OpenVPN
ssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
30 /*
31  * The routines in this file deal with dynamically negotiating
32  * the data channel HMAC and cipher keys through a TLS session.
33  *
34  * Both the TLS session and the data channel are multiplexed
35  * over the same TCP/UDP port.
36  */
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #elif defined(_MSC_VER)
40 #include "config-msvc.h"
41 #endif
42 
43 #include "syshead.h"
44 #include "win32.h"
45 
46 #include "error.h"
47 #include "common.h"
48 #include "socket.h"
49 #include "misc.h"
50 #include "fdmisc.h"
51 #include "interval.h"
52 #include "perf.h"
53 #include "status.h"
54 #include "gremlin.h"
55 #include "pkcs11.h"
56 #include "route.h"
57 #include "tls_crypt.h"
58 
59 #include "ssl.h"
60 #include "ssl_verify.h"
61 #include "ssl_backend.h"
62 #include "ssl_ncp.h"
63 #include "auth_token.h"
64 
65 #include "memdbg.h"
66 
67 #ifdef MEASURE_TLS_HANDSHAKE_STATS
68 
69 static int tls_handshake_success; /* GLOBAL */
70 static int tls_handshake_error; /* GLOBAL */
71 static int tls_packets_generated; /* GLOBAL */
72 static int tls_packets_sent; /* GLOBAL */
73 
74 #define INCR_SENT ++tls_packets_sent
75 #define INCR_GENERATED ++tls_packets_generated
76 #define INCR_SUCCESS ++tls_handshake_success
77 #define INCR_ERROR ++tls_handshake_error
78 
79 void
80 show_tls_performance_stats(void)
81 {
82  msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
83  (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
84  tls_handshake_success, tls_handshake_error,
85  (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
86 }
87 #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
88 
89 #define INCR_SENT
90 #define INCR_GENERATED
91 #define INCR_SUCCESS
92 #define INCR_ERROR
93 
94 #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
95 
100  {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
101  {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
102  {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
103  {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
104  {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
105  {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
106  {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
107  {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
108  {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
109  {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
110  {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
111  {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
112  {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
113  {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
114  {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
115  {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
116  {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
117  {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
118  {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
119  {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
120  {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
121  {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
122  {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
123  {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
124  {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
125  {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
126  {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
127  {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
128  {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
129  {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
130  {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
131  {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
132  {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
133  {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
134  {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
135  {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
136  {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
137  {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
138  {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
139  {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
140  {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
141  {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
142  {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
143  {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
144  {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
145  {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
146  {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
147  {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
148  {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
149  {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
150  {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
151  {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
152  {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
153  {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
154  {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
155  {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
156  {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
157  {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
158  {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
159  {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
160  {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
161  {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
162  {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
163  {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
164  {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
165  {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
166  {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
167  {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
168  {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
169  {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
170  {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
171  {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
172  {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
173  {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
174  {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
175  {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
176  {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
177  {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
178  {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
179  {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
180  {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
181  {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
182  {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
183  {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
184  {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
185  {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
186  {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
187  {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
188  {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
189  {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
190  {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
191  {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
192  {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
193  {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
194  {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
195  {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
196  {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
197  {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
198  {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
199  {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
200  {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
201  {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
202  {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
203  {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
204  {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
205  {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
206  {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
207  {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
208  {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
209  {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
210  {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
211  {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
212  {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
213  {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
214  {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
215  {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
216  {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
217  {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
218  {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
219  {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
220  {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
221  {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
222  {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
223  {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
224 #ifdef ENABLE_CRYPTO_OPENSSL
225  /* OpenSSL-specific group names */
226  {"DEFAULT", "DEFAULT"},
227  {"ALL", "ALL"},
228  {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
229  {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
230  {"LOW", "LOW"}, {"!LOW", "!LOW"},
231  {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
232  {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
233  {"EDH", "EDH"}, {"!EDH", "!EDH"},
234  {"EXP", "EXP"}, {"!EXP", "!EXP"},
235  {"RSA", "RSA"}, {"!RSA", "!RSA"},
236  {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
237  {"SRP", "SRP"}, {"!SRP", "!SRP"},
238 #endif
239  {NULL, NULL}
240 };
241 
253 static void
254 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
255 
256 const tls_cipher_name_pair *
257 tls_get_cipher_name_pair(const char *cipher_name, size_t len)
258 {
260 
261  while (pair->openssl_name != NULL)
262  {
263  if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
264  || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
265  {
266  return pair;
267  }
268  pair++;
269  }
270 
271  /* No entry found, return NULL */
272  return NULL;
273 }
274 
282 static void
283 tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
284 {
285  if (cipher && cipher_kt_insecure(cipher))
286  {
287  if (*reneg_bytes == -1) /* Not user-specified */
288  {
289  msg(M_WARN, "WARNING: cipher with small block size in use, "
290  "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
291  *reneg_bytes = 64 * 1024 * 1024;
292  }
293  }
294 }
295 
296 /*
297  * Max number of bytes we will add
298  * for data structures common to both
299  * data and control channel packets.
300  * (opcode only).
301  */
302 void
304 {
305  frame_add_to_extra_frame(frame, 1); /* space for opcode */
306 }
307 
308 /*
309  * Max number of bytes we will add
310  * to control channel packet.
311  */
312 static void
313 tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
314  struct frame *frame)
315 {
316  /*
317  * frame->extra_frame is already initialized with tls_auth buffer requirements,
318  * if --tls-auth is enabled.
319  */
320 
321  /* inherit link MTU and extra_link from data channel */
322  frame->link_mtu = data_channel_frame->link_mtu;
323  frame->extra_link = data_channel_frame->extra_link;
324 
325  /* set extra_frame */
329 
330  /* set dynamic link MTU to cap control channel packets at 1250 bytes */
331  ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
332  frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
333 }
334 
335 void
337 {
338  tls_init_lib();
339 
340  crypto_init_lib();
341 }
342 
343 void
345 {
347  prng_uninit();
348 
349  tls_free_lib();
350 }
351 
352 /*
353  * OpenSSL library calls pem_password_callback if the
354  * private key is protected by a password.
355  */
356 
357 static struct user_pass passbuf; /* GLOBAL */
358 
359 void
360 pem_password_setup(const char *auth_file)
361 {
362  if (!strlen(passbuf.password))
363  {
365  }
366 }
367 
368 int
369 pem_password_callback(char *buf, int size, int rwflag, void *u)
370 {
371  if (buf)
372  {
373  /* prompt for password even if --askpass wasn't specified */
374  pem_password_setup(NULL);
375  strncpynt(buf, passbuf.password, size);
376  purge_user_pass(&passbuf, false);
377 
378  return strlen(buf);
379  }
380  return 0;
381 }
382 
383 /*
384  * Auth username/password handling
385  */
386 
387 static bool auth_user_pass_enabled; /* GLOBAL */
388 static struct user_pass auth_user_pass; /* GLOBAL */
389 static struct user_pass auth_token; /* GLOBAL */
390 
391 #ifdef ENABLE_MANAGEMENT
392 static char *auth_challenge; /* GLOBAL */
393 #endif
394 
395 void
396 auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
397 {
398  auth_user_pass_enabled = true;
400  {
401 #ifdef ENABLE_MANAGEMENT
402  if (auth_challenge) /* dynamic challenge/response */
403  {
405  auth_file,
406  UP_TYPE_AUTH,
408  auth_challenge);
409  }
410  else if (sci) /* static challenge response */
411  {
413  if (sci->flags & SC_ECHO)
414  {
416  }
418  auth_file,
419  UP_TYPE_AUTH,
420  flags,
421  sci->challenge_text);
422  }
423  else
424 #endif /* ifdef ENABLE_MANAGEMENT */
426  }
427 }
428 
429 /*
430  * Disable password caching
431  */
432 void
434 {
435  passbuf.nocache = true;
436  auth_user_pass.nocache = true;
437  /* wait for push-reply, because auth-token may still need the username */
439 }
440 
441 /*
442  * Set an authentication token
443  */
444 void
445 ssl_set_auth_token(const char *token)
446 {
448 }
449 
450 /*
451  * Cleans an auth token and checks if it was active
452  */
453 bool
455 {
456  bool wasdefined = auth_token.defined;
457  purge_user_pass(&auth_token, true);
458  return wasdefined;
459 }
460 
461 /*
462  * Forget private key password AND auth-user-pass username/password.
463  */
464 void
465 ssl_purge_auth(const bool auth_user_pass_only)
466 {
467  if (!auth_user_pass_only)
468  {
469 #ifdef ENABLE_PKCS11
470  pkcs11_logout();
471 #endif
472  purge_user_pass(&passbuf, true);
473  }
475 #ifdef ENABLE_MANAGEMENT
477 #endif
478 }
479 
480 #ifdef ENABLE_MANAGEMENT
481 
482 void
484 {
485  free(auth_challenge);
486  auth_challenge = NULL;
487 }
488 
489 void
490 ssl_put_auth_challenge(const char *cr_str)
491 {
493  auth_challenge = string_alloc(cr_str, NULL);
494 }
495 
496 #endif
497 
498 /*
499  * Parse a TLS version string, returning a TLS_VER_x constant.
500  * If version string is not recognized and extra == "or-highest",
501  * return tls_version_max().
502  */
503 int
504 tls_version_parse(const char *vstr, const char *extra)
505 {
506  const int max_version = tls_version_max();
507  if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
508  {
509  return TLS_VER_1_0;
510  }
511  else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
512  {
513  return TLS_VER_1_1;
514  }
515  else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
516  {
517  return TLS_VER_1_2;
518  }
519  else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
520  {
521  return TLS_VER_1_3;
522  }
523  else if (extra && !strcmp(extra, "or-highest"))
524  {
525  return max_version;
526  }
527  else
528  {
529  return TLS_VER_BAD;
530  }
531 }
532 
544 static void
545 tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
546  bool crl_file_inline)
547 {
548  /* if something goes wrong with stat(), we'll store 0 as mtime */
549  platform_stat_t crl_stat = {0};
550 
551  /*
552  * an inline CRL can't change at runtime, therefore there is no need to
553  * reload it. It will be reloaded upon config change + SIGHUP.
554  * Use always '1' as dummy timestamp in this case: it will trigger the
555  * first load, but will prevent any future reload.
556  */
557  if (crl_file_inline)
558  {
559  crl_stat.st_mtime = 1;
560  }
561  else if (platform_stat(crl_file, &crl_stat) < 0)
562  {
563  msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL.");
564  return;
565  }
566 
567  /*
568  * Store the CRL if this is the first time or if the file was changed since
569  * the last load.
570  * Note: Windows does not support tv_nsec.
571  */
572  if ((ssl_ctx->crl_last_size == crl_stat.st_size)
573  && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
574  {
575  return;
576  }
577 
578  ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
579  ssl_ctx->crl_last_size = crl_stat.st_size;
580  backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
581 }
582 
583 /*
584  * Initialize SSL context.
585  * All files are in PEM format.
586  */
587 void
588 init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
589 {
590  ASSERT(NULL != new_ctx);
591 
592  tls_clear_error();
593 
594  if (options->tls_server)
595  {
596  tls_ctx_server_new(new_ctx);
597 
598  if (options->dh_file)
599  {
600  tls_ctx_load_dh_params(new_ctx, options->dh_file,
601  options->dh_file_inline);
602  }
603  }
604  else /* if client */
605  {
606  tls_ctx_client_new(new_ctx);
607  }
608 
609  /* Restrict allowed certificate crypto algorithms */
610  tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
611 
612  /* Allowable ciphers */
613  /* Since @SECLEVEL also influences loading of certificates, set the
614  * cipher restrictions before loading certificates */
615  tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
617 
618  /* Set the allow groups/curves for TLS if we want to override them */
619  if (options->tls_groups)
620  {
621  tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
622  }
623 
624  if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
625  {
626  goto err;
627  }
628 
629  if (options->pkcs12_file)
630  {
631  if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
632  options->pkcs12_file_inline, !options->ca_file))
633  {
634  goto err;
635  }
636  }
637 #ifdef ENABLE_PKCS11
638  else if (options->pkcs11_providers[0])
639  {
640  if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
641  {
642  msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
643  options->pkcs11_id);
644  goto err;
645  }
646  }
647 #endif
648 #ifdef ENABLE_CRYPTOAPI
649  else if (options->cryptoapi_cert)
650  {
651  tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
652  }
653 #endif
654 #ifdef ENABLE_MANAGEMENT
655  else if (options->management_flags & MF_EXTERNAL_CERT)
656  {
657  char *cert = management_query_cert(management,
658  options->management_certificate);
659  tls_ctx_load_cert_file(new_ctx, cert, true);
660  free(cert);
661  }
662 #endif
663  else if (options->cert_file)
664  {
665  tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
666  }
667 
668  if (options->priv_key_file)
669  {
670  if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
671  options->priv_key_file_inline))
672  {
673  goto err;
674  }
675  }
676 #ifdef ENABLE_MANAGEMENT
677  else if (options->management_flags & MF_EXTERNAL_KEY)
678  {
680  {
681  msg(M_WARN, "Cannot initialize mamagement-external-key");
682  goto err;
683  }
684  }
685 #endif
686 
687  if (options->ca_file || options->ca_path)
688  {
689  tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
690  options->ca_path, options->tls_server);
691  }
692 
693  /* Load extra certificates that are part of our own certificate
694  * chain but shouldn't be included in the verify chain */
695  if (options->extra_certs_file)
696  {
698  }
699 
700  /* Check certificate notBefore and notAfter */
701  tls_ctx_check_cert_time(new_ctx);
702 
703  /* Read CRL */
704  if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
705  {
706  tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
707  }
708 
709  /* Once keys and cert are loaded, load ECDH parameters */
710  if (options->tls_server)
711  {
712  tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
713  }
714 
715 #ifdef ENABLE_CRYPTO_MBEDTLS
716  /* Personalise the random by mixing in the certificate */
717  tls_ctx_personalise_random(new_ctx);
718 #endif
719 
720  tls_clear_error();
721  return;
722 
723 err:
724  tls_clear_error();
725  tls_ctx_free(new_ctx);
726  return;
727 }
728 
729 /*
730  * Map internal constants to ascii names.
