35#if defined(ENABLE_CRYPTO_OPENSSL)
48#ifdef ENABLE_CRYPTOAPI
55#include <openssl/bn.h>
56#include <openssl/crypto.h>
57#include <openssl/dh.h>
58#include <openssl/dsa.h>
59#include <openssl/err.h>
60#include <openssl/pkcs12.h>
61#include <openssl/rsa.h>
62#include <openssl/x509.h>
63#include <openssl/ssl.h>
65#include <openssl/ec.h>
68#if OPENSSL_VERSION_NUMBER >= 0x30000000L
69#define HAVE_OPENSSL_STORE_API
70#include <openssl/ui.h>
71#include <openssl/store.h>
74#if defined(_MSC_VER) && !defined(_M_ARM64)
75#include <openssl/applink.c>
93 mydata_index = SSL_get_ex_new_index(0,
"struct session *", NULL, NULL, NULL);
109 if (ctx->
ctx == NULL)
113 if (ERR_peek_error() != 0)
127 if (ctx->
ctx == NULL)
131 if (ERR_peek_error() != 0)
142 SSL_CTX_free(ctx->
ctx);
151 return NULL != ctx->
ctx;
156 void *ekm,
size_t ekm_size)
161 if (SSL_export_keying_material(ssl, ekm, ekm_size, label, label_size, NULL, 0, 0) == 1)
176#ifndef INFO_CALLBACK_SSL_CONST
177#define INFO_CALLBACK_SSL_CONST const
182 if (where & SSL_CB_LOOP)
185 where & SSL_ST_CONNECT ?
"connect"
186 : where & SSL_ST_ACCEPT ?
"accept"
188 SSL_state_string_long(s));
190 else if (where & SSL_CB_ALERT)
193 SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
205#if defined(TLS1_3_VERSION)
208#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
220 if (OpenSSL_version_num() >= 0x1010100fL)
228#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)
230#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1)
247 return TLS1_1_VERSION;
251 return TLS1_2_VERSION;
261#ifndef TLS1_3_VERSION
269 return TLS1_3_VERSION;
286 int cur_min = SSL_CTX_get_min_proto_version(ctx->
ctx);
287 tls_ver_min = cur_min < TLS1_VERSION ? TLS1_VERSION : cur_min;
290 if (!SSL_CTX_set_min_proto_version(ctx->
ctx, tls_ver_min))
296 if (tls_ver_max && !SSL_CTX_set_max_proto_version(ctx->
ctx, tls_ver_max))
311 uint64_t sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET;
312#ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
313 sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE;
315 sslopt |= SSL_OP_NO_COMPRESSION;
319#ifdef SSL_OP_NO_RENEGOTIATION
320 sslopt |= SSL_OP_NO_RENEGOTIATION;
323 SSL_CTX_set_options(ctx->
ctx, sslopt);
330#ifdef SSL_MODE_RELEASE_BUFFERS
331 SSL_CTX_set_mode(ctx->
ctx, SSL_MODE_RELEASE_BUFFERS);
333 SSL_CTX_set_session_cache_mode(ctx->
ctx, SSL_SESS_CACHE_OFF);
337 int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
344 verify_flags = SSL_VERIFY_PEER;
357 size_t begin_of_cipher, end_of_cipher;
359 const char *current_cipher;
360 size_t current_cipher_len;
364 size_t openssl_ciphers_len = 0;
365 openssl_ciphers[0] =
'\0';
368 begin_of_cipher = end_of_cipher = 0;
369 for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
371 end_of_cipher += strcspn(&ciphers[begin_of_cipher],
":");
375 if (NULL == cipher_pair)
378 current_cipher = &ciphers[begin_of_cipher];
379 current_cipher_len = end_of_cipher - begin_of_cipher;
384 msg(
D_LOW,
"No valid translation found for TLS cipher '%.*s'",
391 current_cipher_len = strlen(current_cipher);
393 if (end_of_cipher - begin_of_cipher == current_cipher_len
395 != memcmp(&ciphers[begin_of_cipher], cipher_pair->
iana_name,
396 end_of_cipher - begin_of_cipher))
399 msg(
M_WARN,
"Deprecated TLS cipher name '%s', please use IANA name '%s'",
405 if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
406 || (len - 1) < (openssl_ciphers_len + current_cipher_len))
408 msg(
M_FATAL,
"Failed to set restricted TLS cipher list, too long (>%d).",
413 memcpy(&openssl_ciphers[openssl_ciphers_len], current_cipher, current_cipher_len);
