15#ifndef OPENVPN_MBEDTLS_SSL_SSLCTX_H
16#define OPENVPN_MBEDTLS_SSL_SSLCTX_H
24#include <mbedtls/ssl.h>
25#include <mbedtls/oid.h>
26#include <mbedtls/sha1.h>
27#include <mbedtls/debug.h>
28#include <mbedtls/asn1.h>
29#include <mbedtls/version.h>
59namespace mbedtls_ctx_private {
62#if MBEDTLS_VERSION_NUMBER < 0x03000000
74const int ciphersuites[] =
77 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
78 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
79 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
80 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
82 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
83 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
86 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
87 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
88 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
89 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
91 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
92 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
95 MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
96 MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
98 MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
101 MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384,
102 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256,
103 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
104 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
105 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
106 MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
108 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
109 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
110 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
113 MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256,
114 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
115 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
116 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
117 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
118 MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
120 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
121 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
122 MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
125 MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
126 MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
128 MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
137#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
141const mbedtls_x509_crt_profile crt_profile_insecure =
143 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_MD5)
144 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1)
145 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)
146 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224)
147 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
148 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384)
149 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
156const mbedtls_x509_crt_profile crt_profile_legacy =
158 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1)
159 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160)
160 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224)
161 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
162 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384)
163 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
169const mbedtls_x509_crt_profile crt_profile_preferred =
171 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256)
172 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384)
173 | MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
182#if MBEDTLS_VERSION_NUMBER >= 0x03000000
191#if MBEDTLS_VERSION_NUMBER >= 0x03000000
192 return curve_info->tls_id;
194 return curve_info->grp_id;
198#if MBEDTLS_VERSION_NUMBER < 0x03000000
202 mbedtls_ssl_conf_curves(conf, groups);
299 void load_ca(
const std::string &ca_txt,
bool strict)
override
302 c->parse(ca_txt,
"ca", strict);
324 if (!extra_certs_txt.empty())
325 c->parse(extra_certs_txt,
"extra-certs",
true);
337 void load_dh(
const std::string &dh_txt)
override
340 mydh->parse(dh_txt,
"server-config");
347 return std::string();
354 return std::string();
361 return std::string();
368 return std::vector<std::string>();
375 return std::string();
382 return std::string();
383 return dh->extract();
451 if (!
override.empty())
525 && opt.
exists(
"client-cert-not-required"))
530 const std::string name = opt.
