diff options
| author | Arne Schwabe <arne@rfc2549.org> | 2013-04-01 01:30:35 +0200 | 
|---|---|---|
| committer | Arne Schwabe <arne@rfc2549.org> | 2013-04-01 01:30:35 +0200 | 
| commit | 27ab1f2c4615cb395d6870cff21288e9e0e5a2c2 (patch) | |
| tree | a403b76320d4c6811eb4444826c91a21820d498f | |
| parent | d081ec36043019d152eab4970bf3f22b923e8b55 (diff) | |
Update OpenVPN to 2.3.1
24 files changed, 473 insertions, 123 deletions
| diff --git a/openvpn/config.h b/openvpn/config.h index 8e738f37..c525e37f 100644 --- a/openvpn/config.h +++ b/openvpn/config.h @@ -450,7 +450,7 @@  #define PACKAGE_NAME "OpenVPN"  /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "OpenVPN 2.3.0+dspatch3" +#define PACKAGE_STRING "OpenVPN 2.3.1+dspatch3"  /* Define to the one symbol short name of this package. */  #define PACKAGE_TARNAME "openvpn" @@ -559,7 +559,7 @@  /* #undef USE_VALGRIND */  /* Version number of package */ -#define VERSION "2.1.4" +#define VERSION "2.3.1"  /* Enable GNU extensions on systems that have them.  */  #ifndef _GNU_SOURCE diff --git a/openvpn/configure.ac b/openvpn/configure.ac index ddd322c1..7b35e504 100644 --- a/openvpn/configure.ac +++ b/openvpn/configure.ac @@ -726,6 +726,13 @@ case "${with_mem_check}" in  esac  PKG_CHECK_MODULES( +	[PKCS11_HELPER], +	[libpkcs11-helper-1 >= 1.02], +	[have_pkcs11_helper="yes"], +	[] +) + +PKG_CHECK_MODULES(  	[OPENSSL_CRYPTO],  	[libcrypto >= 0.9.6],  	[have_openssl_crypto="yes"], @@ -789,9 +796,11 @@ if test -z "${POLARSSL_LIBS}"; then  				[polarssl],  				[aes_crypt_cbc],  				, -				[have_polarssl_crypto="no"] +				[have_polarssl_crypto="no"], +				[${PKCS11_HELPER_LIBS}]  			) -		] +		], +		[${PKCS11_HELPER_LIBS}]  	)  fi @@ -805,15 +814,45 @@ if test "${with_crypto_library}" = "polarssl" ; then  #include <polarssl/version.h>  			]],  			[[ -#if POLARSSL_VERSION_NUMBER < 0x01010000 +#if POLARSSL_VERSION_NUMBER < 0x01020500  #error invalid version  #endif  			]]  		)],  		[AC_MSG_RESULT([ok])], -		[AC_MSG_ERROR([invalid polarssl version])] +		[AC_MSG_ERROR([PolarSSL 1.2.5 or newer required])]  	) + +	polarssl_with_pkcs11="no" +	AC_COMPILE_IFELSE( +		[AC_LANG_PROGRAM( +			[[ +#include <polarssl/config.h> +			]], +			[[ +#ifndef POLARSSL_PKCS11_C +#error pkcs11 wrapper missing +#endif +			]] +		)], +		polarssl_with_pkcs11="yes")  	CFLAGS="${old_CFLAGS}" + +	AC_MSG_CHECKING([polarssl pkcs11 support]) +	if test "${enable_pkcs11}" = "yes"; then +		if test "${polarssl_with_pkcs11}" = "yes"; then +			AC_MSG_RESULT([ok]) +		else +			AC_MSG_ERROR([polarssl has no pkcs11 wrapper compiled in]) +		fi +	else +		if test "${polarssl_with_pkcs11}" != "yes"; then +			AC_MSG_RESULT([ok]) +		else +			AC_MSG_ERROR([PolarSSL compiled with PKCS11, while OpenVPN is not]) +		fi +	fi +  fi  AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo]) @@ -856,13 +895,6 @@ if test "${have_lzo}" = "yes"; then  	CFLAGS="${saved_CFLAGS}"  fi -PKG_CHECK_MODULES( -	[PKCS11_HELPER], -	[libpkcs11-helper-1 >= 1.02], -	[have_pkcs11_helper="yes"], -	[] -) -  AC_MSG_CHECKING([git checkout])  GIT_CHECKOUT="no"  if test -n "${GIT}" -a -d "${srcdir}/.git"; then diff --git a/openvpn/src/openvpn/buffer.h b/openvpn/src/openvpn/buffer.h index 5e11de05..93efb096 100644 --- a/openvpn/src/openvpn/buffer.h +++ b/openvpn/src/openvpn/buffer.h @@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)      }  } +/** + * Compare src buffer contents with match. + * *NOT* constant time. Do not use when comparing HMACs. + */  static inline bool  buf_string_match (const struct buffer *src, const void *match, int size)  { @@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)    return memcmp (BPTR (src), match, size) == 0;  } +/** + * Compare first size bytes of src buffer contents with match. + * *NOT* constant time. Do not use when comparing HMACs. + */  static inline bool  buf_string_match_head (const struct buffer *src, const void *match, int size)  { @@ -689,16 +697,6 @@ bool buf_string_compare_advance (struct buffer *src, const char *match);  int buf_substring_len (const struct buffer *buf, int delim);  /* - * Bitwise operations - */ -static inline void -xor (uint8_t *dest, const uint8_t *src, int len) -{ -  while (len-- > 0) -    *dest++ ^= *src++; -} - -/*   * Print a string which might be NULL   */  const char *np (const char *str); diff --git a/openvpn/src/openvpn/crypto.c b/openvpn/src/openvpn/crypto.c index ac2eecdd..d9adf5b5 100644 --- a/openvpn/src/openvpn/crypto.c +++ b/openvpn/src/openvpn/crypto.c @@ -65,6 +65,24 @@  #define CRYPT_ERROR(format) \    do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) +/** + * As memcmp(), but constant-time. + * Returns 0 when data is equal, non-zero otherwise. + */ +static int +memcmp_constant_time (const void *a, const void *b, size_t size) { +  const uint8_t * a1 = a; +  const uint8_t * b1 = b; +  int ret = 0; +  size_t i; + +  for (i = 