OpenVPN
ssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
30 /*
31  * The routines in this file deal with dynamically negotiating
32  * the data channel HMAC and cipher keys through a TLS session.
33  *
34  * Both the TLS session and the data channel are multiplexed
35  * over the same TCP/UDP port.
36  */
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #elif defined(_MSC_VER)
40 #include "config-msvc.h"
41 #endif
42 
43 #include "syshead.h"
44 #include "win32.h"
45 
46 #include "error.h"
47 #include "common.h"
48 #include "socket.h"
49 #include "misc.h"
50 #include "fdmisc.h"
51 #include "interval.h"
52 #include "perf.h"
53 #include "status.h"
54 #include "gremlin.h"
55 #include "pkcs11.h"
56 #include "route.h"
57 #include "tls_crypt.h"
58 
59 #include "ssl.h"
60 #include "ssl_verify.h"
61 #include "ssl_backend.h"
62 #include "auth_token.h"
63 
64 #include "memdbg.h"
65 
66 #ifndef ENABLE_OCC
67 static const char ssl_default_options_string[] = "V0 UNDEF";
68 #endif
69 
70 static inline const char *
72 {
73 #ifdef ENABLE_OCC
74  return session->opt->local_options;
75 #else
76  return ssl_default_options_string;
77 #endif
78 }
79 
80 #ifdef MEASURE_TLS_HANDSHAKE_STATS
81 
82 static int tls_handshake_success; /* GLOBAL */
83 static int tls_handshake_error; /* GLOBAL */
84 static int tls_packets_generated; /* GLOBAL */
85 static int tls_packets_sent; /* GLOBAL */
86 
87 #define INCR_SENT ++tls_packets_sent
88 #define INCR_GENERATED ++tls_packets_generated
89 #define INCR_SUCCESS ++tls_handshake_success
90 #define INCR_ERROR ++tls_handshake_error
91 
92 void
93 show_tls_performance_stats(void)
94 {
95  msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
96  (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
97  tls_handshake_success, tls_handshake_error,
98  (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
99 }
100 #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
101 
102 #define INCR_SENT
103 #define INCR_GENERATED
104 #define INCR_SUCCESS
105 #define INCR_ERROR
106 
107 #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
108 
113  {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
114  {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
115  {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
116  {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
117  {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
118  {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
119  {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
120  {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
121  {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
122  {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
123  {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
124  {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
125  {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
126  {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
127  {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
128  {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
129  {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
130  {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
131  {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
132  {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
133  {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
134  {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
135  {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
136  {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
137  {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
138  {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
139  {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
140  {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
141  {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
142  {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
143  {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
144  {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
145  {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
146  {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
147  {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
148  {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
149  {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
150  {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
151  {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
152  {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
153  {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
154  {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
155  {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
156  {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
157  {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
158  {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
159  {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
160  {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
161  {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
162  {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
163  {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
164  {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
165  {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
166  {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
167  {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
168  {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
169  {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
170  {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
171  {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
172  {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
173  {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
174  {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
175  {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
176  {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
177  {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
178  {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
179  {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
180  {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
181  {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
182  {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
183  {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
184  {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
185  {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
186  {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
187  {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
188  {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
189  {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
190  {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
191  {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
192  {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
193  {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
194  {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
195  {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
196  {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
197  {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
198  {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
199  {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
200  {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
201  {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
202  {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
203  {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
204  {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
205  {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
206  {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
207  {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
208  {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
209  {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
210  {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
211  {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
212  {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
213  {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
214  {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
215  {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
216  {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
217  {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
218  {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
219  {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
220  {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
221  {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
222  {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
223  {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
224  {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
225  {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
226  {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
227  {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
228  {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
229  {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
230  {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
231  {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
232  {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
233  {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
234  {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
235  {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
236  {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
237 #ifdef ENABLE_CRYPTO_OPENSSL
238  /* OpenSSL-specific group names */
239  {"DEFAULT", "DEFAULT"},
240  {"ALL", "ALL"},
241  {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
242  {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
243  {"LOW", "LOW"}, {"!LOW", "!LOW"},
244  {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
245  {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
246  {"EDH", "EDH"}, {"!EDH", "!EDH"},
247  {"EXP", "EXP"}, {"!EXP", "!EXP"},
248  {"RSA", "RSA"}, {"!RSA", "!RSA"},
249  {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
250  {"SRP", "SRP"}, {"!SRP", "!SRP"},
251 #endif
252  {NULL, NULL}
253 };
254 
266 static void
267 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
268 
269 const tls_cipher_name_pair *
270 tls_get_cipher_name_pair(const char *cipher_name, size_t len)
271 {
273 
274  while (pair->openssl_name != NULL)
275  {
276  if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
277  || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
278  {
279  return pair;
280  }
281  pair++;
282  }
283 
284  /* No entry found, return NULL */
285  return NULL;
286 }
287 
295 static void
296 tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
297 {
298  if (cipher && cipher_kt_insecure(cipher))
299  {
300  if (*reneg_bytes == -1) /* Not user-specified */
301  {
302  msg(M_WARN, "WARNING: cipher with small block size in use, "
303  "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
304  *reneg_bytes = 64 * 1024 * 1024;
305  }
306  }
307 }
308 
309 /*
310  * Max number of bytes we will add
311  * for data structures common to both
312  * data and control channel packets.
313  * (opcode only).
314  */
315 void
317 {
318  frame_add_to_extra_frame(frame, 1); /* space for opcode */
319 }
320 
321 /*
322  * Max number of bytes we will add
323  * to control channel packet.
324  */
325 static void
326 tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
327  struct frame *frame)
328 {
329  /*
330  * frame->extra_frame is already initialized with tls_auth buffer requirements,
331  * if --tls-auth is enabled.
332  */
333 
334  /* inherit link MTU and extra_link from data channel */
335  frame->link_mtu = data_channel_frame->link_mtu;
336  frame->extra_link = data_channel_frame->extra_link;
337 
338  /* set extra_frame */
342 
343  /* set dynamic link MTU to cap control channel packets at 1250 bytes */
344  ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
345  frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
346 }
347 
348 void
350 {
351  tls_init_lib();
352 
353  crypto_init_lib();
354 }
355 
356 void
358 {
360  prng_uninit();
361 
362  tls_free_lib();
363 }
364 
365 /*
366  * OpenSSL library calls pem_password_callback if the
367  * private key is protected by a password.