414 openssl_ciphers_len += current_cipher_len;
415 openssl_ciphers[openssl_ciphers_len] =
':';
416 openssl_ciphers_len++;
421 if (openssl_ciphers_len > 0)
423 openssl_ciphers[openssl_ciphers_len - 1] =
'\0';
433 if (!SSL_CTX_set_cipher_list(
451 char openssl_ciphers[4096];
457 if (!SSL_CTX_set_cipher_list(ctx->
ctx, openssl_ciphers))
459 crypto_msg(
M_FATAL,
"Failed to set restricted TLS cipher list: %s", openssl_ciphers);
471 if (strlen(ciphers) >= (len - 1))
473 msg(
M_FATAL,
"Failed to set restricted TLS 1.3 cipher list, too long (>%d).",
477 strncpy(openssl_ciphers, ciphers, len);
479 for (
size_t i = 0;
i < strlen(openssl_ciphers);
i++)
481 if (openssl_ciphers[
i] ==
'-')
483 openssl_ciphers[
i] =
'_';
498#if !defined(TLS1_3_VERSION)
500 "Not compiled with OpenSSL 1.1.1 or higher. "
501 "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.",
506 char openssl_ciphers[4096];
509 if (!SSL_CTX_set_ciphersuites(ctx->
ctx, openssl_ciphers))
511 crypto_msg(
M_FATAL,
"Failed to set restricted TLS 1.3 cipher list: %s", openssl_ciphers);
519#if OPENSSL_VERSION_NUMBER > 0x10100000L \
520 && (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER > 0x3060000fL)
525 if (!profile || 0 == strcmp(profile,
"legacy"))
527 SSL_CTX_set_security_level(ctx->
ctx, 1);
529 else if (0 == strcmp(profile,
"insecure"))
531 SSL_CTX_set_security_level(ctx->
ctx, 0);
533 else if (0 == strcmp(profile,
"preferred"))
535 SSL_CTX_set_security_level(ctx->
ctx, 2);
537 else if (0 == strcmp(profile,
"suiteb"))
539 SSL_CTX_set_security_level(ctx->
ctx, 3);
540 SSL_CTX_set_cipher_list(ctx->
ctx,
"SUITEB128");
544 msg(
M_FATAL,
"ERROR: Invalid cert profile: %s", profile);
550 "WARNING: OpenSSL 1.1.0 and LibreSSL do not support "
551 "--tls-cert-profile, ignoring user-set profile: '%s'",
561#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(ENABLE_CRYPTO_WOLFSSL)
583 while ((token =
strsep(&tmp_groups,
":")))
585 if (
streq(token,
"secp256r1"))
587 token =
"prime256v1";
589 int nid = OBJ_sn2nid(token);
593 msg(
M_WARN,
"Warning unknown curve/group specified: %s", token);
597 glist[glistlen] = nid;
608 if (!SSL_CTX_set1_groups_list(ctx->
ctx, groups))
623 cert = SSL_CTX_get0_certificate(ctx->
ctx);
630 ret = X509_cmp_time(X509_get0_notBefore(cert), NULL);
637 msg(
M_WARN,
"WARNING: Your certificate is not yet valid!");
640 ret = X509_cmp_time(X509_get0_notAfter(cert), NULL);
647 msg(
M_WARN,
"WARNING: Your certificate has expired!");
660 if (!(bio = BIO_new_mem_buf((
char *)dh_file, -1)))
668 if (!(bio = BIO_new_file(dh_file,
"r")))
674#if OPENSSL_VERSION_NUMBER >= 0x30000000L
675 EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
683 if (!SSL_CTX_set0_tmp_dh_pkey(ctx->
ctx, dh))
688 msg(
D_TLS_DEBUG_LOW,
"Diffie-Hellman initialized with %d bit key", 8 * EVP_PKEY_get_size(dh));
690 DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
698 if (!SSL_CTX_set_tmp_dh(ctx->
ctx, dh))
712#if OPENSSL_VERSION_NUMBER >= 0x30000000L
713 if (curve_name != NULL)
715 msg(
M_WARN,
"WARNING: OpenSSL 3.0+ builds do not support specifying an "
716 "ECDH curve with --ecdh-curve, using default curves. Use "
717 "--tls-groups to specify groups.");
719#elif !defined(OPENSSL_NO_EC)
722 const char *sname = NULL;
725 SSL_CTX_set_options(ctx->
ctx, SSL_OP_SINGLE_ECDH_USE);
727 if (curve_name != NULL)
730 msg(
D_TLS_DEBUG,
"Using user specified ECDH curve (%s)", curve_name);
731 nid = OBJ_sn2nid(curve_name);
739 sname = OBJ_nid2sn(nid);
746 if (NID_undef == nid || NULL == (ecdh = EC_KEY_new_by_curve_name(nid)))
749 ecdh = EC_KEY_new_by_curve_name(NID_secp384r1);
751 (NULL == curve_name) ?