731  */
732 static const char *
733 state_name(int state)
734 {
735  switch (state)
736  {
737  case S_UNDEF:
738  return "S_UNDEF";
739 
740  case S_INITIAL:
741  return "S_INITIAL";
742 
743  case S_PRE_START:
744  return "S_PRE_START";
745 
746  case S_START:
747  return "S_START";
748 
749  case S_SENT_KEY:
750  return "S_SENT_KEY";
751 
752  case S_GOT_KEY:
753  return "S_GOT_KEY";
754 
755  case S_ACTIVE:
756  return "S_ACTIVE";
757 
758  case S_ERROR:
759  return "S_ERROR";
760 
761  default:
762  return "S_???";
763  }
764 }
765 
766 static const char *
768 {
769  switch (op)
770  {
772  return "P_CONTROL_HARD_RESET_CLIENT_V1";
773 
775  return "P_CONTROL_HARD_RESET_SERVER_V1";
776 
778  return "P_CONTROL_HARD_RESET_CLIENT_V2";
779 
781  return "P_CONTROL_HARD_RESET_SERVER_V2";
782 
784  return "P_CONTROL_HARD_RESET_CLIENT_V3";
785 
787  return "P_CONTROL_SOFT_RESET_V1";
788 
789  case P_CONTROL_V1:
790  return "P_CONTROL_V1";
791 
792  case P_ACK_V1:
793  return "P_ACK_V1";
794 
795  case P_DATA_V1:
796  return "P_DATA_V1";
797 
798  case P_DATA_V2:
799  return "P_DATA_V2";
800 
801  default:
802  return "P_???";
803  }
804 }
805 
806 static const char *
808 {
809  switch (index)
810  {
811  case TM_ACTIVE:
812  return "TM_ACTIVE";
813 
814  case TM_UNTRUSTED:
815  return "TM_UNTRUSTED";
816 
817  case TM_LAME_DUCK:
818  return "TM_LAME_DUCK";
819 
820  default:
821  return "TM_???";
822  }
823 }
824 
825 /*
826  * For debugging.
827  */
828 static const char *
829 print_key_id(struct tls_multi *multi, struct gc_arena *gc)
830 {
831  struct buffer out = alloc_buf_gc(256, gc);
832 
833  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
834  {
835  struct key_state *ks = multi->key_scan[i];
836  buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i,
837  state_name(ks->state), ks->key_id,
839  }
840 
841  return BSTR(&out);
842 }
843 
844 bool
846 {
849  {
850  return true;
851  }
852 
853  return false;
854 }
855 
879 static void
881 {
882  update_time();
883 
884  CLEAR(*ks);
885 
886  /*
887  * Build TLS object that reads/writes ciphertext
888  * to/from memory BIOs.
889  */
890  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
891  session);
892 
893  /* Set control-channel initiation mode */
894  ks->initial_opcode = session->initial_opcode;
896  ks->state = S_INITIAL;
897  ks->key_id = session->key_id;
898 
899  /*
900  * key_id increments to KEY_ID_MASK then recycles back to 1.
901  * This way you know that if key_id is 0, it is the first key.
902  */
903  ++session->key_id;
904  session->key_id &= P_KEY_ID_MASK;
905  if (!session->key_id)
906  {
907  session->key_id = 1;
908  }
909 
910  /* allocate key source material object */
911  ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
912 
913  /* allocate reliability objects */
916  ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
917 
918  /* allocate buffers */
921  ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
922  reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
924  ks->key_id ? false : session->opt->xmit_hold);
925  reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
927  false);
929 
930  /* init packet ID tracker */
931  if (session->opt->replay)
932  {
934  session->opt->replay_window, session->opt->replay_time, "SSL",
935  ks->key_id);
936  }
937 
938  ks->crypto_options.pid_persist = NULL;
939 
940 #ifdef MANAGEMENT_DEF_AUTH
941  ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
942 #endif
943 }
944 
945 
959 static void
960 key_state_free(struct key_state *ks, bool clear)
961 {
962  ks->state = S_UNDEF;
963 
965 
969  free_buf(&ks->ack_write_buf);
971 
972  if (ks->send_reliable)
973  {
975  free(ks->send_reliable);
976  }
977 
978  if (ks->rec_reliable)
979  {
981  free(ks->rec_reliable);
982  }
983 
984  if (ks->rec_ack)
985  {
986  free(ks->rec_ack);
987  }
988 
989  if (ks->key_src)
990  {
991  free(ks->key_src);
992  }
993 
995 
996 #ifdef PLUGIN_DEF_AUTH
998 #endif
999 
1000  if (clear)
1001  {
1002  secure_memzero(ks, sizeof(*ks));
1003  }
1004 }
1005 
1019 static inline bool
1021 {
1022  return (session->opt->auth_user_pass_verify_script
1024 #ifdef MANAGEMENT_DEF_AUTH
1025  || management_enable_def_auth(management)
1026 #endif
1027  );
1028 }
1029 
1030 
1051 static void
1053 {
1054  struct gc_arena gc = gc_new();
1055 
1056  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
1057 
1058  CLEAR(*session);
1059 
1060  /* Set options data to point to parent's option structure */
1061  session->opt = &multi->opt;
1062 
1063  /* Randomize session # if it is 0 */
1064  while (!session_id_defined(&session->session_id))
1065  {
1066  session_id_random(&session->session_id);
1067  }
1068 
1069  /* Are we a TLS server or client? */
1070  if (session->opt->server)
1071  {
1073  }
1074  else
1075  {
1076  session->initial_opcode = session->opt->tls_crypt_v2 ?
1078  }
1079 
1080  /* Initialize control channel authentication parameters */
1081  session->tls_wrap = session->opt->tls_wrap;
1082  session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1083 
1084  /* initialize packet ID replay window for --tls-auth */
1086  session->opt->replay_window,
1087  session->opt->replay_time,
1088  "TLS_WRAP", session->key_id);
1089 
1090  /* load most recent packet-id to replay protect on --tls-auth */
1092  &session->tls_wrap.opt.packet_id);
1093 
1094  key_state_init(session, &session->key[KS_PRIMARY]);
1095 
1096  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1097  session_id_print(&session->session_id, &gc));
1098 
1099  gc_free(&gc);
1100 }
1101 
1114 static void
1116 {
1117  tls_wrap_free(&session->tls_wrap);
1118 
1119  for (size_t i = 0; i < KS_SIZE; ++i)
1120  {
1121  key_state_free(&session->key[i], false);
1122  }
1123 
1124  if (session->common_name)
1125  {
1126  free(session->common_name);
1127  }
1128 
1129  cert_hash_free(session->cert_hash_set);
1130 
1131  if (clear)
1132  {
1133  secure_memzero(session, sizeof(*session));
1134  }
1135 }
1136 
1142 static void
1143 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1144 {
1145  msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1146  session_index_name(dest),
1147  session_index_name(src),
1148  reinit_src);
1149  ASSERT(src != dest);
1150  ASSERT(src >= 0 && src < TM_SIZE);
1151  ASSERT(dest >= 0 && dest < TM_SIZE);
1152  tls_session_free(&multi->session[dest], false);
1153  multi->session[dest] = multi->session[src];
1154 
1155  if (reinit_src)
1156  {
1157  tls_session_init(multi, &multi->session[src]);
1158  }
1159  else
1160  {
1161  secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1162  }
1163 
1164  dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1165 }
1166 
1167 static void
1169 {
1170  tls_session_free(session, false);
1171  tls_session_init(multi, session);
1172 }
1173 
1174 /*
1175  * Used to determine in how many seconds we should be
1176  * called again.
1177  */
1178 static inline void
1179 compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1180 {
1181  if (seconds_from_now < *earliest)
1182  {
1183  *earliest = seconds_from_now;
1184  }
1185  if (*earliest < 0)
1186  {
1187  *earliest = 0;
1188  }
1189 }
1190 
1191 /*
1192  * Return true if "lame duck" or retiring key has expired and can
1193  * no longer be used.
1194  */
1195 static inline bool
1197 {
1198  const struct key_state *lame = &session->key[KS_LAME_DUCK];
1199  if (lame->state >= S_INITIAL)
1200  {
1201  ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1202  if (now < lame->must_die)
1203  {
1204  compute_earliest_wakeup(wakeup, lame->must_die - now);
1205  return false;
1206  }
1207  else
1208  {
1209  return true;
1210  }
1211  }
1212  else if (lame->state == S_ERROR)
1213  {
1214  return true;
1215  }
1216  else
1217  {
1218  return false;
1219  }
1220 }
1221 
1222 struct tls_multi *
1224 {
1225  struct tls_multi *ret;
1226 
1227  ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1228 
1229  /* get command line derived options */
1230  ret->opt = *tls_options;
1231 
1232  /* set up list of keys to be scanned by data channel encrypt and decrypt routines */
1233  ASSERT(SIZE(ret->key_scan) == 3);
1234  ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY];
1235  ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK];
1236  ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
1237 
1238  /* By default not use P_DATA_V2 */
1239  ret->use_peer_id = false;
1240 
1241  return ret;
1242 }
1243 
1244 void
1245 tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
1246 {
1248 
1249  /* initialize the active and untrusted sessions */
1250 
1251  tls_session_init(multi, &multi->session[TM_ACTIVE]);
1252 
1253  if (!multi->opt.single_session)
1254  {
1255  tls_session_init(multi, &multi->session[TM_UNTRUSTED]);
1256  }
1257 }
1258 
1259 /*
1260  * Initialize and finalize a standalone tls-auth verification object.
1261  */
1262 
1263 struct tls_auth_standalone *
1265  struct gc_arena *gc)
1266 {
1267  struct tls_auth_standalone *tas;
1268 
1269  ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1270 
1271  tas->tls_wrap = tls_options->tls_wrap;
1272 
1273  /*
1274  * Standalone tls-auth is in read-only mode with respect to TLS
1275  * control channel state. After we build a new client instance
1276  * object, we will process this session-initiating packet for real.
1277  */
1279 
1280  /* get initial frame parms, still need to finalize */
1281  tas->frame = tls_options->frame;
1282 
1283  return tas;
1284 }
1285 
1286 void
1288  const struct frame *frame)
1289 {
1291 }
1292 
1293 /*
1294  * Set local and remote option compatibility strings.
1295  * Used to verify compatibility of local and remote option
1296  * sets.
1297  */
1298 void
1300  const char *local,
1301  const char *remote)
1302 {
1303  /* initialize options string */
1304  multi->opt.local_options = local;
1305  multi->opt.remote_options = remote;
1306 }
1307 
1308 /*
1309  * Cleanup a tls_multi structure and free associated memory allocations.
1310  */
1311 void
1312 tls_multi_free(struct tls_multi *multi, bool clear)
1313 {
1314  ASSERT(multi);
1315 
1316  auth_set_client_reason(multi, NULL);
1317 
1318  free(multi->peer_info);
1319 
1320  if (multi->locked_cn)
1321  {
1322  free(multi->locked_cn);
1323  }
1324 
1325  if (multi->locked_username)
1326  {
1327  free(multi->locked_username);
1328  }
1329 
1331 
1332  wipe_auth_token(multi);
1333 
1334  free(multi->remote_ciphername);
1335 
1336  for (int i = 0; i < TM_SIZE; ++i)
1337  {
1338  tls_session_free(&multi->session[i], false);
1339  }
1340 
1341  if (clear)
1342  {
1343  secure_memzero(multi, sizeof(*multi));
1344  }
1345 
1346  free(multi);
1347 }
1348 
1349 
1350 /*
1351  * Move a packet authentication HMAC + related fields to or from the front
1352  * of the buffer so it can be processed by encrypt/decrypt.
1353  */
1354 
1355 /*
1356  * Dependent on hmac size, opcode size, and session_id size.
1357  * Will assert if too small.
1358  */
1359 #define SWAP_BUF_SIZE 256
1360 
1361 static bool
1362 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
1363 {
1364  ASSERT(co);
1365 
1366  const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
1367  &co->key_ctx_bi.encrypt);
1368  ASSERT(ctx->hmac);
1369 
1370  {
1371  /* hmac + packet_id (8 bytes) */
1372  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
1373 
1374  /* opcode + session_id */
1375  const int osid_size = 1 + SID_SIZE;
1376 
1377  int e1, e2;
1378  uint8_t *b = BPTR(buf);
1379  uint8_t buf1[SWAP_BUF_SIZE];
1380  uint8_t buf2[SWAP_BUF_SIZE];
1381 
1382  if (incoming)
1383  {
1384  e1 = osid_size;
1385  e2 = hmac_size;
1386  }
1387  else
1388  {
1389  e1 = hmac_size;
1390  e2 = osid_size;
1391  }
1392 
1393  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
1394 
1395  if (buf->len >= e1 + e2)
1396  {
1397  memcpy(buf1, b, e1);
1398  memcpy(buf2, b + e1, e2);
1399  memcpy(b, buf2, e2);
1400  memcpy(b + e2, buf1, e1);
1401  return true;
1402  }
1403  else
1404  {
1405  return false;
1406  }
1407  }
1408 }
1409 
1410 #undef SWAP_BUF_SIZE
1411 
1412 /*
1413  * Write a control channel authentication record.
1414  */
1415 static void
1417  struct key_state *ks,
1418  struct buffer *buf,
1419  struct link_socket_actual **to_link_addr,
1420  int opcode,
1421  int max_ack,
1422  bool prepend_ack)
1423 {
1424  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
1425  struct buffer null = clear_buf();
1426 
1429  (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
1430 
1431  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
1432 
1433  if (session->tls_wrap.mode == TLS_WRAP_AUTH
1434  || session->tls_wrap.mode == TLS_WRAP_NONE)
1435  {
1436  ASSERT(session_id_write_prepend(&session->session_id, buf));
1437  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
1438  }
1439  if (session->tls_wrap.mode == TLS_WRAP_AUTH)
1440  {
1441  /* no encryption, only write hmac */
1442  openvpn_encrypt(buf, null, &session->tls_wrap.opt);
1443  ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false));
1444  }
1445  else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
1446  {
1447  ASSERT(buf_init(&session->tls_wrap.work, buf->offset));
1448  ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header)));
1449  ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work));
1450  if (!tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt))
1451  {
1452  buf->len = 0;
1453  return;
1454  }
1455 
1456  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3)
1457  {
1458  if (!buf_copy(&session->tls_wrap.work,
1459  session->tls_wrap.tls_crypt_v2_wkc))
1460  {
1461  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
1462  buf->len = 0;
1463  return;
1464  }
1465  }
1466 
1467  /* Don't change the original data in buf, it's used by the reliability
1468  * layer to resend on failure. */
1469  *buf = session->tls_wrap.work;
1470  }
1471  *to_link_addr = &ks->remote_addr;
1472 }
1473 
1474 /*
1475  * Read a control channel authentication record.
