summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--openvpn/config.h4
-rw-r--r--openvpn/configure.ac54
-rw-r--r--openvpn/src/openvpn/buffer.h18
-rw-r--r--openvpn/src/openvpn/crypto.c22
-rw-r--r--openvpn/src/openvpn/crypto_backend.h12
-rw-r--r--openvpn/src/openvpn/crypto_openssl.c12
-rw-r--r--openvpn/src/openvpn/crypto_polarssl.c55
-rw-r--r--openvpn/src/openvpn/crypto_polarssl.h3
-rw-r--r--openvpn/src/openvpn/mbuf.h2
-rw-r--r--openvpn/src/openvpn/options.c24
-rw-r--r--openvpn/src/openvpn/plugin.c2
-rw-r--r--openvpn/src/openvpn/plugin.h2
-rw-r--r--openvpn/src/openvpn/route.c17
-rw-r--r--openvpn/src/openvpn/route.h2
-rw-r--r--openvpn/src/openvpn/ssl.c147
-rw-r--r--openvpn/src/openvpn/ssl_backend.h9
-rw-r--r--openvpn/src/openvpn/ssl_openssl.c77
-rw-r--r--openvpn/src/openvpn/ssl_polarssl.c63
-rw-r--r--openvpn/src/openvpn/ssl_polarssl.h1
-rw-r--r--openvpn/src/openvpn/ssl_verify_polarssl.c27
-rw-r--r--openvpn/src/openvpn/ssl_verify_polarssl.h22
-rw-r--r--openvpn/src/openvpn/syshead.h7
-rw-r--r--openvpn/src/openvpn/tun.c12
-rw-r--r--openvpn/src/openvpn/tun.h2
24 files changed, 473 insertions, 123 deletions
diff --git a/openvpn/config.h b/openvpn/config.h
index 8e738f37..c525e37f 100644
--- a/openvpn/config.h
+++ b/openvpn/config.h
@@ -450,7 +450,7 @@
#define PACKAGE_NAME "OpenVPN"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "OpenVPN 2.3.0+dspatch3"
+#define PACKAGE_STRING "OpenVPN 2.3.1+dspatch3"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "openvpn"
@@ -559,7 +559,7 @@
/* #undef USE_VALGRIND */
/* Version number of package */
-#define VERSION "2.1.4"
+#define VERSION "2.3.1"
/* Enable GNU extensions on systems that have them. */
#ifndef _GNU_SOURCE
diff --git a/openvpn/configure.ac b/openvpn/configure.ac
index ddd322c1..7b35e504 100644
--- a/openvpn/configure.ac
+++ b/openvpn/configure.ac
@@ -726,6 +726,13 @@ case "${with_mem_check}" in
esac
PKG_CHECK_MODULES(
+ [PKCS11_HELPER],
+ [libpkcs11-helper-1 >= 1.02],
+ [have_pkcs11_helper="yes"],
+ []
+)
+
+PKG_CHECK_MODULES(
[OPENSSL_CRYPTO],
[libcrypto >= 0.9.6],
[have_openssl_crypto="yes"],
@@ -789,9 +796,11 @@ if test -z "${POLARSSL_LIBS}"; then
[polarssl],
[aes_crypt_cbc],
,
- [have_polarssl_crypto="no"]
+ [have_polarssl_crypto="no"],
+ [${PKCS11_HELPER_LIBS}]
)
- ]
+ ],
+ [${PKCS11_HELPER_LIBS}]
)
fi
@@ -805,15 +814,45 @@ if test "${with_crypto_library}" = "polarssl" ; then
#include <polarssl/version.h>
]],
[[
-#if POLARSSL_VERSION_NUMBER < 0x01010000
+#if POLARSSL_VERSION_NUMBER < 0x01020500
#error invalid version
#endif
]]
)],
[AC_MSG_RESULT([ok])],
- [AC_MSG_ERROR([invalid polarssl version])]
+ [AC_MSG_ERROR([PolarSSL 1.2.5 or newer required])]
)
+
+ polarssl_with_pkcs11="no"
+ AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[
+#include <polarssl/config.h>
+ ]],
+ [[
+#ifndef POLARSSL_PKCS11_C
+#error pkcs11 wrapper missing
+#endif
+ ]]
+ )],
+ polarssl_with_pkcs11="yes")
CFLAGS="${old_CFLAGS}"
+
+ AC_MSG_CHECKING([polarssl pkcs11 support])
+ if test "${enable_pkcs11}" = "yes"; then
+ if test "${polarssl_with_pkcs11}" = "yes"; then
+ AC_MSG_RESULT([ok])
+ else
+ AC_MSG_ERROR([polarssl has no pkcs11 wrapper compiled in])
+ fi
+ else
+ if test "${polarssl_with_pkcs11}" != "yes"; then
+ AC_MSG_RESULT([ok])
+ else
+ AC_MSG_ERROR([PolarSSL compiled with PKCS11, while OpenVPN is not])
+ fi
+ fi
+
fi
AC_ARG_VAR([LZO_CFLAGS], [C compiler flags for lzo])
@@ -856,13 +895,6 @@ if test "${have_lzo}" = "yes"; then
CFLAGS="${saved_CFLAGS}"
fi
-PKG_CHECK_MODULES(
- [PKCS11_HELPER],
- [libpkcs11-helper-1 >= 1.02],
- [have_pkcs11_helper="yes"],
- []
-)
-
AC_MSG_CHECKING([git checkout])
GIT_CHECKOUT="no"
if test -n "${GIT}" -a -d "${srcdir}/.git"; then
diff --git a/openvpn/src/openvpn/buffer.h b/openvpn/src/openvpn/buffer.h
index 5e11de05..93efb096 100644
--- a/openvpn/src/openvpn/buffer.h
+++ b/openvpn/src/openvpn/buffer.h
@@ -668,6 +668,10 @@ buf_read_u32 (struct buffer *buf, bool *good)
}
}
+/**
+ * Compare src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool
buf_string_match (const struct buffer *src, const void *match, int size)
{
@@ -676,6 +680,10 @@ buf_string_match (const struct buffer *src, const void *match, int size)
return memcmp (BPTR (src), match, size) == 0;
}
+/**
+ * Compare first size bytes of src buffer contents with match.
