search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenVPN: Update to version 2.3.2. Solves TLS security bug.
[tomato.git] / release / src / router / openvpn / src / openvpn / ssl_polarssl.c
blob2b5b37ba8d26d69dfbf23768b4690282417f4a4c
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 */
25
26 /**
27 * @file Control Channel PolarSSL Backend
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35
36 #include "syshead.h"
37
38 #if defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL)
39
40 #include "errlevel.h"
41 #include "ssl_backend.h"
42 #include "buffer.h"
43 #include "misc.h"
44 #include "manage.h"
45 #include "ssl_common.h"
46
47 #include <polarssl/sha2.h>
48 #include <polarssl/havege.h>
49
50 #include "ssl_verify_polarssl.h"
51 #include <polarssl/pem.h>
52
53 void
54 tls_init_lib()
55 {
56 }
57
58 void
59 tls_free_lib()
60 {
61 }
62
63 void
64 tls_clear_error()
65 {
66 }
67
68 void
69 tls_ctx_server_new(struct tls_root_ctx *ctx)
70 {
71 ASSERT(NULL != ctx);
72 CLEAR(*ctx);
73
74 ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
75 ALLOC_OBJ_CLEAR(ctx->priv_key, rsa_context);
76
77 ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_cert);
78 ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_cert);
79
80
81 ctx->endpoint = SSL_IS_SERVER;
82 ctx->initialised = true;
83 }
84
85 void
86 tls_ctx_client_new(struct tls_root_ctx *ctx)
87 {
88 ASSERT(NULL != ctx);
89 CLEAR(*ctx);
90
91 ALLOC_OBJ_CLEAR(ctx->dhm_ctx, dhm_context);
92 ALLOC_OBJ_CLEAR(ctx->priv_key, rsa_context);
93
94 ALLOC_OBJ_CLEAR(ctx->ca_chain, x509_cert);
95 ALLOC_OBJ_CLEAR(ctx->crt_chain, x509_cert);
96
97 ctx->endpoint = SSL_IS_CLIENT;
98 ctx->initialised = true;
99 }
100
101 void
102 tls_ctx_free(struct tls_root_ctx *ctx)
103 {
104 if (ctx)
105 {
106 rsa_free(ctx->priv_key);
107 free(ctx->priv_key);
108
109 x509_free(ctx->ca_chain);
110 free(ctx->ca_chain);
111
112 x509_free(ctx->crt_chain);
113 free(ctx->crt_chain);
114
115 dhm_free(ctx->dhm_ctx);
116 free(ctx->dhm_ctx);
117
118 #if defined(ENABLE_PKCS11)
119 if (ctx->priv_key_pkcs11 != NULL) {
120 pkcs11_priv_key_free(ctx->priv_key_pkcs11);
121 free(ctx->priv_key_pkcs11);
122 }
123 #endif
124
125 if (ctx->allowed_ciphers)
126 free(ctx->allowed_ciphers);
127
128 CLEAR(*ctx);
129
130 ctx->initialised = false;
131
132 }
133 }
134
135 bool
136 tls_ctx_initialised(struct tls_root_ctx *ctx)
137 {
138 ASSERT(NULL != ctx);
139 return ctx->initialised;
140 }
141
142 void
143 tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
144 {
145 }
146
147 static const char *
148 tls_translate_cipher_name (const char * cipher_name) {
149 const tls_cipher_name_pair * pair = tls_get_cipher_name_pair(cipher_name, strlen(cipher_name));
150
151 if (NULL == pair)
152 {
153 // No translation found, return original
154 return cipher_name;
155 }
156
157 if (0 != strcmp(cipher_name, pair->iana_name))
158 {
159 // Deprecated name found, notify user
160 msg(M_WARN, "Deprecated cipher suite name '%s', please use IANA name '%s'", pair->openssl_name, pair->iana_name);
161 }
162
163 return pair->iana_name;
164 }
165
166 void
167 tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
168 {
169 char *tmp_ciphers, *tmp_ciphers_orig, *token;
170 int i, cipher_count;
171 int ciphers_len = strlen (ciphers);
172
173 ASSERT (NULL != ctx);
174 ASSERT (0 != ciphers_len);
175
176 /* Get number of ciphers */
177 for (i = 0, cipher_count = 1; i < ciphers_len; i++)
