mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 12:02:28 +02:00
bf707bd2b1
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
439 lines
13 KiB
C
439 lines
13 KiB
C
/*
|
|
* OpenVPN -- An application to securely tunnel IP networks
|
|
* over a single TCP/UDP port, with support for SSL/TLS-based
|
|
* session authentication and key exchange,
|
|
* packet encryption, packet authentication, and
|
|
* packet compression.
|
|
*
|
|
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
|
|
* Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2
|
|
* as published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program (see the file COPYING included with this
|
|
* distribution); if not, write to the Free Software Foundation, Inc.,
|
|
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
*/
|
|
|
|
/**
|
|
* @file Control Channel SSL library backend module
|
|
*/
|
|
|
|
|
|
#ifndef SSL_BACKEND_H_
|
|
#define SSL_BACKEND_H_
|
|
|
|
#include "buffer.h"
|
|
|
|
#ifdef USE_OPENSSL
|
|
#include "ssl_openssl.h"
|
|
#endif
|
|
|
|
|
|
/*
|
|
*
|
|
* Functions implemented in ssl.c for use by the backend SSL library
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* Callback to retrieve the user's password
|
|
*
|
|
* @param buf Buffer to return the password in
|
|
* @param size Size of the buffer
|
|
* @param rwflag Unused, needed for OpenSSL compatibility
|
|
* @param u Unused, needed for OpenSSL compatibility
|
|
*/
|
|
int pem_password_callback (char *buf, int size, int rwflag, void *u);
|
|
|
|
/*
|
|
*
|
|
* Functions used in ssl.c which must be implemented by the backend SSL library
|
|
*
|
|
*/
|
|
|
|
/**
|
|
* Perform any static initialisation necessary by the library.
|
|
* Called on OpenVPN initialisation
|
|
*/
|
|
void tls_init_lib();
|
|
|
|
/**
|
|
* Free any global SSL library-specific data structures.
|
|
*/
|
|
void tls_free_lib();
|
|
/**
|
|
* Clear the underlying SSL library's error state.
|
|
*/
|
|
void tls_clear_error();
|
|
|
|
/**
|
|
* Initialise a library-specific TLS context for a server.
|
|
*
|
|
* @param ctx TLS context to initialise
|
|
*/
|
|
void tls_ctx_server_new(struct tls_root_ctx *ctx);
|
|
|
|
/**
|
|
* Initialises a library-specific TLS context for a client.
|
|
*
|
|
* @param ctx TLS context to initialise
|
|
*/
|
|
void tls_ctx_client_new(struct tls_root_ctx *ctx);
|
|
|
|
/**
|
|
* Frees the library-specific TLSv1 context
|
|
*
|
|
* @param ctx TLS context to free
|
|
*/
|
|
void tls_ctx_free(struct tls_root_ctx *ctx);
|
|
|
|
/**
|
|
* Checks whether the given TLS context is initialised
|
|
*
|
|
* @param ctx TLS context to check
|
|
*
|
|
* @return true if the context is initialised, false if not.
|
|
*/
|
|
bool tls_ctx_initialised(struct tls_root_ctx *ctx);
|
|
|
|
/**
|
|
* Set any library specific options.
|
|
*
|
|
* Examples include disabling session caching, the password callback to use,
|
|
* and session verification parameters.
|
|
*
|
|
* @param ctx TLS context to set options on
|
|
* @param ssl_flags SSL flags to set
|
|
*/
|
|
void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
|
|
|
|
/**
|
|
* Restrict the list of ciphers that can be used within the TLS context.
|
|
*
|
|
* @param ctx TLS context to restrict
|
|
* @param ciphers String containing : delimited cipher names.
|
|
*/
|
|
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
|
|
|
|
/**
|
|
* Load Diffie Hellman Parameters, and load them into the library-specific
|
|
* TLS context.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param dh_file The file name to load the parameters from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param dh_file_inline A string containing the parameters
|
|
*/
|
|
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file
|
|
#if ENABLE_INLINE_FILES
|
|
, const char *dh_file_inline
|
|
#endif /* ENABLE_INLINE_FILES */
|
|
);
|
|
|
|
/**
|
|
* Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
|
|
* library-specific TLS context.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param pkcs12_file The file name to load the information from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param pkcs12_file_inline A string containing the information
|
|
*
|
|
* @return 1 if an error occurred, 0 if parsing was
|
|
* successful.
|
|
*/
|
|
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
|
|
#if ENABLE_INLINE_FILES
|
|
const char *pkcs12_file_inline,
|
|
#endif /* ENABLE_INLINE_FILES */
|
|
bool load_ca_file
|
|
);
|
|
|
|
/*
|
|
* Load PKCS #11 information for key and cert, and add to library-specific TLS
|
|
* context.