+ * *NOT* constant time. Do not use when comparing HMACs.
+ */
static inline bool
buf_string_match_head (const struct buffer *src, const void *match, int size)
{
@@ -689,16 +697,6 @@ bool buf_string_compare_advance (struct buffer *src, const char *match);
int buf_substring_len (const struct buffer *buf, int delim);
/*
- * Bitwise operations
- */
-static inline void
-xor (uint8_t *dest, const uint8_t *src, int len)
-{
- while (len-- > 0)
- *dest++ ^= *src++;
-}
-
-/*
* Print a string which might be NULL
*/
const char *np (const char *str);
diff --git a/openvpn/src/openvpn/crypto.c b/openvpn/src/openvpn/crypto.c
index ac2eecdd..d9adf5b5 100644
--- a/openvpn/src/openvpn/crypto.c
+++ b/openvpn/src/openvpn/crypto.c
@@ -65,6 +65,24 @@
#define CRYPT_ERROR(format) \
do { msg (D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
+/**
+ * As memcmp(), but constant-time.
+ * Returns 0 when data is equal, non-zero otherwise.
+ */
+static int
+memcmp_constant_time (const void *a, const void *b, size_t size) {
+ const uint8_t * a1 = a;
+ const uint8_t * b1 = b;
+ int ret = 0;
+ size_t i;
+
+ for (i = 0; i < size; i++) {
+ ret |= *a1++ ^ *b1++;
+ }
+
+ return ret;
+}
+
void
openvpn_encrypt (struct buffer *buf, struct buffer work,
const struct crypto_options *opt,
@@ -244,7 +262,7 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
hmac_ctx_final (ctx->hmac, local_hmac);
/* Compare locally computed HMAC with packet HMAC */
- if (memcmp (local_hmac, BPTR (buf), hmac_len))
+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed");
ASSERT (buf_advance (buf, hmac_len));
@@ -401,7 +419,7 @@ init_key_type (struct key_type *kt, const char *ciphername,
CLEAR (*kt);
if (ciphername && ciphername_defined)
{
- kt->cipher = cipher_kt_get (ciphername);
+ kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername));
kt->cipher_length = cipher_kt_key_size (kt->cipher);
if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH)
kt->cipher_length = keysize;
diff --git a/openvpn/src/openvpn/crypto_backend.h b/openvpn/src/openvpn/crypto_backend.h
index 1eac6115..5ae47e6c 100644
--- a/openvpn/src/openvpn/crypto_backend.h
+++ b/openvpn/src/openvpn/crypto_backend.h
@@ -63,6 +63,18 @@ void crypto_init_lib_engine (const char *engine_name);
void crypto_init_dmalloc (void);
#endif /* DMALLOC */
+/**
+ * Translate a data channel cipher name from the OpenVPN config file
+ * 'language' to the crypto library specific name.
+ */
+const char * translate_cipher_name_from_openvpn (const char *cipher_name);
+
+/**
+ * Translate a data channel cipher name from the crypto library specific name
+ * to the OpenVPN config file 'language'.
