line(unsigned int flags, int errval, const char *func, |
|
105 | 105 |
int line) |
106 | 106 |
{ |
107 | 107 |
char prefix[256]; |
108 | 108 |
|
109 | 109 |
if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line)) |
110 |
- return polar_log_err(flags, errval, func); |
|
110 |
+ return mbed_log_err(flags, errval, func); |
|
111 | 111 |
|
112 |
- return polar_log_err(flags, errval, prefix); |
|
112 |
+ return mbed_log_err(flags, errval, prefix); |
|
113 | 113 |
} |
114 | 114 |
|
115 | 115 |
|
... | ... |
@@ -117,7 +118,7 @@ bool polar_log_func_line(unsigned int flags, int errval, const char *func, |
117 | 117 |
void |
118 | 118 |
crypto_init_dmalloc (void) |
119 | 119 |
{ |
120 |
- msg (M_ERR, "Error: dmalloc support is not available for PolarSSL."); |
|
120 |
+ msg (M_ERR, "Error: dmalloc support is not available for mbed TLS."); |
|
121 | 121 |
} |
122 | 122 |
#endif /* DMALLOC */ |
123 | 123 |
|
... | ... |
@@ -134,7 +135,7 @@ const size_t cipher_name_translation_table_count = |
134 | 134 |
void |
135 | 135 |
show_available_ciphers () |
136 | 136 |
{ |
137 |
- const int *ciphers = cipher_list(); |
|
137 |
+ const int *ciphers = mbedtls_cipher_list(); |
|
138 | 138 |
|
139 | 139 |
#ifndef ENABLE_SMALL |
140 | 140 |
printf ("The following ciphers and cipher modes are available for use\n" |
... | ... |
@@ -145,7 +146,7 @@ show_available_ciphers () |
145 | 145 |
|
146 | 146 |
while (*ciphers != 0) |
147 | 147 |
{ |
148 |
- const cipher_kt_t *info = cipher_info_from_type(*ciphers); |
|
148 |
+ const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); |
|
149 | 149 |
|
150 | 150 |
if (info && (cipher_kt_mode_cbc(info) |
151 | 151 |
#ifdef HAVE_AEAD_CIPHER_MODES |
... | ... |
@@ -168,7 +169,7 @@ show_available_ciphers () |
168 | 168 |
void |
169 | 169 |
show_available_digests () |
170 | 170 |
{ |
171 |
- const int *digests = md_list(); |
|
171 |
+ const int *digests = mbedtls_md_list(); |
|
172 | 172 |
|
173 | 173 |
#ifndef ENABLE_SMALL |
174 | 174 |
printf ("The following message digests are available for use with\n" |
... | ... |
@@ -180,11 +181,11 @@ show_available_digests () |
180 | 180 |
|
181 | 181 |
while (*digests != 0) |
182 | 182 |
{ |
183 |
- const md_info_t *info = md_info_from_type(*digests); |
|
183 |
+ const mbedtls_md_info_t *info = mbedtls_md_info_from_type(*digests); |
|
184 | 184 |
|
185 | 185 |
if (info) |
186 |
- printf ("%s %d bit default key\n", |
|
187 |
- md_get_name(info), md_get_size(info) * 8); |
|
186 |
+ printf ("%s %d bit default key\n", mbedtls_md_get_name(info), |
|
187 |
+ mbedtls_md_get_size(info) * 8); |
|
188 | 188 |
digests++; |
189 | 189 |
} |
190 | 190 |
printf ("\n"); |
... | ... |
@@ -193,7 +194,7 @@ show_available_digests () |
193 | 193 |
void |
194 | 194 |
show_available_engines () |
195 | 195 |
{ |
196 |
- printf ("Sorry, PolarSSL hardware crypto engine functionality is not " |
|
196 |
+ printf ("Sorry, mbed TLS hardware crypto engine functionality is not " |
|
197 | 197 |
"available\n"); |
198 | 198 |
} |
199 | 199 |
|
... | ... |
@@ -210,10 +211,10 @@ show_available_engines () |
210 | 210 |
* Initialise the given ctr_drbg context, using a personalisation string and an |
211 | 211 |
* entropy gathering function. |
212 | 212 |
*/ |
213 |
-ctr_drbg_context * rand_ctx_get() |
|
213 |
+mbedtls_ctr_drbg_context * rand_ctx_get() |
|
214 | 214 |
{ |
215 |
- static entropy_context ec = {0}; |
|
216 |
- static ctr_drbg_context cd_ctx = {0}; |
|
215 |
+ static mbedtls_entropy_context ec = {0}; |
|
216 |
+ static mbedtls_ctr_drbg_context cd_ctx = {0}; |
|
217 | 217 |
static bool rand_initialised = false; |
218 | 218 |
|
219 | 219 |
if (!rand_initialised) |
... | ... |
@@ -228,10 +229,11 @@ ctr_drbg_context * rand_ctx_get() |
228 | 228 |
*/ |
229 | 229 |
buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); |
230 | 230 |
|
231 |
- /* Initialise PolarSSL RNG, and built-in entropy sources */ |
|
232 |
- entropy_init(&ec); |
|
231 |
+ /* Initialise mbed TLS RNG, and built-in entropy sources */ |
|
232 |
+ mbedtls_entropy_init(&ec); |
|
233 | 233 |
|
234 |
- if (!polar_ok(ctr_drbg_init(&cd_ctx, entropy_func, &ec, |
|
234 |
+ mbedtls_ctr_drbg_init(&cd_ctx); |
|
235 |
+ if (!mbed_ok(mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, |
|
235 | 236 |
BPTR(&pers_string), BLEN(&pers_string)))) |
236 | 237 |
msg (M_FATAL, "Failed to initialize random generator"); |
237 | 238 |
|
... | ... |
@@ -245,21 +247,21 @@ ctr_drbg_context * rand_ctx_get() |
245 | 245 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
246 | 246 |
void rand_ctx_enable_prediction_resistance() |
247 | 247 |
{ |
248 |
- ctr_drbg_context *cd_ctx = rand_ctx_get(); |
|
248 |
+ mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); |
|
249 | 249 |
|
250 |
- ctr_drbg_set_prediction_resistance(cd_ctx, 1); |
|
250 |
+ mbedtls_ctr_drbg_set_prediction_resistance(cd_ctx, 1); |
|
251 | 251 |
} |
252 | 252 |
#endif /* ENABLE_PREDICTION_RESISTANCE */ |
253 | 253 |
|
254 | 254 |
int |
255 | 255 |
rand_bytes (uint8_t *output, int len) |
256 | 256 |
{ |
257 |
- ctr_drbg_context *rng_ctx = rand_ctx_get(); |
|
257 |
+ mbedtls_ctr_drbg_context *rng_ctx = rand_ctx_get(); |
|
258 | 258 |
|
259 | 259 |
while (len > 0) |
260 | 260 |
{ |
261 |
- const size_t blen = min_int (len, CTR_DRBG_MAX_REQUEST); |
|
262 |
- if (0 != ctr_drbg_random(rng_ctx, output, blen)) |
|
261 |
+ const size_t blen = min_int (len, MBEDTLS_CTR_DRBG_MAX_REQUEST); |
|
262 |
+ if (0 != mbedtls_ctr_drbg_random(rng_ctx, output, blen)) |
|
263 | 263 |
return 0; |
264 | 264 |
|
265 | 265 |
output += blen; |
... | ... |
@@ -277,14 +279,14 @@ rand_bytes (uint8_t *output, int len) |
277 | 277 |
|
278 | 278 |
|
279 | 279 |
int |
280 |
-key_des_num_cblocks (const cipher_info_t *kt) |
|
280 |
+key_des_num_cblocks (const mbedtls_cipher_info_t *kt) |
|
281 | 281 |
{ |
282 | 282 |
int ret = 0; |
283 |
- if (kt->type == POLARSSL_CIPHER_DES_CBC) |
|
283 |
+ if (kt->type == MBEDTLS_CIPHER_DES_CBC) |
|
284 | 284 |
ret = 1; |
285 |
- if (kt->type == POLARSSL_CIPHER_DES_EDE_CBC) |
|
285 |
+ if (kt->type == MBEDTLS_CIPHER_DES_EDE_CBC) |
|
286 | 286 |
ret = 2; |
287 |
- if (kt->type == POLARSSL_CIPHER_DES_EDE3_CBC) |
|
287 |
+ if (kt->type == MBEDTLS_CIPHER_DES_EDE3_CBC) |
|
288 | 288 |
ret = 3; |
289 | 289 |
|
290 | 290 |
dmsg (D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret); |
... | ... |
@@ -301,18 +303,18 @@ key_des_check (uint8_t *key, int key_len, int ndc) |
301 | 301 |
|
302 | 302 |
for (i = 0; i < ndc; ++i) |
303 | 303 |
{ |
304 |
- unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE); |
|
304 |
+ unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); |
|
305 | 305 |
if (!key) |
306 | 306 |
{ |
307 | 307 |
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material"); |
308 | 308 |
goto err; |
309 | 309 |
} |
310 |
- if (0 != des_key_check_weak(key)) |
|
310 |
+ if (0 != mbedtls_des_key_check_weak(key)) |
|
311 | 311 |
{ |
312 | 312 |
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); |
313 | 313 |
goto err; |
314 | 314 |
} |
315 |
- if (0 != des_key_check_key_parity(key)) |
|
315 |
+ if (0 != mbedtls_des_key_check_key_parity(key)) |
|
316 | 316 |
{ |
317 | 317 |
msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); |
318 | 318 |
goto err; |
... | ... |
@@ -333,13 +335,13 @@ key_des_fixup (uint8_t *key, int key_len, int ndc) |
333 | 333 |
buf_set_read (&b, key, key_len); |
334 | 334 |
for (i = 0; i < ndc; ++i) |
335 | 335 |
{ |
336 |
- unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE); |
|
336 |
+ unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); |
|
337 | 337 |
if (!key) |
338 | 338 |
{ |
339 | 339 |
msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); |
340 | 340 |
return; |
341 | 341 |
} |
342 |
- des_key_set_parity(key); |
|
342 |
+ mbedtls_des_key_set_parity(key); |
|
343 | 343 |
} |
344 | 344 |
} |
345 | 345 |
|
... | ... |
@@ -350,29 +352,29 @@ key_des_fixup (uint8_t *key, int key_len, int ndc) |
350 | 350 |
*/ |
351 | 351 |
|
352 | 352 |
|
353 |
-const cipher_info_t * |
|
353 |
+const mbedtls_cipher_info_t * |
|
354 | 354 |
cipher_kt_get (const char *ciphername) |
355 | 355 |
{ |
356 |
- const cipher_info_t *cipher = NULL; |
|
356 |
+ const mbedtls_cipher_info_t *cipher = NULL; |
|
357 | 357 |
|
358 | 358 |
ASSERT (ciphername); |
359 | 359 |
|
360 |
- cipher = cipher_info_from_string(ciphername); |
|
360 |
+ cipher = mbedtls_cipher_info_from_string(ciphername); |
|
361 | 361 |
|
362 | 362 |
if (NULL == cipher) |
363 | 363 |
msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername); |
364 | 364 |
|
365 |
- if (cipher->key_length/8 > MAX_CIPHER_KEY_LENGTH) |
|
365 |
+ if (cipher->key_bitlen/8 > MAX_CIPHER_KEY_LENGTH) |
|
366 | 366 |
msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)", |
367 | 367 |
ciphername, |
368 |
- cipher->key_length/8, |
|
368 |
+ cipher->key_bitlen/8, |
|
369 | 369 |
MAX_CIPHER_KEY_LENGTH); |
370 | 370 |
|
371 | 371 |
return cipher; |
372 | 372 |
} |
373 | 373 |
|
374 | 374 |
const char * |
375 |
-cipher_kt_name (const cipher_info_t *cipher_kt) |
|
375 |
+cipher_kt_name (const mbedtls_cipher_info_t *cipher_kt) |
|
376 | 376 |
{ |
377 | 377 |
if (NULL == cipher_kt) |
378 | 378 |
return "[null-cipher]"; |
... | ... |
@@ -381,16 +383,16 @@ cipher_kt_name (const cipher_info_t *cipher_kt) |
381 | 381 |
} |
382 | 382 |
|
383 | 383 |
int |
384 |
-cipher_kt_key_size (const cipher_info_t *cipher_kt) |
|
384 |
+cipher_kt_key_size (const mbedtls_cipher_info_t *cipher_kt) |
|
385 | 385 |
{ |
386 | 386 |
if (NULL == cipher_kt) |
387 | 387 |
return 0; |
388 | 388 |
|
389 |
- return cipher_kt->key_length/8; |
|
389 |
+ return cipher_kt->key_bitlen/8; |
|
390 | 390 |
} |
391 | 391 |
|
392 | 392 |
int |
393 |
-cipher_kt_iv_size (const cipher_info_t *cipher_kt) |
|
393 |
+cipher_kt_iv_size (const mbedtls_cipher_info_t *cipher_kt) |
|
394 | 394 |
{ |
395 | 395 |
if (NULL == cipher_kt) |
396 | 396 |
return 0; |
... | ... |
@@ -398,7 +400,7 @@ cipher_kt_iv_size (const cipher_info_t *cipher_kt) |
398 | 398 |
} |
399 | 399 |
|
400 | 400 |
int |
401 |
-cipher_kt_block_size (const cipher_info_t *cipher_kt) |
|
401 |
+cipher_kt_block_size (const mbedtls_cipher_info_t *cipher_kt) |
|
402 | 402 |
{ |
403 | 403 |
if (NULL == cipher_kt) |
404 | 404 |
return 0; |
... | ... |
@@ -406,7 +408,7 @@ cipher_kt_block_size (const cipher_info_t *cipher_kt) |
406 | 406 |
} |
407 | 407 |
|
408 | 408 |
int |
409 |
-cipher_kt_tag_size (const cipher_info_t *cipher_kt) |
|
409 |
+cipher_kt_tag_size (const mbedtls_cipher_info_t *cipher_kt) |
|
410 | 410 |
{ |
411 | 411 |
#ifdef HAVE_AEAD_CIPHER_MODES |
412 | 412 |
if (cipher_kt && cipher_kt_mode_aead(cipher_kt)) |
... | ... |
@@ -416,7 +418,7 @@ cipher_kt_tag_size (const cipher_info_t *cipher_kt) |
416 | 416 |
} |
417 | 417 |
|
418 | 418 |
int |
419 |
-cipher_kt_mode (const cipher_info_t *cipher_kt) |
|
419 |
+cipher_kt_mode (const mbedtls_cipher_info_t *cipher_kt) |
|
420 | 420 |
{ |
421 | 421 |
ASSERT(NULL != cipher_kt); |
422 | 422 |
return cipher_kt->mode; |
... | ... |
@@ -432,7 +434,7 @@ bool |
432 | 432 |
cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) |
433 | 433 |
{ |
434 | 434 |
return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB || |
435 |
- cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); |
|
435 |
+ cipher_kt_mode(cipher) == OPENVPN_MODE_CFB); |
|
436 | 436 |
} |
437 | 437 |
|
438 | 438 |
bool |
... | ... |
@@ -450,31 +452,31 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) |
450 | 450 |
|
451 | 451 |
|
452 | 452 |
void |
453 |
-cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len, |
|
454 |
- const cipher_info_t *kt, int enc) |
|
453 |
+cipher_ctx_init (mbedtls_cipher_context_t *ctx, uint8_t *key, int key_len, |
|
454 |
+ const mbedtls_cipher_info_t *kt, const mbedtls_operation_t operation) |
|
455 | 455 |
{ |
456 | 456 |
ASSERT(NULL != kt && NULL != ctx); |
457 | 457 |
|
458 | 458 |
CLEAR (*ctx); |
459 | 459 |
|
460 |
- if (!polar_ok(cipher_init_ctx(ctx, kt))) |
|
461 |
- msg (M_FATAL, "PolarSSL cipher context init #1"); |
|
460 |
+ if (!mbed_ok(mbedtls_cipher_setup(ctx, kt))) |
|
461 |
+ msg (M_FATAL, "mbed TLS cipher context init #1"); |
|
462 | 462 |
|
463 |
- if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc))) |
|
464 |
- msg (M_FATAL, "PolarSSL cipher set key"); |
|
463 |
+ if (!mbed_ok(mbedtls_cipher_setkey(ctx, key, key_len*8, operation))) |
|
464 |
+ msg (M_FATAL, "mbed TLS cipher set key"); |
|
465 | 465 |
|
466 | 466 |
/* make sure we used a big enough key */ |
467 |
- ASSERT (ctx->key_length <= key_len*8); |
|
467 |
+ ASSERT (ctx->key_bitlen <= key_len*8); |
|
468 | 468 |
} |
469 | 469 |
|
470 |
-void cipher_ctx_cleanup (cipher_context_t *ctx) |
|
470 |
+void cipher_ctx_cleanup (mbedtls_cipher_context_t *ctx) |
|
471 | 471 |
{ |
472 |
- cipher_free(ctx); |
|
472 |
+ mbedtls_cipher_free(ctx); |
|
473 | 473 |
} |
474 | 474 |
|
475 |
-int cipher_ctx_iv_length (const cipher_context_t *ctx) |
|
475 |
+int cipher_ctx_iv_length (const mbedtls_cipher_context_t *ctx) |
|
476 | 476 |
{ |
477 |
- return cipher_get_iv_size(ctx); |
|
477 |
+ return mbedtls_cipher_get_iv_size(ctx); |
|
478 | 478 |
} |
479 | 479 |
|
480 | 480 |
int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len) |
... | ... |
@@ -483,7 +485,7 @@ int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len) |
483 | 483 |
if (tag_len > SIZE_MAX) |
484 | 484 |
return 0; |
485 | 485 |
|
486 |
- if (!polar_ok (cipher_write_tag (ctx, (unsigned char *) tag, tag_len))) |
|
486 |
+ if (!mbed_ok (mbedtls_cipher_write_tag (ctx, (unsigned char *) tag, tag_len))) |
|
487 | 487 |
return 0; |
488 | 488 |
|
489 | 489 |
return 1; |
... | ... |
@@ -492,12 +494,12 @@ int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len) |
492 | 492 |
#endif /* HAVE_AEAD_CIPHER_MODES */ |
