ssl.c File Reference
#include "syshead.h"
#include "win32.h"
#include "error.h"
#include "common.h"
#include "socket.h"
#include "misc.h"
#include "fdmisc.h"
#include "interval.h"
#include "perf.h"
#include "status.h"
#include "gremlin.h"
#include "pkcs11.h"
#include "route.h"
#include "tls_crypt.h"
#include "ssl.h"
#include "ssl_verify.h"
#include "ssl_backend.h"
#include "memdbg.h"


Macros

#define INCR_SENT
 
#define INCR_GENERATED
 
#define INCR_SUCCESS
 
#define INCR_ERROR
 
#define SWAP_BUF_SIZE   256
 
#define FULL_SYNC   (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
 

Functions

static const char * local_options_string (const struct tls_session *session)
 
static void key_ctx_update_implicit_iv (struct key_ctx *ctx, uint8_t *key, size_t key_len)
 Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. More...
 
const tls_cipher_name_pair * tls_get_cipher_name_pair (const char *cipher_name, size_t len)
 
static void tls_limit_reneg_bytes (const cipher_kt_t *cipher, int *reneg_bytes)
 Limit the reneg_bytes value when using a small-block (<128 bytes) cipher. More...
 
void tls_adjust_frame_parameters (struct frame *frame)
 
static void tls_init_control_channel_frame_parameters (const struct frame *data_channel_frame, struct frame *frame)
 
void init_ssl_lib (void)
 
void free_ssl_lib (void)
 
void pem_password_setup (const char *auth_file)
 
int pem_password_callback (char *buf, int size, int rwflag, void *u)
 Callback to retrieve the user's password. More...
 
void auth_user_pass_setup (const char *auth_file, const struct static_challenge_info *sci)
 
void ssl_set_auth_nocache (void)
 
void ssl_set_auth_token (const char *token)
 
bool ssl_clean_auth_token (void)
 
void ssl_purge_auth (const bool auth_user_pass_only)
 
void ssl_purge_auth_challenge (void)
 
void ssl_put_auth_challenge (const char *cr_str)
 
int tls_version_parse (const char *vstr, const char *extra)
 
static void tls_ctx_reload_crl (struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_file_inline)
 Load (or possibly reload) the CRL file into the SSL context. More...
 
void init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 Build master SSL context object that serves for the whole of OpenVPN instantiation. More...
 
static const char * state_name (int state)
 
static const char * packet_opcode_name (int op)
 
static const char * session_index_name (int index)
 
static const char * print_key_id (struct tls_multi *multi, struct gc_arena *gc)
 
bool is_hard_reset (int op, int key_method)
 Given a key_method, return true if opcode represents the required form of hard_reset. More...
 
static bool tls_session_user_pass_enabled (struct tls_session *session)
 Returns whether or not the server should check for username/password. More...
 
static void move_session (struct tls_multi *multi, int dest, int src, bool reinit_src)
 
static void reset_session (struct tls_multi *multi, struct tls_session *session)
 
static void compute_earliest_wakeup (interval_t *earliest, interval_t seconds_from_now)
 
static bool lame_duck_must_die (const struct tls_session *session, interval_t *wakeup)
 
struct tls_multi * tls_multi_init (struct tls_options *tls_options)
 Allocate and initialize a tls_multi structure. More...
 
void tls_multi_init_finalize (struct tls_multi *multi, const struct frame *frame)
 Finalize initialization of a tls_multi structure. More...
 
struct tls_auth_standalone * tls_auth_standalone_init (struct tls_options *tls_options, struct gc_arena *gc)
 
void tls_auth_standalone_finalize (struct tls_auth_standalone *tas, const struct frame *frame)
 
void tls_multi_init_set_options (struct tls_multi *multi, const char *local, const char *remote)
 
void tls_multi_free (struct tls_multi *multi, bool clear)
 Cleanup a tls_multi structure and free associated memory allocations. More...
 
static bool swap_hmac (struct buffer *buf, const struct crypto_options *co, bool incoming)
 
static void write_control_auth (struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
 
static bool read_control_auth (struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
 
static void key_source_print (const struct key_source *k, const char *prefix)
 
static void key_source2_print (const struct key_source2 *k)
 
static void tls1_P_hash (const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen)
 
static void tls1_PRF (const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen)
 
static void openvpn_PRF (const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
 
static bool generate_key_expansion (struct key_ctx_bi *key, const struct key_type *key_type, const struct key_source2 *key_src, const struct session_id *client_sid, const struct session_id *server_sid, bool server)
 
bool tls_item_in_cipher_list (const char *item, const char *list)
 Return true iff item is present in the colon-separated zero-terminated cipher list. More...
 