178 if (ciphers[i] == ':')
179 cipher_count++;
180
181 /* Allocate an array for them */
182 ALLOC_ARRAY_CLEAR(ctx->allowed_ciphers, int, cipher_count+1)
183
184 /* Parse allowed ciphers, getting IDs */
185 i = 0;
186 tmp_ciphers_orig = tmp_ciphers = strdup(ciphers);
187
188 token = strtok (tmp_ciphers, ":");
189 while(token)
190 {
191 ctx->allowed_ciphers[i] = ssl_get_ciphersuite_id (
192 tls_translate_cipher_name (token));
193 if (0 != ctx->allowed_ciphers[i])
194 i++;
195 token = strtok (NULL, ":");
196 }
197 free(tmp_ciphers_orig);
198 }
199
200 void
201 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
202 const char *dh_file_inline
203 )
204 {
205 if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
206 {
207 if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
208 msg (M_FATAL, "Cannot read inline DH parameters");
209 }
210 else
211 {
212 if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
213 msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
214 }
215
216 msg (D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with " counter_format " bit key",
217 (counter_type) 8 * mpi_size(&ctx->dhm_ctx->P));
218 }
219
220 int
221 tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
222 const char *pkcs12_file_inline,
223 bool load_ca_file
224 )
225 {
226 msg(M_FATAL, "PKCS #12 files not yet supported for PolarSSL.");
227 return 0;
228 }
229
230 #ifdef ENABLE_CRYPTOAPI
231 void
232 tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
233 {
234 msg(M_FATAL, "Windows CryptoAPI not yet supported for PolarSSL.");
235 }
236 #endif /* WIN32 */
237
238 void
239 tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
240 const char *cert_file_inline,
241 openvpn_x509_cert_t **x509
242 )
243 {
244 ASSERT(NULL != ctx);
245 if (NULL != x509)
246 ASSERT(NULL == *x509);
247
248 if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
249 {
250 if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
251 strlen(cert_file_inline)))
252 msg (M_FATAL, "Cannot load inline certificate file");
253 }
254 else
255 {
256 if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
257 msg (M_FATAL, "Cannot load certificate file %s", cert_file);
258 }
259 if (x509)
260 {
261 *x509 = ctx->crt_chain;
262 }
263 }
264
265 void
266 tls_ctx_free_cert_file (openvpn_x509_cert_t *x509)
267 {
268 x509_free(x509);
269 }
270
271 int
272 tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
273 const char *priv_key_file_inline
274 )
275 {
276 int status;
277 ASSERT(NULL != ctx);
278
279 if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
280 {
281 status = x509parse_key(ctx->priv_key,
282 priv_key_file_inline, strlen(priv_key_file_inline),
283 NULL, 0);
284 if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status)
285 {
286 char passbuf[512] = {0};
287 pem_password_callback(passbuf, 512, 0, NULL);
288 status = x509parse_key(ctx->priv_key,
289 priv_key_file_inline, strlen(priv_key_file_inline),
290 passbuf, strlen(passbuf));
291 }
292 }
293 else
294 {
295 status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
296 if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status)
297 {
298 char passbuf[512] = {0};
299 pem_password_callback(passbuf, 512, 0, NULL);
300 status = x509parse_keyfile(ctx->priv_key, priv_key_file, passbuf);
301 }
302 }
303 if (0 != status)
304 {
305 #ifdef ENABLE_MANAGEMENT
306 if (management && (POLARSSL_ERR_PEM_PASSWORD_MISMATCH == status))
307 management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
