Browse code
Refactored SSL initialisation functions
Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Signed-off-by: David Sommerseth <davids@redhat.com>
Adriaan de Jong authored on 2011/06/29 22:15:32Showing 5 changed files
| ... | ... |
@@ -6,6 +6,7 @@ |
| 6 | 6 |
* packet compression. |
| 7 | 7 |
* |
| 8 | 8 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
| 9 |
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
| 9 | 10 |
* |
| 10 | 11 |
* Additions for eurephia plugin done by: |
| 11 | 12 |
* David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2008-2009 |
| ... | ... |
@@ -26,6 +27,10 @@ |
| 26 | 26 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 27 | 27 |
*/ |
| 28 | 28 |
|
| 29 |
+/** |
|
| 30 |
+ * @file Control Channel SSL/Data channel negotiation Module |
|
| 31 |
+ */ |
|
| 32 |
+ |
|
| 29 | 33 |
/* |
| 30 | 34 |
* The routines in this file deal with dynamically negotiating |
| 31 | 35 |
* the data channel HMAC and cipher keys through a TLS session. |
| ... | ... |
@@ -38,7 +43,6 @@ |
| 38 | 38 |
|
| 39 | 39 |
#if defined(USE_CRYPTO) && defined(USE_SSL) |
| 40 | 40 |
|
| 41 |
-#include "ssl.h" |
|
| 42 | 41 |
#include "error.h" |
| 43 | 42 |
#include "common.h" |
| 44 | 43 |
#include "integer.h" |
| ... | ... |
@@ -54,6 +58,10 @@ |
| 54 | 54 |
#include "base64.h" |
| 55 | 55 |
#include "route.h" |
| 56 | 56 |
|
| 57 |
+#include "ssl.h" |
|
| 58 |
+#include "ssl_verify.h" |
|
| 59 |
+#include "ssl_backend.h" |
|
| 60 |
+ |
|
| 57 | 61 |
#ifdef WIN32 |
| 58 | 62 |
#include "cryptoapi.h" |
| 59 | 63 |
#endif |
| ... | ... |
@@ -204,55 +212,20 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame |
| 204 | 204 |
frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN); |
| 205 | 205 |
} |
| 206 | 206 |
|
| 207 |
-/* |
|
| 208 |
- * Allocate space in SSL objects |
|
| 209 |
- * in which to store a struct tls_session |
|
| 210 |
- * pointer back to parent. |
|
| 211 |
- */ |
|
| 212 |
- |
|
| 213 |
-static int mydata_index; /* GLOBAL */ |
|
| 214 |
- |
|
| 215 |
-static void |
|
| 216 |
-ssl_set_mydata_index () |
|
| 217 |
-{
|
|
| 218 |
- mydata_index = SSL_get_ex_new_index (0, "struct session *", NULL, NULL, NULL); |
|
| 219 |
- ASSERT (mydata_index >= 0); |
|
| 220 |
-} |
|
| 221 |
- |
|
| 222 | 207 |
void |
| 223 | 208 |
init_ssl_lib () |
| 224 | 209 |
{
|
| 225 |
- SSL_library_init (); |
|
| 226 |
- SSL_load_error_strings (); |
|
| 227 |
- OpenSSL_add_all_algorithms (); |
|
| 210 |
+ tls_init_lib (); |
|
| 228 | 211 |
|
| 229 |
- crypto_init_lib(); |
|
| 230 |
- |
|
| 231 |
- /* |
|
| 232 |
- * If you build the OpenSSL library and OpenVPN with |
|
| 233 |
- * CRYPTO_MDEBUG, you will get a listing of OpenSSL |
|
| 234 |
- * memory leaks on program termination. |
|
| 235 |
- */ |
|
| 236 |
-#ifdef CRYPTO_MDEBUG |
|
| 237 |
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); |
|
| 238 |
-#endif |
|
| 239 |
- |
|
| 240 |
- ssl_set_mydata_index (); |
|
| 212 |
+ crypto_init_lib (); |
|
| 241 | 213 |
} |
| 242 | 214 |
|
| 243 | 215 |
void |
| 244 | 216 |
free_ssl_lib () |
| 245 | 217 |
{
|
| 246 |
-#ifdef CRYPTO_MDEBUG |
|
| 247 |
- FILE* fp = fopen ("sdlog", "w");
|
|
| 248 |
- ASSERT (fp); |
|
| 249 |
- CRYPTO_mem_leaks_fp (fp); |
|
| 250 |
- fclose (fp); |
|
| 251 |
-#endif |
|
| 252 |
- |
|
| 253 | 218 |
crypto_uninit_lib (); |
| 254 |