493 | 493 |
} |
494 | 494 |
|
495 |
-int cipher_ctx_block_size(const cipher_context_t *ctx) |
|
495 |
+int cipher_ctx_block_size(const mbedtls_cipher_context_t *ctx) |
|
496 | 496 |
{ |
497 |
- return cipher_get_block_size(ctx); |
|
497 |
+ return mbedtls_cipher_get_block_size(ctx); |
|
498 | 498 |
} |
499 | 499 |
|
500 |
-int cipher_ctx_mode (const cipher_context_t *ctx) |
|
500 |
+int cipher_ctx_mode (const mbedtls_cipher_context_t *ctx) |
|
501 | 501 |
{ |
502 | 502 |
ASSERT(NULL != ctx); |
503 | 503 |
|
... | ... |
@@ -510,12 +512,12 @@ cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx) |
510 | 510 |
return ctx ? ctx->cipher_info : NULL; |
511 | 511 |
} |
512 | 512 |
|
513 |
-int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) |
|
513 |
+int cipher_ctx_reset (mbedtls_cipher_context_t *ctx, uint8_t *iv_buf) |
|
514 | 514 |
{ |
515 |
- if (!polar_ok(cipher_reset(ctx))) |
|
515 |
+ if (!mbed_ok(mbedtls_cipher_reset(ctx))) |
|
516 | 516 |
return 0; |
517 | 517 |
|
518 |
- if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) |
|
518 |
+ if (!mbed_ok(mbedtls_cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) |
|
519 | 519 |
return 0; |
520 | 520 |
|
521 | 521 |
return 1; |
... | ... |
@@ -527,7 +529,7 @@ int cipher_ctx_update_ad (cipher_ctx_t *ctx, const uint8_t *src, int src_len) |
527 | 527 |
if (src_len > SIZE_MAX) |
528 | 528 |
return 0; |
529 | 529 |
|
530 |
- if (!polar_ok (cipher_update_ad (ctx, src, src_len))) |
|
530 |
+ if (!mbed_ok (mbedtls_cipher_update_ad (ctx, src, src_len))) |
|
531 | 531 |
return 0; |
532 | 532 |
|
533 | 533 |
return 1; |
... | ... |
@@ -536,12 +538,13 @@ int cipher_ctx_update_ad (cipher_ctx_t *ctx, const uint8_t *src, int src_len) |
536 | 536 |
#endif /* HAVE_AEAD_CIPHER_MODES */ |
537 | 537 |
} |
538 | 538 |
|
539 |
-int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, |
|
540 |
- uint8_t *src, int src_len) |
|
539 |
+int cipher_ctx_update (mbedtls_cipher_context_t *ctx, uint8_t *dst, |
|
540 |
+ int *dst_len, uint8_t *src, int src_len) |
|
541 | 541 |
{ |
542 | 542 |
size_t s_dst_len = *dst_len; |
543 | 543 |
|
544 |
- if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len))) |
|
544 |
+ if (!mbed_ok(mbedtls_cipher_update(ctx, src, (size_t) src_len, dst, |
|
545 |
+ &s_dst_len))) |
|
545 | 546 |
return 0; |
546 | 547 |
|
547 | 548 |
*dst_len = s_dst_len; |
... | ... |
@@ -549,11 +552,11 @@ int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, |
549 | 549 |
return 1; |
550 | 550 |
} |
551 | 551 |
|
552 |
-int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len) |
|
552 |
+int cipher_ctx_final (mbedtls_cipher_context_t *ctx, uint8_t *dst, int *dst_len) |
|
553 | 553 |
{ |
554 | 554 |
size_t s_dst_len = *dst_len; |
555 | 555 |
|
556 |
- if (!polar_ok(cipher_finish(ctx, dst, &s_dst_len))) |
|
556 |
+ if (!mbed_ok(mbedtls_cipher_finish(ctx, dst, &s_dst_len))) |
|
557 | 557 |
return 0; |
558 | 558 |
|
559 | 559 |
*dst_len = s_dst_len; |
... | ... |
@@ -561,23 +564,30 @@ int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len) |
561 | 561 |
return 1; |
562 | 562 |
} |
563 | 563 |
|
564 |
-int cipher_ctx_final_check_tag (cipher_context_t *ctx, uint8_t *dst, |
|
564 |
+int cipher_ctx_final_check_tag (mbedtls_cipher_context_t *ctx, uint8_t *dst, |
|
565 | 565 |
int *dst_len, uint8_t *tag, size_t tag_len) |
566 | 566 |
{ |
567 | 567 |
#ifdef HAVE_AEAD_CIPHER_MODES |
568 |
- if (POLARSSL_DECRYPT != ctx->operation) |
|
568 |
+ size_t olen = 0; |
|
569 |
+ |
|
570 |
+ if (MBEDTLS_DECRYPT != ctx->operation) |
|
569 | 571 |
return 0; |
570 | 572 |
|
571 | 573 |
if (tag_len > SIZE_MAX) |
572 | 574 |
return 0; |
573 | 575 |
|
574 |
- if (!cipher_ctx_final (ctx, dst, dst_len)) |
|
576 |
+ if (!mbed_ok (mbedtls_cipher_finish (ctx, dst, &olen))) |
|
575 | 577 |
{ |
576 | 578 |
msg (D_CRYPT_ERRORS, "%s: cipher_ctx_final() failed", __func__); |
577 | 579 |
return 0; |
578 | 580 |
} |
579 | 581 |
|
580 |
- if (!polar_ok (cipher_check_tag (ctx, (const unsigned char *) tag, tag_len))) |
|
582 |
+ if (olen > INT_MAX) |
|
583 |
+ return 0; |
|
584 |
+ *dst_len = olen; |
|
585 |
+ |
|
586 |
+ if (!mbed_ok (mbedtls_cipher_check_tag (ctx, (const unsigned char *) tag, |
|
587 |
+ tag_len))) |
|
581 | 588 |
return 0; |
582 | 589 |
|
583 | 590 |
return 1; |
... | ... |
@@ -591,10 +601,10 @@ cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], |
591 | 591 |
unsigned char *src, |
592 | 592 |
unsigned char *dst) |
593 | 593 |
{ |
594 |
- des_context ctx; |
|
594 |
+ mbedtls_des_context ctx; |
|
595 | 595 |
|
596 |
- ASSERT (polar_ok(des_setkey_enc(&ctx, key))); |
|
597 |
- ASSERT (polar_ok(des_crypt_ecb(&ctx, src, dst))); |
|
596 |
+ ASSERT (mbed_ok(mbedtls_des_setkey_enc(&ctx, key))); |
|
597 |
+ ASSERT (mbed_ok(mbedtls_des_crypt_ecb(&ctx, src, dst))); |
|
598 | 598 |
} |
599 | 599 |
|
600 | 600 |
|
... | ... |
@@ -606,37 +616,37 @@ cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], |
606 | 606 |
*/ |
607 | 607 |
|
608 | 608 |
|
609 |
-const md_info_t * |
|
609 |
+const mbedtls_md_info_t * |
|
610 | 610 |
md_kt_get (const char *digest) |
611 | 611 |
{ |
612 |
- const md_info_t *md = NULL; |
|
612 |
+ const mbedtls_md_info_t *md = NULL; |
|
613 | 613 |
ASSERT (digest); |
614 | 614 |
|
615 |
- md = md_info_from_string(digest); |
|
615 |
+ md = mbedtls_md_info_from_string(digest); |
|
616 | 616 |
if (!md) |
617 | 617 |
msg (M_FATAL, "Message hash algorithm '%s' not found", digest); |
618 |
- if (md_get_size(md) > MAX_HMAC_KEY_LENGTH) |
|
618 |
+ if (mbedtls_md_get_size(md) > MAX_HMAC_KEY_LENGTH) |
|
619 | 619 |
msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)", |
620 | 620 |
digest, |
621 |
- md_get_size(md), |
|
621 |
+ mbedtls_md_get_size(md), |
|
622 | 622 |
MAX_HMAC_KEY_LENGTH); |
623 | 623 |
return md; |
624 | 624 |
} |
625 | 625 |
|
626 | 626 |
const char * |
627 |
-md_kt_name (const md_info_t *kt) |
|
627 |
+md_kt_name (const mbedtls_md_info_t *kt) |
|
628 | 628 |
{ |
629 | 629 |
if (NULL == kt) |
630 | 630 |
return "[null-digest]"; |
631 |
- return md_get_name (kt); |
|
631 |
+ return mbedtls_md_get_name (kt); |
|
632 | 632 |
} |
633 | 633 |
|
634 | 634 |
int |
635 |
-md_kt_size (const md_info_t *kt) |
|
635 |
+md_kt_size (const mbedtls_md_info_t *kt) |
|
636 | 636 |
{ |
637 | 637 |
if (NULL == kt) |
638 | 638 |
return 0; |
639 |
- return md_get_size(kt); |
|
639 |
+ return mbedtls_md_get_size(kt); |
|
640 | 640 |
} |
641 | 641 |
|
642 | 642 |
/* |
... | ... |
@@ -648,45 +658,44 @@ md_kt_size (const md_info_t *kt) |
648 | 648 |
int |
649 | 649 |
md_full (const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst) |
650 | 650 |
{ |
651 |
- return 0 == md(kt, src, src_len, dst); |
|
651 |
+ return 0 == mbedtls_md(kt, src, src_len, dst); |
|
652 | 652 |
} |
653 | 653 |
|
654 | 654 |
|
655 | 655 |
void |
656 |
-md_ctx_init (md_context_t *ctx, const md_info_t *kt) |
|
656 |
+md_ctx_init (mbedtls_md_context_t *ctx, const mbedtls_md_info_t *kt) |
|
657 | 657 |
{ |
658 | 658 |
ASSERT(NULL != ctx && NULL != kt); |
659 | 659 |
|
660 |
- CLEAR(*ctx); |
|
661 |
- |
|
662 |
- ASSERT(0 == md_init_ctx(ctx, kt)); |
|
663 |
- ASSERT(0 == md_starts(ctx)); |
|
660 |
+ mbedtls_md_init(ctx); |
|
661 |
+ ASSERT(0 == mbedtls_md_setup(ctx, kt, 0)); |
|
662 |
+ ASSERT(0 == mbedtls_md_starts(ctx)); |
|
664 | 663 |
} |
665 | 664 |
|
666 | 665 |
void |
667 |
-md_ctx_cleanup(md_context_t *ctx) |
|
666 |
+md_ctx_cleanup(mbedtls_md_context_t *ctx) |
|
668 | 667 |
{ |
669 | 668 |
} |
670 | 669 |
|
671 | 670 |
int |
672 |
-md_ctx_size (const md_context_t *ctx) |
|
671 |
+md_ctx_size (const mbedtls_md_context_t *ctx) |
|
673 | 672 |
{ |
674 | 673 |
if (NULL == ctx) |
675 | 674 |
return 0; |
676 |
- return md_get_size(ctx->md_info); |
|
675 |
+ return mbedtls_md_get_size(ctx->md_info); |
|
677 | 676 |
} |
678 | 677 |
|
679 | 678 |
void |
680 |
-md_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len) |
|
679 |
+md_ctx_update (mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) |
|
681 | 680 |
{ |
682 |
- ASSERT(0 == md_update(ctx, src, src_len)); |
|
681 |
+ ASSERT(0 == mbedtls_md_update(ctx, src, src_len)); |
|
683 | 682 |
} |
684 | 683 |
|
685 | 684 |
void |
686 |
-md_ctx_final (md_context_t *ctx, uint8_t *dst) |
|
685 |
+md_ctx_final (mbedtls_md_context_t *ctx, uint8_t *dst) |
|
687 | 686 |
{ |
688 |
- ASSERT(0 == md_finish(ctx, dst)); |
|
689 |
- md_free(ctx); |
|
687 |
+ ASSERT(0 == mbedtls_md_finish(ctx, dst)); |
|
688 |
+ mbedtls_md_free(ctx); |
|
690 | 689 |
} |
691 | 690 |
|
692 | 691 |
|
... | ... |
@@ -701,49 +710,49 @@ md_ctx_final (md_context_t *ctx, uint8_t *dst) |
701 | 701 |
* TODO: re-enable dmsg for crypto debug |
702 | 702 |
*/ |
703 | 703 |
void |
704 |
-hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt) |
|
704 |
+hmac_ctx_init (mbedtls_md_context_t *ctx, const uint8_t *key, int key_len, |
|
705 |
+ const mbedtls_md_info_t *kt) |
|
705 | 706 |
{ |
706 | 707 |
ASSERT(NULL != kt && NULL != ctx); |
707 | 708 |
|
708 |
- CLEAR(*ctx); |
|
709 |
- |
|
710 |
- ASSERT(0 == md_init_ctx(ctx, kt)); |
|
711 |
- ASSERT(0 == md_hmac_starts(ctx, key, key_len)); |
|
709 |
+ mbedtls_md_init(ctx); |
|
710 |
+ ASSERT(0 == mbedtls_md_setup(ctx, kt, 1)); |
|
711 |
+ ASSERT(0 == mbedtls_md_hmac_starts(ctx, key, key_len)); |
|
712 | 712 |
|
713 | 713 |
/* make sure we used a big enough key */ |
714 |
- ASSERT (md_get_size(kt) <= key_len); |
|
714 |
+ ASSERT (mbedtls_md_get_size(kt) <= key_len); |
|
715 | 715 |
} |
716 | 716 |
|
717 | 717 |
void |
718 |
-hmac_ctx_cleanup(md_context_t *ctx) |
|
718 |
+hmac_ctx_cleanup(mbedtls_md_context_t *ctx) |
|
719 | 719 |
{ |
720 |
- md_free(ctx); |
|
720 |
+ mbedtls_md_free(ctx); |
|
721 | 721 |
} |
722 | 722 |
|
723 | 723 |
int |
724 |
-hmac_ctx_size (const md_context_t *ctx) |
|
724 |
+hmac_ctx_size (const mbedtls_md_context_t *ctx) |
|
725 | 725 |
{ |
726 | 726 |
if (NULL == ctx) |
727 | 727 |
return 0; |
728 |
- return md_get_size(ctx->md_info); |
|
728 |
+ return mbedtls_md_get_size(ctx->md_info); |
|
729 | 729 |
} |
730 | 730 |
|
731 | 731 |
void |
732 |
-hmac_ctx_reset (md_context_t *ctx) |
|
732 |
+hmac_ctx_reset (mbedtls_md_context_t *ctx) |
|
733 | 733 |
{ |
734 |
- ASSERT(0 == md_hmac_reset(ctx)); |
|
734 |
+ ASSERT(0 == mbedtls_md_hmac_reset(ctx)); |
|
735 | 735 |
} |
736 | 736 |
|
737 | 737 |
void |
738 |
-hmac_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len) |
|
738 |
+hmac_ctx_update (mbedtls_md_context_t *ctx, const uint8_t *src, int src_len) |
|
739 | 739 |
{ |
740 |
- ASSERT(0 == md_hmac_update(ctx, src, src_len)); |
|
740 |
+ ASSERT(0 == mbedtls_md_hmac_update(ctx, src, src_len)); |
|
741 | 741 |
} |
742 | 742 |
|
743 | 743 |
void |
744 |
-hmac_ctx_final (md_context_t *ctx, uint8_t *dst) |
|
744 |
+hmac_ctx_final (mbedtls_md_context_t *ctx, uint8_t *dst) |
|
745 | 745 |
{ |
746 |
- ASSERT(0 == md_hmac_finish(ctx, dst)); |
|
746 |
+ ASSERT(0 == mbedtls_md_hmac_finish(ctx, dst)); |
|
747 | 747 |
} |
748 | 748 |
|
749 |
-#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_POLARSSL */ |
|
749 |
+#endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_MBEDTLS */ |
... | ... |
@@ -24,51 +24,51 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file Data Channel Cryptography PolarSSL-specific backend interface |
|
27 |
+ * @file Data Channel Cryptography mbed TLS-specific backend interface |
|
28 | 28 |
*/ |
29 | 29 |
|
30 |
-#ifndef CRYPTO_POLARSSL_H_ |
|
31 |
-#define CRYPTO_POLARSSL_H_ |
|
30 |
+#ifndef CRYPTO_MBEDTLS_H_ |
|
31 |
+#define CRYPTO_MBEDTLS_H_ |
|
32 | 32 |
|
33 |
-#include <polarssl/cipher.h> |
|
34 |
-#include <polarssl/md.h> |
|
35 |
-#include <polarssl/ctr_drbg.h> |
|
33 |
+#include <mbedtls/cipher.h> |
|
34 |
+#include <mbedtls/md.h> |
|
35 |
+#include <mbedtls/ctr_drbg.h> |
|
36 | 36 |
|
37 | 37 |
/** Generic cipher key type %context. */ |
38 |
-typedef cipher_info_t cipher_kt_t; |
|
38 |
+typedef mbedtls_cipher_info_t cipher_kt_t; |
|
39 | 39 |
|
40 | 40 |
/** Generic message digest key type %context. */ |
41 |
-typedef md_info_t md_kt_t; |
|
41 |
+typedef mbedtls_md_info_t md_kt_t; |
|
42 | 42 |
|
43 | 43 |
/** Generic cipher %context. */ |
44 |
-typedef cipher_context_t cipher_ctx_t; |
|
44 |
+typedef mbedtls_cipher_context_t cipher_ctx_t; |
|
45 | 45 |
|
46 | 46 |
/** Generic message digest %context. */ |
47 |
-typedef md_context_t md_ctx_t; |
|
47 |
+typedef mbedtls_md_context_t md_ctx_t; |
|
48 | 48 |
|
49 | 49 |
/** Generic HMAC %context. */ |
50 |
-typedef md_context_t hmac_ctx_t; |
|
50 |
+typedef mbedtls_md_context_t hmac_ctx_t; |
|
51 | 51 |
|
52 | 52 |
/** Maximum length of an IV */ |
53 |
-#define OPENVPN_MAX_IV_LENGTH POLARSSL_MAX_IV_LENGTH |
|
53 |
+#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH |
|
54 | 54 |
|
55 | 55 |
/** Cipher is in CBC mode */ |
56 |
-#define OPENVPN_MODE_CBC POLARSSL_MODE_CBC |
|
56 |
+#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC |
|
57 | 57 |
|
58 | 58 |
/** Cipher is in OFB mode */ |
59 |
-#define OPENVPN_MODE_OFB POLARSSL_MODE_OFB |
|
59 |
+#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB |
|
60 | 60 |
|
61 | 61 |
/** Cipher is in CFB mode */ |
62 |
-#define OPENVPN_MODE_CFB POLARSSL_MODE_CFB |
|
62 |
+#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB |
|
63 | 63 |
|
64 | 64 |
/** Cipher is in GCM mode */ |
65 |
-#define OPENVPN_MODE_GCM POLARSSL_MODE_GCM |
|
65 |
+#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM |
|
66 | 66 |
|
67 | 67 |
/** Cipher should encrypt */ |
68 |
-#define OPENVPN_OP_ENCRYPT POLARSSL_ENCRYPT |
|
68 |
+#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT |
|
69 | 69 |
|
70 | 70 |
/** Cipher should decrypt */ |
71 |
-#define OPENVPN_OP_DECRYPT POLARSSL_DECRYPT |
|
71 |
+#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT |
|
72 | 72 |
|
73 | 73 |