+ */
+const char * translate_cipher_name_from_openvpn (const char *cipher_name);
+
void show_available_ciphers (void);
void show_available_digests (void);
diff --git a/openvpn/src/openvpn/crypto_openssl.c b/openvpn/src/openvpn/crypto_openssl.c
index 53425029..21d1762d 100644
--- a/openvpn/src/openvpn/crypto_openssl.c
+++ b/openvpn/src/openvpn/crypto_openssl.c
@@ -281,6 +281,18 @@ crypto_init_dmalloc (void)
}
#endif /* DMALLOC */
+const char *
+translate_cipher_name_from_openvpn (const char *cipher_name) {
+ // OpenSSL doesn't require any translation
+ return cipher_name;
+}
+
+const char *
+translate_cipher_name_to_openvpn (const char *cipher_name) {
+ // OpenSSL doesn't require any translation
+ return cipher_name;
+}
+
void
show_available_ciphers ()
{
diff --git a/openvpn/src/openvpn/crypto_polarssl.c b/openvpn/src/openvpn/crypto_polarssl.c
index 3978a3c6..1f27d6ca 100644
--- a/openvpn/src/openvpn/crypto_polarssl.c
+++ b/openvpn/src/openvpn/crypto_polarssl.c
@@ -94,6 +94,53 @@ crypto_init_dmalloc (void)
}
#endif /* DMALLOC */
+typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair;
+cipher_name_pair cipher_name_translation_table[] = {
+ { "BF-CBC", "BLOWFISH-CBC" },
+ { "BF-CFB", "BLOWFISH-CFB64" },
+ { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" },
+ { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" },
+ { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" }
+};
+
+const cipher_name_pair *
+get_cipher_name_pair(const char *cipher_name) {
+ cipher_name_pair *pair;
+ size_t i = 0;
+
+ /* Search for a cipher name translation */
+ for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++)
+ {
+ pair = &cipher_name_translation_table[i];
+ if (0 == strcmp (cipher_name, pair->openvpn_name) ||
+ 0 == strcmp (cipher_name, pair->polarssl_name))
+ return pair;
+ }
+
+ /* Nothing found, return null */
+ return NULL;
+}
+
+const char *
+translate_cipher_name_from_openvpn (const char *cipher_name) {
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
+
+ if (NULL == pair)
+ return cipher_name;
+
+ return pair->polarssl_name;
+}
+
+const char *
+translate_cipher_name_to_openvpn (const char *cipher_name) {
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
+
+ if (NULL == pair)
+ return cipher_name;
+
+ return pair->openvpn_name;
+}
+
void
show_available_ciphers ()
{
@@ -114,7 +161,7 @@ show_available_ciphers ()
if (info && info->mode == POLARSSL_MODE_CBC)
printf ("%s %d bit default key\n",
- info->name, info->key_length);
+ cipher_kt_name(info), cipher_kt_key_size(info) * 8);
ciphers++;
}
@@ -331,7 +378,8 @@ cipher_kt_name (const cipher_info_t *cipher_kt)
{
if (NULL == cipher_kt)
return "[null-cipher]";
- return cipher_kt->name;
+
+ return translate_cipher_name_to_openvpn(cipher_kt->name);
}
int
@@ -339,6 +387,9 @@ cipher_kt_key_size (const cipher_info_t *cipher_kt)
{
if (NULL == cipher_kt)
return 0;
+ if (POLARSSL_CIPHER_ID_BLOWFISH == cipher_kt->base->cipher)
+ return 128/8; /* Override PolarSSL 32 bit default key size with sane 128 bit default */
+
return cipher_kt->key_length/8;
}
diff --git a/openvpn/src/openvpn/crypto_polarssl.h b/openvpn/src/openvpn/crypto_polarssl.h
index bfabb91b..b6da4363 100644
--- a/openvpn/src/openvpn/crypto_polarssl.h
+++ b/openvpn/src/openvpn/crypto_polarssl.h
@@ -30,7 +30,6 @@
#ifndef CRYPTO_POLARSSL_H_
#define CRYPTO_POLARSSL_H_
-#include <polarssl/version.h>
#include <polarssl/cipher.h>
#include <polarssl/md.h>
#include <polarssl/ctr_drbg.h>
@@ -60,7 +59,7 @@ typedef md_context_t hmac_ctx_t;
#define OPENVPN_MODE_OFB POLARSSL_MODE_OFB
/** Cipher is in CFB mode */
-#define OPENVPN_MODE_CFB POLARSSL_MODE_CFB128
+#define OPENVPN_MODE_CFB POLARSSL_MODE_CFB
/** Cipher should encrypt */
#define OPENVPN_OP_ENCRYPT POLARSSL_ENCRYPT
diff --git a/openvpn/src/openvpn/mbuf.h b/openvpn/src/openvpn/mbuf.h
index a0de679d..1085adc7 100644
--- a/openvpn/src/openvpn/mbuf.h
+++ b/openvpn/src/openvpn/mbuf.h
@@ -83,7 +83,7 @@ mbuf_defined (const struct mbuf_set *ms)
return ms && ms->len;
}
-static inline bool
+static inline unsigned int
mbuf_len (const struct mbuf_set *ms)
{
return ms->len;
diff --git a/openvpn/src/openvpn/options.c b/openvpn/src/openvpn/options.c
index 8f0112ad..db1cb33a 100644
--- a/openvpn/src/openvpn/options.c
+++ b/openvpn/src/openvpn/options.c
@@ -882,7 +882,7 @@ uninit_options (struct options *o)
}
}
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