368  */
369 
370 static struct user_pass passbuf; /* GLOBAL */
371 
372 void
373 pem_password_setup(const char *auth_file)
374 {
375  if (!strlen(passbuf.password))
376  {
378  }
379 }
380 
381 int
382 pem_password_callback(char *buf, int size, int rwflag, void *u)
383 {
384  if (buf)
385  {
386  /* prompt for password even if --askpass wasn't specified */
387  pem_password_setup(NULL);
388  strncpynt(buf, passbuf.password, size);
389  purge_user_pass(&passbuf, false);
390 
391  return strlen(buf);
392  }
393  return 0;
394 }
395 
396 /*
397  * Auth username/password handling
398  */
399 
400 static bool auth_user_pass_enabled; /* GLOBAL */
401 static struct user_pass auth_user_pass; /* GLOBAL */
402 static struct user_pass auth_token; /* GLOBAL */
403 
404 #ifdef ENABLE_MANAGEMENT
405 static char *auth_challenge; /* GLOBAL */
406 #endif
407 
408 void
409 auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
410 {
411  auth_user_pass_enabled = true;
413  {
414 #ifdef ENABLE_MANAGEMENT
415  if (auth_challenge) /* dynamic challenge/response */
416  {
418  auth_file,
419  UP_TYPE_AUTH,
422  }
423  else if (sci) /* static challenge response */
424  {
426  if (sci->flags & SC_ECHO)
427  {
429  }
431  auth_file,
432  UP_TYPE_AUTH,
433  flags,
434  sci->challenge_text);
435  }
436  else
437 #endif /* ifdef ENABLE_MANAGEMENT */
439  }
440 }
441 
442 /*
443  * Disable password caching
444  */
445 void
447 {
448  passbuf.nocache = true;
449  auth_user_pass.nocache = true;
450  /* wait for push-reply, because auth-token may still need the username */
452 }
453 
454 /*
455  * Set an authentication token
456  */
457 void
458 ssl_set_auth_token(const char *token)
459 {
461 }
462 
463 /*
464  * Cleans an auth token and checks if it was active
465  */
466 bool
468 {
469  bool wasdefined = auth_token.defined;
470  purge_user_pass(&auth_token, true);
471  return wasdefined;
472 }
473 
474 /*
475  * Forget private key password AND auth-user-pass username/password.
476  */
477 void
478 ssl_purge_auth(const bool auth_user_pass_only)
479 {
480  if (!auth_user_pass_only)
481  {
482 #ifdef ENABLE_PKCS11
483  pkcs11_logout();
484 #endif
485  purge_user_pass(&passbuf, true);
486  }
488 #ifdef ENABLE_MANAGEMENT
490 #endif
491 }
492 
493 #ifdef ENABLE_MANAGEMENT
494 
495 void
497 {
499  auth_challenge = NULL;
500 }
501 
502 void
503 ssl_put_auth_challenge(const char *cr_str)
504 {
506  auth_challenge = string_alloc(cr_str, NULL);
507 }
508 
509 #endif
510 
511 /*
512  * Parse a TLS version string, returning a TLS_VER_x constant.
513  * If version string is not recognized and extra == "or-highest",
514  * return tls_version_max().
515  */
516 int
517 tls_version_parse(const char *vstr, const char *extra)
518 {
519  const int max_version = tls_version_max();
520  if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
521  {
522  return TLS_VER_1_0;
523  }
524  else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
525  {
526  return TLS_VER_1_1;
527  }
528  else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
529  {
530  return TLS_VER_1_2;
531  }
532  else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
533  {
534  return TLS_VER_1_3;
535  }
536  else if (extra && !strcmp(extra, "or-highest"))
537  {
538  return max_version;
539  }
540  else
541  {
542  return TLS_VER_BAD;
543  }
544 }
545 
557 static void
558 tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
559  const char *crl_file_inline)
560 {
561  /* if something goes wrong with stat(), we'll store 0 as mtime */
562  platform_stat_t crl_stat = {0};
563 
564  /*
565  * an inline CRL can't change at runtime, therefore there is no need to
566  * reload it. It will be reloaded upon config change + SIGHUP.
567  * Use always '1' as dummy timestamp in this case: it will trigger the
568  * first load, but will prevent any future reload.
569  */
570  if (crl_file_inline)
571  {
572  crl_stat.st_mtime = 1;
573  }
574  else if (platform_stat(crl_file, &crl_stat) < 0)
575  {
576  msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL.");
577  return;
578  }
579 
580  /*
581  * Store the CRL if this is the first time or if the file was changed since
582  * the last load.
583  * Note: Windows does not support tv_nsec.
584  */
585  if ((ssl_ctx->crl_last_size == crl_stat.st_size)
586  && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
587  {
588  return;
589  }
590 
591  ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
592  ssl_ctx->crl_last_size = crl_stat.st_size;
593  backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
594 }
595 
596 /*
597  * Initialize SSL context.
598  * All files are in PEM format.
599  */
600 void
601 init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
602 {
603  ASSERT(NULL != new_ctx);
604 
605  tls_clear_error();
606 
607  if (options->tls_server)
608  {
609  tls_ctx_server_new(new_ctx);
610 
611  if (options->dh_file)
612  {
613  tls_ctx_load_dh_params(new_ctx, options->dh_file,
614  options->dh_file_inline);
615  }
616  }
617  else /* if client */
618  {
619  tls_ctx_client_new(new_ctx);
620  }
621 
622  /* Restrict allowed certificate crypto algorithms */
623  tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
624 
625  /* Allowable ciphers */
626  /* Since @SECLEVEL also influences loading of certificates, set the
627  * cipher restrictions before loading certificates */
628  tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
630 
631  if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
632  {
633  goto err;
634  }
635 
636  if (options->pkcs12_file)
637  {
638  if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
639  options->pkcs12_file_inline, !options->ca_file))
640  {
641  goto err;
642  }
643  }
644 #ifdef ENABLE_PKCS11
645  else if (options->pkcs11_providers[0])
646  {
647  if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
648  {
649  msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
650  options->pkcs11_id);
651  goto err;
652  }
653  }
654 #endif
655 #ifdef ENABLE_CRYPTOAPI
656  else if (options->cryptoapi_cert)
657  {
658  tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
659  }
660 #endif
661 #ifdef ENABLE_MANAGEMENT
662  else if (options->management_flags & MF_EXTERNAL_CERT)
663  {
664  char *cert = management_query_cert(management,
665  options->management_certificate);
666  tls_ctx_load_cert_file(new_ctx, INLINE_FILE_TAG, cert);
667  free(cert);
668  }
669 #endif
670  else if (options->cert_file)
671  {
672  tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
673  }
674 
675  if (options->priv_key_file)
676  {
677  if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
678  options->priv_key_file_inline))
679  {
680  goto err;
681  }
682  }
683 #ifdef ENABLE_MANAGEMENT
684  else if (options->management_flags & MF_EXTERNAL_KEY)
685  {
687  {
688  msg(M_WARN, "Cannot initialize mamagement-external-key");
689  goto err;
690  }
691  }
692 #endif
693 
694  if (options->ca_file || options->ca_path)
695  {
696  tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
697  options->ca_path, options->tls_server);
698  }
699 
700  /* Load extra certificates that are part of our own certificate
701  * chain but shouldn't be included in the verify chain */
702  if (options->extra_certs_file)
703  {
705  }
706 
707  /* Check certificate notBefore and notAfter */
708  tls_ctx_check_cert_time(new_ctx);
709 
710  /* Read CRL */
711  if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
712  {
713  tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
714  }
715 
716  /* Once keys and cert are loaded, load ECDH parameters */
717  if (options->tls_server)
718  {
719  tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
720  }
721 
722 #ifdef ENABLE_CRYPTO_MBEDTLS
723  /* Personalise the random by mixing in the certificate */
724  tls_ctx_personalise_random(new_ctx);
725 #endif
726 
727  tls_clear_error();
728  return;
729 
730 err:
731  tls_clear_error();
732  tls_ctx_free(new_ctx);
733  return;
734 }
735 
736 /*
737  * Map internal constants to ascii names.