308 #endif
309 msg (M_WARN, "Cannot load private key file %s", priv_key_file);
310 return 1;
311 }
312
313 warn_if_group_others_accessible (priv_key_file);
314
315 /* TODO: Check Private Key */
316 #if 0
317 if (!SSL_CTX_check_private_key (ctx))
318 msg (M_SSLERR, "Private key does not match the certificate");
319 #endif
320 return 0;
321 }
322
323 #ifdef MANAGMENT_EXTERNAL_KEY
324
325 int
326 tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, openvpn_x509_cert_t *cert)
327 {
328 msg(M_FATAL, "Use of management external keys not yet supported for PolarSSL.");
329 return false;
330 }
331
332 #endif
333
334 void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
335 const char *ca_file_inline,
336 const char *ca_path, bool tls_server
337 )
338 {
339 if (ca_path)
340 msg(M_FATAL, "ERROR: PolarSSL cannot handle the capath directive");
341
342 if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
343 {
344 if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))
345 msg (M_FATAL, "Cannot load inline CA certificates");
346 }
347 else
348 {
349 /* Load CA file for verifying peer supplied certificate */
350 if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
351 msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
352 }
353 }
354
355 void
356 tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
357 const char *extra_certs_file_inline
358 )
359 {
360 ASSERT(NULL != ctx);
361
362 if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
363 {
364 if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
365 strlen(extra_certs_file_inline)))
366 msg (M_FATAL, "Cannot load inline extra-certs file");
367 }
368 else
369 {
370 if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
371 msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
372 }
373 }
374
375 /* **************************************
376 *
377 * Key-state specific functions
378 *
379 ***************************************/
380
381 /*
382 * "Endless buffer"
383 */
384
385 static inline void buf_free_entry(buffer_entry *entry)
386 {
387 if (NULL != entry)
388 {
389 free(entry->data);
390 free(entry);
391 }
392 }
393
394 static void buf_free_entries(endless_buffer *buf)
395 {
396 while(buf->first_block)
397 {
398 buffer_entry *cur_block = buf->first_block;
399 buf->first_block = cur_block->next_block;
400 buf_free_entry(cur_block);
401 }
402 buf->last_block = NULL;
403 }
404
405 static int endless_buf_read( void * ctx, unsigned char * out, size_t out_len )
406 {
407 endless_buffer *in = (endless_buffer *) ctx;
408 size_t read_len = 0;
409
410 if (in->first_block == NULL)
411 return POLARSSL_ERR_NET_WANT_READ;
412
413 while (in->first_block != NULL && read_len < out_len)
414 {
415 int block_len = in->first_block->length - in->data_start;
416 if (block_len <= out_len - read_len)
417 {
418 buffer_entry *cur_entry = in->first_block;
419 memcpy(out + read_len, cur_entry->data + in->data_start,
420 block_len);
421
422 read_len += block_len;
423
424 in->first_block = cur_entry->next_block;
425 in->data_start = 0;
426
427 if (in->first_block == NULL)
428 in->last_block = NULL;
429
430 buf_free_entry(cur_entry);
431 }
432 else
433 {
434 memcpy(out + read_len, in->first_block->data + in->data_start,
435 out_len - read_len);
436 in->data_start += out_len - read_len;
437 read_len = out_len;
438 }
439 }
440
441 return read_len;
442 }
443
444 static int endless_buf_write( void *ctx, const unsigned char *in, size_t len )