#define MD4_DIGEST_LENGTH 16 |
74 | 74 |
#define MD5_DIGEST_LENGTH 16 |
... | ... |
@@ -76,16 +76,16 @@ typedef md_context_t hmac_ctx_t; |
76 | 76 |
#define DES_KEY_LENGTH 8 |
77 | 77 |
|
78 | 78 |
/** |
79 |
- * Returns a singleton instance of the PolarSSL random number generator. |
|
79 |
+ * Returns a singleton instance of the mbed TLS random number generator. |
|
80 | 80 |
* |
81 |
- * For PolarSSL 1.1+, this is the CTR_DRBG random number generator. If it |
|
81 |
+ * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it |
|
82 | 82 |
* hasn't been initialised yet, the RNG will be initialised using the default |
83 | 83 |
* entropy sources. Aside from the default platform entropy sources, an |
84 | 84 |
* additional entropy source, the HAVEGE random number generator will also be |
85 | 85 |
* added. During initialisation, a personalisation string will be added based |
86 | 86 |
* on the time, the PID, and a pointer to the random context. |
87 | 87 |
*/ |
88 |
-ctr_drbg_context * rand_ctx_get(); |
|
88 |
+mbedtls_ctr_drbg_context *rand_ctx_get(); |
|
89 | 89 |
|
90 | 90 |
#ifdef ENABLE_PREDICTION_RESISTANCE |
91 | 91 |
/** |
... | ... |
@@ -95,34 +95,34 @@ void rand_ctx_enable_prediction_resistance(); |
95 | 95 |
#endif |
96 | 96 |
|
97 | 97 |
/** |
98 |
- * Log the supplied PolarSSL error, prefixed by supplied prefix. |
|
98 |
+ * Log the supplied mbed TLS error, prefixed by supplied prefix. |
|
99 | 99 |
* |
100 | 100 |
* @param flags Flags to indicate error type and priority. |
101 |
- * @param errval PolarSSL error code to convert to error message. |
|
102 |
- * @param prefix Prefix to PolarSSL error message. |
|
101 |
+ * @param errval mbed TLS error code to convert to error message. |
|
102 |
+ * @param prefix Prefix to mbed TLS error message. |
|
103 | 103 |
* |
104 | 104 |
* @returns true if no errors are detected, false otherwise. |
105 | 105 |
*/ |
106 |
-bool polar_log_err(unsigned int flags, int errval, const char *prefix); |
|
106 |
+bool mbed_log_err(unsigned int flags, int errval, const char *prefix); |
|
107 | 107 |
|
108 | 108 |
/** |
109 |
- * Log the supplied PolarSSL error, prefixed by function name and line number. |
|
109 |
+ * Log the supplied mbed TLS error, prefixed by function name and line number. |
|
110 | 110 |
* |
111 | 111 |
* @param flags Flags to indicate error type and priority. |
112 |
- * @param errval PolarSSL error code to convert to error message. |
|
112 |
+ * @param errval mbed TLS error code to convert to error message. |
|
113 | 113 |
* @param func Function name where error was reported. |
114 | 114 |
* @param line Line number where error was reported. |
115 | 115 |
* |
116 | 116 |
* @returns true if no errors are detected, false otherwise. |
117 | 117 |
*/ |
118 |
-bool polar_log_func_line(unsigned int flags, int errval, const char *func, |
|
118 |
+bool mbed_log_func_line(unsigned int flags, int errval, const char *func, |
|
119 | 119 |
int line); |
120 | 120 |
|
121 |
-/** Wraps polar_log_func_line() to prevent function calls for non-errors */ |
|
122 |
-static inline bool polar_log_func_line_lite(unsigned int flags, int errval, |
|
121 |
+/** Wraps mbed_log_func_line() to prevent function calls for non-errors */ |
|
122 |
+static inline bool mbed_log_func_line_lite(unsigned int flags, int errval, |
|
123 | 123 |
const char *func, int line) { |
124 | 124 |
if (errval) { |
125 |
- return polar_log_func_line (flags, errval, func, line); |
|
125 |
+ return mbed_log_func_line (flags, errval, func, line); |
|
126 | 126 |
} |
127 | 127 |
return true; |
128 | 128 |
} |
... | ... |
@@ -130,17 +130,17 @@ static inline bool polar_log_func_line_lite(unsigned int flags, int errval, |
130 | 130 |
/** |
131 | 131 |
* Check errval and log on error. |
132 | 132 |
* |
133 |
- * Convenience wrapper to put around polarssl library calls, e.g. |
|
134 |
- * if (!polar_ok(polarssl_func())) return 0; |
|
133 |
+ * Convenience wrapper to put around mbed TLS library calls, e.g. |
|
134 |
+ * if (!mbed_ok (mbedtls_ssl_func())) return 0; |
|
135 | 135 |
* or |
136 |
- * ASSERT (polar_ok(polarssl_func())); |
|
136 |
+ * ASSERT (mbed_ok (mbedtls_ssl_func())); |
|
137 | 137 |
* |
138 |
- * @param errval PolarSSL error code to convert to error message. |
|
138 |
+ * @param errval mbed TLS error code to convert to error message. |
|
139 | 139 |
* |
140 | 140 |
* @returns true if no errors are detected, false otherwise. |
141 | 141 |
*/ |
142 |
-#define polar_ok(errval) \ |
|
143 |
- polar_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) |
|
142 |
+#define mbed_ok(errval) \ |
|
143 |
+ mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) |
|
144 | 144 |
|
145 | 145 |
|
146 |
-#endif /* CRYPTO_POLARSSL_H_ */ |
|
146 |
+#endif /* CRYPTO_MBEDTLS_H_ */ |
... | ... |
@@ -68,13 +68,13 @@ const char title_string[] = |
68 | 68 |
#endif |
69 | 69 |
" " TARGET_ALIAS |
70 | 70 |
#ifdef ENABLE_CRYPTO |
71 |
-#if defined(ENABLE_CRYPTO_POLARSSL) |
|
72 |
- " [SSL (PolarSSL)]" |
|
71 |
+#if defined(ENABLE_CRYPTO_MBEDTLS) |
|
72 |
+ " [SSL (mbed TLS)]" |
|
73 | 73 |
#elif defined(ENABLE_CRYPTO_OPENSSL) |
74 | 74 |
" [SSL (OpenSSL)]" |
75 | 75 |
#else |
76 | 76 |
" [SSL]" |
77 |
-#endif /* defined(ENABLE_CRYPTO_POLARSSL) */ |
|
77 |
+#endif /* defined(ENABLE_CRYPTO_MBEDTLS) */ |
|
78 | 78 |
#endif /* ENABLE_CRYPTO */ |
79 | 79 |
#ifdef USE_COMP |
80 | 80 |
#ifdef ENABLE_LZO |
... | ... |
@@ -524,7 +524,7 @@ static const char usage_message[] = |
524 | 524 |
"--keysize n : Size of cipher key in bits (optional).\n" |
525 | 525 |
" If unspecified, defaults to cipher-specific default.\n" |
526 | 526 |
#endif |
527 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
527 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
528 | 528 |
"--engine [name] : Enable OpenSSL hardware crypto engine functionality.\n" |
529 | 529 |
#endif |
530 | 530 |
"--no-replay : Disable replay protection.\n" |
... | ... |
@@ -550,10 +550,10 @@ static const char usage_message[] = |
550 | 550 |
" number, such as 1 (default), 2, etc.\n" |
551 | 551 |
"--ca file : Certificate authority file in .pem format containing\n" |
552 | 552 |
" root certificate.\n" |
553 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
553 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
554 | 554 |
"--capath dir : A directory of trusted certificates (CAs" |
555 | 555 |
" and CRLs).\n" |
556 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
556 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
557 | 557 |
"--dh file : File containing Diffie Hellman parameters\n" |
558 | 558 |
" in .pem format (for --tls-server only).\n" |
559 | 559 |
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" |
... | ... |
@@ -565,7 +565,7 @@ static const char usage_message[] = |
565 | 565 |
" will accept from the peer. If version is unrecognized and 'or-highest'\n" |
566 | 566 |
" is specified, require max TLS version supported by SSL implementation.\n" |
567 | 567 |
"--tls-version-max <version> : sets the maximum TLS version we will use.\n" |
568 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
568 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
569 | 569 |
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n" |
570 | 570 |
" and optionally the root CA certificate.\n" |
571 | 571 |
#endif |
... | ... |
@@ -1569,9 +1569,9 @@ show_settings (const struct options *o) |
1569 | 1569 |
SHOW_STR (prng_hash); |
1570 | 1570 |
SHOW_INT (prng_nonce_secret_len); |
1571 | 1571 |
SHOW_INT (keysize); |
1572 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
1572 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
1573 | 1573 |
SHOW_BOOL (engine); |
1574 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
1574 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
1575 | 1575 |
SHOW_BOOL (replay); |
1576 | 1576 |
SHOW_BOOL (mute_replay_warnings); |
1577 | 1577 |
SHOW_INT (replay_window); |
... | ... |
@@ -1603,7 +1603,7 @@ show_settings (const struct options *o) |
1603 | 1603 |
else |
1604 | 1604 |
#endif |
1605 | 1605 |
SHOW_STR (priv_key_file); |
1606 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
1606 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
1607 | 1607 |
SHOW_STR (pkcs12_file); |
1608 | 1608 |
#endif |
1609 | 1609 |
#ifdef ENABLE_CRYPTOAPI |
... | ... |
@@ -2216,8 +2216,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne |
2216 | 2216 |
#endif |
2217 | 2217 |
if (options->pkcs12_file) |
2218 | 2218 |
{ |
2219 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
2220 |
- msg(M_USAGE, "Parameter --pkcs12 cannot be used with the PolarSSL version version of OpenVPN."); |
|
2219 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
2220 |
+ msg(M_USAGE, "Parameter --pkcs12 cannot be used with the mbed TLS version version of OpenVPN."); |
|
2221 | 2221 |
#else |
2222 | 2222 |
if (options->ca_path) |
2223 | 2223 |
msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); |
... | ... |
@@ -2235,11 +2235,11 @@ options_postprocess_verify_ce (const struct options *options, const struct conne |
2235 | 2235 |
} |
2236 | 2236 |
else |
2237 | 2237 |
{ |
2238 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
2238 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
2239 | 2239 |
if (!(options->ca_file)) |
2240 | 2240 |
msg(M_USAGE, "You must define CA file (--ca)"); |
2241 | 2241 |
if (options->ca_path) |
2242 |
- msg(M_USAGE, "Parameter --capath cannot be used with the PolarSSL version version of OpenVPN."); |
|
2242 |
+ msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); |
|
2243 | 2243 |
#else |
2244 | 2244 |
if ((!(options->ca_file)) && (!(options->ca_path))) |
2245 | 2245 |
msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
... | ... |
@@ -2298,7 +2298,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne |
2298 | 2298 |
MUST_BE_UNDEF (dh_file); |
2299 | 2299 |
MUST_BE_UNDEF (cert_file); |
2300 | 2300 |
MUST_BE_UNDEF (priv_key_file); |
2301 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
2301 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
2302 | 2302 |
MUST_BE_UNDEF (pkcs12_file); |
2303 | 2303 |
#endif |
2304 | 2304 |
MUST_BE_UNDEF (cipher_list); |
... | ... |
@@ -6566,7 +6566,7 @@ add_option (struct options *options, |
6566 | 6566 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6567 | 6567 |
options->test_crypto = true; |
6568 | 6568 |
} |
6569 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
6569 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
6570 | 6570 |
else if (streq (p[0], "engine") && !p[2]) |
6571 | 6571 |
{ |
6572 | 6572 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -6577,7 +6577,7 @@ add_option (struct options *options, |
6577 | 6577 |
else |
6578 | 6578 |
options->engine = "auto"; |
6579 | 6579 |
} |
6580 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
6580 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
6581 | 6581 |
#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH |
6582 | 6582 |
else if (streq (p[0], "keysize") && p[1] && !p[2]) |
6583 | 6583 |
{ |
... | ... |
@@ -6634,13 +6634,13 @@ add_option (struct options *options, |
6634 | 6634 |
options->ca_file_inline = p[2]; |
6635 | 6635 |
} |
6636 | 6636 |
} |
6637 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
6637 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
6638 | 6638 |
else if (streq (p[0], "capath") && p[1] && !p[2]) |
6639 | 6639 |
{ |
6640 | 6640 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6641 | 6641 |
options->ca_path = p[1]; |
6642 | 6642 |
} |
6643 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
6643 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
6644 | 6644 |
else if (streq (p[0], "dh") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6645 | 6645 |
{ |
6646 | 6646 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -6717,7 +6717,7 @@ add_option (struct options *options, |
6717 | 6717 |
~(SSLF_TLS_VERSION_MAX_MASK << SSLF_TLS_VERSION_MAX_SHIFT); |
6718 | 6718 |
options->ssl_flags |= (ver << SSLF_TLS_VERSION_MAX_SHIFT); |
6719 | 6719 |
} |
6720 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
6720 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
6721 | 6721 |
else if (streq (p[0], "pkcs12") && p[1] && ((streq (p[1], INLINE_FILE_TAG) && p[2]) || !p[2]) && !p[3]) |
6722 | 6722 |
{ |
6723 | 6723 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -6727,7 +6727,7 @@ add_option (struct options *options, |
6727 | 6727 |
options->pkcs12_file_inline = p[2]; |
6728 | 6728 |
} |
6729 | 6729 |
} |
6730 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
6730 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
6731 | 6731 |
else if (streq (p[0], "askpass") && !p[2]) |
6732 | 6732 |
{ |
6733 | 6733 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -6795,7 +6795,7 @@ add_option (struct options *options, |
6795 | 6795 |
string_substitute (p[1], ',', ' ', &options->gc), |
6796 | 6796 |
"tls-verify", true); |
6797 | 6797 |
} |
6798 |
-#ifndef ENABLE_CRYPTO_POLARSSL |
|
6798 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
6799 | 6799 |
else if (streq (p[0], "tls-export-cert") && p[1] && !p[2]) |
6800 | 6800 |
{ |
6801 | 6801 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -78,8 +78,8 @@ struct options_pre_pull |
78 | 78 |
}; |
79 | 79 |
|
80 | 80 |
#endif |
81 |
-#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_POLARSSL) |
|
82 |
-# error "At least one of OpenSSL or PolarSSL needs to be defined." |
|
81 |
+#if defined(ENABLE_CRYPTO) && !defined(ENABLE_CRYPTO_OPENSSL) && !defined(ENABLE_CRYPTO_MBEDTLS) |
|
82 |
+# error "At least one of OpenSSL or mbed TLS needs to be defined." |
|
83 | 83 |
#endif |
84 | 84 |
|
85 | 85 |
struct connection_entry |
... | ... |
@@ -24,7 +24,7 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file PKCS #11 PolarSSL backend |