738  */
739 static const char *
740 state_name(int state)
741 {
742  switch (state)
743  {
744  case S_UNDEF:
745  return "S_UNDEF";
746 
747  case S_INITIAL:
748  return "S_INITIAL";
749 
750  case S_PRE_START:
751  return "S_PRE_START";
752 
753  case S_START:
754  return "S_START";
755 
756  case S_SENT_KEY:
757  return "S_SENT_KEY";
758 
759  case S_GOT_KEY:
760  return "S_GOT_KEY";
761 
762  case S_ACTIVE:
763  return "S_ACTIVE";
764 
765  case S_NORMAL_OP:
766  return "S_NORMAL_OP";
767 
768  case S_ERROR:
769  return "S_ERROR";
770 
771  default:
772  return "S_???";
773  }
774 }
775 
776 static const char *
778 {
779  switch (op)
780  {
782  return "P_CONTROL_HARD_RESET_CLIENT_V1";
783 
785  return "P_CONTROL_HARD_RESET_SERVER_V1";
786 
788  return "P_CONTROL_HARD_RESET_CLIENT_V2";
789 
791  return "P_CONTROL_HARD_RESET_SERVER_V2";
792 
794  return "P_CONTROL_HARD_RESET_CLIENT_V3";
795 
797  return "P_CONTROL_SOFT_RESET_V1";
798 
799  case P_CONTROL_V1:
800  return "P_CONTROL_V1";
801 
802  case P_ACK_V1:
803  return "P_ACK_V1";
804 
805  case P_DATA_V1:
806  return "P_DATA_V1";
807 
808  case P_DATA_V2:
809  return "P_DATA_V2";
810 
811  default:
812  return "P_???";
813  }
814 }
815 
816 static const char *
818 {
819  switch (index)
820  {
821  case TM_ACTIVE:
822  return "TM_ACTIVE";
823 
824  case TM_UNTRUSTED:
825  return "TM_UNTRUSTED";
826 
827  case TM_LAME_DUCK:
828  return "TM_LAME_DUCK";
829 
830  default:
831  return "TM_???";
832  }
833 }
834 
835 /*
836  * For debugging.
837  */
838 static const char *
839 print_key_id(struct tls_multi *multi, struct gc_arena *gc)
840 {
841  int i;
842  struct buffer out = alloc_buf_gc(256, gc);
843 
844  for (i = 0; i < KEY_SCAN_SIZE; ++i)
845  {
846  struct key_state *ks = multi->key_scan[i];
847  buf_printf(&out, " [key#%d state=%s id=%d sid=%s]", i,
848  state_name(ks->state), ks->key_id,
850  }
851 
852  return BSTR(&out);
853 }
854 
855 bool
856 is_hard_reset(int op, int key_method)
857 {
858  if (!key_method || key_method == 1)
859  {
861  {
862  return true;
863  }
864  }
865 
866  if (!key_method || key_method >= 2)
867  {
870  {
871  return true;
872  }
873  }
874 
875  return false;
876 }
877 
901 static void
903 {
904  update_time();
905 
906  CLEAR(*ks);
907 
908  /*
909  * Build TLS object that reads/writes ciphertext
910  * to/from memory BIOs.
911  */
912  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
913  session);
914 
915  /* Set control-channel initiation mode */
916  ks->initial_opcode = session->initial_opcode;
918  ks->state = S_INITIAL;
919  ks->key_id = session->key_id;
920 
921  /*
922  * key_id increments to KEY_ID_MASK then recycles back to 1.
923  * This way you know that if key_id is 0, it is the first key.
924  */
925  ++session->key_id;
926  session->key_id &= P_KEY_ID_MASK;
927  if (!session->key_id)
928  {
929  session->key_id = 1;
930  }
931 
932  /* allocate key source material object */
933  ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
934 
935  /* allocate reliability objects */
938  ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
939 
940  /* allocate buffers */
943  ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
944  reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
946  ks->key_id ? false : session->opt->xmit_hold);
947  reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
949  false);
951 
952  /* init packet ID tracker */
953  if (session->opt->replay)
954  {
956  session->opt->replay_window, session->opt->replay_time, "SSL",
957  ks->key_id);
958  }
959 
960  ks->crypto_options.pid_persist = NULL;
961 
962 #ifdef MANAGEMENT_DEF_AUTH
963  ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
964 #endif
965 }
966 
967 
981 static void
982 key_state_free(struct key_state *ks, bool clear)
983 {
984  ks->state = S_UNDEF;
985 
987 
991  free_buf(&ks->ack_write_buf);
993 
994  if (ks->send_reliable)
995  {
997  free(ks->send_reliable);
998  }
999 
1000  if (ks->rec_reliable)
1001  {
1003  free(ks->rec_reliable);
1004  }
1005 
1006  if (ks->rec_ack)
1007  {
1008  free(ks->rec_ack);
1009  }
1010 
1011  if (ks->key_src)
1012  {
1013  free(ks->key_src);
1014  }
1015 
1017 
1018 #ifdef PLUGIN_DEF_AUTH
1020 #endif
1021 
1022  if (clear)
1023  {
1024  secure_memzero(ks, sizeof(*ks));
1025  }
1026 }
1027 
1041 static inline bool
1043 {
1044  return (session->opt->auth_user_pass_verify_script
1046 #ifdef MANAGEMENT_DEF_AUTH
1047  || management_enable_def_auth(management)
1048 #endif
1049  );
1050 }
1051 
1052 
1073 static void
1075 {
1076  struct gc_arena gc = gc_new();
1077 
1078  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
1079 
1080  CLEAR(*session);
1081 
1082  /* Set options data to point to parent's option structure */
1083  session->opt = &multi->opt;
1084 
1085  /* Randomize session # if it is 0 */
1086  while (!session_id_defined(&session->session_id))
1087  {
1088  session_id_random(&session->session_id);
1089  }
1090 
1091  /* Are we a TLS server or client? */
1092  ASSERT(session->opt->key_method >= 1);
1093  if (session->opt->key_method == 1)
1094  {
1095  session->initial_opcode = session->opt->server ?
1097  }
1098  else /* session->opt->key_method >= 2 */
1099  {
1100  if (session->opt->server)
1101  {
1103  }
1104  else
1105  {
1106  session->initial_opcode = session->opt->tls_crypt_v2 ?