|
|
*
|
|
* TODO: document
|
|
*/
|
|
#ifdef ENABLE_PKCS11
|
|
int tls_ctx_load_pkcs11(struct tls_root_ctx *ctx,
|
|
bool pkcs11_id_management, const char *pkcs11_id);
|
|
#endif /* ENABLE_PKCS11 */
|
|
|
|
/**
|
|
* Use Windows cryptoapi for key and cert, and add to library-specific TLS
|
|
* context.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param crypto_api_cert String representing the certificate to load.
|
|
*/
|
|
#ifdef WIN32
|
|
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert);
|
|
#endif /* WIN32 */
|
|
|
|
/**
|
|
* Load certificate file into the given TLS context. If the given certificate
|
|
* file contains a certificate chain, load the whole chain.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param cert_file The file name to load the certificate from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param cert_file_inline A string containing the certificate
|
|
* @param x509 An optional certificate, if x509 is NULL,
|
|
* do nothing, if x509 is not NULL, *x509 will be
|
|
* allocated and filled with the loaded certificate.
|
|
* *x509 must be NULL.
|
|
*/
|
|
void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
|
|
#if ENABLE_INLINE_FILES
|
|
const char *cert_file_inline,
|
|
#endif
|
|
X509 **x509
|
|
);
|
|
|
|
/**
|
|
* Load private key file into the given TLS context.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param priv_key_file The file name to load the private key from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param priv_key_file_inline A string containing the private key
|
|
*
|
|
* @return 1 if an error occurred, 0 if parsing was
|
|
* successful.
|
|
*/
|
|
int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
|
|
#if ENABLE_INLINE_FILES
|
|
, const char *priv_key_file_inline
|
|
#endif
|
|
);
|
|
|
|
#ifdef MANAGMENT_EXTERNAL_KEY
|
|
|
|
/**
|
|
* Tell the management interface to load the external private key matching
|
|
* the given certificate.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param cert The certificate file to load the private key for
|
|
* "[[INLINE]]" in the case of inline files.
|
|
*
|
|
* @return 1 if an error occurred, 0 if parsing was
|
|
* successful.
|
|
*/
|
|
int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert);
|
|
|
|
#endif
|
|
|
|
/**
|
|
* Load certificate authority certificates from the given file or path.
|
|
*
|
|
* Note that not all SSL libraries support loading from a path.
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param ca_file The file name to load the CAs from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param ca_file_inline A string containing the CAs
|
|
* @param ca_path The path to load the CAs from
|
|
*/
|
|
void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
|
|
#if ENABLE_INLINE_FILES
|
|
const char *ca_file_inline,
|
|
#endif
|
|
const char *ca_path, bool tls_server
|
|
);
|
|
|
|
/**
|
|
* Load extra certificate authority certificates from the given file or path.
|
|
* These Load extra certificates that are part of our own certificate
|
|
* chain but shouldn't be included in the verify chain.
|
|
*
|
|
*
|
|
* @param ctx TLS context to use
|
|
* @param extra_certs_file The file name to load the certs from, or
|
|
* "[[INLINE]]" in the case of inline files.
|
|
* @param extra_certs_file_inline A string containing the certs
|
|
*/
|
|
void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
|
|
#if ENABLE_INLINE_FILES
|
|
, const char *extra_certs_file_inline
|
|
#endif
|
|
);
|
|
|
|
/* **************************************
|
|
*
|
|
* Key-state specific functions
|
|
*
|
|
***************************************/
|
|
|
|
/**
|
|
* Initialise the SSL channel part of the given key state. Settings will be
|
|
* loaded from a previously initialised TLS context.
|
|
*
|
|
* @param ks_ssl The SSL channel's state info to initialise
|
|
* @param ssl_ctx The TLS context to use when initialising the channel.
|
|
* @param is_server Initialise a server?
|
|
* @param session The session associated with the given key_state
|
|
*/
|
|
void key_state_ssl_init(struct key_state_ssl *ks_ssl,
|
|
const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
|
|
|
|
/**
|
|
* Free the SSL channel part of the given key state.
|
|
*
|
|
* @param ks_ssl The SSL channel's state info to free
|
|
*/
|
|
void key_state_ssl_free(struct key_state_ssl *ks_ssl);
|
|
|
|
/**************************************************************************/
|
|
/** @addtogroup control_tls
|
|
* @{ */
|
|
|
|
/** @name Functions for packets to be sent to a remote OpenVPN peer
|
|
* @{ */
|
|
|
|
/**
|
|
* Insert a plaintext buffer into the TLS module.
|
|
*
|
|
* After successfully processing the data, the data in \a buf is zeroized,
|
|
* its length set to zero, and a value of \c 1 is returned.
|
|
*
|
|
* @param ks_ssl - The security parameter state for this %key
|
|
* session.
|
|
* @param buf - The plaintext message to process.
