OpenVPN
ssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
30 /*
31  * The routines in this file deal with dynamically negotiating
32  * the data channel HMAC and cipher keys through a TLS session.
33  *
34  * Both the TLS session and the data channel are multiplexed
35  * over the same TCP/UDP port.
36  */
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #elif defined(_MSC_VER)
40 #include "config-msvc.h"
41 #endif
42 
43 #include "syshead.h"
44 #include "win32.h"
45 
46 #include "error.h"
47 #include "common.h"
48 #include "socket.h"
49 #include "misc.h"
50 #include "fdmisc.h"
51 #include "interval.h"
52 #include "perf.h"
53 #include "status.h"
54 #include "gremlin.h"
55 #include "pkcs11.h"
56 #include "route.h"
57 #include "tls_crypt.h"
58 
59 #include "ssl.h"
60 #include "ssl_verify.h"
61 #include "ssl_backend.h"
62 
63 #include "memdbg.h"
64 
65 #ifndef ENABLE_OCC
66 static const char ssl_default_options_string[] = "V0 UNDEF";
67 #endif
68 
69 static inline const char *
71 {
72 #ifdef ENABLE_OCC
73  return session->opt->local_options;
74 #else
75  return ssl_default_options_string;
76 #endif
77 }
78 
79 #ifdef MEASURE_TLS_HANDSHAKE_STATS
80 
81 static int tls_handshake_success; /* GLOBAL */
82 static int tls_handshake_error; /* GLOBAL */
83 static int tls_packets_generated; /* GLOBAL */
84 static int tls_packets_sent; /* GLOBAL */
85 
86 #define INCR_SENT ++tls_packets_sent
87 #define INCR_GENERATED ++tls_packets_generated
88 #define INCR_SUCCESS ++tls_handshake_success
89 #define INCR_ERROR ++tls_handshake_error
90 
91 void
92 show_tls_performance_stats(void)
93 {
94  msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
95  (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
96  tls_handshake_success, tls_handshake_error,
97  (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
98 }
99 #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
100 
101 #define INCR_SENT
102 #define INCR_GENERATED
103 #define INCR_SUCCESS
104 #define INCR_ERROR
105 
106 #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
107 
112  {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
113  {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
114  {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
115  {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
116  {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
117  {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
118  {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
119  {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
120  {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
121  {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
122  {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
123  {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
124  {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
125  {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
126  {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
127  {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
128  {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
129  {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
130  {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
131  {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
132  {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
133  {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
134  {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
135  {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
136  {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
137  {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
138  {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
139  {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
140  {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
141  {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
142  {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
143  {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
144  {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
145  {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
146  {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
147  {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
148  {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
149  {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
150  {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
151  {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
152  {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
153  {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
154  {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
155  {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
156  {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
157  {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
158  {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
159  {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
160  {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
161  {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
162  {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
163  {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
164  {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
165  {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
166  {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
167  {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
168  {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
169  {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
170  {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
171  {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
172  {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
173  {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
174  {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
175  {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
176  {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
177  {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
178  {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
179  {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
180  {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
181  {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
182  {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
183  {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
184  {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
185  {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
186  {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
187  {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
188  {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
189  {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
190  {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
191  {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
192  {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
193  {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
194  {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
195  {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
196  {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
197  {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
198  {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
199  {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
200  {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
201  {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
202  {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
203  {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
204  {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
205  {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
206  {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
207  {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
208  {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
209  {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
210  {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
211  {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
212  {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
213  {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
214  {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
215  {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
216  {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
217  {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
218  {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
219  {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
220  {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
221  {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
222  {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
223  {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
224  {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
225  {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
226  {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
227  {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
228  {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
229  {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
230  {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
231  {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
232  {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
233  {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
234  {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
235  {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
236 #ifdef ENABLE_CRYPTO_OPENSSL
237  /* OpenSSL-specific group names */
238  {"DEFAULT", "DEFAULT"},
239  {"ALL", "ALL"},
240  {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
241  {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
242  {"LOW", "LOW"}, {"!LOW", "!LOW"},
243  {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
244  {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
245  {"EDH", "EDH"}, {"!EDH", "!EDH"},
246  {"EXP", "EXP"}, {"!EXP", "!EXP"},
247  {"RSA", "RSA"}, {"!RSA", "!RSA"},
248  {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
249  {"SRP", "SRP"}, {"!SRP", "!SRP"},
250 #endif
251  {NULL, NULL}
252 };
253 
265 static void
266 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
267 
268 const tls_cipher_name_pair *
269 tls_get_cipher_name_pair(const char *cipher_name, size_t len)
270 {
272 
273  while (pair->openssl_name != NULL)
274  {
275  if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
276  || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
277  {
278  return pair;
279  }
280  pair++;
281  }
282 
283  /* No entry found, return NULL */
284  return NULL;
285 }
286 
294 static void
295 tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
296 {
297  if (cipher && cipher_kt_insecure(cipher))
298  {
299  if (*reneg_bytes == -1) /* Not user-specified */
300  {
301  msg(M_WARN, "WARNING: cipher with small block size in use, "
302  "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
303  *reneg_bytes = 64 * 1024 * 1024;
304  }
305  }
306 }
307 
308 /*
309  * Max number of bytes we will add
310  * for data structures common to both
311  * data and control channel packets.
312  * (opcode only).
313  */
314 void
316 {
317  frame_add_to_extra_frame(frame, 1); /* space for opcode */
318 }
319 
320 /*
321  * Max number of bytes we will add
322  * to control channel packet.
323  */
324 static void
325 tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
326  struct frame *frame)
327 {
328  /*
329  * frame->extra_frame is already initialized with tls_auth buffer requirements,
330  * if --tls-auth is enabled.
331  */
332 
333  /* inherit link MTU and extra_link from data channel */
334  frame->link_mtu = data_channel_frame->link_mtu;
335  frame->extra_link = data_channel_frame->extra_link;
336 
337  /* set extra_frame */
341 
342  /* set dynamic link MTU to cap control channel packets at 1250 bytes */
343  ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
344  frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
345 }
346 
347 void
349 {
350  tls_init_lib();
351 
352  crypto_init_lib();
353 }
354 
355 void
357 {
359  prng_uninit();
360 
361  tls_free_lib();
362 }
363 
364 /*
365  * OpenSSL library calls pem_password_callback if the
366  * private key is protected by a password.
367  */
368 
369 static struct user_pass passbuf; /* GLOBAL */
370 
371 void
372 pem_password_setup(const char *auth_file)
373 {
374  if (!strlen(passbuf.password))
375  {
377  }
378 }
379 
380 int
381 pem_password_callback(char *buf, int size, int rwflag, void *u)
382 {
383  if (buf)
384  {
385  /* prompt for password even if --askpass wasn't specified */
386  pem_password_setup(NULL);
387  strncpynt(buf, passbuf.password, size);
388  purge_user_pass(&passbuf, false);
389 
390  return strlen(buf);
391  }
392  return 0;
393 }
394 
395 /*
396  * Auth username/password handling
397  */
398 
399 static bool auth_user_pass_enabled; /* GLOBAL */
400 static struct user_pass auth_user_pass; /* GLOBAL */
401 static struct user_pass auth_token; /* GLOBAL */
402 
403 #ifdef ENABLE_MANAGEMENT
404 static char *auth_challenge; /* GLOBAL */
405 #endif
406 
407 void
408 auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
409 {
410  auth_user_pass_enabled = true;
412  {
413 #ifdef ENABLE_MANAGEMENT
414  if (auth_challenge) /* dynamic challenge/response */
415  {
417  auth_file,
418  UP_TYPE_AUTH,
421  }
422  else if (sci) /* static challenge response */
423  {
425  if (sci->flags & SC_ECHO)
426  {
428  }
430  auth_file,
431  UP_TYPE_AUTH,
432  flags,
433  sci->challenge_text);
434  }
435  else
436 #endif /* ifdef ENABLE_MANAGEMENT */
438  }
439 }
440 
441 /*
442  * Disable password caching
443  */
444 void
446 {
447  passbuf.nocache = true;
448  auth_user_pass.nocache = true;
449  /* wait for push-reply, because auth-token may still need the username */
451 }
452 
453 /*
454  * Set an authentication token
455  */
456 void
457 ssl_set_auth_token(const char *token)
458 {
460 }
461 
462 /*
463  * Cleans an auth token and checks if it was active
464  */
465 bool
467 {
468  bool wasdefined = auth_token.defined;
469  purge_user_pass(&auth_token, true);
470  return wasdefined;
471 }
472 
473 /*
474  * Forget private key password AND auth-user-pass username/password.
475  */
476 void
477 ssl_purge_auth(const bool auth_user_pass_only)
478 {
479  if (!auth_user_pass_only)
480  {
481 #ifdef ENABLE_PKCS11
482  pkcs11_logout();
483 #endif
484  purge_user_pass(&passbuf, true);
485  }
487 #ifdef ENABLE_MANAGEMENT
489 #endif
490 }
491 
492 #ifdef ENABLE_MANAGEMENT
493 
494 void
496 {
498  auth_challenge = NULL;
499 }
500 
501 void
502 ssl_put_auth_challenge(const char *cr_str)
503 {
505  auth_challenge = string_alloc(cr_str, NULL);
506 }
507 
508 #endif
509 
510 /*
511  * Parse a TLS version string, returning a TLS_VER_x constant.
512  * If version string is not recognized and extra == "or-highest",
513  * return tls_version_max().
514  */
515 int
516 tls_version_parse(const char *vstr, const char *extra)
517 {
518  const int max_version = tls_version_max();
519  if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
520  {
521  return TLS_VER_1_0;
522  }
523  else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
524  {
525  return TLS_VER_1_1;
526  }
527  else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
528  {
529  return TLS_VER_1_2;
530  }
531  else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
532  {
533  return TLS_VER_1_3;
534  }
535  else if (extra && !strcmp(extra, "or-highest"))
536  {
537  return max_version;
538  }
539  else
540  {
541  return TLS_VER_BAD;
542  }
543 }
544 
556 static void
557 tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
558  const char *crl_file_inline)
559 {
560  /* if something goes wrong with stat(), we'll store 0 as mtime */
561  platform_stat_t crl_stat = {0};
562 
563  /*
564  * an inline CRL can't change at runtime, therefore there is no need to
565  * reload it. It will be reloaded upon config change + SIGHUP.
566  * Use always '1' as dummy timestamp in this case: it will trigger the
567  * first load, but will prevent any future reload.
568  */
569  if (crl_file_inline)
570  {
571  crl_stat.st_mtime = 1;
572  }
573  else if (platform_stat(crl_file, &crl_stat) < 0)
574  {
575  msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL.");
576  return;
577  }
578 
579  /*
580  * Store the CRL if this is the first time or if the file was changed since
581  * the last load.
582  * Note: Windows does not support tv_nsec.
583  */
584  if ((ssl_ctx->crl_last_size == crl_stat.st_size)
585  && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
586  {
587  return;
588  }
589 
590  ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
591  ssl_ctx->crl_last_size = crl_stat.st_size;
592  backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
593 }
594 
595 /*
596  * Initialize SSL context.
597  * All files are in PEM format.
598  */
599 void
600 init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
601 {
602  ASSERT(NULL != new_ctx);
603 
604  tls_clear_error();
605 
606  if (options->tls_server)
607  {
608  tls_ctx_server_new(new_ctx);
609 
610  if (options->dh_file)
611  {
612  tls_ctx_load_dh_params(new_ctx, options->dh_file,
613  options->dh_file_inline);
614  }
615  }
616  else /* if client */
617  {
618  tls_ctx_client_new(new_ctx);
619  }
620 
621  /* Restrict allowed certificate crypto algorithms */
622  tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
623 
624  /* Allowable ciphers */
625  /* Since @SECLEVEL also influences loading of certificates, set the
626  * cipher restrictions before loading certificates */
627  tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
629 
630  if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
631  {
632  goto err;
633  }
634 
635  if (options->pkcs12_file)
636  {
637  if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
638  options->pkcs12_file_inline, !options->ca_file))
639  {
640  goto err;
641  }
642  }
643 #ifdef ENABLE_PKCS11
644  else if (options->pkcs11_providers[0])
645  {
646  if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
647  {
648  msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
649  options->pkcs11_id);
650  goto err;
651  }
652  }
653 #endif
654 #ifdef ENABLE_CRYPTOAPI
655  else if (options->cryptoapi_cert)
656  {
657  tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
658  }
659 #endif
660 #ifdef ENABLE_MANAGEMENT
661  else if (options->management_flags & MF_EXTERNAL_CERT)
662  {
663  char *cert = management_query_cert(management,
664  options->management_certificate);
665  tls_ctx_load_cert_file(new_ctx, INLINE_FILE_TAG, cert);
666  free(cert);
667  }
668 #endif
669  else if (options->cert_file)
670  {
671  tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
672  }
673 
674  if (options->priv_key_file)
675  {
676  if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
677  options->priv_key_file_inline))
678  {
679  goto err;
680  }
681  }
682 #ifdef ENABLE_MANAGEMENT
683  else if (options->management_flags & MF_EXTERNAL_KEY)
684  {
686  {
687  msg(M_WARN, "Cannot initialize mamagement-external-key");
688  goto err;
689  }
690  }
691 #endif
692 
693  if (options->ca_file || options->ca_path)
694  {
695  tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
696  options->ca_path, options->tls_server);
697  }
698 
699  /* Load extra certificates that are part of our own certificate
700  * chain but shouldn't be included in the verify chain */
701  if (options->extra_certs_file)
702  {
704  }
705 
706  /* Check certificate notBefore and notAfter */
707  tls_ctx_check_cert_time(new_ctx);
708 
709  /* Read CRL */
710  if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
711  {
712  tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
713  }
714 
715  /* Once keys and cert are loaded, load ECDH parameters */
716  if (options->tls_server)
717  {
718  tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
719  }
720 
721 #ifdef ENABLE_CRYPTO_MBEDTLS
722  /* Personalise the random by mixing in the certificate */
723  tls_ctx_personalise_random(new_ctx);
724 #endif
725 
726  tls_clear_error();
727  return;
728 
729 err:
730  tls_clear_error();
731  tls_ctx_free(new_ctx);
732  return;
733 }
734 
735 /*
736  * Map internal constants to ascii names.
737  */
738 static const char *
739 state_name(int state)
740 {
741  switch (state)
742  {
743  case S_UNDEF:
744  return "S_UNDEF";
745 
746  case S_INITIAL:
747  return "S_INITIAL";
748 
749  case S_PRE_START:
750  return "S_PRE_START";
751 
752  case S_START:
753  return "S_START";
754 
755  case S_SENT_KEY:
756  return "S_SENT_KEY";
757 
758  case S_GOT_KEY:
759  return "S_GOT_KEY";
760 
761  case S_ACTIVE:
762  return "S_ACTIVE";
763 
764  case S_NORMAL_OP:
765  return "S_NORMAL_OP";
766 
767  case S_ERROR:
768  return "S_ERROR";
769 
770  default:
771  return "S_???";
772  }
773 }
774 
775 static const char *
777 {
778  switch (op)
779  {
781  return "P_CONTROL_HARD_RESET_CLIENT_V1";
782 
784  return "P_CONTROL_HARD_RESET_SERVER_V1";
785 
787  return "P_CONTROL_HARD_RESET_CLIENT_V2";
788 
790  return "P_CONTROL_HARD_RESET_SERVER_V2";
791 
793  return "P_CONTROL_HARD_RESET_CLIENT_V3";
794 
796  return "P_CONTROL_SOFT_RESET_V1";
797 
798  case P_CONTROL_V1:
799  return "P_CONTROL_V1";
800 
801  case P_ACK_V1:
802  return "P_ACK_V1";
803 
804  case P_DATA_V1:
805  return "P_DATA_V1";
806 
807  case P_DATA_V2:
808  return "P_DATA_V2";
809 
810  default:
811  return "P_???";
812  }
813 }
814 
815 static const char *
817 {
818  switch (index)
819  {
820  case TM_ACTIVE:
821  return "TM_ACTIVE";
822 
823  case TM_UNTRUSTED:
824  return "TM_UNTRUSTED";
825 
826  case TM_LAME_DUCK:
827  return "TM_LAME_DUCK";
828 
829  default:
830  return "TM_???";
831  }
832 }
833 
834 /*
835  * For debugging.