void tls_poor_mans_ncp (struct options *o, const char *remote_ciphername)
 "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. More...
 
static bool tls_session_generate_data_channel_keys (struct tls_session *session)
 Generate data channel keys for the supplied TLS session. More...
 
bool tls_session_update_crypto_params (struct tls_session *session, struct options *options, struct frame *frame)
 Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supplied options. More...
 
static bool random_bytes_to_buf (struct buffer *buf, uint8_t *out, int outlen)
 
static bool key_source2_randomize_write (struct key_source2 *k2, struct buffer *buf, bool server)
 
static int key_source2_read (struct key_source2 *k2, struct buffer *buf, bool server)
 
static void flush_payload_buffer (struct key_state *ks)
 
static void key_state_soft_reset (struct tls_session *session)
 
static bool write_empty_string (struct buffer *buf)
 
static bool write_string (struct buffer *buf, const char *str, const int maxlen)
 
static bool read_string (struct buffer *buf, char *str, const unsigned int capacity)
 
static char * read_string_alloc (struct buffer *buf)
 
static bool key_method_1_write (struct buffer *buf, struct tls_session *session)
 
static bool push_peer_info (struct buffer *buf, struct tls_session *session)
 
static bool key_method_2_write (struct buffer *buf, struct tls_session *session)
 
static bool key_method_1_read (struct buffer *buf, struct tls_session *session)
 
static bool key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
 
static int auth_deferred_expire_window (const struct tls_options *o)
 
static bool tls_process (struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
 
int tls_multi_process (struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
 
bool tls_pre_decrypt (struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
 Determine whether an incoming packet is a data channel or control channel packet, and process accordingly. More...
 
bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
 Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel should be created. More...
 
void tls_pre_encrypt (struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
 Choose the appropriate security parameters with which to process an outgoing packet. More...
 
void tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf)
 Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet. More...
 
void tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf)
 Prepend an OpenVPN data channel P_DATA_V2 header to the packet. More...
 
void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf)
 Perform some accounting for the key state used. More...
 
bool tls_send_payload (struct tls_multi *multi, const uint8_t *data, int size)
 
bool tls_rec_payload (struct tls_multi *multi, struct buffer *buf)
 
void tls_update_remote_addr (struct tls_multi *multi, const struct link_socket_actual *addr)
 Updates remote address in TLS sessions. More...
 
int tls_peer_info_ncp_ver (const char *peer_info)
 Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified. More...
 
bool tls_check_ncp_cipher_list (const char *list)
 Check whether the ciphers in the supplied list are supported. More...
 
void show_available_tls_ciphers (const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
 
const char * protocol_dump (struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
 
void delayed_auth_pass_purge (void)
 
Functions for initialization and cleanup of key_state structures
static void key_state_init (struct tls_session *session, struct key_state *ks)
 Initialize a key_state structure. More...
 
static void key_state_free (struct key_state *ks, bool clear)
 Cleanup a key_state structure. More...
 
Functions for initialization and cleanup of tls_session structures
static void tls_session_init (struct tls_multi *multi, struct tls_session *session)
 Initialize a tls_session structure. More...
 
static void tls_session_free (struct tls_session *session, bool clear)
 Clean up a tls_session structure. More...
 

Variables

static const tls_cipher_name_pair tls_cipher_name_translation_table []
 SSL/TLS Cipher suite name translation table. More...
 
static struct user_pass passbuf
 
static bool auth_user_pass_enabled
 
static struct user_pass auth_user_pass
 
static struct user_pass auth_token
 
static char * auth_challenge
 

Macro Definition Documentation

◆ FULL_SYNC

#define FULL_SYNC   (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))

Definition at line 2136 of file ssl.c.

Referenced by tls_process().

◆ INCR_ERROR

#define INCR_ERROR

Definition at line 104 of file ssl.c.

Referenced by tls_process().

◆ INCR_GENERATED

#define INCR_GENERATED

Definition at line 102 of file ssl.c.

Referenced by tls_process().

◆ INCR_SENT

#define INCR_SENT

Definition at line 101 of file ssl.c.

Referenced by tls_process().