get_optional(
"sni", 1, 256);
537 std::string ca_txt = opt.
cat(
"ca");
539 ca_txt += opt.
cat(
"relay-extra-ca");
545 const std::string crl_txt = opt.
cat(
"crl-verify");
546 if (!crl_txt.empty())
556 const std::string ec_txt = opt.
cat(
"extra-certs");
576 std::string relay_prefix;
578 relay_prefix =
"relay-";
596#if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_3)
598#elif defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_2)
610 if (opt.
exists(
"tls-cipher"))
613 if (opt.
exists(
"tls-groups"))
621#ifdef OPENVPN_JSON_INTERNAL
622 SSLConfigAPI::Ptr json_override(
const Json::Value &root,
const bool load_cert_key)
const override
653#ifdef OPENVPN_ALLOW_INSECURE_CERTPROFILE
654 case TLSCertProfile::INSECURE:
655 return &mbedtls_ctx_private::crt_profile_insecure;
658 return &mbedtls_ctx_private::crt_profile_legacy;
660 return &mbedtls_ctx_private::crt_profile_preferred;
662 return &mbedtls_x509_crt_profile_suiteb;
685 std::vector<unsigned int>
ku;
717 mbedtls_ssl_handshake(
ssl);
722 const int status = mbedtls_ssl_write(
ssl, (
const unsigned char *)data, size);
740 const int status = mbedtls_ssl_read(
ssl, (
unsigned char *)data, capacity);
745 else if (status == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
756 throw ssl_ciphertext_in_overflow();
794 const char *ver = mbedtls_ssl_get_version(
ssl);
795 const char *cs = mbedtls_ssl_get_ciphersuite(
ssl);
797 return ver + std::string(
"/") + cs;
834 int endpoint, status;
842 endpoint = MBEDTLS_SSL_IS_SERVER;
846 endpoint = MBEDTLS_SSL_IS_CLIENT;
851 sslconf =
new mbedtls_ssl_config;
852 mbedtls_ssl_config_init(
sslconf);
853 mbedtls_ssl_config_defaults(
sslconf,
855 MBEDTLS_SSL_TRANSPORT_STREAM,
856 MBEDTLS_SSL_PRESET_DEFAULT);
862 ssl =
new mbedtls_ssl_context;
863 mbedtls_ssl_init(
ssl);
866#if MBEDTLS_VERSION_NUMBER > 0x03000000
867 mbedtls_ssl_protocol_version version;
872 version = MBEDTLS_SSL_VERSION_TLS1_2;
876 version = MBEDTLS_SSL_VERSION_TLS1_3;
879 mbedtls_ssl_conf_min_tls_version(
sslconf, version);
885#if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_1)
887 major = MBEDTLS_SSL_MAJOR_VERSION_3;
888 minor = MBEDTLS_SSL_MINOR_VERSION_1;
891#if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_2)
893 major = MBEDTLS_SSL_MAJOR_VERSION_3;
894 minor = MBEDTLS_SSL_MINOR_VERSION_2;
897#if defined(MBEDTLS_SSL_MAJOR_VERSION_3) && defined(MBEDTLS_SSL_MINOR_VERSION_3)
900 major = MBEDTLS_SSL_MAJOR_VERSION_3;
901 minor = MBEDTLS_SSL_MINOR_VERSION_3;
905 mbedtls_ssl_conf_min_version(
sslconf, major, minor);
909 mbedtls_ssl_conf_max_version(
sslconf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
922 authmode = MBEDTLS_SSL_VERIFY_NONE;
926 authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
928 mbedtls_ssl_conf_authmode(
sslconf, authmode);
941 mbedtls_ssl_conf_renegotiation(
sslconf, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
949#if MBEDTLS_VERSION_NUMBER < 0x03000000
951 mbedtls_ssl_conf_ciphersuites(
sslconf, mbedtls_ctx_private::ciphersuites);
961 mbedtls_ssl_conf_ca_chain(
sslconf,
971 if (mbedtls_ssl_set_hostname(
ssl, use_hostname ? hostname :
nullptr))
982 if (mbedtls_pk_get_type(&c.
crt_chain.
get()->get()->pk) == MBEDTLS_PK_RSA)
989 throw MbedTLSException(
"cert has unsupported type for external pki support");
1008 status = mbedtls_ssl_conf_dh_param_ctx(
sslconf, c.
dh->
get());
1037#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
1038 mbedtls_ssl_conf_cbc_record_splitting(
sslconf,
1039 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED);
1056 std::unique_ptr<mbedtls_compat_group_id[]>
groups;
1064 auto num_ciphers = std::count(cipher_list.begin(), cipher_list.end(),
':') + 1;
1068 std::stringstream cipher_list_ss(cipher_list);
1069 std::string ciphersuite;
1072 while (std::getline(cipher_list_ss, ciphersuite,
':'))
1076 if (pair && pair->
iana_name != ciphersuite)
1083 auto cipher_id = mbedtls_ssl_get_ciphersuite_id(ciphersuite.c_str());
1093 OVPN_LOG_INFO(
"mbed TLS -- warning ignoring unknown cipher suite '"
1094 << ciphersuite <<
"' in tls-cipher");
1105 auto num_groups = std::count(tls_groups.begin(), tls_groups.end(),
':') + 1;
1110 std::stringstream groups_ss(tls_groups);
1114 while (std::getline(groups_ss, group,
':'))
1116 const mbedtls_ecp_curve_info *ci = mbedtls_ecp_curve_info_from_name(group.c_str());
1125 OVPN_LOG_INFO(
"mbed TLS -- warning ignoring unknown group '"
1126 << group <<
"' in tls-groups");
1140 const size_t actual = self->
ct_in.