"extract curve from certificate" :
"use supplied curve";
753 sname = OBJ_nid2sn(NID_secp384r1);
756 if (!SSL_CTX_set_tmp_ecdh(ctx->
ctx, ecdh))
765 msg(
D_LOW,
"Your OpenSSL library was built without elliptic curve support."
766 " Skipping ECDH parameter loading.");
770#if defined(HAVE_OPENSSL_STORE_API)
777ui_reader(UI *ui, UI_STRING *uis)
779 SSL_CTX *ctx = UI_get0_user_data(ui);
781 if (UI_get_string_type(uis) == UIT_PROMPT)
783 const char *prompt = UI_get0_output_string(uis);
786 if (strstr(prompt,
"PKCS#11"))
792 UI_set_result(ui, uis, up.password);
798 pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
799 void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx);
812clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
814 if (OSSL_STORE_error(store_ctx))
832 EVP_PKEY *pkey = NULL;
834#if !defined(HAVE_OPENSSL_STORE_API)
837 BIO *in = BIO_new_file(uri,
"r");
842 pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ssl_ctx),
843 SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx));
848 OSSL_STORE_CTX *store_ctx = NULL;
849 OSSL_STORE_INFO *info = NULL;
851 UI_METHOD *ui_method = UI_create_method(
"openvpn");
854 msg(
M_WARN,
"OpenSSL UI creation failed");
857 UI_method_set_reader(ui_method, ui_reader);
859 store_ctx = OSSL_STORE_open_ex(uri,
tls_libctx, NULL, ui_method, ssl_ctx, NULL, NULL, NULL);
864 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_PKEY) != 1)
870 info = OSSL_STORE_load(store_ctx);
871 if (info || OSSL_STORE_eof(store_ctx))
879 clear_ossl_store_error(store_ctx);
885 pkey = OSSL_STORE_INFO_get1_PKEY(info);
886 OSSL_STORE_INFO_free(info);
890 OSSL_STORE_close(store_ctx);
891 UI_destroy_method(ui_method);
905 STACK_OF(X509) *ca = NULL;
912 if (pkcs12_file_inline)
914 BIO *b64 = BIO_new(BIO_f_base64());
915 BIO *bio = BIO_new_mem_buf((
void *)pkcs12_file, (
int)strlen(pkcs12_file));
918 p12 = d2i_PKCS12_bio(b64, NULL);
933 p12 = d2i_PKCS12_fp(fp, NULL);
942 if (!PKCS12_parse(p12,
"", &pkey, &cert, &ca))
947 if (!PKCS12_parse(p12,
password, &pkey, &cert, &ca))
950 "or unsupported/legacy encryption");
951#ifdef ENABLE_MANAGEMENT
952 if (
management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
964 if (!SSL_CTX_use_certificate(ctx->
ctx, cert))
971 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, pkey))
977 if (!SSL_CTX_check_private_key(ctx->
ctx))
989 if (ca && sk_X509_num(ca))
991 for (
i = 0;
i < sk_X509_num(ca);
i++)
993 X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->
ctx);
994 if (!X509_STORE_add_cert(cert_store, sk_X509_value(ca,
i)))
997 "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
999 if (!SSL_CTX_add_client_CA(ctx->
ctx, sk_X509_value(ca,
i)))
1002 "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
1014 if (ca && sk_X509_num(ca))
1016 for (
i = 0;
i < sk_X509_num(ca);
i++)
1018 if (!SSL_CTX_add_extra_chain_cert(ctx->
ctx, sk_X509_value(ca,
i)))
1022 "Cannot add extra certificate to chain (SSL_CTX_add_extra_chain_cert)");
1030#ifdef ENABLE_CRYPTOAPI
1039 crypto_msg(
M_FATAL,
"Cannot load certificate \"%s\" from Microsoft Certificate Store",
1052 if (!PEM_read_bio_X509(bio, &cert, NULL, NULL))
1058 if (optional && ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE)
1061 (void)ERR_get_error();
1069 if (SSL_CTX_add_extra_chain_cert(ctx->
ctx, cert) != 1)
1081#if defined(HAVE_OPENSSL_STORE_API)
1091#if defined(HAVE_OPENSSL_STORE_API)
1094 OSSL_STORE_CTX *store_ctx = NULL;
1095 OSSL_STORE_INFO *info = NULL;
1099 UI_METHOD *ui_method = UI_create_method(
"openvpn");
1102 msg(
M_WARN,
"OpenSSL UI method creation failed");
1105 UI_method_set_reader(ui_method, ui_reader);
1108 OSSL_STORE_open_ex(uri,
tls_libctx, NULL, ui_method, tls_ctx->
ctx, NULL, NULL, NULL);
1113 if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_CERT) != 1)
1120 info = OSSL_STORE_load(store_ctx);
1121 if (info || OSSL_STORE_eof(store_ctx))
1129 clear_ossl_store_error(store_ctx);
1136 x = OSSL_STORE_INFO_get0_CERT(info);
1143 ret = SSL_CTX_use_certificate(tls_ctx->
ctx, x);
1148 OSSL_STORE_INFO_free(info);
1152 while (!OSSL_STORE_eof(store_ctx))