◆ INCR_SUCCESS

#define INCR_SUCCESS

Definition at line 103 of file ssl.c.

Referenced by tls_process().

◆ SWAP_BUF_SIZE

#define SWAP_BUF_SIZE   256

Definition at line 1402 of file ssl.c.

Referenced by swap_hmac().

Function Documentation

◆ auth_deferred_expire_window()

static int auth_deferred_expire_window ( const struct tls_options *o)
static

Definition at line 2732 of file ssl.c.

References tls_options::handshake_window, and tls_options::renegotiate_seconds.

Referenced by tls_process().

◆ auth_user_pass_setup()

void auth_user_pass_setup ( const char *  auth_file,
const struct static_challenge_info *sci 
)

◆ compute_earliest_wakeup()

static void compute_earliest_wakeup ( interval_t *earliest,
interval_t  seconds_from_now 
)
inline, static

Definition at line 1209 of file ssl.c.

Referenced by lame_duck_must_die(), and tls_process().

◆ delayed_auth_pass_purge()

void delayed_auth_pass_purge ( void  )

Definition at line 4325 of file ssl.c.

References auth_user_pass, purge_user_pass(), and user_pass::wait_for_push.

Referenced by initialization_sequence_completed().

◆ flush_payload_buffer()

static void flush_payload_buffer ( struct key_state *ks)
static

◆ free_ssl_lib()

void free_ssl_lib ( void  )

Definition at line 356 of file ssl.c.

References crypto_uninit_lib(), prng_uninit(), and tls_free_lib().

Referenced by uninit_static().

◆ generate_key_expansion()

static bool generate_key_expansion ( struct key_ctx_bi *key,
const struct key_type *key_type,
const struct key_source2 *key_src,
const struct session_id *client_sid,
const struct session_id *server_sid,
bool  server 
)
static

◆ init_ssl()

void init_ssl ( const struct options *options,
struct tls_root_ctx *new_ctx 
)

◆ init_ssl_lib()

void init_ssl_lib ( void  )

Definition at line 348 of file ssl.c.

References crypto_init_lib(), and tls_init_lib().

Referenced by init_static().

◆ is_hard_reset()

bool is_hard_reset ( int  op,
int  key_method 
)

Given a key_method, return true if opcode represents the required form of hard_reset.

If key_method == 0, return true if any form of hard reset is used.

Definition at line 855 of file ssl.c.

References P_CONTROL_HARD_RESET_CLIENT_V1, P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3, P_CONTROL_HARD_RESET_SERVER_V1, and P_CONTROL_HARD_RESET_SERVER_V2.

Referenced by process_incoming_link_part1(), and tls_pre_decrypt().

◆ key_ctx_update_implicit_iv()

static void key_ctx_update_implicit_iv ( struct key_ctx *ctx,
uint8_t *key,
size_t  key_len 
)
static

Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used.

Note that the implicit IV is based on the HMAC key, but only in AEAD modes where the HMAC key is not used for an actual HMAC.

Parameters
ctx	Encrypt/decrypt key context
key	HMAC key, used to calculate implicit IV
key_len	HMAC key length

Definition at line 1905 of file ssl.c.

References ASSERT, key_ctx::cipher, cipher_ctx_get_cipher_kt(), cipher_kt_iv_size(), cipher_kt_mode_aead(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, OPENVPN_AEAD_MIN_IV_LEN, and OPENVPN_MAX_IV_LENGTH.

Referenced by generate_key_expansion().

◆ key_method_1_read()

static bool key_method_1_read ( struct buffer *buf,
struct tls_session *session 
)
static

◆ key_method_1_write()

static bool key_method_1_write ( struct buffer *buf,
struct tls_session *session 
)
static

◆ key_method_2_read()

static bool key_method_2_read ( struct buffer *buf,
struct tls_multi *multi,
struct tls_session *session 
)
static

◆ key_method_2_write()

static bool key_method_2_write ( struct buffer *buf,
struct tls_session *session 
)
static

◆ key_source2_print()

static void key_source2_print ( const struct key_source2 *k)
static

Definition at line 1636 of file ssl.c.

References key_source2::client, key_source_print(), and key_source2::server.

Referenced by generate_key_expansion().