read(data, length);
1173 static void dbg_callback(
void *arg,
int level,
const char *filename,
int linenum,
const char *text)
1176 if (level <= self->
config->ssl_debug_level)
1177 OPENVPN_LOG_NTNL(
"mbed TLS[" << filename <<
":" << linenum <<
" " << level <<
"]: "
1194 mbedtls_ssl_free(
ssl);
1195 mbedtls_ssl_config_free(
sslconf);
1228 return SSL::Ptr(
new SSL(
this, hostname ? hostname->c_str() :
nullptr));
1248 static void load_cert_info_into_authcert(
AuthCert &authcert,
const std::string &
cert_txt)
1292#if MBEDTLS_VERSION_NUMBER < 0x03000000
1294 return bool(cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER);
1296 return bool(cert->ns_cert_type & MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT);
1313 for (std::vector<unsigned int>::const_iterator i =
config->
ku.begin(); i !=
config->
ku.end(); ++i)
1315 if (mbedtls_x509_crt_check_key_usage(cert, *i))
1333 mbedtls_x509_sequence *oid_seq = &cert->ext_key_usage;
1334 while (oid_seq !=
nullptr)
1336 mbedtls_x509_buf *oid = &oid_seq->buf;
1340 const char *oid_str;
1341 const int status = mbedtls_oid_get_extended_key_usage(oid, &oid_str);
1342 if (status >= 0 &&
config->
eku == oid_str)
1348 char oid_num_str[256];
1349 const int status = mbedtls_oid_get_numeric_string(oid_num_str,
sizeof(oid_num_str), oid);
1350 if (status >= 0 &&
config->
eku == oid_num_str)
1353 oid_seq = oid_seq->next;
1361 std::ostringstream
os;
1362 std::string status_str =
"OK";
1367 <<
" : depth=" << depth
1388#if MBEDTLS_VERSION_NUMBER < 0x03000000
1389 if (cert->sig_md == MBEDTLS_MD_MD5)
1394 if (cert->sig_md == MBEDTLS_MD_SHA1)
1406 OVPN_LOG_INFO(
"VERIFY FAIL -- bad ns-cert-type in leaf certificate");
1413 OVPN_LOG_INFO(
"VERIFY FAIL -- bad X509 key usage in leaf certificate");
1420 OVPN_LOG_INFO(
"VERIFY FAIL -- bad X509 extended key usage in leaf certificate");
1465 *
flags |= MBEDTLS_X509_BADCERT_OTHER;
1487 else if (depth == 0)
1492 OVPN_LOG_INFO(
"VERIFY FAIL -- bad ns-cert-type in leaf certificate");
1499 OVPN_LOG_INFO(
"VERIFY FAIL -- bad X509 key usage in leaf certificate");
1506 OVPN_LOG_INFO(
"VERIFY FAIL -- bad X509 extended key usage in leaf certificate");
1518 ssl->authcert->defined_ =
true;
1523 *
flags |= MBEDTLS_X509_BADCERT_OTHER;
1530 static std::string
cert_info(
const mbedtls_x509_crt *cert,
const char *prefix =
nullptr)
1532 const size_t buf_size = 4096;
1533 std::unique_ptr<char[]> buf(
new char[buf_size]);
1534 const int size = mbedtls_x509_crt_info(buf.get(), buf_size, prefix ? prefix :
"", cert);
1536 return std::string(buf.get());
1538 return "error rendering cert";
1546#
if MBEDTLS_VERSION_NUMBER < 0x03000000
1550 const unsigned char *
input,
1551 unsigned char *output,
1552 size_t output_max_len)
1554 OVPN_LOG_INFO(
"MbedTLSContext::epki_decrypt is unimplemented"
1555 <<
" output_max_len=" << output_max_len);
1557 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1561 int (*f_rng)(
void *,
unsigned char *,
size_t),
1563#
if MBEDTLS_VERSION_NUMBER < 0x03000000
1566 mbedtls_md_type_t md_alg,
1567 unsigned int hashlen,
1568 const unsigned char *hash,
1574#if MBEDTLS_VERSION_NUMBER < 0x03000000
1575 if (
mode == MBEDTLS_RSA_PRIVATE)
1580 size_t digest_prefix_len = 0;
1581 const unsigned char *digest_prefix =
nullptr;
1586 case MBEDTLS_MD_NONE:
1588 case MBEDTLS_MD_MD5:
1589 digest_prefix = PKCS1::DigestPrefix::MD5;
1590 digest_prefix_len =
sizeof(PKCS1::DigestPrefix::MD5);
1592 case MBEDTLS_MD_SHA1:
1593 digest_prefix = PKCS1::DigestPrefix::SHA1;
1594 digest_prefix_len =
sizeof(PKCS1::DigestPrefix::SHA1);
1596 case MBEDTLS_MD_SHA256:
1597 digest_prefix = PKCS1::DigestPrefix::SHA256;
1598 digest_prefix_len =
sizeof(PKCS1::DigestPrefix::SHA256);
1600 case MBEDTLS_MD_SHA384:
1601 digest_prefix = PKCS1::DigestPrefix::SHA384;
1602 digest_prefix_len =
sizeof(PKCS1::DigestPrefix::SHA384);
1604 case MBEDTLS_MD_SHA512:
1605 digest_prefix = PKCS1::DigestPrefix::SHA512;
1606 digest_prefix_len =
sizeof(PKCS1::DigestPrefix::SHA512);
1609 OVPN_LOG_INFO(
"MbedTLSContext::epki_sign unrecognized hash_id"
1610#
if MBEDTLS_VERSION_NUMBER < 0x03000000
1613 <<
" md_alg=" << md_alg <<
" hashlen=" << hashlen);
1614 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1619 if (digest_prefix_len)
1620 from_buf.