|
|
*
|
|
* @return The return value indicates whether the data was successfully
|
|
* processed:
|
|
* - \c 1: All the data was processed successfully.
|
|
* - \c 0: The data was not processed, this function should be called
|
|
* again later to retry.
|
|
* - \c -1: An error occurred.
|
|
*/
|
|
int key_state_write_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf);
|
|
|
|
/**
|
|
* Insert plaintext data into the TLS module.
|
|
*
|
|
* @param ks_ssl - The security parameter state for this %key
|
|
* session.
|
|
* @param data - A pointer to the data to process.
|
|
* @param len - The length in bytes of the data to process.
|
|
*
|
|
* @return The return value indicates whether the data was successfully
|
|
* processed:
|
|
* - \c 1: All the data was processed successfully.
|
|
* - \c 0: The data was not processed, this function should be called
|
|
* again later to retry.
|
|
* - \c -1: An error occurred.
|
|
*/
|
|
int key_state_write_plaintext_const (struct key_state_ssl *ks_ssl,
|
|
const uint8_t *data, int len);
|
|
|
|
/**
|
|
* Extract ciphertext data from the TLS module.
|
|
*
|
|
* If the \a buf buffer has a length other than zero, this function does
|
|
* not perform any action and returns 0.
|
|
*
|
|
* @param ks_ssl - The security parameter state for this %key
|
|
* session.
|
|
* @param buf - A buffer in which to store the ciphertext.
|
|
* @param maxlen - The maximum number of bytes to extract.
|
|
*
|
|
* @return The return value indicates whether the data was successfully
|
|
* processed:
|
|
* - \c 1: Data was extracted successfully.
|
|
* - \c 0: No data was extracted, this function should be called again
|
|
* later to retry.
|
|
* - \c -1: An error occurred.
|
|
*/
|
|
int key_state_read_ciphertext (struct key_state_ssl *ks_ssl, struct buffer *buf,
|
|
int maxlen);
|
|
|
|
/** @} name Functions for packets to be sent to a remote OpenVPN peer */
|
|
|
|
|
|
/** @name Functions for packets received from a remote OpenVPN peer
|
|
* @{ */
|
|
|
|
/**
|
|
* Insert a ciphertext buffer into the TLS module.
|
|
*
|
|
* After successfully processing the data, the data in \a buf is zeroized,
|
|
* its length set to zero, and a value of \c 1 is returned.
|
|
*
|
|
* @param ks_ssl - The security parameter state for this %key
|
|
* session.
|
|
* @param buf - The ciphertext message to process.
|
|
*
|
|
* @return The return value indicates whether the data was successfully
|
|
* processed:
|
|
* - \c 1: All the data was processed successfully.
|
|
* - \c 0: The data was not processed, this function should be called
|
|
* again later to retry.
|
|
* - \c -1: An error occurred.
|
|
*/
|
|
int key_state_write_ciphertext (struct key_state_ssl *ks_ssl,
|
|
struct buffer *buf);
|
|
|
|
/**
|
|
* Extract plaintext data from the TLS module.
|
|
*
|
|
* If the \a buf buffer has a length other than zero, this function does
|
|
* not perform any action and returns 0.
|
|
*
|
|
* @param ks_ssl - The security parameter state for this %key
|
|
* session.
|
|
* @param buf - A buffer in which to store the plaintext.
|
|
* @param maxlen - The maximum number of bytes to extract.
|
|
*
|
|
* @return The return value indicates whether the data was successfully
|
|
* processed:
|
|
* - \c 1: Data was extracted successfully.
|
|
* - \c 0: No data was extracted, this function should be called again
|
|
* later to retry.
|
|
* - \c -1: An error occurred.
|
|
*/
|
|
int key_state_read_plaintext (struct key_state_ssl *ks_ssl, struct buffer *buf,
|
|
int maxlen);
|
|
|
|
/** @} name Functions for packets received from a remote OpenVPN peer */
|
|
|
|
/** @} addtogroup control_tls */
|
|
|
|
/* **************************************
|
|
*
|
|
* Information functions
|
|
*
|
|
* Print information for the end user.
|
|
*
|
|
***************************************/
|
|
|
|
/*
|
|
* Print a one line summary of SSL/TLS session handshake.
|
|
*/
|
|
void print_details (struct key_state_ssl * ks_ssl, const char *prefix);
|
|
|
|
/*
|
|
* Show the TLS ciphers that are available for us to use in the OpenSSL
|
|
* library.
|
|
*/
|
|
void show_available_tls_ciphers ();
|
|
|
|
/*
|
|
* The OpenSSL library has a notion of preference in TLS ciphers. Higher
|
|
* preference == more secure. Return the highest preference cipher.
|
|
*/
|
|
void get_highest_preference_tls_cipher (char *buf, int size);
|
|
|
|
#endif /* SSL_BACKEND_H_ */
|