◆ key_source2_randomize_write()

static bool key_source2_randomize_write ( struct key_source2 *k2,
struct buffer *buf,
bool  server 
)
static

◆ key_source2_read()

static int key_source2_read ( struct key_source2 *k2,
struct buffer *buf,
bool  server 
)
static

◆ key_source_print()

static void key_source_print ( const struct key_source *k,
const char *  prefix 
)
static

◆ key_state_soft_reset()

static void key_state_soft_reset ( struct tls_session *session)
static

◆ lame_duck_must_die()

static bool lame_duck_must_die ( const struct tls_session *session,
interval_t *wakeup 
)
inline, static

◆ local_options_string()

static const char* local_options_string ( const struct tls_session *session)
inline, static

Definition at line 70 of file ssl.c.

References D_TLS_DEBUG_LOW, tls_options::local_options, msg, and tls_session::opt.

Referenced by key_method_1_write(), and key_method_2_write().

◆ move_session()

static void move_session ( struct tls_multi *multi,
int  dest,
int  src,
bool  reinit_src 
)
static

◆ openvpn_PRF()

static void openvpn_PRF ( const uint8_t *secret,
int  secret_len,
const char *  label,
const uint8_t *client_seed,
int  client_seed_len,
const uint8_t *server_seed,
int  server_seed_len,
const struct session_id *client_sid,
const struct session_id *server_sid,
uint8_t *output,
int  output_len 
)
static

◆ packet_opcode_name()

static const char* packet_opcode_name ( int  op)
static

◆ pem_password_callback()

int pem_password_callback ( char *  buf,
int  size,
int  rwflag,
void *  u 
)

Callback to retrieve the user's password.

Parameters
buf	Buffer to return the password in
size	Size of the buffer
rwflag	Unused, needed for OpenSSL compatibility
u	Unused, needed for OpenSSL compatibility

Definition at line 381 of file ssl.c.

References passbuf, user_pass::password, pem_password_setup(), purge_user_pass(), and strncpynt().

Referenced by tls_ctx_load_pkcs12(), and tls_ctx_set_options().

◆ pem_password_setup()

void pem_password_setup ( const char *  auth_file)

◆ print_key_id()

static const char* print_key_id ( struct tls_multi *multi,
struct gc_arena *gc 
)
static

◆ protocol_dump()

const char* protocol_dump ( struct buffer *buffer,
unsigned int  flags,
struct gc_arena *gc 
)

◆ push_peer_info()

static bool push_peer_info ( struct buffer *buf,
struct tls_session *session 
)
static

◆ random_bytes_to_buf()

static bool random_bytes_to_buf ( struct buffer *buf,
uint8_t *out,
int  outlen 
)
static

Definition at line 2041 of file ssl.c.

References buf_write(), M_FATAL, msg, and rand_bytes().

Referenced by key_source2_randomize_write().

◆ read_control_auth()

static bool read_control_auth ( struct buffer *buf,
struct tls_wrap_ctx *ctx,
const struct link_socket_actual *from,
const struct tls_options *opt 
)
static

◆ read_string()

static bool read_string ( struct buffer *buf,
char *  str,
const unsigned int  capacity 
)
static

Definition at line 2192 of file ssl.c.

References buf_read(), and buf_read_u16().

Referenced by key_method_2_read().

◆ read_string_alloc()

static char* read_string_alloc ( struct buffer *buf)
static

Definition at line 2208 of file ssl.c.

References buf_read(), buf_read_u16(), check_malloc_return(), free, and malloc.

Referenced by key_method_2_read().

◆ reset_session()

static void reset_session ( struct tls_multi *multi,
struct tls_session *session 
)
static

Definition at line 1198 of file ssl.c.

References tls_session_free(), and tls_session_init().

Referenced by tls_multi_process().

◆ session_index_name()

static const char* session_index_name ( int  index)
static

Definition at line 816 of file ssl.c.

References TM_ACTIVE, TM_LAME_DUCK, and TM_UNTRUSTED.

Referenced by move_session().

◆ show_available_tls_ciphers()

void show_available_tls_ciphers ( const char *  cipher_list,
const char *  cipher_list_tls13,
const char *  tls_cert_profile 
)

Definition at line 4179 of file ssl.c.

References show_available_tls_ciphers_list().

Referenced by print_openssl_info().

◆ ssl_clean_auth_token()

bool ssl_clean_auth_token ( void  )

Definition at line 466 of file ssl.c.

References auth_token, user_pass::defined, and purge_user_pass().

Referenced by receive_auth_failed().