#define SHOW_PARM(name, value, format) msg(D_SHOW_PARMS, " " #name " = " format, (value))
#define SHOW_STR(var) SHOW_PARM(var, (o->var ? o->var : "[UNDEF]"), "'%s'")
@@ -1082,7 +1082,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren
#ifdef WIN32
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
static void
show_dhcp_option_addrs (const char *name, const in_addr_t *array, int len)
@@ -1156,7 +1156,7 @@ dhcp_option_address_parse (const char *name, const char *parm, in_addr_t *array,
#if P2MP
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
static void
show_p2mp_parms (const struct options *o)
@@ -1228,7 +1228,7 @@ show_p2mp_parms (const struct options *o)
gc_free (&gc);
}
-#endif /* ENABLE_DEBUG */
+#endif /* ! ENABLE_SMALL */
#if P2MP_SERVER
@@ -1282,7 +1282,7 @@ option_iroute_ipv6 (struct options *o,
#endif /* P2MP_SERVER */
#endif /* P2MP */
-#if defined(ENABLE_HTTP_PROXY) && defined(ENABLE_DEBUG)
+#if defined(ENABLE_HTTP_PROXY) && !defined(ENABLE_SMALL)
static void
show_http_proxy_options (const struct http_proxy_options *o)
{
@@ -1335,7 +1335,7 @@ cnol_check_alloc (struct options *options)
}
#endif
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
static void
show_connection_entry (const struct connection_entry *o)
{
@@ -1402,7 +1402,7 @@ show_connection_entries (const struct options *o)
void
show_settings (const struct options *o)
{
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
msg (D_SHOW_PARMS, "Current Parameter Settings:");
SHOW_STR (config);
@@ -4625,6 +4625,12 @@ add_option (struct options *options,
{
VERIFY_PERMISSION (OPT_P_MESSAGES);
options->verbosity = positive_atoi (p[1]);
+#if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
+ /* Warn when a debug verbosity is supplied when built without debug support */
+ if (options->verbosity >= 7)
+ msg (M_WARN, "NOTE: debug verbosity (--verb %d) is enabled but this build lacks debug support.",
+ options->verbosity);
+#endif
}
else if (streq (p[0], "mute") && p[1])
{
@@ -5405,9 +5411,9 @@ add_option (struct options *options,
msg (msglevel, "error parsing --ifconfig-ipv6-pool parameters");
goto err;
}
- if ( netbits != 64 )
+ if ( netbits < 64 || netbits > 112 )
{
- msg( msglevel, "--ifconfig-ipv6-pool settings: only /64 supported right now (not /%d)", netbits );
+ msg( msglevel, "--ifconfig-ipv6-pool settings: only /64../112 supported right now (not /%d)", netbits );
goto err;
}
diff --git a/openvpn/src/openvpn/plugin.c b/openvpn/src/openvpn/plugin.c
index 83f79e4f..c96c121f 100644
--- a/openvpn/src/openvpn/plugin.c
+++ b/openvpn/src/openvpn/plugin.c
@@ -155,7 +155,7 @@ plugin_option_list_add (struct plugin_option_list *list, char **p, struct gc_are
return false;
}
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
void
plugin_option_list_print (const struct plugin_option_list *list, int msglevel)
{
diff --git a/openvpn/src/openvpn/plugin.h b/openvpn/src/openvpn/plugin.h
index 4ba150d6..2f8416b1 100644
--- a/openvpn/src/openvpn/plugin.h
+++ b/openvpn/src/openvpn/plugin.h
@@ -108,7 +108,7 @@ struct plugin_return
struct plugin_option_list *plugin_option_list_new (struct gc_arena *gc);
bool plugin_option_list_add (struct plugin_option_list *list, char **p, struct gc_arena *gc);
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
void plugin_option_list_print (const struct plugin_option_list *list, int msglevel);
#endif
diff --git a/openvpn/src/openvpn/route.c b/openvpn/src/openvpn/route.c
index 8a778884..03574b9e 100644
--- a/openvpn/src/openvpn/route.c
+++ b/openvpn/src/openvpn/route.c
@@ -1089,7 +1089,7 @@ delete_routes (struct route_list *rl, struct route_ipv6_list *rl6,
}
}
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
static const char *
show_opt (const char *option)
@@ -1408,17 +1408,20 @@ add_route (struct route *r,
argv_printf (&argv, "%s add",
ROUTE_PATH);
-#if 0
- if (r->flags & RT_METRIC_DEFINED)
- argv_printf_cat (&argv, "-rtt %d", r->metric);
-#endif
-
argv_printf_cat (&argv, "%s -netmask %s %s",
network,
netmask,
gateway);
- /* FIXME -- add on-link support for Solaris */
+ /* Solaris can only distinguish between "metric 0" == "on-link on the
+ * interface where the IP address given is configured" and "metric > 0"
+ * == "use gateway specified" (no finer-grained route metrics available)
+ *
+ * More recent versions of Solaris can also do "-interface", but that
+ * would break backwards compatibility with older versions for no gain.