836  */
837 static const char *
838 print_key_id(struct tls_multi *multi, struct gc_arena *gc)
839 {
840  int i;
841  struct buffer out = alloc_buf_gc(256, gc);
842 
843  for (i = 0; i < KEY_SCAN_SIZE; ++i)
844  {
845  struct key_state *ks = multi->key_scan[i];
846  buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i,
847  state_name(ks->state), ks->key_id,
849  }
850 
851  return BSTR(&out);
852 }
853 
854 bool
855 is_hard_reset(int op, int key_method)
856 {
857  if (!key_method || key_method == 1)
858  {
860  {
861  return true;
862  }
863  }
864 
865  if (!key_method || key_method >= 2)
866  {
869  {
870  return true;
871  }
872  }
873 
874  return false;
875 }
876 
900 static void
902 {
903  update_time();
904 
905  CLEAR(*ks);
906 
907  /*
908  * Build TLS object that reads/writes ciphertext
909  * to/from memory BIOs.
910  */
911  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
912  session);
913 
914  /* Set control-channel initiation mode */
915  ks->initial_opcode = session->initial_opcode;
917  ks->state = S_INITIAL;
918  ks->key_id = session->key_id;
919 
920  /*
921  * key_id increments to KEY_ID_MASK then recycles back to 1.
922  * This way you know that if key_id is 0, it is the first key.
923  */
924  ++session->key_id;
925  session->key_id &= P_KEY_ID_MASK;
926  if (!session->key_id)
927  {
928  session->key_id = 1;
929  }
930 
931  /* allocate key source material object */
932  ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
933 
934  /* allocate reliability objects */
937  ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
938 
939  /* allocate buffers */
942  ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
943  reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
945  ks->key_id ? false : session->opt->xmit_hold);
946  reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
948  false);
950 
951  /* init packet ID tracker */
952  if (session->opt->replay)
953  {
955  session->opt->replay_window, session->opt->replay_time, "SSL",
956  ks->key_id);
957  }
958 
959  ks->crypto_options.pid_persist = NULL;
960 
961 #ifdef MANAGEMENT_DEF_AUTH
962  ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
963 #endif
964 }
965 
966 
980 static void
981 key_state_free(struct key_state *ks, bool clear)
982 {
983  ks->state = S_UNDEF;
984 
986 
990  free_buf(&ks->ack_write_buf);
992 
993  if (ks->send_reliable)
994  {
996  free(ks->send_reliable);
997  }
998 
999  if (ks->rec_reliable)
1000  {
1002  free(ks->rec_reliable);
1003  }
1004 
1005  if (ks->rec_ack)
1006  {
1007  free(ks->rec_ack);
1008  }
1009 
1010  if (ks->key_src)
1011  {
1012  free(ks->key_src);
1013  }
1014 
1016 
1017 #ifdef PLUGIN_DEF_AUTH
1019 #endif
1020 
1021  if (clear)
1022  {
1023  secure_memzero(ks, sizeof(*ks));
1024  }
1025 }
1026 
1040 static inline bool
1042 {
1043  return (session->opt->auth_user_pass_verify_script
1045 #ifdef MANAGEMENT_DEF_AUTH
1046  || management_enable_def_auth(management)
1047 #endif
1048  );
1049 }
1050 
1051 
1072 static void
1074 {
1075  struct gc_arena gc = gc_new();
1076 
1077  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
1078 
1079  CLEAR(*session);
1080 
1081  /* Set options data to point to parent's option structure */
1082  session->opt = &multi->opt;
1083 
1084  /* Randomize session # if it is 0 */
1085  while (!session_id_defined(&session->session_id))
1086  {
1087  session_id_random(&session->session_id);
1088  }
1089 
1090  /* Are we a TLS server or client? */
1091  ASSERT(session->opt->key_method >= 1);
1092  if (session->opt->key_method == 1)
1093  {
1094  session->initial_opcode = session->opt->server ?
1096  }
1097  else /* session->opt->key_method >= 2 */
1098  {
1099  if (session->opt->server)
1100  {
1102  }
1103  else
1104  {
1105  session->initial_opcode = session->opt->tls_crypt_v2 ?
1107  }
1108  }
1109 
1110  /* Initialize control channel authentication parameters */
1111  session->tls_wrap = session->opt->tls_wrap;
1112  session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1113 
1114  /* initialize packet ID replay window for --tls-auth */
1116  session->opt->replay_window,
1117  session->opt->replay_time,
1118  "TLS_WRAP", session->key_id);
1119 
1120  /* load most recent packet-id to replay protect on --tls-auth */
1122  &session->tls_wrap.opt.packet_id);
1123 
1124  key_state_init(session, &session->key[KS_PRIMARY]);
1125 
1126  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1127  session_id_print(&session->session_id, &gc));
1128 
1129  gc_free(&gc);
1130 }
1131 
1144 static void
1146 {
1147  tls_wrap_free(&session->tls_wrap);
1148 
1149  for (size_t i = 0; i < KS_SIZE; ++i)
1150  {
1151  key_state_free(&session->key[i], false);
1152  }
1153 
1154  if (session->common_name)
1155  {
1156  free(session->common_name);
1157  }
1158 
1159  cert_hash_free(session->cert_hash_set);
1160 
1161  if (clear)
1162  {
1163  secure_memzero(session, sizeof(*session));
1164  }
1165 }
1166 
1172 static void
1173 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1174 {
1175  msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1176  session_index_name(dest),
1177  session_index_name(src),
1178  reinit_src);
1179  ASSERT(src != dest);
1180  ASSERT(src >= 0 && src < TM_SIZE);
1181  ASSERT(dest >= 0 && dest < TM_SIZE);
1182  tls_session_free(&multi->session[dest], false);
1183  multi->session[dest] = multi->session[src];
1184 
1185  if (reinit_src)
1186  {
1187  tls_session_init(multi, &multi->session[src]);
1188  }
1189  else
1190  {
1191  secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1192  }
1193 
1194  dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1195 }
1196 
1197 static void
1199 {
1200  tls_session_free(session, false);
1201  tls_session_init(multi, session);
1202 }
1203 
1204 /*
1205  * Used to determine in how many seconds we should be
1206  * called again.
1207  */
1208 static inline void
1209 compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1210 {
1211  if (seconds_from_now < *earliest)
1212  {
1213  *earliest = seconds_from_now;
1214  }
1215  if (*earliest < 0)
1216  {
1217  *earliest = 0;
1218  }
1219 }
1220 
1221 /*
1222  * Return true if "lame duck" or retiring key has expired and can
1223  * no longer be used.
1224  */
1225 static inline bool
1227 {
1228  const struct key_state *lame = &session->key[KS_LAME_DUCK];
1229  if (lame->state >= S_INITIAL)
1230  {
1231  const time_t local_now = now;
1232  ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1233  if (local_now < lame->must_die)
1234  {
1235  compute_earliest_wakeup(wakeup, lame->must_die - local_now);
1236  return false;
1237  }
1238  else
1239  {
1240  return true;
1241  }
1242  }
1243  else if (lame->state == S_ERROR)
1244  {
1245  return true;
1246  }
1247  else
1248  {
1249  return false;
1250  }
1251 }
1252 
1253 struct tls_multi *
1255 {
1256  struct tls_multi *ret;
1257 
1258  ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1259 
1260  /* get command line derived options */
1261  ret->opt = *tls_options;
1262 
1263  /* set up list of keys to be scanned by data channel encrypt and decrypt routines */
1264  ASSERT(SIZE(ret->key_scan) == 3);
1265  ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY];
1266  ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK];
1267  ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
1268 
1269  /* By default not use P_DATA_V2 */
1270  ret->use_peer_id = false;
1271 
1272  return ret;
1273 }
1274 
1275 void
1276 tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
1277 {
1279 
1280  /* initialize the active and untrusted sessions */
1281 
1282  tls_session_init(multi, &multi->session[TM_ACTIVE]);
1283 
1284  if (!multi->opt.single_session)
1285  {
1286  tls_session_init(multi, &multi->session[TM_UNTRUSTED]);
1287  }
1288 }
1289 
1290 /*
1291  * Initialize and finalize a standalone tls-auth verification object.
1292  */
1293 
1294 struct tls_auth_standalone *
1296  struct gc_arena *gc)
1297 {
1298  struct tls_auth_standalone *tas;
1299 
1300  ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1301 
1302  tas->tls_wrap = tls_options->tls_wrap;
1303 
1304  /*
1305  * Standalone tls-auth is in read-only mode with respect to TLS
1306  * control channel state. After we build a new client instance
1307  * object, we will process this session-initiating packet for real.
1308  */
1310 
1311  /* get initial frame parms, still need to finalize */
1312  tas->frame = tls_options->frame;
1313 
1314  return tas;
1315 }
1316 
1317 void
1319  const struct frame *frame)
1320 {
1322 }
1323 
1324 /*
1325  * Set local and remote option compatibility strings.
1326  * Used to verify compatibility of local and remote option
1327  * sets.
1328  */
1329 void
1331  const char *local,
1332  const char *remote)
1333 {
1334 #ifdef ENABLE_OCC
1335  /* initialize options string */
1336  multi->opt.local_options = local;
1337  multi->opt.remote_options = remote;
1338 #endif
1339 }
1340 
1341 /*
1342  * Cleanup a tls_multi structure and free associated memory allocations.
1343  */
1344 void
1345 tls_multi_free(struct tls_multi *multi, bool clear)
1346 {
1347  int i;
1348 
1349  ASSERT(multi);
1350 
1351 #ifdef MANAGEMENT_DEF_AUTH
1352  man_def_auth_set_client_reason(multi, NULL);
1353 
1354 #endif
1355 #if P2MP_SERVER
1356  free(multi->peer_info);
1357 #endif
1358 
1359  if (multi->locked_cn)
1360  {
1361  free(multi->locked_cn);
1362  }
1363 
1364  if (multi->locked_username)
1365  {
1366  free(multi->locked_username);
1367  }
1368 
1370 
1371  if (multi->auth_token)
1372  {
1374  free(multi->auth_token);
1375  }
1376 
1377  free(multi->remote_ciphername);
1378 
1379  for (i = 0; i < TM_SIZE; ++i)
1380  {
1381  tls_session_free(&multi->session[i], false);
1382  }
1383 
1384  if (clear)
1385  {
1386  secure_memzero(multi, sizeof(*multi));
1387  }
1388 
1389  free(multi);
1390 }
1391 
1392 
1393 /*
1394  * Move a packet authentication HMAC + related fields to or from the front
1395  * of the buffer so it can be processed by encrypt/decrypt.
1396  */
1397 
1398 /*
1399  * Dependent on hmac size, opcode size, and session_id size.
1400  * Will assert if too small.
1401  */
1402 #define SWAP_BUF_SIZE 256
1403 
1404 static bool
1405 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
1406 {
1407  const struct key_ctx *ctx;
1408 
1409  ASSERT(co);
1410 
1411  ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);
1412  ASSERT(ctx->hmac);
1413 
1414  {
1415  /* hmac + packet_id (8 bytes) */
1416  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
1417 
1418  /* opcode + session_id */
1419  const int osid_size = 1 + SID_SIZE;
1420 
1421  int e1, e2;
1422  uint8_t *b = BPTR(buf);
1423  uint8_t buf1[SWAP_BUF_SIZE];
1424  uint8_t buf2[SWAP_BUF_SIZE];
1425 
1426  if (incoming)
1427  {
1428  e1 = osid_size;
1429  e2 = hmac_size;
1430  }
1431  else
1432  {
1433  e1 = hmac_size;
1434  e2 = osid_size;
1435  }
1436 
1437  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
1438 
1439  if (buf->len >= e1 + e2)
1440  {
1441  memcpy(buf1, b, e1);
1442  memcpy(buf2, b + e1, e2);
1443  memcpy(b, buf2, e2);
1444  memcpy(b + e2, buf1, e1);
1445  return true;
1446  }
1447  else
1448  {
1449  return false;
1450  }
1451  }
1452 }
1453 
1454 #undef SWAP_BUF_SIZE
1455 
1456 /*
1457  * Write a control channel authentication record.
1458  */
1459 static void
1461  struct key_state *ks,
1462  struct buffer *buf,
1463  struct link_socket_actual **to_link_addr,
1464  int opcode,
1465  int max_ack,
1466  bool prepend_ack)
1467 {
1468  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
1469  struct buffer null = clear_buf();
1470 
1473  (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
1474 
1475  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
1476 
1477  if (session->tls_wrap.mode == TLS_WRAP_AUTH
1478  || session->tls_wrap.mode == TLS_WRAP_NONE)
1479  {
1480  ASSERT(session_id_write_prepend(&session->session_id, buf));
1481  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
1482  }
1483  if (session->tls_wrap.mode == TLS_WRAP_AUTH)
1484  {
1485  /* no encryption, only write hmac */
1486  openvpn_encrypt(buf, null, &session->tls_wrap.opt);
1487  ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false));
1488  }
1489  else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
1490  {
1491  ASSERT(buf_init(&session->tls_wrap.work, buf->offset));
1492  ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header)));
1493  ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work));
1494  if (!tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt))
1495  {
1496  buf->len = 0;
1497  return;
1498  }
1499 
1500  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3)
1501  {
1502  if (!buf_copy(&session->tls_wrap.work,
1503  session->tls_wrap.tls_crypt_v2_wkc))
1504  {
1505  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
1506  buf->len = 0;
1507  return;
1508  }
1509  }
1510 
1511  /* Don't change the original data in buf, it's used by the reliability
1512  * layer to resend on failure. */
1513  *buf = session->tls_wrap.work;
1514  }
1515  *to_link_addr = &ks->remote_addr;
1516 }
1517 
1518 /*
1519  * Read a control channel authentication record.
1520  */
1521 static bool
1523  struct tls_wrap_ctx *ctx,
1524  const struct link_socket_actual *from,
1525  const struct tls_options *opt)
1526 {
1527  struct gc_arena gc = gc_new();
1528  bool ret = false;
1529 
1530  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
1531  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
1532  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
1533  {
1534  msg(D_TLS_ERRORS,
1535  "TLS Error: can not extract tls-crypt-v2 client key from %s",
1536  print_link_socket_actual(from, &gc));
1537  goto cleanup;
1538  }
1539 
1540  if (ctx->mode == TLS_WRAP_AUTH)
1541  {
1542  struct buffer null = clear_buf();
1543 
1544  /* move the hmac record to the front of the packet */
1545  if (!swap_hmac(buf, &ctx->opt, true))
1546  {
1547  msg(D_TLS_ERRORS,
1548  "TLS Error: cannot locate HMAC in incoming packet from %s",
1549  print_link_socket_actual(from, &gc));
1550  gc_free(&gc);
1551  return false;
1552  }
1553 
1554  /* authenticate only (no decrypt) and remove the hmac record
1555  * from the head of the buffer */
1556  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
1557  if (!buf->len)
1558  {
1559  msg(D_TLS_ERRORS,
1560  "TLS Error: incoming packet authentication failed from %s",
1561  print_link_socket_actual(from, &gc));
1562  goto cleanup;
1563  }
1564 
1565  }
1566  else if (ctx->mode == TLS_WRAP_CRYPT)
1567  {
1568  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
1569  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
1570  {
1571  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
1572  print_link_socket_actual(from, &gc));
1573  goto cleanup;
1574  }
1575  ASSERT(buf_init(buf, buf->offset));
1576  ASSERT(buf_copy(buf, &tmp));
1577  buf_clear(&tmp);
1578  }
1579  else if (ctx->tls_crypt_v2_server_key.cipher)
1580  {
1581  /* If tls-crypt-v2 is enabled, require *some* wrapping */
1582  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
1583  print_link_socket_actual(from, &gc));
1584  /* TODO Do we want to support using tls-crypt-v2 and no control channel
1585  * wrapping at all simultaneously? That would allow server admins to
1586  * upgrade clients one-by-one without running a second instance, but we
1587  * should not enable it by default because it breaks DoS-protection.