◆ ssl_purge_auth()

void ssl_purge_auth ( const bool  auth_user_pass_only)

◆ ssl_purge_auth_challenge()

void ssl_purge_auth_challenge ( void  )

Definition at line 495 of file ssl.c.

References auth_challenge, and free.

Referenced by ssl_purge_auth(), and ssl_put_auth_challenge().

◆ ssl_put_auth_challenge()

void ssl_put_auth_challenge ( const char *  cr_str)

Definition at line 502 of file ssl.c.

References auth_challenge, ssl_purge_auth_challenge(), and string_alloc().

Referenced by receive_auth_failed().

◆ ssl_set_auth_nocache()

void ssl_set_auth_nocache ( void  )

Definition at line 445 of file ssl.c.

References auth_user_pass, user_pass::nocache, passbuf, and user_pass::wait_for_push.

Referenced by add_option().

◆ ssl_set_auth_token()

void ssl_set_auth_token ( const char *  token)

Definition at line 457 of file ssl.c.

References auth_token, auth_user_pass, and set_auth_token().

Referenced by add_option().

◆ state_name()

static const char* state_name ( int  state)
static

◆ swap_hmac()

static bool swap_hmac ( struct buffer *buf,
const struct crypto_options *co,
bool  incoming 
)
static

◆ tls1_P_hash()

static void tls1_P_hash ( const md_kt_t *md_kt,
const uint8_t *sec,
int  sec_len,
const uint8_t *seed,
int  seed_len,
uint8_t *out,
int  olen 
)
static

◆ tls1_PRF()

static void tls1_PRF ( const uint8_t *label,
int  label_len,
const uint8_t *sec,
int  slen,
uint8_t *out1,
int  olen 
)
static

◆ tls_adjust_frame_parameters()

void tls_adjust_frame_parameters ( struct frame *frame)

Definition at line 315 of file ssl.c.

References frame_add_to_extra_frame().

Referenced by do_init_crypto_tls(), and tls_init_control_channel_frame_parameters().

◆ tls_check_ncp_cipher_list()

bool tls_check_ncp_cipher_list ( const char *  list)

Check whether the ciphers in the supplied list are supported.

Parameters
list	Colon-separated list of ciphers
Returns
true iff all ciphers in list are supported.

Definition at line 4156 of file ssl.c.

References ASSERT, cipher_kt_get(), free, M_WARN, msg, string_alloc(), and translate_cipher_name_from_openvpn().

Referenced by options_postprocess_verify_ce().

◆ tls_ctx_reload_crl()

static void tls_ctx_reload_crl ( struct tls_root_ctx *ssl_ctx,
const char *  crl_file,
const char *  crl_file_inline 
)
static

Load (or possibly reload) the CRL file into the SSL context.

No reload is performed under the following conditions:

  • the CRL file was passed inline
  • the CRL file was not modified since the last (re)load
Parameters
ssl_ctx	The TLS context to use when reloading the CRL
crl_file	The file name to load the CRL from, or "[[INLINE]]" in the case of inline files.
crl_inline	A string containing the CRL

Definition at line 557 of file ssl.c.

References backend_tls_ctx_reload_crl(), tls_root_ctx::crl_last_mtime, tls_root_ctx::crl_last_size, M_WARN, msg, and platform_stat().

Referenced by init_ssl(), and tls_process().

◆ tls_get_cipher_name_pair()

const tls_cipher_name_pair* tls_get_cipher_name_pair ( const char *  cipher_name,
size_t  len 
)

◆ tls_init_control_channel_frame_parameters()

static void tls_init_control_channel_frame_parameters ( const struct frame *data_channel_frame,
struct frame *frame 
)
static

◆ tls_item_in_cipher_list()

bool tls_item_in_cipher_list ( const char *  item,
const char *  list 
)

Return true iff item is present in the colon-separated zero-terminated cipher list.

Definition at line 1923 of file ssl.c.

References free, and string_alloc().

Referenced by tls_poor_mans_ncp(), and tls_session_update_crypto_params().

◆ tls_limit_reneg_bytes()

static void tls_limit_reneg_bytes ( const cipher_kt_t *cipher,
int *  reneg_bytes 
)
static

Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.

Parameters
cipher	The current cipher (may be NULL).
reneg_bytes	Pointer to the current reneg_bytes, updated if needed. May not be NULL.

Definition at line 295 of file ssl.c.

References cipher_kt_insecure(), M_WARN, and msg.

Referenced by tls_session_generate_data_channel_keys().

