From: Steffan Karger
Date: Sat, 21 Nov 2015 11:41:00 +0000 (+0100)
Subject: polarssl: don't use deprecated functions anymore
X-Git-Tag: v2.4_alpha1~198
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67a67e39;p=thirdparty%2Fopenvpn.git

polarssl: don't use deprecated functions anymore

A number of functions were deprecated in polarssl 1.3.11. Stop using these, and use their alternatives instead.

This enables (and also almost forces) us to move the pkcs11 and external key logic from the per-connection setup (key_state_ssl_init()) to the per-instance setup (tls_ctx_use_{pkcs11,external_private_key}()).

Note that tls_ctx_use_external_private_key() is now placed right below external_pkcs1_sign() and external_key_len(), instead of right above, because it now needs to be aware of those static functions.

Tested with:
 * PEM key files
 * pkcs11
 * management-external-key

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1448106060-19469-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10544
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index c038f8e26..92fdb787a 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -485,7 +485,7 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,
 void
 cipher_ctx_cleanup (cipher_context_t *ctx)
 {
- ASSERT (polar_ok(cipher_free_ctx(ctx)));
+ cipher_free(ctx);
 }
 
 int cipher_ctx_iv_length (const cipher_context_t *ctx)
@@ -649,7 +649,7 @@ void
 md_ctx_final (md_context_t *ctx, uint8_t *dst)
 {
 ASSERT(0 == md_finish(ctx, dst));
- ASSERT(0 == md_free_ctx(ctx));
+ md_free(ctx);
 }
 
 
@@ -680,7 +680,7 @@ hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info
 void
 hmac_ctx_cleanup(md_context_t *ctx)
 {
- ASSERT(0 == md_free_ctx(ctx));
+ md_free(ctx);
 }
 
 int
diff --git a/src/openvpn/pkcs11_polarssl.c b/src/openvpn/pkcs11_polarssl.c
index 4018b22a5..ccb6f8caf 100644
--- a/src/openvpn/pkcs11_polarssl.c
+++ b/src/openvpn/pkcs11_polarssl.c
@@ -62,6 +62,12 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
 goto cleanup;
 }
 
+ ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, pk_context);
+ if (!polar_ok(pk_init_ctx_rsa_alt(ssl_ctx->priv_key, ssl_ctx->priv_key_pkcs11,
+ ssl_pkcs11_decrypt, ssl_pkcs11_sign, ssl_pkcs11_key_len))) {
+ goto cleanup;
+ }
+
 ret = 0;
 
 cleanup:
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index cf38e6943..cfdeb5215 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -355,24 +355,6 @@ struct external_context {
 size_t signature_length;
 };
 
-int
-tls_ctx_use_external_private_key (struct tls_root_ctx *ctx,
- const char *cert_file, const char *cert_file_inline)
-{
- ASSERT(NULL != ctx);
-
- tls_ctx_load_cert_file(ctx, cert_file, cert_file_inline);
-
- if (ctx->crt_chain == NULL)
- return 0;
-
- /* Most of the initialization happens in key_state_ssl_init() */
- ALLOC_OBJ_CLEAR (ctx->external_key, struct external_context);
- ctx->external_key->signature_length = pk_get_len(&ctx->crt_chain->pk);
-
- return 1;
-}
-
 /**
 * external_pkcs1_sign implements a PolarSSL rsa_sign_func callback, that uses
 * the management interface to request an RSA signature for the supplied hash.
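Review bot: When the new `pk_init_ctx_rsa_alt` call fails, the function jumps to `cleanup` with `ssl_ctx->priv_key` already allocated by `ALLOC_OBJ_CLEAR` and never set up, so unless the cleanup label (outside this hunk) releases it, that object leaks and the root context is left with a non-NULL `priv_key` that holds no key. Releasing it in the failure branch before the jump, `free(ssl_ctx->priv_key); ssl_ctx->priv_key = NULL;`, keeps the context in the same shape as the earlier error paths. The new `tls_ctx_use_external_private_key` in ssl_polarssl.c has the same pattern: its final `return 0` leaves both `ctx->external_key` and `ctx->priv_key` allocated. pkcs11_init_tls_session starts before this hunk.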
@@ -505,6 +487,28 @@ static inline size_t external_key_len(void *vctx)
 return ctx->signature_length;
 }
 
+
+int
+tls_ctx_use_external_private_key (struct tls_root_ctx *ctx,
+ const char *cert_file, const char *cert_file_inline)
+{
+ ASSERT(NULL != ctx);
+
+ tls_ctx_load_cert_file(ctx, cert_file, cert_file_inline);
+
+ if (ctx->crt_chain == NULL)
+ return 0;
+
+ ALLOC_OBJ_CLEAR (ctx->external_key, struct external_context);
+ ctx->external_key->signature_length = pk_get_len(&ctx->crt_chain->pk);
+
+ ALLOC_OBJ_CLEAR (ctx->priv_key, pk_context);
+ if (!polar_ok(pk_init_ctx_rsa_alt(ctx->priv_key, ctx->external_key,
+ NULL, external_pkcs1_sign, external_key_len)))
+ return 0;
+
+ return 1;
+}
 #endif
 
 void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
@@ -757,22 +761,9 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
 /* Initialise authentication information */
 if (is_server)
 polar_ok(ssl_set_dh_param_ctx(ks_ssl->ctx, ssl_ctx->dhm_ctx));
-#if defined(ENABLE_PKCS11)
- if (ssl_ctx->priv_key_pkcs11 != NULL)
- polar_ok(ssl_set_own_cert_alt(ks_ssl->ctx, ssl_ctx->crt_chain,
- ssl_ctx->priv_key_pkcs11, ssl_pkcs11_decrypt, ssl_pkcs11_sign,
- ssl_pkcs11_key_len));
- else
-#endif
-#if defined(MANAGMENT_EXTERNAL_KEY)
- if (ssl_ctx->external_key != NULL)
- polar_ok(ssl_set_own_cert_alt(ks_ssl->ctx, ssl_ctx->crt_chain,
- ssl_ctx->external_key, NULL, external_pkcs1_sign,
- external_key_len));
- else
-#endif
- polar_ok(ssl_set_own_cert(ks_ssl->ctx, ssl_ctx->crt_chain,
- ssl_ctx->priv_key));
+
+ polar_ok(ssl_set_own_cert(ks_ssl->ctx, ssl_ctx->crt_chain,
+ ssl_ctx->priv_key));
 
 /* Initialise SSL verification */
 #if P2MP_SERVER
diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index fa313ac17..62818adcb 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
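Review bot: The relocated `tls_ctx_use_external_private_key` carries no comment for its new second half, so a reader has to infer from the `pk_init_ctx_rsa_alt` arguments that `ctx->priv_key` is now an RSA-alt wrapper whose signing is delegated to `external_pkcs1_sign` and whose decrypt callback is `NULL`, i.e. the wrapped key cannot decrypt. A comment above the second `ALLOC_OBJ_CLEAR`, `/* Wrap the management-driven signer in a pk_context so it can be installed like a regular private key; decryption is not supported (NULL decrypt callback) */`, would record that contract and the reason the function now has to sit below the two static helpers it references. The `#endif` at the end of the hunk closes a conditional block whose `#if` is outside the hunk.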
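Review bot: With the three `#if`-guarded branches removed, the single `ssl_set_own_cert` call no longer tells the reader where `ssl_ctx->priv_key` comes from, and its `polar_ok` result is still discarded, as it is for the `ssl_set_dh_param_ctx` call just above. A one-line comment would preserve what the deleted branches expressed: `/* priv_key is either a key loaded from file or the pk_rsa_alt wrapper set up by tls_ctx_use_pkcs11()/tls_ctx_use_external_private_key() */`. If `priv_key` is NULL because no loader ran, the call now passes that NULL through unchanged instead of selecting a branch, which appears to match the previous fall-through case but is worth confirming against the callers. key_state_ssl_init starts before this hunk and continues after it.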
@@ -319,8 +319,7 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid)
 char oid_num_str[1024];
 const char *oid_str;
 
- oid_str = x509_oid_get_description(oid);
- if (oid_str != NULL)
+ if (0 == oid_get_extended_key_usage( oid, &oid_str ))
 {
 msg (D_HANDSHAKE, "++ Certificate has EKU (str) %s, expects %s", oid_str,
 expected_oid);
@@ -331,7 +330,7 @@ x509_verify_cert_eku (x509_crt *cert, const char * const expected_oid)
 }
 }
 
- if (0 < x509_oid_get_numeric_string( oid_num_str,
+ if (0 < oid_get_numeric_string( oid_num_str,
 sizeof (oid_num_str), oid))
 {
 msg (D_HANDSHAKE, "++ Certificate has EKU (oid) %s, expects %s",
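Review bot: `oid_str` is now indeterminate whenever `oid_get_extended_key_usage` returns non-zero, because the unconditional assignment from `x509_oid_get_description` is gone while the declaration `const char *oid_str;` a few lines up in the hunk has no initialiser. Its only uses visible here are inside the guarded block, so this is not a defect today, but `const char *oid_str = NULL;` at the declaration removes the reliance on that invariant and avoids maybe-uninitialized warnings when the function is edited later. Note too that the replacement presumably resolves only the extended-key-usage OID table, so an EKU entry that happens to be a well-known non-EKU OID would now fall through to the numeric-string branch in the second hunk instead of being logged by description; that is consistent with the extension's purpose. x509_verify_cert_eku starts before this hunk and continues after it.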