From 44dd39b3ef3980019277e7612fd5bc9cbd4d3e65 Mon Sep 17 00:00:00 2001 From: Arne Schwabe Date: Tue, 16 Dec 2025 15:42:00 +0100 Subject: [PATCH] Change ssl_ctx in struct tls_options to be a pointer The SSL CTX is shared between all of the instances. So any change to the SSL CTX will affect all instances. Currently the CRL is also reloaded potentially multiple times as each copy of tls_root_ctx has its own crl_last_mtime and crl_last_size values that will be checked if the CRL reload is necessary. Changing it to a pointer will make it more clear that this is shared and also the CRL being reloaded multiple times. Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Signed-off-by: Arne Schwabe Acked-by: MaxF Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1431 Message-Id: <20251216144207.12171-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35116.html Signed-off-by: Gert Doering --- src/openvpn/init.c | 12 +++++++----- src/openvpn/openvpn.h | 2 +- src/openvpn/ssl.c | 21 ++++++++++++--------- src/openvpn/ssl.h | 2 +- src/openvpn/ssl_common.h | 6 ++++-- src/openvpn/ssl_mbedtls.c | 6 ++++-- src/openvpn/ssl_openssl.c | 6 ++++-- src/openvpn/ssl_verify_mbedtls.c | 2 +- src/openvpn/ssl_verify_openssl.c | 2 +- 9 files changed, 35 insertions(+), 24 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index cd0152003..ee198cea5 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2964,9 +2964,10 @@ static void key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) { free_key_ctx_bi(&ks->static_key); - if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) + if (tls_ctx_initialised(ks->ssl_ctx) && free_ssl_ctx) { - tls_ctx_free(&ks->ssl_ctx); + tls_ctx_free(ks->ssl_ctx); + free(ks->ssl_ctx); free_key_ctx(&ks->auth_token_key); } CLEAR(*ks); @@ -3121,14 +3122,15 @@ do_init_crypto_tls_c1(struct context *c) { const struct options *options = &c->options; - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { /* * Initialize the OpenSSL library's global * SSL context. */ - init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set); - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + ASSERT(NULL == c->c1.ks.ssl_ctx); + c->c1.ks.ssl_ctx = init_ssl(options, c->c0 && c->c0->uid_gid_chroot_set); + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { switch (auth_retry_get()) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index 3e1ae78d3..9325e21fd 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -60,7 +60,7 @@ struct key_schedule struct key_ctx_bi static_key; /* our global SSL context */ - struct tls_root_ctx ssl_ctx; + struct tls_root_ctx *ssl_ctx; /* optional TLS control channel wrapping */ struct key_type tls_auth_key_type; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 741f40aed..5ee51e90d 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -507,11 +507,9 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_ * Initialize SSL context. * All files are in PEM format. */ -void -init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot) +struct tls_root_ctx * +init_ssl(const struct options *options, bool in_chroot) { - ASSERT(NULL != new_ctx); - tls_clear_error(); if (key_is_external(options)) @@ -519,6 +517,9 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch load_xkey_provider(); } + struct tls_root_ctx *new_ctx; + ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx); + if (options->tls_server) { tls_ctx_server_new(new_ctx); @@ -664,12 +665,13 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_ch #endif tls_clear_error(); - return; + return new_ctx; err: tls_clear_error(); tls_ctx_free(new_ctx); - return; + free(new_ctx); + return NULL; } /* @@ -821,7 +823,7 @@ key_state_init(struct tls_session *session, struct key_state *ks) * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */ - key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session); + key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session); /* Set control-channel initiation mode */ ks->initial_opcode = session->initial_opcode; @@ -872,11 +874,12 @@ key_state_init(struct tls_session *session, struct key_state *ks) /* * Attempt CRL reload before TLS negotiation. Won't be performed if - * the file was not modified since the last reload + * the file was not modified since the last reload. This affects + * all instances (all instances share the same context). */ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { - tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file, + tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file, session->opt->crl_file_inline); } } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index db8a7985b..9ee9f3897 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -144,7 +144,7 @@ void free_ssl_lib(void); * Build master SSL context object that serves for the whole of OpenVPN * instantiation */ -void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot); +struct tls_root_ctx *init_ssl(const struct options *options, bool in_chroot); /** @addtogroup control_processor * @{ */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 3129299b7..2764840cb 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -305,8 +305,10 @@ struct tls_wrap_ctx */ struct tls_options { - /* our master TLS context from which all SSL objects derived */ - struct tls_root_ctx ssl_ctx; + /* our master TLS context from which all SSL objects are derived, + * this context is shared between all instances in p2pm with + * inherit_context_child. */ + struct tls_root_ctx *ssl_ctx; /* data channel cipher, hmac, and key lengths */ struct key_type key_type; diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 3440319cc..28b92edad 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -157,8 +157,10 @@ tls_ctx_free(struct tls_root_ctx *ctx) bool tls_ctx_initialised(struct tls_root_ctx *ctx) { - ASSERT(NULL != ctx); - return ctx->initialised; + /* either this should be NULL or should be non-null and then have a + * valid TLS ctx inside as well */ + ASSERT(NULL == ctx || ctx->initialised); + return ctx != NULL; } #if !defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) /* diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a4a686310..48bbdfce9 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -147,8 +147,10 @@ tls_ctx_free(struct tls_root_ctx *ctx) bool tls_ctx_initialised(struct tls_root_ctx *ctx) { - ASSERT(NULL != ctx); - return NULL != ctx->ctx; + /* either this should be NULL or should be non-null and then have a + * valid TLS ctx inside as well */ + ASSERT(ctx == NULL || ctx->ctx != NULL); + return ctx != NULL; } bool diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 250c8060e..b7de5500d 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -572,7 +572,7 @@ bool tls_verify_crl_missing(const struct tls_options *opt) { if (opt->crl_file && !(opt->ssl_flags & SSLF_CRL_VERIFY_DIR) - && (opt->ssl_ctx.crl == NULL || opt->ssl_ctx.crl->version == 0)) + && (opt->ssl_ctx->crl == NULL || opt->ssl_ctx->crl->version == 0)) { return true; } diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 6cb04ee7c..633f78ded 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -799,7 +799,7 @@ tls_verify_crl_missing(const struct tls_options *opt) return false; } - X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx); + X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx->ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store"); -- 2.47.3