1154 info = OSSL_STORE_load(store_ctx);
1157 clear_ossl_store_error(store_ctx);
1160 x = OSSL_STORE_INFO_get1_CERT(info);
1161 if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->
ctx, x) != 1)
1167 OSSL_STORE_INFO_free(info);
1182 UI_destroy_method(ui_method);
1183 OSSL_STORE_INFO_free(info);
1184 OSSL_STORE_close(store_ctx);
1199 if (cert_file_inline)
1201 in = BIO_new_mem_buf((
char *)cert_file, -1);
1205 in = BIO_new_file((
char *)cert_file,
"r");
1210 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_SYS_LIB);
1214 x = PEM_read_bio_X509(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->
ctx),
1215 SSL_CTX_get_default_passwd_cb_userdata(ctx->
ctx));
1218 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
1222 ret = SSL_CTX_use_certificate(ctx->
ctx, x);
1232 if (cert_file_inline)
1265 bool priv_key_file_inline)
1267 SSL_CTX *ssl_ctx = NULL;
1269 EVP_PKEY *pkey = NULL;
1276 if (priv_key_file_inline)
1278 in = BIO_new_mem_buf((
char *)priv_key_file, -1);
1283 pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->
ctx),
1284 SSL_CTX_get_default_passwd_cb_userdata(ctx->
ctx));
1291 if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
1293#ifdef ENABLE_MANAGEMENT
1294 if (
management && (ERR_GET_REASON(ERR_peek_error()) == EVP_R_BAD_DECRYPT))
1305 if (!SSL_CTX_check_private_key(ssl_ctx))
1312 EVP_PKEY_free(pkey);
1322 X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->
ctx);
1331 STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
1332 for (
int i = 0;
i < sk_X509_OBJECT_num(objs);
i++)
1334 X509_OBJECT *obj = sk_X509_OBJECT_value(objs,
i);
1336 if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
1338 sk_X509_OBJECT_delete(objs,
i);
1339 X509_OBJECT_free(obj);
1343 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1347 in = BIO_new_mem_buf((
char *)crl_file, -1);
1351 in = BIO_new_file(crl_file,
"r");
1360 int num_crls_loaded = 0;
1363 X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
1369 bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE;
1371 if (num_crls_loaded > 0 && eof)
1374 (void)ERR_get_error();
1383 if (!X509_STORE_add_crl(store, crl))
1393 msg(
M_INFO,
"CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file);
1399#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER)
1403rsa_pub_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1411rsa_pub_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1419rsa_priv_dec(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1432 const RSA_METHOD *meth = RSA_get_method(rsa);
1433 RSA_meth_free((RSA_METHOD *)meth);
1446 case RSA_PKCS1_PADDING:
1447 return "RSA_PKCS1_PADDING";
1449 case RSA_NO_PADDING:
1450 return "RSA_NO_PADDING";
1470 unsigned int siglen,
const char *algorithm)
1472 char *in_b64 = NULL;
1473 char *out_b64 = NULL;
1494rsa_priv_enc(
int flen,
const unsigned char *from,
unsigned char *to, RSA *rsa,
int padding)
1496 unsigned int len = RSA_size(rsa);
1499 if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING)
1501 RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
1507 return (ret == len) ? ret : -1;
1514 RSA_METHOD *rsa_meth;
1518 const RSA *pub_rsa = EVP_PKEY_get0_RSA(pkey);
1522 rsa_meth = RSA_meth_new(
"OpenVPN external private key RSA Method", RSA_METHOD_FLAG_NO_CHECK);
1528 RSA_meth_set_init(rsa_meth, NULL);
1530 RSA_meth_set0_app_data(rsa_meth, NULL);
1536 SSLerr(SSL_F_SSL_USE_PRIVATEKEY, ERR_R_MALLOC_FAILURE);
1541 const BIGNUM *n = NULL;
1542 const BIGNUM *e = NULL;
1543 RSA_get0_key(pub_rsa, &n, &e, NULL);
1544 RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
1545 RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
1546 if (!RSA_set_method(rsa, rsa_meth))
1548 RSA_meth_free(rsa_meth);
1554 if (!SSL_CTX_use_RSAPrivateKey(ctx->
ctx, rsa))
1569 RSA_meth_free(rsa_meth);
1574#if !defined(OPENSSL_NO_EC)
1581 const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec);
1582 EC_KEY_METHOD_free((EC_KEY_METHOD *)ec_meth);
1590ecdsa_sign(
int type,
const unsigned char *dgst,
int dgstlen,
unsigned char *sig,
1591 unsigned int *siglen,