1588  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
1589  goto cleanup;
1590  }
1591 
1592  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
1593  {
1594  /* advance buffer pointer past opcode & session_id since our caller
1595  * already read it */
1596  buf_advance(buf, SID_SIZE + 1);
1597  }
1598 
1599  ret = true;
1600 cleanup:
1601  gc_free(&gc);
1602  return ret;
1603 }
1604 
1605 /*
1606  * For debugging, print contents of key_source2 structure.
1607  */
1608 
1609 static void
1611  const char *prefix)
1612 {
1613  struct gc_arena gc = gc_new();
1614 
1615  VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1616  VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1617  VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1618 
1620  "%s pre_master: %s",
1621  prefix,
1622  format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1624  "%s random1: %s",
1625  prefix,
1626  format_hex(k->random1, sizeof(k->random1), 0, &gc));
1628  "%s random2: %s",
1629  prefix,
1630  format_hex(k->random2, sizeof(k->random2), 0, &gc));
1631 
1632  gc_free(&gc);
1633 }
1634 
1635 static void
1637 {
1638  key_source_print(&k->client, "Client");
1639  key_source_print(&k->server, "Server");
1640 }
1641 
1642 /*
1643  * Generate the hash required by for the \c tls1_PRF function.
1644  *
1645  * @param md_kt Message digest to use
1646  * @param sec Secret to base the hash on
1647  * @param sec_len Length of the secret
1648  * @param seed Seed to hash
1649  * @param seed_len Length of the seed
1650  * @param out Output buffer
1651  * @param olen Length of the output buffer
1652  */
1653 static void
1654 tls1_P_hash(const md_kt_t *md_kt,
1655  const uint8_t *sec,
1656  int sec_len,
1657  const uint8_t *seed,
1658  int seed_len,
1659  uint8_t *out,
1660  int olen)
1661 {
1662  struct gc_arena gc = gc_new();
1663  int chunk;
1664  hmac_ctx_t *ctx;
1665  hmac_ctx_t *ctx_tmp;
1667  unsigned int A1_len;
1668 
1669 #ifdef ENABLE_DEBUG
1670  const int olen_orig = olen;
1671  const uint8_t *out_orig = out;
1672 #endif
1673 
1674  ctx = hmac_ctx_new();
1675  ctx_tmp = hmac_ctx_new();
1676 
1677  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
1678  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
1679 
1680  chunk = md_kt_size(md_kt);
1681  A1_len = md_kt_size(md_kt);
1682 
1683  hmac_ctx_init(ctx, sec, sec_len, md_kt);
1684  hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
1685 
1686  hmac_ctx_update(ctx,seed,seed_len);
1687  hmac_ctx_final(ctx, A1);
1688 
1689  for (;; )
1690  {
1691  hmac_ctx_reset(ctx);
1692  hmac_ctx_reset(ctx_tmp);
1693  hmac_ctx_update(ctx,A1,A1_len);
1694  hmac_ctx_update(ctx_tmp,A1,A1_len);
1695  hmac_ctx_update(ctx,seed,seed_len);
1696 
1697  if (olen > chunk)
1698  {
1699  hmac_ctx_final(ctx, out);
1700  out += chunk;
1701  olen -= chunk;
1702  hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
1703  }
1704  else /* last one */
1705  {
1706  hmac_ctx_final(ctx, A1);
1707  memcpy(out,A1,olen);
1708  break;
1709  }
1710  }
1711  hmac_ctx_cleanup(ctx);
1712  hmac_ctx_free(ctx);
1713  hmac_ctx_cleanup(ctx_tmp);
1714  hmac_ctx_free(ctx_tmp);
1715  secure_memzero(A1, sizeof(A1));
1716 
1717  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
1718  gc_free(&gc);
1719 }
1720 
1721 /*
1722  * Use the TLS PRF function for generating data channel keys.
1723  * This code is based on the OpenSSL library.
1724  *
1725  * TLS generates keys as such:
1726  *
1727  * master_secret[48] = PRF(pre_master_secret[48], "master secret",
1728  * ClientHello.random[32] + ServerHello.random[32])
1729  *
1730  * key_block[] = PRF(SecurityParameters.master_secret[48],
1731  * "key expansion",
1732  * SecurityParameters.server_random[32] +
1733  * SecurityParameters.client_random[32]);
1734  *
1735  * Notes:
1736  *
1737  * (1) key_block contains a full set of 4 keys.
1738  * (2) The pre-master secret is generated by the client.
1739  */
1740 static void
1741 tls1_PRF(const uint8_t *label,
1742  int label_len,
1743  const uint8_t *sec,
1744  int slen,
1745  uint8_t *out1,
1746  int olen)
1747 {
1748  struct gc_arena gc = gc_new();
1749  const md_kt_t *md5 = md_kt_get("MD5");
1750  const md_kt_t *sha1 = md_kt_get("SHA1");
1751  int len,i;
1752  const uint8_t *S1,*S2;
1753  uint8_t *out2;
1754 
1755  out2 = (uint8_t *) gc_malloc(olen, false, &gc);
1756 
1757  len = slen/2;
1758  S1 = sec;
1759  S2 = &(sec[len]);
1760  len += (slen&1); /* add for odd, make longer */
1761 
1762  tls1_P_hash(md5,S1,len,label,label_len,out1,olen);
1763  tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1764 
1765  for (i = 0; i<olen; i++)
1766  {
1767  out1[i] ^= out2[i];
1768  }
1769 
1770  secure_memzero(out2, olen);
1771 
1772  dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc));
1773 
1774  gc_free(&gc);
1775 }
1776 
1777 static void
1778 openvpn_PRF(const uint8_t *secret,
1779  int secret_len,
1780  const char *label,
1781  const uint8_t *client_seed,
1782  int client_seed_len,
1783  const uint8_t *server_seed,
1784  int server_seed_len,
1785  const struct session_id *client_sid,
1786  const struct session_id *server_sid,
1787  uint8_t *output,
1788  int output_len)
1789 {
1790  /* concatenate seed components */
1791 
1792  struct buffer seed = alloc_buf(strlen(label)
1793  + client_seed_len
1794  + server_seed_len
1795  + SID_SIZE * 2);
1796 
1797  ASSERT(buf_write(&seed, label, strlen(label)));
1798  ASSERT(buf_write(&seed, client_seed, client_seed_len));
1799  ASSERT(buf_write(&seed, server_seed, server_seed_len));
1800 
1801  if (client_sid)
1802  {
1803  ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1804  }
1805  if (server_sid)
1806  {
1807  ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1808  }
1809 
1810  /* compute PRF */
1811  tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1812 
1813  buf_clear(&seed);
1814  free_buf(&seed);
1815 
1816  VALGRIND_MAKE_READABLE((void *)output, output_len);
1817 }
1818 
1819 /*
1820  * Using source entropy from local and remote hosts, mix into
1821  * master key.
1822  */
1823 static bool
1825  const struct key_type *key_type,
1826  const struct key_source2 *key_src,
1827  const struct session_id *client_sid,
1828  const struct session_id *server_sid,
1829  bool server)
1830 {
1831  uint8_t master[48] = { 0 };
1832  struct key2 key2 = { 0 };
1833  bool ret = false;
1834 
1835  if (key->initialized)
1836  {
1837  msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1838  goto exit;
1839  }
1840 
1841  /* debugging print of source key material */
1842  key_source2_print(key_src);
1843 
1844  /* compute master secret */
1845  openvpn_PRF(key_src->client.pre_master,
1846  sizeof(key_src->client.pre_master),
1847  KEY_EXPANSION_ID " master secret",
1848  key_src->client.random1,
1849  sizeof(key_src->client.random1),
1850  key_src->server.random1,
1851  sizeof(key_src->server.random1),
1852  NULL,
1853  NULL,
1854  master,
1855  sizeof(master));
1856 
1857  /* compute key expansion */
1858  openvpn_PRF(master,
1859  sizeof(master),
1860  KEY_EXPANSION_ID " key expansion",
1861  key_src->client.random2,
1862  sizeof(key_src->client.random2),
1863  key_src->server.random2,
1864  sizeof(key_src->server.random2),
1865  client_sid,
1866  server_sid,
1867  (uint8_t *)key2.keys,
1868  sizeof(key2.keys));
1869 
1870  key2.n = 2;
1871 
1872  key2_print(&key2, key_type, "Master Encrypt", "Master Decrypt");
1873 
1874  /* check for weak keys */
1875  for (int i = 0; i < 2; ++i)
1876  {
1877  fixup_key(&key2.keys[i], key_type);
1878  if (!check_key(&key2.keys[i], key_type))
1879  {
1880  msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1881  goto exit;
1882  }
1883  }
1884 
1885  /* Initialize OpenSSL key contexts */
1886  int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1887  init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
1888 
1889  /* Initialize implicit IVs */
1890  key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
1892  key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
1894 
1895  ret = true;
1896 
1897 exit:
1898  secure_memzero(&master, sizeof(master));
1899  secure_memzero(&key2, sizeof(key2));
1900 
1901  return ret;
1902 }
1903 
1904 static void
1905 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
1906 {
1907  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
1908 
1909  /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
1910  if (cipher_kt_mode_aead(cipher_kt))
1911  {
1912  size_t impl_iv_len = 0;
1914  impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
1915  ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
1916  ASSERT(impl_iv_len <= key_len);
1917  memcpy(ctx->implicit_iv, key, impl_iv_len);
1918  ctx->implicit_iv_len = impl_iv_len;
1919  }
1920 }
1921 
1922 bool
1923 tls_item_in_cipher_list(const char *item, const char *list)
1924 {
1925  char *tmp_ciphers = string_alloc(list, NULL);
1926  char *tmp_ciphers_orig = tmp_ciphers;
1927 
1928  const char *token = strtok(tmp_ciphers, ":");
1929  while (token)
1930  {
1931  if (0 == strcmp(token, item))
1932  {
1933  break;
1934  }
1935  token = strtok(NULL, ":");
1936  }
1937  free(tmp_ciphers_orig);
1938 
1939  return token != NULL;
1940 }
1941 
1942 void
1943 tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
1944 {
1945  if (o->ncp_enabled && remote_ciphername
1946  && 0 != strcmp(o->ciphername, remote_ciphername))
1947  {
1948  if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
1949  {
1950  o->ciphername = string_alloc(remote_ciphername, &o->gc);
1951  msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
1952  }
1953  }
1954 }
1955 
1962 static bool
1964 {
1965  bool ret = false;
1966  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1967  const struct session_id *client_sid = session->opt->server ?
1968  &ks->session_id_remote : &session->session_id;
1969  const struct session_id *server_sid = !session->opt->server ?
1970  &ks->session_id_remote : &session->session_id;
1971 
1972  ASSERT(ks->authenticated);
1973 
1974  ks->crypto_options.flags = session->opt->crypto_flags;
1976  &session->opt->key_type, ks->key_src, client_sid, server_sid,
1977  session->opt->server))
1978  {
1979  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1980  goto cleanup;
1981  }
1983  &session->opt->renegotiate_bytes);
1984 
1985  ret = true;
1986 cleanup:
1987  secure_memzero(ks->key_src, sizeof(*ks->key_src));
1988  return ret;
1989 }
1990 
1991 bool
1993  struct options *options, struct frame *frame)
1994 {
1995  if (!session->opt->server
1996  && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
1997  && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
1998  {
1999  msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
2000  options->ciphername, session->opt->config_ciphername,
2001  options->ncp_ciphers);
2002  /* undo cipher push, abort connection setup */
2003  options->ciphername = session->opt->config_ciphername;
2004  return false;
2005  }
2006 
2007  if (strcmp(options->ciphername, session->opt->config_ciphername))
2008  {
2009  msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
2010  options->ciphername);
2011  if (options->keysize)
2012  {
2013  msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
2014  options->keysize = 0;
2015  }
2016  }
2017 
2018  init_key_type(&session->opt->key_type, options->ciphername,
2019  options->authname, options->keysize, true, true);
2020 
2021  bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
2022  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2023  if (packet_id_long_form)
2024  {
2026  }
2027 
2028  /* Update frame parameters: undo worst-case overhead, add actual overhead */
2030  crypto_adjust_frame_parameters(frame, &session->opt->key_type,
2031  options->replay, packet_id_long_form);
2032  frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
2033  options->ce.tun_mtu_defined, options->ce.tun_mtu);
2034  frame_init_mssfix(frame, options);
2035  frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
2036 
2038 }
2039 
2040 static bool
2042  uint8_t *out,
2043  int outlen)
2044 {
2045  if (!rand_bytes(out, outlen))
2046  {
2047  msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
2048  }
2049  if (!buf_write(buf, out, outlen))
2050  {
2051  return false;
2052  }
2053  return true;
2054 }
2055 
2056 static bool
2058  struct buffer *buf,
2059  bool server)
2060 {
2061  struct key_source *k = &k2->client;
2062  if (server)
2063  {
2064  k = &k2->server;
2065  }
2066 
2067  CLEAR(*k);
2068 
2069  if (!server)
2070  {
2071  if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
2072  {
2073  return false;
2074  }
2075  }
2076 
2077  if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
2078  {
2079  return false;
2080  }
2081  if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
2082  {
2083  return false;
2084  }
2085 
2086  return true;
2087 }
2088 
2089 static int
2091  struct buffer *buf,
2092  bool server)
2093 {
2094  struct key_source *k = &k2->client;
2095 
2096  if (!server)
2097  {
2098  k = &k2->server;
2099  }
2100 
2101  CLEAR(*k);
2102 
2103  if (server)
2104  {
2105  if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
2106  {
2107  return 0;
2108  }
2109  }
2110 
2111  if (!buf_read(buf, k->random1, sizeof(k->random1)))
2112  {
2113  return 0;
2114  }
2115  if (!buf_read(buf, k->random2, sizeof(k->random2)))
2116  {
2117  return 0;
2118  }
2119 
2120  return 1;
2121 }
2122 
2123 static void
2125 {
2126  struct buffer *b;
2127 
2128  while ((b = buffer_list_peek(ks->paybuf)))
2129  {
2131  buffer_list_pop(ks->paybuf);
2132  }
2133 }
2134 
2135 /* true if no in/out acknowledgements pending */
2136 #define FULL_SYNC \
2137  (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
2138 
2139 /*
2140  * Move the active key to the lame duck key and reinitialize the
2141  * active key.
2142  */
2143 static void
2145 {
2146  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2147  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2148 
2149  ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
2150  key_state_free(ks_lame, false);
2151  *ks_lame = *ks;
2152 
2153  key_state_init(session, ks);
2154  ks->session_id_remote = ks_lame->session_id_remote;
2155  ks->remote_addr = ks_lame->remote_addr;
2156 }
2157 
2158 /*
2159  * Read/write strings from/to a struct buffer with a u16 length prefix.