write(digest_prefix, digest_prefix_len);
1621 from_buf.
write(hash, hashlen);
1627 std::string sig_b64;
1633 const size_t len = self->
key_len();
1634 Buffer sigbuf(sig, len,
false);
1638 if (sigbuf.
size() != len)
1646 OVPN_LOG_INFO(
"MbedTLSContext::epki_sign unrecognized parameters"
1647#
if MBEDTLS_VERSION_NUMBER < 0x03000000
1650 <<
" md_alg=" << md_alg <<
" hashlen=" << hashlen);
1651 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1654 catch (
const std::exception &e)
1656 OPENVPN_LOG(
"MbedTLSContext::epki_sign exception: " << e.what());
1657 return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
1669 const mbedtls_x509_buf *s = &cert->serial;
1670 if (s->len > 0 && s->len <= authcert.
serial.
size())
1672 const size_t offset = authcert.
serial.
size() - s->len;
1674 std::memcpy(authcert.
serial.
number() + offset, s->p, s->len);
1680 const int SHA_DIGEST_LEN = 20;
1682#if MBEDTLS_VERSION_NUMBER < 0x02070000
1688 mbedtls_sha1(cert->raw.p, cert->raw.len, authcert->
issuer_fp);
1689#elif MBEDTLS_VERSION_NUMBER < 0x03000000
1690 if (mbedtls_sha1_ret(cert->raw.p, cert->raw.len, authcert.
issuer_fp))
1694 if (mbedtls_sha1(cert->raw.p, cert->raw.len, authcert.
issuer_fp))
1703 unsigned int ver = mbedtls_version_get_number();
1704 std::string version =
"mbed TLS "
1705 + std::to_string((ver >> 24) & 0xff)
1706 +
"." + std::to_string((ver >> 16) & 0xff)
1707 +
"." + std::to_string((ver >> 8) & 0xff);
const std::uint8_t * number() const
static constexpr size_t size()
std::uint8_t issuer_fp[20]
std::string encode(const V &data) const
size_t decode(void *data, size_t len, const std::string &str) const
size_t size() const
Returns the size of the buffer in T objects.
void write(const T *data, const size_t size)
Write data to the buffer.