const BIGNUM *kinv,
const BIGNUM *r, EC_KEY *ec)
1593 int capacity = ECDSA_size(ec);
1621ecdsa_sign_sig(
const unsigned char *dgst,
int dgstlen,
const BIGNUM *in_kinv,
const BIGNUM *in_r,
1624 ECDSA_SIG *ecsig = NULL;
1625 unsigned int len = ECDSA_size(ec);
1629 if (
ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec) != 1)
1634 ecsig = d2i_ECDSA_SIG(NULL, (
const unsigned char **)&buf, len);
1645 EVP_PKEY *privkey = NULL;
1646 EC_KEY_METHOD *ec_method;
1650 ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL());
1658#ifdef OPENSSL_IS_AWSLC
1664 ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey));
1667 EC_KEY_METHOD_free(ec_method);
1670 if (!EC_KEY_set_method(ec, ec_method))
1672 EC_KEY_METHOD_free(ec_method);
1677 privkey = EVP_PKEY_new();
1678 if (!EVP_PKEY_assign_EC_KEY(privkey, ec))
1684 if (!SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1690 EVP_PKEY_free(privkey);
1695 EVP_PKEY_free(privkey);
1702#ifdef ENABLE_MANAGEMENT
1710 X509 *cert = SSL_CTX_get0_certificate(ctx->
ctx);
1715 EVP_PKEY *pkey = X509_get0_pubkey(cert);
1718#ifdef HAVE_XKEY_PROVIDER
1719 EVP_PKEY *privkey = xkey_load_management_key(
tls_libctx, pkey);
1720 if (!privkey || !SSL_CTX_use_PrivateKey(ctx->
ctx, privkey))
1722 EVP_PKEY_free(privkey);
1725 EVP_PKEY_free(privkey);
1727#if OPENSSL_VERSION_NUMBER < 0x30000000L
1728 if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
1730 if (EVP_PKEY_is_a(pkey,
"RSA"))
1738#if !defined(OPENSSL_NO_EC)
1739#if OPENSSL_VERSION_NUMBER < 0x30000000L
1740 else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)
1742 else if (EVP_PKEY_is_a(pkey,
"EC"))
1752 crypto_msg(
M_WARN,
"management-external-key requires an RSA or EC certificate");
1779 return X509_NAME_cmp(*a, *b);
1784 const char *ca_path,
bool tls_server)
1786 STACK_OF(X509_INFO) *info_stack = NULL;
1787 STACK_OF(X509_NAME) *cert_names = NULL;
1788 X509_LOOKUP *lookup = NULL;
1789 X509_STORE *store = NULL;
1790 X509_NAME *xn = NULL;
1792 int i, added = 0, prev = 0;
1796 store = SSL_CTX_get_cert_store(ctx->
ctx);
1807 in = BIO_new_mem_buf((
char *)ca_file, -1);
1811 in = BIO_new_file(ca_file,
"r");
1816 info_stack = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
1821 for (
i = 0;
i < sk_X509_INFO_num(info_stack);
i++)
1823 X509_INFO *info = sk_X509_INFO_value(info_stack,
i);
1826 X509_STORE_add_crl(store, info->crl);
1829 if (tls_server && !info->x509)
1836 X509_STORE_add_cert(store, info->x509);
1845 if (cert_names == NULL)
1854 xn = X509_get_subject_name(info->x509);
1861 if (sk_X509_NAME_find(cert_names, xn) == -1)
1863 xn = X509_NAME_dup(xn);
1868 sk_X509_NAME_push(cert_names, xn);
1874 int cnum = sk_X509_NAME_num(cert_names);
1875 if (cnum != (prev + 1))
1878 "Cannot load CA certificate file %s (entry %d did not validate)",
1884 sk_X509_INFO_pop_free(info_stack, X509_INFO_free);
1889 cnum = sk_X509_NAME_num(cert_names);
1890 SSL_CTX_set_client_CA_list(ctx->
ctx, cert_names);
1895 crypto_msg(
M_FATAL,
"Cannot load CA certificate file %s (no entries were read)",
1904 "Cannot load CA certificate file %s (only %d "
1905 "of %d entries were valid X509 names)",
1916 lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
1917 if (lookup && X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
1919 msg(
M_WARN,
"WARNING: experimental option --capath %s", ca_path);
1925 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1931 bool extra_certs_file_inline)
1934 if (extra_certs_file_inline)
1936 in = BIO_new_mem_buf((
char *)extra_certs_file, -1);
1940 in = BIO_new_file(extra_certs_file,
"r");
1969#warning BIO_DEBUG defined
1972static bool biofp_toggle;
1973static time_t biofp_last_open;
1974static const int biofp_reopen_interval = 600;
1989 const time_t current = time(NULL);
1990 const pid_t pid = getpid();
1992 if (biofp_last_open + biofp_reopen_interval < current)
1999 snprintf(fn,
sizeof(fn),
"bio/%d-%d.log", pid, biofp_toggle);
2000 biofp = fopen(fn,
"w");
2002 biofp_last_open = time(NULL);
2008bio_debug_data(
const char *mode, BIO *bio,
const uint8_t *buf,
int len,
