char * backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc) { char *buf = NULL; size_t buflen = 0; mpi serial_mpi = { 0 }; /* Transform asn1 integer serial into PolarSSL MPI */ mpi_init(&serial_mpi); if (!polar_ok(mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len))) { msg(M_WARN, "Failed to retrieve serial from certificate."); return NULL; } /* Determine decimal representation length, allocate buffer */ mpi_write_string(&serial_mpi, 10, buf, &buflen); buf = gc_malloc(buflen, true, gc); /* Write MPI serial as decimal string into buffer */ if (!polar_ok(mpi_write_string(&serial_mpi, 10, buf, &buflen))) { msg(M_WARN, "Failed to write serial to string."); return NULL; } return buf; }
void cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], unsigned char *src, unsigned char *dst) { des_context ctx; ASSERT (polar_ok(des_setkey_enc(&ctx, key))); ASSERT (polar_ok(des_crypt_ecb(&ctx, src, dst))); }
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf) { if (!polar_ok(cipher_reset(ctx))) return 0; if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size))) return 0; return 1; }
/* * check peer cert against CRL */ result_t x509_verify_crl(const char *crl_file, const char* crl_inline, x509_crt *cert, const char *subject) { result_t retval = FAILURE; x509_crl crl = {0}; struct gc_arena gc = gc_new(); char *serial; if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline) { if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline)))) { msg (M_WARN, "CRL: cannot parse inline CRL"); goto end; } } else { if (!polar_ok(x509_crl_parse_file(&crl, crl_file))) { msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file); goto end; } } if(cert->issuer_raw.len != crl.issuer_raw.len || memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0) { msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of " "certificate %s", crl_file, subject); retval = SUCCESS; goto end; } if (!polar_ok(x509_crt_revoked(cert, &crl))) { serial = backend_x509_get_serial_hex(cert, &gc); msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE")); goto end; } retval = SUCCESS; msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject); end: gc_free(&gc); x509_crl_free(&crl); return retval; }
/* * Initialise the given ctr_drbg context, using a personalisation string and an * entropy gathering function. */ ctr_drbg_context * rand_ctx_get() { static entropy_context ec = {0}; static ctr_drbg_context cd_ctx = {0}; static bool rand_initialised = false; if (!rand_initialised) { struct gc_arena gc = gc_new(); struct buffer pers_string = alloc_buf_gc(100, &gc); /* * Personalisation string, should be as unique as possible (see NIST * 800-90 section 8.7.1). We have very little information at this stage. * Include Program Name, memory address of the context and PID. */ buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc)); /* Initialise PolarSSL RNG, and built-in entropy sources */ entropy_init(&ec); if (!polar_ok(ctr_drbg_init(&cd_ctx, entropy_func, &ec, BPTR(&pers_string), BLEN(&pers_string)))) msg (M_FATAL, "Failed to initialize random generator"); gc_free(&gc); rand_initialised = true; } return &cd_ctx; }
void cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len, const cipher_info_t *kt, int enc) { ASSERT(NULL != kt && NULL != ctx); CLEAR (*ctx); if (!polar_ok(cipher_init_ctx(ctx, kt))) msg (M_FATAL, "PolarSSL cipher context init #1"); if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc))) msg (M_FATAL, "PolarSSL cipher set key"); /* make sure we used a big enough key */ ASSERT (ctx->key_length <= key_len*8); }
int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len) { size_t s_dst_len = *dst_len; if (!polar_ok(cipher_finish(ctx, dst, &s_dst_len))) return 0; *dst_len = s_dst_len; return 1; }
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len) { size_t s_dst_len = *dst_len; if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len))) return 0; *dst_len = s_dst_len; return 1; }