0; i < size; i++) { +      ret |= *a1++ ^ *b1++; +  } + +  return ret; +} +  void  openvpn_encrypt (struct buffer *buf, struct buffer work,  		 const struct crypto_options *opt, @@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,  	  hmac_ctx_final (ctx->hmac, local_hmac);  	  /* Compare locally computed HMAC with packet HMAC */ -	  if (memcmp (local_hmac, BPTR (buf), hmac_len)) +	  if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))  	    CRYPT_ERROR ("packet HMAC authentication failed");  	  ASSERT (buf_advance (buf, hmac_len)); @@ -401,7 +419,7 @@ init_key_type (struct key_type *kt, const char *ciphername,    CLEAR (*kt);    if (ciphername && ciphername_defined)      { -      kt->cipher = cipher_kt_get (ciphername); +      kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername));        kt->cipher_length = cipher_kt_key_size (kt->cipher);        if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH)  	kt->cipher_length = keysize; diff --git a/openvpn/src/openvpn/crypto_backend.h b/openvpn/src/openvpn/crypto_backend.h index 1eac6115..5ae47e6c 100644 --- a/openvpn/src/openvpn/crypto_backend.h +++ b/openvpn/src/openvpn/crypto_backend.h @@ -63,6 +63,18 @@ void crypto_init_lib_engine (const char *engine_name);  void crypto_init_dmalloc (void);  #endif /* DMALLOC */ +/** + * Translate a data channel cipher name from the OpenVPN config file + * 'language' to the crypto library specific name. + */ +const char * translate_cipher_name_from_openvpn (const char *cipher_name); + +/** + * Translate a data channel cipher name from the crypto library specific name + * to the OpenVPN config file 'language'. + */ +const char * translate_cipher_name_from_openvpn (const char *cipher_name); +  void show_available_ciphers (void);  void show_available_digests (void); diff --git a/openvpn/src/openvpn/crypto_openssl.c b/openvpn/src/openvpn/crypto_openssl.c index 53425029..21d1762d 100644 --- a/openvpn/src/openvpn/crypto_openssl.c +++ b/openvpn/src/openvpn/crypto_openssl.c @@ -281,6 +281,18 @@ crypto_init_dmalloc (void)  }  #endif /* DMALLOC */ +const char * +translate_cipher_name_from_openvpn (const char *cipher_name) { +  // OpenSSL doesn't require any translation +  return cipher_name; +} + +const char * +translate_cipher_name_to_openvpn (const char *cipher_name) { +  // OpenSSL doesn't require any translation +  return cipher_name; +} +  void  show_available_ciphers ()  { diff --git a/openvpn/src/openvpn/crypto_polarssl.c b/openvpn/src/openvpn/crypto_polarssl.c index 3978a3c6..1f27d6ca 100644 --- a/openvpn/src/openvpn/crypto_polarssl.c +++ b/openvpn/src/openvpn/crypto_polarssl.c @@ -94,6 +94,53 @@ crypto_init_dmalloc (void)  }  #endif /* DMALLOC */ +typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair; +cipher_name_pair cipher_name_translation_table[] = { +    { "BF-CBC", "BLOWFISH-CBC" }, +    { "BF-CFB", "BLOWFISH-CFB64" }, +    { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" }, +    { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" }, +    { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" } +}; + +const cipher_name_pair * +get_cipher_name_pair(const char *cipher_name) { +  cipher_name_pair *pair; +  size_t i = 0; + +  /* Search for a cipher name translation */ +  for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++) +    { +      pair = &cipher_name_translation_table[i]; +      if (0 == strcmp (cipher_name, pair->openvpn_name) || +	  0 == strcmp (cipher_name, pair->polarssl_name)) +	  return pair; +    } + +  /* Nothing found, return null */ +  return NULL; +} + +const char * +translate_cipher_name_from_openvpn (const char *cipher_name) { +  const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); + +  if (NULL == pair) +    return cipher_name; + +  return pair->polarssl_name; +} + +const char * +translate_cipher_name_to_openvpn (const char *cipher_name) { +  const cipher_name_pair *pair = get_cipher_name_pair(cipher_name); + +  if (NULL == pair) +    return cipher_name; + +  return pair->openvpn_name; +} +  void  show_available_ciphers ()  { @@ -114,7 +161,7 @@ show_available_ciphers ()        if (info && info->mode == POLARSSL_MODE_CBC)  	printf ("%s %d bit default key\n", -		info->name, info->key_length); +		cipher_kt_name(info), cipher_kt_key_size(info) * 8);        ciphers++;      } @@ -331,7 +378,8 @@ cipher_kt_name (const cipher_info_t *cipher_kt)  {    if (NULL == cipher_kt)      return "[null-cipher]"; -  return cipher_kt->name; + +  return translate_cipher_name_to_openvpn(cipher_kt->name);  }  int @@ -339,6 +387,9 @@ cipher_kt_key_size (const cipher_info_t *cipher_kt)  {    if (NULL == cipher_kt)      return 0; +  if (POLARSSL_CIPHER_ID_BLOWFISH == cipher_kt->base->cipher) +    return 128/8; /* Override PolarSSL 32 bit default key size with sane 128 bit default */ +    return cipher_kt->key_length/8;  } diff --git