445 {
446 endless_buffer *out = (endless_buffer *) ctx;
447 buffer_entry *new_block = malloc(sizeof(buffer_entry));
448 if (NULL == new_block)
449 return POLARSSL_ERR_NET_SEND_FAILED;
450
451 new_block->data = malloc(len);
452 if (NULL == new_block->data)
453 {
454 free(new_block);
455 return POLARSSL_ERR_NET_SEND_FAILED;
456 }
457
458 new_block->length = len;
459 new_block->next_block = NULL;
460
461 memcpy(new_block->data, in, len);
462
463 if (NULL == out->first_block)
464 out->first_block = new_block;
465
466 if (NULL != out->last_block)
467 out->last_block->next_block = new_block;
468
469 out->last_block = new_block;
470
471 return len;
472 }
473
474 static void my_debug( void *ctx, int level, const char *str )
475 {
476 if (level == 1)
477 {
478 dmsg (D_HANDSHAKE_VERBOSE, "PolarSSL alert: %s", str);
479 }
480 }
481
482 /*
483 * Further personalise the RNG using a hash of the public key
484 */
485 void tls_ctx_personalise_random(struct tls_root_ctx *ctx)
486 {
487 static char old_sha256_hash[32] = {0};
488 char sha256_hash[32] = {0};
489 ctr_drbg_context *cd_ctx = rand_ctx_get();
490
491 if (NULL != ctx->crt_chain)
492 {
493 x509_cert *cert = ctx->crt_chain;
494
495 sha2(cert->tbs.p, cert->tbs.len, sha256_hash, false);
496 if ( 0 != memcmp(old_sha256_hash, sha256_hash, sizeof(sha256_hash)))
497 {
498 ctr_drbg_update(cd_ctx, sha256_hash, 32);
499 memcpy(old_sha256_hash, sha256_hash, sizeof(old_sha256_hash));
500 }
501 }
502 }
503
504 void key_state_ssl_init(struct key_state_ssl *ks_ssl,
505 const struct tls_root_ctx *ssl_ctx, bool is_server, void *session)
506 {
507 ASSERT(NULL != ssl_ctx);
508 ASSERT(ks_ssl);
509 CLEAR(*ks_ssl);
510
511 ALLOC_OBJ_CLEAR(ks_ssl->ctx, ssl_context);
512 if (0 == ssl_init(ks_ssl->ctx))
513 {
514 /* Initialise SSL context */
515 ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
516 ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
517
518 ssl_set_rng (ks_ssl->ctx, ctr_drbg_random, rand_ctx_get());
519
520 if (ssl_ctx->allowed_ciphers)
521 ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
522
523 /* Initialise authentication information */
524 if (is_server)
525 ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );
526 #if defined(ENABLE_PKCS11)
527 if (ssl_ctx->priv_key_pkcs11 != NULL)
528 ssl_set_own_cert_alt( ks_ssl->ctx, ssl_ctx->crt_chain,
529 ssl_ctx->priv_key_pkcs11, ssl_pkcs11_decrypt, ssl_pkcs11_sign,
530 ssl_pkcs11_key_len );
531 else
532 #endif
533 ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
534
535 /* Initialise SSL verification */
536 ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
537 ssl_set_verify (ks_ssl->ctx, verify_callback, session);
538 /* TODO: PolarSSL does not currently support sending the CA chain to the client */
539 ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
540
541 /* Initialise BIOs */
542 ALLOC_OBJ_CLEAR (ks_ssl->ct_in, endless_buffer);
543 ALLOC_OBJ_CLEAR (ks_ssl->ct_out, endless_buffer);
544 ssl_set_bio (ks_ssl->ctx, endless_buf_read, ks_ssl->ct_in,
545 endless_buf_write, ks_ssl->ct_out);
546 }
547 }
548
549 void
550 key_state_ssl_free(struct key_state_ssl *ks_ssl)
551 {
552 if (ks_ssl) {
553 if (ks_ssl->ctx)
554 {
555 ssl_free(ks_ssl->ctx);
556 free(ks_ssl->ctx);
557 }
558 if (ks_ssl->ct_in) {
559 buf_free_entries(ks_ssl->ct_in);
560 free(ks_ssl->ct_in);
561 }
562 if (ks_ssl->ct_out) {
563 buf_free_entries(ks_ssl->ct_out);
564 free(ks_ssl->ct_out);