2160  */
2161 
2162 static bool
2164 {
2165  if (!buf_write_u16(buf, 0))
2166  {
2167  return false;
2168  }
2169  return true;
2170 }
2171 
2172 static bool
2173 write_string(struct buffer *buf, const char *str, const int maxlen)
2174 {
2175  const int len = strlen(str) + 1;
2176  if (len < 1 || (maxlen >= 0 && len > maxlen))
2177  {
2178  return false;
2179  }
2180  if (!buf_write_u16(buf, len))
2181  {
2182  return false;
2183  }
2184  if (!buf_write(buf, str, len))
2185  {
2186  return false;
2187  }
2188  return true;
2189 }
2190 
2191 static bool
2192 read_string(struct buffer *buf, char *str, const unsigned int capacity)
2193 {
2194  const int len = buf_read_u16(buf);
2195  if (len < 1 || len > (int)capacity)
2196  {
2197  return false;
2198  }
2199  if (!buf_read(buf, str, len))
2200  {
2201  return false;
2202  }
2203  str[len-1] = '\0';
2204  return true;
2205 }
2206 
2207 static char *
2209 {
2210  const int len = buf_read_u16(buf);
2211  char *str;
2212 
2213  if (len < 1)
2214  {
2215  return NULL;
2216  }
2217  str = (char *) malloc(len);
2218  check_malloc_return(str);
2219  if (!buf_read(buf, str, len))
2220  {
2221  free(str);
2222  return NULL;
2223  }
2224  str[len-1] = '\0';
2225  return str;
2226 }
2227 
2228 /*
2229  * Handle the reading and writing of key data to and from
2230  * the TLS control channel (cleartext).
2231  */
2232 
2233 static bool
2235 {
2236  struct key key;
2237  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2238 
2239  ASSERT(session->opt->key_method == 1);
2240  ASSERT(buf_init(buf, 0));
2241 
2242  generate_key_random(&key, &session->opt->key_type);
2243  if (!check_key(&key, &session->opt->key_type))
2244  {
2245  msg(D_TLS_ERRORS, "TLS Error: Bad encrypting key generated");
2246  return false;
2247  }
2248 
2249  if (!write_key(&key, &session->opt->key_type, buf))
2250  {
2251  msg(D_TLS_ERRORS, "TLS Error: write_key failed");
2252  return false;
2253  }
2254 
2256  &session->opt->key_type, OPENVPN_OP_ENCRYPT,
2257  "Data Channel Encrypt");
2258  secure_memzero(&key, sizeof(key));
2259 
2260  /* send local options string */
2261  {
2262  const char *local_options = local_options_string(session);
2263  const int optlen = strlen(local_options) + 1;
2264  if (!buf_write(buf, local_options, optlen))
2265  {
2266  msg(D_TLS_ERRORS, "TLS Error: KM1 write options failed");
2267  return false;
2268  }
2269  }
2270 
2271  return true;
2272 }
2273 
2274 static bool
2276 {
2277  struct gc_arena gc = gc_new();
2278  bool ret = false;
2279 
2280  if (session->opt->push_peer_info_detail > 0)
2281  {
2282  struct env_set *es = session->opt->es;
2283  struct env_item *e;
2284  struct buffer out = alloc_buf_gc(512*3, &gc);
2285 
2286  /* push version */
2287  buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
2288 
2289  /* push platform */
2290 #if defined(TARGET_LINUX)
2291  buf_printf(&out, "IV_PLAT=linux\n");
2292 #elif defined(TARGET_SOLARIS)
2293  buf_printf(&out, "IV_PLAT=solaris\n");
2294 #elif defined(TARGET_OPENBSD)
2295  buf_printf(&out, "IV_PLAT=openbsd\n");
2296 #elif defined(TARGET_DARWIN)
2297  buf_printf(&out, "IV_PLAT=mac\n");
2298 #elif defined(TARGET_NETBSD)
2299  buf_printf(&out, "IV_PLAT=netbsd\n");
2300 #elif defined(TARGET_FREEBSD)
2301  buf_printf(&out, "IV_PLAT=freebsd\n");
2302 #elif defined(TARGET_ANDROID)
2303  buf_printf(&out, "IV_PLAT=android\n");
2304 #elif defined(_WIN32)
2305  buf_printf(&out, "IV_PLAT=win\n");
2306 #endif
2307 
2308  /* support for P_DATA_V2 */
2309  buf_printf(&out, "IV_PROTO=2\n");
2310 
2311  /* support for Negotiable Crypto Paramters */
2312  if (session->opt->ncp_enabled
2313  && (session->opt->mode == MODE_SERVER || session->opt->pull))
2314  {
2315  buf_printf(&out, "IV_NCP=2\n");
2316  }
2317 
2318  /* push compression status */
2319 #ifdef USE_COMP
2320  comp_generate_peer_info_string(&session->opt->comp_options, &out);
2321 #endif
2322 
2323  if (session->opt->push_peer_info_detail >= 2)
2324  {
2325  /* push mac addr */
2326  struct route_gateway_info rgi;
2327  get_default_gateway(&rgi);
2328  if (rgi.flags & RGI_HWADDR_DEFINED)
2329  {
2330  buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2331  }
2332  buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2333 #if defined(_WIN32)
2334  buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2335 #endif
2336  }
2337 
2338  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2339  for (e = es->list; e != NULL; e = e->next)
2340  {
2341  if (e->string)
2342  {
2343  if ((((strncmp(e->string, "UV_", 3)==0
2344  || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0)
2345  && session->opt->push_peer_info_detail >= 2)
2346  || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
2347  && buf_safe(&out, strlen(e->string)+1))
2348  {
2349  buf_printf(&out, "%s\n", e->string);
2350  }
2351  }
2352  }
2353 
2354  if (!write_string(buf, BSTR(&out), -1))
2355  {
2356  goto error;
2357  }
2358  }
2359  else
2360  {
2361  if (!write_empty_string(buf)) /* no peer info */
2362  {
2363  goto error;
2364  }
2365  }
2366  ret = true;
2367 
2368 error:
2369  gc_free(&gc);
2370  return ret;
2371 }
2372 
2373 static bool
2375 {
2376  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2377 
2378  ASSERT(session->opt->key_method == 2);
2379  ASSERT(buf_init(buf, 0));
2380 
2381  /* write a uint32 0 */
2382  if (!buf_write_u32(buf, 0))
2383  {
2384  goto error;
2385  }
2386 
2387  /* write key_method + flags */
2388  if (!buf_write_u8(buf, (session->opt->key_method & KEY_METHOD_MASK)))
2389  {
2390  goto error;
2391  }
2392 
2393  /* write key source material */
2394  if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2395  {
2396  goto error;
2397  }
2398 
2399  /* write options string */
2400  {
2401  if (!write_string(buf, local_options_string(session), TLS_OPTIONS_LEN))
2402  {
2403  goto error;
2404  }
2405  }
2406 
2407  /* write username/password if specified */
2409  {
2410 #ifdef ENABLE_MANAGEMENT
2411  auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
2412 #else
2413  auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
2414 #endif
2415  struct user_pass *up = &auth_user_pass;
2416 
2417  /*
2418  * If we have a valid auth-token, send that instead of real
2419  * username/password
2420  */
2421  if (auth_token.defined)
2422  up = &auth_token;
2423 
2424  if (!write_string(buf, up->username, -1))
2425  {
2426  goto error;
2427  }
2428  else if (!write_string(buf, up->password, -1))
2429  {
2430  goto error;
2431  }
2432  /* if auth-nocache was specified, the auth_user_pass object reaches
2433  * a "complete" state only after having received the push-reply
2434  * message.
2435  *
2436  * For this reason, skip the purge operation here if no push-reply
2437  * message has been received yet.
2438  *
2439  * This normally happens upon first negotiation only.
2440  */
2442  {
2444  }
2445  }
2446  else
2447  {
2448  if (!write_empty_string(buf)) /* no username */
2449  {
2450  goto error;
2451  }
2452  if (!write_empty_string(buf)) /* no password */
2453  {
2454  goto error;
2455  }
2456  }
2457 
2458  if (!push_peer_info(buf, session))
2459  {
2460  goto error;
2461  }
2462 
2463  /* Generate tunnel keys if we're a TLS server.
2464  * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
2465  * generation is postponed until after the pull/push, so we can process pushed
2466  * cipher directives.
2467  */
2468  if (session->opt->server && !(session->opt->ncp_enabled
2469  && session->opt->mode == MODE_SERVER && ks->key_id <= 0))
2470  {
2471  if (ks->authenticated)
2472  {
2474  {
2475  msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
2476  goto error;
2477  }
2478  }
2479  }
2480 
2481  return true;
2482 
2483 error:
2484  msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2485  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2486  return false;
2487 }
2488 
2489 static bool
2491 {
2492  int status;
2493  struct key key;
2494  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2495 
2496  ASSERT(session->opt->key_method == 1);
2497 
2498  if (!session->verified)
2499  {
2500  msg(D_TLS_ERRORS,
2501  "TLS Error: Certificate verification failed (key-method 1)");
2502  goto error;
2503  }
2504 
2505  status = read_key(&key, &session->opt->key_type, buf);
2506  if (status != 1)
2507  {
2508  msg(D_TLS_ERRORS,
2509  "TLS Error: Error reading data channel key from plaintext buffer");
2510  goto error;
2511  }
2512 
2513  if (!check_key(&key, &session->opt->key_type))
2514  {
2515  msg(D_TLS_ERRORS, "TLS Error: Bad decrypting key received from peer");
2516  goto error;
2517  }
2518 
2519  if (buf->len < 1)
2520  {
2521  msg(D_TLS_ERRORS, "TLS Error: Missing options string");
2522  goto error;
2523  }
2524 
2525 #ifdef ENABLE_OCC
2526  /* compare received remote options string
2527  * with our locally computed options string */
2528  if (!session->opt->disable_occ
2529  && !options_cmp_equal_safe((char *) BPTR(buf), session->opt->remote_options, buf->len))
2530  {
2531  options_warning_safe((char *) BPTR(buf), session->opt->remote_options, buf->len);
2532  }
2533 #endif
2534 
2535  buf_clear(buf);
2536 
2538  &session->opt->key_type, OPENVPN_OP_DECRYPT,
2539  "Data Channel Decrypt");
2540  secure_memzero(&key, sizeof(key));
2541  ks->authenticated = true;
2542  return true;
2543 
2544 error:
2545  buf_clear(buf);
2546  secure_memzero(&key, sizeof(key));
2547  return false;
2548 }
2549 
2550 static bool
2551 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2552 {
2553  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2554 
2555  int key_method_flags;
2556  bool username_status, password_status;
2557 
2558  struct gc_arena gc = gc_new();
2559  char *options;
2560  struct user_pass *up = NULL;
2561 
2562  /* allocate temporary objects */
2563  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2564 
2565  ASSERT(session->opt->key_method == 2);
2566 
2567  /* discard leading uint32 */
2568  if (!buf_advance(buf, 4))
2569  {
2570  msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2571  buf->len);
2572  goto error;
2573  }
2574 
2575  /* get key method */
2576  key_method_flags = buf_read_u8(buf);
2577  if ((key_method_flags & KEY_METHOD_MASK) != 2)
2578  {
2579  msg(D_TLS_ERRORS,
2580  "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2581  key_method_flags);
2582  goto error;
2583  }
2584 
2585  /* get key source material (not actual keys yet) */
2586  if (!key_source2_read(ks->key_src, buf, session->opt->server))
2587  {
2588  msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2589  goto error;
2590  }
2591 
2592  /* get options */
2593  if (!read_string(buf, options, TLS_OPTIONS_LEN))
2594  {
2595  msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2596  goto error;
2597  }
2598 
2599  ks->authenticated = false;
2600 
2601  /* always extract username + password fields from buf, even if not
2602  * authenticating for it, because otherwise we can't get at the
2603  * peer_info data which follows behind
2604  */
2605  ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2606  username_status = read_string(buf, up->username, USER_PASS_LEN);
2607  password_status = read_string(buf, up->password, USER_PASS_LEN);
2608 
2609 #if P2MP_SERVER
2610  /* get peer info from control channel */
2611  free(multi->peer_info);
2612  multi->peer_info = read_string_alloc(buf);
2613  if (multi->peer_info)
2614  {
2615  output_peer_info_env(session->opt->es, multi->peer_info);
2616  }
2617 
2618  free(multi->remote_ciphername);
2619  multi->remote_ciphername =
2620  options_string_extract_option(options, "cipher", NULL);
2621 
2622  if (tls_peer_info_ncp_ver(multi->peer_info) < 2)
2623  {
2624  /* Peer does not support NCP, but leave NCP enabled if the local and
2625  * remote cipher do not match to attempt 'poor-man's NCP'.
2626  */
2627  if (multi->remote_ciphername == NULL
2628  || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername))
2629  {
2630  session->opt->ncp_enabled = false;
2631  }
2632  }
2633 #endif /* if P2MP_SERVER */
2634 
2635  if (tls_session_user_pass_enabled(session))
2636  {
2637  /* Perform username/password authentication */
2638  if (!username_status || !password_status)
2639  {
2640  CLEAR(*up);
2641  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2642  {
2643  msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2644  goto error;
2645  }
2646  }
2647 
2648  verify_user_pass(up, multi, session);
2649  }
2650  else
2651  {
2652  /* Session verification should have occurred during TLS negotiation*/
2653  if (!session->verified)
2654  {
2655  msg(D_TLS_ERRORS,
2656  "TLS Error: Certificate verification failed (key-method 2)");
2657  goto error;
2658  }
2659  ks->authenticated = true;
2660  }
2661 
2662  /* clear username and password from memory */
2663  secure_memzero(up, sizeof(*up));
2664 
2665  /* Perform final authentication checks */
2666  if (ks->authenticated)
2667  {
2668  verify_final_auth_checks(multi, session);
2669  }
2670 
2671 #ifdef ENABLE_OCC
2672  /* check options consistency */
2673  if (!session->opt->disable_occ
2674  && !options_cmp_equal(options, session->opt->remote_options))
2675  {
2676  options_warning(options, session->opt->remote_options);
2677  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2678  {
2679  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2680  ks->authenticated = false;
2681  }
2682  }
2683 #endif
2684 
2685  buf_clear(buf);
2686 
2687  /*
2688  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2689  * veto opportunity over authentication decision.
2690  */
2692  {
2694 
2695  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2696  {
2697  ks->authenticated = false;
2698  }
2699 
2700  setenv_del(session->opt->es, "exported_keying_material");
2701  }
2702 
2703  /*
2704  * Generate tunnel keys if we're a client.
2705  * If --pull is enabled, the first key generation is postponed until after the
2706  * pull/push, so we can process pushed cipher directives.
2707  */
2708  if (!session->opt->server && (!session->opt->pull || ks->key_id > 0))
2709  {
2711  {
2712  msg(D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed");
2713  goto error;
2714  }
2715  }
2716 
2717  gc_free(&gc);
2718  return true;
2719 
2720 error:
2721  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2722  if (up)
2723  {
2724  secure_memzero(up, sizeof(*up));
2725  }
2726  buf_clear(buf);
2727  gc_free(&gc);
2728  return false;
2729 }
2730 
2731 static int
2733 {
2734  int ret = o->handshake_window;
2735  const int r2 = o->renegotiate_seconds / 2;
2736 
2737  if (o->renegotiate_seconds && r2 < ret)
2738  {
2739  ret = r2;
2740  }
2741  return ret;
2742 }
2743 
2744 /*
2745  * This is the primary routine for processing TLS stuff inside the
2746  * the main event loop. When this routine exits
2747  * with non-error status, it will set *wakeup to the number of seconds
2748  * when it wants to be called again.
2749  *
2750  * Return value is true if we have placed a packet in *to_link which we
2751  * want to send to our peer.
