authorAdriaan de Jong <dejong@fox-it.com>2011-06-29 15:15:32 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-19 22:31:46 +0200
commit95993a1df3c39fd2ea9c037b2f0bfcdf040b7d59 (patch)
tree7142b7312a929191d21069cbfa9198d73381148f
parent9a160b796e1a40f9635231e5533ce40d46dba25f (diff)
Refactored SSL initialisation functions
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl.c70
-rw-r--r--ssl.h17
-rw-r--r--ssl_backend.h21
-rw-r--r--ssl_openssl.c32
-rw-r--r--ssl_openssl.h8
5 files changed, 97 insertions, 51 deletions
diff --git a/ssl.c b/ssl.c
index 0d618bd..6bef044 100644
--- a/ssl.c
+++ b/ssl.c
@@ -6,6 +6,7 @@
* packet compression.
*
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
*
* Additions for eurephia plugin done by:
* David Sommerseth <dazo@users.sourceforge.net> Copyright (C) 2008-2009
@@ -26,6 +27,10 @@
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
+/**
+ * @file Control Channel SSL/Data channel negotiation Module
+ */
+
/*
* The routines in this file deal with dynamically negotiating
* the data channel HMAC and cipher keys through a TLS session.
@@ -38,7 +43,6 @@
#if defined(USE_CRYPTO) && defined(USE_SSL)
-#include "ssl.h"
#include "error.h"
#include "common.h"
#include "integer.h"
@@ -54,6 +58,10 @@
#include "base64.h"
#include "route.h"
+#include "ssl.h"
+#include "ssl_verify.h"
+#include "ssl_backend.h"
+
#ifdef WIN32
#include "cryptoapi.h"
#endif
@@ -204,55 +212,20 @@ tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame
frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN);
}
-/*
- * Allocate space in SSL objects
- * in which to store a struct tls_session
- * pointer back to parent.
- */
-
-static int mydata_index; /* GLOBAL */
-
-static void
-ssl_set_mydata_index ()
-{
- mydata_index = SSL_get_ex_new_index (0, "struct session *", NULL, NULL, NULL);
- ASSERT (mydata_index >= 0);
-}
-
void
init_ssl_lib ()
{
- SSL_library_init ();
- SSL_load_error_strings ();
- OpenSSL_add_all_algorithms ();
+ tls_init_lib ();
- crypto_init_lib();
-
- /*
- * If you build the OpenSSL library and OpenVPN with
- * CRYPTO_MDEBUG, you will get a listing of OpenSSL
- * memory leaks on program termination.
- */
-#ifdef CRYPTO_MDEBUG
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-#endif
-
- ssl_set_mydata_index ();
+ crypto_init_lib ();
}
void
free_ssl_lib ()
{
-#ifdef CRYPTO_MDEBUG
- FILE* fp = fopen ("sdlog", "w");
- ASSERT (fp);
- CRYPTO_mem_leaks_fp (fp);
- fclose (fp);
-#endif
-
crypto_uninit_lib ();
- EVP_cleanup ();
- ERR_free_strings ();
+
+ tls_free_lib();
}
/*
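Review bot: The CRYPTO_MDEBUG hooks removed from init_ssl_lib and free_ssl_lib here (the `CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON)` call and the `CRYPTO_mem_leaks_fp` dump to "sdlog") do not reappear in the new tls_init_lib/tls_free_lib in ssl_openssl.c, so the leak-check aid is dropped rather than moved behind the backend interface, unless it was relocated into crypto_init_lib/crypto_uninit_lib in a change not shown in this commit. If the drop is deliberate, one sentence in the commit description or in the tls_init_lib header comment would stop the next reader from hunting for it; otherwise the two `#ifdef CRYPTO_MDEBUG` blocks belong in tls_init_lib and tls_free_lib. This hunk also reverses the initialisation order: the ex_data index is now registered in tls_init_lib before crypto_init_lib runs, whereas it was registered after it, which looks harmless but deserves a note since the two backends are being separated.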
@@ -5151,7 +5124,7 @@ tls_process (struct tls_multi *multi,
}
error:
- ERR_clear_error ();
+ tls_clear_error();
ks->state = S_ERROR;
msg (D_TLS_ERRORS, "TLS Error: TLS handshake failed");
INCR_ERROR;
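Review bot: The replacement calls are written inconsistently across the file: this hunk uses `tls_clear_error();` while the tls_multi_process hunk uses `tls_clear_error ();`, and the remaining hunks (tls_pre_decrypt, tls_pre_decrypt_lite, tls_send_payload twice, tls_rec_payload twice) mix the two again. The surrounding code in these hunks (`ERR_clear_error ()`, `gc_free (&gc)`, `msg (D_TLS_ERRORS, …)`) puts a space before the parenthesis, so `tls_clear_error ();` is the form to settle on everywhere. The body of tls_process starts and ends outside this hunk.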
@@ -5184,7 +5157,7 @@ tls_multi_process (struct tls_multi *multi,
perf_push (PERF_TLS_MULTI_PROCESS);
- ERR_clear_error ();
+ tls_clear_error ();
/*
* Process each session object having state of S_INITIAL or greater,
@@ -5791,7 +5764,7 @@ tls_pre_decrypt (struct tls_multi *multi,
error:
++multi->n_soft_errors;
error_lite:
- ERR_clear_error ();
+ tls_clear_error();
goto done;
}
@@ -5902,7 +5875,7 @@ tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
return ret;
error:
- ERR_clear_error ();
+ tls_clear_error();
gc_free (&gc);
return ret;
}
@@ -5997,7 +5970,7 @@ tls_send_payload (struct tls_multi *multi,
struct key_state *ks;
bool ret = false;
- ERR_clear_error ();
+ tls_clear_error();
ASSERT (multi);
@@ -6017,7 +5990,8 @@ tls_send_payload (struct tls_multi *multi,
ret = true;
}
- ERR_clear_error ();
+
+ tls_clear_error();
return ret;
}
@@ -6030,7 +6004,7 @@ tls_rec_payload (struct tls_multi *multi,
struct key_state *ks;
bool ret = false;
- ERR_clear_error ();
+ tls_clear_error();
ASSERT (multi);
@@ -6044,7 +6018,7 @@ tls_rec_payload (struct tls_multi *multi,
ks->plaintext_read_buf.len = 0;
}
- ERR_clear_error ();
+ tls_clear_error();
return ret;
}
diff --git a/ssl.h b/ssl.h
index 0f05728..fbdb2c6 100644
--- a/ssl.h
+++ b/ssl.h
@@ -6,6 +6,7 @@
* packet compression.
*
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -22,12 +23,10 @@
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
-
/**
- * @file header file
+ * @file Control Channel SSL/Data channel negotiation module
*/
-
#ifndef OPENVPN_SSL_H
#define OPENVPN_SSL_H
@@ -51,6 +50,9 @@
#include "options.h"
#include "plugin.h"
+#include "ssl_common.h"
+#include "ssl_verify.h"
+#include "ssl_backend.h"
/* Used in the TLS PRF function */
#define KEY_EXPANSION_ID "OpenVPN"
@@ -231,6 +233,15 @@ struct cert_hash {
struct cert_hash_set {
struct cert_hash *ch[MAX_CERT_DEPTH];
};
+/*
+ * Prepare the SSL library for use
+ */
+void init_ssl_lib (void);
+
+/*
+ * Free any internal state that the SSL library might have
+ */
+void free_ssl_lib (void);
/**
* Container for one half of random material to be used in %key method 2
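Review bot: The two new prototypes carry plain `/* */` comments while the neighbouring declarations in this header use Doxygen `/** */` blocks (the `Container for one half of random material` comment right below is one), so these will not appear in the generated documentation. Suggested wording for the pair: `/** Prepare the SSL library for use. Must be called before any TLS session is created; pair with free_ssl_lib(). */` and `/** Free any global state the SSL library holds; call after the last TLS session has been torn down. */`. The ordering constraints are inferred from what init_ssl_lib/free_ssl_lib do in ssl.c and should be confirmed before being stated.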
diff --git a/ssl_backend.h b/ssl_backend.h
index d7e8361..639d850 100644
--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -43,4 +43,25 @@
* Functions implemented in ssl.c for use by the backend SSL library
*
*/
+/*
+ *
+ * Functions used in ssl.c which must be implemented by the backend SSL library
+ *
+ */
+
+/**
+ * Perform any static initialisation necessary by the library.
+ * Called on OpenVPN initialisation
+ */
+void tls_init_lib();
+
+/**
+ * Free any global SSL library-specific data structures.
+ */
+void tls_free_lib();
+/**
+ * Clear the underlying SSL library's error state.
+ */
+void tls_clear_error();
+
#endif /* SSL_BACKEND_H_ */
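Review bot: `void tls_init_lib();`, `void tls_free_lib();` and `void tls_clear_error();` are declared with empty parentheses, which in C is an unspecified-parameter declaration rather than a prototype, so a call such as `tls_init_lib(42)` would compile without a diagnostic. They should read `void tls_init_lib(void);`, `void tls_free_lib(void);` and `void tls_clear_error(void);`, matching the `(void)` form this same commit uses for init_ssl_lib and free_ssl_lib in ssl.h; the definitions in ssl_openssl.c should follow suit. The header block above the three also gains a blank leading ` *` line that the existing comment in this file does not have.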
diff --git a/ssl_openssl.c b/ssl_openssl.c
index b38af87..eff0bc4 100644
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -42,3 +42,35 @@
#include <openssl/pkcs12.h>
#include <openssl/x509.h>
#include <openssl/crypto.h>
+
+/*
+ * Allocate space in SSL objects in which to store a struct tls_session
+ * pointer back to parent.
+ *
+ */
+
+int mydata_index; /* GLOBAL */
+
+void
+tls_init_lib()
+{
+ SSL_library_init();
+ SSL_load_error_strings();
+ OpenSSL_add_all_algorithms ();
+
+ mydata_index = SSL_get_ex_new_index(0, "struct session *", NULL, NULL, NULL);
+ ASSERT (mydata_index >= 0);
+}
+
+void
+tls_free_lib()
+{
+ EVP_cleanup();
+ ERR_free_strings();
+}
+
+void
+tls_clear_error()
+{
+ ERR_clear_error ();
+}
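Review bot: `int mydata_index;` gives external linkage to what was a `static` in ssl.c, and ssl_openssl.h now exports it with `extern`, so any translation unit including that header can overwrite the ex_data index after tls_init_lib has registered it. If the index is only read by the OpenSSL backend, `static int mydata_index;` preserves the previous encapsulation; if another file does need it (none is visible in this commit), a comment on the definition naming that reader would justify the wider linkage. Separately, the header comment says the slot holds a `struct tls_session` pointer but the label passed to SSL_get_ex_new_index is `"struct session *"`; the label is only a debugging aid, so aligning it with the comment is a wording fix rather than a behaviour change.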
diff --git a/ssl_openssl.h b/ssl_openssl.h
index d412ef2..fb817ae 100644
--- a/ssl_openssl.h
+++ b/ssl_openssl.h
@@ -32,4 +32,12 @@
#include <openssl/ssl.h>
+/**
+ * Allocate space in SSL objects in which to store a struct tls_session
+ * pointer back to parent.
+ */
+extern int mydata_index; /* GLOBAL */
+
+void openssl_set_mydata_index (void);
+
#endif /* SSL_OPENSSL_H_ */
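Review bot: `void openssl_set_mydata_index (void);` is declared here but nothing in this commit defines it: ssl.c removes the old `ssl_set_mydata_index` and ssl_openssl.c folds that body directly into tls_init_lib, so the prototype appears to be a leftover from an earlier draft and should be dropped unless a definition exists in a file not shown. The comment on `extern int mydata_index` also describes an action ("Allocate space in SSL objects…") rather than the variable; something like `/** ex_data index under which the owning struct tls_session pointer is stored in each SSL object; registered by tls_init_lib(). */` tells a reader what the value is and who sets it.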