From: Adriaan de Jong
Date: Mon, 27 Jun 2011 15:44:40 +0000 (+0200)
Subject: Refactored initalisation of key_states
X-Git-Tag: v2.3-alpha1~142
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d7efe640112f94cb20ce52a6adf0bd1b4d5f4ec2;p=thirdparty%2Fopenvpn.git
Refactored initalisation of key_states
Signed-off-by: Adriaan de Jong
Acked-by: James Yonan
Signed-off-by: David Sommerseth
---
diff --git a/ssl.c b/ssl.c
index 932854266..ae9d36c57 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1869,21 +1869,6 @@ is_hard_reset (int op, int key_method)
   return false;
 }
 
-/*
- * OpenVPN's interface to SSL/TLS authentication,
- * encryption, and decryption is exclusively
- * through "memory BIOs".
- */
-static BIO *
-getbio (BIO_METHOD * type, const char *desc)
-{
-  BIO *ret;
-  ret = BIO_new (type);
-  if (!ret)
-    msg (M_SSLERR, "Error creating %s BIO", desc);
-  return ret;
-}
-
 /*
  * Write to an OpenSSL BIO in non-blocking mode.
  */
@@ -2202,37 +2187,14 @@ key_state_init (struct tls_session *session, struct key_state *ks)
 {
   update_time ();
 
+  CLEAR (*ks);
+
   /*
    * Build TLS object that reads/writes ciphertext
    * to/from memory BIOs.
    */
-  CLEAR (*ks);
-
-  ks->ks_ssl.ssl = SSL_new (session->opt->ssl_ctx.ctx);
-  if (!ks->ks_ssl.ssl)
-    msg (M_SSLERR, "SSL_new failed");
-
-  /* put session * in ssl object so we can access it
-     from verify callback*/
-  SSL_set_ex_data (ks->ks_ssl.ssl, mydata_index, session);
-
-  ks->ks_ssl.ssl_bio = getbio (BIO_f_ssl (), "ssl_bio");
-  ks->ks_ssl.ct_in = getbio (BIO_s_mem (), "ct_in");
-  ks->ks_ssl.ct_out = getbio (BIO_s_mem (), "ct_out");
-
-#ifdef BIO_DEBUG
-  bio_debug_oc ("open ssl_bio", ks->ks_ssl.ssl_bio);
-  bio_debug_oc ("open ct_in", ks->ks_ssl.ct_in);
-  bio_debug_oc ("open ct_out", ks->ks_ssl.ct_out);
-#endif
-
-  if (session->opt->server)
-    SSL_set_accept_state (ks->ks_ssl.ssl);
-  else
-    SSL_set_connect_state (ks->ks_ssl.ssl);
-
-  SSL_set_bio (ks->ks_ssl.ssl, ks->ks_ssl.ct_in, ks->ks_ssl.ct_out);
-  BIO_set_ssl (ks->ks_ssl.ssl_bio, ks->ks_ssl.ssl, BIO_NOCLOSE);
+  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
+      session);
 
   /* Set control-channel initiation mode */
   ks->initial_opcode = session->initial_opcode;
diff --git a/ssl_backend.h b/ssl_backend.h
index 64d93360c..5c96dafed 100644
--- a/ssl_backend.h
+++ b/ssl_backend.h
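Review bot: The `CLEAR (*ks)` moved to the top of key_state_init and the `CLEAR (*ks_ssl)` inside the new key_state_ssl_init (ssl_openssl.c hunk) now zero `ks->ks_ssl` twice on every key-state initialisation. That is harmless but redundant, and the "Build TLS object that reads/writes ciphertext to/from memory BIOs" comment now sits above a call whose body lives in the backend. If key_state_ssl_init is meant to be usable on its own, keep the clear there and say so here with `/* ks->ks_ssl is cleared again by key_state_ssl_init(); the backend owns that field's setup */`. The rest of key_state_init continues past the hunk.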
@@ -269,6 +269,24 @@ void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs
 #endif
     );
 
+/* **************************************
+ *
+ * Key-state specific functions
+ *
+ ***************************************/
+
+/**
+ * Initialise the SSL channel part of the given key state. Settings will be
+ * loaded from a previously initialised TLS context.
+ *
+ * @param ks_ssl The SSL channel's state info to initialise
+ * @param ssl_ctx The TLS context to use when initialising the channel.
+ * @param is_server Initialise a server?
+ * @param session The session associated with the given key_state
+ */
+void key_state_ssl_init(struct key_state_ssl *ks_ssl,
+    const struct tls_root_ctx *ssl_ctx, bool is_server, void *session);
+
 /*
  * Show the TLS ciphers that are available for us to use in the OpenSSL
  * library.
diff --git a/ssl_openssl.c b/ssl_openssl.c
index 6897c2994..1214c6ead 100644
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
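Review bot: The `void *session` parameter in the new key_state_ssl_init prototype erases the caller's `struct tls_session *` and the doc line "The session associated with the given key_state" does not say what the backend does with it. From the ssl_openssl.c hunk it is only handed to `SSL_set_ex_data` for the verify callback and never dereferenced, so the contract is worth stating: `@param session Opaque pointer stored in the SSL object's ex_data for the certificate verify callback; the backend does not dereference it and the caller must keep it alive for the life of ks_ssl`. The header should also document the failure behaviour: the implementation reports `SSL_new` and BIO allocation failures through `msg (M_SSLERR, ...)`, and if that is fatal as elsewhere in this code, callers need to know the function does not return on error rather than leaving ks_ssl half-built.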
@@ -829,6 +829,66 @@ tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
 
 }
 
+/* **************************************
+ *
+ * Key-state specific functions
+ *
+ ***************************************/
+/*
+ *
+ * BIO functions
+ *
+ */
+
+/*
+ * OpenVPN's interface to SSL/TLS authentication,
+ * encryption, and decryption is exclusively
+ * through "memory BIOs".
+ */
+static BIO *
+getbio (BIO_METHOD * type, const char *desc)
+{
+  BIO *ret;
+  ret = BIO_new (type);
+  if (!ret)
+    msg (M_SSLERR, "Error creating %s BIO", desc);
+  return ret;
+}
+
+void
+key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
+{
+  ASSERT(NULL != ssl_ctx);
+  ASSERT(ks_ssl);
+  CLEAR (*ks_ssl);
+
+  ks_ssl->ssl = SSL_new (ssl_ctx->ctx);
+  if (!ks_ssl->ssl)
+    msg (M_SSLERR, "SSL_new failed");
+
+  /* put session * in ssl object so we can access it
+     from verify callback*/
+  SSL_set_ex_data (ks_ssl->ssl, mydata_index, session);
+
+  ks_ssl->ssl_bio = getbio (BIO_f_ssl (), "ssl_bio");
+  ks_ssl->ct_in = getbio (BIO_s_mem (), "ct_in");
+  ks_ssl->ct_out = getbio (BIO_s_mem (), "ct_out");
+
+#ifdef BIO_DEBUG
+  bio_debug_oc ("open ssl_bio", ks_ssl->ssl_bio);
+  bio_debug_oc ("open ct_in", ks_ssl->ct_in);
+  bio_debug_oc ("open ct_out", ks_ssl->ct_out);
+#endif
+
+  if (is_server)
+    SSL_set_accept_state (ks_ssl->ssl);
+  else
+    SSL_set_connect_state (ks_ssl->ssl);
+
+  SSL_set_bio (ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out);
+  BIO_set_ssl (ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE);
+}
+
 void
 tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
 #if ENABLE_INLINE_FILES
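Review bot: key_state_ssl_init leaves the BIO ownership split undocumented: `SSL_set_bio (ks_ssl->ssl, ks_ssl->ct_in, ks_ssl->ct_out)` hands ct_in and ct_out to the SSL object (OpenSSL frees them with the SSL), while `BIO_set_ssl (ks_ssl->ssl_bio, ks_ssl->ssl, BIO_NOCLOSE)` deliberately keeps ssl_bio from owning the SSL. The struct still carries raw pointers to all three, so the teardown counterpart (outside this hunk) must free ssl_bio itself and must not free ct_in/ct_out separately, or it double-frees; that rule belongs next to the two calls as `/* ct_in/ct_out are now owned by ssl (released with it); ssl_bio holds no reference to ssl (BIO_NOCLOSE) and must be freed on its own. */`. Separately, `ASSERT(NULL != ssl_ctx)` does not guard `ssl_ctx->ctx`: if the root context was never loaded, `SSL_new` is called with a NULL context and the function depends on `msg (M_SSLERR, "SSL_new failed")` being fatal, so an `ASSERT (ssl_ctx->ctx);` beside the existing assert would make the precondition explicit.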