|
27 |
+ * @file PKCS #11 mbed TLS backend |
|
28 | 28 |
*/ |
29 | 29 |
|
30 | 30 |
#ifdef HAVE_CONFIG_H |
... | ... |
@@ -35,12 +35,12 @@ |
35 | 35 |
|
36 | 36 |
#include "syshead.h" |
37 | 37 |
|
38 |
-#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_POLARSSL) |
|
38 |
+#if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) |
|
39 | 39 |
|
40 | 40 |
#include "errlevel.h" |
41 | 41 |
#include "pkcs11_backend.h" |
42 |
-#include <polarssl/pkcs11.h> |
|
43 |
-#include <polarssl/x509.h> |
|
42 |
+#include <mbedtls/pkcs11.h> |
|
43 |
+#include <mbedtls/x509.h> |
|
44 | 44 |
|
45 | 45 |
int |
46 | 46 |
pkcs11_init_tls_session(pkcs11h_certificate_t certificate, |
... | ... |
@@ -50,21 +50,22 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate, |
50 | 50 |
|
51 | 51 |
ASSERT (NULL != ssl_ctx); |
52 | 52 |
|
53 |
- ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, x509_crt); |
|
54 |
- if (pkcs11_x509_cert_init(ssl_ctx->crt_chain, certificate)) { |
|
55 |
- msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); |
|
53 |
+ ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt); |
|
54 |
+ if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) { |
|
55 |
+ msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); |
|
56 | 56 |
goto cleanup; |
57 | 57 |
} |
58 | 58 |
|
59 |
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, pkcs11_context); |
|
60 |
- if (pkcs11_priv_key_init(ssl_ctx->priv_key_pkcs11, certificate)) { |
|
61 |
- msg (M_FATAL, "PKCS#11: Cannot initialize PolarSSL private key object"); |
|
59 |
+ ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); |
|
60 |
+ if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) { |
|
61 |
+ msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); |
|
62 | 62 |
goto cleanup; |
63 | 63 |
} |
64 | 64 |
|
65 |
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, pk_context); |
|
66 |
- if (!polar_ok(pk_init_ctx_rsa_alt(ssl_ctx->priv_key, ssl_ctx->priv_key_pkcs11, |
|
67 |
- ssl_pkcs11_decrypt, ssl_pkcs11_sign, ssl_pkcs11_key_len))) { |
|
65 |
+ ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context); |
|
66 |
+ if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, |
|
67 |
+ ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, |
|
68 |
+ mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) { |
|
68 | 69 |
goto cleanup; |
69 | 70 |
} |
70 | 71 |
|
... | ... |
@@ -80,22 +81,22 @@ pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc) |
80 | 80 |
char *ret = NULL; |
81 | 81 |
char dn[1024] = {0}; |
82 | 82 |
|
83 |
- x509_crt polar_cert = {0}; |
|
83 |
+ mbedtls_x509_crt mbed_crt = {0}; |
|
84 | 84 |
|
85 |
- if (pkcs11_x509_cert_init(&polar_cert, cert)) { |
|
86 |
- msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); |
|
85 |
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { |
|
86 |
+ msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); |
|
87 | 87 |
goto cleanup; |
88 | 88 |
} |
89 | 89 |
|
90 |
- if (-1 == x509_dn_gets (dn, sizeof(dn), &polar_cert.subject)) { |
|
91 |
- msg (M_FATAL, "PKCS#11: PolarSSL cannot parse subject"); |
|
90 |
+ if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) { |
|
91 |
+ msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); |
|
92 | 92 |
goto cleanup; |
93 | 93 |
} |
94 | 94 |
|
95 | 95 |
ret = string_alloc(dn, gc); |
96 | 96 |
|
97 | 97 |
cleanup: |
98 |
- x509_crt_free(&polar_cert); |
|
98 |
+ mbedtls_x509_crt_free(&mbed_crt); |
|
99 | 99 |
|
100 | 100 |
return ret; |
101 | 101 |
} |
... | ... |
@@ -106,23 +107,23 @@ pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial, |
106 | 106 |
{ |
107 | 107 |
int ret = 1; |
108 | 108 |
|
109 |
- x509_crt polar_cert = {0}; |
|
109 |
+ mbedtls_x509_crt mbed_crt = {0}; |
|
110 | 110 |
|
111 |
- if (pkcs11_x509_cert_init(&polar_cert, cert)) { |
|
112 |
- msg (M_FATAL, "PKCS#11: Cannot retrieve PolarSSL certificate object"); |
|
111 |
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { |
|
112 |
+ msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); |
|
113 | 113 |
goto cleanup; |
114 | 114 |
} |
115 | 115 |
|
116 |
- if (-1 == x509_serial_gets (serial, serial_len, &polar_cert.serial)) { |
|
117 |
- msg (M_FATAL, "PKCS#11: PolarSSL cannot parse serial"); |
|
116 |
+ if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) { |
|
117 |
+ msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); |
|
118 | 118 |
goto cleanup; |
119 | 119 |
} |
120 | 120 |
|
121 | 121 |
ret = 0; |
122 | 122 |
|
123 | 123 |
cleanup: |
124 |
- x509_crt_free(&polar_cert); |
|
124 |
+ mbedtls_x509_crt_free(&mbed_crt); |
|
125 | 125 |
|
126 | 126 |
return ret; |
127 | 127 |
} |
128 |
-#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_POLARSSL) */ |
|
128 |
+#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */ |
... | ... |
@@ -591,7 +591,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) |
591 | 591 |
/* Allowable ciphers */ |
592 | 592 |
tls_ctx_restrict_ciphers(new_ctx, options->cipher_list); |
593 | 593 |
|
594 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
594 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
595 | 595 |
/* Personalise the random by mixing in the certificate */ |
596 | 596 |
tls_ctx_personalise_random (new_ctx); |
597 | 597 |
#endif |
... | ... |
@@ -38,10 +38,10 @@ |
38 | 38 |
#include "ssl_verify_openssl.h" |
39 | 39 |
#define SSLAPI SSLAPI_OPENSSL |
40 | 40 |
#endif |
41 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
41 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
42 | 42 |
#include "ssl_polarssl.h" |
43 | 43 |
#include "ssl_verify_polarssl.h" |
44 |
-#define SSLAPI SSLAPI_POLARSSL |
|
44 |
+#define SSLAPI SSLAPI_MBEDTLS |
|
45 | 45 |
#endif |
46 | 46 |
|
47 | 47 |
/* Ensure that SSLAPI got a sane value if SSL is disabled or unknown */ |
... | ... |
@@ -308,9 +308,9 @@ void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs |
308 | 308 |
const char *extra_certs_file_inline |
309 | 309 |
); |
310 | 310 |
|
311 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
311 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
312 | 312 |
/** |
313 |
- * Add a personalisation string to the PolarSSL RNG, based on the certificate |
|
313 |
+ * Add a personalisation string to the mbed TLS RNG, based on the certificate |
|
314 | 314 |
* loaded into the given context. |
315 | 315 |
* |
316 | 316 |
* @param ctx TLS context to use |
... | ... |
@@ -25,7 +25,7 @@ |
25 | 25 |
*/ |
26 | 26 |
|
27 | 27 |
/** |
28 |
- * @file Control Channel PolarSSL Backend |
|
28 |
+ * @file Control Channel mbed TLS Backend |
|
29 | 29 |
*/ |
30 | 30 |
|
31 | 31 |
#ifdef HAVE_CONFIG_H |
... | ... |
@@ -36,7 +36,7 @@ |
36 | 36 |
|
37 | 37 |
#include "syshead.h" |
38 | 38 |
|
39 |
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) |
|
39 |
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) |
|
40 | 40 |
|
41 | 41 |
#include "errlevel.h" |
42 | 42 |
#include "ssl_backend.h" |
... | ... |
@@ -46,15 +46,16 @@ |
46 | 46 |
#include "manage.h" |
47 | 47 |
#include "ssl_common.h" |
48 | 48 |
|
49 |
-#include <polarssl/havege.h> |
|
49 |
+#include <mbedtls/havege.h> |
|
50 | 50 |
|
51 | 51 |
#include "ssl_verify_polarssl.h" |
52 |
-#include <polarssl/debug.h> |
|
53 |
-#include <polarssl/error.h> |
|
54 |
-#include <polarssl/oid.h> |
|
55 |
-#include <polarssl/pem.h> |
|
56 |
-#include <polarssl/sha256.h> |
|
57 |
-#include <polarssl/version.h> |
|
52 |
+#include <mbedtls/debug.h> |
|
53 |
+#include <mbedtls/error.h> |
|
54 |
+#include <mbedtls/net.h> |
|
55 |
+#include <mbedtls/oid.h> |
|
56 |
+#include <mbedtls/pem.h> |
|
57 |
+#include <mbedtls/sha256.h> |
|
58 |
+#include <mbedtls/version.h> |
|
58 | 59 |
|
59 | 60 |
void |
60 | 61 |
tls_init_lib() |
... | ... |
@@ -77,11 +78,11 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) |
77 | 77 |
ASSERT(NULL != ctx); |
78 | 78 |
CLEAR(*ctx); |
79 | 79 |
|
80 |
- ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); |
|
80 |
+ ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); |
|
81 | 81 |
|
82 |
- ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); |
|
82 |
+ ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); |
|
83 | 83 |
|
84 |
- ctx->endpoint = SSL_IS_SERVER; |
|
84 |
+ ctx->endpoint = MBEDTLS_SSL_IS_SERVER; |
|
85 | 85 |
ctx->initialised = true; |
86 | 86 |
} |
87 | 87 |
|
... | ... |
@@ -91,10 +92,10 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) |
91 | 91 |
ASSERT(NULL != ctx); |
92 | 92 |
CLEAR(*ctx); |
93 | 93 |
|
94 |
- ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context); |
|
95 |
- ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_crt); |
|
94 |
+ ALLOC_OBJ_CLEAR(ctx->dhm_ctx, mbedtls_dhm_context); |
|
95 |
+ ALLOC_OBJ_CLEAR(ctx->ca_chain, mbedtls_x509_crt); |
|
96 | 96 |
|
97 |
- ctx->endpoint = SSL_IS_CLIENT; |
|
97 |
+ ctx->endpoint = MBEDTLS_SSL_IS_CLIENT; |
|
98 | 98 |
ctx->initialised = true; |
99 | 99 |
} |
100 | 100 |
|
... | ... |
@@ -103,25 +104,25 @@ tls_ctx_free(struct tls_root_ctx *ctx) |
103 | 103 |
{ |
104 | 104 |
if (ctx) |
105 | 105 |
{ |
106 |
- pk_free(ctx->priv_key); |
|
106 |
+ mbedtls_pk_free(ctx->priv_key); |
|
107 | 107 |
if (ctx->priv_key) |
108 | 108 |
free(ctx->priv_key); |
109 | 109 |
|
110 |
- x509_crt_free(ctx->ca_chain); |
|
110 |
+ mbedtls_x509_crt_free(ctx->ca_chain); |
|
111 | 111 |
if (ctx->ca_chain) |
112 | 112 |
free(ctx->ca_chain); |
113 | 113 |
|
114 |
- x509_crt_free(ctx->crt_chain); |
|
114 |
+ mbedtls_x509_crt_free(ctx->crt_chain); |
|
115 | 115 |
if (ctx->crt_chain) |
116 | 116 |
free(ctx->crt_chain); |
117 | 117 |
|
118 |
- dhm_free(ctx->dhm_ctx); |
|
118 |
+ mbedtls_dhm_free(ctx->dhm_ctx); |
|
119 | 119 |
if (ctx->dhm_ctx) |
120 | 120 |
free(ctx->dhm_ctx); |
121 | 121 |
|
122 | 122 |
#if defined(ENABLE_PKCS11) |
123 | 123 |
if (ctx->priv_key_pkcs11 != NULL) { |
124 |
- pkcs11_priv_key_free(ctx->priv_key_pkcs11); |
|
124 |
+ mbedtls_pkcs11_priv_key_free(ctx->priv_key_pkcs11); |
|
125 | 125 |
free(ctx->priv_key_pkcs11); |
126 | 126 |
} |
127 | 127 |
#endif |
... | ... |
@@ -207,7 +208,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
207 | 207 |
token = strtok (tmp_ciphers, ":"); |
208 | 208 |
while(token) |
209 | 209 |
{ |
210 |
- ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id ( |
|
210 |
+ ctx->allowed_ciphers[i] = mbedtls_ssl_get_ciphersuite_id ( |
|
211 | 211 |
tls_translate_cipher_name (token)); |
212 | 212 |
if (0 != ctx->allowed_ciphers[i]) |
213 | 213 |
i++; |
... | ... |
@@ -225,12 +226,12 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) |
225 | 225 |
return; /* Nothing to check if there is no certificate */ |
226 | 226 |
} |
227 | 227 |
|
228 |
- if (x509_time_future (&ctx->crt_chain->valid_from)) |
|
228 |
+ if (mbedtls_x509_time_is_future (&ctx->crt_chain->valid_from)) |
|
229 | 229 |
{ |
230 | 230 |
msg (M_WARN, "WARNING: Your certificate is not yet valid!"); |
231 | 231 |
} |
232 | 232 |
|
233 |
- if (x509_time_expired (&ctx->crt_chain->valid_to)) |
|
233 |
+ if (mbedtls_x509_time_is_past (&ctx->crt_chain->valid_to)) |
|
234 | 234 |
{ |
235 | 235 |
msg (M_WARN, "WARNING: Your certificate has expired!"); |
236 | 236 |
} |
... | ... |
@@ -243,18 +244,18 @@ tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, |
243 | 243 |
{ |
244 | 244 |
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline) |
245 | 245 |
{ |
246 |
- if (!polar_ok(dhm_parse_dhm(ctx->dhm_ctx, |
|
247 |
- (const unsigned char *) dh_inline, strlen(dh_inline)))) |
|
246 |
+ if (!mbed_ok(mbedtls_dhm_parse_dhm(ctx->dhm_ctx, |
|
247 |
+ (const unsigned char *) dh_inline, strlen(dh_inline)+1))) |
|
248 | 248 |
msg (M_FATAL, "Cannot read inline DH parameters"); |
249 | 249 |
} |
250 | 250 |
else |
251 | 251 |
{ |
252 |
- if (!polar_ok(dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) |
|
252 |
+ if (!mbed_ok(mbedtls_dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))) |
|
253 | 253 |
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file); |
254 | 254 |
} |
255 | 255 |
|
256 | 256 |
msg (D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key", |
257 |
- (counter_type) 8 * mpi_size(&ctx->dhm_ctx->P)); |
|
257 |
+ (counter_type) 8 * mbedtls_mpi_size(&ctx->dhm_ctx->P)); |
|
258 | 258 |
} |
259 | 259 |
|
260 | 260 |
void |
... | ... |
@@ -262,7 +263,7 @@ tls_ctx_load_ecdh_params (struct tls_root_ctx *ctx, const char *curve_name |
262 | 262 |
) |
263 | 263 |
{ |
264 | 264 |
if (NULL != curve_name) |
265 |
- msg(M_WARN, "WARNING: PolarSSL builds do not support specifying an ECDH " |
|
265 |
+ msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " |
|
266 | 266 |
"curve, using default curves."); |
267 | 267 |
} |
268 | 268 |
|
... | ... |
@@ -272,7 +273,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
272 | 272 |
bool load_ca_file |
273 | 273 |
) |
274 | 274 |
{ |
275 |
- msg(M_FATAL, "PKCS #12 files not yet supported for PolarSSL."); |
|
275 |
+ msg(M_FATAL, "PKCS #12 files not yet supported for mbed TLS."); |
|
276 | 276 |
return 0; |
277 | 277 |
} |
278 | 278 |
|
... | ... |
@@ -280,7 +281,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, |
280 | 280 |
void |
281 | 281 |
tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) |
282 | 282 |
{ |
283 |
- msg(M_FATAL, "Windows CryptoAPI not yet supported for PolarSSL."); |
|
283 |
+ msg(M_FATAL, "Windows CryptoAPI not yet supported for mbed TLS."); |
|
284 | 284 |
} |
285 | 285 |
#endif /* WIN32 */ |
286 | 286 |
|
... | ... |
@@ -293,18 +294,18 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file, |
293 | 293 |
|
294 | 294 |
if (!ctx->crt_chain) |
295 | 295 |
{ |
296 |
- ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_crt); |
|
296 |
+ ALLOC_OBJ_CLEAR(ctx->crt_chain, mbedtls_x509_crt); |
|
297 | 297 |
} |
298 | 298 |
|
299 | 299 |
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline) |