1476  */
1477 static bool
1479  struct tls_wrap_ctx *ctx,
1480  const struct link_socket_actual *from,
1481  const struct tls_options *opt)
1482 {
1483  struct gc_arena gc = gc_new();
1484  bool ret = false;
1485 
1486  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
1487  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
1488  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
1489  {
1490  msg(D_TLS_ERRORS,
1491  "TLS Error: can not extract tls-crypt-v2 client key from %s",
1492  print_link_socket_actual(from, &gc));
1493  goto cleanup;
1494  }
1495 
1496  if (ctx->mode == TLS_WRAP_AUTH)
1497  {
1498  struct buffer null = clear_buf();
1499 
1500  /* move the hmac record to the front of the packet */
1501  if (!swap_hmac(buf, &ctx->opt, true))
1502  {
1503  msg(D_TLS_ERRORS,
1504  "TLS Error: cannot locate HMAC in incoming packet from %s",
1505  print_link_socket_actual(from, &gc));
1506  gc_free(&gc);
1507  return false;
1508  }
1509 
1510  /* authenticate only (no decrypt) and remove the hmac record
1511  * from the head of the buffer */
1512  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
1513  if (!buf->len)
1514  {
1515  msg(D_TLS_ERRORS,
1516  "TLS Error: incoming packet authentication failed from %s",
1517  print_link_socket_actual(from, &gc));
1518  goto cleanup;
1519  }
1520 
1521  }
1522  else if (ctx->mode == TLS_WRAP_CRYPT)
1523  {
1524  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
1525  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
1526  {
1527  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
1528  print_link_socket_actual(from, &gc));
1529  goto cleanup;
1530  }
1531  ASSERT(buf_init(buf, buf->offset));
1532  ASSERT(buf_copy(buf, &tmp));
1533  buf_clear(&tmp);
1534  }
1535  else if (ctx->tls_crypt_v2_server_key.cipher)
1536  {
1537  /* If tls-crypt-v2 is enabled, require *some* wrapping */
1538  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
1539  print_link_socket_actual(from, &gc));
1540  /* TODO Do we want to support using tls-crypt-v2 and no control channel
1541  * wrapping at all simultaneously? That would allow server admins to
1542  * upgrade clients one-by-one without running a second instance, but we
1543  * should not enable it by default because it breaks DoS-protection.
1544  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
1545  goto cleanup;
1546  }
1547 
1548  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
1549  {
1550  /* advance buffer pointer past opcode & session_id since our caller
1551  * already read it */
1552  buf_advance(buf, SID_SIZE + 1);
1553  }
1554 
1555  ret = true;
1556 cleanup:
1557  gc_free(&gc);
1558  return ret;
1559 }
1560 
1561 /*
1562  * For debugging, print contents of key_source2 structure.
1563  */
1564 
1565 static void
1567  const char *prefix)
1568 {
1569  struct gc_arena gc = gc_new();
1570 
1571  VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1572  VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1573  VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1574 
1576  "%s pre_master: %s",
1577  prefix,
1578  format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1580  "%s random1: %s",
1581  prefix,
1582  format_hex(k->random1, sizeof(k->random1), 0, &gc));
1584  "%s random2: %s",
1585  prefix,
1586  format_hex(k->random2, sizeof(k->random2), 0, &gc));
1587 
1588  gc_free(&gc);
1589 }
1590 
1591 static void
1593 {
1594  key_source_print(&k->client, "Client");
1595  key_source_print(&k->server, "Server");
1596 }
1597 
1598 /*
1599  * Generate the hash required by for the \c tls1_PRF function.
1600  *
1601  * @param md_kt Message digest to use
1602  * @param sec Secret to base the hash on
1603  * @param sec_len Length of the secret
1604  * @param seed Seed to hash
1605  * @param seed_len Length of the seed
1606  * @param out Output buffer
1607  * @param olen Length of the output buffer
1608  */
1609 static void
1610 tls1_P_hash(const md_kt_t *md_kt,
1611  const uint8_t *sec,
1612  int sec_len,
1613  const uint8_t *seed,
1614  int seed_len,
1615  uint8_t *out,
1616  int olen)
1617 {
1618  struct gc_arena gc = gc_new();
1620 
1621 #ifdef ENABLE_DEBUG
1622  const int olen_orig = olen;
1623  const uint8_t *out_orig = out;
1624 #endif
1625 
1626  hmac_ctx_t *ctx = hmac_ctx_new();
1627  hmac_ctx_t *ctx_tmp = hmac_ctx_new();
1628 
1629  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
1630  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
1631 
1632  int chunk = md_kt_size(md_kt);
1633  unsigned int A1_len = md_kt_size(md_kt);
1634 
1635  hmac_ctx_init(ctx, sec, sec_len, md_kt);
1636  hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
1637 
1638  hmac_ctx_update(ctx,seed,seed_len);
1639  hmac_ctx_final(ctx, A1);
1640 
1641  for (;; )
1642  {
1643  hmac_ctx_reset(ctx);
1644  hmac_ctx_reset(ctx_tmp);
1645  hmac_ctx_update(ctx,A1,A1_len);
1646  hmac_ctx_update(ctx_tmp,A1,A1_len);
1647  hmac_ctx_update(ctx,seed,seed_len);
1648 
1649  if (olen > chunk)
1650  {
1651  hmac_ctx_final(ctx, out);
1652  out += chunk;
1653  olen -= chunk;
1654  hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
1655  }
1656  else /* last one */
1657  {
1658  hmac_ctx_final(ctx, A1);
1659  memcpy(out,A1,olen);
1660  break;
1661  }
1662  }
1663  hmac_ctx_cleanup(ctx);
1664  hmac_ctx_free(ctx);
1665  hmac_ctx_cleanup(ctx_tmp);
1666  hmac_ctx_free(ctx_tmp);
1667  secure_memzero(A1, sizeof(A1));
1668 
1669  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
1670  gc_free(&gc);
1671 }
1672 
1673 /*
1674  * Use the TLS PRF function for generating data channel keys.
1675  * This code is based on the OpenSSL library.
1676  *
1677  * TLS generates keys as such:
1678  *
1679  * master_secret[48] = PRF(pre_master_secret[48], "master secret",
1680  * ClientHello.random[32] + ServerHello.random[32])
1681  *
1682  * key_block[] = PRF(SecurityParameters.master_secret[48],
1683  * "key expansion",
1684  * SecurityParameters.server_random[32] +
1685  * SecurityParameters.client_random[32]);
1686  *
1687  * Notes:
1688  *
1689  * (1) key_block contains a full set of 4 keys.
1690  * (2) The pre-master secret is generated by the client.
1691  */
1692 static void
1693 tls1_PRF(const uint8_t *label,
1694  int label_len,
1695  const uint8_t *sec,
1696  int slen,
1697  uint8_t *out1,
1698  int olen)
1699 {
1700  struct gc_arena gc = gc_new();
1701  const md_kt_t *md5 = md_kt_get("MD5");
1702  const md_kt_t *sha1 = md_kt_get("SHA1");
1703 
1704  uint8_t *out2 = (uint8_t *) gc_malloc(olen, false, &gc);
1705 
1706  int len = slen/2;
1707  const uint8_t *S1 = sec;
1708  const uint8_t *S2 = &(sec[len]);
1709  len += (slen&1); /* add for odd, make longer */
1710 
1711  tls1_P_hash(md5,S1,len,label,label_len,out1,olen);
1712  tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1713 
1714  for (int i = 0; i<olen; i++)
1715  {
1716  out1[i] ^= out2[i];
1717  }
1718 
1719  secure_memzero(out2, olen);
1720 
1721  dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc));
1722 
1723  gc_free(&gc);
1724 }
1725 
1726 static void
1727 openvpn_PRF(const uint8_t *secret,
1728  int secret_len,
1729  const char *label,
1730  const uint8_t *client_seed,
1731  int client_seed_len,
1732  const uint8_t *server_seed,
1733  int server_seed_len,
1734  const struct session_id *client_sid,
1735  const struct session_id *server_sid,
1736  uint8_t *output,
1737  int output_len)
1738 {
1739  /* concatenate seed components */
1740 
1741  struct buffer seed = alloc_buf(strlen(label)
1742  + client_seed_len
1743  + server_seed_len
1744  + SID_SIZE * 2);
1745 
1746  ASSERT(buf_write(&seed, label, strlen(label)));
1747  ASSERT(buf_write(&seed, client_seed, client_seed_len));
1748  ASSERT(buf_write(&seed, server_seed, server_seed_len));
1749 
1750  if (client_sid)
1751  {
1752  ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1753  }
1754  if (server_sid)
1755  {
1756  ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1757  }
1758 
1759  /* compute PRF */
1760  tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1761 
1762  buf_clear(&seed);
1763  free_buf(&seed);
1764 
1765  VALGRIND_MAKE_READABLE((void *)output, output_len);
1766 }
1767 
1768 /*
1769  * Using source entropy from local and remote hosts, mix into
1770  * master key.
1771  */
1772 static bool
1774  const struct key_type *key_type,
1775  const struct key_source2 *key_src,
1776  const struct session_id *client_sid,
1777  const struct session_id *server_sid,
1778  bool server)
1779 {
1780  uint8_t master[48] = { 0 };
1781  struct key2 key2 = { 0 };
1782  bool ret = false;
1783 
1784  if (key->initialized)
1785  {
1786  msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1787  goto exit;
1788  }
1789 
1790  /* debugging print of source key material */
1791  key_source2_print(key_src);
1792 
1793  /* compute master secret */
1794  openvpn_PRF(key_src->client.pre_master,
1795  sizeof(key_src->client.pre_master),
1796  KEY_EXPANSION_ID " master secret",
1797  key_src->client.random1,
1798  sizeof(key_src->client.random1),
1799  key_src->server.random1,
1800  sizeof(key_src->server.random1),
1801  NULL,
1802  NULL,
1803  master,
1804  sizeof(master));
1805 
1806  /* compute key expansion */
1807  openvpn_PRF(master,
1808  sizeof(master),
1809  KEY_EXPANSION_ID " key expansion",
1810  key_src->client.random2,
1811  sizeof(key_src->client.random2),
1812  key_src->server.random2,
1813  sizeof(key_src->server.random2),
1814  client_sid,
1815  server_sid,
1816  (uint8_t *)key2.keys,
1817  sizeof(key2.keys));
1818 
1819  key2.n = 2;
1820 
1821  key2_print(&key2, key_type, "Master Encrypt", "Master Decrypt");
1822 
1823  /* check for weak keys */
1824  for (int i = 0; i < 2; ++i)
1825  {
1826  fixup_key(&key2.keys[i], key_type);
1827  if (!check_key(&key2.keys[i], key_type))
1828  {
1829  msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1830  goto exit;
1831  }
1832  }
1833 
1834  /* Initialize OpenSSL key contexts */
1835  int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1836  init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
1837 
1838  /* Initialize implicit IVs */
1839  key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
1841  key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
1843 
1844  ret = true;
1845 
1846 exit:
1847  secure_memzero(&master, sizeof(master));
1848  secure_memzero(&key2, sizeof(key2));
1849 
1850  return ret;
1851 }
1852 
1853 static void
1854 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
1855 {
1856  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
1857 
1858  /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
1859  if (cipher_kt_mode_aead(cipher_kt))
1860  {
1861  size_t impl_iv_len = 0;
1863  impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
1864  ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
1865  ASSERT(impl_iv_len <= key_len);
1866  memcpy(ctx->implicit_iv, key, impl_iv_len);
1867  ctx->implicit_iv_len = impl_iv_len;
1868  }
1869 }
1870 
1877 static bool
1879 {
1880  bool ret = false;
1881  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1882  const struct session_id *client_sid = session->opt->server ?
1883  &ks->session_id_remote : &session->session_id;
1884  const struct session_id *server_sid = !session->opt->server ?
1885  &ks->session_id_remote : &session->session_id;
1886 
1887  if (ks->authenticated == KS_AUTH_FALSE)
1888  {
1889  msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1890  goto cleanup;
1891  }
1892 
1893  ks->crypto_options.flags = session->opt->crypto_flags;
1895  &session->opt->key_type, ks->key_src, client_sid, server_sid,
1896  session->opt->server))
1897  {
1898  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1899  goto cleanup;
1900  }
1902  &session->opt->renegotiate_bytes);
1903 
1904  ret = true;
1905 cleanup:
1906  secure_memzero(ks->key_src, sizeof(*ks->key_src));
1907  return ret;
1908 }
1909 
1910 bool
1912  struct options *options, struct frame *frame,
1913  struct frame *frame_fragment)
1914 {
1916  {
1917  /* keys already generated, nothing to do */
1918  return true;
1919  }
1920 
1921  bool cipher_allowed_as_fallback = options->enable_ncp_fallback
1922  && streq(options->ciphername, session->opt->config_ciphername);
1923 
1924  if (!session->opt->server && !cipher_allowed_as_fallback
1925  && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
1926  {
1927  msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s",
1928  options->ciphername, options->ncp_ciphers);
1929  /* undo cipher push, abort connection setup */
1930  options->ciphername = session->opt->config_ciphername;
1931  return false;
1932  }
1933 
1934  if (strcmp(options->ciphername, session->opt->config_ciphername))
1935  {
1936  msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
1937  options->ciphername);
1938  if (options->keysize)
1939  {
1940  msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
1941  options->keysize = 0;
1942  }
1943  }
1944  else
1945  {
1946  /* Very hacky workaround and quick fix for frame calculation
1947  * different when adjusting frame size when the original and new cipher
1948  * are identical to avoid a regression with client without NCP */
1950  }
1951 
1952  init_key_type(&session->opt->key_type, options->ciphername,
1953  options->authname, options->keysize, true, true);
1954 
1955  bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1956  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1957  if (packet_id_long_form)
1958  {
1960  }
1961 
1962  /* Update frame parameters: undo worst-case overhead, add actual overhead */
1964  crypto_adjust_frame_parameters(frame, &session->opt->key_type,
1965  options->replay, packet_id_long_form);
1966  frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
1967  options->ce.tun_mtu_defined, options->ce.tun_mtu);
1968  frame_init_mssfix(frame, options);
1969  frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1970 
1971  /*
1972  * mssfix uses data channel framing, which at this point contains
1973  * actual overhead. Fragmentation logic uses frame_fragment, which
1974  * still contains worst case overhead. Replace it with actual overhead
1975  * to prevent unneeded fragmentation.
1976  */
1977 
1978  if (frame_fragment)
1979  {
1981  crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type,
1982  options->replay, packet_id_long_form);
1983  frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);
1984  frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1985  }
1986 
1988 }
1989 
1990 static bool
1992  uint8_t *out,
1993  int outlen)
1994 {
1995  if (!rand_bytes(out, outlen))
1996  {
1997  msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1998  }
1999  if (!buf_write(buf, out, outlen))
2000  {
2001  return false;
2002  }
2003  return true;
2004 }
2005 
2006 static bool
2008  struct buffer *buf,
2009  bool server)
2010 {
2011  struct key_source *k = &k2->client;
2012  if (server)
2013  {
2014  k = &k2->server;
2015  }
2016 
2017  CLEAR(*k);
2018 
2019  if (!server)
2020  {
2021  if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
2022  {
2023  return false;
2024  }
2025  }
2026 
2027  if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
2028  {
2029  return false;
2030  }
2031  if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
2032  {
2033  return false;
2034  }
2035 
2036  return true;
2037 }
2038 
2039 static int
2041  struct buffer *buf,
2042  bool server)
2043 {
2044  struct key_source *k = &k2->client;
2045 
2046  if (!server)
2047  {
2048  k = &k2->server;
2049  }
2050 
2051  CLEAR(*k);
2052 
2053  if (server)
2054  {
2055  if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
2056  {
2057  return 0;
2058  }
2059  }
2060 
2061  if (!buf_read(buf, k->random1, sizeof(k->random1)))
2062  {
2063  return 0;
2064  }
2065  if (!buf_read(buf, k->random2, sizeof(k->random2)))
2066  {
2067  return 0;
2068  }
2069 
2070  return 1;
2071 }
2072 
2073 static void
2075 {
2076  struct buffer *b;
2077 
2078  while ((b = buffer_list_peek(ks->paybuf)))
2079  {
2081  buffer_list_pop(ks->paybuf);
2082  }
2083 }
2084 
2085 /* true if no in/out acknowledgements pending */
2086 #define FULL_SYNC \
2087  (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
2088 
2089 /*
2090  * Move the active key to the lame duck key and reinitialize the
2091  * active key.