virtual bool sign(const std::string &alias, const std::string &data, std::string &sig, const std::string &algorithm, const std::string &hashalg, const std::string &saltlen)=0
std::string validate_dh(const std::string &dh_txt) const override
void set_private_key_password(const std::string &pwd) override
void set_tls_version_min_override(const std::string &override) override
SSLFactoryAPI::Ptr new_factory() override
friend class MbedTLSContext
MbedTLSPKI::PKContext::Ptr priv_key
void set_external_pki_callback(ExternalPKIBase *external_pki_arg, const std::string &alias) override
std::string validate_crl(const std::string &crl_txt) const override
void set_client_session_tickets(const bool v) override
void set_ns_cert_type(const NSCert::Type ns_cert_type_arg) override
void set_tls_version_min(const TLSVersion::Type tvm) override
const Mode & get_mode() const override
void enable_legacy_algorithms(const bool v) override
void set_tls_cert_profile(const TLSCertProfile::Type type) override
std::string tls_cipher_list
void set_rng(const StrongRandomAPI::Ptr &rng_arg) override
const mbedtls_x509_crt_profile * select_crt_profile() const
void set_tls_cert_profile_override(const std::string &override) override
void load_cert(const std::string &cert_txt) override
ExternalPKIBase * external_pki
std::string extract_private_key() const override
void set_tls_remote(const std::string &tls_remote_arg) override
void load_ca(const std::string &ca_txt, bool strict) override
std::string external_pki_alias
std::string validate_cert_list(const std::string &certs_txt) const override
virtual void set_tls_ciphersuite_list(const std::string &override)
void set_session_ticket_handler(TLSSessionTicketBase *session_ticket_handler_arg) override
void load_private_key(const std::string &key_txt) override
std::string validate_cert(const std::string &cert_txt) const override
std::string extract_crl() const override
TLSCertProfile::Type tls_cert_profile
virtual void set_tls_cipher_list(const std::string &override)
void set_cn_reject_handler(CommonNameReject *cn_reject_handler_arg) override
void set_tls_version_max(const TLSVersion::Type tvm) override
void load_dh(const std::string &dh_txt) override
MbedTLSPKI::X509CRL::Ptr crl_chain
void load_cert(const std::string &cert_txt, const std::string &extra_certs_txt) override
void set_x509_track(X509Track::ConfigSet x509_track_config_arg) override
std::vector< std::string > extract_extra_certs() const override
std::string extract_cert() const override
std::string validate_private_key(const std::string &key_txt) const override
void load_crl(const std::string &crl_txt) override
void set_flags(const unsigned int flags_arg) override
MbedTLSPKI::X509Cert::Ptr crt_chain
VerifyX509Name verify_x509_name
void set_sni_handler(SNI::HandlerBase *sni_handler) override
void set_frame(const Frame::Ptr &frame_arg) override
X509Track::ConfigSet x509_track_config
std::vector< unsigned int > ku
MbedTLSRandom * get_mbed_random_class() const
void set_sni_name(const std::string &sni_name_arg) override
PKType::Type private_key_type() const override
void set_remote_cert_tls(const KUParse::TLSWebType wt) override
MbedTLSPKI::X509Cert::Ptr ca_chain
std::string extract_dh() const override
void set_debug_level(const int debug_level) override
NSCert::Type ns_cert_type
void set_mode(const Mode &mode_arg) override
virtual void set_tls_groups(const std::string &groups)
TLSVersion::Type tls_version_min
void load(const OptionList &opt, const unsigned int lflags) override
size_t private_key_length() const override
void set_local_cert_enabled(const bool v) override
std::string extract_ca() const override
MbedTLSContext * parent
Hold the array that is used for setting the curves.
ssize_t read_cleartext(void *data, const size_t capacity) override
std::unique_ptr< int[]> allowed_ciphers
void write_ciphertext_unbuffered(const unsigned char *data, const size_t size) override
mbedtls_ssl_config * sslconf
static int ct_write_func(void *arg, const unsigned char *data, size_t length)
void set_mbedtls_groups(const std::string &tls_groups)
void start_handshake() override
ssize_t write_cleartext_unbuffered(const void *data, const size_t size) override
void set_mbedtls_cipherlist(const std::string &cipher_list)
MbedTLSPKI::PKContext epki_ctx
void write_ciphertext(const BufferPtr &buf) override
std::unique_ptr< mbedtls_compat_group_id[]> groups
Hold the array that is used for setting the allowed ciphers.