1108  }
1109  }
1110 
1111  /* Initialize control channel authentication parameters */
1112  session->tls_wrap = session->opt->tls_wrap;
1113  session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1114 
1115  /* initialize packet ID replay window for --tls-auth */
1117  session->opt->replay_window,
1118  session->opt->replay_time,
1119  "TLS_WRAP", session->key_id);
1120 
1121  /* load most recent packet-id to replay protect on --tls-auth */
1123  &session->tls_wrap.opt.packet_id);
1124 
1125  key_state_init(session, &session->key[KS_PRIMARY]);
1126 
1127  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1128  session_id_print(&session->session_id, &gc));
1129 
1130  gc_free(&gc);
1131 }
1132 
1145 static void
1147 {
1148  tls_wrap_free(&session->tls_wrap);
1149 
1150  for (size_t i = 0; i < KS_SIZE; ++i)
1151  {
1152  key_state_free(&session->key[i], false);
1153  }
1154 
1155  if (session->common_name)
1156  {
1157  free(session->common_name);
1158  }
1159 
1160  cert_hash_free(session->cert_hash_set);
1161 
1162  if (clear)
1163  {
1164  secure_memzero(session, sizeof(*session));
1165  }
1166 }
1167 
1173 static void
1174 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1175 {
1176  msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1177  session_index_name(dest),
1178  session_index_name(src),
1179  reinit_src);
1180  ASSERT(src != dest);
1181  ASSERT(src >= 0 && src < TM_SIZE);
1182  ASSERT(dest >= 0 && dest < TM_SIZE);
1183  tls_session_free(&multi->session[dest], false);
1184  multi->session[dest] = multi->session[src];
1185 
1186  if (reinit_src)
1187  {
1188  tls_session_init(multi, &multi->session[src]);
1189  }
1190  else
1191  {
1192  secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1193  }
1194 
1195  dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1196 }
1197 
1198 static void
1200 {
1201  tls_session_free(session, false);
1202  tls_session_init(multi, session);
1203 }
1204 
1205 /*
1206  * Used to determine in how many seconds we should be
1207  * called again.
1208  */
1209 static inline void
1210 compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1211 {
1212  if (seconds_from_now < *earliest)
1213  {
1214  *earliest = seconds_from_now;
1215  }
1216  if (*earliest < 0)
1217  {
1218  *earliest = 0;
1219  }
1220 }
1221 
1222 /*
1223  * Return true if "lame duck" or retiring key has expired and can
1224  * no longer be used.
1225  */
1226 static inline bool
1228 {
1229  const struct key_state *lame = &session->key[KS_LAME_DUCK];
1230  if (lame->state >= S_INITIAL)
1231  {
1232  const time_t local_now = now;
1233  ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1234  if (local_now < lame->must_die)
1235  {
1236  compute_earliest_wakeup(wakeup, lame->must_die - local_now);
1237  return false;
1238  }
1239  else
1240  {
1241  return true;
1242  }
1243  }
1244  else if (lame->state == S_ERROR)
1245  {
1246  return true;
1247  }
1248  else
1249  {
1250  return false;
1251  }
1252 }
1253 
1254 struct tls_multi *
1256 {
1257  struct tls_multi *ret;
1258 
1259  ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1260 
1261  /* get command line derived options */
1262  ret->opt = *tls_options;
1263 
1264  /* set up list of keys to be scanned by data channel encrypt and decrypt routines */
1265  ASSERT(SIZE(ret->key_scan) == 3);
1266  ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY];
1267  ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK];
1268  ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
1269 
1270  /* By default not use P_DATA_V2 */
1271  ret->use_peer_id = false;
1272 
1273  return ret;
1274 }
1275 
1276 void
1277 tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
1278 {
1280 
1281  /* initialize the active and untrusted sessions */
1282 
1283  tls_session_init(multi, &multi->session[TM_ACTIVE]);
1284 
1285  if (!multi->opt.single_session)
1286  {
1287  tls_session_init(multi, &multi->session[TM_UNTRUSTED]);
1288  }
1289 }
1290 
1291 /*
1292  * Initialize and finalize a standalone tls-auth verification object.
1293  */
1294 
1295 struct tls_auth_standalone *
1297  struct gc_arena *gc)
1298 {
1299  struct tls_auth_standalone *tas;
1300 
1301  ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1302 
1303  tas->tls_wrap = tls_options->tls_wrap;
1304 
1305  /*
1306  * Standalone tls-auth is in read-only mode with respect to TLS
1307  * control channel state. After we build a new client instance
1308  * object, we will process this session-initiating packet for real.
1309  */
1311 
1312  /* get initial frame parms, still need to finalize */
1313  tas->frame = tls_options->frame;
1314 
1315  return tas;
1316 }
1317 
1318 void
1320  const struct frame *frame)
1321 {
1323 }
1324 
1325 /*
1326  * Set local and remote option compatibility strings.
1327  * Used to verify compatibility of local and remote option
1328  * sets.
1329  */
1330 void
1332  const char *local,
1333  const char *remote)
1334 {
1335 #ifdef ENABLE_OCC
1336  /* initialize options string */
1337  multi->opt.local_options = local;
1338  multi->opt.remote_options = remote;
1339 #endif
1340 }
1341 
1342 /*
1343  * Cleanup a tls_multi structure and free associated memory allocations.
1344  */
1345 void
1346 tls_multi_free(struct tls_multi *multi, bool clear)
1347 {
1348  int i;
1349 
1350  ASSERT(multi);
1351 
1352 #if P2MP_SERVER
1353  auth_set_client_reason(multi, NULL);
1354 
1355  free(multi->peer_info);
1356 #endif
1357 
1358  if (multi->locked_cn)
1359  {
1360  free(multi->locked_cn);
1361  }
1362 
1363  if (multi->locked_username)
1364  {
1365  free(multi->locked_username);
1366  }
1367 
1369 
1370  wipe_auth_token(multi);
1371 
1372  free(multi->remote_ciphername);
1373 
1374  for (i = 0; i < TM_SIZE; ++i)
1375  {
1376  tls_session_free(&multi->session[i], false);
1377  }
1378 
1379  if (clear)
1380  {
1381  secure_memzero(multi, sizeof(*multi));
1382  }
1383 
1384  free(multi);
1385 }
1386 
1387 
1388 /*
1389  * Move a packet authentication HMAC + related fields to or from the front
1390  * of the buffer so it can be processed by encrypt/decrypt.
1391  */
1392 
1393 /*
1394  * Dependent on hmac size, opcode size, and session_id size.
1395  * Will assert if too small.
1396  */
1397 #define SWAP_BUF_SIZE 256
1398 
1399 static bool
1400 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
1401 {
1402  const struct key_ctx *ctx;
1403 
1404  ASSERT(co);
1405 
1406  ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);
1407  ASSERT(ctx->hmac);
1408 
1409  {
1410  /* hmac + packet_id (8 bytes) */
1411  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
1412 
1413  /* opcode + session_id */
1414  const int osid_size = 1 + SID_SIZE;
1415 
1416  int e1, e2;
1417  uint8_t *b = BPTR(buf);
1418  uint8_t buf1[SWAP_BUF_SIZE];
1419  uint8_t buf2[SWAP_BUF_SIZE];
1420 
1421  if (incoming)
1422  {
1423  e1 = osid_size;
1424  e2 = hmac_size;
1425  }
1426  else
1427  {
1428  e1 = hmac_size;
1429  e2 = osid_size;
1430  }
1431 
1432  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
1433 
1434  if (buf->len >= e1 + e2)
1435  {
1436  memcpy(buf1, b, e1);
1437  memcpy(buf2, b + e1, e2);
1438  memcpy(b, buf2, e2);
1439  memcpy(b + e2, buf1, e1);
1440  return true;
1441  }
1442  else
1443  {
1444  return false;
1445  }
1446  }
1447 }
1448 
1449 #undef SWAP_BUF_SIZE
1450 
1451 /*
1452  * Write a control channel authentication record.