2092  */
2093 static void
2095 {
2096  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2097  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2098 
2099  ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
2100  key_state_free(ks_lame, false);
2101  *ks_lame = *ks;
2102 
2103  key_state_init(session, ks);
2104  ks->session_id_remote = ks_lame->session_id_remote;
2105  ks->remote_addr = ks_lame->remote_addr;
2106 }
2107 
2108 /*
2109  * Read/write strings from/to a struct buffer with a u16 length prefix.
2110  */
2111 
2112 static bool
2114 {
2115  if (!buf_write_u16(buf, 0))
2116  {
2117  return false;
2118  }
2119  return true;
2120 }
2121 
2122 static bool
2123 write_string(struct buffer *buf, const char *str, const int maxlen)
2124 {
2125  const int len = strlen(str) + 1;
2126  if (len < 1 || (maxlen >= 0 && len > maxlen))
2127  {
2128  return false;
2129  }
2130  if (!buf_write_u16(buf, len))
2131  {
2132  return false;
2133  }
2134  if (!buf_write(buf, str, len))
2135  {
2136  return false;
2137  }
2138  return true;
2139 }
2140 
2141 static bool
2142 read_string(struct buffer *buf, char *str, const unsigned int capacity)
2143 {
2144  const int len = buf_read_u16(buf);
2145  if (len < 1 || len > (int)capacity)
2146  {
2147  return false;
2148  }
2149  if (!buf_read(buf, str, len))
2150  {
2151  return false;
2152  }
2153  str[len-1] = '\0';
2154  return true;
2155 }
2156 
2157 static char *
2159 {
2160  const int len = buf_read_u16(buf);
2161  char *str;
2162 
2163  if (len < 1)
2164  {
2165  return NULL;
2166  }
2167  str = (char *) malloc(len);
2168  check_malloc_return(str);
2169  if (!buf_read(buf, str, len))
2170  {
2171  free(str);
2172  return NULL;
2173  }
2174  str[len-1] = '\0';
2175  return str;
2176 }
2177 
2178 static bool
2180 {
2181  struct gc_arena gc = gc_new();
2182  bool ret = false;
2183 
2184  if (session->opt->push_peer_info_detail > 0)
2185  {
2186  struct env_set *es = session->opt->es;
2187  struct buffer out = alloc_buf_gc(512*3, &gc);
2188 
2189  /* push version */
2190  buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
2191 
2192  /* push platform */
2193 #if defined(TARGET_LINUX)
2194  buf_printf(&out, "IV_PLAT=linux\n");
2195 #elif defined(TARGET_SOLARIS)
2196  buf_printf(&out, "IV_PLAT=solaris\n");
2197 #elif defined(TARGET_OPENBSD)
2198  buf_printf(&out, "IV_PLAT=openbsd\n");
2199 #elif defined(TARGET_DARWIN)
2200  buf_printf(&out, "IV_PLAT=mac\n");
2201 #elif defined(TARGET_NETBSD)
2202  buf_printf(&out, "IV_PLAT=netbsd\n");
2203 #elif defined(TARGET_FREEBSD)
2204  buf_printf(&out, "IV_PLAT=freebsd\n");
2205 #elif defined(TARGET_ANDROID)
2206  buf_printf(&out, "IV_PLAT=android\n");
2207 #elif defined(_WIN32)
2208  buf_printf(&out, "IV_PLAT=win\n");
2209 #endif
2210 
2211  /* support for P_DATA_V2 */
2212  int iv_proto = IV_PROTO_DATA_V2;
2213 
2214  /* support for receiving push_reply before sending
2215  * push request, also signal that the client wants
2216  * to get push-reply messages without without requiring a round
2217  * trip for a push request message*/
2218  if(session->opt->pull)
2219  {
2220  iv_proto |= IV_PROTO_REQUEST_PUSH;
2221  }
2222 
2223  buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
2224 
2225  /* support for Negotiable Crypto Parameters */
2226  if (session->opt->ncp_enabled
2227  && (session->opt->mode == MODE_SERVER || session->opt->pull))
2228  {
2229  if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
2230  && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
2231  {
2232 
2233  buf_printf(&out, "IV_NCP=2\n");
2234  }
2235  buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
2236  }
2237 
2238  /* push compression status */
2239 #ifdef USE_COMP
2240  comp_generate_peer_info_string(&session->opt->comp_options, &out);
2241 #endif
2242 
2243  if (session->opt->push_peer_info_detail >= 2)
2244  {
2245  /* push mac addr */
2246  struct route_gateway_info rgi;
2247  get_default_gateway(&rgi, session->opt->net_ctx);
2248  if (rgi.flags & RGI_HWADDR_DEFINED)
2249  {
2250  buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2251  }
2252  buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2253 #if defined(_WIN32)
2254  buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2255 #endif
2256  }
2257 
2258  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2259  for (struct env_item *e = es->list; e != NULL; e = e->next)
2260  {
2261  if (e->string)
2262  {
2263  if ((((strncmp(e->string, "UV_", 3)==0
2264  || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0)
2265  && session->opt->push_peer_info_detail >= 2)
2266  || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)
2267  || (strncmp(e->string,"IV_SSO=",sizeof("IV_SSO=")-1)==0)
2268  )
2269  && buf_safe(&out, strlen(e->string)+1))
2270  {
2271  buf_printf(&out, "%s\n", e->string);
2272  }
2273  }
2274  }
2275 
2276  if (!write_string(buf, BSTR(&out), -1))
2277  {
2278  goto error;
2279  }
2280  }
2281  else
2282  {
2283  if (!write_empty_string(buf)) /* no peer info */
2284  {
2285  goto error;
2286  }
2287  }
2288  ret = true;
2289 
2290 error:
2291  gc_free(&gc);
2292  return ret;
2293 }
2294 
2299 static bool
2301 {
2302  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2303 
2304  ASSERT(buf_init(buf, 0));
2305 
2306  /* write a uint32 0 */
2307  if (!buf_write_u32(buf, 0))
2308  {
2309  goto error;
2310  }
2311 
2312  /* write key_method + flags */
2313  if (!buf_write_u8(buf, KEY_METHOD_2))
2314  {
2315  goto error;
2316  }
2317 
2318  /* write key source material */
2319  if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2320  {
2321  goto error;
2322  }
2323 
2324  /* write options string */
2325  {
2326  if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2327  {
2328  goto error;
2329  }
2330  }
2331 
2332  /* write username/password if specified */
2333  if (auth_user_pass_enabled)
2334  {
2335 #ifdef ENABLE_MANAGEMENT
2336  auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
2337 #else
2338  auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
2339 #endif
2340  struct user_pass *up = &auth_user_pass;
2341 
2342  /*
2343  * If we have a valid auth-token, send that instead of real
2344  * username/password
2345  */
2346  if (auth_token.defined)
2347  {
2348  up = &auth_token;
2349  }
2350 
2351  if (!write_string(buf, up->username, -1))
2352  {
2353  goto error;
2354  }
2355  else if (!write_string(buf, up->password, -1))
2356  {
2357  goto error;
2358  }
2359  /* if auth-nocache was specified, the auth_user_pass object reaches
2360  * a "complete" state only after having received the push-reply
2361  * message.
2362  *
2363  * For this reason, skip the purge operation here if no push-reply
2364  * message has been received yet.
2365  *
2366  * This normally happens upon first negotiation only.
2367  */
2369  {
2371  }
2372  }
2373  else
2374  {
2375  if (!write_empty_string(buf)) /* no username */
2376  {
2377  goto error;
2378  }
2379  if (!write_empty_string(buf)) /* no password */
2380  {
2381  goto error;
2382  }
2383  }
2384 
2385  if (!push_peer_info(buf, session))
2386  {
2387  goto error;
2388  }
2389 
2390  /* Generate tunnel keys if we're a TLS server.
2391  * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
2392  * generation is postponed until after the pull/push, so we can process pushed
2393  * cipher directives.
2394  */
2395  if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0))
2396  {
2397  if (ks->authenticated > KS_AUTH_FALSE)
2398  {
2400  {
2401  msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
2402  goto error;
2403  }
2404  }
2405  }
2406 
2407  return true;
2408 
2409 error:
2410  msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2411  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2412  return false;
2413 }
2414 
2419 static bool
2420 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2421 {
2422  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2423 
2424  bool username_status, password_status;
2425 
2426  struct gc_arena gc = gc_new();
2427  char *options;
2428  struct user_pass *up = NULL;
2429 
2430  /* allocate temporary objects */
2431  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2432 
2433  /* discard leading uint32 */
2434  if (!buf_advance(buf, 4))
2435  {
2436  msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2437  buf->len);
2438  goto error;
2439  }
2440 
2441  /* get key method */
2442  int key_method_flags = buf_read_u8(buf);
2443  if ((key_method_flags & KEY_METHOD_MASK) != 2)
2444  {
2445  msg(D_TLS_ERRORS,
2446  "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2447  key_method_flags);
2448  goto error;
2449  }
2450 
2451  /* get key source material (not actual keys yet) */
2452  if (!key_source2_read(ks->key_src, buf, session->opt->server))
2453  {
2454  msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2455  goto error;
2456  }
2457 
2458  /* get options */
2459  if (!read_string(buf, options, TLS_OPTIONS_LEN))
2460  {
2461  msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2462  goto error;
2463  }
2464 
2466 
2467  /* always extract username + password fields from buf, even if not
2468  * authenticating for it, because otherwise we can't get at the
2469  * peer_info data which follows behind
2470  */
2471  ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2472  username_status = read_string(buf, up->username, USER_PASS_LEN);
2473  password_status = read_string(buf, up->password, USER_PASS_LEN);
2474 
2475  /* get peer info from control channel */
2476  free(multi->peer_info);
2477  multi->peer_info = read_string_alloc(buf);
2478  if (multi->peer_info)
2479  {
2480  output_peer_info_env(session->opt->es, multi->peer_info);
2481  }
2482 
2483  free(multi->remote_ciphername);
2484  multi->remote_ciphername =
2485  options_string_extract_option(options, "cipher", NULL);
2486 
2487  if (tls_session_user_pass_enabled(session))
2488  {
2489  /* Perform username/password authentication */
2490  if (!username_status || !password_status)
2491  {
2492  CLEAR(*up);
2493  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2494  {
2495  msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2496  goto error;
2497  }
2498  }
2499 
2500  verify_user_pass(up, multi, session);
2501  }
2502  else
2503  {
2504  /* Session verification should have occurred during TLS negotiation*/
2505  if (!session->verified)
2506  {
2507  msg(D_TLS_ERRORS,
2508  "TLS Error: Certificate verification failed (key-method 2)");
2509  goto error;
2510  }
2512  }
2513 
2514  /* clear username and password from memory */
2515  secure_memzero(up, sizeof(*up));
2516 
2517  /* Perform final authentication checks */
2518  if (ks->authenticated > KS_AUTH_FALSE)
2519  {
2520  verify_final_auth_checks(multi, session);
2521  }
2522 
2523  /* check options consistency */
2524  if (!session->opt->disable_occ
2525  && !options_cmp_equal(options, session->opt->remote_options))
2526  {
2527  options_warning(options, session->opt->remote_options);
2528  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2529  {
2530  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2532  }
2533  }
2534 
2535  buf_clear(buf);
2536 
2537  /*
2538  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2539  * veto opportunity over authentication decision.
2540  */
2541  if ((ks->authenticated > KS_AUTH_FALSE)
2543  {
2545 
2546  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2547  {
2549  }
2550 
2551  setenv_del(session->opt->es, "exported_keying_material");
2552  }
2553 
2554  /*
2555  * Generate tunnel keys if we're a client.
2556  * If --pull is enabled, the first key generation is postponed until after the
2557  * pull/push, so we can process pushed cipher directives.
2558  */
2559  if (!session->opt->server && (!session->opt->pull || ks->key_id > 0))
2560  {
2562  {
2563  msg(D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed");
2564  goto error;
2565  }
2566  }
2567 
2568  gc_free(&gc);
2569  return true;
2570 
2571 error:
2573  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2574  if (up)
2575  {
2576  secure_memzero(up, sizeof(*up));
2577  }
2578  buf_clear(buf);
2579  gc_free(&gc);
2580  return false;
2581 }
2582 
2583 static int
2585 {
2586  int ret = o->handshake_window;
2587  const int r2 = o->renegotiate_seconds / 2;
2588 
2589  if (o->renegotiate_seconds && r2 < ret)
2590  {
2591  ret = r2;
2592  }
2593  return ret;
2594 }
2595 
2596 /*
2597  * This is the primary routine for processing TLS stuff inside the
2598  * the main event loop. When this routine exits
2599  * with non-error status, it will set *wakeup to the number of seconds
2600  * when it wants to be called again.
2601  *
2602  * Return value is true if we have placed a packet in *to_link which we
2603  * want to send to our peer.
2604  */
2605 static bool
2606 tls_process(struct tls_multi *multi,
2607  struct tls_session *session,
2608  struct buffer *to_link,
2609  struct link_socket_actual **to_link_addr,
2610  struct link_socket_info *to_link_socket_info,
2611  interval_t *wakeup)
2612 {
2613  struct gc_arena gc = gc_new();
2614  struct buffer *buf;
2615  bool state_change = false;
2616  bool active = false;
2617  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2618  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2619 
2620  /* Make sure we were initialized and that we're not in an error state */
2621  ASSERT(ks->state != S_UNDEF);
2622  ASSERT(ks->state != S_ERROR);
2623  ASSERT(session_id_defined(&session->session_id));
2624 
2625  /* Should we trigger a soft reset? -- new key, keeps old key for a while */
2626  if (ks->state >= S_ACTIVE
2627  && ((session->opt->renegotiate_seconds
2628  && now >= ks->established + session->opt->renegotiate_seconds)
2629  || (session->opt->renegotiate_bytes > 0
2630  && ks->n_bytes >= session->opt->renegotiate_bytes)
2631  || (session->opt->renegotiate_packets
2632  && ks->n_packets >= session->opt->renegotiate_packets)
2634  {
2635  msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
2636  "/%d pkts=" counter_format "/%d",
2637  (int) (now - ks->established), session->opt->renegotiate_seconds,
2638  ks->n_bytes, session->opt->renegotiate_bytes,
2639  ks->n_packets, session->opt->renegotiate_packets);
2640  key_state_soft_reset(session);
2641  }
2642 
2643  /* Kill lame duck key transition_window seconds after primary key negotiation */
2644  if (lame_duck_must_die(session, wakeup))
2645  {
2646  key_state_free(ks_lame, true);
2647  msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
2648  }
2649 
2650  do
2651  {
2652  update_time();
2653 
2654  dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
2655  state_change,
2656  state_name(ks->state),
2657  state_name(ks_lame->state),
2658  to_link->len,
2659  *wakeup);
2660 
2661  state_change = false;
2662 
2663  /*
2664  * TLS activity is finished once we get to S_ACTIVE,
2665  * though we will still process acknowledgements.