a/openvpn/src/openvpn/crypto_polarssl.h b/openvpn/src/openvpn/crypto_polarssl.h index bfabb91b..b6da4363 100644 --- a/openvpn/src/openvpn/crypto_polarssl.h +++ b/openvpn/src/openvpn/crypto_polarssl.h @@ -30,7 +30,6 @@  #ifndef CRYPTO_POLARSSL_H_  #define CRYPTO_POLARSSL_H_ -#include <polarssl/version.h>  #include <polarssl/cipher.h>  #include <polarssl/md.h>  #include <polarssl/ctr_drbg.h> @@ -60,7 +59,7 @@ typedef md_context_t hmac_ctx_t;  #define OPENVPN_MODE_OFB 	POLARSSL_MODE_OFB  /** Cipher is in CFB mode */ -#define OPENVPN_MODE_CFB 	POLARSSL_MODE_CFB128 +#define OPENVPN_MODE_CFB 	POLARSSL_MODE_CFB  /** Cipher should encrypt */  #define OPENVPN_OP_ENCRYPT 	POLARSSL_ENCRYPT diff --git a/openvpn/src/openvpn/mbuf.h b/openvpn/src/openvpn/mbuf.h index a0de679d..1085adc7 100644 --- a/openvpn/src/openvpn/mbuf.h +++ b/openvpn/src/openvpn/mbuf.h @@ -83,7 +83,7 @@ mbuf_defined (const struct mbuf_set *ms)    return ms && ms->len;  } -static inline bool +static inline unsigned int  mbuf_len (const struct mbuf_set *ms)  {    return ms->len; diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c index 8f0112ad..db1cb33a 100644 --- a/openvpn/src/openvpn/options.c +++ b/openvpn/src/openvpn/options.c @@ -882,7 +882,7 @@ uninit_options (struct options *o)      }  } -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  #define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, "  " #name " = " format, (value))  #define SHOW_STR(var)       SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'") @@ -1082,7 +1082,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren  #ifdef WIN32 -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  static void  show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len) @@ -1156,7 +1156,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,  #if P2MP -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  static void  show_p2mp_parms (const struct options *o) @@ -1228,7 +1228,7 @@ show_p2mp_parms (const struct options *o)    gc_free (&gc);  } -#endif /* ENABLE_DEBUG */ +#endif /* ! ENABLE_SMALL */  #if P2MP_SERVER @@ -1282,7 +1282,7 @@ option_iroute_ipv6 (struct options *o,  #endif /* P2MP_SERVER */  #endif /* P2MP */ -#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG) +#if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL)  static void  show_http_proxy_options (const struct http_proxy_options *o)  { @@ -1335,7 +1335,7 @@ cnol_check_alloc (struct options *options)  }  #endif -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  static void  show_connection_entry (const struct connection_entry *o)  { @@ -1402,7 +1402,7 @@ show_connection_entries (const struct options *o)  void  show_settings (const struct options *o)  { -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL    msg (D_SHOW_PARMS, "Current Parameter Settings:");    SHOW_STR (config); @@ -4625,6 +4625,12 @@ add_option (struct options *options,      {        VERIFY_PERMISSION (OPT_P_MESSAGES);        options->verbosity = positive_atoi (p[1]); +#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL) +      /* Warn when a debug verbosity is supplied when built without debug support */ +      if (options->verbosity >= 7) +        msg (M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.", +	    options->verbosity); +#endif      }    else if (streq (p[0], "mute") && p[1])      { @@ -5405,9 +5411,9 @@ add_option (struct options *options,  	  msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");  	  goto err;  	} -      if ( netbits != 64 ) +      if ( netbits < 64 || netbits > 112 )  	{ -	  msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits ); +	  msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );  	  goto err;  	} diff --git a/openvpn/src/openvpn/plugin.c b/openvpn/src/openvpn/plugin.c index 83f79e4f..c96c121f 100644 --- a/openvpn/src/openvpn/plugin.c +++ b/openvpn/src/openvpn/plugin.c @@ -155,7 +155,7 @@ plugin_option_list_add (struct plugin_option_list *list, char **p, struct gc_are      return false;  } -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  void  plugin_option_list_print (const struct plugin_option_list *list, int msglevel)  { diff --git a/openvpn/src/openvpn/plugin.h b/openvpn/src/openvpn/plugin.h index 4ba150d6..2f8416b1 100644 --- a/openvpn/src/openvpn/plugin.h +++ b/openvpn/src/openvpn/plugin.h @@ -108,7 +108,7 @@ struct plugin_return  struct plugin_option_list *plugin_option_list_new (struct gc_arena *gc);  bool plugin_option_list_add (struct plugin_option_list *list, char **p, struct gc_arena *gc); -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  void plugin_option_list_print (const struct plugin_option_list *list, int msglevel);  #endif diff --git a/openvpn/src/openvpn/route.c b/openvpn/src/openvpn/route.c index 8a778884..03574b9e 100644 --- a/openvpn/src/openvpn/route.c +++ b/openvpn/src/openvpn/route.c @@ -1089,7 +1089,7 @@ delete_routes (struct route_list *rl, struct route_ipv6_list *rl6,      }  } -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  static const char *  show_opt (const char *option) @@ -1408,17 +1408,20 @@ add_route (struct route *r,    argv_printf (&argv, "%s add",  		ROUTE_PATH); -#if 0 -  if (r->flags & RT_METRIC_DEFINED) -    argv_printf_cat (&argv, "-rtt %d", r->metric); -#endif -    argv_printf_cat (&argv, "%s -netmask %s %s",  	      network,  	      netmask,  	      gateway); -  /* FIXME -- add on-link support for Solaris */ +  /* Solaris can only distinguish between "metric 0" == "on-link on the +   * interface where the IP address given is configured" and "metric > 0" +   * == "use gateway specified" (no finer-grained route metrics available) +   * +   * More recent versions of Solaris can also do "-interface", but that +   * would break backwards compatibility with older versions for no gain. +   */ +  if (r->flags & RT_METRIC_DEFINED ) +    argv_printf_cat (&argv, "%d", r->metric);    argv_msg (D_ROUTE, &argv);    status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed"); diff --git a/openvpn/src/openvpn/route.h b/openvpn/src/openvpn/route.h index e63db595..a40de32f 100644 --- a/openvpn/src/openvpn/route.h +++ b/openvpn/src/openvpn/route.h @@ -290,7 +290,7 @@ void print_default_gateway(const int msglevel, const struct route_gateway_info *  #define TLA_LOCAL           2  int test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi); -#ifdef ENABLE_DEBUG +#ifndef ENABLE_SMALL  void print_route_options (const struct route_option_list *rol,  			  int level);  #endif diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c index 9f570b9d..b3673864 100644 --- a/openvpn/src/openvpn/ssl.c +++ b/openvpn/src/openvpn/ssl.c @@ -113,6 +113,153 @@ show_tls_performance_stats(void)  #endif +/** + * SSL/TLS Cipher suite name translation table + */ +static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { +    {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"}, +    {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"}, +    {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"}, +    {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"}, +    {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"}, +    {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"}, +    {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"}, +    {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"}, +    {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"}, +    {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"}, +    {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"}, +    {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"}, +    {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"}, +    {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"}, +    {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"}, +    {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"}, +    {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"}, +    {"DHE-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, +    {"DHE-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, +    {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"}, +    {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"}, +    {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"}, +    {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}, +    {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}, +    {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"}, +    {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}, +    {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"DHE-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"DHE-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, +    {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, +    {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, +    {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, +    {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"}, +    {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"}, +    {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"}, +    {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"}, +    {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"}, +    {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"}, +    {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"}, +    {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"}, +    {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"}, +    {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"}, +    {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"}, +    {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"}, +    {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"}, +    {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"}, +    {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"}, +    {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"}, +    {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"}, +    {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, +    {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, +    {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, +    {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"}, +    {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"}, +    {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"}, +    {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"}, +    {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"}, +    {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"}, +    {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"}, +    {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"}, +    {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, +    {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, +    {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"}, +    {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"}, +    {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"}, +    {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"}, +    {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"}, +    {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"}, +    {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"}, +    {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"}, +    {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, +    {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"}, +    {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, +    {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"}, +    {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"}, +    {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"}, +    {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, +    {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, +    {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, +    {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"}, +    {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"}, +    {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"}, +    {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"}, +    {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"}, +    {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"}, +    {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"}, +    {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"}, +    {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"}, +    {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"}, +    {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"}, +    {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"}, +    {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"}, +    {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"}, +    {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"}, +    {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"}, +    {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"}, +    {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"}, +    {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"}, +    {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, +    {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"}, +    {NULL, NULL} +}; + +const tls_cipher_name_pair * +tls_get_cipher_name_pair (const char * cipher_name, size_t len) { +  const tls_cipher_name_pair * pair = tls_cipher_name_translation_table; + +  while (pair->openssl_name != NULL) { +      if ((strlen(pair->openssl_name) == len && 0 == memcmp (cipher_name, pair->openssl_name, len)) || +	  (strlen(pair->iana_name) == len && 0 == memcmp (cipher_name, pair->iana_name, len))) { +	  return pair; +      } +      pair++; +  } + +  // No entry found, return NULL +  return NULL; +}  /*   * Max number of bytes we will add diff --git a/openvpn/src/openvpn/ssl_backend.h b/openvpn/src/openvpn/ssl_backend.h index 203a4d26..f61580cf 100644 --- a/openvpn/src/openvpn/ssl_backend.h +++ b/openvpn/src/openvpn/ssl_backend.h @@ -43,6 +43,15 @@  #endif +/** + * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name + * + * @param cipher_name	Can be either OpenSSL or IANA cipher name + * @return		tls_cipher_name_pair* if found, NULL otherwise + */ +typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair; +const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, size_t len); +  /*   *   * Functions implemented in ssl.c for use by the backend SSL library diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c index a727b605..1006617c 100644 --- a/openvpn/src/openvpn/ssl_openssl.c +++ b/openvpn/src/openvpn/ssl_openssl.c @@ -202,10 +202,69 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)  void  tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)  { +  size_t begin_of_cipher, end_of_cipher; + +  