300 | 300 |
{ |
301 |
- if (!polar_ok(x509_crt_parse(ctx->crt_chain, |
|
302 |
- (const unsigned char *) cert_inline, strlen(cert_inline)))) |
|
301 |
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, |
|
302 |
+ (const unsigned char *) cert_inline, strlen(cert_inline)+1))) |
|
303 | 303 |
msg (M_FATAL, "Cannot load inline certificate file"); |
304 | 304 |
} |
305 | 305 |
else |
306 | 306 |
{ |
307 |
- if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, cert_file))) |
|
307 |
+ if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, cert_file))) |
|
308 | 308 |
{ |
309 | 309 |
msg (M_FATAL, "Cannot load certificate file %s", cert_file); |
310 | 310 |
} |
... | ... |
@@ -321,38 +322,39 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file, |
321 | 321 |
|
322 | 322 |
if (!ctx->priv_key) |
323 | 323 |
{ |
324 |
- ALLOC_OBJ_CLEAR(ctx->priv_key, pk_context); |
|
324 |
+ ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context); |
|
325 | 325 |
} |
326 | 326 |
|
327 | 327 |
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_inline) |
328 | 328 |
{ |
329 |
- status = pk_parse_key(ctx->priv_key, |
|
330 |
- (const unsigned char *) priv_key_inline, strlen(priv_key_inline), |
|
329 |
+ status = mbedtls_pk_parse_key(ctx->priv_key, |
|
330 |
+ (const unsigned char *) priv_key_inline, strlen(priv_key_inline)+1, |
|
331 | 331 |
NULL, 0); |
332 | 332 |
|
333 |
- if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) |
|
333 |
+ if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) |
|
334 | 334 |
{ |
335 | 335 |
char passbuf[512] = {0}; |
336 | 336 |
pem_password_callback(passbuf, 512, 0, NULL); |
337 |
- status = pk_parse_key(ctx->priv_key, |
|
338 |
- (const unsigned char *) priv_key_inline, strlen(priv_key_inline), |
|
339 |
- (unsigned char *) passbuf, strlen(passbuf)); |
|
337 |
+ status = mbedtls_pk_parse_key(ctx->priv_key, |
|
338 |
+ (const unsigned char *) priv_key_inline, |
|
339 |
+ strlen(priv_key_inline)+1, (unsigned char *) passbuf, |
|
340 |
+ strlen(passbuf)); |
|
340 | 341 |
} |
341 | 342 |
} |
342 | 343 |
else |
343 | 344 |
{ |
344 |
- status = pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); |
|
345 |
- if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status) |
|
345 |
+ status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, NULL); |
|
346 |
+ if (MBEDTLS_ERR_PK_PASSWORD_REQUIRED == status) |
|
346 | 347 |
{ |
347 | 348 |
char passbuf[512] = {0}; |
348 | 349 |
pem_password_callback(passbuf, 512, 0, NULL); |
349 |
- status = pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); |
|
350 |
+ status = mbedtls_pk_parse_keyfile(ctx->priv_key, priv_key_file, passbuf); |
|
350 | 351 |
} |
351 | 352 |
} |
352 |
- if (!polar_ok(status)) |
|
353 |
+ if (!mbed_ok(status)) |
|
353 | 354 |
{ |
354 | 355 |
#ifdef ENABLE_MANAGEMENT |
355 |
- if (management && (POLARSSL_ERR_PK_PASSWORD_MISMATCH == status)) |
|
356 |
+ if (management && (MBEDTLS_ERR_PK_PASSWORD_MISMATCH == status)) |
|
356 | 357 |
management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL); |
357 | 358 |
#endif |
358 | 359 |
msg (M_WARN, "Cannot load private key file %s", priv_key_file); |
... | ... |
@@ -377,7 +379,7 @@ struct external_context { |
377 | 377 |
}; |
378 | 378 |
|
379 | 379 |
/** |
380 |
- * external_pkcs1_sign implements a PolarSSL rsa_sign_func callback, that uses |
|
380 |
+ * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses |
|
381 | 381 |
* the management interface to request an RSA signature for the supplied hash. |
382 | 382 |
* |
383 | 383 |
* @param ctx_voidptr Management external key context. |
... | ... |
@@ -386,18 +388,18 @@ struct external_context { |
386 | 386 |
* @param mode RSA mode (should be RSA_PRIVATE). |
387 | 387 |
* @param md_alg Message digest ('hash') algorithm type. |
388 | 388 |
* @param hashlen Length of hash (overridden by length specified by md_alg |
389 |
- * if md_alg != POLARSSL_MD_NONE). |
|
389 |
+ * if md_alg != MBEDTLS_MD_NONE). |
|
390 | 390 |
* @param hash The digest ('hash') to sign. Should have a size |
391 |
- * matching the length of md_alg (if != POLARSSL_MD_NONE), |
|
391 |
+ * matching the length of md_alg (if != MBEDTLS_MD_NONE), |
|
392 | 392 |
* or hashlen otherwise. |
393 | 393 |
* @param sig Buffer that returns the signature. Should be at least of |
394 | 394 |
* size ctx->signature_length. |
395 | 395 |
* |
396 |
- * @return 0 on success, non-zero polarssl error code on failure. |
|
396 |
+ * @return 0 on success, non-zero mbed TLS error code on failure. |
|
397 | 397 |
*/ |
398 | 398 |
static inline int external_pkcs1_sign( void *ctx_voidptr, |
399 | 399 |
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, |
400 |
- md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, |
|
400 |
+ mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, |
|
401 | 401 |
unsigned char *sig ) |
402 | 402 |
{ |
403 | 403 |
struct external_context * const ctx = ctx_voidptr; |
... | ... |
@@ -409,35 +411,35 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
409 | 409 |
const char *oid = NULL; |
410 | 410 |
|
411 | 411 |
if( NULL == ctx ) |
412 |
- return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
412 |
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; |
|
413 | 413 |
|
414 |
- if( RSA_PRIVATE != mode ) |
|
415 |
- return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
414 |
+ if( MBEDTLS_RSA_PRIVATE != mode ) |
|
415 |
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; |
|
416 | 416 |
|
417 | 417 |
/* |
418 | 418 |
* Support a wide range of hashes. TLSv1.1 and before only need SIG_RSA_RAW, |
419 | 419 |
* but TLSv1.2 needs the full suite of hashes. |
420 | 420 |
* |
421 |
- * This code has been taken from PolarSSL pkcs11_sign(), under the GPLv2.0+. |
|
421 |
+ * This code has been taken from mbed TLS pkcs11_sign(), under the GPLv2.0+. |
|
422 | 422 |
*/ |
423 |
- if( md_alg != POLARSSL_MD_NONE ) |
|
423 |
+ if( md_alg != MBEDTLS_MD_NONE ) |
|
424 | 424 |
{ |
425 |
- const md_info_t *md_info = md_info_from_type( md_alg ); |
|
425 |
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg ); |
|
426 | 426 |
if( md_info == NULL ) |
427 |
- return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); |
|
427 |
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
|
428 | 428 |
|
429 |
- if (!polar_ok(oid_get_oid_by_md( md_alg, &oid, &oid_size ))) |
|
430 |
- return( POLARSSL_ERR_RSA_BAD_INPUT_DATA ); |
|
429 |
+ if (!mbed_ok(mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ))) |
|
430 |
+ return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); |
|
431 | 431 |
|
432 |
- hashlen = md_get_size( md_info ); |
|
432 |
+ hashlen = mbedtls_md_get_size( md_info ); |
|
433 | 433 |
asn_len = 10 + oid_size; |
434 | 434 |
} |
435 | 435 |
|
436 | 436 |
sig_len = ctx->signature_length; |
437 | 437 |
if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len ) |
438 |
- return POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
438 |
+ return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; |
|
439 | 439 |
|
440 |
- if( md_alg != POLARSSL_MD_NONE ) |
|
440 |
+ if( md_alg != MBEDTLS_MD_NONE ) |
|
441 | 441 |
{ |
442 | 442 |
/* |
443 | 443 |
* DigestInfo ::= SEQUENCE { |
... | ... |
@@ -448,17 +450,17 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
448 | 448 |
* |
449 | 449 |
* Digest ::= OCTET STRING |
450 | 450 |
*/ |
451 |
- *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; |
|
451 |
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; |
|
452 | 452 |
*p++ = (unsigned char) ( 0x08 + oid_size + hashlen ); |
453 |
- *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED; |
|
453 |
+ *p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED; |
|
454 | 454 |
*p++ = (unsigned char) ( 0x04 + oid_size ); |
455 |
- *p++ = ASN1_OID; |
|
455 |
+ *p++ = MBEDTLS_ASN1_OID; |
|
456 | 456 |
*p++ = oid_size & 0xFF; |
457 | 457 |
memcpy( p, oid, oid_size ); |
458 | 458 |
p += oid_size; |
459 |
- *p++ = ASN1_NULL; |
|
459 |
+ *p++ = MBEDTLS_ASN1_NULL; |
|
460 | 460 |
*p++ = 0x00; |
461 |
- *p++ = ASN1_OCTET_STRING; |
|
461 |
+ *p++ = MBEDTLS_ASN1_OCTET_STRING; |
|
462 | 462 |
*p++ = hashlen; |
463 | 463 |
|
464 | 464 |
/* Determine added ASN length */ |
... | ... |
@@ -471,7 +473,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
471 | 471 |
/* convert 'from' to base64 */ |
472 | 472 |
if (openvpn_base64_encode (sig, asn_len + hashlen, &in_b64) <= 0) |
473 | 473 |
{ |
474 |
- rv = POLARSSL_ERR_RSA_BAD_INPUT_DATA; |
|
474 |
+ rv = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; |
|
475 | 475 |
goto done; |
476 | 476 |
} |
477 | 477 |
|
... | ... |
@@ -480,7 +482,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
480 | 480 |
out_b64 = management_query_rsa_sig (management, in_b64); |
481 | 481 |
if (!out_b64) |
482 | 482 |
{ |
483 |
- rv = POLARSSL_ERR_RSA_PRIVATE_FAILED; |
|
483 |
+ rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; |
|
484 | 484 |
goto done; |
485 | 485 |
} |
486 | 486 |
|
... | ... |
@@ -488,7 +490,7 @@ static inline int external_pkcs1_sign( void *ctx_voidptr, |
488 | 488 |
if ( openvpn_base64_decode (out_b64, sig, ctx->signature_length) != |
489 | 489 |
ctx->signature_length ) |
490 | 490 |
{ |
491 |
- rv = POLARSSL_ERR_RSA_PRIVATE_FAILED; |
|
491 |
+ rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; |
|
492 | 492 |
goto done; |
493 | 493 |
} |
494 | 494 |
|
... | ... |
@@ -521,10 +523,10 @@ tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, |
521 | 521 |
return 0; |
522 | 522 |
|
523 | 523 |
ALLOC_OBJ_CLEAR (ctx->external_key, struct external_context); |
524 |
- ctx->external_key->signature_length = pk_get_len(&ctx->crt_chain->pk); |
|
524 |
+ ctx->external_key->signature_length = mbedtls_pk_get_len (&ctx->crt_chain->pk); |
|
525 | 525 |
|
526 |
- ALLOC_OBJ_CLEAR (ctx->priv_key, pk_context); |
|
527 |
- if (!polar_ok(pk_init_ctx_rsa_alt(ctx->priv_key, ctx->external_key, |
|
526 |
+ ALLOC_OBJ_CLEAR (ctx->priv_key, mbedtls_pk_context); |
|
527 |
+ if (!mbed_ok (mbedtls_pk_setup_rsa_alt (ctx->priv_key, ctx->external_key, |
|
528 | 528 |
NULL, external_pkcs1_sign, external_key_len))) |
529 | 529 |
return 0; |
530 | 530 |
|
... | ... |
@@ -537,18 +539,18 @@ void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file, |
537 | 537 |
) |
538 | 538 |
{ |
539 | 539 |
if (ca_path) |
540 |
- msg(M_FATAL, "ERROR: PolarSSL cannot handle the capath directive"); |
|
540 |
+ msg(M_FATAL, "ERROR: mbed TLS cannot handle the capath directive"); |
|
541 | 541 |
|
542 | 542 |
if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline) |
543 | 543 |
{ |
544 |
- if (!polar_ok(x509_crt_parse(ctx->ca_chain, |
|
545 |
- (const unsigned char *) ca_inline, strlen(ca_inline)))) |
|
544 |
+ if (!mbed_ok (mbedtls_x509_crt_parse (ctx->ca_chain, |
|
545 |
+ (const unsigned char *) ca_inline, strlen(ca_inline)+1))) |
|
546 | 546 |
msg (M_FATAL, "Cannot load inline CA certificates"); |
547 | 547 |
} |
548 | 548 |
else |
549 | 549 |
{ |
550 | 550 |
/* Load CA file for verifying peer supplied certificate */ |
551 |
- if (!polar_ok(x509_crt_parse_file(ctx->ca_chain, ca_file))) |
|
551 |
+ if (!mbed_ok (mbedtls_x509_crt_parse_file (ctx->ca_chain, ca_file))) |
|
552 | 552 |
msg (M_FATAL, "Cannot load CA certificate file %s", ca_file); |
553 | 553 |
} |
554 | 554 |
} |
... | ... |
@@ -562,19 +564,19 @@ tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file |
562 | 562 |
|
563 | 563 |
if (!ctx->crt_chain) |
564 | 564 |
{ |
565 |
- ALLOC_OBJ_CLEAR (ctx->crt_chain, x509_crt); |
|
565 |
+ ALLOC_OBJ_CLEAR (ctx->crt_chain, mbedtls_x509_crt); |
|
566 | 566 |
} |
567 | 567 |
|
568 | 568 |
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline) |
569 | 569 |
{ |
570 |
- if (!polar_ok(x509_crt_parse(ctx->crt_chain, |
|
570 |
+ if (!mbed_ok(mbedtls_x509_crt_parse(ctx->crt_chain, |
|
571 | 571 |
(const unsigned char *) extra_certs_inline, |
572 |
- strlen(extra_certs_inline)))) |
|
572 |
+ strlen(extra_certs_inline)+1))) |
|
573 | 573 |
msg (M_FATAL, "Cannot load inline extra-certs file"); |
574 | 574 |
} |
575 | 575 |
else |
576 | 576 |
{ |
577 |
- if (!polar_ok(x509_crt_parse_file(ctx->crt_chain, extra_certs_file))) |
|
577 |
+ if (!mbed_ok(mbedtls_x509_crt_parse_file(ctx->crt_chain, extra_certs_file))) |
|
578 | 578 |
msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file); |
579 | 579 |
} |
580 | 580 |
} |
... | ... |
@@ -609,13 +611,12 @@ static void buf_free_entries(endless_buffer *buf) |
609 | 609 |
buf->last_block = NULL; |
610 | 610 |
} |
611 | 611 |
|
612 |
-static int endless_buf_read( void * ctx, unsigned char * out, size_t out_len ) |
|
612 |
+static int endless_buf_read( endless_buffer *in, unsigned char * out, size_t out_len ) |
|
613 | 613 |
{ |
614 |
- endless_buffer *in = (endless_buffer *) ctx; |
|
615 | 614 |
size_t read_len = 0; |
616 | 615 |
|
617 | 616 |
if (in->first_block == NULL) |
618 |
- return POLARSSL_ERR_NET_WANT_READ; |
|
617 |
+ return MBEDTLS_ERR_SSL_WANT_READ; |
|
619 | 618 |
|
620 | 619 |
while (in->first_block != NULL && read_len < out_len) |
621 | 620 |
{ |
... | ... |
@@ -648,18 +649,17 @@ static int endless_buf_read( void * ctx, unsigned char * out, size_t out_len ) |
648 | 648 |
return read_len; |
649 | 649 |
} |
650 | 650 |
|
651 |
-static int endless_buf_write( void *ctx, const unsigned char *in, size_t len ) |
|
651 |
+static int endless_buf_write( endless_buffer *out, const unsigned char *in, size_t len ) |
|
652 | 652 |
{ |
653 |
- endless_buffer *out = (endless_buffer *) ctx; |
|
654 | 653 |
buffer_entry *new_block = malloc(sizeof(buffer_entry)); |
655 | 654 |
if (NULL == new_block) |
656 |
- return POLARSSL_ERR_NET_SEND_FAILED; |
|
655 |
+ return MBEDTLS_ERR_NET_SEND_FAILED; |
|
657 | 656 |
|
658 | 657 |
new_block->data = malloc(len); |
659 | 658 |