1453  */
1454 static void
1456  struct key_state *ks,
1457  struct buffer *buf,
1458  struct link_socket_actual **to_link_addr,
1459  int opcode,
1460  int max_ack,
1461  bool prepend_ack)
1462 {
1463  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
1464  struct buffer null = clear_buf();
1465 
1468  (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
1469 
1470  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
1471 
1472  if (session->tls_wrap.mode == TLS_WRAP_AUTH
1473  || session->tls_wrap.mode == TLS_WRAP_NONE)
1474  {
1475  ASSERT(session_id_write_prepend(&session->session_id, buf));
1476  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
1477  }
1478  if (session->tls_wrap.mode == TLS_WRAP_AUTH)
1479  {
1480  /* no encryption, only write hmac */
1481  openvpn_encrypt(buf, null, &session->tls_wrap.opt);
1482  ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false));
1483  }
1484  else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
1485  {
1486  ASSERT(buf_init(&session->tls_wrap.work, buf->offset));
1487  ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header)));
1488  ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work));
1489  if (!tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt))
1490  {
1491  buf->len = 0;
1492  return;
1493  }
1494 
1495  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3)
1496  {
1497  if (!buf_copy(&session->tls_wrap.work,
1498  session->tls_wrap.tls_crypt_v2_wkc))
1499  {
1500  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
1501  buf->len = 0;
1502  return;
1503  }
1504  }
1505 
1506  /* Don't change the original data in buf, it's used by the reliability
1507  * layer to resend on failure. */
1508  *buf = session->tls_wrap.work;
1509  }
1510  *to_link_addr = &ks->remote_addr;
1511 }
1512 
1513 /*
1514  * Read a control channel authentication record.
1515  */
1516 static bool
1518  struct tls_wrap_ctx *ctx,
1519  const struct link_socket_actual *from,
1520  const struct tls_options *opt)
1521 {
1522  struct gc_arena gc = gc_new();
1523  bool ret = false;
1524 
1525  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
1526  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
1527  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
1528  {
1529  msg(D_TLS_ERRORS,
1530  "TLS Error: can not extract tls-crypt-v2 client key from %s",
1531  print_link_socket_actual(from, &gc));
1532  goto cleanup;
1533  }
1534 
1535  if (ctx->mode == TLS_WRAP_AUTH)
1536  {
1537  struct buffer null = clear_buf();
1538 
1539  /* move the hmac record to the front of the packet */
1540  if (!swap_hmac(buf, &ctx->opt, true))
1541  {
1542  msg(D_TLS_ERRORS,
1543  "TLS Error: cannot locate HMAC in incoming packet from %s",
1544  print_link_socket_actual(from, &gc));
1545  gc_free(&gc);
1546  return false;
1547  }
1548 
1549  /* authenticate only (no decrypt) and remove the hmac record
1550  * from the head of the buffer */
1551  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
1552  if (!buf->len)
1553  {
1554  msg(D_TLS_ERRORS,
1555  "TLS Error: incoming packet authentication failed from %s",
1556  print_link_socket_actual(from, &gc));
1557  goto cleanup;
1558  }
1559 
1560  }
1561  else if (ctx->mode == TLS_WRAP_CRYPT)
1562  {
1563  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
1564  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
1565  {
1566  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
1567  print_link_socket_actual(from, &gc));
1568  goto cleanup;
1569  }
1570  ASSERT(buf_init(buf, buf->offset));
1571  ASSERT(buf_copy(buf, &tmp));
1572  buf_clear(&tmp);
1573  }
1574  else if (ctx->tls_crypt_v2_server_key.cipher)
1575  {
1576  /* If tls-crypt-v2 is enabled, require *some* wrapping */
1577  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
1578  print_link_socket_actual(from, &gc));
1579  /* TODO Do we want to support using tls-crypt-v2 and no control channel
1580  * wrapping at all simultaneously? That would allow server admins to
1581  * upgrade clients one-by-one without running a second instance, but we
1582  * should not enable it by default because it breaks DoS-protection.
1583  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
1584  goto cleanup;
1585  }
1586 
1587  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
1588  {
1589  /* advance buffer pointer past opcode & session_id since our caller
1590  * already read it */
1591  buf_advance(buf, SID_SIZE + 1);
1592  }
1593 
1594  ret = true;
1595 cleanup:
1596  gc_free(&gc);
1597  return ret;
1598 }
1599 
1600 /*
1601  * For debugging, print contents of key_source2 structure.
1602  */
1603 
1604 static void
1606  const char *prefix)
1607 {
1608  struct gc_arena gc = gc_new();
1609 
1610  VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1611  VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1612  VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1613 
1615  "%s pre_master: %s",
1616  prefix,
1617  format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1619  "%s random1: %s",
1620  prefix,
1621  format_hex(k->random1, sizeof(k->random1), 0, &gc));
1623  "%s random2: %s",
1624  prefix,
1625  format_hex(k->random2, sizeof(k->random2), 0, &gc));
1626 
1627  gc_free(&gc);
1628 }
1629 
1630 static void
1632 {
1633  key_source_print(&k->client, "Client");
1634  key_source_print(&k->server, "Server");
1635 }
1636 
1637 /*
1638  * Generate the hash required by for the \c tls1_PRF function.
1639  *
1640  * @param md_kt Message digest to use
1641  * @param sec Secret to base the hash on
1642  * @param sec_len Length of the secret
1643  * @param seed Seed to hash
1644  * @param seed_len Length of the seed
1645  * @param out Output buffer
1646  * @param olen Length of the output buffer
1647  */
1648 static void
1649 tls1_P_hash(const md_kt_t *md_kt,
1650  const uint8_t *sec,
1651  int sec_len,
1652  const uint8_t *seed,
1653  int seed_len,
1654  uint8_t *out,
1655  int olen)
1656 {
1657  struct gc_arena gc = gc_new();
1658  int chunk;
1659  hmac_ctx_t *ctx;
1660  hmac_ctx_t *ctx_tmp;
1662  unsigned int A1_len;
1663 
1664 #ifdef ENABLE_DEBUG
1665  const int olen_orig = olen;
1666  const uint8_t *out_orig = out;
1667 #endif
1668 
1669  ctx = hmac_ctx_new();
1670  ctx_tmp = hmac_ctx_new();
1671 
1672  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
1673  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
1674 
1675  chunk = md_kt_size(md_kt);
1676  A1_len = md_kt_size(md_kt);
1677 
1678  hmac_ctx_init(ctx, sec, sec_len, md_kt);
1679  hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
1680 
1681  hmac_ctx_update(ctx,seed,seed_len);
1682  hmac_ctx_final(ctx, A1);
1683 
1684  for (;; )
1685  {
1686  hmac_ctx_reset(ctx);
1687  hmac_ctx_reset(ctx_tmp);
1688  hmac_ctx_update(ctx,A1,A1_len);
1689  hmac_ctx_update(ctx_tmp,A1,A1_len);
1690  hmac_ctx_update(ctx,seed,seed_len);
1691 
1692  if (olen > chunk)
1693  {
1694  hmac_ctx_final(ctx, out);
1695  out += chunk;
1696  olen -= chunk;
1697  hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
1698  }
1699  else /* last one */
1700  {
1701  hmac_ctx_final(ctx, A1);
1702  memcpy(out,A1,olen);
1703  break;
1704  }
1705  }
1706  hmac_ctx_cleanup(ctx);
1707  hmac_ctx_free(ctx);
1708  hmac_ctx_cleanup(ctx_tmp);
1709  hmac_ctx_free(ctx_tmp);
1710  secure_memzero(A1, sizeof(A1));
1711 
1712  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
1713  gc_free(&gc);
1714 }
1715 
1716 /*
1717  * Use the TLS PRF function for generating data channel keys.