565 }
566 CLEAR(*ks_ssl);
567 }
568 }
569
570 int
571 key_state_write_plaintext (struct key_state_ssl *ks, struct buffer *buf)
572 {
573 int retval = 0;
574 perf_push (PERF_BIO_WRITE_PLAINTEXT);
575
576 ASSERT (NULL != ks);
577 ASSERT (buf);
578 ASSERT (buf->len >= 0);
579
580 if (0 == buf->len)
581 {
582 return 0;
583 perf_pop ();
584 }
585
586 retval = ssl_write(ks->ctx, BPTR(buf), buf->len);
587
588 if (retval < 0)
589 {
590 perf_pop ();
591 if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
592 return 0;
593 msg (D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext error");
594 return -1;
595 }
596
597 if (retval != buf->len)
598 {
599 msg (D_TLS_ERRORS,
600 "TLS ERROR: write tls_write_plaintext incomplete %d/%d",
601 retval, buf->len);
602 perf_pop ();
603 return -1;
604 }
605
606 /* successful write */
607 dmsg (D_HANDSHAKE_VERBOSE, "write tls_write_plaintext %d bytes", retval);
608
609 memset (BPTR (buf), 0, BLEN (buf)); /* erase data just written */
610 buf->len = 0;
611
612 perf_pop ();
613 return 1;
614 }
615
616 int
617 key_state_write_plaintext_const (struct key_state_ssl *ks, const uint8_t *data, int len)
618 {
619 int retval = 0;
620 perf_push (PERF_BIO_WRITE_PLAINTEXT);
621
622 ASSERT (NULL != ks);
623 ASSERT (len >= 0);
624
625 if (0 == len)
626 {
627 perf_pop ();
628 return 0;
629 }
630
631 ASSERT (data);
632
633 retval = ssl_write(ks->ctx, data, len);
634
635 if (retval < 0)
636 {
637 perf_pop ();
638 if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
639 return 0;
640 msg (D_TLS_ERRORS, "TLS ERROR: write tls_write_plaintext_const error");
641 return -1;
642 }
643
644 if (retval != len)
645 {
646 msg (D_TLS_ERRORS,
647 "TLS ERROR: write tls_write_plaintext_const incomplete %d/%d",
648 retval, len);
649 perf_pop ();
650 return -1;
651 }
652
653 /* successful write */
654 dmsg (D_HANDSHAKE_VERBOSE, "write tls_write_plaintext_const %d bytes", retval);
655
656 perf_pop ();
657 return 1;
658 }
659
660 int
661 key_state_read_ciphertext (struct key_state_ssl *ks, struct buffer *buf,
662 int maxlen)
663 {
664 int retval = 0;
665 int len = 0;
666 char error_message[1024];
667
668 perf_push (PERF_BIO_READ_CIPHERTEXT);
669
670 ASSERT (NULL != ks);
671 ASSERT (buf);
672 ASSERT (buf->len >= 0);
673
674 if (buf->len)
675 {
676 perf_pop ();
677 return 0;
678 }
679
680 len = buf_forward_capacity (buf);
681 if (maxlen < len)
682 len = maxlen;
683
684 retval = endless_buf_read(ks->ct_out, BPTR(buf), len);
685
686 /* Error during read, check for retry error */
687 if (retval < 0)
688 {
689 perf_pop ();
690 if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
691 return 0;
692 error_strerror(retval, error_message, sizeof(error_message));
693 msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_ciphertext error: %d %s", retval, error_message);
694 buf->len = 0;
695 return -1;
696 }
697 /* Nothing read, try again */
698 if (0 == retval)
699 {
700 buf->len = 0;
701 perf_pop ();
702 return 0;
703 }
704
705 /* successful read */
706 dmsg (D_HANDSHAKE_VERBOSE, "read tls_read_ciphertext %d bytes", retval);
707 buf->len = retval;
708 perf_pop ();
709 return 1;
710 }
711
712 int
713 key_state_write_ciphertext (struct key_state_ssl *ks, struct buffer *buf)
714 {
715 int retval = 0;
716 perf_push (PERF_BIO_WRITE_CIPHERTEXT);
717
718 ASSERT (NULL != ks);
719 ASSERT (buf);
720 ASSERT (buf->len >= 0);
721
722 if (0 == buf->len)
723 {
724 perf_pop ();
725 return 0;