2752  */
2753 static bool
2754 tls_process(struct tls_multi *multi,
2755  struct tls_session *session,
2756  struct buffer *to_link,
2757  struct link_socket_actual **to_link_addr,
2758  struct link_socket_info *to_link_socket_info,
2759  interval_t *wakeup)
2760 {
2761  struct gc_arena gc = gc_new();
2762  struct buffer *buf;
2763  bool state_change = false;
2764  bool active = false;
2765  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2766  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2767 
2768  /* Make sure we were initialized and that we're not in an error state */
2769  ASSERT(ks->state != S_UNDEF);
2770  ASSERT(ks->state != S_ERROR);
2771  ASSERT(session_id_defined(&session->session_id));
2772 
2773  /* Should we trigger a soft reset? -- new key, keeps old key for a while */
2774  if (ks->state >= S_ACTIVE
2775  && ((session->opt->renegotiate_seconds
2776  && now >= ks->established + session->opt->renegotiate_seconds)
2777  || (session->opt->renegotiate_bytes > 0
2778  && ks->n_bytes >= session->opt->renegotiate_bytes)
2779  || (session->opt->renegotiate_packets
2780  && ks->n_packets >= session->opt->renegotiate_packets)
2782  {
2783  msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
2784  "/%d pkts=" counter_format "/%d",
2785  (int) (now - ks->established), session->opt->renegotiate_seconds,
2786  ks->n_bytes, session->opt->renegotiate_bytes,
2787  ks->n_packets, session->opt->renegotiate_packets);
2788  key_state_soft_reset(session);
2789  }
2790 
2791  /* Kill lame duck key transition_window seconds after primary key negotiation */
2792  if (lame_duck_must_die(session, wakeup))
2793  {
2794  key_state_free(ks_lame, true);
2795  msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
2796  }
2797 
2798  do
2799  {
2800  update_time();
2801 
2802  dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
2803  state_change,
2804  state_name(ks->state),
2805  state_name(ks_lame->state),
2806  to_link->len,
2807  *wakeup);
2808 
2809  state_change = false;
2810 
2811  /*
2812  * TLS activity is finished once we get to S_ACTIVE,
2813  * though we will still process acknowledgements.
2814  *
2815  * CHANGED with 2.0 -> now we may send tunnel configuration
2816  * info over the control channel.
2817  */
2818 
2819  /* Initial handshake */
2820  if (ks->state == S_INITIAL)
2821  {
2823  if (buf)
2824  {
2825  ks->must_negotiate = now + session->opt->handshake_window;
2827 
2828  /* null buffer */
2831 
2832  ks->state = S_PRE_START;
2833  state_change = true;
2834  dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2835  session_id_print(&session->session_id, &gc));
2836 
2837 #ifdef ENABLE_MANAGEMENT
2839  {
2842  NULL,
2843  NULL,
2844  NULL,
2845  NULL,
2846  NULL);
2847  }
2848 #endif
2849  }
2850  }
2851 
2852  /* Are we timed out on receive? */
2853  if (now >= ks->must_negotiate)
2854  {
2855  if (ks->state < S_ACTIVE)
2856  {
2857  msg(D_TLS_ERRORS,
2858  "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2859  session->opt->handshake_window);
2860  goto error;
2861  }
2862  else /* assume that ks->state == S_ACTIVE */
2863  {
2864  dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP");
2865  ks->state = S_NORMAL_OP;
2866  ks->must_negotiate = 0;
2867  }
2868  }
2869 
2870  /* Wait for Initial Handshake ACK */
2871  if (ks->state == S_PRE_START && FULL_SYNC)
2872  {
2873  ks->state = S_START;
2874  state_change = true;
2875 
2876  /*
2877  * Attempt CRL reload before TLS negotiation. Won't be performed if
2878  * the file was not modified since the last reload
2879  */
2880  if (session->opt->crl_file
2881  && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
2882  {
2883  tls_ctx_reload_crl(&session->opt->ssl_ctx,
2884  session->opt->crl_file, session->opt->crl_file_inline);
2885  }
2886 
2887  /* New connection, remove any old X509 env variables */
2888  tls_x509_clear_env(session->opt->es);
2889 
2890  dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2891  }
2892 
2893  /* Wait for ACK */
2894  if (((ks->state == S_GOT_KEY && !session->opt->server)
2895  || (ks->state == S_SENT_KEY && session->opt->server)))
2896  {
2897  if (FULL_SYNC)
2898  {
2899  ks->established = now;
2900  dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2902  {
2903  print_details(&ks->ks_ssl, "Control Channel:");
2904  }
2905  state_change = true;
2906  ks->state = S_ACTIVE;
2907  INCR_SUCCESS;
2908 
2909  /* Set outgoing address for data channel packets */
2910  link_socket_set_outgoing_addr(NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
2911 
2912  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2914 
2915 #ifdef MEASURE_TLS_HANDSHAKE_STATS
2916  show_tls_performance_stats();
2917 #endif
2918  }
2919  }
2920 
2921  /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2922  * for previously received packets) */
2923  if (!to_link->len && reliable_can_send(ks->send_reliable))
2924  {
2925  int opcode;
2926  struct buffer b;
2927 
2928  buf = reliable_send(ks->send_reliable, &opcode);
2929  ASSERT(buf);
2930  b = *buf;
2931  INCR_SENT;
2932 
2933  write_control_auth(session, ks, &b, to_link_addr, opcode,
2934  CONTROL_SEND_ACK_MAX, true);
2935  *to_link = b;
2936  active = true;
2937  state_change = true;
2938  dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2939  break;
2940  }
2941 
2942  /* Write incoming ciphertext to TLS object */
2944  if (buf)
2945  {
2946  int status = 0;
2947  if (buf->len)
2948  {
2949  status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2950  if (status == -1)
2951  {
2952  msg(D_TLS_ERRORS,
2953  "TLS Error: Incoming Ciphertext -> TLS object write error");
2954  goto error;
2955  }
2956  }
2957  else
2958  {
2959  status = 1;
2960  }
2961  if (status == 1)
2962  {
2963  reliable_mark_deleted(ks->rec_reliable, buf, true);
2964  state_change = true;
2965  dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2966  }
2967  }
2968 
2969  /* Read incoming plaintext from TLS object */
2970  buf = &ks->plaintext_read_buf;
2971  if (!buf->len)
2972  {
2973  int status;
2974 
2975  ASSERT(buf_init(buf, 0));
2977  update_time();
2978  if (status == -1)
2979  {
2980  msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2981  goto error;
2982  }
2983  if (status == 1)
2984  {
2985  state_change = true;
2986  dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2987 
2988  /* More data may be available, wake up again asap to check. */
2989  *wakeup = 0;
2990  }
2991  }
2992 
2993  /* Send Key */
2994  buf = &ks->plaintext_write_buf;
2995  if (!buf->len && ((ks->state == S_START && !session->opt->server)
2996  || (ks->state == S_GOT_KEY && session->opt->server)))
2997  {
2998  if (session->opt->key_method == 1)
2999  {
3000  if (!key_method_1_write(buf, session))
3001  {
3002  goto error;
3003  }
3004  }
3005  else if (session->opt->key_method == 2)
3006  {
3007  if (!key_method_2_write(buf, session))
3008  {
3009  goto error;
3010  }
3011  }
3012  else
3013  {
3014  ASSERT(0);
3015  }
3016 
3017  state_change = true;
3018  dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
3019  ks->state = S_SENT_KEY;
3020  }
3021 
3022  /* Receive Key */
3023  buf = &ks->plaintext_read_buf;
3024  if (buf->len
3025  && ((ks->state == S_SENT_KEY && !session->opt->server)
3026  || (ks->state == S_START && session->opt->server)))
3027  {
3028  if (session->opt->key_method == 1)
3029  {
3030  if (!key_method_1_read(buf, session))
3031  {
3032  goto error;
3033  }
3034  }
3035  else if (session->opt->key_method == 2)
3036  {
3037  if (!key_method_2_read(buf, multi, session))
3038  {
3039  goto error;
3040  }
3041  }
3042  else
3043  {
3044  ASSERT(0);
3045  }
3046 
3047  state_change = true;
3048  dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
3049  ks->state = S_GOT_KEY;
3050  }
3051 
3052  /* Write outgoing plaintext to TLS object */
3053  buf = &ks->plaintext_write_buf;
3054  if (buf->len)
3055  {
3056  int status = key_state_write_plaintext(&ks->ks_ssl, buf);
3057  if (status == -1)
3058  {
3059  msg(D_TLS_ERRORS,
3060  "TLS ERROR: Outgoing Plaintext -> TLS object write error");
3061  goto error;
3062  }
3063  if (status == 1)
3064  {
3065  state_change = true;
3066  dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
3067  }
3068  }
3069 
3070  /* Outgoing Ciphertext to reliable buffer */
3071  if (ks->state >= S_START)
3072  {
3074  if (buf)
3075  {
3077  if (status == -1)
3078  {
3079  msg(D_TLS_ERRORS,
3080  "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
3081  goto error;
3082  }
3083  if (status == 1)
3084  {
3087  state_change = true;
3088  dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
3089  }
3090  }
3091  }
3092  }
3093  while (state_change);
3094 
3095  update_time();
3096 
3097  /* Send 1 or more ACKs (each received control packet gets one ACK) */
3098  if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3099  {
3100  struct buffer buf = ks->ack_write_buf;
3101  ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame)));
3102  write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
3103  RELIABLE_ACK_SIZE, false);
3104  *to_link = buf;
3105  active = true;
3106  dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3107  }
3108 
3109  /* When should we wake up again? */
3110  {
3111  if (ks->state >= S_INITIAL)
3112  {
3113  compute_earliest_wakeup(wakeup,
3115 
3116  if (ks->must_negotiate)
3117  {
3119  }
3120  }
3121 
3122  if (ks->established && session->opt->renegotiate_seconds)
3123  {
3124  compute_earliest_wakeup(wakeup,
3125  ks->established + session->opt->renegotiate_seconds - now);
3126  }
3127 
3128  /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3129  if (*wakeup <= 0)
3130  {
3131  *wakeup = 1;
3132 
3133  /* if we had something to send to remote, but to_link was busy,
3134  * let caller know we need to be called again soon */
3135  active = true;
3136  }
3137 
3138  dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3139 
3140  gc_free(&gc);
3141  return active;
3142  }
3143 
3144 error:
3145  tls_clear_error();
3146  ks->state = S_ERROR;
3147  msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
3148  INCR_ERROR;
3149  gc_free(&gc);
3150  return false;
3151 }
3152 
3153 /*
3154  * Called by the top-level event loop.
3155  *
3156  * Basically decides if we should call tls_process for
3157  * the active or untrusted sessions.
3158  */
3159 
3160 int
3162  struct buffer *to_link,
3163  struct link_socket_actual **to_link_addr,
3164  struct link_socket_info *to_link_socket_info,
3165  interval_t *wakeup)
3166 {
3167  struct gc_arena gc = gc_new();
3168  int i;
3169  int active = TLSMP_INACTIVE;
3170  bool error = false;
3171  int tas;
3172 
3174 
3175  tls_clear_error();
3176 
3177  /*
3178  * Process each session object having state of S_INITIAL or greater,
3179  * and which has a defined remote IP addr.
3180  */
3181 
3182  for (i = 0; i < TM_SIZE; ++i)
3183  {
3184  struct tls_session *session = &multi->session[i];
3185  struct key_state *ks = &session->key[KS_PRIMARY];
3186  struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3187 
3188  /* set initial remote address */
3189  if (i == TM_ACTIVE && ks->state == S_INITIAL
3190  && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3191  {
3192  ks->remote_addr = to_link_socket_info->lsa->actual;
3193  }
3194 
3195  dmsg(D_TLS_DEBUG,
3196  "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3197  i,
3198  state_name(ks->state),
3199  session_id_print(&session->session_id, &gc),
3202 
3204  {
3205  struct link_socket_actual *tla = NULL;
3206 
3207  update_time();
3208 
3209  if (tls_process(multi, session, to_link, &tla,
3210  to_link_socket_info, wakeup))
3211  {
3212  active = TLSMP_ACTIVE;
3213  }
3214 
3215  /*
3216  * If tls_process produced an outgoing packet,
3217  * return the link_socket_actual object (which
3218  * contains the outgoing address).
3219  */
3220  if (tla)
3221  {
3222  multi->to_link_addr = *tla;
3223  *to_link_addr = &multi->to_link_addr;
3224  }
3225 
3226  /*
3227  * If tls_process hits an error:
3228  * (1) If the session has an unexpired lame duck key, preserve it.
3229  * (2) Reinitialize the session.
3230  * (3) Increment soft error count
3231  */
3232  if (ks->state == S_ERROR)
3233  {
3234  ++multi->n_soft_errors;
3235 
3236  if (i == TM_ACTIVE)
3237  {
3238  error = true;
3239  }
3240 
3241  if (i == TM_ACTIVE
3242  && ks_lame->state >= S_ACTIVE
3243  && !multi->opt.single_session)
3244  {
3245  move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3246  }
3247  else
3248  {
3249  reset_session(multi, session);
3250  }
3251  }
3252  }
3253  }
3254 
3255  update_time();
3256 
3258 
3259  /*
3260  * If lame duck session expires, kill it.
3261  */
3262  if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3263  {
3264  tls_session_free(&multi->session[TM_LAME_DUCK], true);
3265  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3266  }
3267 
3268  /*
3269  * If untrusted session achieves TLS authentication,
3270  * move it to active session, usurping any prior session.
3271  *
3272  * A semi-trusted session is one in which the certificate authentication
3273  * succeeded (if cert verification is enabled) but the username/password
3274  * verification failed. A semi-trusted session can forward data on the
3275  * TLS control channel but not on the tunnel channel.
3276  */
3277  if (DECRYPT_KEY_ENABLED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY]))
3278  {
3279  move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true);
3280  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
3281  tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3282  }
3283 
3284  /*
3285  * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3286  * other key state objects are S_ACTIVE or higher.
3287  */
3288  if (error)
3289  {
3290  for (i = 0; i < (int) SIZE(multi->key_scan); ++i)
3291  {
3292  if (multi->key_scan[i]->state >= S_ACTIVE)
3293  {
3294  goto nohard;
3295  }
3296  }
3297  ++multi->n_hard_errors;
3298  }
3299 nohard:
3300 
3301 #ifdef ENABLE_DEBUG
3302  /* DEBUGGING -- flood peer with repeating connection attempts */
3303  {
3304  const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3305  if (throw_level)
3306  {
3307  for (i = 0; i < (int) SIZE(multi->key_scan); ++i)
3308  {
3309  if (multi->key_scan[i]->state >= throw_level)
3310  {
3311  ++multi->n_hard_errors;
3312  ++multi->n_soft_errors;
3313  }
3314  }
3315  }
3316  }
3317 #endif
3318 
3319  perf_pop();
3320  gc_free(&gc);
3321 
3322  return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3323 }
3324 
3325 /*
3326  * Pre and post-process the encryption & decryption buffers in order
3327  * to implement a multiplexed TLS channel over the TCP/UDP port.
3328  */
3329 
3330 /*
3331  *
3332  * When we are in TLS mode, this is the first routine which sees
3333  * an incoming packet.
3334  *
3335  * If it's a data packet, we set opt so that our caller can
3336  * decrypt it. We also give our caller the appropriate decryption key.
3337  *
3338  * If it's a control packet, we authenticate it and process it,
3339  * possibly creating a new tls_session if it represents the
3340  * first packet of a new session. For control packets, we will
3341  * also zero the size of *buf so that our caller ignores the
3342  * packet on our return.
3343  *
3344  * Note that openvpn only allows one active session at a time,
3345  * so a new session (once authenticated) will always usurp
3346  * an old session.
3347  *
3348  * Return true if input was an authenticated control channel
3349  * packet.
3350  *
3351  * If we are running in TLS thread mode, all public routines
3352  * below this point must be called with the L_TLS lock held.
3353  */
3354 
3355 bool
3357  const struct link_socket_actual *from,
3358  struct buffer *buf,
3359  struct crypto_options **opt,
3360  bool floated,
3361  const uint8_t **ad_start)
3362 {
3363  struct gc_arena gc = gc_new();
3364  bool ret = false;
3365 
3366  if (buf->len > 0)
3367  {
3368  int i;
3369  int op;
3370  int key_id;
3371 
3372  /* get opcode and key ID */
3373  {
3374  uint8_t c = *BPTR(buf);
3375  op = c >> P_OPCODE_SHIFT;
3376  key_id = c & P_KEY_ID_MASK;
3377  }
3378 
3379  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3380  {
3381  /* data channel packet */
3382  for (i = 0; i < KEY_SCAN_SIZE; ++i)
3383  {
3384  struct key_state *ks = multi->key_scan[i];
3385 
3386  /*
3387  * This is the basic test of TLS state compatibility between a local OpenVPN
3388  * instance and its remote peer.