+ */
+ if (r->flags & RT_METRIC_DEFINED )
+ argv_printf_cat (&argv, "%d", r->metric);
argv_msg (D_ROUTE, &argv);
status = openvpn_execve_check (&argv, es, 0, "ERROR: Solaris route add command failed");
diff --git a/openvpn/src/openvpn/route.h b/openvpn/src/openvpn/route.h
index e63db595..a40de32f 100644
--- a/openvpn/src/openvpn/route.h
+++ b/openvpn/src/openvpn/route.h
@@ -290,7 +290,7 @@ void print_default_gateway(const int msglevel, const struct route_gateway_info *
#define TLA_LOCAL 2
int test_local_addr (const in_addr_t addr, const struct route_gateway_info *rgi);
-#ifdef ENABLE_DEBUG
+#ifndef ENABLE_SMALL
void print_route_options (const struct route_option_list *rol,
int level);
#endif
diff --git a/openvpn/src/openvpn/ssl.c b/openvpn/src/openvpn/ssl.c
index 9f570b9d..b3673864 100644
--- a/openvpn/src/openvpn/ssl.c
+++ b/openvpn/src/openvpn/ssl.c
@@ -113,6 +113,153 @@ show_tls_performance_stats(void)
#endif
+/**
+ * SSL/TLS Cipher suite name translation table
+ */
+static const tls_cipher_name_pair tls_cipher_name_translation_table[] = {
+ {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
+ {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
+ {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
+ {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
+ {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
+ {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
+ {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
+ {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
+ {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
+ {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
+ {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
+ {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
+ {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
+ {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
+ {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
+ {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
+ {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
+ {"DHE-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
+ {"DHE-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
+ {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
+ {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
+ {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
+ {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
+ {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
+ {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
+ {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
+ {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"DHE-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"DHE-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
+ {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
+ {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
+ {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
+ {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
+ {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
+ {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
+ {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
+ {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
+ {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
+ {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
+ {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
+ {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
+ {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
+ {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
+ {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
+ {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
+ {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
+ {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
+ {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
+ {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
+ {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
+ {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
+ {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
+ {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
+ {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
+ {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
+ {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
+ {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
+ {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
+ {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
+ {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
+ {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
+ {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
+ {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
+ {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
+ {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
+ {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
+ {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
+ {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
+ {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
+ {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
+ {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
+ {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
+ {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
+ {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
+ {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
+ {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
+ {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
+ {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
+ {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
+ {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
+ {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
+ {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
+ {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
+ {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
+ {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
+ {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
+ {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
+ {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
+ {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
+ {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
+ {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
+ {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
+ {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
+ {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
+ {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
+ {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
+ {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
+ {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
+ {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
+ {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
+ {NULL, NULL}
+};
+
+const tls_cipher_name_pair *
+tls_get_cipher_name_pair (const char * cipher_name, size_t len) {
+ const tls_cipher_name_pair * pair = tls_cipher_name_translation_table;
+
+ while (pair->openssl_name != NULL) {
+ if ((strlen(pair->openssl_name) == len && 0 == memcmp (cipher_name, pair->openssl_name, len)) ||
+ (strlen(pair->iana_name) == len && 0 == memcmp (cipher_name, pair->iana_name, len))) {
+ return pair;
+ }
+ pair++;
+ }
+
+ // No entry found, return NULL
+ return NULL;
+}
/*
* Max number of bytes we will add
diff --git a/openvpn/src/openvpn/ssl_backend.h b/openvpn/src/openvpn/ssl_backend.h
index 203a4d26..f61580cf 100644
--- a/openvpn/src/openvpn/ssl_backend.h
+++ b/openvpn/src/openvpn/ssl_backend.h
@@ -43,6 +43,15 @@
#endif
+/**
+ * Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name
+ *
+ * @param cipher_name Can be either OpenSSL or IANA cipher name
+ * @return tls_cipher_name_pair* if found, NULL otherwise
+ */
+typedef struct { const char *openssl_name; const char *iana_name; } tls_cipher_name_pair;
+const tls_cipher_name_pair *tls_get_cipher_name_pair (const char *cipher_name, size_t len);
+
/*
*
* Functions implemented in ssl.c for use by the backend SSL library
diff --git a/openvpn/src/openvpn/ssl_openssl.c b/openvpn/src/openvpn/ssl_openssl.c
index a727b605..1006617c 100644
--- a/openvpn/src/openvpn/ssl_openssl.c
+++ b/openvpn/src/openvpn/ssl_openssl.c
@@ -202,10 +202,69 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
void
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
+ size_t begin_of_cipher, end_of_cipher;
+
+ const char *current_cipher;
+ size_t current_cipher_len;
+
+ const tls_cipher_name_pair *cipher_pair;
+
+ const size_t openssl_ciphers_size = 4096;
+ char openssl_ciphers[openssl_ciphers_size];
+ size_t openssl_ciphers_len = 0;
+ openssl_ciphers[0] = '\0';
+
ASSERT(NULL != ctx);
- if(!SSL_CTX_set_cipher_list(ctx->ctx, ciphers))
- msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", ciphers);
+ // Translate IANA cipher suite names to OpenSSL names
+ for (begin_of_cipher = 0; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher+1) {
+ end_of_cipher = strcspn(&ciphers[begin_of_cipher], ":");
+ cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
+
+ if (NULL == cipher_pair)
+ {
+ // No translation found, use original
+ current_cipher = &ciphers[begin_of_cipher];
+ current_cipher_len = end_of_cipher - begin_of_cipher;
+
+ // Issue warning on missing translation
+ // %.*s format specifier expects length of type int, so guarantee
+ // that length is small enough and cast to int.
