The SSL CTX is shared between all of the instances. So any change to the
SSL CTX will affect all instances. Currently the CRL is also reloaded
potentially multiple times as each copy of tls_root_ctx has its own
crl_last_mtime and crl_last_size values that will be checked if the CRL
reload is necessary.
Changing it to a pointer will make it more clear that this is shared
and also the CRL being reloaded multiple times.
Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: MaxF <max@max-fillinger.net>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431
Message-Id: <
20251216144207.12171-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35116.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx)
{
free_key_ctx_bi(&ks->static_key);
- if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
+ if (tls_ctx_initialised(ks->ssl_ctx) && free_ssl_ctx)
{
- tls_ctx_free(&ks->ssl_ctx);
+ tls_ctx_free(ks->ssl_ctx);
+ free(ks->ssl_ctx);
free_key_ctx(&ks->auth_token_key);
}
CLEAR(*ks);
{
const struct options *options = &c->options;
- if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
+ if (!tls_ctx_initialised(c->c1.ks.ssl_ctx))
{
/*
* Initialize the OpenSSL library's global
* SSL context.
*/
- init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set);
- if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx))
+ ASSERT(NULL == c->c1.ks.ssl_ctx);
+ c->c1.ks.ssl_ctx = init_ssl(options, c->c0 && c->c0->uid_gid_chroot_set);
+ if (!tls_ctx_initialised(c->c1.ks.ssl_ctx))
{
switch (auth_retry_get())
{
struct key_ctx_bi static_key;
/* our global SSL context */
- struct tls_root_ctx ssl_ctx;
+ struct tls_root_ctx *ssl_ctx;
/* optional TLS control channel wrapping */
struct key_type tls_auth_key_type;
* Initialize SSL context.
* All files are in PEM format.
*/
-void
-init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
+struct tls_root_ctx *
+init_ssl(const struct options *options, bool in_chroot)
{
- ASSERT(NULL != new_ctx);
-
tls_clear_error();
if (key_is_external(options))
load_xkey_provider();
}
+ struct tls_root_ctx *new_ctx;
+ ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx);
+
if (options->tls_server)
{
tls_ctx_server_new(new_ctx);
#endif
tls_clear_error();
- return;
+ return new_ctx;
err:
tls_clear_error();
tls_ctx_free(new_ctx);
- return;
+ free(new_ctx);
+ return NULL;
}
/*
* Build TLS object that reads/writes ciphertext
* to/from memory BIOs.
*/
- key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
+ key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session);
/* Set control-channel initiation mode */
ks->initial_opcode = session->initial_opcode;
/*
* Attempt CRL reload before TLS negotiation. Won't be performed if
- * the file was not modified since the last reload
+ * the file was not modified since the last reload. This affects
+ * all instances (all instances share the same context).
*/
if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
{
- tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file,
+ tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file,
session->opt->crl_file_inline);
}
}
* Build master SSL context object that serves for the whole of OpenVPN
* instantiation
*/
-void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot);
+struct tls_root_ctx *init_ssl(const struct options *options, bool in_chroot);
/** @addtogroup control_processor
* @{ */
*/
struct tls_options
{
- /* our master TLS context from which all SSL objects derived */
- struct tls_root_ctx ssl_ctx;
+ /* our master TLS context from which all SSL objects are derived,
+ * this context is shared between all instances in p2pm with
+ * inherit_context_child. */
+ struct tls_root_ctx *ssl_ctx;
/* data channel cipher, hmac, and key lengths */
struct key_type key_type;
bool
tls_ctx_initialised(struct tls_root_ctx *ctx)
{
- ASSERT(NULL != ctx);
- return ctx->initialised;
+ /* either this should be NULL or should be non-null and then have a
+ * valid TLS ctx inside as well */
+ ASSERT(NULL == ctx || ctx->initialised);
+ return ctx != NULL;
}
#if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
/*
bool
tls_ctx_initialised(struct tls_root_ctx *ctx)
{
- ASSERT(NULL != ctx);
- return NULL != ctx->ctx;
+ /* either this should be NULL or should be non-null and then have a
+ * valid TLS ctx inside as well */
+ ASSERT(ctx == NULL || ctx->ctx != NULL);
+ return ctx != NULL;
}
bool
tls_verify_crl_missing(const struct tls_options *opt)
{
if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
- && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0))
+ && (opt->ssl_ctx->crl == NULL || opt->ssl_ctx->crl->version == 0))
{
return true;
}
return false;
}
- X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx);
+ X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx->ctx);
if (!store)
{
crypto_msg(M_FATAL, "Cannot get certificate store");
projects / thirdparty / openvpn.git / commitdiff