3389  *
3390  * If the test fails, it tells us that we are getting a packet from a source
3391  * which claims reference to a prior negotiated TLS session, but the local
3392  * OpenVPN instance has no memory of such a negotiation.
3393  *
3394  * It almost always occurs on UDP sessions when the passive side of the
3395  * connection is restarted without the active side restarting as well (the
3396  * passive side is the server which only listens for the connections, the
3397  * active side is the client which initiates connections).
3398  */
3399  if (DECRYPT_KEY_ENABLED(multi, ks)
3400  && key_id == ks->key_id
3401  && ks->authenticated
3402 #ifdef ENABLE_DEF_AUTH
3403  && !ks->auth_deferred
3404 #endif
3405  && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3406  {
3408  {
3410  "Key %s [%d] not initialized (yet), dropping packet.",
3411  print_link_socket_actual(from, &gc), key_id);
3412  goto error_lite;
3413  }
3414 
3415  /* return appropriate data channel decrypt key in opt */
3416  *opt = &ks->crypto_options;
3417  if (op == P_DATA_V2)
3418  {
3419  *ad_start = BPTR(buf);
3420  }
3421  ASSERT(buf_advance(buf, 1));
3422  if (op == P_DATA_V1)
3423  {
3424  *ad_start = BPTR(buf);
3425  }
3426  else if (op == P_DATA_V2)
3427  {
3428  if (buf->len < 4)
3429  {
3430  msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3431  print_link_socket_actual(from, &gc));
3432  goto error;
3433  }
3434  ASSERT(buf_advance(buf, 3));
3435  }
3436 
3437  ++ks->n_packets;
3438  ks->n_bytes += buf->len;
3440  "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3441  key_id, print_link_socket_actual(from, &gc));
3442  gc_free(&gc);
3443  return ret;
3444  }
3445  }
3446 
3447  msg(D_TLS_ERRORS,
3448  "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
3449  print_link_socket_actual(from, &gc), key_id);
3450  goto error_lite;
3451  }
3452  else /* control channel packet */
3453  {
3454  bool do_burst = false;
3455  bool new_link = false;
3456  struct session_id sid; /* remote session ID */
3457 
3458  /* verify legal opcode */
3459  if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3460  {
3461  msg(D_TLS_ERRORS,
3462  "TLS Error: unknown opcode received from %s op=%d",
3463  print_link_socket_actual(from, &gc), op);
3464  goto error;
3465  }
3466 
3467  /* hard reset ? */
3468  if (is_hard_reset(op, 0))
3469  {
3470  /* verify client -> server or server -> client connection */
3471  if (((op == P_CONTROL_HARD_RESET_CLIENT_V1
3473  || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3475  || op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3476  {
3477  msg(D_TLS_ERRORS,
3478  "TLS Error: client->client or server->server connection attempted from %s",
3479  print_link_socket_actual(from, &gc));
3480  goto error;
3481  }
3482  }
3483 
3484  /*
3485  * Authenticate Packet
3486  */
3487  dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3489 
3490  /* get remote session-id */
3491  {
3492  struct buffer tmp = *buf;
3493  buf_advance(&tmp, 1);
3494  if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3495  {
3496  msg(D_TLS_ERRORS,
3497  "TLS Error: session-id not found in packet from %s",
3498  print_link_socket_actual(from, &gc));
3499  goto error;
3500  }
3501  }
3502 
3503  /* use session ID to match up packet with appropriate tls_session object */
3504  for (i = 0; i < TM_SIZE; ++i)
3505  {
3506  struct tls_session *session = &multi->session[i];
3507  struct key_state *ks = &session->key[KS_PRIMARY];
3508 
3509  dmsg(D_TLS_DEBUG,
3510  "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3511  i,
3512  state_name(ks->state),
3513  session_id_print(&session->session_id, &gc),
3514  session_id_print(&sid, &gc),
3515  print_link_socket_actual(from, &gc),
3518 
3519  if (session_id_equal(&ks->session_id_remote, &sid))
3520  /* found a match */
3521  {
3522  if (i == TM_LAME_DUCK)
3523  {
3524  msg(D_TLS_ERRORS,
3525  "TLS ERROR: received control packet with stale session-id=%s",
3526  session_id_print(&sid, &gc));
3527  goto error;
3528  }
3529  dmsg(D_TLS_DEBUG,
3530  "TLS: found match, session[%d], sid=%s",
3531  i, session_id_print(&sid, &gc));
3532  break;
3533  }
3534  }
3535 
3536  /*
3537  * Initial packet received.
3538  */
3539 
3540  if (i == TM_SIZE && is_hard_reset(op, 0))
3541  {
3542  struct tls_session *session = &multi->session[TM_ACTIVE];
3543  struct key_state *ks = &session->key[KS_PRIMARY];
3544 
3545  if (!is_hard_reset(op, multi->opt.key_method))
3546  {
3547  msg(D_TLS_ERRORS, "TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s",
3548  multi->opt.key_method,
3549  packet_opcode_name(op));
3550  goto error;
3551  }
3552 
3553  /*
3554  * If we have no session currently in progress, the initial packet will
3555  * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
3556  */
3558  {
3559  if (multi->opt.single_session && multi->n_sessions)
3560  {
3561  msg(D_TLS_ERRORS,
3562  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
3563  print_link_socket_actual(from, &gc));
3564  goto error;
3565  }
3566 
3567 #ifdef ENABLE_MANAGEMENT
3568  if (management)
3569  {
3572  NULL,
3573  NULL,
3574  NULL,
3575  NULL,
3576  NULL);
3577  }
3578 #endif
3579 
3581  "TLS: Initial packet from %s, sid=%s",
3582  print_link_socket_actual(from, &gc),
3583  session_id_print(&sid, &gc));
3584 
3585  do_burst = true;
3586  new_link = true;
3587  i = TM_ACTIVE;
3588  session->untrusted_addr = *from;
3589  }
3590  }
3591 
3592  if (i == TM_SIZE && is_hard_reset(op, 0))
3593  {
3594  /*
3595  * No match with existing sessions,
3596  * probably a new session.
3597  */
3598  struct tls_session *session = &multi->session[TM_UNTRUSTED];
3599 
3600  /*
3601  * If --single-session, don't allow any hard-reset connection request
3602  * unless it the the first packet of the session.
3603  */
3604  if (multi->opt.single_session)
3605  {
3606  msg(D_TLS_ERRORS,
3607  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
3608  print_link_socket_actual(from, &gc));
3609  goto error;
3610  }
3611 
3612  if (!is_hard_reset(op, multi->opt.key_method))
3613  {
3614  msg(D_TLS_ERRORS, "TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s",
3615  multi->opt.key_method,
3616  packet_opcode_name(op));
3617  goto error;
3618  }
3619 
3620  if (!read_control_auth(buf, &session->tls_wrap, from,
3621  session->opt))
3622  {
3623  goto error;
3624  }
3625 
3626  /*
3627  * New session-initiating control packet is authenticated at this point,
3628  * assuming that the --tls-auth command line option was used.
3629  *
3630  * Without --tls-auth, we leave authentication entirely up to TLS.
3631  */
3633  "TLS: new session incoming connection from %s",
3634  print_link_socket_actual(from, &gc));
3635 
3636  new_link = true;
3637  i = TM_UNTRUSTED;
3638  session->untrusted_addr = *from;
3639  }
3640  else
3641  {
3642  struct tls_session *session = &multi->session[i];
3643  struct key_state *ks = &session->key[KS_PRIMARY];
3644 
3645  /*
3646  * Packet must belong to an existing session.
3647  */
3648  if (i != TM_ACTIVE && i != TM_UNTRUSTED)
3649  {
3650  msg(D_TLS_ERRORS,
3651  "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3652  print_link_socket_actual(from, &gc),
3653  i,
3654  packet_opcode_name(op));
3655  goto error;
3656  }
3657 
3658  /*
3659  * Verify remote IP address
3660  */
3661  if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3662  {
3663  msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3664  print_link_socket_actual(from, &gc));
3665  goto error;
3666  }
3667 
3668  /*
3669  * Remote is requesting a key renegotiation
3670  */
3671  if (op == P_CONTROL_SOFT_RESET_V1
3672  && DECRYPT_KEY_ENABLED(multi, ks))
3673  {
3674  if (!read_control_auth(buf, &session->tls_wrap, from,
3675  session->opt))
3676  {
3677  goto error;
3678  }
3679 
3680  key_state_soft_reset(session);
3681 
3682  dmsg(D_TLS_DEBUG,
3683  "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3684  i, session_id_print(&sid, &gc));
3685  }
3686  else
3687  {
3688  /*
3689  * Remote responding to our key renegotiation request?
3690  */
3691  if (op == P_CONTROL_SOFT_RESET_V1)
3692  {
3693  do_burst = true;
3694  }
3695 
3696  if (!read_control_auth(buf, &session->tls_wrap, from,
3697  session->opt))
3698  {
3699  goto error;
3700  }
3701 
3702  dmsg(D_TLS_DEBUG,
3703  "TLS: received control channel packet s#=%d sid=%s",
3704  i, session_id_print(&sid, &gc));
3705  }
3706  }
3707 
3708  /*
3709  * We have an authenticated control channel packet (if --tls-auth was set).
3710  * Now pass to our reliability layer which deals with
3711  * packet acknowledgements, retransmits, sequencing, etc.
3712  */
3713  {
3714  struct tls_session *session = &multi->session[i];
3715  struct key_state *ks = &session->key[KS_PRIMARY];
3716 
3717  /* Make sure we were initialized and that we're not in an error state */
3718  ASSERT(ks->state != S_UNDEF);
3719  ASSERT(ks->state != S_ERROR);
3720  ASSERT(session_id_defined(&session->session_id));
3721 
3722  /* Let our caller know we processed a control channel packet */
3723  ret = true;
3724 
3725  /*
3726  * Set our remote address and remote session_id
3727  */
3728  if (new_link)
3729  {
3730  ks->session_id_remote = sid;
3731  ks->remote_addr = *from;
3732  ++multi->n_sessions;
3733  }
3734  else if (!link_socket_actual_match(&ks->remote_addr, from))
3735  {
3736  msg(D_TLS_ERRORS,
3737  "TLS Error: Existing session control channel packet from unknown IP address: %s",
3738  print_link_socket_actual(from, &gc));
3739  goto error;
3740  }
3741 
3742  /*
3743  * Should we do a retransmit of all unacknowledged packets in
3744  * the send buffer? This improves the start-up efficiency of the
3745  * initial key negotiation after the 2nd peer comes online.
3746  */
3747  if (do_burst && !session->burst)
3748  {
3750  session->burst = true;
3751  }
3752 
3753  /* Check key_id */
3754  if (ks->key_id != key_id)
3755  {
3756  msg(D_TLS_ERRORS,
3757  "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3758  ks->key_id, key_id, print_key_id(multi, &gc));
3759  goto error;
3760  }
3761 
3762  /*
3763  * Process incoming ACKs for packets we can now
3764  * delete from reliable send buffer
3765  */
3766  {
3767  /* buffers all packet IDs to delete from send_reliable */
3768  struct reliable_ack send_ack;
3769 
3770  send_ack.len = 0;
3771  if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3772  {
3773  msg(D_TLS_ERRORS,
3774  "TLS Error: reading acknowledgement record from packet");
3775  goto error;
3776  }
3777  reliable_send_purge(ks->send_reliable, &send_ack);
3778  }
3779 
3780  if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3781  {
3782  packet_id_type id;
3783 
3784  /* Extract the packet ID from the packet */
3785  if (reliable_ack_read_packet_id(buf, &id))
3786  {
3787  /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3789  {
3790  if (reliable_not_replay(ks->rec_reliable, id))
3791  {
3792  /* Save incoming ciphertext packet to reliable buffer */
3793  struct buffer *in = reliable_get_buf(ks->rec_reliable);
3794  ASSERT(in);
3795  if (!buf_copy(in, buf))
3796  {
3798  "Incoming control channel packet too big, dropping.");
3799  goto error;
3800  }
3802  }
3803 
3804  /* Process outgoing acknowledgment for packet just received, even if it's a replay */
3806  }
3807  }
3808  }
3809  }
3810  }
3811  }
3812 
3813 done:
3814  buf->len = 0;
3815  *opt = NULL;
3816  gc_free(&gc);
3817  return ret;
3818 
3819 error:
3820  ++multi->n_soft_errors;
3821 error_lite:
3822  tls_clear_error();
3823  goto done;
3824 }
3825 
3826 /*
3827  * This function is similar to tls_pre_decrypt, except it is called
3828  * when we are in server mode and receive an initial incoming
3829  * packet. Note that we don't modify
3830  * any state in our parameter objects. The purpose is solely to
3831  * determine whether we should generate a client instance
3832  * object, in which case true is returned.
3833  *
3834  * This function is essentially the first-line HMAC firewall
3835  * on the UDP port listener in --mode server mode.
3836  */
3837 bool
3839  const struct link_socket_actual *from,
3840  const struct buffer *buf)
3841 
3842 {
3843  struct gc_arena gc = gc_new();
3844  bool ret = false;
3845 
3846  if (buf->len > 0)
3847  {
3848  int op;
3849  int key_id;
3850 
3851  /* get opcode and key ID */
3852  {
3853  uint8_t c = *BPTR(buf);
3854  op = c >> P_OPCODE_SHIFT;
3855  key_id = c & P_KEY_ID_MASK;
3856  }
3857 
3858  /* this packet is from an as-yet untrusted source, so
3859  * scrutinize carefully */
3860 
3863  {
3864  /*
3865  * This can occur due to bogus data or DoS packets.
3866  */
3868  "TLS State Error: No TLS state for client %s, opcode=%d",
3869  print_link_socket_actual(from, &gc),
3870  op);
3871  goto error;
3872  }
3873 
3874  if (key_id != 0)
3875  {
3877  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
3878  key_id,
3879  print_link_socket_actual(from, &gc));
3880  goto error;
3881  }
3882 
3883  if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame))
3884  {
3886  "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
3887  buf->len,
3888  print_link_socket_actual(from, &gc),
3889  EXPANDED_SIZE_DYNAMIC(&tas->frame));
3890  goto error;
3891  }
3892 
3893  {
3894  struct buffer newbuf = clone_buf(buf);
3895  struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;
3896  bool status;
3897 
3898  /* HMAC test, if --tls-auth was specified */
3899  status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL);
3900  free_buf(&newbuf);
3901  free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata);
3902  if (tls_wrap_tmp.cleanup_key_ctx)
3903  {
3904  free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi);
3905  }
3906  if (!status)
3907  {
3908  goto error;
3909  }
3910 
3911  /*
3912  * At this point, if --tls-auth is being used, we know that
3913  * the packet has passed the HMAC test, but we don't know if
3914  * it is a replay yet. We will attempt to defeat replays
3915  * by not advancing to the S_START state until we
3916  * receive an ACK from our first reply to the client
3917  * that includes an HMAC of our randomly generated 64 bit
3918  * session ID.
3919  *
3920  * On the other hand if --tls-auth is not being used, we
3921  * will proceed to begin the TLS authentication
3922  * handshake with only cursory integrity checks having
3923  * been performed, since we will be leaving the task
3924  * of authentication solely up to TLS.