1718  * This code is based on the OpenSSL library.
1719  *
1720  * TLS generates keys as such:
1721  *
1722  * master_secret[48] = PRF(pre_master_secret[48], "master secret",
1723  * ClientHello.random[32] + ServerHello.random[32])
1724  *
1725  * key_block[] = PRF(SecurityParameters.master_secret[48],
1726  * "key expansion",
1727  * SecurityParameters.server_random[32] +
1728  * SecurityParameters.client_random[32]);
1729  *
1730  * Notes:
1731  *
1732  * (1) key_block contains a full set of 4 keys.
1733  * (2) The pre-master secret is generated by the client.
1734  */
1735 static void
1736 tls1_PRF(const uint8_t *label,
1737  int label_len,
1738  const uint8_t *sec,
1739  int slen,
1740  uint8_t *out1,
1741  int olen)
1742 {
1743  struct gc_arena gc = gc_new();
1744  const md_kt_t *md5 = md_kt_get("MD5");
1745  const md_kt_t *sha1 = md_kt_get("SHA1");
1746  int len,i;
1747  const uint8_t *S1,*S2;
1748  uint8_t *out2;
1749 
1750  out2 = (uint8_t *) gc_malloc(olen, false, &gc);
1751 
1752  len = slen/2;
1753  S1 = sec;
1754  S2 = &(sec[len]);
1755  len += (slen&1); /* add for odd, make longer */
1756 
1757  tls1_P_hash(md5,S1,len,label,label_len,out1,olen);
1758  tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1759 
1760  for (i = 0; i<olen; i++)
1761  {
1762  out1[i] ^= out2[i];
1763  }
1764 
1765  secure_memzero(out2, olen);
1766 
1767  dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc));
1768 
1769  gc_free(&gc);
1770 }
1771 
1772 static void
1773 openvpn_PRF(const uint8_t *secret,
1774  int secret_len,
1775  const char *label,
1776  const uint8_t *client_seed,
1777  int client_seed_len,
1778  const uint8_t *server_seed,
1779  int server_seed_len,
1780  const struct session_id *client_sid,
1781  const struct session_id *server_sid,
1782  uint8_t *output,
1783  int output_len)
1784 {
1785  /* concatenate seed components */
1786 
1787  struct buffer seed = alloc_buf(strlen(label)
1788  + client_seed_len
1789  + server_seed_len
1790  + SID_SIZE * 2);
1791 
1792  ASSERT(buf_write(&seed, label, strlen(label)));
1793  ASSERT(buf_write(&seed, client_seed, client_seed_len));
1794  ASSERT(buf_write(&seed, server_seed, server_seed_len));
1795 
1796  if (client_sid)
1797  {
1798  ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1799  }
1800  if (server_sid)
1801  {
1802  ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1803  }
1804 
1805  /* compute PRF */
1806  tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1807 
1808  buf_clear(&seed);
1809  free_buf(&seed);
1810 
1811  VALGRIND_MAKE_READABLE((void *)output, output_len);
1812 }
1813 
1814 /*
1815  * Using source entropy from local and remote hosts, mix into
1816  * master key.
1817  */
1818 static bool
1820  const struct key_type *key_type,
1821  const struct key_source2 *key_src,
1822  const struct session_id *client_sid,
1823  const struct session_id *server_sid,
1824  bool server)
1825 {
1826  uint8_t master[48] = { 0 };
1827  struct key2 key2 = { 0 };
1828  bool ret = false;
1829 
1830  if (key->initialized)
1831  {
1832  msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1833  goto exit;
1834  }
1835 
1836  /* debugging print of source key material */
1837  key_source2_print(key_src);
1838 
1839  /* compute master secret */
1840  openvpn_PRF(key_src->client.pre_master,
1841  sizeof(key_src->client.pre_master),
1842  KEY_EXPANSION_ID " master secret",
1843  key_src->client.random1,
1844  sizeof(key_src->client.random1),
1845  key_src->server.random1,
1846  sizeof(key_src->server.random1),
1847  NULL,
1848  NULL,
1849  master,
1850  sizeof(master));
1851 
1852  /* compute key expansion */
1853  openvpn_PRF(master,
1854  sizeof(master),
1855  KEY_EXPANSION_ID " key expansion",
1856  key_src->client.random2,
1857  sizeof(key_src->client.random2),
1858  key_src->server.random2,
1859  sizeof(key_src->server.random2),
1860  client_sid,
1861  server_sid,
1862  (uint8_t *)key2.keys,
1863  sizeof(key2.keys));
1864 
1865  key2.n = 2;
1866 
1867  key2_print(&key2, key_type, "Master Encrypt", "Master Decrypt");
1868 
1869  /* check for weak keys */
1870  for (int i = 0; i < 2; ++i)
1871  {
1872  fixup_key(&key2.keys[i], key_type);
1873  if (!check_key(&key2.keys[i], key_type))
1874  {
1875  msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1876  goto exit;
1877  }
1878  }
1879 
1880  /* Initialize OpenSSL key contexts */
1881  int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1882  init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
1883 
1884  /* Initialize implicit IVs */
1885  key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
1887  key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
1889 
1890  ret = true;
1891 
1892 exit:
1893  secure_memzero(&master, sizeof(master));
1894  secure_memzero(&key2, sizeof(key2));
1895 
1896  return ret;
1897 }
1898 
1899 static void
1900 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
1901 {
1902  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
1903 
1904  /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
1905  if (cipher_kt_mode_aead(cipher_kt))
1906  {
1907  size_t impl_iv_len = 0;
1909  impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
1910  ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
1911  ASSERT(impl_iv_len <= key_len);
1912  memcpy(ctx->implicit_iv, key, impl_iv_len);
1913  ctx->implicit_iv_len = impl_iv_len;
1914  }
1915 }
1916 
1917 bool
1918 tls_item_in_cipher_list(const char *item, const char *list)
1919 {
1920  char *tmp_ciphers = string_alloc(list, NULL);
1921  char *tmp_ciphers_orig = tmp_ciphers;
1922 
1923  const char *token = strtok(tmp_ciphers, ":");
1924  while (token)
1925  {