+ msg (M_WARN, "No valid translation found for TLS cipher '%.*s'",
+ (int) MIN(current_cipher_len, 256), current_cipher);
+ }
+ else
+ {
+ // Use OpenSSL name
+ current_cipher = cipher_pair->openssl_name;
+ current_cipher_len = strlen(current_cipher);
+
+ if (end_of_cipher - begin_of_cipher == current_cipher_len &&
+ 0 == memcmp (&ciphers[begin_of_cipher], cipher_pair->openssl_name, end_of_cipher - begin_of_cipher))
+ {
+ // Non-IANA name used, show warning
+ msg (M_WARN, "Deprecated TLS cipher name '%s', please use IANA name '%s'", cipher_pair->openssl_name, cipher_pair->iana_name);
+ }
+ }
+
+ // Make sure new cipher name fits in cipher string
+ if (((openssl_ciphers_size-1) - openssl_ciphers_len) < current_cipher_len) {
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list, too long (>%zu).", openssl_ciphers_size-1);
+ }
+
+ // Concatenate cipher name to OpenSSL cipher string
+ memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
+ openssl_ciphers_len += current_cipher_len;
+ openssl_ciphers[openssl_ciphers_len] = ':';
+ openssl_ciphers_len++;
+ }
+
+ if (openssl_ciphers_len > 0)
+ openssl_ciphers[openssl_ciphers_len-1] = '\0';
+
+ // Set OpenSSL cipher list
+ if(!SSL_CTX_set_cipher_list(ctx->ctx, openssl_ciphers))
+ msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
}
void
@@ -1131,6 +1190,8 @@ show_available_tls_ciphers ()
SSL_CTX *ctx;
SSL *ssl;
const char *cipher_name;
+ const char *print_name;
+ const tls_cipher_name_pair *pair;
int priority = 0;
ctx = SSL_CTX_new (TLSv1_method ());
@@ -1144,7 +1205,17 @@ show_available_tls_ciphers ()
printf ("Available TLS Ciphers,\n");
printf ("listed in order of preference:\n\n");
while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
- printf ("%s\n", cipher_name);
+ {
+ pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
+
+ if (NULL == pair) {
+ // No translation found, print warning
+ printf ("%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
+ } else {
+ printf ("%s\n", pair->iana_name);
+ }
+
+ }
printf ("\n");
SSL_free (ssl);
diff --git a/openvpn/src/openvpn/ssl_polarssl.c b/openvpn/src/openvpn/ssl_polarssl.c
index 12318b33..2b5b37ba 100644
--- a/openvpn/src/openvpn/ssl_polarssl.c
+++ b/openvpn/src/openvpn/ssl_polarssl.c
@@ -65,23 +65,6 @@ tls_clear_error()
{
}
-static int default_ciphersuites[] =
-{
- SSL_EDH_RSA_AES_256_SHA,
- SSL_EDH_RSA_CAMELLIA_256_SHA,
- SSL_EDH_RSA_AES_128_SHA,
- SSL_EDH_RSA_CAMELLIA_128_SHA,
- SSL_EDH_RSA_DES_168_SHA,
- SSL_RSA_AES_256_SHA,
- SSL_RSA_CAMELLIA_256_SHA,
- SSL_RSA_AES_128_SHA,
- SSL_RSA_CAMELLIA_128_SHA,
- SSL_RSA_DES_168_SHA,
- SSL_RSA_RC4_128_SHA,
- SSL_RSA_RC4_128_MD5,
- 0
-};
-
void
tls_ctx_server_new(struct tls_root_ctx *ctx)
{
@@ -161,6 +144,25 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
{
}
+static const char *
+tls_translate_cipher_name (const char * cipher_name) {
+ const tls_cipher_name_pair * pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
+
+ if (NULL == pair)
+ {
+ // No translation found, return original
+ return cipher_name;
+ }
+
+ if (0 != strcmp(cipher_name, pair->iana_name))
+ {
+ // Deprecated name found, notify user
+ msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name);
+ }
+
+ return pair->iana_name;
+}
+
void
tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
{
@@ -186,7 +188,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
token = strtok (tmp_ciphers, ":");
while(token)
{
- ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id (token);
+ ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id (
+ tls_translate_cipher_name (token));
if (0 != ctx->allowed_ciphers[i])
i++;
token = strtok (NULL, ":");
@@ -514,20 +517,17 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get());
- ALLOC_OBJ_CLEAR (ks_ssl->ssn, ssl_session);
- ssl_set_session (ks_ssl->ctx, 0, 0, ks_ssl->ssn );
if (ssl_ctx->allowed_ciphers)
ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
- else
- ssl_set_ciphersuites (ks_ssl->ctx, default_ciphersuites);
/* Initialise authentication information */
if (is_server)
ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );
#if defined(ENABLE_PKCS11)
if (ssl_ctx->priv_key_pkcs11 != NULL)
- ssl_set_own_cert_pkcs11( ks_ssl->ctx, ssl_ctx->crt_chain,
- ssl_ctx->priv_key_pkcs11 );