const char *desc)
2014 fprintf(biofp,
"BIO_%s %s time=%" PRIi64
" bio=" ptr_format " len=%d data=%s\n", mode, desc,
2022bio_debug_oc(
const char *mode, BIO *bio)
2025 fprintf(biofp,
"BIO %s time=%" PRIi64
" bio=" ptr_format "\n", mode, (int64_t)time(NULL),
2036bio_write(BIO *bio,
const uint8_t *data,
int size,
const char *desc)
2050 bio_debug_data(
"write", bio, data, size, desc);
2052 i = BIO_write(bio, data, size);
2056 if (!BIO_should_retry(bio))
2112 int i = BIO_read(bio,
BPTR(buf), len);
2117 bio_debug_data(
"read", bio,
BPTR(buf),
i, desc);
2123 if (!BIO_should_retry(bio))
2153 ks_ssl->
ssl = SSL_new(ssl_ctx->
ctx);
2168 bio_debug_oc(
"open ssl_bio", ks_ssl->
ssl_bio);
2169 bio_debug_oc(
"open ct_in", ks_ssl->
ct_in);
2170 bio_debug_oc(
"open ct_out", ks_ssl->
ct_out);
2175 SSL_set_accept_state(ks_ssl->
ssl);
2179 SSL_set_connect_state(ks_ssl->
ssl);
2183 BIO_set_ssl(ks_ssl->
ssl_bio, ks_ssl->
ssl, BIO_NOCLOSE);
2189 SSL_set_shutdown(ks_ssl->
ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2198 bio_debug_oc(
"close ssl_bio", ks_ssl->
ssl_bio);
2199 bio_debug_oc(
"close ct_in", ks_ssl->
ct_in);
2200 bio_debug_oc(
"close ct_out", ks_ssl->
ct_out);
2202 BIO_free_all(ks_ssl->
ssl_bio);
2203 SSL_free(ks_ssl->
ssl);
2282 const char *curve =
"";
2283 const char *type =
"(error getting type)";
2291 int typeid = EVP_PKEY_id(pkey);
2292#if OPENSSL_VERSION_NUMBER < 0x30000000L
2293 bool is_ec =
typeid == EVP_PKEY_EC;
2295 bool is_ec = EVP_PKEY_is_a(pkey,
"EC");
2298#ifndef OPENSSL_NO_EC
2309 curve =
"(error getting curve name)";
2315#if OPENSSL_VERSION_NUMBER < 0x30000000L
2316 type = OBJ_nid2sn(
typeid);
2320 if (
typeid == EVP_PKEY_RSA)
2324 else if (
typeid == EVP_PKEY_DSA)
2328 else if (
typeid == EVP_PKEY_EC)
2331 type =
"EC, curve ";
2333 else if (type == NULL)
2335 type =
"unknown type";
2338 type = EVP_PKEY_get0_type_name(pkey);
2341 type =
"(error getting public key type)";
2346 snprintf(buf, buflen,
"%d bits %s%s", EVP_PKEY_bits(pkey), type, curve);
2358 EVP_PKEY *pkey = X509_get_pubkey(cert);
2359 char pkeybuf[64] = { 0 };
2362 char sig[128] = { 0 };
2363 int signature_nid = X509_get_signature_nid(cert);
2364 if (signature_nid != 0)
2366 snprintf(sig,
sizeof(sig),
", signature: %s", OBJ_nid2sn(signature_nid));
2369 snprintf(buf, buflen,
", peer certificate: %s%s", pkeybuf, sig);
2371 EVP_PKEY_free(pkey);
2377 EVP_PKEY *pkey = NULL;
2378 SSL_get_peer_tmp_key(ssl, &pkey);
2384 char pkeybuf[128] = { 0 };
2387 snprintf(buf, buflen,
", peer temporary key: %s", pkeybuf);
2389 EVP_PKEY_free(pkey);
2392#if !defined(LIBRESSL_VERSION_NUMBER) \
2393 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2418 return "(error getting name)";
2421 return OBJ_nid2sn(nid);
2433 int peer_sig_type_nid = NID_undef;
2434 const char *peer_sig_unknown =
"unknown";
2435 const char *peer_sig = peer_sig_unknown;
2436 const char *peer_sig_type =
"unknown type";
2445#if !defined(LIBRESSL_VERSION_NUMBER) \
2446 || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3090000fL)
2449 if (SSL_get_peer_signature_type_nid(ssl, &peer_sig_type_nid) && peer_sig_type_nid != NID_undef)
2455 if (peer_sig == peer_sig_unknown && peer_sig_type_nid == NID_undef)
2460 snprintf(buf, buflen,
", peer signing digest/type: %s %s", peer_sig, peer_sig_type);
2463#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2465print_tls_key_agreement_group(SSL *ssl,
char *buf,
size_t buflen)
2467 const char *groupname = SSL_get0_group_name(ssl);
2470 snprintf(buf, buflen,
", key agreement: (error fetching group)");
2474 snprintf(buf, buflen,
", key agreement: %s", groupname);
2489 const SSL_CIPHER *ciph;
2496 s1[0] = s2[0] = s3[0] = s4[0] = s5[0] = 0;
2497 ciph = SSL_get_current_cipher(ks_ssl->
ssl);
2498 snprintf(s1,
sizeof(s1),
"%s %s, cipher %s %s", prefix, SSL_get_version(ks_ssl->
ssl),
2499 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
2500 X509 *cert = SSL_get_peer_certificate(ks_ssl->
ssl);
2509#if OPENSSL_VERSION_NUMBER >= 0x30000000L
2510 print_tls_key_agreement_group(ks_ssl->
ssl, s5,
sizeof(s5));
2521 tls_ctx.