1926  if (0 == strcmp(token, item))
1927  {
1928  break;
1929  }
1930  token = strtok(NULL, ":");
1931  }
1932  free(tmp_ciphers_orig);
1933 
1934  return token != NULL;
1935 }
1936 
1937 const char *
1938 tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
1939 {
1940  /* Check if the peer sends the IV_CIPHERS list */
1941  const char *ncp_ciphers_start;
1942  if (peer_info && (ncp_ciphers_start = strstr(peer_info, "IV_CIPHERS=")))
1943  {
1944  ncp_ciphers_start += strlen("IV_CIPHERS=");
1945  const char *ncp_ciphers_end = strstr(ncp_ciphers_start, "\n");
1946  if (!ncp_ciphers_end)
1947  {
1948  /* IV_CIPHERS is at end of the peer_info list and no '\n'
1949  * follows */
1950  ncp_ciphers_end = ncp_ciphers_start + strlen(ncp_ciphers_start);
1951  }
1952 
1953  char *ncp_ciphers_peer = string_alloc(ncp_ciphers_start, gc);
1954  /* NULL terminate the copy at the right position */
1955  ncp_ciphers_peer[ncp_ciphers_end - ncp_ciphers_start] = '\0';
1956  return ncp_ciphers_peer;
1957 
1958  }
1959  else if (tls_peer_info_ncp_ver(peer_info)>=2)
1960  {
1961  /* If the peer announces IV_NCP=2 then it supports the AES GCM
1962  * ciphers */
1963  return "AES-256-GCM:AES-128-GCM";
1964  }
1965  else
1966  {
1967  return "";
1968  }
1969 }
1970 
1971 char *
1972 ncp_get_best_cipher(const char *server_list, const char *server_cipher,
1973  const char *peer_info, const char *remote_cipher,
1974  struct gc_arena *gc)
1975 {
1976  /*
1977  * The gc of the parameter is tied to the VPN session, create a
1978  * short lived gc arena that is only valid for the duration of
1979  * this function
1980  */
1981  struct gc_arena gc_tmp = gc_new();
1982 
1983  const char *peer_ncp_list = tls_peer_ncp_list(peer_info, &gc_tmp);
1984  char *tmp_ciphers = string_alloc(server_list, &gc_tmp);
1985 
1986  const char *token = strsep(&tmp_ciphers, ":");
1987  while (token)
1988  {
1989  if (tls_item_in_cipher_list(token, peer_ncp_list)
1990  || streq(token, remote_cipher))
1991  {
1992  break;
1993  }
1994  token = strsep(&tmp_ciphers, ":");
1995  }
1996  /* We have not found a common cipher, as a last resort check if the
1997  * server cipher can be used
1998  */
1999  if (token == NULL
2000  && (tls_item_in_cipher_list(server_cipher, peer_ncp_list)
2001  || streq(server_cipher, remote_cipher)))
2002  {
2003  token = server_cipher;
2004  }
2005 
2006  char *ret = NULL;
2007  if (token != NULL)
2008  {
2009  ret = string_alloc(token, gc);
2010  }
2011 
2012  gc_free(&gc_tmp);
2013  return ret;
2014 }
2015 
2016 void
2017 tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
2018 {
2019  if (o->ncp_enabled && remote_ciphername
2020  && 0 != strcmp(o->ciphername, remote_ciphername))
2021  {
2022  if (tls_item_in_cipher_list(remote_ciphername, o->ncp_ciphers))
2023  {
2024  o->ciphername = string_alloc(remote_ciphername, &o->gc);
2025  msg(D_TLS_DEBUG_LOW, "Using peer cipher '%s'", o->ciphername);
2026  }
2027  }
2028 }
2029 
2036 static bool
2038 {
2039  bool ret = false;
2040  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2041  const struct session_id *client_sid = session->opt->server ?
2042  &ks->session_id_remote : &session->session_id;
2043  const struct session_id *server_sid = !session->opt->server ?
2044  &ks->session_id_remote : &session->session_id;
2045 
2046  ASSERT(ks->authenticated);
2047 
2048  ks->crypto_options.flags = session->opt->crypto_flags;
2050  &session->opt->key_type, ks->key_src, client_sid, server_sid,
2051  session->opt->server))
2052  {
2053  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
2054  goto cleanup;
2055  }
2057  &session->opt->renegotiate_bytes);
2058 
2059  ret = true;
2060 cleanup:
2061  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2062  return ret;
2063 }
2064 
2065 bool
2067  struct options *options, struct frame *frame,
2068  struct frame *frame_fragment)
2069 {
2070  if (!session->opt->server
2071  && 0 != strcmp(options->ciphername, session->opt->config_ciphername)
2072  && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
2073  {
2074  msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s or %s",
2075  options->ciphername, session->opt->config_ciphername,
2076  options->ncp_ciphers);
2077  /* undo cipher push, abort connection setup */
2078  options->ciphername = session->opt->config_ciphername;
2079  return false;
2080  }
2081 
2082  if (strcmp(options->ciphername, session->opt->config_ciphername))
2083  {
2084  msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
2085  options->ciphername);
2086  if (options->keysize)
2087  {
2088  msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
2089  options->keysize = 0;
2090  }
2091  }
2092 
2093  init_key_type(&session->opt->key_type, options->ciphername,
2094  options->authname, options->keysize, true, true);
2095 
2096  bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
2097  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2098  if (packet_id_long_form)
2099  {
2101  }
2102 
2103  /* Update frame parameters: undo worst-case overhead, add actual overhead */
2105  crypto_adjust_frame_parameters(frame, &session->opt->key_type,
2106  options->replay, packet_id_long_form);
2107  frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
2108  options->ce.tun_mtu_defined, options->ce.tun_mtu);
2109  frame_init_mssfix(frame, options);
2110  frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
2111 
2112  /*
2113  * mssfix uses data channel framing, which at this point contains
2114  * actual overhead. Fragmentation logic uses frame_fragment, which
2115  * still contains worst case overhead. Replace it with actual overhead
2116  * to prevent unneeded fragmentation.