bool export_keying_material(const std::string &label, unsigned char *, size_t size) override
SSL(MbedTLSContext *ctx, const char *hostname)
const AuthCert::Ptr & auth_cert() const override
static int rng_callback(void *arg, unsigned char *data, size_t len)
static void dbg_callback(void *arg, int level, const char *filename, int linenum, const char *text)
bool read_ciphertext_ready() const override
mbedtls_ssl_context * ssl
static int ct_read_func(void *arg, unsigned char *data, size_t length)
bool did_full_handshake() override
bool read_cleartext_ready() const override
std::string ssl_handshake_details() const override
BufferPtr read_ciphertext() override
void mark_no_cache() override
static void load_serial_number_into_authcert(AuthCert &authcert, const mbedtls_x509_crt *cert)
bool x509_cert_ku_defined() const
SSLAPI::Ptr ssl() override
bool x509_cert_eku_defined() const
bool verify_ns_cert_type(const mbedtls_x509_crt *cert) const
static int verify_callback_server(void *arg, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
bool verify_x509_cert_ku(const mbedtls_x509_crt *cert)
MbedTLSContext(Config *config_arg)
static constexpr bool support_key_material_export()
static int verify_callback_client(void *arg, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
SSLLib::Ctx libctx() override
const Mode & mode() const override
bool ns_cert_type_defined() const
static int epki_decrypt(void *arg, int mode, size_t *olen, const unsigned char *input, unsigned char *output, size_t output_max_len)
SSLAPI::Ptr ssl(const std::string *hostname, const std::string *cache_key) override
static int epki_sign(void *arg, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig)
static bool load_issuer_fingerprint_into_authcert(AuthCert &authcert, const mbedtls_x509_crt *cert)
virtual ~MbedTLSContext()
RCPtr< MbedTLSContext > Ptr
bool verify_x509_cert_eku(mbedtls_x509_crt *cert)
static size_t epki_key_len(void *arg)
static std::string cert_info(const mbedtls_x509_crt *cert, const char *prefix=nullptr)
static std::string status_string(const mbedtls_x509_crt *cert, const int depth, const uint32_t *flags)
static std::string mbedtls_verify_flags_errtext(const uint32_t flags)
void epki_enable(void *arg, mbedtls_pk_rsa_alt_decrypt_func epki_decrypt, mbedtls_pk_rsa_alt_sign_func epki_sign, mbedtls_pk_rsa_alt_key_len_func epki_key_len)
mbedtls_pk_context * get() const
void write_buf(const BufferPtr &bp)
void set_frame(const Frame::Ptr &frame)
void write(const unsigned char *data, size_t size)
size_t read(unsigned char *data, size_t len)
std::string get_optional(const std::string &name, size_t index, const size_t max_len) const
std::string cat(const std::string &name) const
const Option & get(const std::string &name) const
bool exists(const std::string &name) const
void reset() noexcept
Points this RCPtr<T> to nullptr safely.
T * get() const noexcept
Returns the raw pointer to the object T, or nullptr.
virtual bool rand_bytes_noexcept(unsigned char *buf, size_t size)=0
Fill a buffer with random bytes without throwing exceptions.
@ LF_ALLOW_CLIENT_CERT_NOT_REQUIRED
RCPtr< SSLFactoryAPI > Ptr
void init(const OptionList &opt, const std::string &relay_prefix)
bool verify(const std::string &value) const
@ VERIFY_X509_SUBJECT_RDN_PREFIX
@ VERIFY_X509_SUBJECT_RDN
#define OPENVPN_LOG_NTNL(args)
#define OPENVPN_LOG(args)
#define OVPN_LOG_INFO(args)
static int mbedtls_x509_crt_has_ext_type(const mbedtls_x509_crt *crt, int ext_type)
#define MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
void remote_cert_ku(const OptionList &opt, const std::string &relay_prefix, std::vector< unsigned int > &ku)
void remote_cert_tls(const TLSWebType wt, std::vector< unsigned int > &ku, std::string &eku)
void remote_cert_eku(const OptionList &opt, const std::string &relay_prefix, std::string &eku)
static std::string x509_get_common_name(const mbedtls_x509_crt *cert)
static std::string x509_get_subject(const mbedtls_x509_crt *cert, bool new_format=false)
Type ns_cert_type(const std::string &ct)
void apply_override(Type &type, const std::string &override)
Type default_if_undef(const Type type)
Type parse_tls_cert_profile(const std::string &profile_name)
std::string sanitize_x509_name(const std::string &str)
bool test(const std::string &tls_remote, const std::string &subject, const std::string &common_name)
std::string sanitize_common_name(const std::string &str)
void log(const std::string &tls_remote, const std::string &subject, const std::string &common_name)
void apply_override(Type &tvm, const std::string &override)
Type parse_tls_version_min(const std::string &ver, const bool or_highest, const Type max_version)
static mbedtls_compat_group_id mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info)
const tls_cipher_name_pair * tls_get_cipher_name_pair(const std::string &ciphername)
SSLFactoryAPI::ssl_external_pki ssl_external_pki
static void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups)
mbedtls_ecp_group_id mbedtls_compat_group_id
const std::string get_ssl_library_version()
const char * openssl_name
const std::string cert_txt
static const char * input[]