2666  *
2667  * CHANGED with 2.0 -> now we may send tunnel configuration
2668  * info over the control channel.
2669  */
2670 
2671  /* Initial handshake */
2672  if (ks->state == S_INITIAL)
2673  {
2675  if (buf)
2676  {
2677  ks->must_negotiate = now + session->opt->handshake_window;
2679 
2680  /* null buffer */
2683 
2684  ks->state = S_PRE_START;
2685  state_change = true;
2686  dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2687  session_id_print(&session->session_id, &gc));
2688 
2689 #ifdef ENABLE_MANAGEMENT
2691  {
2694  NULL,
2695  NULL,
2696  NULL,
2697  NULL,
2698  NULL);
2699  }
2700 #endif
2701  }
2702  }
2703 
2704  /* Are we timed out on receive? */
2705  if (now >= ks->must_negotiate && ks->state < S_ACTIVE)
2706  {
2707  msg(D_TLS_ERRORS,
2708  "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2709  session->opt->handshake_window);
2710  goto error;
2711  }
2712 
2713  /* Wait for Initial Handshake ACK */
2714  if (ks->state == S_PRE_START && FULL_SYNC)
2715  {
2716  ks->state = S_START;
2717  state_change = true;
2718 
2719  /*
2720  * Attempt CRL reload before TLS negotiation. Won't be performed if
2721  * the file was not modified since the last reload
2722  */
2723  if (session->opt->crl_file
2724  && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
2725  {
2726  tls_ctx_reload_crl(&session->opt->ssl_ctx,
2727  session->opt->crl_file, session->opt->crl_file_inline);
2728  }
2729 
2730  /* New connection, remove any old X509 env variables */
2731  tls_x509_clear_env(session->opt->es);
2732 
2733  dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2734  }
2735 
2736  /* Wait for ACK */
2737  if (((ks->state == S_GOT_KEY && !session->opt->server)
2738  || (ks->state == S_SENT_KEY && session->opt->server)))
2739  {
2740  if (FULL_SYNC)
2741  {
2742  ks->established = now;
2743  dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2745  {
2746  print_details(&ks->ks_ssl, "Control Channel:");
2747  }
2748  state_change = true;
2749  ks->state = S_ACTIVE;
2750  /* Cancel negotiation timeout */
2751  ks->must_negotiate = 0;
2752  INCR_SUCCESS;
2753 
2754  /* Set outgoing address for data channel packets */
2755  link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
2756 
2757  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2759 
2760 #ifdef MEASURE_TLS_HANDSHAKE_STATS
2761  show_tls_performance_stats();
2762 #endif
2763  }
2764  }
2765 
2766  /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2767  * for previously received packets) */
2768  if (!to_link->len && reliable_can_send(ks->send_reliable))
2769  {
2770  int opcode;
2771  struct buffer b;
2772 
2773  buf = reliable_send(ks->send_reliable, &opcode);
2774  ASSERT(buf);
2775  b = *buf;
2776  INCR_SENT;
2777 
2778  write_control_auth(session, ks, &b, to_link_addr, opcode,
2779  CONTROL_SEND_ACK_MAX, true);
2780  *to_link = b;
2781  active = true;
2782  state_change = true;
2783  dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2784  break;
2785  }
2786 
2787  /* Write incoming ciphertext to TLS object */
2789  if (buf)
2790  {
2791  int status = 0;
2792  if (buf->len)
2793  {
2794  status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2795  if (status == -1)
2796  {
2797  msg(D_TLS_ERRORS,
2798  "TLS Error: Incoming Ciphertext -> TLS object write error");
2799  goto error;
2800  }
2801  }
2802  else
2803  {
2804  status = 1;
2805  }
2806  if (status == 1)
2807  {
2808  reliable_mark_deleted(ks->rec_reliable, buf, true);
2809  state_change = true;
2810  dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2811  }
2812  }
2813 
2814  /* Read incoming plaintext from TLS object */
2815  buf = &ks->plaintext_read_buf;
2816  if (!buf->len)
2817  {
2818  int status;
2819 
2820  ASSERT(buf_init(buf, 0));
2822  update_time();
2823  if (status == -1)
2824  {
2825  msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2826  goto error;
2827  }
2828  if (status == 1)
2829  {
2830  state_change = true;
2831  dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2832 
2833  /* More data may be available, wake up again asap to check. */
2834  *wakeup = 0;
2835  }
2836  }
2837 
2838  /* Send Key */
2839  buf = &ks->plaintext_write_buf;
2840  if (!buf->len && ((ks->state == S_START && !session->opt->server)
2841  || (ks->state == S_GOT_KEY && session->opt->server)))
2842  {
2843  if (!key_method_2_write(buf, session))
2844  {
2845  goto error;
2846  }
2847 
2848  state_change = true;
2849  dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2850  ks->state = S_SENT_KEY;
2851  }
2852 
2853  /* Receive Key */
2854  buf = &ks->plaintext_read_buf;
2855  if (buf->len
2856  && ((ks->state == S_SENT_KEY && !session->opt->server)
2857  || (ks->state == S_START && session->opt->server)))
2858  {
2859  if (!key_method_2_read(buf, multi, session))
2860  {
2861  goto error;
2862  }
2863 
2864  state_change = true;
2865  dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2866  ks->state = S_GOT_KEY;
2867  }
2868 
2869  /* Write outgoing plaintext to TLS object */
2870  buf = &ks->plaintext_write_buf;
2871  if (buf->len)
2872  {
2873  int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2874  if (status == -1)
2875  {
2876  msg(D_TLS_ERRORS,
2877  "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2878  goto error;
2879  }
2880  if (status == 1)
2881  {
2882  state_change = true;
2883  dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2884  }
2885  }
2886 
2887  /* Outgoing Ciphertext to reliable buffer */
2888  if (ks->state >= S_START)
2889  {
2891  if (buf)
2892  {
2894  if (status == -1)
2895  {
2896  msg(D_TLS_ERRORS,
2897  "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2898  goto error;
2899  }
2900  if (status == 1)
2901  {
2904  state_change = true;
2905  dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2906  }
2907  }
2908  }
2909  }
2910  while (state_change);
2911 
2912  update_time();
2913 
2914  /* Send 1 or more ACKs (each received control packet gets one ACK) */
2915  if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
2916  {
2917  struct buffer buf = ks->ack_write_buf;
2918  ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame)));
2919  write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
2920  RELIABLE_ACK_SIZE, false);
2921  *to_link = buf;
2922  active = true;
2923  dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
2924  }
2925 
2926  /* When should we wake up again? */
2927  {
2928  if (ks->state >= S_INITIAL)
2929  {
2930  compute_earliest_wakeup(wakeup,
2932 
2933  if (ks->must_negotiate)
2934  {
2936  }
2937  }
2938 
2939  if (ks->established && session->opt->renegotiate_seconds)
2940  {
2941  compute_earliest_wakeup(wakeup,
2942  ks->established + session->opt->renegotiate_seconds - now);
2943  }
2944 
2945  /* prevent event-loop spinning by setting minimum wakeup of 1 second */
2946  if (*wakeup <= 0)
2947  {
2948  *wakeup = 1;
2949 
2950  /* if we had something to send to remote, but to_link was busy,
2951  * let caller know we need to be called again soon */
2952  active = true;
2953  }
2954 
2955  dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
2956 
2957  gc_free(&gc);
2958  return active;
2959  }
2960 
2961 error:
2962  tls_clear_error();
2963  ks->state = S_ERROR;
2964  msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
2965  INCR_ERROR;
2966  gc_free(&gc);
2967  return false;
2968 }
2969 
2970 /*
2971  * Called by the top-level event loop.
2972  *
2973  * Basically decides if we should call tls_process for
2974  * the active or untrusted sessions.
2975  */
2976 
2977 int
2979  struct buffer *to_link,
2980  struct link_socket_actual **to_link_addr,
2981  struct link_socket_info *to_link_socket_info,
2982  interval_t *wakeup)
2983 {
2984  struct gc_arena gc = gc_new();
2985  int active = TLSMP_INACTIVE;
2986  bool error = false;
2987 
2989 
2990  tls_clear_error();
2991 
2992  /*
2993  * Process each session object having state of S_INITIAL or greater,
2994  * and which has a defined remote IP addr.
2995  */
2996 
2997  for (int i = 0; i < TM_SIZE; ++i)
2998  {
2999  struct tls_session *session = &multi->session[i];
3000  struct key_state *ks = &session->key[KS_PRIMARY];
3001  struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3002 
3003  /* set initial remote address */
3004  if (i == TM_ACTIVE && ks->state == S_INITIAL
3005  && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3006  {
3007  ks->remote_addr = to_link_socket_info->lsa->actual;
3008  }
3009 
3010  dmsg(D_TLS_DEBUG,
3011  "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3012  i,
3013  state_name(ks->state),
3014  session_id_print(&session->session_id, &gc),
3017 
3019  {
3020  struct link_socket_actual *tla = NULL;
3021 
3022  update_time();
3023 
3024  if (tls_process(multi, session, to_link, &tla,
3025  to_link_socket_info, wakeup))
3026  {
3027  active = TLSMP_ACTIVE;
3028  }
3029 
3030  /*
3031  * If tls_process produced an outgoing packet,
3032  * return the link_socket_actual object (which
3033  * contains the outgoing address).
3034  */
3035  if (tla)
3036  {
3037  multi->to_link_addr = *tla;
3038  *to_link_addr = &multi->to_link_addr;
3039  }
3040 
3041  /*
3042  * If tls_process hits an error:
3043  * (1) If the session has an unexpired lame duck key, preserve it.
3044  * (2) Reinitialize the session.
3045  * (3) Increment soft error count
3046  */
3047  if (ks->state == S_ERROR)
3048  {
3049  ++multi->n_soft_errors;
3050 
3051  if (i == TM_ACTIVE)
3052  {
3053  error = true;
3054  }
3055 
3056  if (i == TM_ACTIVE
3057  && ks_lame->state >= S_ACTIVE
3058  && !multi->opt.single_session)
3059  {
3060  move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3061  }
3062  else
3063  {
3064  reset_session(multi, session);
3065  }
3066  }
3067  }
3068  }
3069 
3070  update_time();
3071 
3073 
3074  /*
3075  * If lame duck session expires, kill it.
3076  */
3077  if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3078  {
3079  tls_session_free(&multi->session[TM_LAME_DUCK], true);
3080  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3081  }
3082 
3083  /*
3084  * If untrusted session achieves TLS authentication,
3085  * move it to active session, usurping any prior session.
3086  *
3087  * A semi-trusted session is one in which the certificate authentication
3088  * succeeded (if cert verification is enabled) but the username/password
3089  * verification failed. A semi-trusted session can forward data on the
3090  * TLS control channel but not on the tunnel channel.
3091  */
3092  if (DECRYPT_KEY_ENABLED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY]))
3093  {
3094  move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true);
3095  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
3096  tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3097  }
3098 
3099  /*
3100  * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3101  * other key state objects are S_ACTIVE or higher.
3102  */
3103  if (error)
3104  {
3105  for (int i = 0; i < (int) SIZE(multi->key_scan); ++i)
3106  {
3107  if (multi->key_scan[i]->state >= S_ACTIVE)
3108  {
3109  goto nohard;
3110  }
3111  }
3112  ++multi->n_hard_errors;
3113  }
3114 nohard:
3115 
3116 #ifdef ENABLE_DEBUG
3117  /* DEBUGGING -- flood peer with repeating connection attempts */
3118  {
3119  const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3120  if (throw_level)
3121  {
3122  for (int i = 0; i < (int) SIZE(multi->key_scan); ++i)
3123  {
3124  if (multi->key_scan[i]->state >= throw_level)
3125  {
3126  ++multi->n_hard_errors;
3127  ++multi->n_soft_errors;
3128  }
3129  }
3130  }
3131  }
3132 #endif
3133 
3134  perf_pop();
3135  gc_free(&gc);
3136 
3137  return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3138 }
3139 
3140 /*
3141  * Pre and post-process the encryption & decryption buffers in order
3142  * to implement a multiplexed TLS channel over the TCP/UDP port.
3143  */
3144 
3145 static inline void
3147  const struct link_socket_actual *from,
3148  struct buffer *buf,
3149  struct crypto_options **opt,
3150  bool floated,
3151  const uint8_t **ad_start)
3152 {
3153  struct gc_arena gc = gc_new();
3154 
3155  uint8_t c = *BPTR(buf);
3156  int op = c >> P_OPCODE_SHIFT;
3157  int key_id = c & P_KEY_ID_MASK;
3158 
3159  /* data channel packet */
3160  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3161  {
3162  struct key_state *ks = multi->key_scan[i];
3163 
3164  /*
3165  * This is the basic test of TLS state compatibility between a local OpenVPN
3166  * instance and its remote peer.
3167  *
3168  * If the test fails, it tells us that we are getting a packet from a source
3169  * which claims reference to a prior negotiated TLS session, but the local
3170  * OpenVPN instance has no memory of such a negotiation.
3171  *
3172  * It almost always occurs on UDP sessions when the passive side of the
3173  * connection is restarted without the active side restarting as well (the
3174  * passive side is the server which only listens for the connections, the
3175  * active side is the client which initiates connections).
3176  */
3177  if (DECRYPT_KEY_ENABLED(multi, ks)
3178  && key_id == ks->key_id
3179  && (ks->authenticated == KS_AUTH_TRUE)
3180  && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3181  {
3183  {
3185  "Key %s [%d] not initialized (yet), dropping packet.",
3186  print_link_socket_actual(from, &gc), key_id);
3187  goto done;
3188  }
3189 
3190  /* return appropriate data channel decrypt key in opt */
3191  *opt = &ks->crypto_options;
3192  if (op == P_DATA_V2)
3193  {
3194  *ad_start = BPTR(buf);
3195  }
3196  ASSERT(buf_advance(buf, 1));
3197  if (op == P_DATA_V1)
3198  {
3199  *ad_start = BPTR(buf);
3200  }
3201  else if (op == P_DATA_V2)
3202  {
3203  if (buf->len < 4)
3204  {
3205  msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3206  print_link_socket_actual(from, &gc));
3207  ++multi->n_soft_errors;
3208  goto done;
3209  }
3210  ASSERT(buf_advance(buf, 3));
3211  }
3212 
3213  ++ks->n_packets;
3214  ks->n_bytes += buf->len;
3216  "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3217  key_id, print_link_socket_actual(from, &gc));
3218  gc_free(&gc);
3219  return;
3220  }
3221  }
3222 
3223  msg(D_TLS_ERRORS,
3224  "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
3225  print_link_socket_actual(from, &gc), key_id);
3226 
3227 done:
3228  tls_clear_error();
3229  buf->len = 0;
3230  *opt = NULL;
3231  gc_free(&gc);
3232 }
3233 
3234 /*
3235  *
3236  * When we are in TLS mode, this is the first routine which sees
3237  * an incoming packet.