const char *current_cipher; +  size_t current_cipher_len; + +  const tls_cipher_name_pair *cipher_pair; + +  const size_t openssl_ciphers_size = 4096; +  char openssl_ciphers[openssl_ciphers_size]; +  size_t openssl_ciphers_len = 0; +  openssl_ciphers[0] = '\0'; +    ASSERT(NULL != ctx); -  if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers)) -    msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers); +  // Translate IANA cipher suite names to OpenSSL names +  for (begin_of_cipher = 0; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher+1) { +      end_of_cipher = strcspn(&ciphers[begin_of_cipher], ":"); +      cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher); + +      if (NULL == cipher_pair) +        { +          // No translation found, use original +          current_cipher = &ciphers[begin_of_cipher]; +          current_cipher_len = end_of_cipher - begin_of_cipher; + +          // Issue warning on missing translation +          // %.*s format specifier expects length of type int, so guarantee +          // that length is small enough and cast to int. +          msg (M_WARN, "No valid translation found for TLS cipher '%.*s'", +              (int) MIN(current_cipher_len, 256), current_cipher); +        } +      else +	{ +	  // Use OpenSSL name +          current_cipher = cipher_pair->openssl_name; +          current_cipher_len = strlen(current_cipher); + +	  if (end_of_cipher - begin_of_cipher == current_cipher_len && +	      0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher)) +	    { +	      // Non-IANA name used, show warning +	      msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name); +	    } +	} + +      // Make sure new cipher name fits in cipher string +      if (((openssl_ciphers_size-1) - openssl_ciphers_len) < current_cipher_len) { +	msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%zu).", openssl_ciphers_size-1); +      } + +      // Concatenate cipher name to OpenSSL cipher string +      memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len); +      openssl_ciphers_len += current_cipher_len; +      openssl_ciphers[openssl_ciphers_len] = ':'; +      openssl_ciphers_len++; +  } + +  if (openssl_ciphers_len > 0) +    openssl_ciphers[openssl_ciphers_len-1] = '\0'; + +  // Set OpenSSL cipher list +  if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers)) +    msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);  }  void @@ -1131,6 +1190,8 @@ show_available_tls_ciphers ()    SSL_CTX *ctx;    SSL *ssl;    const char *cipher_name; +  const char *print_name; +  const tls_cipher_name_pair *pair;    int priority = 0;    ctx = SSL_CTX_new (TLSv1_method ()); @@ -1144,7 +1205,17 @@ show_available_tls_ciphers ()    printf ("Available TLS Ciphers,\n");    printf ("listed in order of preference:\n\n");    while ((cipher_name = SSL_get_cipher_list (ssl, priority++))) -    printf ("%s\n", cipher_name); +    { +      pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name)); + +      if (NULL == pair) { +          // No translation found, print warning +	  printf ("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name); +      } else { +	  printf ("%s\n", pair->iana_name); +      } + +    }    printf ("\n");    SSL_free (ssl); diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c index 12318b33..2b5b37ba 100644 --- a/openvpn/src/openvpn/ssl_polarssl.c +++ b/openvpn/src/openvpn/ssl_polarssl.c @@ -65,23 +65,6 @@ tls_clear_error()  {  } -static int default_ciphersuites[] = -{ -    SSL_EDH_RSA_AES_256_SHA, -    SSL_EDH_RSA_CAMELLIA_256_SHA, -    SSL_EDH_RSA_AES_128_SHA, -    SSL_EDH_RSA_CAMELLIA_128_SHA, -    SSL_EDH_RSA_DES_168_SHA, -    SSL_RSA_AES_256_SHA, -    SSL_RSA_CAMELLIA_256_SHA, -    SSL_RSA_AES_128_SHA, -    SSL_RSA_CAMELLIA_128_SHA, -    SSL_RSA_DES_168_SHA, -    SSL_RSA_RC4_128_SHA, -    SSL_RSA_RC4_128_MD5, -    0 -}; -  void  tls_ctx_server_new(struct tls_root_ctx *ctx)  { @@ -161,6 +144,25 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)  {  } +static const char * +tls_translate_cipher_name (const char * cipher_name) { +  const tls_cipher_name_pair * pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name)); + +  if (NULL == pair) +    { +      // No translation found, return original +      return cipher_name; +    } + +  if (0 != strcmp(cipher_name, pair->iana_name)) +    { +      // Deprecated name found, notify user +      msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name); +    } + +  return pair->iana_name; +} +  void  tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)  { @@ -186,7 +188,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)    token = strtok (tmp_ciphers, ":");    while(token)      { -      ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id (token); +      ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id ( +	  tls_translate_cipher_name (token));        if (0 != ctx->allowed_ciphers[i])  	i++;        token = strtok (NULL, ":"); @@ -514,20 +517,17 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,        ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get()); -      ALLOC_OBJ_CLEAR (ks_ssl->ssn, ssl_session); -      ssl_set_session (ks_ssl->ctx, 0, 0, ks_ssl->ssn );        if (ssl_ctx->allowed_ciphers)  	ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers); -      else -	ssl_set_ciphersuites (ks_ssl->ctx, default_ciphersuites);        /* Initialise authentication information */        if (is_server)  	ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );  #if defined(ENABLE_PKCS11)        if (ssl_ctx->priv_key_pkcs11 != NULL) -	ssl_set_own_cert_pkcs11( ks_ssl->ctx, ssl_ctx->crt_chain, -	    ssl_ctx->priv_key_pkcs11 ); +	ssl_set_own_cert_alt( ks_ssl->ctx, ssl_ctx->crt_chain, +	    ssl_ctx->priv_key_pkcs11, ssl_pkcs11_decrypt, ssl_pkcs11_sign, +	    ssl_pkcs11_key_len );        else  #endif  	ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key ); @@ -543,7 +543,6 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,        ALLOC_OBJ_CLEAR (ks_ssl->ct_out, endless_buffer);        ssl_set_bio (ks_ssl->ctx, endless_buf_read, ks_ssl->ct_in,  	  endless_buf_write, ks_ssl->ct_out); -      }  } @@ -556,8 +555,6 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl)  	  ssl_free(ks_ssl->ctx);  	  free(ks_ssl->ctx);  	} -      if (ks_ssl->ssn) -	free(ks_ssl->ssn);        if (ks_ssl->ct_in) {  	buf_free_entries(ks_ssl->ct_in);  	free(ks_ssl->ct_in); @@ -666,6 +663,7 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf,  {    int retval = 0;    int len = 0; +  char error_message[1024];    perf_push (PERF_BIO_READ_CIPHERTEXT); @@ -691,7 +689,8 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf,        perf_pop ();        if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)  	return 0; -      msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error"); +      error_strerror(retval, error_message, sizeof(error_message)); +      msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_ciphertext error: %d %s", retval, error_message);        buf->len = 0;        return -1;      } @@ -763,6 +762,7 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,  {    int retval = 0;    int len = 0; +  char error_message[1024];    perf_push (PERF_BIO_READ_PLAINTEXT); @@ -787,7 +787,8 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,      {        if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)  	return 0; -      msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error"); +      error_strerror(retval, error_message, sizeof(error_message)); +      msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error: %d %s", retval, error_message);        buf->len = 0;        perf_pop ();        return -1; @@ -818,7 +819,7 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,  void  print_details (struct key_state_ssl * ks_ssl, const char *prefix)  { -  x509_cert *cert; +  const x509_cert *cert;    char s1[256];    char s2[256]; @@ -828,7 +829,7 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)  		    ssl_get_version (ks_ssl->ctx),  		    ssl_get_ciphersuite(ks_ssl->ctx)); -  cert = ks_ssl->ctx->peer_cert; +  cert = ssl_get_peer_cert(ks_ssl->ctx);    if (cert != NULL)      {        openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8); diff --git a/openvpn/src/openvpn/ssl_polarssl.h b/openvpn/src/openvpn/ssl_polarssl.h index 456573f5..da936998 100644 --- a/openvpn/src/openvpn/ssl_polarssl.h +++ b/openvpn/src/openvpn/ssl_polarssl.h @@ -73,7 +73,6 @@ struct tls_root_ctx {  struct key_state_ssl {          ssl_context *ctx; -        ssl_session *ssn;          endless_buffer *ct_in;          endless_buffer *ct_out;  }; diff --git a/openvpn/src/openvpn/ssl_verify_polarssl.c b/openvpn/src/openvpn/ssl_verify_polarssl.c index a32db8df..5db4f027 100644 --- a/openvpn/src/openvpn/ssl_verify_polarssl.c +++ b/openvpn/src/openvpn/ssl_verify_polarssl.c @@ -44,11 +44,10 @@  int  verify_callback (void *session_obj, x509_cert *cert, int cert_depth, -    int preverify_ok) +    int *flags)  {    struct tls_session *session = (struct tls_session *) session_obj;    struct gc_arena gc = gc_new(); -  int ret = 1;    ASSERT (cert);    ASSERT (session); @@ -59,31 +58,29 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,    cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));    /* did peer present cert which was signed by our root cert? */ -  if (!preverify_ok) +  if (*flags != 0)      {        char *subject = x509_get_subject(cert, &gc);        if (subject) -	msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, %s", cert_depth, subject); +	msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject);        else -	msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " -	      "subject string from certificate", cert_depth); +	msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 " +	      "subject string from certificate", *flags, cert_depth); -      goto cleanup; +      /* Leave flags set to non-zero to indicate that the cert is not ok */ +    } +  else if (SUCCESS != verify_cert(session, cert, cert_depth)) +    { +      *flags |= BADCERT_OTHER;      } -  if (SUCCESS != verify_cert(session, cert, cert_depth)) -    goto cleanup; - -  ret = 0; - -cleanup:    gc_free(&gc);    /* -   * PolarSSL expects 1 on failure, 0 on success +   * PolarSSL-1.2.0+ expects 0 on anything except fatal errors.     */ -  return ret; +  return 0;  }  #ifdef ENABLE_X509ALTUSERNAME diff --git a/openvpn/src/openvpn/ssl_verify_polarssl.h b/openvpn/src/openvpn/ssl_verify_polarssl.h index fceee667..b259081f 100644 --- a/openvpn/src/openvpn/ssl_verify_polarssl.h +++ b/openvpn/src/openvpn/ssl_verify_polarssl.h @@ -55,27 +55,25 @@ typedef x509_cert openvpn_x509_cert_t;   * calls the PolarSSL library's \c ssl_set_verify_callback() function with \c   * verify_callback() as its callback argument.   * - * It checks preverify_ok, and registers the certificate hash. If these steps - * succeed, it calls the \c verify_cert() function, which performs - * OpenVPN-specific verification. + * It checks *flags and registers the certificate hash. If these steps succeed, + * it calls the \c verify_cert() function, which performs OpenVPN-specific + * verification.   *   * @param session_obj  - The OpenVPN \c tls_session associated with this object,   *                       as set during SSL session setup.   * @param cert         - The certificate used by PolarSSL.   * @param cert_depth   - The depth of the current certificate in the chain, with   *                       0 being the actual certificate. - * @param preverify_ok - Whether the remote OpenVPN peer's certificate - *                       past verification.  A value of 1 means it - *                       verified successfully, 0 means it failed. + * @param flags        - Whether the remote OpenVPN peer's certificate + *                       passed verification.  A value of 0 means it + *                       verified successfully, any other value means it + *                       failed. \c verify_callback() is considered to have + *                       ok'ed this certificate if flags is 0 when it returns.   * - * @return The return value indicates whether the supplied certificate is - *     allowed to set up a VPN tunnel.  The following values can be - *     returned: - *      - \c 0: failure, this certificate is not allowed to connect. - *      - \c 1: success, this certificate is allowed to connect. + * @return The return value is 0 unless a fatal error occurred.   */  int verify_callback (void *session_obj, x509_cert *cert, int cert_depth, -    int preverify_ok); +    int *flags);  /** @} name Function for authenticating a new connection from a remote OpenVPN peer */ diff --git a/openvpn/src/openvpn/syshead.h b/openvpn/src/openvpn/syshead.h index db02c237..0c3e4ee5 100644 --- a/openvpn/src/openvpn/syshead.h +++ b/openvpn/src/openvpn/syshead.h @@ -399,6 +399,13 @@  #endif  /* + * do we have the MIN() macro? + */ +#ifndef MIN +#define MIN(a,b) (((a)<(b))?(a):(b)) +#endif + +/*   * Do we have the capability to report extended socket errors?   */  #if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC) diff --git a/openvpn/src/openvpn/tun.c b/openvpn/src/openvpn/tun.c index a0754427..d7d53a78 100644 --- a/openvpn/src/openvpn/tun.c +++ b/openvpn/src/openvpn/tun.c @@ -74,6 +74,8 @@ static void solaris_error_close (struct tuntap *tt, const struct env_set *es, co  #include <stropts.h>  #endif +static void clear_tuntap (struct tuntap *tuntap); +  bool  is_dev_type (const char *dev, const char *dev_type, const char *match_type)  { @@ -299,16 +301,6 @@ warn_on_use_of_common_subnets (void)  }  /* - * Complain if --dev tap and --ifconfig is used on an OS for which - * we don't have a custom tap ifconfig template below. - */ -static void -no_tap_ifconfig () -{ -  msg (M_FATAL, "Sorry but you cannot use --dev tap and --ifconfig together on this OS because I have not yet been programmed to understand the appropriate ifconfig syntax to use for TAP-style devices on this OS.  Your best alternative is to use an --up script and do the ifconfig command manually."); -} - -/*   * Return a string to be used for options compatibility check   * between peers.   */ diff --git a/openvpn/src/openvpn/tun.h b/openvpn/src/openvpn/tun.h index e7d941ab..2bbb8133 100644 --- a/openvpn/src/openvpn/tun.h +++ b/openvpn/src/openvpn/tun.h @@ -203,8 +203,6 @@ tuntap_defined (const struct tuntap *tt)   * Function prototypes   */ -static void clear_tuntap (struct tuntap *tuntap); -  void open_tun (const char *dev, const char *dev_type, const char *dev_node,  	       struct tuntap *tt); | 