if (NULL == new_block->data) |
660 | 659 |
{ |
661 | 660 |
free(new_block); |
662 |
- return POLARSSL_ERR_NET_SEND_FAILED; |
|
661 |
+ return MBEDTLS_ERR_NET_SEND_FAILED; |
|
663 | 662 |
} |
664 | 663 |
|
665 | 664 |
new_block->length = len; |
... | ... |
@@ -678,10 +678,23 @@ static int endless_buf_write( void *ctx, const unsigned char *in, size_t len ) |
678 | 678 |
return len; |
679 | 679 |
} |
680 | 680 |
|
681 |
-static void my_debug( void *ctx, int level, const char *str ) |
|
681 |
+static int ssl_bio_read( void *ctx, unsigned char *out, size_t out_len) |
|
682 |
+{ |
|
683 |
+ bio_ctx *my_ctx = (bio_ctx *) ctx; |
|
684 |
+ return endless_buf_read (&my_ctx->in, out, out_len); |
|
685 |
+} |
|
686 |
+ |
|
687 |
+static int ssl_bio_write( void *ctx, const unsigned char *in, size_t in_len) |
|
688 |
+{ |
|
689 |
+ bio_ctx *my_ctx = (bio_ctx *) ctx; |
|
690 |
+ return endless_buf_write (&my_ctx->out, in, in_len); |
|
691 |
+} |
|
692 |
+ |
|
693 |
+static void my_debug( void *ctx, int level, const char *file, int line, |
|
694 |
+ const char *str ) |
|
682 | 695 |
{ |
683 | 696 |
int my_loglevel = (level < 3) ? D_TLS_DEBUG_MED : D_TLS_DEBUG; |
684 |
- msg (my_loglevel, "PolarSSL msg: %s", str); |
|
697 |
+ msg (my_loglevel, "mbed TLS msg (%s:%d): %s", file, line, str); |
|
685 | 698 |
} |
686 | 699 |
|
687 | 700 |
/* |
... | ... |
@@ -691,16 +704,16 @@ void tls_ctx_personalise_random(struct tls_root_ctx *ctx) |
691 | 691 |
{ |
692 | 692 |
static char old_sha256_hash[32] = {0}; |
693 | 693 |
unsigned char sha256_hash[32] = {0}; |
694 |
- ctr_drbg_context *cd_ctx = rand_ctx_get(); |
|
694 |
+ mbedtls_ctr_drbg_context *cd_ctx = rand_ctx_get(); |
|
695 | 695 |
|
696 | 696 |
if (NULL != ctx->crt_chain) |
697 | 697 |
{ |
698 |
- x509_crt *cert = ctx->crt_chain; |
|
698 |
+ mbedtls_x509_crt *cert = ctx->crt_chain; |
|
699 | 699 |
|
700 |
- sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); |
|
700 |
+ mbedtls_sha256(cert->tbs.p, cert->tbs.len, sha256_hash, false); |
|
701 | 701 |
if ( 0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash))) |
702 | 702 |
{ |
703 |
- ctr_drbg_update(cd_ctx, sha256_hash, 32); |
|
703 |
+ mbedtls_ctr_drbg_update(cd_ctx, sha256_hash, 32); |
|
704 | 704 |
memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash)); |
705 | 705 |
} |
706 | 706 |
} |
... | ... |
@@ -719,13 +732,13 @@ tls_version_max(void) |
719 | 719 |
} |
720 | 720 |
|
721 | 721 |
/** |
722 |
- * Convert an OpenVPN tls-version variable to PolarSSl format (i.e. a major and |
|
722 |
+ * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and |
|
723 | 723 |
* minor ssl version number). |
724 | 724 |
* |
725 | 725 |
* @param tls_ver The tls-version variable to convert. |
726 |
- * @param major Returns the TLS major version in polarssl format. |
|
726 |
+ * @param major Returns the TLS major version in mbed TLS format. |
|
727 | 727 |
* Must be a valid pointer. |
728 |
- * @param minor Returns the TLS minor version in polarssl format. |
|
728 |
+ * @param minor Returns the TLS minor version in mbed TLS format. |
|
729 | 729 |
* Must be a valid pointer. |
730 | 730 |
*/ |
731 | 731 |
static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { |
... | ... |
@@ -735,16 +748,16 @@ static void tls_version_to_major_minor(int tls_ver, int *major, int *minor) { |
735 | 735 |
switch (tls_ver) |
736 | 736 |
{ |
737 | 737 |
case TLS_VER_1_0: |
738 |
- *major = SSL_MAJOR_VERSION_3; |
|
739 |
- *minor = SSL_MINOR_VERSION_1; |
|
738 |
+ *major = MBEDTLS_SSL_MAJOR_VERSION_3; |
|
739 |
+ *minor = MBEDTLS_SSL_MINOR_VERSION_1; |
|
740 | 740 |
break; |
741 | 741 |
case TLS_VER_1_1: |
742 |
- *major = SSL_MAJOR_VERSION_3; |
|
743 |
- *minor = SSL_MINOR_VERSION_2; |
|
742 |
+ *major = MBEDTLS_SSL_MAJOR_VERSION_3; |
|
743 |
+ *minor = MBEDTLS_SSL_MINOR_VERSION_2; |
|
744 | 744 |
break; |
745 | 745 |
case TLS_VER_1_2: |
746 |
- *major = SSL_MAJOR_VERSION_3; |
|
747 |
- *minor = SSL_MINOR_VERSION_3; |
|
746 |
+ *major = MBEDTLS_SSL_MAJOR_VERSION_3; |
|
747 |
+ *minor = MBEDTLS_SSL_MINOR_VERSION_3; |
|
748 | 748 |
break; |
749 | 749 |
default: |
750 | 750 |
msg(M_FATAL, "%s: invalid TLS version %d", __func__, tls_ver); |
... | ... |
@@ -759,86 +772,90 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl, |
759 | 759 |
ASSERT(ks_ssl); |
760 | 760 |
CLEAR(*ks_ssl); |
761 | 761 |
|
762 |
- ALLOC_OBJ_CLEAR(ks_ssl->ctx, ssl_context); |
|
763 |
- if (polar_ok(ssl_init(ks_ssl->ctx))) |
|
762 |
+ /* Initialise SSL config */ |
|
763 |
+ mbedtls_ssl_config_init(&ks_ssl->ssl_config); |
|
764 |
+ mbedtls_ssl_config_defaults(&ks_ssl->ssl_config, ssl_ctx->endpoint, |
|
765 |
+ MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); |
|
766 |
+ mbedtls_debug_set_threshold(3); |
|
767 |
+ mbedtls_ssl_conf_dbg (&ks_ssl->ssl_config, my_debug, NULL); |
|
768 |
+ mbedtls_ssl_conf_rng (&ks_ssl->ssl_config, mbedtls_ctr_drbg_random, |
|
769 |
+ rand_ctx_get()); |
|
770 |
+ |
|
771 |
+ if (ssl_ctx->allowed_ciphers) |
|
772 |
+ mbedtls_ssl_conf_ciphersuites (&ks_ssl->ssl_config, ssl_ctx->allowed_ciphers); |
|
773 |
+ |
|
774 |
+ /* Disable record splitting (for now). OpenVPN assumes records are sent |
|
775 |
+ * unfragmented, and changing that will require thorough review and |
|
776 |
+ * testing. Since OpenVPN is not susceptible to BEAST, we can just |
|
777 |
+ * disable record splitting as a quick fix. */ |
|
778 |
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) |
|
779 |
+ mbedtls_ssl_conf_cbc_record_splitting (&ks_ssl->ssl_config, |
|
780 |
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED); |
|
781 |
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ |
|
782 |
+ |
|
783 |
+ /* Initialise authentication information */ |
|
784 |
+ if (is_server) |
|
785 |
+ mbed_ok (mbedtls_ssl_conf_dh_param_ctx(&ks_ssl->ssl_config, |
|
786 |
+ ssl_ctx->dhm_ctx)); |
|
787 |
+ |
|
788 |
+ mbed_ok (mbedtls_ssl_conf_own_cert(&ks_ssl->ssl_config, ssl_ctx->crt_chain, |
|
789 |
+ ssl_ctx->priv_key)); |
|
790 |
+ |
|
791 |
+ /* Initialise SSL verification */ |
|
792 |
+#if P2MP_SERVER |
|
793 |
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) |
|
764 | 794 |
{ |
765 |
- /* Initialise SSL context */ |
|
766 |
- debug_set_threshold(3); |
|
767 |
- ssl_set_dbg (ks_ssl->ctx, my_debug, NULL); |
|
768 |
- ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint); |
|
769 |
- |
|
770 |
- ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get()); |
|
795 |
+ mbedtls_ssl_conf_authmode(&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_OPTIONAL); |
|
796 |
+ } |
|
797 |
+ else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)) |
|
798 |
+#endif |
|
799 |
+ { |
|
800 |
+ mbedtls_ssl_conf_authmode (&ks_ssl->ssl_config, MBEDTLS_SSL_VERIFY_REQUIRED); |
|
801 |
+ } |
|
802 |
+ mbedtls_ssl_conf_verify (&ks_ssl->ssl_config, verify_callback, session); |
|
771 | 803 |
|
772 |
- if (ssl_ctx->allowed_ciphers) |
|
773 |
- ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); |
|
804 |
+ /* TODO: mbed TLS does not currently support sending the CA chain to the client */ |
|
805 |
+ mbedtls_ssl_conf_ca_chain (&ks_ssl->ssl_config, ssl_ctx->ca_chain, NULL ); |
|
774 | 806 |
|
775 |
- /* Disable record splitting (for now). OpenVPN assumes records are sent |
|
776 |
- * unfragmented, and changing that will require thorough review and |
|
777 |
- * testing. Since OpenVPN is not susceptible to BEAST, we can just |
|
778 |
- * disable record splitting as a quick fix. */ |
|
779 |
-#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) |
|
780 |
- ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED); |
|
781 |
-#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */ |
|
807 |
+ /* Initialize minimum TLS version */ |
|
808 |
+ { |
|
809 |
+ const int tls_version_min = |
|
810 |
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & |
|
811 |
+ SSLF_TLS_VERSION_MIN_MASK; |
|
782 | 812 |
|
783 |
- /* Initialise authentication information */ |
|
784 |
- if (is_server) |
|
785 |
- polar_ok(ssl_set_dh_param_ctx(ks_ssl->ctx, ssl_ctx->dhm_ctx)); |
|
813 |
+ /* default to TLS 1.0 */ |
|
814 |
+ int major = MBEDTLS_SSL_MAJOR_VERSION_3; |
|
815 |
+ int minor = MBEDTLS_SSL_MINOR_VERSION_1; |
|
786 | 816 |
|
787 |
- polar_ok(ssl_set_own_cert(ks_ssl->ctx, ssl_ctx->crt_chain, |
|
788 |
- ssl_ctx->priv_key)); |
|
817 |
+ if (tls_version_min > TLS_VER_UNSPEC) |
|
818 |
+ tls_version_to_major_minor(tls_version_min, &major, &minor); |
|
789 | 819 |
|
790 |
- /* Initialise SSL verification */ |
|
791 |
-#if P2MP_SERVER |
|
792 |
- if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) |
|
793 |
- { |
|
794 |
- ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL); |
|
795 |
- } |
|
796 |
- else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)) |
|
797 |
-#endif |
|
798 |
- { |
|
799 |
- ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED); |
|
800 |
- } |
|
801 |
- ssl_set_verify (ks_ssl->ctx, verify_callback, session); |
|
820 |
+ mbedtls_ssl_conf_min_version(&ks_ssl->ssl_config, major, minor); |
|
821 |
+ } |
|
802 | 822 |
|
803 |
- /* TODO: PolarSSL does not currently support sending the CA chain to the client */ |
|
804 |
- ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL ); |
|
823 |
+ /* Initialize maximum TLS version */ |
|
824 |
+ { |
|
825 |
+ const int tls_version_max = |
|
826 |
+ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & |
|
827 |
+ SSLF_TLS_VERSION_MAX_MASK; |
|
805 | 828 |
|
806 |
- /* Initialize minimum TLS version */ |
|
829 |
+ if (tls_version_max > TLS_VER_UNSPEC) |
|
807 | 830 |
{ |
808 |
- const int tls_version_min = |
|
809 |
- (session->opt->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & |
|
810 |
- SSLF_TLS_VERSION_MIN_MASK; |
|
811 |
- |
|
812 |
- /* default to TLS 1.0 */ |
|
813 |
- int major = SSL_MAJOR_VERSION_3; |
|
814 |
- int minor = SSL_MINOR_VERSION_1; |
|
815 |
- |
|
816 |
- if (tls_version_min > TLS_VER_UNSPEC) |
|
817 |
- tls_version_to_major_minor(tls_version_min, &major, &minor); |
|
818 |
- |
|
819 |
- ssl_set_min_version(ks_ssl->ctx, major, minor); |
|
831 |
+ int major, minor; |
|
832 |
+ tls_version_to_major_minor(tls_version_max, &major, &minor); |
|
833 |
+ mbedtls_ssl_conf_max_version(&ks_ssl->ssl_config, major, minor); |
|
820 | 834 |
} |
835 |
+ } |
|
821 | 836 |
|
822 |
- /* Initialize maximum TLS version */ |
|
823 |
- { |
|
824 |
- const int tls_version_max = |
|
825 |
- (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & |
|
826 |
- SSLF_TLS_VERSION_MAX_MASK; |
|
827 |
- |
|
828 |
- if (tls_version_max > TLS_VER_UNSPEC) |
|
829 |
- { |
|
830 |
- int major, minor; |
|
831 |
- tls_version_to_major_minor(tls_version_max, &major, &minor); |
|
832 |
- ssl_set_max_version(ks_ssl->ctx, major, minor); |
|
833 |
- } |
|
834 |
- } |
|
837 |
+ /* Initialise SSL context */ |
|
838 |
+ ALLOC_OBJ_CLEAR(ks_ssl->ctx, mbedtls_ssl_context); |
|
839 |
+ mbedtls_ssl_init(ks_ssl->ctx); |
|
840 |
+ mbedtls_ssl_setup(ks_ssl->ctx, &ks_ssl->ssl_config); |
|
835 | 841 |
|
836 |
- /* Initialise BIOs */ |
|
837 |
- ALLOC_OBJ_CLEAR (ks_ssl->ct_in, endless_buffer); |
|
838 |
- ALLOC_OBJ_CLEAR (ks_ssl->ct_out, endless_buffer); |
|
839 |
- ssl_set_bio (ks_ssl->ctx, endless_buf_read, ks_ssl->ct_in, |
|
840 |
- endless_buf_write, ks_ssl->ct_out); |
|
841 |
- } |
|
842 |
+ /* Initialise BIOs */ |
|
843 |
+ CLEAR (ks_ssl->bio_ctx); |
|
844 |
+ mbedtls_ssl_set_bio (ks_ssl->ctx, &ks_ssl->bio_ctx, ssl_bio_write, |
|
845 |
+ ssl_bio_read, NULL); |
|
842 | 846 |
} |
843 | 847 |
|
844 | 848 |
void |
... | ... |
@@ -847,17 +864,12 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl) |
847 | 847 |
if (ks_ssl) { |
848 | 848 |
if (ks_ssl->ctx) |
849 | 849 |
{ |
850 |
- ssl_free(ks_ssl->ctx); |
|
850 |
+ mbedtls_ssl_free(ks_ssl->ctx); |
|
851 | 851 |
free(ks_ssl->ctx); |
852 | 852 |
} |
853 |
- if (ks_ssl->ct_in) { |
|
854 |
- buf_free_entries(ks_ssl->ct_in); |
|
855 |
- free(ks_ssl->ct_in); |
|
856 |
- } |
|
857 |
- if (ks_ssl->ct_out) { |
|
858 |
- buf_free_entries(ks_ssl->ct_out); |
|
859 |
- free(ks_ssl->ct_out); |
|
860 |
- } |
|
853 |
+ mbedtls_ssl_config_free(&ks_ssl->ssl_config); |
|
854 |
+ buf_free_entries(&ks_ssl->bio_ctx.in); |
|
855 |
+ buf_free_entries(&ks_ssl->bio_ctx.out); |
|
861 | 856 |
CLEAR(*ks_ssl); |
862 | 857 |
} |
863 | 858 |
} |
... | ... |
@@ -897,14 +909,14 @@ key_state_write_plaintext_const (struct key_state_ssl *ks, const uint8_t *data, |
897 | 897 |
|
898 | 898 |
ASSERT (data); |
899 | 899 |
|
900 |
- retval = ssl_write(ks->ctx, data, len); |
|
900 |
+ retval = mbedtls_ssl_write(ks->ctx, data, len); |
|
901 | 901 |
|
902 | 902 |
if (retval < 0) |
903 | 903 |
{ |
904 | 904 |
perf_pop (); |
905 |
- if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) |
|
905 |
+ if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) |
|
906 | 906 |
return 0; |
907 |
- polar_log_err (D_TLS_ERRORS, retval, |
|
907 |
+ mbed_log_err (D_TLS_ERRORS, retval, |
|
908 | 908 |
"TLS ERROR: write tls_write_plaintext_const error"); |
909 | 909 |
return -1; |
910 | 910 |
} |
... | ... |
@@ -948,15 +960,15 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf, |
948 | 948 |
if (maxlen < len) |
949 | 949 |
len = maxlen; |
950 | 950 |
|
951 |
- retval = endless_buf_read(ks->ct_out, BPTR(buf), len); |
|
951 |
+ retval = endless_buf_read(&ks->bio_ctx.out, BPTR(buf), len); |
|
952 | 952 |
|
953 | 953 |
/* Error during read, check for retry error */ |
954 | 954 |
if (retval < 0) |
955 | 955 |
{ |
956 | 956 |
perf_pop (); |
957 |
- if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) |
|
957 |
+ if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) |
|
958 | 958 |
return 0; |
959 |
- polar_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); |
|
959 |
+ mbed_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_ciphertext error"); |
|