◆ tls_multi_process()

int tls_multi_process ( struct tls_multi *multi,
struct buffer *to_link,
struct link_socket_actual **  to_link_addr,
struct link_socket_info *to_link_socket_info,
interval_t *wakeup 
)

◆ tls_peer_info_ncp_ver()

int tls_peer_info_ncp_ver ( const char *  peer_info)

Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified.

Definition at line 4140 of file ssl.c.

Referenced by key_method_2_read(), and prepare_push_reply().

◆ tls_poor_mans_ncp()

void tls_poor_mans_ncp ( struct options *o,
const char *  remote_ciphername 
)

"Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.

Allows non-NCP peers to upgrade their cipher individually.

Make sure to call tls_session_update_crypto_params() after calling this function.

Definition at line 1943 of file ssl.c.

References options::ciphername, D_TLS_DEBUG_LOW, options::gc, msg, options::ncp_ciphers, options::ncp_enabled, string_alloc(), and tls_item_in_cipher_list().

Referenced by do_deferred_options(), and prepare_push_reply().

◆ tls_process()

static bool tls_process ( struct tls_multi *multi,
struct tls_session *session,
struct buffer *to_link,
struct link_socket_actual **  to_link_addr,
struct link_socket_info *to_link_socket_info,
interval_t *wakeup 
)
static

Definition at line 2754 of file ssl.c.

References key_state::ack_write_buf, ASSERT, key_state::auth_deferred_expire, auth_deferred_expire_window(), buf_init, check_debug_level(), tls_session::common_name, compute_earliest_wakeup(), CONTROL_SEND_ACK_MAX, counter_format, tls_options::crl_file, tls_options::crl_file_inline, key_state::crypto_options, D_HANDSHAKE, D_TLS_DEBUG, D_TLS_DEBUG_LOW, D_TLS_DEBUG_MED, D_TLS_ERRORS, dmsg, tls_options::es, key_state::established, flush_payload_buffer(), tls_options::frame, FRAME_HEADROOM, FULL_SYNC, gc_free(), gc_new(), tls_options::handshake_window, INCR_ERROR, INCR_GENERATED, INCR_SENT, INCR_SUCCESS, key_state::initial_opcode, tls_session::key, tls_options::key_method, key_method_1_read(), key_method_1_write(), key_method_2_read(), key_method_2_write(), key_state_free(), key_state_read_ciphertext(), key_state_read_plaintext(), key_state_soft_reset(), key_state_write_ciphertext(), key_state_write_plaintext(), KS_LAME_DUCK, KS_PRIMARY, key_state::ks_ssl, lame_duck_must_die(), buffer::len, link_socket_set_outgoing_addr(), management_set_state(), msg, key_state::must_negotiate, key_state::n_bytes, key_state::n_packets, now, OPENVPN_STATE_WAIT, tls_session::opt, tls_multi::opt, P_ACK_V1, P_CONTROL_SOFT_RESET_V1, P_CONTROL_V1, crypto_options::packet_id, packet_id_close_to_wrapping(), PAYLOAD_SIZE_DYNAMIC, key_state::plaintext_read_buf, key_state::plaintext_write_buf, print_details(), key_state::rec_ack, key_state::rec_reliable, reliable_ack_empty(), RELIABLE_ACK_SIZE, reliable_can_send(), reliable_get_buf_output_sequenced(), reliable_get_buf_sequenced(), reliable_mark_active_outgoing(), reliable_mark_deleted(), reliable_send(), reliable_send_timeout(), key_state::remote_addr, tls_options::renegotiate_bytes, tls_options::renegotiate_packets, tls_options::renegotiate_seconds, S_ACTIVE, S_ERROR, S_GOT_KEY, S_INITIAL, S_NORMAL_OP, S_PRE_START, S_SENT_KEY, S_START, S_UNDEF, packet_id::send, key_state::send_reliable, tls_options::server, tls_session::session_id, 
session_id_defined(), session_id_print(), tls_options::ssl_ctx, tls_options::ssl_flags, SSLF_CRL_VERIFY_DIR, key_state::state, state_name(), status, TLS_CHANNEL_BUF_SIZE, tls_clear_error(), tls_ctx_reload_crl(), tls_x509_clear_env(), update_time(), and write_control_auth().

Referenced by tls_multi_process().