ctx = SSL_CTX_new(SSLv23_method());
2527#if defined(TLS1_3_VERSION)
2536 SSL_CTX_set_max_proto_version(tls_ctx.
ctx, TLS1_2_VERSION);
2542 SSL *ssl = SSL_new(tls_ctx.
ctx);
2548#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC)
2549 STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
2551 STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
2553 for (
int i = 0;
i < sk_SSL_CIPHER_num(sk);
i++)
2555 const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk,
i);
2557 const char *cipher_name = SSL_CIPHER_get_name(c);
2564 printf(
"%s\n", cipher_name);
2566 else if (NULL == pair)
2569 printf(
"%s (No IANA name known to OpenVPN, use OpenSSL name.)\n", cipher_name);
2576#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
2577 sk_SSL_CIPHER_free(sk);
2580 SSL_CTX_free(tls_ctx.
ctx);
2590 printf(
"Consider using 'openssl ecparam -list_curves' as alternative to running\n"
2592 "Note this output does only list curves/groups that OpenSSL considers as\n"
2593 "builtin EC curves. It does not list additional curves nor X448 or X25519\n");
2594#ifndef OPENSSL_NO_EC
2595 EC_builtin_curve *curves = NULL;
2599 crv_len = EC_get_builtin_curves(NULL, 0);
2601 if (EC_get_builtin_curves(curves, crv_len))
2603 printf(
"\nAvailable Elliptic curves/groups:\n");
2604 for (n = 0; n < crv_len; n++)
2607 sname = OBJ_nid2sn(curves[n].nid);
2613 printf(
"%s\n", sname);
2622 msg(
M_WARN,
"Your OpenSSL library was built without elliptic curve support. "
2623 "No curves available.");
2630 return OpenSSL_version(OPENSSL_VERSION);
2635#ifdef HAVE_XKEY_PROVIDER
2639 const char *name = OSSL_PROVIDER_get0_name(prov);
2640 OSSL_PROVIDER_load(dest_libctx, name);
2648 OSSL_PROVIDER_unload(prov);
2663#ifdef HAVE_XKEY_PROVIDER
2676 OSSL_PROVIDER_do_all(NULL, provider_load,
tls_libctx);
2679 if (!OSSL_PROVIDER_available(
tls_libctx,
"ovpn.xkey"))
2681 OSSL_PROVIDER_add_builtin(
tls_libctx,
"ovpn.xkey", xkey_provider_init);
2682 if (!OSSL_PROVIDER_load(
tls_libctx,
"ovpn.xkey"))
2684 msg(
M_NONFATAL,
"ERROR: failed loading external key provider: "
2685 "Signing with external keys will not work.");
2695 EVP_set_default_properties(
tls_libctx,
"?provider!=ovpn.xkey");
2706#ifdef HAVE_XKEY_PROVIDER
2709 OSSL_PROVIDER_do_all(
tls_libctx, provider_unload, NULL);
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
char * string_alloc(const char *str, struct gc_arena *gc)
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
static int buf_forward_capacity(const struct buffer *buf)
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
static void check_malloc_return(void *p)
static void gc_free(struct gc_arena *a)
#define ALLOC_ARRAY(dptr, type, n)
static struct gc_arena gc_new(void)
char * strsep(char **stringp, const char *delim)
const char * print_key_filename(const char *str, bool is_inline)
To be used when printing a string that may contain inline data.
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
#define crypto_msg(flags,...)