+ ssl_set_own_cert_alt( ks_ssl->ctx, ssl_ctx->crt_chain,
+ ssl_ctx->priv_key_pkcs11, ssl_pkcs11_decrypt, ssl_pkcs11_sign,
+ ssl_pkcs11_key_len );
else
#endif
ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
@@ -543,7 +543,6 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
ALLOC_OBJ_CLEAR (ks_ssl->ct_out, endless_buffer);
ssl_set_bio (ks_ssl->ctx, endless_buf_read, ks_ssl->ct_in,
endless_buf_write, ks_ssl->ct_out);
-
}
}
@@ -556,8 +555,6 @@ key_state_ssl_free(struct key_state_ssl *ks_ssl)
ssl_free(ks_ssl->ctx);
free(ks_ssl->ctx);
}
- if (ks_ssl->ssn)
- free(ks_ssl->ssn);
if (ks_ssl->ct_in) {
buf_free_entries(ks_ssl->ct_in);
free(ks_ssl->ct_in);
@@ -666,6 +663,7 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf,
{
int retval = 0;
int len = 0;
+ char error_message[1024];
perf_push (PERF_BIO_READ_CIPHERTEXT);
@@ -691,7 +689,8 @@ key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf,
perf_pop ();
if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
return 0;
- msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error");
+ error_strerror(retval, error_message, sizeof(error_message));
+ msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_ciphertext error: %d %s", retval, error_message);
buf->len = 0;
return -1;
}
@@ -763,6 +762,7 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,
{
int retval = 0;
int len = 0;
+ char error_message[1024];
perf_push (PERF_BIO_READ_PLAINTEXT);
@@ -787,7 +787,8 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,
{
if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
return 0;
- msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error");
+ error_strerror(retval, error_message, sizeof(error_message));
+ msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error: %d %s", retval, error_message);
buf->len = 0;
perf_pop ();
return -1;
@@ -818,7 +819,7 @@ key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,
void
print_details (struct key_state_ssl * ks_ssl, const char *prefix)
{
- x509_cert *cert;
+ const x509_cert *cert;
char s1[256];
char s2[256];
@@ -828,7 +829,7 @@ print_details (struct key_state_ssl * ks_ssl, const char *prefix)
ssl_get_version (ks_ssl->ctx),
ssl_get_ciphersuite(ks_ssl->ctx));
- cert = ks_ssl->ctx->peer_cert;
+ cert = ssl_get_peer_cert(ks_ssl->ctx);
if (cert != NULL)
{
openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
diff --git a/openvpn/src/openvpn/ssl_polarssl.h b/openvpn/src/openvpn/ssl_polarssl.h
index 456573f5..da936998 100644
--- a/openvpn/src/openvpn/ssl_polarssl.h
+++ b/openvpn/src/openvpn/ssl_polarssl.h
@@ -73,7 +73,6 @@ struct tls_root_ctx {
struct key_state_ssl {
ssl_context *ctx;
- ssl_session *ssn;
endless_buffer *ct_in;
endless_buffer *ct_out;
};
diff --git a/openvpn/src/openvpn/ssl_verify_polarssl.c b/openvpn/src/openvpn/ssl_verify_polarssl.c
index a32db8df..5db4f027 100644
--- a/openvpn/src/openvpn/ssl_verify_polarssl.c
+++ b/openvpn/src/openvpn/ssl_verify_polarssl.c
@@ -44,11 +44,10 @@
int
verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
- int preverify_ok)
+ int *flags)
{
struct tls_session *session = (struct tls_session *) session_obj;
struct gc_arena gc = gc_new();
- int ret = 1;
ASSERT (cert);
ASSERT (session);
@@ -59,31 +58,29 @@ verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));
/* did peer present cert which was signed by our root cert? */
- if (!preverify_ok)
+ if (*flags != 0)
{
char *subject = x509_get_subject(cert, &gc);
if (subject)
- msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, %s", cert_depth, subject);
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject);
else
- msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 "
- "subject string from certificate", cert_depth);
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 "
+ "subject string from certificate", *flags, cert_depth);
- goto cleanup;
+ /* Leave flags set to non-zero to indicate that the cert is not ok */
+ }
+ else if (SUCCESS != verify_cert(session, cert, cert_depth))
+ {
+ *flags |= BADCERT_OTHER;
}
- if (SUCCESS != verify_cert(session, cert, cert_depth))
- goto cleanup;
-
- ret = 0;
-
-cleanup:
gc_free(&gc);
/*
- * PolarSSL expects 1 on failure, 0 on success
+ * PolarSSL-1.2.0+ expects 0 on anything except fatal errors.