960 | 960 |
buf->len = 0; |
961 | 961 |
return -1; |
962 | 962 |
} |
... | ... |
@@ -991,15 +1003,15 @@ key_state_write_ciphertext (struct key_state_ssl *ks, struct buffer *buf) |
991 | 991 |
return 0; |
992 | 992 |
} |
993 | 993 |
|
994 |
- retval = endless_buf_write(ks->ct_in, BPTR(buf), buf->len); |
|
994 |
+ retval = endless_buf_write(&ks->bio_ctx.in, BPTR(buf), buf->len); |
|
995 | 995 |
|
996 | 996 |
if (retval < 0) |
997 | 997 |
{ |
998 | 998 |
perf_pop (); |
999 | 999 |
|
1000 |
- if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) |
|
1000 |
+ if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) |
|
1001 | 1001 |
return 0; |
1002 |
- polar_log_err (D_TLS_ERRORS, retval, |
|
1002 |
+ mbed_log_err (D_TLS_ERRORS, retval, |
|
1003 | 1003 |
"TLS ERROR: write tls_write_ciphertext error"); |
1004 | 1004 |
return -1; |
1005 | 1005 |
} |
... | ... |
@@ -1045,14 +1057,14 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf, |
1045 | 1045 |
if (maxlen < len) |
1046 | 1046 |
len = maxlen; |
1047 | 1047 |
|
1048 |
- retval = ssl_read(ks->ctx, BPTR(buf), len); |
|
1048 |
+ retval = mbedtls_ssl_read(ks->ctx, BPTR(buf), len); |
|
1049 | 1049 |
|
1050 | 1050 |
/* Error during read, check for retry error */ |
1051 | 1051 |
if (retval < 0) |
1052 | 1052 |
{ |
1053 |
- if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval) |
|
1053 |
+ if (MBEDTLS_ERR_SSL_WANT_WRITE == retval || MBEDTLS_ERR_SSL_WANT_READ == retval) |
|
1054 | 1054 |
return 0; |
1055 |
- polar_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); |
|
1055 |
+ mbed_log_err (D_TLS_ERRORS, retval, "TLS_ERROR: read tls_read_plaintext error"); |
|
1056 | 1056 |
buf->len = 0; |
1057 | 1057 |
perf_pop (); |
1058 | 1058 |
return -1; |
... | ... |
@@ -1083,20 +1095,21 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf, |
1083 | 1083 |
void |
1084 | 1084 |
print_details (struct key_state_ssl * ks_ssl, const char *prefix) |
1085 | 1085 |
{ |
1086 |
- const x509_crt *cert; |
|
1086 |
+ const mbedtls_x509_crt *cert; |
|
1087 | 1087 |
char s1[256]; |
1088 | 1088 |
char s2[256]; |
1089 | 1089 |
|
1090 | 1090 |
s1[0] = s2[0] = 0; |
1091 | 1091 |
openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s", |
1092 | 1092 |
prefix, |
1093 |
- ssl_get_version (ks_ssl->ctx), |
|
1094 |
- ssl_get_ciphersuite(ks_ssl->ctx)); |
|
1093 |
+ mbedtls_ssl_get_version (ks_ssl->ctx), |
|
1094 |
+ mbedtls_ssl_get_ciphersuite (ks_ssl->ctx)); |
|
1095 | 1095 |
|
1096 |
- cert = ssl_get_peer_cert(ks_ssl->ctx); |
|
1096 |
+ cert = mbedtls_ssl_get_peer_cert (ks_ssl->ctx); |
|
1097 | 1097 |
if (cert != NULL) |
1098 | 1098 |
{ |
1099 |
- openvpn_snprintf (s2, sizeof (s2), ", %zu bit key", pk_get_size(&cert->pk)); |
|
1099 |
+ openvpn_snprintf (s2, sizeof (s2), ", %zu bit key", |
|
1100 |
+ mbedtls_pk_get_bitlen (&cert->pk)); |
|
1100 | 1101 |
} |
1101 | 1102 |
|
1102 | 1103 |
msg (D_HANDSHAKE, "%s%s", s1, s2); |
... | ... |
@@ -1106,7 +1119,7 @@ void |
1106 | 1106 |
show_available_tls_ciphers (const char *cipher_list) |
1107 | 1107 |
{ |
1108 | 1108 |
struct tls_root_ctx tls_ctx; |
1109 |
- const int *ciphers = ssl_list_ciphersuites(); |
|
1109 |
+ const int *ciphers = mbedtls_ssl_list_ciphersuites (); |
|
1110 | 1110 |
|
1111 | 1111 |
tls_ctx_server_new(&tls_ctx); |
1112 | 1112 |
tls_ctx_restrict_ciphers(&tls_ctx, cipher_list); |
... | ... |
@@ -1121,7 +1134,7 @@ show_available_tls_ciphers (const char *cipher_list) |
1121 | 1121 |
|
1122 | 1122 |
while (*ciphers != 0) |
1123 | 1123 |
{ |
1124 |
- printf ("%s\n", ssl_get_ciphersuite_name(*ciphers)); |
|
1124 |
+ printf ("%s\n", mbedtls_ssl_get_ciphersuite_name (*ciphers)); |
|
1125 | 1125 |
ciphers++; |
1126 | 1126 |
} |
1127 | 1127 |
printf ("\n" SHOW_TLS_CIPHER_LIST_WARNING); |
... | ... |
@@ -1132,14 +1145,14 @@ show_available_tls_ciphers (const char *cipher_list) |
1132 | 1132 |
void |
1133 | 1133 |
show_available_curves (void) |
1134 | 1134 |
{ |
1135 |
- const ecp_curve_info *pcurve = ecp_curve_list(); |
|
1135 |
+ const mbedtls_ecp_curve_info *pcurve = mbedtls_ecp_curve_list (); |
|
1136 | 1136 |
|
1137 | 1137 |
if (NULL == pcurve) |
1138 |
- msg (M_FATAL, "Cannot retrieve curve list from PolarSSL"); |
|
1138 |
+ msg (M_FATAL, "Cannot retrieve curve list from mbed TLS"); |
|
1139 | 1139 |
|
1140 | 1140 |
/* Print curve list */ |
1141 | 1141 |
printf ("Available Elliptic curves, listed in order of preference:\n\n"); |
1142 |
- while (POLARSSL_ECP_DP_NONE != pcurve->grp_id) |
|
1142 |
+ while (MBEDTLS_ECP_DP_NONE != pcurve->grp_id) |
|
1143 | 1143 |
{ |
1144 | 1144 |
printf("%s\n", pcurve->name); |
1145 | 1145 |
pcurve++; |
... | ... |
@@ -1150,22 +1163,22 @@ void |
1150 | 1150 |
get_highest_preference_tls_cipher (char *buf, int size) |
1151 | 1151 |
{ |
1152 | 1152 |
const char *cipher_name; |
1153 |
- const int *ciphers = ssl_list_ciphersuites(); |
|
1153 |
+ const int *ciphers = mbedtls_ssl_list_ciphersuites(); |
|
1154 | 1154 |
if (*ciphers == 0) |
1155 | 1155 |
msg (M_FATAL, "Cannot retrieve list of supported SSL ciphers."); |
1156 | 1156 |
|
1157 |
- cipher_name = ssl_get_ciphersuite_name(*ciphers); |
|
1157 |
+ cipher_name = mbedtls_ssl_get_ciphersuite_name(*ciphers); |
|
1158 | 1158 |
strncpynt (buf, cipher_name, size); |
1159 | 1159 |
} |
1160 | 1160 |
|
1161 | 1161 |
const char * |
1162 | 1162 |
get_ssl_library_version(void) |
1163 | 1163 |
{ |
1164 |
- static char polar_version[30]; |
|
1165 |
- unsigned int pv = version_get_number(); |
|
1166 |
- sprintf( polar_version, "PolarSSL %d.%d.%d", |
|
1164 |
+ static char mbedtls_version[30]; |
|
1165 |
+ unsigned int pv = mbedtls_version_get_number(); |
|
1166 |
+ sprintf( mbedtls_version, "mbed TLS %d.%d.%d", |
|
1167 | 1167 |
(pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff ); |
1168 |
- return polar_version; |
|
1168 |
+ return mbedtls_version; |
|
1169 | 1169 |
} |
1170 | 1170 |
|
1171 |
-#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) */ |
|
1171 |
+#endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ |
... | ... |
@@ -24,19 +24,19 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file Control Channel PolarSSL Backend |
|
27 |
+ * @file Control Channel mbed TLS Backend |
|
28 | 28 |
*/ |
29 | 29 |
|
30 |
-#ifndef SSL_POLARSSL_H_ |
|
31 |
-#define SSL_POLARSSL_H_ |
|
30 |
+#ifndef SSL_MBEDTLS_H_ |
|
31 |
+#define SSL_MBEDTLS_H_ |
|
32 | 32 |
|
33 | 33 |
#include "syshead.h" |
34 | 34 |
|
35 |
-#include <polarssl/ssl.h> |
|
36 |
-#include <polarssl/x509_crt.h> |
|
35 |
+#include <mbedtls/ssl.h> |
|
36 |
+#include <mbedtls/x509_crt.h> |
|
37 | 37 |
|
38 | 38 |
#if defined(ENABLE_PKCS11) |
39 |
-#include <polarssl/pkcs11.h> |
|
39 |
+#include <mbedtls/pkcs11.h> |
|
40 | 40 |
#endif |
41 | 41 |
|
42 | 42 |
typedef struct _buffer_entry buffer_entry; |
... | ... |
@@ -53,6 +53,11 @@ typedef struct { |
53 | 53 |
buffer_entry *last_block; |
54 | 54 |
} endless_buffer; |
55 | 55 |
|
56 |
+typedef struct { |
|
57 |
+ endless_buffer in; |
|
58 |
+ endless_buffer out; |
|
59 |
+} bio_ctx; |
|
60 |
+ |
|
56 | 61 |
/** |
57 | 62 |
* Structure that wraps the TLS context. Contents differ depending on the |
58 | 63 |
* SSL library used. |
... | ... |
@@ -64,12 +69,12 @@ struct tls_root_ctx { |
64 | 64 |
|
65 | 65 |
int endpoint; /**< Whether or not this is a server or a client */ |
66 | 66 |
|
67 |
- dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ |
|
68 |
- x509_crt *crt_chain; /**< Local Certificate chain */ |
|
69 |
- x509_crt *ca_chain; /**< CA chain for remote verification */ |
|
70 |
- pk_context *priv_key; /**< Local private key */ |
|
67 |
+ mbedtls_dhm_context *dhm_ctx; /**< Diffie-Helmann-Merkle context */ |
|
68 |
+ mbedtls_x509_crt *crt_chain; /**< Local Certificate chain */ |
|
69 |
+ mbedtls_x509_crt *ca_chain; /**< CA chain for remote verification */ |
|
70 |
+ mbedtls_pk_context *priv_key; /**< Local private key */ |
|
71 | 71 |
#if defined(ENABLE_PKCS11) |
72 |
- pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ |
|
72 |
+ mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ |
|
73 | 73 |
#endif |
74 | 74 |
#ifdef MANAGMENT_EXTERNAL_KEY |
75 | 75 |
struct external_context *external_key; /**< Management external key */ |
... | ... |
@@ -78,10 +83,10 @@ struct tls_root_ctx { |
78 | 78 |
}; |
79 | 79 |
|
80 | 80 |
struct key_state_ssl { |
81 |
- ssl_context *ctx; |
|
82 |
- endless_buffer *ct_in; |
|
83 |
- endless_buffer *ct_out; |
|
81 |
+ mbedtls_ssl_config ssl_config; /**< mbedTLS global ssl config */ |
|
82 |
+ mbedtls_ssl_context *ctx; /**< mbedTLS connection context */ |
|
83 |
+ bio_ctx bio_ctx; |
|
84 | 84 |
}; |
85 | 85 |
|
86 | 86 |
|
87 |
-#endif /* SSL_POLARSSL_H_ */ |
|
87 |
+#endif /* SSL_MBEDTLS_H_ */ |
... | ... |
@@ -24,7 +24,7 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file Control Channel Verification Module PolarSSL backend |
|
27 |
+ * @file Control Channel Verification Module mbed TLS backend |
|
28 | 28 |
*/ |
29 | 29 |
|
30 | 30 |
#ifdef HAVE_CONFIG_H |
... | ... |
@@ -35,21 +35,21 @@ |
35 | 35 |
|
36 | 36 |
#include "syshead.h" |
37 | 37 |
|
38 |
-#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) |
|
38 |
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) |
|
39 | 39 |
|
40 | 40 |
#include "crypto_polarssl.h" |
41 | 41 |
#include "ssl_verify.h" |
42 |
-#include <polarssl/asn1.h> |
|
43 |
-#include <polarssl/error.h> |
|
44 |
-#include <polarssl/bignum.h> |
|
45 |
-#include <polarssl/oid.h> |
|
46 |
-#include <polarssl/sha1.h> |
|
42 |
+#include <mbedtls/asn1.h> |
|
43 |
+#include <mbedtls/error.h> |
|
44 |
+#include <mbedtls/bignum.h> |
|
45 |
+#include <mbedtls/oid.h> |
|
46 |
+#include <mbedtls/sha1.h> |
|
47 | 47 |
|
48 | 48 |
#define MAX_SUBJECT_LENGTH 256 |
49 | 49 |
|
50 | 50 |
int |
51 |
-verify_callback (void *session_obj, x509_crt *cert, int cert_depth, |
|
52 |
- int *flags) |
|
51 |
+verify_callback (void *session_obj, mbedtls_x509_crt *cert, int cert_depth, |
|
52 |
+ uint32_t *flags) |
|
53 | 53 |
{ |
54 | 54 |
struct tls_session *session = (struct tls_session *) session_obj; |
55 | 55 |
struct gc_arena gc = gc_new(); |
... | ... |
@@ -77,26 +77,26 @@ verify_callback (void *session_obj, x509_crt *cert, int cert_depth, |
77 | 77 |
} |
78 | 78 |
else if (SUCCESS != verify_cert(session, cert, cert_depth)) |
79 | 79 |
{ |
80 |
- *flags |= BADCERT_OTHER; |
|
80 |
+ *flags |= MBEDTLS_X509_BADCERT_OTHER; |
|
81 | 81 |
} |
82 | 82 |
|
83 | 83 |
gc_free(&gc); |
84 | 84 |
|
85 | 85 |
/* |
86 |
- * PolarSSL-1.2.0+ expects 0 on anything except fatal errors. |
|
86 |
+ * PolarSSL/mbed TLS-1.2.0+ expects 0 on anything except fatal errors. |
|
87 | 87 |
*/ |
88 | 88 |
return 0; |
89 | 89 |
} |
90 | 90 |
|
91 | 91 |
#ifdef ENABLE_X509ALTUSERNAME |
92 |
-# warning "X509 alt user name not yet supported for PolarSSL" |
|
92 |
+# warning "X509 alt user name not yet supported for mbed TLS" |
|
93 | 93 |
#endif |
94 | 94 |
|
95 | 95 |
result_t |
96 | 96 |
backend_x509_get_username (char *cn, int cn_len, |
97 |
- char *x509_username_field, x509_crt *cert) |
|
97 |
+ char *x509_username_field, mbedtls_x509_crt *cert) |
|
98 | 98 |
{ |
99 |
- x509_name *name; |
|
99 |
+ mbedtls_x509_name *name; |
|
100 | 100 |
|
101 | 101 |
ASSERT( cn != NULL ); |
102 | 102 |
|
... | ... |
@@ -105,7 +105,8 @@ backend_x509_get_username (char *cn, int cn_len, |
105 | 105 |
/* Find common name */ |
106 | 106 |
while( name != NULL ) |
107 | 107 |
{ |
108 |
- if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0) |
|
108 |
+ if (0 == memcmp (name->oid.p, MBEDTLS_OID_AT_CN, |
|
109 |
+ MBEDTLS_OID_SIZE (MBEDTLS_OID_AT_CN))) |
|
109 | 110 |
break; |
110 | 111 |
|
111 | 112 |
name = name->next; |
... | ... |
@@ -131,26 +132,27 @@ backend_x509_get_username (char *cn, int cn_len, |
131 | 131 |
} |
132 | 132 |
|
133 | 133 |
char * |
134 |
-backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
|
134 |
+backend_x509_get_serial (mbedtls_x509_crt *cert, struct gc_arena *gc) |
|
135 | 135 |
{ |
136 | 136 |
char *buf = NULL; |
137 | 137 |
size_t buflen = 0; |
138 |
- mpi serial_mpi = { 0 }; |
|
138 |
+ mbedtls_mpi serial_mpi = { 0 }; |
|
139 | 139 |
|
140 |
- /* Transform asn1 integer serial into PolarSSL MPI */ |
|
141 |
- mpi_init(&serial_mpi); |
|
142 |
- if (!polar_ok(mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len))) |
|
140 |
+ /* Transform asn1 integer serial into mbed TLS MPI */ |
|
141 |
+ mbedtls_mpi_init(&serial_mpi); |
|
142 |
+ if (!mbed_ok(mbedtls_mpi_read_binary(&serial_mpi, cert->serial.p, |
|
143 |
+ cert->serial.len))) |
|
143 | 144 |
{ |
144 | 145 |
msg(M_WARN, "Failed to retrieve serial from certificate."); |
145 | 146 |
return NULL; |
146 | 147 |
} |
147 | 148 |
|
148 | 149 |
/* Determine decimal representation length, allocate buffer */ |
149 |
- mpi_write_string(&serial_mpi, 10, buf, &buflen); |
|
150 |
+ mbedtls_mpi_write_string(&serial_mpi, 10, NULL, 0, &buflen); |
|
150 | 151 |
buf = gc_malloc(buflen, true, gc); |
151 | 152 |
|
152 | 153 |
/* Write MPI serial as decimal string into buffer */ |
153 |
- if (!polar_ok(mpi_write_string(&serial_mpi, 10, buf, &buflen))) |
|
154 |
+ if (!mbed_ok(mbedtls_mpi_write_string(&serial_mpi, 10, buf, buflen, &buflen))) |
|
154 | 155 |
{ |
155 | 156 |
msg(M_WARN, "Failed to write serial to string."); |
156 | 157 |
return NULL; |
... | ... |
@@ -160,36 +162,36 @@ backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
160 | 160 |
} |
161 | 161 |
|
162 | 162 |
char * |
163 |
-backend_x509_get_serial_hex (openvpn_x509_cert_t *cert, struct gc_arena *gc) |
|
163 |
+backend_x509_get_serial_hex (mbedtls_x509_crt *cert, struct gc_arena *gc) |
|
164 | 164 |
{ |
165 | 165 |
char *buf = NULL; |
166 | 166 |
size_t len = cert->serial.len * 3 + 1; |
167 | 167 |
|
168 | 168 |
buf = gc_malloc(len, true, gc); |
169 | 169 |
|
170 |
- if(x509_serial_gets(buf, len-1, &cert->serial) < 0) |