3238  *
3239  * If it's a data packet, we set opt so that our caller can
3240  * decrypt it. We also give our caller the appropriate decryption key.
3241  *
3242  * If it's a control packet, we authenticate it and process it,
3243  * possibly creating a new tls_session if it represents the
3244  * first packet of a new session. For control packets, we will
3245  * also zero the size of *buf so that our caller ignores the
3246  * packet on our return.
3247  *
3248  * Note that openvpn only allows one active session at a time,
3249  * so a new session (once authenticated) will always usurp
3250  * an old session.
3251  *
3252  * Return true if input was an authenticated control channel
3253  * packet.
3254  *
3255  * If we are running in TLS thread mode, all public routines
3256  * below this point must be called with the L_TLS lock held.
3257  */
3258 
3259 bool
3261  const struct link_socket_actual *from,
3262  struct buffer *buf,
3263  struct crypto_options **opt,
3264  bool floated,
3265  const uint8_t **ad_start)
3266 {
3267 
3268  if (buf->len <= 0)
3269  {
3270  buf->len = 0;
3271  *opt = NULL;
3272  return false;
3273  }
3274 
3275  struct gc_arena gc = gc_new();
3276  bool ret = false;
3277 
3278  /* get opcode */
3279  uint8_t pkt_firstbyte = *BPTR(buf);
3280  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3281 
3282  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3283  {
3284  handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3285  return false;
3286  }
3287 
3288  /* get key_id */
3289  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3290 
3291  /* control channel packet */
3292  bool do_burst = false;
3293  bool new_link = false;
3294  struct session_id sid; /* remote session ID */
3295 
3296  /* verify legal opcode */
3297  if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3298  {
3301  {
3302  msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3303  }
3304  msg(D_TLS_ERRORS,
3305  "TLS Error: unknown opcode received from %s op=%d",
3306  print_link_socket_actual(from, &gc), op);
3307  goto error;
3308  }
3309 
3310  /* hard reset ? */
3311  if (is_hard_reset_method2(op))
3312  {
3313  /* verify client -> server or server -> client connection */
3314  if (((op == P_CONTROL_HARD_RESET_CLIENT_V2
3315  || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3316  || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3317  {
3318  msg(D_TLS_ERRORS,
3319  "TLS Error: client->client or server->server connection attempted from %s",
3320  print_link_socket_actual(from, &gc));
3321  goto error;
3322  }
3323  }
3324 
3325  /*
3326  * Authenticate Packet
3327  */
3328  dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3330 
3331  /* get remote session-id */
3332  {
3333  struct buffer tmp = *buf;
3334  buf_advance(&tmp, 1);
3335  if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3336  {
3337  msg(D_TLS_ERRORS,
3338  "TLS Error: session-id not found in packet from %s",
3339  print_link_socket_actual(from, &gc));
3340  goto error;
3341  }
3342  }
3343 
3344  int i;
3345  /* use session ID to match up packet with appropriate tls_session object */
3346  for (i = 0; i < TM_SIZE; ++i)
3347  {
3348  struct tls_session *session = &multi->session[i];
3349  struct key_state *ks = &session->key[KS_PRIMARY];
3350 
3351  dmsg(D_TLS_DEBUG,
3352  "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3353  i,
3354  state_name(ks->state),
3355  session_id_print(&session->session_id, &gc),
3356  session_id_print(&sid, &gc),
3357  print_link_socket_actual(from, &gc),
3360 
3361  if (session_id_equal(&ks->session_id_remote, &sid))
3362  /* found a match */
3363  {
3364  if (i == TM_LAME_DUCK)
3365  {
3366  msg(D_TLS_ERRORS,
3367  "TLS ERROR: received control packet with stale session-id=%s",
3368  session_id_print(&sid, &gc));
3369  goto error;
3370  }
3371  dmsg(D_TLS_DEBUG,
3372  "TLS: found match, session[%d], sid=%s",
3373  i, session_id_print(&sid, &gc));
3374  break;
3375  }
3376  }
3377 
3378  /*
3379  * Hard reset and session id does not match any session in
3380  * multi->session: Possible initial packet
3381  */
3382  if (i == TM_SIZE && is_hard_reset_method2(op))
3383  {
3384  struct tls_session *session = &multi->session[TM_ACTIVE];
3385  struct key_state *ks = &session->key[KS_PRIMARY];
3386 
3387  /*
3388  * If we have no session currently in progress, the initial packet will
3389  * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
3390  */
3392  {
3393  if (multi->opt.single_session && multi->n_sessions)
3394  {
3395  msg(D_TLS_ERRORS,
3396  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
3397  print_link_socket_actual(from, &gc));
3398  goto error;
3399  }
3400 
3401 #ifdef ENABLE_MANAGEMENT
3402  if (management)
3403  {
3406  NULL,
3407  NULL,
3408  NULL,
3409  NULL,
3410  NULL);
3411  }
3412 #endif
3413 
3415  "TLS: Initial packet from %s, sid=%s",
3416  print_link_socket_actual(from, &gc),
3417  session_id_print(&sid, &gc));
3418 
3419  do_burst = true;
3420  new_link = true;
3421  i = TM_ACTIVE;
3422  session->untrusted_addr = *from;
3423  }
3424  }
3425 
3426  /*
3427  * If we detected new session in the last if block, variable i has
3428  * changed to TM_ACTIVE, so check the condition again.
3429  */
3430  if (i == TM_SIZE && is_hard_reset_method2(op))
3431  {
3432  /*
3433  * No match with existing sessions,
3434  * probably a new session.
3435  */
3436  struct tls_session *session = &multi->session[TM_UNTRUSTED];
3437 
3438  /*
3439  * If --single-session, don't allow any hard-reset connection request
3440  * unless it the first packet of the session.
3441  */
3442  if (multi->opt.single_session)
3443  {
3444  msg(D_TLS_ERRORS,
3445  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
3446  print_link_socket_actual(from, &gc));
3447  goto error;
3448  }
3449 
3450  if (!read_control_auth(buf, &session->tls_wrap, from,
3451  session->opt))
3452  {
3453  goto error;
3454  }
3455 
3456  /*
3457  * New session-initiating control packet is authenticated at this point,
3458  * assuming that the --tls-auth command line option was used.
3459  *
3460  * Without --tls-auth, we leave authentication entirely up to TLS.
3461  */
3463  "TLS: new session incoming connection from %s",
3464  print_link_socket_actual(from, &gc));
3465 
3466  new_link = true;
3467  i = TM_UNTRUSTED;
3468  session->untrusted_addr = *from;
3469  }
3470  else
3471  {
3472  struct tls_session *session = &multi->session[i];
3473  struct key_state *ks = &session->key[KS_PRIMARY];
3474 
3475  /*
3476  * Packet must belong to an existing session.
3477  */
3478  if (i != TM_ACTIVE && i != TM_UNTRUSTED)
3479  {
3480  msg(D_TLS_ERRORS,
3481  "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3482  print_link_socket_actual(from, &gc),
3483  i,
3484  packet_opcode_name(op));
3485  goto error;
3486  }
3487 
3488  /*
3489  * Verify remote IP address
3490  */
3491  if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3492  {
3493  msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3494  print_link_socket_actual(from, &gc));
3495  goto error;
3496  }
3497 
3498  /*
3499  * Remote is requesting a key renegotiation
3500  */
3501  if (op == P_CONTROL_SOFT_RESET_V1
3502  && DECRYPT_KEY_ENABLED(multi, ks))
3503  {
3504  if (!read_control_auth(buf, &session->tls_wrap, from,
3505  session->opt))
3506  {
3507  goto error;
3508  }
3509 
3510  key_state_soft_reset(session);
3511 
3512  dmsg(D_TLS_DEBUG,
3513  "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3514  i, session_id_print(&sid, &gc));
3515  }
3516  else
3517  {
3518  /*
3519  * Remote responding to our key renegotiation request?
3520  */
3521  if (op == P_CONTROL_SOFT_RESET_V1)
3522  {
3523  do_burst = true;
3524  }
3525 
3526  if (!read_control_auth(buf, &session->tls_wrap, from,
3527  session->opt))
3528  {
3529  goto error;
3530  }
3531 
3532  dmsg(D_TLS_DEBUG,
3533  "TLS: received control channel packet s#=%d sid=%s",
3534  i, session_id_print(&sid, &gc));
3535  }
3536  }
3537 
3538  /*
3539  * We have an authenticated control channel packet (if --tls-auth was set).
3540  * Now pass to our reliability layer which deals with
3541  * packet acknowledgements, retransmits, sequencing, etc.
3542  */
3543  struct tls_session *session = &multi->session[i];
3544  struct key_state *ks = &session->key[KS_PRIMARY];
3545 
3546  /* Make sure we were initialized and that we're not in an error state */
3547  ASSERT(ks->state != S_UNDEF);
3548  ASSERT(ks->state != S_ERROR);
3549  ASSERT(session_id_defined(&session->session_id));
3550 
3551  /* Let our caller know we processed a control channel packet */
3552  ret = true;
3553 
3554  /*
3555  * Set our remote address and remote session_id
3556  */
3557  if (new_link)
3558  {
3559  ks->session_id_remote = sid;
3560  ks->remote_addr = *from;
3561  ++multi->n_sessions;
3562  }
3563  else if (!link_socket_actual_match(&ks->remote_addr, from))
3564  {
3565  msg(D_TLS_ERRORS,
3566  "TLS Error: Existing session control channel packet from unknown IP address: %s",
3567  print_link_socket_actual(from, &gc));
3568  goto error;
3569  }
3570 
3571  /*
3572  * Should we do a retransmit of all unacknowledged packets in
3573  * the send buffer? This improves the start-up efficiency of the
3574  * initial key negotiation after the 2nd peer comes online.
3575  */
3576  if (do_burst && !session->burst)
3577  {
3579  session->burst = true;
3580  }
3581 
3582  /* Check key_id */
3583  if (ks->key_id != key_id)
3584  {
3585  msg(D_TLS_ERRORS,
3586  "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3587  ks->key_id, key_id, print_key_id(multi, &gc));
3588  goto error;
3589  }
3590 
3591  /*
3592  * Process incoming ACKs for packets we can now
3593  * delete from reliable send buffer
3594  */
3595  {
3596  /* buffers all packet IDs to delete from send_reliable */
3597  struct reliable_ack send_ack;
3598 
3599  send_ack.len = 0;
3600  if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3601  {
3602  msg(D_TLS_ERRORS,
3603  "TLS Error: reading acknowledgement record from packet");
3604  goto error;
3605  }
3606  reliable_send_purge(ks->send_reliable, &send_ack);
3607  }
3608 
3609  if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3610  {
3611  packet_id_type id;
3612 
3613  /* Extract the packet ID from the packet */
3614  if (reliable_ack_read_packet_id(buf, &id))
3615  {
3616  /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3618  {
3619  if (reliable_not_replay(ks->rec_reliable, id))
3620  {
3621  /* Save incoming ciphertext packet to reliable buffer */
3622  struct buffer *in = reliable_get_buf(ks->rec_reliable);
3623  ASSERT(in);
3624  if (!buf_copy(in, buf))
3625  {
3627  "Incoming control channel packet too big, dropping.");
3628  goto error;
3629  }
3631  }
3632 
3633  /* Process outgoing acknowledgment for packet just received, even if it's a replay */
3635  }
3636  }
3637  }
3638 
3639 done:
3640  buf->len = 0;
3641  *opt = NULL;
3642  gc_free(&gc);
3643  return ret;
3644 
3645 error:
3646  ++multi->n_soft_errors;
3647  tls_clear_error();
3648  goto done;
3649 }
3650 
3651 /*
3652  * This function is similar to tls_pre_decrypt, except it is called
3653  * when we are in server mode and receive an initial incoming
3654  * packet. Note that we don't modify
3655  * any state in our parameter objects. The purpose is solely to
3656  * determine whether we should generate a client instance
3657  * object, in which case true is returned.
3658  *
3659  * This function is essentially the first-line HMAC firewall
3660  * on the UDP port listener in --mode server mode.
3661  */
3662 bool
3664  const struct link_socket_actual *from,
3665  const struct buffer *buf)
3666 
3667 {
3668  if (buf->len <= 0)
3669  {
3670  return false;
3671  }
3672  struct gc_arena gc = gc_new();
3673 
3674  /* get opcode and key ID */
3675  uint8_t pkt_firstbyte = *BPTR(buf);
3676  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3677  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3678 
3679  /* this packet is from an as-yet untrusted source, so
3680  * scrutinize carefully */
3681 
3684  {
3685  /*
3686  * This can occur due to bogus data or DoS packets.
3687  */
3689  "TLS State Error: No TLS state for client %s, opcode=%d",
3690  print_link_socket_actual(from, &gc),
3691  op);
3692  goto error;
3693  }
3694 
3695  if (key_id != 0)
3696  {
3698  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
3699  key_id,
3700  print_link_socket_actual(from, &gc));
3701  goto error;
3702  }
3703 
3704  if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame))
3705  {
3707  "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
3708  buf->len,
3709  print_link_socket_actual(from, &gc),
3710  EXPANDED_SIZE_DYNAMIC(&tas->frame));
3711  goto error;
3712  }
3713 
3714 
3715  struct buffer newbuf = clone_buf(buf);
3716  struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;
3717 
3718  /* HMAC test, if --tls-auth was specified */
3719  bool status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL);
3720  free_buf(&newbuf);
3721  free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata);
3722  if (tls_wrap_tmp.cleanup_key_ctx)
3723  {
3724  free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi);
3725  }
3726  if (!status)
3727  {
3728  goto error;
3729  }
3730 
3731  /*
3732  * At this point, if --tls-auth is being used, we know that
3733  * the packet has passed the HMAC test, but we don't know if
3734  * it is a replay yet. We will attempt to defeat replays
3735  * by not advancing to the S_START state until we
3736  * receive an ACK from our first reply to the client
3737  * that includes an HMAC of our randomly generated 64 bit
3738  * session ID.
