Squashed 'OpenVPN Adapter/Vendors/openvpn/' changes from e6d68831a..35bbca799

35bbca799 Merged in OVPN3-184-generate-warning (pull request #1)
a73d2ce68 Merged in antonio/OVPN3-169-pure-ssl-transport (pull request #3)
8d7f5f3c1 Merged in feature/docker (pull request #2)
d9b5055cd [OVPN3-169] cli.cpp: compile with -DOPENVPN_TLS_LINK when requested
2d99bbfea [OVPN3-169] cliopt.hpp: add support for TLS transport module
62c8461d2 [OVPN3-169] tcpcli.hpp: add runtime support for TLSLink
e0e76bb28 [OVPN3-169] tcplink: introduce LinkBase abstract class
a71014d40 [OVPN3-169] tcplink: create LinkCommon class and inherit from it
cfd6df5bc build system: fix 'git apply'
3e49de7de [OVPN3-210] ovpncli: handle "allow-name-constraints" for OpenSSL
08d72bd76 [OVPN3-184] mbedtls: handle Name Constraints
40c70113d [OVPN3-184] Add mbedTLS patch
ef8d11f34 [OVPN3-169] OpenSSL: implement write_ciphertext_unbuffered() function
37dc86378 [OVPN3-169] mbedTLS: implement write_ciphertext_unbuffered() function
5834ed401 [OVPN3-169] SSLAPI: add write_ciphertext_unbuffered() function
071050b5f vars-linux-dbg: update linux debug profile
5bbfe68c3 [OVPN3-169] Protocol: add support for TLS transport protocol type
dc12d3189 [OVPN3-223] build: add docker images

git-subtree-dir: OpenVPN Adapter/Vendors/openvpn
git-subtree-split: 35bbca799dfa3fbe8e17f8d6e94c3946c397b593
Sergey Abramchuk
2018-05-03 11:46:13 +03:00
parent 84ad2a289f
commit 56284506fc
26 changed files with 1162 additions and 412 deletions
+42 -10
@@ -35,6 +35,7 @@
#include <mbedtls/oid.h>
#include <mbedtls/sha1.h>
#include <mbedtls/debug.h>
#include <mbedtls/asn1.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
@@ -211,7 +212,8 @@ namespace openvpn {
tls_cert_profile(TLSCertProfile::UNDEF),
local_cert_enabled(true),
enable_renegotiation(false),
force_aes_cbc_ciphersuites(false) {}
force_aes_cbc_ciphersuites(false),
allow_name_constraints(false) {}
virtual SSLFactoryAPI::Ptr new_factory()
{
@@ -456,6 +458,8 @@ namespace openvpn {
&& opt.exists("client-cert-not-required"))
flags |= SSLConst::NO_VERIFY_PEER;
allow_name_constraints = lflags & LF_ALLOW_NAME_CONSTRAINTS;
// ca
{
std::string ca_txt = opt.cat("ca");
@@ -532,6 +536,16 @@ namespace openvpn {
}
}
bool name_constraints_allowed() const
{
return allow_name_constraints;
}
bool is_server() const
{
return mode.is_server();
}
private:
const mbedtls_x509_crt_profile *select_crt_profile() const
{
@@ -553,8 +567,12 @@ namespace openvpn {
}
Mode mode;
protected:
MbedTLSPKI::X509Cert::Ptr crt_chain; // local cert chain (including client cert + extra certs)
MbedTLSPKI::X509Cert::Ptr ca_chain; // CA chain for remote verification
private:
MbedTLSPKI::X509CRL::Ptr crl_chain; // CRL chain for remote verification
MbedTLSPKI::PKContext::Ptr priv_key; // private key
std::string priv_key_pwd; // private key password
@@ -573,6 +591,7 @@ namespace openvpn {
bool local_cert_enabled;
bool enable_renegotiation;
bool force_aes_cbc_ciphersuites;
bool allow_name_constraints;
RandomAPI::Ptr rng; // random data source
};
@@ -649,6 +668,14 @@ namespace openvpn {
overflow = true;
}
virtual void write_ciphertext_unbuffered(const unsigned char *data, const size_t size)
{
if (ct_in.size() < MAX_CIPHERTEXT_IN)
ct_in.write(data, size);
else
overflow = true;
}
virtual bool read_ciphertext_ready() const
{
return !ct_out.empty();
@@ -676,12 +703,12 @@ namespace openvpn {
return authcert;
}
~SSL()
virtual ~SSL()
{
erase();
}
private:
protected:
SSL(MbedTLSContext* ctx, const char *hostname)
{
clear();
@@ -863,6 +890,10 @@ namespace openvpn {
}
}
mbedtls_ssl_config *sslconf; // SSL configuration parameters for SSL connection object
MbedTLSContext *parent;
private:
// cleartext read callback
static int ct_read_func(void *arg, unsigned char *data, size_t length)
{
@@ -925,9 +956,7 @@ namespace openvpn {
clear();
}
MbedTLSContext *parent;
mbedtls_ssl_context *ssl; // underlying SSL connection object
mbedtls_ssl_config *sslconf; // SSL configuration parameters for SSL connection object
MbedTLSPKI::PKContext epki_ctx; // external PKI context
RandomAPI::Ptr rng; // random data source
MemQStream ct_in; // write ciphertext to here
@@ -954,13 +983,13 @@ namespace openvpn {
{
return config->mode;
}
~MbedTLSContext()
virtual ~MbedTLSContext()
{
erase();
}
private:
protected:
MbedTLSContext(Config* config_arg)
: config(config_arg)
{
@@ -972,6 +1001,7 @@ namespace openvpn {
}
}
private:
size_t key_len() const
{
return mbedtls_pk_get_bitlen(&config->crt_chain->get()->pk) / 8;
@@ -1114,6 +1144,7 @@ namespace openvpn {
return os.str();
}
protected:
static int verify_callback_client(void *arg, mbedtls_x509_crt *cert, int depth, uint32_t *flags)
{
MbedTLSContext::SSL *ssl = (MbedTLSContext::SSL *)arg;
@@ -1231,6 +1262,9 @@ namespace openvpn {
return 0;
}
Config::Ptr config;
private:
static std::string cert_info(const mbedtls_x509_crt *cert, const char *prefix = nullptr)
{
const size_t buf_size = 4096;
@@ -1354,8 +1388,6 @@ namespace openvpn {
MbedTLSContext *self = (MbedTLSContext *) arg;
return self->key_len();
}
Config::Ptr config;
};
} // namespace openvpn
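Review bot: The cap in the new write_ciphertext_unbuffered (hunk `@@ -649,6 +668,14 @@`) is tested before the write, `if (ct_in.size() < MAX_CIPHERTEXT_IN)`, so one call starting just under the limit is still accepted in full and the excess is only signalled by `overflow = true;` on the next call; if the TLS-transport path can hand this function a large read, either check the incoming length too, `if (ct_in.size() + size <= MAX_CIPHERTEXT_IN)`, or document the soft cap with `// soft cap: a write that starts below MAX_CIPHERTEXT_IN is taken whole; overflow is raised only once the queue is already full`. The body appears to mirror the preceding write path, whose tail `overflow = true;` is visible just above the added lines, so if the two are identical a shared private helper would keep the bound check in one place. The new `allow_name_constraints` member and `name_constraints_allowed()` accessor (hunks `@@ -456,6 +458,8 @@` and `@@ -532,6 +536,16 @@`) say nothing about what accepting name-constrained certificates changes; since the code that consults the accessor is outside this section, a comment on it such as `// set from LF_ALLOW_NAME_CONSTRAINTS; presumably consulted by the certificate verification path — confirm against the caller` would help readers judge the trust impact. As a style point, `allow_name_constraints = lflags & LF_ALLOW_NAME_CONSTRAINTS;` relies on implicit int-to-bool conversion of a masked flag word; `allow_name_constraints = (lflags & LF_ALLOW_NAME_CONSTRAINTS) != 0;` states the intent and matches how the neighbouring `flags |= SSLConst::NO_VERIFY_PEER;` keeps flag arithmetic explicit.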