726 }
727
728 retval = endless_buf_write(ks->ct_in, BPTR(buf), buf->len);
729
730 if (retval < 0)
731 {
732 perf_pop ();
733
734 if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
735 return 0;
736 msg (D_TLS_ERRORS, "TLS ERROR: write tls_write_ciphertext error");
737 return -1;
738 }
739
740 if (retval != buf->len)
741 {
742 msg (D_TLS_ERRORS,
743 "TLS ERROR: write tls_write_ciphertext incomplete %d/%d",
744 retval, buf->len);
745 perf_pop ();
746 return -1;
747 }
748
749 /* successful write */
750 dmsg (D_HANDSHAKE_VERBOSE, "write tls_write_ciphertext %d bytes", retval);
751
752 memset (BPTR (buf), 0, BLEN (buf)); /* erase data just written */
753 buf->len = 0;
754
755 perf_pop ();
756 return 1;
757 }
758
759 int
760 key_state_read_plaintext (struct key_state_ssl *ks, struct buffer *buf,
761 int maxlen)
762 {
763 int retval = 0;
764 int len = 0;
765 char error_message[1024];
766
767 perf_push (PERF_BIO_READ_PLAINTEXT);
768
769 ASSERT (NULL != ks);
770 ASSERT (buf);
771 ASSERT (buf->len >= 0);
772
773 if (buf->len)
774 {
775 perf_pop ();
776 return 0;
777 }
778
779 len = buf_forward_capacity (buf);
780 if (maxlen < len)
781 len = maxlen;
782
783 retval = ssl_read(ks->ctx, BPTR(buf), len);
784
785 /* Error during read, check for retry error */
786 if (retval < 0)
787 {
788 if (POLARSSL_ERR_NET_WANT_WRITE == retval || POLARSSL_ERR_NET_WANT_READ == retval)
789 return 0;
790 error_strerror(retval, error_message, sizeof(error_message));
791 msg (D_TLS_ERRORS, "TLS_ERROR: read tls_read_plaintext error: %d %s", retval, error_message);
792 buf->len = 0;
793 perf_pop ();
794 return -1;
795 }
796 /* Nothing read, try again */
797 if (0 == retval)
798 {
799 buf->len = 0;
800 perf_pop ();
801 return 0;
802 }
803
804 /* successful read */
805 dmsg (D_HANDSHAKE_VERBOSE, "read tls_read_plaintext %d bytes", retval);
806 buf->len = retval;
807
808 perf_pop ();
809 return 1;
810 }
811
812 /* **************************************
813 *
814 * Information functions
815 *
816 * Print information for the end user.
817 *
818 ***************************************/
819 void
820 print_details (struct key_state_ssl * ks_ssl, const char *prefix)
821 {
822 const x509_cert *cert;
823 char s1[256];
824 char s2[256];
825
826 s1[0] = s2[0] = 0;
827 openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s",
828 prefix,
829 ssl_get_version (ks_ssl->ctx),
830 ssl_get_ciphersuite(ks_ssl->ctx));
831
832 cert = ssl_get_peer_cert(ks_ssl->ctx);
833 if (cert != NULL)
834 {
835 openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
836 }
837
838 msg (D_HANDSHAKE, "%s%s", s1, s2);
839 }
840
841 void
842 show_available_tls_ciphers ()
843 {
844 const int *ciphers = ssl_list_ciphersuites();
845
846 #ifndef ENABLE_SMALL
847 printf ("Available TLS Ciphers,\n");
848 printf ("listed in order of preference:\n\n");
849 #endif
850
851 while (*ciphers != 0)
852 {
853 printf ("%s\n", ssl_get_ciphersuite_name(*ciphers));
854 ciphers++;
855 }
856 printf ("\n");
857 }
858
859 void
860 get_highest_preference_tls_cipher (char *buf, int size)
861 {
862 const char *cipher_name;
863 const int *ciphers = ssl_list_ciphersuites();
864 if (*ciphers == 0)
865 msg (M_FATAL, "Cannot retrieve list of supported SSL ciphers.");
866
867 cipher_name = ssl_get_ciphersuite_name(*ciphers);
868 strncpynt (buf, cipher_name, size);
869 }
870
871 #endif /* defined(ENABLE_SSL) && defined(ENABLE_CRYPTO_POLARSSL) */
Tomato firmware and modifications.