3925  */
3926 
3927  ret = true;
3928  }
3929  }
3930  gc_free(&gc);
3931  return ret;
3932 
3933 error:
3934  tls_clear_error();
3935  gc_free(&gc);
3936  return ret;
3937 }
3938 
3939 /* Choose the key with which to encrypt a data packet */
3940 void
3942  struct buffer *buf, struct crypto_options **opt)
3943 {
3944  multi->save_ks = NULL;
3945  if (buf->len > 0)
3946  {
3947  int i;
3948  struct key_state *ks_select = NULL;
3949  for (i = 0; i < KEY_SCAN_SIZE; ++i)
3950  {
3951  struct key_state *ks = multi->key_scan[i];
3952  if (ks->state >= S_ACTIVE
3953  && ks->authenticated
3955 #ifdef ENABLE_DEF_AUTH
3956  && !ks->auth_deferred
3957 #endif
3958  )
3959  {
3960  if (!ks_select)
3961  {
3962  ks_select = ks;
3963  }
3964  if (now >= ks->auth_deferred_expire)
3965  {
3966  ks_select = ks;
3967  break;
3968  }
3969  }
3970  }
3971 
3972  if (ks_select)
3973  {
3974  *opt = &ks_select->crypto_options;
3975  multi->save_ks = ks_select;
3976  dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3977  return;
3978  }
3979  else
3980  {
3981  struct gc_arena gc = gc_new();
3982  dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3983  print_key_id(multi, &gc));
3984  gc_free(&gc);
3985  }
3986  }
3987 
3988  buf->len = 0;
3989  *opt = NULL;
3990 }
3991 
3992 void
3993 tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3994 {
3995  struct key_state *ks = multi->save_ks;
3996  uint8_t op;
3997 
3998  msg(D_TLS_DEBUG, __func__);
3999 
4000  ASSERT(ks);
4001 
4002  op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
4003  ASSERT(buf_write_prepend(buf, &op, 1));
4004 }
4005 
4006 void
4007 tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
4008 {
4009  struct key_state *ks = multi->save_ks;
4010  uint32_t peer;
4011 
4012  msg(D_TLS_DEBUG, __func__);
4013 
4014  ASSERT(ks);
4015 
4016  peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
4017  | (multi->peer_id & 0xFFFFFF));
4018  ASSERT(buf_write_prepend(buf, &peer, 4));
4019 }
4020 
4021 void
4022 tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
4023 {
4024  struct key_state *ks = multi->save_ks;
4025  multi->save_ks = NULL;
4026 
4027  if (buf->len > 0)
4028  {
4029  ASSERT(ks);
4030 
4031  ++ks->n_packets;
4032  ks->n_bytes += buf->len;
4033  }
4034 }
4035 
4036 /*
4037  * Send a payload over the TLS control channel.
4038  * Called externally.
4039  */
4040 
4041 bool
4043  const uint8_t *data,
4044  int size)
4045 {
4046  struct tls_session *session;
4047  struct key_state *ks;
4048  bool ret = false;
4049 
4050  tls_clear_error();
4051 
4052  ASSERT(multi);
4053 
4054  session = &multi->session[TM_ACTIVE];
4055  ks = &session->key[KS_PRIMARY];
4056 
4057  if (ks->state >= S_ACTIVE)
4058  {
4059  if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
4060  {
4061  ret = true;
4062  }
4063  }
4064  else
4065  {
4066  if (!ks->paybuf)
4067  {
4068  ks->paybuf = buffer_list_new(0);
4069  }
4070  buffer_list_push_data(ks->paybuf, data, (size_t)size);
4071  ret = true;
4072  }
4073 
4074 
4075  tls_clear_error();
4076 
4077  return ret;
4078 }
4079 
4080 bool
4082  struct buffer *buf)
4083 {
4084  struct tls_session *session;
4085  struct key_state *ks;
4086  bool ret = false;
4087 
4088  tls_clear_error();
4089 
4090  ASSERT(multi);
4091 
4092  session = &multi->session[TM_ACTIVE];
4093  ks = &session->key[KS_PRIMARY];
4094 
4095  if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4096  {
4097  if (buf_copy(buf, &ks->plaintext_read_buf))
4098  {
4099  ret = true;
4100  }
4101  ks->plaintext_read_buf.len = 0;
4102  }
4103 
4104  tls_clear_error();
4105 
4106  return ret;
4107 }
4108 
4109 void
4110 tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4111 {
4112  struct gc_arena gc = gc_new();
4113  int i, j;
4114 
4115  for (i = 0; i < TM_SIZE; ++i)
4116  {
4117  struct tls_session *session = &multi->session[i];
4118 
4119  for (j = 0; j < KS_SIZE; ++j)
4120  {
4121  struct key_state *ks = &session->key[j];
4122 
4124  || link_socket_actual_match(addr, &ks->remote_addr))
4125  {
4126  continue;
4127  }
4128 
4129  dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4131  print_link_socket_actual(addr, &gc));
4132 
4133  ks->remote_addr = *addr;
4134  }
4135  }
4136  gc_free(&gc);
4137 }
4138 
4139 int
4140 tls_peer_info_ncp_ver(const char *peer_info)
4141 {
4142  const char *ncpstr = peer_info ? strstr(peer_info, "IV_NCP=") : NULL;
4143  if (ncpstr)
4144  {
4145  int ncp = 0;
4146  int r = sscanf(ncpstr, "IV_NCP=%d", &ncp);
4147  if (r == 1)
4148  {
4149  return ncp;
4150  }
4151  }
4152  return 0;
4153 }
4154 
4155 bool
4156 tls_check_ncp_cipher_list(const char *list)
4157 {
4158  bool unsupported_cipher_found = false;
4159 
4160  ASSERT(list);
4161 
4162  char *const tmp_ciphers = string_alloc(list, NULL);
4163  const char *token = strtok(tmp_ciphers, ":");
4164  while (token)
4165  {
4167  {
4168  msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
4169  unsupported_cipher_found = true;
4170  }
4171  token = strtok(NULL, ":");
4172  }
4173  free(tmp_ciphers);
4174 
4175  return 0 < strlen(list) && !unsupported_cipher_found;
4176 }
4177 
4178 void
4179 show_available_tls_ciphers(const char *cipher_list,
4180  const char *cipher_list_tls13,
4181  const char *tls_cert_profile)
4182 {
4183  printf("Available TLS Ciphers, listed in order of preference:\n");
4184 
4185 #if (ENABLE_CRYPTO_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x1010100fL)
4186  printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4187  show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4188 #else
4189  (void) cipher_list_tls13; /* Avoid unused warning */
4190 #endif
4191 
4192  printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4193  show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4194 
4195  printf("\n"
4196  "Be aware that that whether a cipher suite in this list can actually work\n"
4197  "depends on the specific setup of both peers. See the man page entries of\n"
4198  "--tls-cipher and --show-tls for more details.\n\n"
4199  );
4200 }
4201 
4202 /*
4203  * Dump a human-readable rendition of an openvpn packet
4204  * into a garbage collectable string which is returned.
4205  */
4206 const char *
4207 protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4208 {
4209  struct buffer out = alloc_buf_gc(256, gc);
4210  struct buffer buf = *buffer;
4211 
4212  uint8_t c;
4213  int op;
4214  int key_id;
4215 
4216  int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4217 
4218  if (buf.len <= 0)
4219  {
4220  buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4221  goto done;
4222  }
4223 
4224  if (!(flags & PD_TLS))
4225  {
4226  goto print_data;
4227  }
4228 
4229  /*
4230  * Initial byte (opcode)
4231  */
4232  if (!buf_read(&buf, &c, sizeof(c)))
4233  {
4234  goto done;
4235  }
4236  op = (c >> P_OPCODE_SHIFT);
4237  key_id = c & P_KEY_ID_MASK;
4238  buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4239 
4240  if ((op == P_DATA_V1) || (op == P_DATA_V2))
4241  {
4242  goto print_data;
4243  }
4244 
4245  /*
4246  * Session ID
4247  */
4248  {
4249  struct session_id sid;
4250 
4251  if (!session_id_read(&sid, &buf))
4252  {
4253  goto done;
4254  }
4255  if (flags & PD_VERBOSE)
4256  {
4257  buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4258  }
4259  }
4260 
4261  /*
4262  * tls-auth hmac + packet_id
4263  */
4264  if (tls_auth_hmac_size)
4265  {
4266  struct packet_id_net pin;
4267  uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4268 
4269  ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4270 
4271  if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4272  {
4273  goto done;
4274  }
4275  if (flags & PD_VERBOSE)
4276  {
4277  buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4278  }
4279 
4280  if (!packet_id_read(&pin, &buf, true))
4281  {
4282  goto done;
4283  }
4284  buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4285  }
4286 
4287  /*
4288  * ACK list
4289  */
4290  buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4291 
4292  if (op == P_ACK_V1)
4293  {
4294  goto done;
4295  }
4296 
4297  /*
4298  * Packet ID
4299  */
4300  {
4301  packet_id_type l;
4302  if (!buf_read(&buf, &l, sizeof(l)))
4303  {
4304  goto done;
4305  }
4306  l = ntohpid(l);
4308  }
4309 
4310 print_data:
4311  if (flags & PD_SHOW_DATA)
4312  {
4313  buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4314  }
4315  else
4316  {
4317  buf_printf(&out, " DATA len=%d", buf.len);
4318  }
4319 
4320 done:
4321  return BSTR(&out);
4322 }
4323 
4324 void
4326 {
4327  auth_user_pass.wait_for_push = false;
4329 }
static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame)
Definition: ssl.c:325
struct reliable * rec_reliable
Definition: ssl_common.h:190
#define TLSMP_ACTIVE
Definition: ssl.h:231
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3657
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure.
Definition: reliable.c:327
static const char * packet_opcode_name(int op)
Definition: ssl.c:776
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
void options_warning(char *actual, const char *expected)
Definition: options.c:3742
const char * ecdh_curve
Definition: options.h:519
struct key_type key_type
Definition: ssl_common.h:247
int read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1631
#define EXPANDED_SIZE_DYNAMIC(f)
Definition: mtu.h:173
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context...
Definition: ssl_openssl.c:698
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl.h:55
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition: ssl.c:838
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
const char * ca_file_inline
Definition: options.h:526
Security parameter state for processing data channel packets.
Definition: crypto.h:232
struct key_state_ssl ks_ssl
Definition: ssl_common.h:171
#define D_TLS_KEYSELECT
Definition: errlevel.h:142
const char * management_certificate
Definition: options.h:379
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:534
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:465
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition: ssl.c:1209
bool tun_mtu_defined
Definition: options.h:108
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:228
bool ncp_enabled
Definition: options.h:489
unsigned int management_flags
Definition: options.h:378
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
struct key_state key[KS_SIZE]
Definition: ssl_common.h:445
#define TLSMP_INACTIVE
Definition: ssl.h:230
const char * crl_file
Definition: ssl_common.h:284
struct buffer plaintext_read_buf
Definition: ssl_common.h:185
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:528
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
#define S_NORMAL_OP
Normal operational key_state state.
Definition: ssl_common.h:110
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1318
bool tls_crypt_v2
Definition: ssl_common.h:308
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:344
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:3877
void free_buf(struct buffer *buf)
Definition: buffer.c:185
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:502
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
const char * cipher_list
Definition: options.h:516
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition: ssl.c:2173
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:507
#define TLS_MULTI_AUTH_STATUS_INTERVAL
Definition: ssl.h:100
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:827
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition: ssl_common.h:86
static const char * session_index_name(int index)
Definition: ssl.c:816
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition: ssl.c:557
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition: session_id.h:48
#define D_TLS_DEBUG
Definition: errlevel.h:159
#define USER_PASS_LEN
Definition: misc.h:72
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:232
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:821
static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition: ssl.c:295
const char * cert_file
Definition: options.h:512
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:3736
const char * tls_cert_profile
Definition: options.h:518
#define GET_USER_PASS_STATIC_CHALLENGE
Definition: misc.h:121
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:138
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
#define TLS_OPTIONS_LEN
Definition: ssl.h:107
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:615
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1863
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
Packet geometry parameters.
Definition: mtu.h:93
struct key_state * save_ks
Definition: ssl_common.h:520
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define SIZE(x)
Definition: basic.h:30
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:976
static void key_state_soft_reset(struct tls_session *session)
Definition: ssl.c:2144
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:983
const char * ca_path
Definition: options.h:510
struct tls_options * opt
Definition: ssl_common.h:410
time_t must_negotiate
Definition: ssl_common.h:174
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:342
char * peer_info
Definition: ssl_common.h:559
const char * ca_file
Definition: options.h:509
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition: reliable.h:46
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
static bool check_debug_level(unsigned int level)
Definition: error.h:245
bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1598
bool verified
Definition: ssl_common.h:440
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:3900
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:4022
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
const char * auth_user_pass_verify_script
Definition: ssl_common.h:318
const char * priv_key_file
Definition: options.h:514
void session_id_random(struct session_id *sid)
Definition: session_id.c:51
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
#define D_TLS_ERRORS
Definition: errlevel.h:59
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2754
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user&#39;s password.
Definition: ssl.c:381
#define ASSERT(x)
Definition: error.h:221
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:927
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1830
#define SID_SIZE
Definition: session_id.h:45
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1345
const char * auth_user_pass_file
Definition: ssl_common.h:321
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
struct reliable_ack * rec_ack
Definition: ssl_common.h:191
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:995
const char * crl_file_inline
Definition: options.h:529
int handshake_window
Definition: ssl_common.h:273
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl.c:1923
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4110
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition: ssl_common.h:78
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:434
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition: ssl.c:1226
#define packet_id_format
Definition: packet_id.h:95
static void perf_pop(void)
Definition: perf.h:82
#define M_FATAL
Definition: error.h:94
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static bool read_string(struct buffer *buf, char *str, const unsigned int capacity)
Definition: ssl.c:2192
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:4007
static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl.c:1522
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:100
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define CLEAR(x)
Definition: basic.h:33
bool defined
Definition: misc.h:64
#define D_MTU_INFO
Definition: errlevel.h:106
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1438
int cipher_kt_iv_size(const cipher_kt_t *cipher_kt)
Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.
bool cipher_kt_insecure(const cipher_kt_t *cipher)
Returns true if we consider this cipher to be insecure.
void key_state_export_keying_material(struct key_state_ssl *ks_ssl, struct tls_session *session) __attribute__((nonnull))
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:149
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition: ssl.c:4207
#define ENABLE_DEF_AUTH
Definition: config-msvc.h:5
#define TLS_VER_1_1
Definition: ssl_backend.h:115
static void flush_payload_buffer(struct key_state *ks)
Definition: ssl.c:2124
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:301
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition: reliable.c:473
const char * pkcs12_file_inline
Definition: options.h:532
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2275
#define DECRYPT_KEY_ENABLED(multi, ks)
Check whether the ks key_state is ready to receive data channel packets.
Definition: ssl_verify.h:89
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1845
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:112
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:125
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:90
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:937
#define OPENVPN_STATE_AUTH
Definition: manage.h:492
unsigned int crypto_flags
Definition: ssl_common.h:298
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3838
#define OPENVPN_PLUGIN_FUNC_SUCCESS
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:578
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2124
static struct user_pass auth_user_pass
Definition: ssl.c:400
void ssl_set_auth_token(const char *token)
Definition: ssl.c:457
const char * config_ciphername
Definition: ssl_common.h:304
const char * pkcs12_file
Definition: options.h:515
struct reliable * send_reliable
Definition: ssl_common.h:189
int renegotiate_bytes
Definition: ssl_common.h:275
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:343
bool link_mtu_defined
Definition: options.h:112
char username[USER_PASS_LEN]
Definition: misc.h:74
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:155
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:855
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
#define MODE_SERVER
Definition: options.h:191
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3941
bool use_peer_id
Definition: ssl_common.h:564
bool initialized
Definition: crypto.h:225
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:118
#define TLS_VER_1_2
Definition: ssl_backend.h:116
struct link_socket_actual to_link_addr
Definition: ssl_common.h:526
#define OPENVPN_AEAD_MIN_IV_LEN
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV...