3739  *
3740  * On the other hand if --tls-auth is not being used, we
3741  * will proceed to begin the TLS authentication
3742  * handshake with only cursory integrity checks having
3743  * been performed, since we will be leaving the task
3744  * of authentication solely up to TLS.
3745  */
3746  gc_free(&gc);
3747  return true;
3748 
3749 error:
3750  tls_clear_error();
3751  gc_free(&gc);
3752  return false;
3753 }
3754 
3755 /* Choose the key with which to encrypt a data packet */
3756 void
3758  struct buffer *buf, struct crypto_options **opt)
3759 {
3760  multi->save_ks = NULL;
3761  if (buf->len <= 0)
3762  {
3763  buf->len = 0;
3764  *opt = NULL;
3765  return;
3766  }
3767 
3768  struct key_state *ks_select = NULL;
3769  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3770  {
3771  struct key_state *ks = multi->key_scan[i];
3772  if (ks->state >= S_ACTIVE
3773  && (ks->authenticated == KS_AUTH_TRUE)
3775  )
3776  {
3777  if (!ks_select)
3778  {
3779  ks_select = ks;
3780  }
3781  if (now >= ks->auth_deferred_expire)
3782  {
3783  ks_select = ks;
3784  break;
3785  }
3786  }
3787  }
3788 
3789  if (ks_select)
3790  {
3791  *opt = &ks_select->crypto_options;
3792  multi->save_ks = ks_select;
3793  dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3794  return;
3795  }
3796  else
3797  {
3798  struct gc_arena gc = gc_new();
3799  dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3800  print_key_id(multi, &gc));
3801  gc_free(&gc);
3802 
3803  *opt = NULL;
3804  buf->len = 0;
3805  }
3806 }
3807 
3808 void
3809 tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3810 {
3811  struct key_state *ks = multi->save_ks;
3812  uint8_t op;
3813 
3814  msg(D_TLS_DEBUG, __func__);
3815 
3816  ASSERT(ks);
3817 
3818  op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
3819  ASSERT(buf_write_prepend(buf, &op, 1));
3820 }
3821 
3822 void
3823 tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
3824 {
3825  struct key_state *ks = multi->save_ks;
3826  uint32_t peer;
3827 
3828  msg(D_TLS_DEBUG, __func__);
3829 
3830  ASSERT(ks);
3831 
3832  peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
3833  | (multi->peer_id & 0xFFFFFF));
3834  ASSERT(buf_write_prepend(buf, &peer, 4));
3835 }
3836 
3837 void
3838 tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
3839 {
3840  struct key_state *ks = multi->save_ks;
3841  multi->save_ks = NULL;
3842 
3843  if (buf->len > 0)
3844  {
3845  ASSERT(ks);
3846 
3847  ++ks->n_packets;
3848  ks->n_bytes += buf->len;
3849  }
3850 }
3851 
3852 /*
3853  * Send a payload over the TLS control channel.
3854  * Called externally.
3855  */
3856 
3857 bool
3859  const uint8_t *data,
3860  int size)
3861 {
3862  struct tls_session *session;
3863  struct key_state *ks;
3864  bool ret = false;
3865 
3866  tls_clear_error();
3867 
3868  ASSERT(multi);
3869 
3870  session = &multi->session[TM_ACTIVE];
3871  ks = &session->key[KS_PRIMARY];
3872 
3873  if (ks->state >= S_ACTIVE)
3874  {
3875  if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
3876  {
3877  ret = true;
3878  }
3879  }
3880  else
3881  {
3882  if (!ks->paybuf)
3883  {
3884  ks->paybuf = buffer_list_new(0);
3885  }
3886  buffer_list_push_data(ks->paybuf, data, (size_t)size);
3887  ret = true;
3888  }
3889 
3890 
3891  tls_clear_error();
3892 
3893  return ret;
3894 }
3895 
3896 bool
3898  struct buffer *buf)
3899 {
3900  struct tls_session *session;
3901  struct key_state *ks;
3902  bool ret = false;
3903 
3904  tls_clear_error();
3905 
3906  ASSERT(multi);
3907 
3908  session = &multi->session[TM_ACTIVE];
3909  ks = &session->key[KS_PRIMARY];
3910 
3911  if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
3912  {
3913  if (buf_copy(buf, &ks->plaintext_read_buf))
3914  {
3915  ret = true;
3916  }
3917  ks->plaintext_read_buf.len = 0;
3918  }
3919 
3920  tls_clear_error();
3921 
3922  return ret;
3923 }
3924 
3925 void
3926 tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
3927 {
3928  struct gc_arena gc = gc_new();
3929  for (int i = 0; i < TM_SIZE; ++i)
3930  {
3931  struct tls_session *session = &multi->session[i];
3932 
3933  for (int j = 0; j < KS_SIZE; ++j)
3934  {
3935  struct key_state *ks = &session->key[j];
3936 
3938  || link_socket_actual_match(addr, &ks->remote_addr))
3939  {
3940  continue;
3941  }
3942 
3943  dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
3945  print_link_socket_actual(addr, &gc));
3946 
3947  ks->remote_addr = *addr;
3948  }
3949  }
3950  gc_free(&gc);
3951 }
3952 
3953 void
3954 show_available_tls_ciphers(const char *cipher_list,
3955  const char *cipher_list_tls13,
3956  const char *tls_cert_profile)
3957 {
3958  printf("Available TLS Ciphers, listed in order of preference:\n");
3959 
3960  if (tls_version_max() >= TLS_VER_1_3)
3961  {
3962  printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
3963  show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
3964  }
3965 
3966  printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
3967  show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
3968 
3969  printf("\n"
3970  "Be aware that that whether a cipher suite in this list can actually work\n"
3971  "depends on the specific setup of both peers. See the man page entries of\n"
3972  "--tls-cipher and --show-tls for more details.\n\n"
3973  );
3974 }
3975 
3976 /*
3977  * Dump a human-readable rendition of an openvpn packet
3978  * into a garbage collectable string which is returned.
3979  */
3980 const char *
3981 protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
3982 {
3983  struct buffer out = alloc_buf_gc(256, gc);
3984  struct buffer buf = *buffer;
3985 
3986  uint8_t c;
3987  int op;
3988  int key_id;
3989 
3990  int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
3991 
3992  if (buf.len <= 0)
3993  {
3994  buf_printf(&out, "DATA UNDEF len=%d", buf.len);
3995  goto done;
3996  }
3997 
3998  if (!(flags & PD_TLS))
3999  {
4000  goto print_data;
4001  }
4002 
4003  /*
4004  * Initial byte (opcode)
4005  */
4006  if (!buf_read(&buf, &c, sizeof(c)))
4007  {
4008  goto done;
4009  }
4010  op = (c >> P_OPCODE_SHIFT);
4011  key_id = c & P_KEY_ID_MASK;
4012  buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4013 
4014  if ((op == P_DATA_V1) || (op == P_DATA_V2))
4015  {
4016  goto print_data;
4017  }
4018 
4019  /*
4020  * Session ID
4021  */
4022  {
4023  struct session_id sid;
4024 
4025  if (!session_id_read(&sid, &buf))
4026  {
4027  goto done;
4028  }
4029  if (flags & PD_VERBOSE)
4030  {
4031  buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4032  }
4033  }
4034 
4035  /*
4036  * tls-auth hmac + packet_id
4037  */
4038  if (tls_auth_hmac_size)
4039  {
4040  struct packet_id_net pin;
4041  uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4042 
4043  ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4044 
4045  if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4046  {
4047  goto done;
4048  }
4049  if (flags & PD_VERBOSE)
4050  {
4051  buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4052  }
4053 
4054  if (!packet_id_read(&pin, &buf, true))
4055  {
4056  goto done;
4057  }
4058  buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4059  }
4060 
4061  /*
4062  * ACK list
4063  */
4064  buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4065 
4066  if (op == P_ACK_V1)
4067  {
4068  goto done;
4069  }
4070 
4071  /*
4072  * Packet ID
4073  */
4074  {
4075  packet_id_type l;
4076  if (!buf_read(&buf, &l, sizeof(l)))
4077  {
4078  goto done;
4079  }
4080  l = ntohpid(l);
4082  }
4083 
4084 print_data:
4085  if (flags & PD_SHOW_DATA)
4086  {
4087  buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4088  }
4089  else
4090  {
4091  buf_printf(&out, " DATA len=%d", buf.len);
4092  }
4093 
4094 done:
4095  return BSTR(&out);
4096 }
4097 
4098 void
4100 {
4101  auth_user_pass.wait_for_push = false;
4103 }
static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame)
Definition: ssl.c:313
struct reliable * rec_reliable
Definition: ssl_common.h:207
#define TLSMP_ACTIVE
Definition: ssl.h:238
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3780
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure.
Definition: reliable.c:327
static const char * packet_opcode_name(int op)
Definition: ssl.c:767
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
void options_warning(char *actual, const char *expected)
Definition: options.c:3905
const char * ecdh_curve
Definition: options.h:545
struct key_type key_type
Definition: ssl_common.h:260
#define EXPANDED_SIZE_DYNAMIC(f)
Definition: mtu.h:173
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl.h:55
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition: ssl.c:829
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
Security parameter state for processing data channel packets.
Definition: crypto.h:232
struct key_state_ssl ks_ssl
Definition: ssl_common.h:188
#define D_TLS_KEYSELECT
Definition: errlevel.h:143
const char * management_certificate
Definition: options.h:393
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:514
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:472
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition: ssl.c:1179
bool tun_mtu_defined
Definition: options.h:108
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:241
unsigned int management_flags
Definition: options.h:392
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
struct key_state key[KS_SIZE]
Definition: ssl_common.h:452
#define TLSMP_INACTIVE
Definition: ssl.h:237
const char * crl_file
Definition: ssl_common.h:292
struct buffer plaintext_read_buf
Definition: ssl_common.h:202
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:534
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1287
bool tls_crypt_v2
Definition: ssl_common.h:316
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:357
void free_buf(struct buffer *buf)
Definition: buffer.c:185
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:490
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
const char * cipher_list
Definition: options.h:541
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition: ssl.c:2123
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:526
#define TLS_MULTI_AUTH_STATUS_INTERVAL
Definition: ssl.h:95
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:890
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition: ssl_common.h:85
static const char * session_index_name(int index)
Definition: ssl.c:807
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:506
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition: session_id.h:48
#define D_TLS_DEBUG
Definition: errlevel.h:162
#define USER_PASS_LEN
Definition: misc.h:73
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:245
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:113
static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition: ssl.c:283
const char * cert_file
Definition: options.h:533
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:3899
const char * tls_cert_profile
Definition: options.h:544
#define GET_USER_PASS_STATIC_CHALLENGE
Definition: misc.h:122
#define streq(x, y)
Definition: options.h:653
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:136
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
#define TLS_OPTIONS_LEN
Definition: ssl.h:102
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:698
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1985
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
Packet geometry parameters.
Definition: mtu.h:93
struct key_state * save_ks
Definition: ssl_common.h:526
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:972
static void key_state_soft_reset(struct tls_session *session)
Definition: ssl.c:2094
enum ks_auth_state authenticated
Definition: ssl_common.h:218
const char * ca_path
Definition: options.h:530
struct tls_options * opt
Definition: ssl_common.h:417
time_t must_negotiate
Definition: ssl_common.h:191
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:355
char * peer_info
Definition: ssl_common.h:564
const char * ca_file
Definition: options.h:528
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2905
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition: reliable.h:46
bool extra_certs_file_inline
Definition: options.h:536
bool cert_file_inline
Definition: options.h:534
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:257
bool verified
Definition: ssl_common.h:447
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:1071
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3838
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
#define dmsg
Definition: error.h:174
const char * auth_user_pass_verify_script
Definition: ssl_common.h:325
const char * priv_key_file
Definition: options.h:537
void session_id_random(struct session_id *sid)
Definition: session_id.c:51
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:509
#define D_TLS_ERRORS
Definition: errlevel.h:59
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Definition: ssl.c:3146
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2606
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user&#39;s password.
Definition: ssl.c:369
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:915
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1952
#define SID_SIZE
Definition: session_id.h:45
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1312
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
const char * auth_user_pass_file
Definition: ssl_common.h:328
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
struct reliable_ack * rec_ack
Definition: ssl_common.h:208
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
const char * config_ncp_ciphers
Definition: ssl_common.h:313
int handshake_window
Definition: ssl_common.h:281
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:240
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:3926
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition: ssl_common.h:77
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition: ssl.c:845
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:441
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition: ssl.c:1196
#define packet_id_format
Definition: packet_id.h:95
static void perf_pop(void)
Definition: perf.h:82
Key state is authenticated.
Definition: ssl_common.h:153
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static bool read_string(struct buffer *buf, char *str, const unsigned int capacity)
Definition: ssl.c:2142
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3823
static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl.c:1478
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:101
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
bool defined
Definition: misc.h:65
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:106
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1449
int cipher_kt_iv_size(const cipher_kt_t *cipher_kt)
Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.
bool cipher_kt_insecure(const cipher_kt_t *cipher)
Returns true if we consider this cipher to be insecure.
void key_state_export_keying_material(struct key_state_ssl *ks_ssl, struct tls_session *session) __attribute__((nonnull))
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:162
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition: ssl.c:3981
const char * cryptoapi_cert
Definition: options.h:571
#define TLS_VER_1_1
Definition: ssl_backend.h:115
static void flush_payload_buffer(struct key_state *ks)
Definition: ssl.c:2074
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:301
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition: reliable.c:473
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2179
#define DECRYPT_KEY_ENABLED(multi, ks)
Check whether the ks key_state is ready to receive data channel packets.
Definition: ssl_verify.h:89
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1967
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:161
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:112
#define ASSERT(x)
Definition: error.h:221
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:117
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:123
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:91
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:933
#define OPENVPN_STATE_AUTH
Definition: manage.h:504
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:306
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3663
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:597
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2250
static struct user_pass auth_user_pass
Definition: ssl.c:388
void ssl_set_auth_token(const char *token)
Definition: ssl.c:445
const char * config_ciphername
Definition: ssl_common.h:312
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1911
const char * pkcs12_file
Definition: options.h:539
struct reliable * send_reliable
Definition: ssl_common.h:206
int renegotiate_bytes
Definition: ssl_common.h:283
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:356
bool link_mtu_defined
Definition: options.h:112
char username[USER_PASS_LEN]
Definition: misc.h:75
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:155
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
#define MODE_SERVER
Definition: options.h:205
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3757
bool use_peer_id
Definition: ssl_common.h:590
bool initialized
Definition: crypto.h:225
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:126
#define TLS_VER_1_2
Definition: ssl_backend.h:116
struct link_socket_actual to_link_addr
Definition: ssl_common.h:532
#define OPENVPN_AEAD_MIN_IV_LEN
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV...