- EVP_cleanup (); |
|
| 255 |
- ERR_free_strings (); |
|
| 219 |
+ |
|
| 220 |
+ tls_free_lib(); |
|
| 256 | 221 |
} |
| 257 | 222 |
|
| 258 | 223 |
/* |
| ... | ... |
@@ -5151,7 +5124,7 @@ tls_process (struct tls_multi *multi, |
| 5151 | 5151 |
} |
| 5152 | 5152 |
|
| 5153 | 5153 |
error: |
| 5154 |
- ERR_clear_error (); |
|
| 5154 |
+ tls_clear_error(); |
|
| 5155 | 5155 |
ks->state = S_ERROR; |
| 5156 | 5156 |
msg (D_TLS_ERRORS, "TLS Error: TLS handshake failed"); |
| 5157 | 5157 |
INCR_ERROR; |
| ... | ... |
@@ -5184,7 +5157,7 @@ tls_multi_process (struct tls_multi *multi, |
| 5184 | 5184 |
|
| 5185 | 5185 |
perf_push (PERF_TLS_MULTI_PROCESS); |
| 5186 | 5186 |
|
| 5187 |
- ERR_clear_error (); |
|
| 5187 |
+ tls_clear_error (); |
|
| 5188 | 5188 |
|
| 5189 | 5189 |
/* |
| 5190 | 5190 |
* Process each session object having state of S_INITIAL or greater, |
| ... | ... |
@@ -5791,7 +5764,7 @@ tls_pre_decrypt (struct tls_multi *multi, |
| 5791 | 5791 |
error: |
| 5792 | 5792 |
++multi->n_soft_errors; |
| 5793 | 5793 |
error_lite: |
| 5794 |
- ERR_clear_error (); |
|
| 5794 |
+ tls_clear_error(); |
|
| 5795 | 5795 |
goto done; |
| 5796 | 5796 |
} |
| 5797 | 5797 |
|
| ... | ... |
@@ -5902,7 +5875,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, |
| 5902 | 5902 |
return ret; |
| 5903 | 5903 |
|
| 5904 | 5904 |
error: |
| 5905 |
- ERR_clear_error (); |
|
| 5905 |
+ tls_clear_error(); |
|
| 5906 | 5906 |
gc_free (&gc); |
| 5907 | 5907 |
return ret; |
| 5908 | 5908 |
} |
| ... | ... |
@@ -5997,7 +5970,7 @@ tls_send_payload (struct tls_multi *multi, |
| 5997 | 5997 |
struct key_state *ks; |
| 5998 | 5998 |
bool ret = false; |
| 5999 | 5999 |
|
| 6000 |
- ERR_clear_error (); |
|
| 6000 |
+ tls_clear_error(); |
|
| 6001 | 6001 |
|
| 6002 | 6002 |
ASSERT (multi); |
| 6003 | 6003 |
|
| ... | ... |
@@ -6017,7 +5990,8 @@ tls_send_payload (struct tls_multi *multi, |
| 6017 | 6017 |
ret = true; |
| 6018 | 6018 |
} |
| 6019 | 6019 |
|
| 6020 |
- ERR_clear_error (); |
|
| 6020 |
+ |
|
| 6021 |
+ tls_clear_error(); |
|
| 6021 | 6022 |
|
| 6022 | 6023 |
return ret; |
| 6023 | 6024 |
} |
| ... | ... |
@@ -6030,7 +6004,7 @@ tls_rec_payload (struct tls_multi *multi, |
| 6030 | 6030 |
struct key_state *ks; |
| 6031 | 6031 |
bool ret = false; |
| 6032 | 6032 |
|
| 6033 |
- ERR_clear_error (); |
|
| 6033 |
+ tls_clear_error(); |
|
| 6034 | 6034 |
|
| 6035 | 6035 |
ASSERT (multi); |
| 6036 | 6036 |
|
| ... | ... |
@@ -6044,7 +6018,7 @@ tls_rec_payload (struct tls_multi *multi, |
| 6044 | 6044 |
ks->plaintext_read_buf.len = 0; |
| 6045 | 6045 |
} |
| 6046 | 6046 |
|
| 6047 |
- ERR_clear_error (); |
|
| 6047 |
+ tls_clear_error(); |
|
| 6048 | 6048 |
|
| 6049 | 6049 |
return ret; |
| 6050 | 6050 |
} |
| ... | ... |
@@ -6,6 +6,7 @@ |
| 6 | 6 |
* packet compression. |
| 7 | 7 |
* |
| 8 | 8 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
| 9 |
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
| 9 | 10 |
* |
| 10 | 11 |
* This program is free software; you can redistribute it and/or modify |
| 11 | 12 |
* it under the terms of the GNU General Public License version 2 |
| ... | ... |
@@ -22,12 +23,10 @@ |
| 22 | 22 |
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 23 | 23 |
*/ |
| 24 | 24 |
|
| 25 |
- |
|
| 26 | 25 |
/** |
| 27 |
- * @file header file |
|
| 26 |