Definition: crypto.h:268
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition: reliable.c:696
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:488
#define SWAP_BUF_SIZE
Definition: ssl.c:1402
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition: ssl_common.h:102
const char * ncp_ciphers
Definition: options.h:490
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:233
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition: reliable.h:465
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:101
struct key_state * key_scan[KEY_SCAN_SIZE]
List of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:511
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition: packet_id.c:391
void prng_uninit(void)
Definition: crypto.c:1726
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1295
static char * auth_challenge
Definition: ssl.c:404
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2057
uint8_t id[8]
Definition: session_id.h:40
struct link_socket_actual remote_addr
Definition: ssl_common.h:179
bool nocache
Definition: misc.h:65
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:3916
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:213
#define BUF_SIZE(f)
Definition: mtu.h:194
static bool write_empty_string(struct buffer *buf)
Definition: ssl.c:2163
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:600
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:1929
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:220
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition: ssl.c:1173
#define KEY_SCAN_SIZE
Definition: ssl_common.h:487
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:128
#define OPENVPN_STATE_WAIT
Definition: manage.h:491
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:122
interval_t packet_timeout
Definition: ssl_common.h:274
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3993
#define S_ERROR
Error state.
Definition: ssl_common.h:77
int tun_mtu
Definition: options.h:107
static void tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen)
Definition: ssl.c:1741
interval_t renegotiate_seconds
Definition: ssl_common.h:277
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:381
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct env_item * list
Definition: env_set.h:44
#define P_KEY_ID_MASK
Definition: ssl.h:50
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:131
unsigned int packet_id_print_type
Definition: packet_id.h:96
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1790
struct session_id session_id_remote
Definition: ssl_common.h:178
const char * iana_name
Definition: ssl_backend.h:62
#define AUTH_TOKEN_SIZE
Size of server side generated auth tokens.
Definition: ssl_common.h:385
static bool tls_session_generate_data_channel_keys(struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition: ssl.c:1963
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition: packet_id.h:311
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define counter_format
Definition: common.h:39
const char * crl_file_inline
Definition: ssl_common.h:285
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:121
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:377
bool single_session
Definition: ssl_common.h:265
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
void reliable_ack_adjust_frame_parameters(struct frame *frame, int max)
Definition: reliable.c:258
void key_state_rm_auth_control_file(struct key_state *ks)
Remove the given key state&#39;s auth control file, if it exists.
#define malloc
Definition: cmocka.c:1795
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl.h:64
const char * authname
Definition: options.h:491
#define S_START
Three-way handshake is complete, start of key exchange.
Definition: ssl_common.h:91
#define INCR_SUCCESS
Definition: ssl.c:103
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, const char *extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1563
time_t established
Definition: ssl_common.h:173
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4179
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
#define TM_UNTRUSTED
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:466
struct crypto_options crypto_options
Definition: ssl_common.h:181
#define P_LAST_OPCODE
Definition: ssl.h:71
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1254
char * locked_cn
Definition: ssl_common.h:540
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID is not a replay.
Definition: reliable.c:426
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition: reliable.c:490
void free_ssl_lib(void)
Definition: ssl.c:356
static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. ...
Definition: ssl.c:1905
int extra_link
Maximum number of bytes in excess of external network interface&#39;s MTU that might be read from or writ...
Definition: mtu.h:122
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define ntohpid(x)
Definition: packet_id.h:64
const struct static_challenge_info * sci
Definition: ssl_common.h:358
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition: reliable.c:265
int n_hard_errors
Definition: ssl_common.h:534
int transition_window
Definition: ssl_common.h:272
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
#define INLINE_FILE_TAG
Definition: common.h:95
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:408
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
static struct user_pass passbuf
Definition: ssl.c:369
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition: ssl.h:82
bool xmit_hold
Definition: ssl_common.h:253
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:114
unsigned __int32 uint32_t
Definition: config-msvc.h:121
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:130
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake...
Definition: ssl_common.h:81
unsigned int flags
Definition: route.h:152
int keysize
Definition: options.h:492
#define INCR_ERROR
Definition: ssl.c:104
const char * ciphername
Definition: options.h:488
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below...
Definition: ssl_openssl.c:397
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
void pem_password_setup(const char *auth_file)
Definition: ssl.c:372
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition: reliable.c:627
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:477
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Definition: ssl.c:1405
int key_id
The current active key id, used to keep track of renegotiations.
Definition: ssl_common.h:426
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:696
static struct user_pass auth_token
Definition: ssl.c:401
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
bool ncp_enabled
Definition: ssl_common.h:306
#define P_CONTROL_V1
Definition: ssl.h:57
#define OPENVPN_PLUGIN_TLS_FINAL
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:1198
struct buffer_list * paybuf
Definition: ssl_common.h:193
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition: reliable.h:151
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher...
Definition: ssl_openssl.c:459
#define TLS_RELIABLE_N_REC_BUFFERS
Definition: ssl.h:83
void tls_adjust_frame_parameters(struct frame *frame)
Definition: ssl.c:315
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
const char * extra_certs_file
Definition: options.h:513
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:105
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:1907
int replay_window
Definition: ssl_common.h:300
static SERVICE_STATUS status
Definition: automatic.c:43
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:874
void set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
Definition: misc.c:480
static bool key_method_1_write(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2234
unsigned int ssl_flags
Definition: options.h:539
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:230
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl.h:63
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:542
bool tls_check_ncp_cipher_list(const char *list)
Check whether the ciphers in the supplied list are supported.
Definition: ssl.c:4156
struct tls_wrap_ctx tls_wrap
Definition: ssl.h:132
void ssl_set_auth_nocache(void)
Definition: ssl.c:445
int hmac_ctx_size(const hmac_ctx_t *ctx)
struct tls_wrap_ctx tls_wrap
Definition: ssl_common.h:416
#define PERF_TLS_MULTI_PROCESS
Definition: perf.h:42
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1992
struct tls_options opt
Definition: ssl_common.h:509
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
int n_soft_errors
Definition: ssl_common.h:535
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:698
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
const char * challenge_text
Definition: misc.h:101
const char * cert_file_inline
Definition: options.h:527
const struct plugin_list * plugins
Definition: ssl_common.h:331
struct buffer plaintext_write_buf
Definition: ssl_common.h:186
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
struct link_socket_actual untrusted_addr
Definition: ssl_common.h:443
char * string
Definition: env_set.h:38
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
#define S_GOT_KEY
Local OpenVPN process has received the remote&#39;s part of the key material.
Definition: ssl_common.h:97
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:522
#define RGI_HWADDR_DEFINED
Definition: route.h:148
#define PAYLOAD_SIZE_DYNAMIC(f)
Definition: mtu.h:166
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:912
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition: ssl.h:593
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:566
#define INCR_SENT
Definition: ssl.c:101
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4081
static void key_source2_print(const struct key_source2 *k)
Definition: ssl.c:1636
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1330
static const char * local_options_string(const struct tls_session *session)
Definition: ssl.c:70
struct connection_entry ce
Definition: options.h:213
#define SC_ECHO
Definition: misc.h:98
static void openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition: ssl.c:1778
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name...
Definition: ssl_backend.h:62
struct packet_id_send send
Definition: packet_id.h:207
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define dmsg
Definition: error.h:174
bool wait_for_push
Definition: misc.h:66
const char * local_options
Definition: ssl_common.h:258
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:470
#define TLS_VER_1_0
Definition: ssl_backend.h:114
#define TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:69
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
struct key_source client
Random provided by client.
Definition: ssl_common.h:139
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:328
#define TLS_VER_1_3
Definition: ssl_backend.h:117
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:522
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:1989
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:516
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition: ssl.c:1041
#define P_DATA_V1
Definition: ssl.h:59
static void tls1_P_hash(const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen)
Definition: ssl.c:1654
#define CONTROL_SEND_ACK_MAX
Definition: ssl.h:77
#define BLEN(buf)
Definition: buffer.h:127
time_t auth_deferred_expire
Definition: ssl_common.h:202
struct key_source server
Random provided by server.
Definition: ssl_common.h:140
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition: ssl.c:1073
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID can safely be stored in the reliable structure&#39;s processing window...
Definition: reliable.c:453
void init_ssl_lib(void)
Definition: ssl.c:348
void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
"Poor man&#39;s NCP": Use peer cipher if it is an allowed (NCP) cipher.
Definition: ssl.c:1943
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin, or the management interface.
Definition: ssl_verify.c:1260
#define P_OPCODE_SHIFT
Definition: ssl.h:51
struct buffer * reliable_get_buf_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition: reliable.c:526
void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
Definition: ssl.c:408
struct frame frame
Definition: ssl.h:133
#define D_HANDSHAKE
Definition: errlevel.h:72
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:133
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:169
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition: misc.h:120
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
#define D_SHOW_KEY_SOURCE
Definition: errlevel.h:118
#define TLSMP_KILL
Definition: ssl.h:232
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, const char *ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1410
unsigned __int8 uint8_t
Definition: config-msvc.h:123
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition: reliable.c:570
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid)
Remove an entry from a reliable structure.
Definition: reliable.c:723
struct session_id session_id
Definition: ssl_common.h:419
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Definition: misc.c:124
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3356
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1072
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:459
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:90
static bool buf_write_u32(struct buffer *dest, int data)
Definition: buffer.h:727
unsigned int flags
Definition: misc.h:99
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
static char * read_string_alloc(struct buffer *buf)
Definition: ssl.c:2208
char * auth_token
If server sends a generated auth-token, this is the token to use for future user/pass authentications...
Definition: ssl_common.h:568
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:894
bool ssl_clean_auth_token(void)
Definition: ssl.c:466
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition: ssl.c:981
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:378
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl.h:56
const char * extra_certs_file_inline
Definition: options.h:528
struct key_source2 * key_src
Definition: ssl_common.h:183
int initial_opcode
Definition: ssl_common.h:418
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:571
static bool key_method_1_read(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2490
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
void delayed_auth_pass_purge(void)
Definition: ssl.c:4325
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:407
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition: ssl_common.h:94
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:281
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition: misc.c:717
static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl.c:1460
#define msg
Definition: error.h:173
Definition: misc.h:62
int renegotiate_packets
Definition: ssl_common.h:276
int push_peer_info_detail
Definition: ssl_common.h:271
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
int initial_opcode
Definition: ssl_common.h:177
bool disable_occ
Definition: ssl_common.h:267
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition: reliable.c:123
struct frame frame
Definition: ssl_common.h:315
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1276
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
#define buf_init(buf, offset)
Definition: buffer.h:196
#define OPENVPN_OP_ENCRYPT
Cipher should encrypt.
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:4042
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
static bool key_method_2_write(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2374
void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu)
Definition: mtu.c:56
const char * cipher_list_tls13
Definition: options.h:517
#define OPENVPN_OP_DECRYPT
Cipher should decrypt.
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition: reliable.c:542
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
char * locked_username
Definition: ssl_common.h:541
char * common_name
Definition: ssl_common.h:432
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition: reliable.c:309
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:928
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:609
void crypto_uninit_lib(void)
const char * translate_cipher_name_from_openvpn(const char *cipher_name)
Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file...
Definition: crypto.c:1827
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
int link_mtu
Maximum packet size to be sent over the external network interface.
Definition: mtu.h:94
#define D_TLS_DEBUG_MED
Definition: errlevel.h:151
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:469
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:162
uint32_t peer_id
Definition: ssl_common.h:563
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:1892
static void frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement)
Definition: mtu.h:280
uint32_t packet_id_type
Definition: packet_id.h:49
#define PD_VERBOSE
Definition: ssl.h:596
static const char * state_name(int state)
Definition: ssl.c:739
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:77
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
static bool generate_key_expansion(struct key_ctx_bi *key, const struct key_type *key_type, const struct key_source2 *key_src, const struct session_id *client_sid, const struct session_id *server_sid, bool server)
Definition: ssl.c:1824
void tls_clear_error(void)
Clear the underlying SSL library&#39;s error state.
Definition: ssl_openssl.c:99
void ssl_purge_auth_challenge(void)
Definition: ssl.c:495
static int min_int(int x, int y)
Definition: integer.h:57
#define PACKAGE_VERSION
Definition: config.h:742
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:580
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition: reliable.c:407
#define free
Definition: cmocka.c:1850
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:862
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1494
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation...
Definition: ssl_openssl.c:212
#define PD_TLS
Definition: ssl.h:595
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl.h:54
void generate_key_random(struct key *key, const struct key_type *kt)
Definition: crypto.c:1023
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1067
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition: reliable.c:158
const char * openssl_name
Definition: ssl_backend.h:62
void get_default_gateway(struct route_gateway_info *rgi)
Definition: route.c:2724
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:883
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1337
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:254
int key_method
Definition: ssl_common.h:263
#define FULL_SYNC
Definition: ssl.c:2136
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
int interval_t
Definition: common.h:45
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
static void key_source_print(const struct key_source *k, const char *prefix)
Definition: ssl.c:1610
counter_type n_bytes
Definition: ssl_common.h:195
struct buffer ack_write_buf
Definition: ssl_common.h:187
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition: session_id.c:57
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]
The implicit part of the IV.
Definition: crypto.h:168
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt)
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:1877
static const tls_cipher_name_pair tls_cipher_name_translation_table[]
SSL/TLS Cipher suite name translation table.
Definition: ssl.c:111
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition: ssl.c:901
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2090
#define BSTR(buf)
Definition: buffer.h:129
static bool auth_user_pass_enabled
Definition: ssl.c:399
hmac_ctx_t * hmac_ctx_new(void)
#define TUN_LINK_DELTA(f)
Definition: mtu.h:151
#define KEY_METHOD_MASK
Definition: ssl.h:119
const char * dh_file
Definition: options.h:511
time_t must_die
Definition: ssl_common.h:175
#define KEY_EXPANSION_ID
Definition: ssl.h:47
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition: ssl.c:1145
char password[USER_PASS_LEN]
Definition: misc.h:75
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl.h:67
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:117
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1432
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition: ssl.c:2041
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition: reliable.c:664
struct gc_arena gc
Definition: options.h:183
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
static void update_time(void)
Definition: otime.h:93
bool replay
Definition: options.h:496
static int auth_deferred_expire_window(const struct tls_options *o)
Definition: ssl.c:2732
char * dest
Definition: compat-lz4.h:431
counter_type n_packets
Definition: ssl_common.h:196
int tls_peer_info_ncp_ver(const char *peer_info)
Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified.
Definition: ssl.c:4140
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:78
#define MF_EXTERNAL_CERT
Definition: manage.h:349
void buffer_list_pop(struct buffer_list *ol)
Definition: buffer.c:1348
#define P_ACK_V1
Definition: ssl.h:58
void hmac_ctx_free(hmac_ctx_t *ctx)
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1283
const char * dh_file_inline
Definition: options.h:531
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:229
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition: buffer.c:1256
#define MF_EXTERNAL_KEY
Definition: manage.h:345
const char * remote_options
Definition: ssl_common.h:259
#define P_DATA_V2
Definition: ssl.h:60
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl.c:269
int replay_time
Definition: ssl_common.h:301
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition: reliable.c:608
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition: reliable.c:355
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
const cipher_kt_t * cipher_kt_get(const char *ciphername)
Return cipher parameters, based on the given cipher name.
void crypto_init_lib(void)
unsigned int ssl_flags
Definition: ssl_common.h:349
char * priv_key_file_inline
Definition: options.h:530
struct _stat platform_stat_t
Definition: platform.h:141
#define PD_SHOW_DATA
Definition: ssl.h:594
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:122
#define M_WARN
Definition: error.h:96
void hmac_ctx_reset(hmac_ctx_t *ctx)
struct env_set * es
Definition: ssl_common.h:330
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:2551
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:743
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:312
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:112
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition: reliable.c:141
int link_mtu_dynamic
Dynamic MTU value for the external network interface.
Definition: mtu.h:97
enum tls_wrap_ctx::@9 mode
Control channel wrapping mode.
int link_mtu
Definition: options.h:111
#define INCR_GENERATED
Definition: ssl.c:102
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3161
const char * crl_file
Definition: options.h:524