|
170 |
+ if(mbedtls_x509_serial_gets(buf, len-1, &cert->serial) < 0) |
|
171 | 171 |
buf = NULL; |
172 | 172 |
|
173 | 173 |
return buf; |
174 | 174 |
} |
175 | 175 |
|
176 | 176 |
unsigned char * |
177 |
-x509_get_sha1_hash (x509_crt *cert, struct gc_arena *gc) |
|
177 |
+x509_get_sha1_hash (mbedtls_x509_crt *cert, struct gc_arena *gc) |
|
178 | 178 |
{ |
179 | 179 |
unsigned char *sha1_hash = gc_malloc(SHA_DIGEST_LENGTH, false, gc); |
180 |
- sha1(cert->raw.p, cert->raw.len, sha1_hash); |
|
180 |
+ mbedtls_sha1(cert->raw.p, cert->tbs.len, sha1_hash); |
|
181 | 181 |
return sha1_hash; |
182 | 182 |
} |
183 | 183 |
|
184 | 184 |
char * |
185 |
-x509_get_subject(x509_crt *cert, struct gc_arena *gc) |
|
185 |
+x509_get_subject(mbedtls_x509_crt *cert, struct gc_arena *gc) |
|
186 | 186 |
{ |
187 | 187 |
char tmp_subject[MAX_SUBJECT_LENGTH] = {0}; |
188 | 188 |
char *subject = NULL; |
189 | 189 |
|
190 | 190 |
int ret = 0; |
191 | 191 |
|
192 |
- ret = x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); |
|
192 |
+ ret = mbedtls_x509_dn_gets( tmp_subject, MAX_SUBJECT_LENGTH-1, &cert->subject ); |
|
193 | 193 |
if (ret > 0) |
194 | 194 |
{ |
195 | 195 |
/* Allocate the required space for the subject */ |
... | ... |
@@ -216,7 +218,7 @@ do_setenv_x509 (struct env_set *es, const char *name, char *value, int depth) |
216 | 216 |
} |
217 | 217 |
|
218 | 218 |
static char * |
219 |
-asn1_buf_to_c_string(const asn1_buf *orig, struct gc_arena *gc) |
|
219 |
+asn1_buf_to_c_string(const mbedtls_asn1_buf *orig, struct gc_arena *gc) |
|
220 | 220 |
{ |
221 | 221 |
size_t i; |
222 | 222 |
char *val; |
... | ... |
@@ -232,13 +234,13 @@ asn1_buf_to_c_string(const asn1_buf *orig, struct gc_arena *gc) |
232 | 232 |
|
233 | 233 |
static void |
234 | 234 |
do_setenv_name(struct env_set *es, const struct x509_track *xt, |
235 |
- const x509_crt *cert, int depth, struct gc_arena *gc) |
|
235 |
+ const mbedtls_x509_crt *cert, int depth, struct gc_arena *gc) |
|
236 | 236 |
{ |
237 |
- const x509_name *xn; |
|
237 |
+ const mbedtls_x509_name *xn; |
|
238 | 238 |
for (xn = &cert->subject; xn != NULL; xn = xn->next) |
239 | 239 |
{ |
240 | 240 |
const char *xn_short_name = NULL; |
241 |
- if (0 == oid_get_attr_short_name (&xn->oid, &xn_short_name) && |
|
241 |
+ if (0 == mbedtls_oid_get_attr_short_name (&xn->oid, &xn_short_name) && |
|
242 | 242 |
0 == strcmp (xt->name, xn_short_name)) |
243 | 243 |
{ |
244 | 244 |
char *val_str = asn1_buf_to_c_string (&xn->val, gc); |
... | ... |
@@ -263,7 +265,8 @@ x509_track_add (const struct x509_track **ll_head, const char *name, int msgleve |
263 | 263 |
} |
264 | 264 |
|
265 | 265 |
void |
266 |
-x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int depth, x509_crt *cert) |
|
266 |
+x509_setenv_track (const struct x509_track *xt, struct env_set *es, |
|
267 |
+ const int depth, mbedtls_x509_crt *cert) |
|
267 | 268 |
{ |
268 | 269 |
struct gc_arena gc = gc_new(); |
269 | 270 |
while (xt) |
... | ... |
@@ -293,11 +296,11 @@ x509_setenv_track (const struct x509_track *xt, struct env_set *es, const int de |
293 | 293 |
* X509_{cert_depth}_{name}={value} |
294 | 294 |
*/ |
295 | 295 |
void |
296 |
-x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
|
296 |
+x509_setenv (struct env_set *es, int cert_depth, mbedtls_x509_crt *cert) |
|
297 | 297 |
{ |
298 | 298 |
int i; |
299 | 299 |
unsigned char c; |
300 |
- const x509_name *name; |
|
300 |
+ const mbedtls_x509_name *name; |
|
301 | 301 |
char s[128]; |
302 | 302 |
|
303 | 303 |
name = &cert->subject; |
... | ... |
@@ -309,7 +312,7 @@ x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
309 | 309 |
char name_expand[64+8]; |
310 | 310 |
const char *shortname; |
311 | 311 |
|
312 |
- if( 0 == oid_get_attr_short_name(&name->oid, &shortname) ) |
|
312 |
+ if( 0 == mbedtls_oid_get_attr_short_name(&name->oid, &shortname) ) |
|
313 | 313 |
{ |
314 | 314 |
openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s", |
315 | 315 |
cert_depth, shortname); |
... | ... |
@@ -342,27 +345,29 @@ x509_setenv (struct env_set *es, int cert_depth, openvpn_x509_cert_t *cert) |
342 | 342 |
} |
343 | 343 |
|
344 | 344 |
result_t |
345 |
-x509_verify_ns_cert_type(const x509_crt *cert, const int usage) |
|
345 |
+x509_verify_ns_cert_type(const mbedtls_x509_crt *cert, const int usage) |
|
346 | 346 |
{ |
347 | 347 |
if (usage == NS_CERT_CHECK_NONE) |
348 | 348 |
return SUCCESS; |
349 | 349 |
if (usage == NS_CERT_CHECK_CLIENT) |
350 |
- return ((cert->ext_types & EXT_NS_CERT_TYPE) |
|
351 |
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_CLIENT)) ? SUCCESS : FAILURE; |
|
350 |
+ return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) |
|
351 |
+ && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT)) ? |
|
352 |
+ SUCCESS : FAILURE; |
|
352 | 353 |
if (usage == NS_CERT_CHECK_SERVER) |
353 |
- return ((cert->ext_types & EXT_NS_CERT_TYPE) |
|
354 |
- && (cert->ns_cert_type & NS_CERT_TYPE_SSL_SERVER)) ? SUCCESS : FAILURE; |
|
354 |
+ return ((cert->ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE) |
|
355 |
+ && (cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER)) ? |
|
356 |
+ SUCCESS : FAILURE; |
|
355 | 357 |
|
356 | 358 |
return FAILURE; |
357 | 359 |
} |
358 | 360 |
|
359 | 361 |
result_t |
360 |
-x509_verify_cert_ku (x509_crt *cert, const unsigned * const expected_ku, |
|
362 |
+x509_verify_cert_ku (mbedtls_x509_crt *cert, const unsigned * const expected_ku, |
|
361 | 363 |
int expected_len) |
362 | 364 |
{ |
363 | 365 |
result_t fFound = FAILURE; |
364 | 366 |
|
365 |
- if(!(cert->ext_types & EXT_KEY_USAGE)) |
|
367 |
+ if(!(cert->ext_types & MBEDTLS_X509_EXT_KEY_USAGE)) |
|
366 | 368 |
{ |
367 | 369 |
msg (D_HANDSHAKE, "Certificate does not have key usage extension"); |
368 | 370 |
} |
... | ... |
@@ -390,26 +395,26 @@ x509_verify_cert_ku (x509_crt *cert, const unsigned * const expected_ku, |
390 | 390 |
} |
391 | 391 |
|
392 | 392 |
result_t |
393 |
-x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) |
|
393 |
+x509_verify_cert_eku (mbedtls_x509_crt *cert, const char * const expected_oid) |
|
394 | 394 |
{ |
395 | 395 |
result_t fFound = FAILURE; |
396 | 396 |
|
397 |
- if (!(cert->ext_types & EXT_EXTENDED_KEY_USAGE)) |
|
397 |
+ if (!(cert->ext_types & MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE)) |
|
398 | 398 |
{ |
399 | 399 |
msg (D_HANDSHAKE, "Certificate does not have extended key usage extension"); |
400 | 400 |
} |
401 | 401 |
else |
402 | 402 |
{ |
403 |
- x509_sequence *oid_seq = &(cert->ext_key_usage); |
|
403 |
+ mbedtls_x509_sequence *oid_seq = &(cert->ext_key_usage); |
|
404 | 404 |
|
405 | 405 |
msg (D_HANDSHAKE, "Validating certificate extended key usage"); |
406 | 406 |
while (oid_seq != NULL) |
407 | 407 |
{ |
408 |
- x509_buf *oid = &oid_seq->buf; |
|
408 |
+ mbedtls_x509_buf *oid = &oid_seq->buf; |
|
409 | 409 |
char oid_num_str[1024]; |
410 | 410 |
const char *oid_str; |
411 | 411 |
|
412 |
- if (0 == oid_get_extended_key_usage( oid, &oid_str )) |
|
412 |
+ if (0 == mbedtls_oid_get_extended_key_usage( oid, &oid_str )) |
|
413 | 413 |
{ |
414 | 414 |
msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", |
415 | 415 |
oid_str, expected_oid); |
... | ... |
@@ -420,7 +425,7 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) |
420 | 420 |
} |
421 | 421 |
} |
422 | 422 |
|
423 |
- if (0 < oid_get_numeric_string( oid_num_str, |
|
423 |
+ if (0 < mbedtls_oid_get_numeric_string( oid_num_str, |
|
424 | 424 |
sizeof (oid_num_str), oid)) |
425 | 425 |
{ |
426 | 426 |
msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s", |
... | ... |
@@ -439,9 +444,9 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid) |
439 | 439 |
} |
440 | 440 |
|
441 | 441 |
result_t |
442 |
-x509_write_pem(FILE *peercert_file, x509_crt *peercert) |
|
442 |
+x509_write_pem(FILE *peercert_file, mbedtls_x509_crt *peercert) |
|
443 | 443 |
{ |
444 |
- msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format"); |
|
444 |
+ msg (M_WARN, "mbed TLS does not support writing peer certificate in PEM format"); |
|
445 | 445 |
return FAILURE; |
446 | 446 |
} |
447 | 447 |
|
... | ... |
@@ -449,17 +454,18 @@ x509_write_pem(FILE *peercert_file, x509_crt *peercert) |
449 | 449 |
* check peer cert against CRL |
450 | 450 |
*/ |
451 | 451 |
result_t |
452 |
-x509_verify_crl(const char *crl_file, const char* crl_inline, |
|
453 |
- x509_crt *cert, const char *subject) |
|
452 |
+x509_verify_crl(const char *crl_file, const char *crl_inline, |
|
453 |
+ mbedtls_x509_crt *cert, const char *subject) |
|
454 | 454 |
{ |
455 | 455 |
result_t retval = FAILURE; |
456 |
- x509_crl crl = {0}; |
|
456 |
+ mbedtls_x509_crl crl = {0}; |
|
457 | 457 |
struct gc_arena gc = gc_new(); |
458 | 458 |
char *serial; |
459 | 459 |
|
460 | 460 |
if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline) |
461 | 461 |
{ |
462 |
- if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline)))) |
|
462 |
+ if (!mbed_ok(mbedtls_x509_crl_parse(&crl, |
|
463 |
+ (const unsigned char *)crl_inline, strlen(crl_inline)+1))) |
|
463 | 464 |
{ |
464 | 465 |
msg (M_WARN, "CRL: cannot parse inline CRL"); |
465 | 466 |
goto end; |
... | ... |
@@ -467,7 +473,7 @@ x509_verify_crl(const char *crl_file, const char* crl_inline, |
467 | 467 |
} |
468 | 468 |
else |
469 | 469 |
{ |
470 |
- if (!polar_ok(x509_crl_parse_file(&crl, crl_file))) |
|
470 |
+ if (!mbed_ok(mbedtls_x509_crl_parse_file(&crl, crl_file))) |
|
471 | 471 |
{ |
472 | 472 |
msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); |
473 | 473 |
goto end; |
... | ... |
@@ -483,7 +489,7 @@ x509_verify_crl(const char *crl_file, const char* crl_inline, |
483 | 483 |
goto end; |
484 | 484 |
} |
485 | 485 |
|
486 |
- if (!polar_ok(x509_crt_revoked(cert, &crl))) |
|
486 |
+ if (!mbed_ok(mbedtls_x509_crt_is_revoked(cert, &crl))) |
|
487 | 487 |
{ |
488 | 488 |
serial = backend_x509_get_serial_hex(cert, &gc); |
489 | 489 |
msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE")); |
... | ... |
@@ -495,8 +501,8 @@ x509_verify_crl(const char *crl_file, const char* crl_inline, |
495 | 495 |
|
496 | 496 |
end: |
497 | 497 |
gc_free(&gc); |
498 |
- x509_crl_free(&crl); |
|
498 |
+ mbedtls_x509_crl_free(&crl); |
|
499 | 499 |
return retval; |
500 | 500 |
} |
501 | 501 |
|
502 |
-#endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL) */ |
|
502 |
+#endif /* #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_MBEDTLS) */ |
... | ... |
@@ -24,18 +24,18 @@ |
24 | 24 |
*/ |
25 | 25 |
|
26 | 26 |
/** |
27 |
- * @file Control Channel Verification Module PolarSSL backend |
|
27 |
+ * @file Control Channel Verification Module mbed TLS backend |
|
28 | 28 |
*/ |
29 | 29 |
|
30 |
-#ifndef SSL_VERIFY_POLARSSL_H_ |
|
31 |
-#define SSL_VERIFY_POLARSSL_H_ |
|
30 |
+#ifndef SSL_VERIFY_MBEDTLS_H_ |
|
31 |
+#define SSL_VERIFY_MBEDTLS_H_ |
|
32 | 32 |
|
33 | 33 |
#include "syshead.h" |
34 |
-#include <polarssl/x509_crt.h> |
|
34 |
+#include <mbedtls/x509_crt.h> |
|
35 | 35 |
|
36 | 36 |
#ifndef __OPENVPN_X509_CERT_T_DECLARED |
37 | 37 |
#define __OPENVPN_X509_CERT_T_DECLARED |
38 |
-typedef x509_crt openvpn_x509_cert_t; |
|
38 |
+typedef mbedtls_x509_crt openvpn_x509_cert_t; |
|
39 | 39 |
#endif |
40 | 40 |
|
41 | 41 |
/** @name Function for authenticating a new connection from a remote OpenVPN peer |
... | ... |
@@ -50,7 +50,7 @@ typedef x509_crt openvpn_x509_cert_t; |
50 | 50 |
* determine whether the remote OpenVPN peer's certificate is allowed to |
51 | 51 |
* connect. It is called for once for every certificate in the chain. The |
52 | 52 |
* callback functionality is configured in the \c init_ssl() function, which |
53 |
- * calls the PolarSSL library's \c ssl_set_verify_callback() function with \c |
|
53 |
+ * calls the mbed TLS library's \c ssl_set_verify_callback() function with \c |
|
54 | 54 |
* verify_callback() as its callback argument. |
55 | 55 |
* |
56 | 56 |
* It checks *flags and registers the certificate hash. If these steps succeed, |
... | ... |
@@ -59,7 +59,7 @@ typedef x509_crt openvpn_x509_cert_t; |
59 | 59 |
* |
60 | 60 |
* @param session_obj - The OpenVPN \c tls_session associated with this object, |
61 | 61 |
* as set during SSL session setup. |
62 |
- * @param cert - The certificate used by PolarSSL. |
|
62 |
+ * @param cert - The certificate used by mbed TLS. |
|
63 | 63 |
* @param cert_depth - The depth of the current certificate in the chain, with |
64 | 64 |
* 0 being the actual certificate. |
65 | 65 |
* @param flags - Whether the remote OpenVPN peer's certificate |
... | ... |
@@ -70,9 +70,9 @@ typedef x509_crt openvpn_x509_cert_t; |
70 | 70 |
* |
71 | 71 |
* @return The return value is 0 unless a fatal error occurred. |
72 | 72 |
*/ |
73 |
-int verify_callback (void *session_obj, x509_crt *cert, int cert_depth, |
|
74 |
- int *flags); |
|
73 |
+int verify_callback (void *session_obj, mbedtls_x509_crt *cert, int cert_depth, |
|
74 |
+ uint32_t *flags); |
|
75 | 75 |
|
76 | 76 |
/** @} name Function for authenticating a new connection from a remote OpenVPN peer */ |
77 | 77 |
|
78 |
-#endif /* SSL_VERIFY_POLARSSL_H_ */ |
|
78 |
+#endif /* SSL_VERIFY_MBEDTLS_H_ */ |
... | ... |
@@ -564,10 +564,10 @@ socket_defined (const socket_descriptor_t sd) |
564 | 564 |
#define MANAGMENT_EXTERNAL_KEY |
565 | 565 |
#endif |
566 | 566 |
|
567 |
-/* Enable PolarSSL RNG prediction resistance support */ |
|
568 |
-#ifdef ENABLE_CRYPTO_POLARSSL |
|
567 |
+/* Enable mbed TLS RNG prediction resistance support */ |
|
568 |
+#ifdef ENABLE_CRYPTO_MBEDTLS |
|
569 | 569 |
#define ENABLE_PREDICTION_RESISTANCE |
570 |
-#endif /* ENABLE_CRYPTO_POLARSSL */ |
|
570 |
+#endif /* ENABLE_CRYPTO_MBEDTLS */ |
|
571 | 571 |
|
572 | 572 |
/* |
573 | 573 |
* MANAGEMENT_IN_EXTRA allows the management interface to |