+ * @file Control Channel SSL/Data channel negotiation module |
|
| 28 | 27 |
*/ |
| 29 | 28 |
|
| 30 |
- |
|
| 31 | 29 |
#ifndef OPENVPN_SSL_H |
| 32 | 30 |
#define OPENVPN_SSL_H |
| 33 | 31 |
|
| ... | ... |
@@ -51,6 +50,9 @@ |
| 51 | 51 |
#include "options.h" |
| 52 | 52 |
#include "plugin.h" |
| 53 | 53 |
|
| 54 |
+#include "ssl_common.h" |
|
| 55 |
+#include "ssl_verify.h" |
|
| 56 |
+#include "ssl_backend.h" |
|
| 54 | 57 |
|
| 55 | 58 |
/* Used in the TLS PRF function */ |
| 56 | 59 |
#define KEY_EXPANSION_ID "OpenVPN" |
| ... | ... |
@@ -231,6 +233,15 @@ struct cert_hash {
|
| 231 | 231 |
struct cert_hash_set {
|
| 232 | 232 |
struct cert_hash *ch[MAX_CERT_DEPTH]; |
| 233 | 233 |
}; |
| 234 |
+/* |
|
| 235 |
+ * Prepare the SSL library for use |
|
| 236 |
+ */ |
|
| 237 |
+void init_ssl_lib (void); |
|
| 238 |
+ |
|
| 239 |
+/* |
|
| 240 |
+ * Free any internal state that the SSL library might have |
|
| 241 |
+ */ |
|
| 242 |
+void free_ssl_lib (void); |
|
| 234 | 243 |
|
| 235 | 244 |
/** |
| 236 | 245 |
* Container for one half of random material to be used in %key method 2 |
| ... | ... |
@@ -43,4 +43,25 @@ |
| 43 | 43 |
* Functions implemented in ssl.c for use by the backend SSL library |
| 44 | 44 |
* |
| 45 | 45 |
*/ |
| 46 |
+/* |
|
| 47 |
+ * |
|
| 48 |
+ * Functions used in ssl.c which must be implemented by the backend SSL library |
|
| 49 |
+ * |
|
| 50 |
+ */ |
|
| 51 |
+ |
|
| 52 |
+/** |
|
| 53 |
+ * Perform any static initialisation necessary by the library. |
|
| 54 |
+ * Called on OpenVPN initialisation |
|
| 55 |
+ */ |
|
| 56 |
+void tls_init_lib(); |
|
| 57 |
+ |
|
| 58 |
+/** |
|
| 59 |
+ * Free any global SSL library-specific data structures. |
|
| 60 |
+ */ |
|
| 61 |
+void tls_free_lib(); |
|
| 62 |
+/** |
|
| 63 |
+ * Clear the underlying SSL library's error state. |
|
| 64 |
+ */ |
|
| 65 |
+void tls_clear_error(); |
|
| 66 |
+ |
|
| 46 | 67 |
#endif /* SSL_BACKEND_H_ */ |
| ... | ... |
@@ -42,3 +42,35 @@ |
| 42 | 42 |
#include <openssl/pkcs12.h> |
| 43 | 43 |
#include <openssl/x509.h> |
| 44 | 44 |
#include <openssl/crypto.h> |
| 45 |
+ |
|
| 46 |
+/* |
|
| 47 |
+ * Allocate space in SSL objects in which to store a struct tls_session |
|
| 48 |
+ * pointer back to parent. |
|
| 49 |
+ * |
|
| 50 |
+ */ |
|
| 51 |
+ |
|
| 52 |
+int mydata_index; /* GLOBAL */ |
|
| 53 |
+ |
|
| 54 |
+void |
|
| 55 |
+tls_init_lib() |
|
| 56 |
+{
|
|
| 57 |
+ SSL_library_init(); |
|
| 58 |
+ SSL_load_error_strings(); |
|
| 59 |
+ OpenSSL_add_all_algorithms (); |
|
| 60 |
+ |
|
| 61 |
+ mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL); |
|
| 62 |
+ ASSERT (mydata_index >= 0); |
|
| 63 |
+} |
|
| 64 |
+ |
|
| 65 |
+void |
|
| 66 |
+tls_free_lib() |
|
| 67 |
+{
|
|
| 68 |
+ EVP_cleanup(); |
|
| 69 |
+ ERR_free_strings(); |
|
| 70 |
+} |
|
| 71 |
+ |
|
| 72 |
+void |
|
| 73 |
+tls_clear_error() |
|
| 74 |
+{
|
|
| 75 |
+ ERR_clear_error (); |
|
| 76 |
+} |
| ... | ... |
@@ -32,4 +32,12 @@ |
| 32 | 32 |
|
| 33 | 33 |
#include <openssl/ssl.h> |
| 34 | 34 |
|
| 35 |
+/** |
|
| 36 |
+ * Allocate space in SSL objects in which to store a struct tls_session |
|
| 37 |
+ * pointer back to parent. |
|
| 38 |
+ */ |
|
| 39 |
+extern int mydata_index; /* GLOBAL */ |
|
| 40 |
+ |
|
| 41 |
+void openssl_set_mydata_index (void); |
|
| 42 |
+ |
|
| 35 | 43 |
#endif /* SSL_OPENSSL_H_ */ |