Definition: crypto.h:268
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition: reliable.c:696
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:533
#define SWAP_BUF_SIZE
Definition: ssl.c:1359
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition: ssl_common.h:101
const char * ncp_ciphers
Definition: options.h:509
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:246
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition: reliable.h:465
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:102
struct key_state * key_scan[KEY_SCAN_SIZE]
List of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:517
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition: packet_id.c:391
void prng_uninit(void)
Definition: crypto.c:1738
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1264
static char * auth_challenge
Definition: ssl.c:392
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2007
uint8_t id[8]
Definition: session_id.h:40
struct link_socket_actual remote_addr
Definition: ssl_common.h:196
bool nocache
Definition: misc.h:66
#define CLEAR(x)
Definition: basic.h:33
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4078
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:213
#define BUF_SIZE(f)
Definition: mtu.h:194
static bool write_empty_string(struct buffer *buf)
Definition: ssl.c:2113
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:588
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:2051
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:233
bool crl_file_inline
Definition: options.h:551
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2730
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition: ssl.c:1143
#define KEY_SCAN_SIZE
Definition: ssl_common.h:494
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:126
#define OPENVPN_STATE_WAIT
Definition: manage.h:503
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:123
interval_t packet_timeout
Definition: ssl_common.h:282
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3809
#define S_ERROR
Error state.
Definition: ssl_common.h:76
int tun_mtu
Definition: options.h:107
static void tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen)
Definition: ssl.c:1693
interval_t renegotiate_seconds
Definition: ssl_common.h:285
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:394
struct env_item * list
Definition: env_set.h:44
#define P_KEY_ID_MASK
Definition: ssl.h:50
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:144
unsigned int packet_id_print_type
Definition: packet_id.h:96
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1912
struct session_id session_id_remote
Definition: ssl_common.h:195
const char * iana_name
Definition: ssl_backend.h:62
static bool tls_session_generate_data_channel_keys(struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition: ssl.c:1878
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition: packet_id.h:311
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define counter_format
Definition: common.h:39
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:119
bool ca_file_inline
Definition: options.h:529
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:390
Key state is not authenticated.
Definition: ssl_common.h:150
bool single_session
Definition: ssl_common.h:275
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
void reliable_ack_adjust_frame_parameters(struct frame *frame, int max)
Definition: reliable.c:258
void key_state_rm_auth_control_file(struct key_state *ks)
Remove the given key state&#39;s auth control file, if it exists.
#define malloc
Definition: cmocka.c:1795
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl.h:64
const char * authname
Definition: options.h:510
#define S_START
Three-way handshake is complete, start of key exchange.
Definition: ssl_common.h:90
#define INCR_SUCCESS
Definition: ssl.c:91
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:343
time_t established
Definition: ssl_common.h:190
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:3954
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
#define TM_UNTRUSTED
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:473
struct crypto_options crypto_options
Definition: ssl_common.h:198
#define P_LAST_OPCODE
Definition: ssl.h:73
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1223
char * locked_cn
Definition: ssl_common.h:546
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID is not a replay.
Definition: reliable.c:426
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition: reliable.c:490
void free_ssl_lib(void)
Definition: ssl.c:344
static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. ...
Definition: ssl.c:1854
int extra_link
Maximum number of bytes in excess of external network interface&#39;s MTU that might be read from or writ...
Definition: mtu.h:122
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define ntohpid(x)
Definition: packet_id.h:64
const struct static_challenge_info * sci
Definition: ssl_common.h:371
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition: reliable.c:265
int n_hard_errors
Definition: ssl_common.h:540
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:815
int transition_window
Definition: ssl_common.h:280
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:408
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
static struct user_pass passbuf
Definition: ssl.c:357
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition: ssl.h:84
bool xmit_hold
Definition: ssl_common.h:266
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:115
unsigned __int32 uint32_t
Definition: config-msvc.h:157
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags...
Definition: auth_token.c:390
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:131
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake...
Definition: ssl_common.h:80
unsigned int flags
Definition: route.h:153
int keysize
Definition: options.h:511
#define INCR_ERROR
Definition: ssl.c:92
const char * ciphername
Definition: options.h:505
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below...
Definition: ssl_openssl.c:442
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
void pem_password_setup(const char *auth_file)
Definition: ssl.c:360
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition: reliable.c:627
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:465
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Definition: ssl.c:1362
int key_id
The current active key id, used to keep track of renegotiations.
Definition: ssl_common.h:433
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:699
static struct user_pass auth_token
Definition: ssl.c:389
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
bool ncp_enabled
Definition: ssl_common.h:314
#define P_CONTROL_V1
Definition: ssl.h:57
#define OPENVPN_PLUGIN_TLS_FINAL
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:1168
struct buffer_list * paybuf
Definition: ssl_common.h:210
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition: reliable.h:151
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher...
Definition: ssl_openssl.c:504
#define TLS_RELIABLE_N_REC_BUFFERS
Definition: ssl.h:85
void tls_adjust_frame_parameters(struct frame *frame)
Definition: ssl.c:303
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
const char * extra_certs_file
Definition: options.h:535
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:108
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:2029
int replay_window
Definition: ssl_common.h:308
static SERVICE_STATUS status
Definition: automatic.c:43
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:871
void set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
Definition: misc.c:510
unsigned int ssl_flags
Definition: options.h:558
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:243
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl.h:63
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:548
struct tls_wrap_ctx tls_wrap
Definition: ssl.h:139
void ssl_set_auth_nocache(void)
Definition: ssl.c:433
int hmac_ctx_size(const hmac_ctx_t *ctx)
struct tls_wrap_ctx tls_wrap
Definition: ssl_common.h:423
#define PERF_TLS_MULTI_PROCESS
Definition: perf.h:42
struct tls_options opt
Definition: ssl_common.h:515
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
int n_soft_errors
Definition: ssl_common.h:541
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:682
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
const char * challenge_text
Definition: misc.h:102
const struct plugin_list * plugins
Definition: ssl_common.h:344
struct buffer plaintext_write_buf
Definition: ssl_common.h:203
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
struct link_socket_actual untrusted_addr
Definition: ssl_common.h:450
#define msg
Definition: error.h:173
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
#define S_GOT_KEY
Local OpenVPN process has received the remote&#39;s part of the key material.
Definition: ssl_common.h:96
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:522
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define PAYLOAD_SIZE_DYNAMIC(f)
Definition: mtu.h:166
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:908
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition: ssl.h:573
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:592
#define INCR_SENT
Definition: ssl.c:89
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:3897
static void key_source2_print(const struct key_source2 *k)
Definition: ssl.c:1592
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1299
struct connection_entry ce
Definition: options.h:230
#define SC_ECHO
Definition: misc.h:99
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1683
static void openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition: ssl.c:1727
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name...
Definition: ssl_backend.h:62
struct packet_id_send send
Definition: packet_id.h:207
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
bool wait_for_push
Definition: misc.h:67
const char * local_options
Definition: ssl_common.h:270
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:477
#define TLS_VER_1_0
Definition: ssl_backend.h:114
#define TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:69
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
struct key_source client
Random provided by client.
Definition: ssl_common.h:137
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:328
#define TLS_VER_1_3
Definition: ssl_backend.h:117
const char * tls_groups
Definition: options.h:543
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:299
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:986
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:618
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:2111
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:504
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition: ssl.c:1020
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition: ssl_openssl.c:567
#define P_DATA_V1
Definition: ssl.h:59
static void tls1_P_hash(const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen)
Definition: ssl.c:1610
#define CONTROL_SEND_ACK_MAX
Definition: ssl.h:79
#define BLEN(buf)
Definition: buffer.h:127
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:937
time_t auth_deferred_expire
Definition: ssl_common.h:219
struct key_source server
Random provided by server.
Definition: ssl_common.h:138
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition: ssl.c:1052
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID can safely be stored in the reliable structure&#39;s processing window...
Definition: reliable.c:453
void init_ssl_lib(void)
Definition: ssl.c:336
bool pkcs12_file_inline
Definition: options.h:540
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin, or the management interface.
Definition: ssl_verify.c:1265
#define P_OPCODE_SHIFT
Definition: ssl.h:51
unsigned char md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct buffer * reliable_get_buf_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition: reliable.c:526
void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
Definition: ssl.c:396
struct frame frame
Definition: ssl.h:140
#define D_HANDSHAKE
Definition: errlevel.h:72
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:134
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:186
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition: misc.h:121
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:656
#define D_SHOW_KEY_SOURCE
Definition: errlevel.h:119
#define TLSMP_KILL
Definition: ssl.h:239
unsigned __int8 uint8_t
Definition: config-msvc.h:159
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition: reliable.c:570
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid)
Remove an entry from a reliable structure.
Definition: reliable.c:723
struct session_id session_id
Definition: ssl_common.h:426
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Definition: misc.c:156
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3260
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1072
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:489
enum tls_wrap_ctx::@11 mode
Control channel wrapping mode.
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:91
static bool buf_write_u32(struct buffer *dest, int data)
Definition: buffer.h:727
void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags)
Definition: mtu.c:87
unsigned int flags
Definition: misc.h:100
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
static char * read_string_alloc(struct buffer *buf)
Definition: ssl.c:2158
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:901
bool ssl_clean_auth_token(void)
Definition: ssl.c:454
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition: ssl.c:960
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:391
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl.h:56
struct key_source2 * key_src
Definition: ssl_common.h:200
int initial_opcode
Definition: ssl_common.h:425
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
void delayed_auth_pass_purge(void)
Definition: ssl.c:4099
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:414
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition: ssl_common.h:93
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:328
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition: misc.c:745
static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl.c:1416
Definition: misc.h:63
int renegotiate_packets
Definition: ssl_common.h:284
int push_peer_info_detail
Definition: ssl_common.h:279
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
int initial_opcode
Definition: ssl_common.h:194
bool disable_occ
Definition: ssl_common.h:276
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition: reliable.c:123
struct frame frame
Definition: ssl_common.h:322
#define KEY_METHOD_2
Definition: ssl.h:123
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1245
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
bool crl_file_inline
Definition: ssl_common.h:293
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3858
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context...
Definition: ssl_openssl.c:763
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
static bool key_method_2_write(struct buffer *buf, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition: ssl.c:2300
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:654
void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu)
Definition: mtu.c:56
const char * cipher_list_tls13
Definition: options.h:542
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition: reliable.c:542
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2746
char * locked_username
Definition: ssl_common.h:547
char * common_name
Definition: ssl_common.h:439
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition: reliable.c:309
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
void crypto_uninit_lib(void)
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
int link_mtu
Maximum packet size to be sent over the external network interface.
Definition: mtu.h:94
#define D_TLS_DEBUG_MED
Definition: errlevel.h:154
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:476
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
uint32_t peer_id
Definition: ssl_common.h:589
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:2014
static void frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement)
Definition: mtu.h:280
uint32_t packet_id_type
Definition: packet_id.h:49
#define PD_VERBOSE
Definition: ssl.h:576
static const char * state_name(int state)
Definition: ssl.c:733
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:77
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
static bool generate_key_expansion(struct key_ctx_bi *key, const struct key_type *key_type, const struct key_source2 *key_src, const struct session_id *client_sid, const struct session_id *server_sid, bool server)
Definition: ssl.c:1773
#define M_WARN
Definition: error.h:96
void tls_clear_error(void)
Clear the underlying SSL library&#39;s error state.
Definition: ssl_openssl.c:102
void ssl_purge_auth_challenge(void)
Definition: ssl.c:483
static int min_int(int x, int y)
Definition: integer.h:57
#define PACKAGE_VERSION
Definition: config.h:742
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:580
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition: reliable.c:407
#define free
Definition: cmocka.c:1850
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1503
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation...
Definition: ssl_openssl.c:225
#define PD_TLS
Definition: ssl.h:575
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl.h:54
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1063
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition: reliable.c:158
const char * openssl_name
Definition: ssl_backend.h:62
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:886
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1469
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:234
#define FULL_SYNC
Definition: ssl.c:2086
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
int interval_t
Definition: common.h:45
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
static void key_source_print(const struct key_source *k, const char *prefix)
Definition: ssl.c:1566
counter_type n_bytes
Definition: ssl_common.h:212
struct buffer ack_write_buf
Definition: ssl_common.h:204
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition: session_id.c:57
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]
The implicit part of the IV.
Definition: crypto.h:168
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt)
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:1999
static const tls_cipher_name_pair tls_cipher_name_translation_table[]
SSL/TLS Cipher suite name translation table.
Definition: ssl.c:99
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition: ssl.c:880
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2040
#define BSTR(buf)
Definition: buffer.h:129
static bool auth_user_pass_enabled
Definition: ssl.c:387
hmac_ctx_t * hmac_ctx_new(void)
#define TUN_LINK_DELTA(f)
Definition: mtu.h:151
#define KEY_METHOD_MASK
Definition: ssl.h:126
const char * dh_file
Definition: options.h:531
time_t must_die
Definition: ssl_common.h:192
#define KEY_EXPANSION_ID
Definition: ssl.h:47
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition: ssl.c:1115
char password[USER_PASS_LEN]
Definition: misc.h:76
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl.h:67
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:117
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1441
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition: ssl.c:1991
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1531
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition: reliable.c:664
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
static void update_time(void)
Definition: otime.h:93
bool replay
Definition: options.h:515
static int auth_deferred_expire_window(const struct tls_options *o)
Definition: ssl.c:2584
char * dest
Definition: compat-lz4.h:431
counter_type n_packets
Definition: ssl_common.h:213
bool dh_file_inline
Definition: options.h:532
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:1004
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:78
#define MF_EXTERNAL_CERT
Definition: manage.h:355
void buffer_list_pop(struct buffer_list *ol)
Definition: buffer.c:1348
#define P_ACK_V1
Definition: ssl.h:58
void hmac_ctx_free(hmac_ctx_t *ctx)
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1283
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:242
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition: ssl.c:545
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition: buffer.c:1256
#define MF_EXTERNAL_KEY
Definition: manage.h:349
const char * remote_options
Definition: ssl_common.h:271
#define P_DATA_V2
Definition: ssl.h:60
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl.c:257
int replay_time
Definition: ssl_common.h:309
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition: reliable.c:608
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition: reliable.c:355
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
void crypto_init_lib(void)
unsigned int ssl_flags
Definition: ssl_common.h:362
struct _stat platform_stat_t
Definition: platform.h:141
#define PD_SHOW_DATA
Definition: ssl.h:574
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:120
void hmac_ctx_reset(hmac_ctx_t *ctx)
struct env_set * es
Definition: ssl_common.h:342
bool priv_key_file_inline
Definition: options.h:538
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext)...
Definition: ssl.c:2420
int fragment
Definition: options.h:117
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:320
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:113
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition: reliable.c:141
int link_mtu_dynamic
Dynamic MTU value for the external network interface.
Definition: mtu.h:97
int link_mtu
Definition: options.h:111
#define INCR_GENERATED
Definition: ssl.c:90
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2978
const char * crl_file
Definition: options.h:550