Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
... | ... |
@@ -6,6 +6,7 @@ |
6 | 6 |
* packet compression. |
7 | 7 |
* |
8 | 8 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
9 |
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
9 | 10 |
* |
10 | 11 |
* Additions for eurephia plugin done by: |
11 | 12 |
* David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2008-2009 |
... | ... |
@@ -26,6 +27,10 @@ |
26 | 26 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
27 | 27 |
*/ |
28 | 28 |
|
29 |
+/** |
|
30 |
+ * @file Control Channel SSL/Data channel negotiation Module |
|
31 |
+ */ |
|
32 |
+ |
|
29 | 33 |
/* |
30 | 34 |
* The routines in this file deal with dynamically negotiating |
31 | 35 |
* the data channel HMAC and cipher keys through a TLS session. |
... | ... |
@@ -38,7 +43,6 @@ |
38 | 38 |
|
39 | 39 |
#if defined(USE_CRYPTO) && defined(USE_SSL) |
40 | 40 |
|
41 |
-#include "ssl.h" |
|
42 | 41 |
#include "error.h" |
43 | 42 |
#include "common.h" |
44 | 43 |
#include "integer.h" |
... | ... |
@@ -54,6 +58,10 @@ |
54 | 54 |
#include "base64.h" |
55 | 55 |
#include "route.h" |
56 | 56 |
|
57 |
+#include "ssl.h" |
|
58 |
+#include "ssl_verify.h" |
|
59 |
+#include "ssl_backend.h" |
|
60 |
+ |
|
57 | 61 |
#ifdef WIN32 |
58 | 62 |
#include "cryptoapi.h" |
59 | 63 |
#endif |
... | ... |
@@ -204,55 +212,20 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame |
204 | 204 |
frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN); |
205 | 205 |
} |
206 | 206 |
|
207 |
-/* |
|
208 |
- * Allocate space in SSL objects |
|
209 |
- * in which to store a struct tls_session |
|
210 |
- * pointer back to parent. |
|
211 |
- */ |
|
212 |
- |
|
213 |
-static int mydata_index; /* GLOBAL */ |
|
214 |
- |
|
215 |
-static void |
|
216 |
-ssl_set_mydata_index () |
|
217 |
-{ |
|
218 |
- mydata_index = SSL_get_ex_new_index (0, "struct session *", NULL, NULL, NULL); |
|
219 |
- ASSERT (mydata_index >= 0); |
|
220 |
-} |
|
221 |
- |
|
222 | 207 |
void |
223 | 208 |
init_ssl_lib () |
224 | 209 |
{ |
225 |
- SSL_library_init (); |
|
226 |
- SSL_load_error_strings (); |
|
227 |
- OpenSSL_add_all_algorithms (); |
|
210 |
+ tls_init_lib (); |
|
228 | 211 |
|
229 |
- crypto_init_lib(); |
|
230 |
- |
|
231 |
- /* |
|
232 |
- * If you build the OpenSSL library and OpenVPN with |
|
233 |
- * CRYPTO_MDEBUG, you will get a listing of OpenSSL |
|
234 |
- * memory leaks on program termination. |
|
235 |
- */ |
|
236 |
-#ifdef CRYPTO_MDEBUG |
|
237 |
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); |
|
238 |
-#endif |
|
239 |
- |
|
240 |
- ssl_set_mydata_index (); |
|
212 |
+ crypto_init_lib (); |
|
241 | 213 |
} |
242 | 214 |
|
243 | 215 |
void |
244 | 216 |
free_ssl_lib () |
245 | 217 |
{ |
246 |
-#ifdef CRYPTO_MDEBUG |
|
247 |
- FILE* fp = fopen ("sdlog", "w"); |
|
248 |
- ASSERT (fp); |
|
249 |
- CRYPTO_mem_leaks_fp (fp); |
|
250 |
- fclose (fp); |
|
251 |
-#endif |
|
252 |
- |
|
253 | 218 |
crypto_uninit_lib (); |
254 |
- EVP_cleanup (); |
|
255 |
- ERR_free_strings (); |
|
219 |
+ |
|
220 |
+ tls_free_lib(); |
|
256 | 221 |
} |
257 | 222 |
|
258 | 223 |
/* |
... | ... |
@@ -5151,7 +5124,7 @@ tls_process (struct tls_multi *multi, |
5151 | 5151 |
} |
5152 | 5152 |
|
5153 | 5153 |
error: |
5154 |
- ERR_clear_error (); |
|
5154 |
+ tls_clear_error(); |
|
5155 | 5155 |
ks->state = S_ERROR; |
5156 | 5156 |
msg (D_TLS_ERRORS, "TLS Error: TLS handshake failed"); |
5157 | 5157 |
INCR_ERROR; |
... | ... |
@@ -5184,7 +5157,7 @@ tls_multi_process (struct tls_multi *multi, |
5184 | 5184 |
|
5185 | 5185 |
perf_push (PERF_TLS_MULTI_PROCESS); |
5186 | 5186 |
|
5187 |
- ERR_clear_error (); |
|
5187 |
+ tls_clear_error (); |
|
5188 | 5188 |
|
5189 | 5189 |
/* |
5190 | 5190 |
* Process each session object having state of S_INITIAL or greater, |
... | ... |
@@ -5791,7 +5764,7 @@ tls_pre_decrypt (struct tls_multi *multi, |
5791 | 5791 |
error: |
5792 | 5792 |
++multi->n_soft_errors; |
5793 | 5793 |
error_lite: |
5794 |
- ERR_clear_error (); |
|
5794 |
+ tls_clear_error(); |
|
5795 | 5795 |
goto done; |
5796 | 5796 |
} |
5797 | 5797 |
|
... | ... |
@@ -5902,7 +5875,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, |
5902 | 5902 |
return ret; |
5903 | 5903 |
|
5904 | 5904 |
error: |
5905 |
- ERR_clear_error (); |
|
5905 |
+ tls_clear_error(); |
|
5906 | 5906 |
gc_free (&gc); |
5907 | 5907 |
return ret; |
5908 | 5908 |
} |
... | ... |
@@ -5997,7 +5970,7 @@ tls_send_payload (struct tls_multi *multi, |
5997 | 5997 |
struct key_state *ks; |
5998 | 5998 |
bool ret = false; |
5999 | 5999 |
|
6000 |
- ERR_clear_error (); |
|
6000 |
+ tls_clear_error(); |
|
6001 | 6001 |
|
6002 | 6002 |
ASSERT (multi); |
6003 | 6003 |
|
... | ... |
@@ -6017,7 +5990,8 @@ tls_send_payload (struct tls_multi *multi, |
6017 | 6017 |
ret = true; |
6018 | 6018 |
} |
6019 | 6019 |
|
6020 |
- ERR_clear_error (); |
|
6020 |
+ |
|
6021 |
+ tls_clear_error(); |
|
6021 | 6022 |
|
6022 | 6023 |
return ret; |
6023 | 6024 |
} |
... | ... |
@@ -6030,7 +6004,7 @@ tls_rec_payload (struct tls_multi *multi, |
6030 | 6030 |
struct key_state *ks; |
6031 | 6031 |
bool ret = false; |
6032 | 6032 |
|
6033 |
- ERR_clear_error (); |
|
6033 |
+ tls_clear_error(); |
|
6034 | 6034 |
|
6035 | 6035 |
ASSERT (multi); |
6036 | 6036 |
|
... | ... |
@@ -6044,7 +6018,7 @@ tls_rec_payload (struct tls_multi *multi, |
6044 | 6044 |
ks->plaintext_read_buf.len = 0; |
6045 | 6045 |
} |
6046 | 6046 |
|
6047 |
- ERR_clear_error (); |
|
6047 |
+ tls_clear_error(); |
|
6048 | 6048 |
|
6049 | 6049 |
return ret; |
6050 | 6050 |
} |
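Review bot: The two `#ifdef CRYPTO_MDEBUG` blocks that the @@ -204 hunk removes from init_ssl_lib and free_ssl_lib (`CRYPTO_mem_ctrl (CRYPTO_MEM_CHECK_ON)` and the `CRYPTO_mem_leaks_fp` dump to "sdlog") do not reappear in the tls_init_lib/tls_free_lib definitions this same commit adds to ssl_openssl.c, so a CRYPTO_MDEBUG build silently loses the OpenSSL leak report at exit. That report is one of the few cheap ways to notice SSL objects, BIOs or key buffers that are never released, so the drop should either be restored inside the backend's tls_init_lib/tls_free_lib (the natural new home for OpenSSL-specific debug hooks) or be stated as intentional in the commit message. The remaining hunks in this file are a mechanical ERR_clear_error → tls_clear_error rename and look fine as they are.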
... | ... |
@@ -6,6 +6,7 @@ |
6 | 6 |
* packet compression. |
7 | 7 |
* |
8 | 8 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
9 |
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
9 | 10 |
* |
10 | 11 |
* This program is free software; you can redistribute it and/or modify |
11 | 12 |
* it under the terms of the GNU General Public License version 2 |
... | ... |
@@ -22,12 +23,10 @@ |
22 | 22 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
23 | 23 |
*/ |
24 | 24 |
|
25 |
- |
|
26 | 25 |
/** |
27 |
- * @file header file |
|
26 |
+ * @file Control Channel SSL/Data channel negotiation module |
|
28 | 27 |
*/ |
29 | 28 |
|
30 |
- |
|
31 | 29 |
#ifndef OPENVPN_SSL_H |
32 | 30 |
#define OPENVPN_SSL_H |
33 | 31 |
|
... | ... |
@@ -51,6 +50,9 @@ |
51 | 51 |
#include "options.h" |
52 | 52 |
#include "plugin.h" |
53 | 53 |
|
54 |
+#include "ssl_common.h" |
|
55 |
+#include "ssl_verify.h" |
|
56 |
+#include "ssl_backend.h" |
|
54 | 57 |
|
55 | 58 |
/* Used in the TLS PRF function */ |
56 | 59 |
#define KEY_EXPANSION_ID "OpenVPN" |
... | ... |
@@ -231,6 +233,15 @@ struct cert_hash { |
231 | 231 |
struct cert_hash_set { |
232 | 232 |
struct cert_hash *ch[MAX_CERT_DEPTH]; |
233 | 233 |
}; |
234 |
+/* |
|
235 |
+ * Prepare the SSL library for use |
|
236 |
+ */ |
|
237 |
+void init_ssl_lib (void); |
|
238 |
+ |
|
239 |
+/* |
|
240 |
+ * Free any internal state that the SSL library might have |
|
241 |
+ */ |
|
242 |
+void free_ssl_lib (void); |
|
234 | 243 |
|
235 | 244 |
/** |
236 | 245 |
* Container for one half of random material to be used in %key method 2 |
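Review bot: The new init_ssl_lib/free_ssl_lib prototypes in the @@ -231 hunk are glued to the closing `};` of `struct cert_hash_set` with no blank line and carry plain `/* */` comments, while the surrounding API in this header is documented with Doxygen `/** */` (see the `Container for one half of random material` block right after them). I would insert a blank line after `};` and write `/** Prepare the SSL library for use: initialises the TLS backend, then the crypto library; pair with free_ssl_lib(). */` and `/** Release the state set up by init_ssl_lib() (crypto library first, then the TLS backend). */`. The backend-then-crypto order is what ssl.c's init_ssl_lib does in this commit; whether that order is required is not visible here, so the comment only records it.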
... | ... |
@@ -43,4 +43,25 @@ |
43 | 43 |
* Functions implemented in ssl.c for use by the backend SSL library |
44 | 44 |
* |
45 | 45 |
*/ |
46 |
+/* |
|
47 |
+ * |
|
48 |
+ * Functions used in ssl.c which must be implemented by the backend SSL library |
|
49 |
+ * |
|
50 |
+ */ |
|
51 |
+ |
|
52 |
+/** |
|
53 |
+ * Perform any static initialisation necessary by the library. |
|
54 |
+ * Called on OpenVPN initialisation |
|
55 |
+ */ |
|
56 |
+void tls_init_lib(); |
|
57 |
+ |
|
58 |
+/** |
|
59 |
+ * Free any global SSL library-specific data structures. |
|
60 |
+ */ |
|
61 |
+void tls_free_lib(); |
|
62 |
+/** |
|
63 |
+ * Clear the underlying SSL library's error state. |
|
64 |
+ */ |
|
65 |
+void tls_clear_error(); |
|
66 |
+ |
|
46 | 67 |
#endif /* SSL_BACKEND_H_ */ |
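Review bot: `void tls_init_lib();`, `void tls_free_lib();` and `void tls_clear_error();` are declared with empty parentheses, which in C11 is an old-style declaration with no prototype, so a backend that defines one of them with parameters, or a caller that passes arguments, gets no diagnostic; they should read `void tls_init_lib(void);`, `void tls_free_lib(void);` and `void tls_clear_error(void);`, with the definitions in the backend matching. The existing `Functions implemented in ssl.c for use by the backend SSL library` banner now has nothing under it before the new `Functions used in ssl.c which must be implemented by the backend SSL library` banner, which reads as if the three declarations belonged to the first group; a blank line between the two banners, or dropping the empty one, would remove the ambiguity. The `tls_free_lib` declaration also runs straight into the `/**` of tls_clear_error without the blank line the other entries have.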
... | ... |
@@ -42,3 +42,35 @@ |
42 | 42 |
#include <openssl/pkcs12.h> |
43 | 43 |
#include <openssl/x509.h> |
44 | 44 |
#include <openssl/crypto.h> |
45 |
+ |
|
46 |
+/* |
|
47 |
+ * Allocate space in SSL objects in which to store a struct tls_session |
|
48 |
+ * pointer back to parent. |
|
49 |
+ * |
|
50 |
+ */ |
|
51 |
+ |
|
52 |
+int mydata_index; /* GLOBAL */ |
|
53 |
+ |
|
54 |
+void |
|
55 |
+tls_init_lib() |
|
56 |
+{ |
|
57 |
+ SSL_library_init(); |
|
58 |
+ SSL_load_error_strings(); |
|
59 |
+ OpenSSL_add_all_algorithms (); |
|
60 |
+ |
|
61 |
+ mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); |
|
62 |
+ ASSERT (mydata_index >= 0); |
|
63 |
+} |
|
64 |
+ |
|
65 |
+void |
|
66 |
+tls_free_lib() |
|
67 |
+{ |
|
68 |
+ EVP_cleanup(); |
|
69 |
+ ERR_free_strings(); |
|
70 |
+} |
|
71 |
+ |
|
72 |
+void |
|
73 |
+tls_clear_error() |
|
74 |
+{ |
|
75 |
+ ERR_clear_error (); |
|
76 |
+} |
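Review bot: `int mydata_index;` is implicitly zero-initialised and 0 is a valid ex_data index, so any path that reaches SSL_set_ex_data/SSL_get_ex_data with `mydata_index` before tls_init_lib has run would silently use slot 0 rather than fail; declaring it as `int mydata_index = -1; /* allocated by tls_init_lib() */` should make a premature use return NULL (OpenSSL's ex_data accessors reject negative indices) and therefore visible. The `ASSERT (mydata_index >= 0)` presumes error.h is reached through includes above this hunk — only the OpenSSL headers are visible here — which is worth confirming since this is a newly populated translation unit. The three definitions also use empty `()`; `(void)` would give them a real prototype, and the `tls_free_lib` body should be kept in step with whatever cleanup the `#ifdef CRYPTO_MDEBUG` hooks dropped from ssl.c are meant to become.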
... | ... |
@@ -32,4 +32,12 @@ |
32 | 32 |
|
33 | 33 |
#include <openssl/ssl.h> |
34 | 34 |
|
35 |
+/** |
|
36 |
+ * Allocate space in SSL objects in which to store a struct tls_session |
|
37 |
+ * pointer back to parent. |
|
38 |
+ */ |
|
39 |
+extern int mydata_index; /* GLOBAL */ |
|
40 |
+ |
|
41 |
+void openssl_set_mydata_index (void); |
|
42 |
+ |
|
35 | 43 |
#endif /* SSL_OPENSSL_H_ */ |
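Review bot: `void openssl_set_mydata_index (void);` is declared here but no definition appears in the ssl_openssl.c hunk of this commit — the index allocation moved inline into tls_init_lib — so unless it is defined elsewhere this is a stale prototype that should be dropped rather than shipped as an unimplemented entry point. The comment above `extern int mydata_index` ("Allocate space in SSL objects in which to store…") describes an action rather than the variable it documents; `/** ex_data index under which each SSL object stores a pointer back to its struct tls_session; allocated once by tls_init_lib(). */` tells a reader what the value is and who sets it.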