Retrieve any OpenSSL errors, then print the supplied error message.
int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
#define D_HANDSHAKE_VERBOSE
#define KS_PRIMARY
Primary key state index.
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
int verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, uint32_t *flags)
Verify that the remote OpenVPN peer's certificate allows setting up a VPN tunnel.
static int constrain_int(int x, int min, int max)
static SERVICE_STATUS status
void management_auth_failure(struct management *man, const char *type, const char *reason)
char * management_query_pk_sig(struct management *man, const char *b64_data, const char *algorithm)
#define VALGRIND_MAKE_READABLE(addr, len)
void purge_user_pass(struct user_pass *up, const bool force)
#define GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_PASSWORD_ONLY
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
OpenSSL compatibility stub.
static int SSL_get0_peer_signature_name(SSL *ssl, const char **sigalg)
static int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, size_t *gname_len)
#define SSL_CTX_set1_groups
#define SSL_CTX_new_ex(libctx, propq, method)
Reduce SSL_CTX_new_ex() to SSL_CTX_new() for OpenSSL < 3.
static void perf_push(int type)
#define PERF_BIO_READ_PLAINTEXT
#define PERF_BIO_WRITE_CIPHERTEXT
static void perf_pop(void)
#define PERF_BIO_READ_CIPHERTEXT
#define PERF_BIO_WRITE_PLAINTEXT
int openvpn_base64_decode(const char *str, void *data, int size)
int openvpn_base64_encode(const void *data, int size, char **str)
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Control Channel SSL library backend module.
Control Channel Common Data Structures.
#define SSLF_TLS_VERSION_MAX_SHIFT
#define UP_TYPE_PRIVATE_KEY
#define SSLF_CLIENT_CERT_OPTIONAL
#define SSLF_CLIENT_CERT_NOT_REQUIRED
#define SSLF_TLS_VERSION_MAX_MASK
#define SSLF_TLS_VERSION_MIN_SHIFT
#define SSLF_TLS_VERSION_MIN_MASK
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
static int bio_read(BIO *bio, struct buffer *buf, const char *desc)
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
static void openvpn_extkey_ec_finish(EC_KEY *ec)
static bool tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags)
static int bio_write(BIO *bio, const uint8_t *data, int size, const char *desc)
static int openvpn_extkey_rsa_finish(RSA *rsa)
static int tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
static int openssl_tls_version(int ver)
Convert internal version number to openssl version number.
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
void load_xkey_provider(void)
Some helper routines for provider load/unload.
static void print_pkey_details(EVP_PKEY *pkey, char *buf, size_t buflen)
static void print_server_tempkey(SSL *ssl, char *buf, size_t buflen)
static int rsa_pub_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional)
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
static void * load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx)
Load private key from OSSL_STORE URI or file uri : URI of object or filename ssl_ctx : SSL_CTX for UI...
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
void show_available_curves(void)
Show the available elliptic curves in the crypto library.
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
static int ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec)
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
static void print_peer_signature(SSL *ssl, char *buf, size_t buflen)
Get the type of the signature that is used by the peer during the TLS handshake.
OSSL_LIB_CTX * tls_libctx
static const char * get_sigtype(int nid)
Translate an OpenSSL NID into a more human readable name.
int mydata_index
Allocate space in SSL objects in which to store a struct tls_session pointer back to parent.
static void print_cert_details(X509 *cert, char *buf, size_t buflen)
Print human readable information about the certificate into buf.
static int ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
static bool cert_uri_supported(void)
static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
#define INFO_CALLBACK_SSL_CONST
static int rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void bio_write_post(const int status, struct buffer *buf)
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
bool tls_ctx_initialised(struct tls_root_ctx *ctx)
Checks whether the given TLS context is initialised.
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
static void unload_xkey_provider(void)
Undo steps in load_xkey_provider.
const char * get_rsa_padding_name(const int padding)
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
static int get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, unsigned char *sig, unsigned int siglen, const char *algorithm)
Pass the input hash in 'dgst' to management and get the signature back.
static void tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri)
static int rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
static void convert_tls_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
static void tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
static void info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret)
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
static int tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey)
static ECDSA_SIG * ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec)
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
static void convert_tls13_list_to_openssl(char *openssl_ciphers, size_t len, const char *ciphers)
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
int get_num_elements(const char *string, char delimiter)
Returns the occurrences of 'delimiter' in a string +1 This is typically used to find out the number e...
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Control Channel Verification Module OpenSSL backend.
Wrapper structure for dynamically allocated memory.
int len
Length in bytes of the actual content within the allocated memory.
Garbage collection arena used to keep track of dynamically allocated memory.
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name.
const char * openssl_name
Structure that wraps the TLS context.
Security parameter state of a single session within a VPN tunnel.
char password[USER_PASS_LEN]
static int cleanup(void **state)