*/
- return ret;
+ return 0;
}
#ifdef ENABLE_X509ALTUSERNAME
diff --git a/openvpn/src/openvpn/ssl_verify_polarssl.h b/openvpn/src/openvpn/ssl_verify_polarssl.h
index fceee667..b259081f 100644
--- a/openvpn/src/openvpn/ssl_verify_polarssl.h
+++ b/openvpn/src/openvpn/ssl_verify_polarssl.h
@@ -55,27 +55,25 @@ typedef x509_cert openvpn_x509_cert_t;
* calls the PolarSSL library's \c ssl_set_verify_callback() function with \c
* verify_callback() as its callback argument.
*
- * It checks preverify_ok, and registers the certificate hash. If these steps
- * succeed, it calls the \c verify_cert() function, which performs
- * OpenVPN-specific verification.
+ * It checks *flags and registers the certificate hash. If these steps succeed,
+ * it calls the \c verify_cert() function, which performs OpenVPN-specific
+ * verification.
*
* @param session_obj - The OpenVPN \c tls_session associated with this object,
* as set during SSL session setup.
* @param cert - The certificate used by PolarSSL.
* @param cert_depth - The depth of the current certificate in the chain, with
* 0 being the actual certificate.
- * @param preverify_ok - Whether the remote OpenVPN peer's certificate
- * past verification. A value of 1 means it
- * verified successfully, 0 means it failed.
+ * @param flags - Whether the remote OpenVPN peer's certificate
+ * passed verification. A value of 0 means it
+ * verified successfully, any other value means it
+ * failed. \c verify_callback() is considered to have
+ * ok'ed this certificate if flags is 0 when it returns.
*
- * @return The return value indicates whether the supplied certificate is
- * allowed to set up a VPN tunnel. The following values can be
- * returned:
- * - \c 0: failure, this certificate is not allowed to connect.
- * - \c 1: success, this certificate is allowed to connect.
+ * @return The return value is 0 unless a fatal error occurred.
*/
int verify_callback (void *session_obj, x509_cert *cert, int cert_depth,
- int preverify_ok);
+ int *flags);
/** @} name Function for authenticating a new connection from a remote OpenVPN peer */
diff --git a/openvpn/src/openvpn/syshead.h b/openvpn/src/openvpn/syshead.h
index db02c237..0c3e4ee5 100644
--- a/openvpn/src/openvpn/syshead.h
+++ b/openvpn/src/openvpn/syshead.h
@@ -399,6 +399,13 @@
#endif
/*
+ * do we have the MIN() macro?
+ */
+#ifndef MIN
+#define MIN(a,b) (((a)<(b))?(a):(b))
+#endif
+
+/*
* Do we have the capability to report extended socket errors?
*/
#if defined(HAVE_LINUX_TYPES_H) && defined(HAVE_LINUX_ERRQUEUE_H) && defined(HAVE_SOCK_EXTENDED_ERR) && defined(HAVE_MSGHDR) && defined(HAVE_CMSGHDR) && defined(CMSG_FIRSTHDR) && defined(CMSG_NXTHDR) && defined(IP_RECVERR) && defined(MSG_ERRQUEUE) && defined(SOL_IP) && defined(HAVE_IOVEC)
diff --git a/openvpn/src/openvpn/tun.c b/openvpn/src/openvpn/tun.c
index a0754427..d7d53a78 100644
--- a/openvpn/src/openvpn/tun.c
+++ b/openvpn/src/openvpn/tun.c
@@ -74,6 +74,8 @@ static void solaris_error_close (struct tuntap *tt, const struct env_set *es, co
#include <stropts.h>
#endif
+static void clear_tuntap (struct tuntap *tuntap);
+
bool
is_dev_type (const char *dev, const char *dev_type, const char *match_type)
{
@@ -299,16 +301,6 @@ warn_on_use_of_common_subnets (void)
}
/*
- * Complain if --dev tap and --ifconfig is used on an OS for which
- * we don't have a custom tap ifconfig template below.
- */
-static void
-no_tap_ifconfig ()
-{
- msg (M_FATAL, "Sorry but you cannot use --dev tap and --ifconfig together on this OS because I have not yet been programmed to understand the appropriate ifconfig syntax to use for TAP-style devices on this OS. Your best alternative is to use an --up script and do the ifconfig command manually.");
-}
-
-/*
* Return a string to be used for options compatibility check
* between peers.
*/
diff --git a/openvpn/src/openvpn/tun.h b/openvpn/src/openvpn/tun.h
index e7d941ab..2bbb8133 100644
--- a/openvpn/src/openvpn/tun.h
+++ b/openvpn/src/openvpn/tun.h
@@ -203,8 +203,6 @@ tuntap_defined (const struct tuntap *tt)
* Function prototypes
*/
-static void clear_tuntap (struct tuntap *tuntap);
-
void open_tun (const char *dev, const char *dev_type, const char *dev_node,
struct tuntap *tt);