char *
backend_x509_get_serial (openvpn_x509_cert_t *cert, struct gc_arena *gc)
{
char *buf = NULL;
size_t buflen = 0;
mpi serial_mpi = { 0 };
/* Transform asn1 integer serial into PolarSSL MPI */
mpi_init(&serial_mpi);
if (!polar_ok(mpi_read_binary(&serial_mpi, cert->serial.p, cert->serial.len)))
{
msg(M_WARN, "Failed to retrieve serial from certificate.");
return NULL;
}
/* Determine decimal representation length, allocate buffer */
mpi_write_string(&serial_mpi, 10, buf, &buflen);
buf = gc_malloc(buflen, true, gc);
/* Write MPI serial as decimal string into buffer */
if (!polar_ok(mpi_write_string(&serial_mpi, 10, buf, &buflen)))
{
msg(M_WARN, "Failed to write serial to string.");
return NULL;
}
return buf;
}
void
cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH],
unsigned char *src,
unsigned char *dst)
{
des_context ctx;
ASSERT (polar_ok(des_setkey_enc(&ctx, key)));
ASSERT (polar_ok(des_crypt_ecb(&ctx, src, dst)));
}
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
if (!polar_ok(cipher_reset(ctx)))
return 0;
if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size)))
return 0;
return 1;
}
/*
* check peer cert against CRL
*/
result_t
x509_verify_crl(const char *crl_file, const char* crl_inline,
x509_crt *cert, const char *subject)
{
result_t retval = FAILURE;
x509_crl crl = {0};
struct gc_arena gc = gc_new();
char *serial;
if (!strcmp (crl_file, INLINE_FILE_TAG) && crl_inline)
{
if (!polar_ok(x509_crl_parse(&crl, crl_inline, strlen(crl_inline))))
{
msg (M_WARN, "CRL: cannot parse inline CRL");
goto end;
}
}
else
{
if (!polar_ok(x509_crl_parse_file(&crl, crl_file)))
{
msg (M_WARN, "CRL: cannot read CRL from file %s", crl_file);
goto end;
}
}
if(cert->issuer_raw.len != crl.issuer_raw.len ||
memcmp(crl.issuer_raw.p, cert->issuer_raw.p, crl.issuer_raw.len) != 0)
{
msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of "
"certificate %s", crl_file, subject);
retval = SUCCESS;
goto end;
}
if (!polar_ok(x509_crt_revoked(cert, &crl)))
{
serial = backend_x509_get_serial_hex(cert, &gc);
msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
goto end;
}
retval = SUCCESS;
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
gc_free(&gc);
x509_crl_free(&crl);
return retval;
}
/*
* Initialise the given ctr_drbg context, using a personalisation string and an
* entropy gathering function.
*/
ctr_drbg_context * rand_ctx_get()
{
static entropy_context ec = {0};
static ctr_drbg_context cd_ctx = {0};
static bool rand_initialised = false;
if (!rand_initialised)
{
struct gc_arena gc = gc_new();
struct buffer pers_string = alloc_buf_gc(100, &gc);
/*
* Personalisation string, should be as unique as possible (see NIST
* 800-90 section 8.7.1). We have very little information at this stage.
* Include Program Name, memory address of the context and PID.
*/
buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc));
/* Initialise PolarSSL RNG, and built-in entropy sources */
entropy_init(&ec);
if (!polar_ok(ctr_drbg_init(&cd_ctx, entropy_func, &ec,
BPTR(&pers_string), BLEN(&pers_string))))
msg (M_FATAL, "Failed to initialize random generator");
gc_free(&gc);
rand_initialised = true;
}
return &cd_ctx;
}
void
cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,
const cipher_info_t *kt, int enc)
{
ASSERT(NULL != kt && NULL != ctx);
CLEAR (*ctx);
if (!polar_ok(cipher_init_ctx(ctx, kt)))
msg (M_FATAL, "PolarSSL cipher context init #1");
if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc)))
msg (M_FATAL, "PolarSSL cipher set key");
/* make sure we used a big enough key */
ASSERT (ctx->key_length <= key_len*8);
}
int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len)
{
size_t s_dst_len = *dst_len;
if (!polar_ok(cipher_finish(ctx, dst, &s_dst_len)))
return 0;
*dst_len = s_dst_len;
return 1;
}
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
uint8_t *src, int src_len)
{
size_t s_dst_len = *dst_len;
if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len)))
return 0;
*dst_len = s_dst_len;
return 1;
}
