plaisthos has uploaded a new patch set (#2). ( http://gerrit.openvpn.net/c/openvpn/+/1431?usp=email )
Change subject: Change ssl_ctx in struct tls_options to be a pointer ...................................................................... Change ssl_ctx in struct tls_options to be a pointer The SSL CTX is shared between all of the instances. So any change to the SSL CTX will affect all instances. Currently the CRL is also reloaded potentially multiple times as each copy of tls_root_ctx has its own crl_last_mtime and crl_last_size values that will be checked if the CRL reload is necessary. Changing it to a pointer will make it more clear that this is shared and also the CRL being reload multiple times. Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Signed-off-by: Arne Schwabe <[email protected]> --- M src/openvpn/init.c M src/openvpn/openvpn.h M src/openvpn/ssl.c M src/openvpn/ssl.h M src/openvpn/ssl_common.h M src/openvpn/ssl_openssl.c M src/openvpn/ssl_verify_openssl.c 7 files changed, 31 insertions(+), 23 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/31/1431/2 diff --git a/src/openvpn/init.c b/src/openvpn/init.c index fc079e1..0dcc5ad 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2964,9 +2964,10 @@ key_schedule_free(struct key_schedule *ks, bool free_ssl_ctx) { free_key_ctx_bi(&ks->static_key); - if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx) + if (tls_ctx_initialised(ks->ssl_ctx) && free_ssl_ctx) { - tls_ctx_free(&ks->ssl_ctx); + tls_ctx_free(ks->ssl_ctx); + free(ks->ssl_ctx); free_key_ctx(&ks->auth_token_key); } CLEAR(*ks); @@ -3121,14 +3122,14 @@ { const struct options *options = &c->options; - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { /* * Initialize the OpenSSL library's global - * SSL context. - */ - init_ssl(options, &(c->c1.ks.ssl_ctx), c->c0 && c->c0->uid_gid_chroot_set); - if (!tls_ctx_initialised(&c->c1.ks.ssl_ctx)) + * SSL context. */ + ASSERT(NULL == c->c1.ks.ssl_ctx); + c->c1.ks.ssl_ctx = init_ssl(options, c->c0 && c->c0->uid_gid_chroot_set); + if (!tls_ctx_initialised(c->c1.ks.ssl_ctx)) { switch (auth_retry_get()) { diff --git a/src/openvpn/openvpn.h b/src/openvpn/openvpn.h index a198fcf..2c1547b 100644 --- a/src/openvpn/openvpn.h +++ b/src/openvpn/openvpn.h @@ -60,7 +60,7 @@ struct key_ctx_bi static_key; /* our global SSL context */ - struct tls_root_ctx ssl_ctx; + struct tls_root_ctx *ssl_ctx; /* optional TLS control channel wrapping */ struct key_type tls_auth_key_type; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 741f40a..9d3a6ef 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -507,11 +507,9 @@ * Initialize SSL context. * All files are in PEM format. */ -void -init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot) +struct tls_root_ctx * +init_ssl(const struct options *options, bool in_chroot) { - ASSERT(NULL != new_ctx); - tls_clear_error(); if (key_is_external(options)) @@ -519,6 +517,9 @@ load_xkey_provider(); } + struct tls_root_ctx *new_ctx; + ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx); + if (options->tls_server) { tls_ctx_server_new(new_ctx); @@ -664,12 +665,13 @@ #endif tls_clear_error(); - return; + return new_ctx; err: tls_clear_error(); tls_ctx_free(new_ctx); - return; + free(new_ctx); + return NULL; } /* @@ -821,7 +823,7 @@ * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */ - key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session); + key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session); /* Set control-channel initiation mode */ ks->initial_opcode = session->initial_opcode; @@ -872,11 +874,12 @@ /* * Attempt CRL reload before TLS negotiation. Won't be performed if - * the file was not modified since the last reload + * the file was not modified since the last reload. This affects + * all instances sharing the same context */ if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR)) { - tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file, + tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file, session->opt->crl_file_inline); } } diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index db8a798..9ee9f38 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -144,7 +144,7 @@ * Build master SSL context object that serves for the whole of OpenVPN * instantiation */ -void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot); +struct tls_root_ctx *init_ssl(const struct options *options, bool in_chroot); /** @addtogroup control_processor * @{ */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 3129299..32643b4 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -305,8 +305,10 @@ */ struct tls_options { - /* our master TLS context from which all SSL objects derived */ - struct tls_root_ctx ssl_ctx; + /* our master TLS context from which all SSL objects derived, + * this context is shared between all instances so point + * the real master context */ + struct tls_root_ctx *ssl_ctx; /* data channel cipher, hmac, and key lengths */ struct key_type key_type; diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a4a6863..48bbdfc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -147,8 +147,10 @@ bool tls_ctx_initialised(struct tls_root_ctx *ctx) { - ASSERT(NULL != ctx); - return NULL != ctx->ctx; + /* either this should be NULL or should be non-null and then have a + * valid TLS ctx inside as well */ + ASSERT(ctx == NULL || ctx->ctx != NULL); + return ctx != NULL; } bool diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 6cb04ee..633f78d 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -799,7 +799,7 @@ return false; } - X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx.ctx); + X509_STORE *store = SSL_CTX_get_cert_store(opt->ssl_ctx->ctx); if (!store) { crypto_msg(M_FATAL, "Cannot get certificate store"); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1431?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I21251a42f94fa1d9de083d2acd95b887658c5760 Gerrit-Change-Number: 1431 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