◆ tls_rec_payload()

bool tls_rec_payload ( struct tls_multi *multi,
struct buffer *buf 
)

◆ tls_send_payload()

bool tls_send_payload ( struct tls_multi *multi,
const uint8_t *data,
int  size 
)

◆ tls_session_generate_data_channel_keys()

static bool tls_session_generate_data_channel_keys ( struct tls_session *session)
static

◆ tls_session_update_crypto_params()

bool tls_session_update_crypto_params ( struct tls_session *session,
struct options *options,
struct frame *frame 
)

Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supplied options.

Parameters
session	The TLS session to update.
options	The options to use when updating session.
frame	The frame options for this session (frame overhead is adjusted based on the selected cipher/auth).
Returns
true if updating succeeded, false otherwise.

Definition at line 1992 of file ssl.c.

References options::authname, options::ce, key_type::cipher, cipher_kt_mode_ofb_cfb(), options::ciphername, CO_PACKET_ID_LONG_FORM, tls_options::config_ciphername, crypto_adjust_frame_parameters(), tls_options::crypto_flags, crypto_max_overhead(), D_HANDSHAKE, D_MTU_INFO, D_TLS_ERRORS, frame_finalize(), frame_init_mssfix(), frame_print(), frame_remove_from_extra_frame(), init_key_type(), tls_options::key_type, options::keysize, connection_entry::link_mtu, connection_entry::link_mtu_defined, msg, options::ncp_ciphers, tls_session::opt, options::replay, tls_options::server, tls_item_in_cipher_list(), tls_session_generate_data_channel_keys(), connection_entry::tun_mtu, and connection_entry::tun_mtu_defined.

Referenced by do_deferred_options(), and incoming_push_message().

◆ tls_session_user_pass_enabled()

static bool tls_session_user_pass_enabled ( struct tls_session *session)
inline, static

Returns whether or not the server should check for username/password.

Parameters
session	The current TLS session
Returns
true if username and password verification is enabled, false if not.

Definition at line 1041 of file ssl.c.

References tls_options::auth_user_pass_verify_script, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, tls_session::opt, plugin_defined(), and tls_options::plugins.

Referenced by key_method_2_read().

◆ tls_update_remote_addr()

void tls_update_remote_addr ( struct tls_multi *multi,
const struct link_socket_actual *addr 
)

Updates remote address in TLS sessions.

Parameters
multi	Tunnel to update
addr	New address

Definition at line 4110 of file ssl.c.

References D_TLS_KEYSELECT, dmsg, gc_free(), gc_new(), tls_session::key, KS_SIZE, link_socket_actual_defined(), link_socket_actual_match(), print_link_socket_actual(), key_state::remote_addr, tls_multi::session, and TM_SIZE.

Referenced by multi_process_float().

◆ tls_version_parse()

int tls_version_parse ( const char *  vstr,
const char *  extra 
)

Definition at line 516 of file ssl.c.

References TLS_VER_1_0, TLS_VER_1_1, TLS_VER_1_2, TLS_VER_1_3, TLS_VER_BAD, and tls_version_max().

Referenced by add_option().

◆ write_control_auth()

static void write_control_auth ( struct tls_session *session,
struct key_state *ks,
struct buffer *buf,
struct link_socket_actual **  to_link_addr,
int  opcode,
int  max_ack,
bool  prepend_ack 
)
static

◆ write_empty_string()

static bool write_empty_string ( struct buffer *buf)
static

Definition at line 2163 of file ssl.c.

References buf_write_u16().

Referenced by key_method_2_write(), and push_peer_info().

◆ write_string()

static bool write_string ( struct buffer *buf,
const char *  str,
const int  maxlen 
)
static

Definition at line 2173 of file ssl.c.

References buf_write(), and buf_write_u16().

Referenced by key_method_2_write(), and push_peer_info().

Variable Documentation

◆ auth_challenge

char* auth_challenge
static

◆ auth_token

struct user_pass auth_token
static

◆ auth_user_pass

struct user_pass auth_user_pass
static

◆ auth_user_pass_enabled

bool auth_user_pass_enabled
static

Definition at line 399 of file ssl.c.

Referenced by auth_user_pass_setup(), and key_method_2_write().

◆ passbuf

struct user_pass passbuf
static

◆ tls_cipher_name_translation_table

const tls_cipher_name_pair tls_cipher_name_translation_table[]
static

SSL/TLS Cipher suite name translation table.

Definition at line 111 of file ssl.c.

Referenced by tls_get_cipher_name_pair().