2117  */
2118 
2119  if (frame_fragment)
2120  {
2122  crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type,
2123  options->replay, packet_id_long_form);
2124  frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);
2125  frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
2126  }
2127 
2129 }
2130 
2131 static bool
2133  uint8_t *out,
2134  int outlen)
2135 {
2136  if (!rand_bytes(out, outlen))
2137  {
2138  msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
2139  }
2140  if (!buf_write(buf, out, outlen))
2141  {
2142  return false;
2143  }
2144  return true;
2145 }
2146 
2147 static bool
2149  struct buffer *buf,
2150  bool server)
2151 {
2152  struct key_source *k = &k2->client;
2153  if (server)
2154  {
2155  k = &k2->server;
2156  }
2157 
2158  CLEAR(*k);
2159 
2160  if (!server)
2161  {
2162  if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
2163  {
2164  return false;
2165  }
2166  }
2167 
2168  if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
2169  {
2170  return false;
2171  }
2172  if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
2173  {
2174  return false;
2175  }
2176 
2177  return true;
2178 }
2179 
2180 static int
2182  struct buffer *buf,
2183  bool server)
2184 {
2185  struct key_source *k = &k2->client;
2186 
2187  if (!server)
2188  {
2189  k = &k2->server;
2190  }
2191 
2192  CLEAR(*k);
2193 
2194  if (server)
2195  {
2196  if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
2197  {
2198  return 0;
2199  }
2200  }
2201 
2202  if (!buf_read(buf, k->random1, sizeof(k->random1)))
2203  {
2204  return 0;
2205  }
2206  if (!buf_read(buf, k->random2, sizeof(k->random2)))
2207  {
2208  return 0;
2209  }
2210 
2211  return 1;
2212 }
2213 
2214 static void
2216 {
2217  struct buffer *b;
2218 
2219  while ((b = buffer_list_peek(ks->paybuf)))
2220  {
2222  buffer_list_pop(ks->paybuf);
2223  }
2224 }
2225 
2226 /* true if no in/out acknowledgements pending */
2227 #define FULL_SYNC \
2228  (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
2229 
2230 /*
2231  * Move the active key to the lame duck key and reinitialize the
2232  * active key.
2233  */
2234 static void
2236 {
2237  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2238  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2239 
2240  ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
2241  key_state_free(ks_lame, false);
2242  *ks_lame = *ks;
2243 
2244  key_state_init(session, ks);
2245  ks->session_id_remote = ks_lame->session_id_remote;
2246  ks->remote_addr = ks_lame->remote_addr;
2247 }
2248 
2249 /*
2250  * Read/write strings from/to a struct buffer with a u16 length prefix.
2251  */
2252 
2253 static bool
2255 {
2256  if (!buf_write_u16(buf, 0))
2257  {
2258  return false;
2259  }
2260  return true;
2261 }
2262 
2263 static bool
2264 write_string(struct buffer *buf, const char *str, const int maxlen)
2265 {
2266  const int len = strlen(str) + 1;
2267  if (len < 1 || (maxlen >= 0 && len > maxlen))
2268  {
2269  return false;
2270  }
2271  if (!buf_write_u16(buf, len))
2272  {
2273  return false;
2274  }
2275  if (!buf_write(buf, str, len))
2276  {
2277  return false;
2278  }
2279  return true;
2280 }
2281 
2282 static bool
2283 read_string(struct buffer *buf, char *str, const unsigned int capacity)
2284 {
2285  const int len = buf_read_u16(buf);
2286  if (len < 1 || len > (int)capacity)
2287  {
2288  return false;
2289  }
2290  if (!buf_read(buf, str, len))
2291  {
2292  return false;
2293  }
2294  str[len-1] = '\0';
2295  return true;
2296 }
2297 
2298 static char *
2300 {
2301  const int len = buf_read_u16(buf);
2302  char *str;
2303 
2304  if (len < 1)
2305  {
2306  return NULL;
2307  }
2308  str = (char *) malloc(len);
2309  check_malloc_return(str);
2310  if (!buf_read(buf, str, len))
2311  {
2312  free(str);
2313  return NULL;
2314  }
2315  str[len-1] = '\0';
2316  return str;
2317 }
2318 
2319 /*
2320  * Handle the reading and writing of key data to and from
2321  * the TLS control channel (cleartext).
2322  */
2323 
2324 static bool
2326 {
2327  struct key key;
2328  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2329 
2330  ASSERT(session->opt->key_method == 1);
2331  ASSERT(buf_init(buf, 0));
2332 
2333  generate_key_random(&key, &session->opt->key_type);
2334  if (!check_key(&key, &session->opt->key_type))
2335  {
2336  msg(D_TLS_ERRORS, "TLS Error: Bad encrypting key generated");
2337  return false;
2338  }
2339 
2340  if (!write_key(&key, &session->opt->key_type, buf))
2341  {
2342  msg(D_TLS_ERRORS, "TLS Error: write_key failed");
2343  return false;
2344  }
2345 
2347  &session->opt->key_type, OPENVPN_OP_ENCRYPT,
2348  "Data Channel Encrypt");
2349  secure_memzero(&key, sizeof(key));
2350 
2351  /* send local options string */
2352  {
2353  const char *local_options = local_options_string(session);
2354  const int optlen = strlen(local_options) + 1;
2355  if (!buf_write(buf, local_options, optlen))
2356  {
2357  msg(D_TLS_ERRORS, "TLS Error: KM1 write options failed");
2358  return false;
2359  }
2360  }
2361 
2362  return true;
2363 }
2364 
2365 static bool
2367 {
2368  struct gc_arena gc = gc_new();
2369  bool ret = false;
2370 
2371  if (session->opt->push_peer_info_detail > 0)
2372  {
2373  struct env_set *es = session->opt->es;
2374  struct env_item *e;
2375  struct buffer out = alloc_buf_gc(512*3, &gc);
2376 
2377  /* push version */
2378  buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
2379 
2380  /* push platform */
2381 #if defined(TARGET_LINUX)
2382  buf_printf(&out, "IV_PLAT=linux\n");
2383 #elif defined(TARGET_SOLARIS)
2384  buf_printf(&out, "IV_PLAT=solaris\n");
2385 #elif defined(TARGET_OPENBSD)
2386  buf_printf(&out, "IV_PLAT=openbsd\n");
2387 #elif defined(TARGET_DARWIN)
2388  buf_printf(&out, "IV_PLAT=mac\n");
2389 #elif defined(TARGET_NETBSD)
2390  buf_printf(&out, "IV_PLAT=netbsd\n");
2391 #elif defined(TARGET_FREEBSD)
2392  buf_printf(&out, "IV_PLAT=freebsd\n");
2393 #elif defined(TARGET_ANDROID)
2394  buf_printf(&out, "IV_PLAT=android\n");
2395 #elif defined(_WIN32)
2396  buf_printf(&out, "IV_PLAT=win\n");
2397 #endif
2398 
2399  /* support for P_DATA_V2 */
2400  buf_printf(&out, "IV_PROTO=2\n");
2401 
2402  /* support for Negotiable Crypto Parameters */
2403  if (session->opt->ncp_enabled
2404  && (session->opt->mode == MODE_SERVER || session->opt->pull))
2405  {
2406  if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
2407  && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
2408  {
2409 
2410  buf_printf(&out, "IV_NCP=2\n");
2411  }
2412  buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
2413  }
2414 
2415  /* push compression status */
2416 #ifdef USE_COMP
2417  comp_generate_peer_info_string(&session->opt->comp_options, &out);
2418 #endif
2419 
2420  if (session->opt->push_peer_info_detail >= 2)
2421  {
2422  /* push mac addr */
2423  struct route_gateway_info rgi;
2424  get_default_gateway(&rgi, session->opt->net_ctx);
2425  if (rgi.flags & RGI_HWADDR_DEFINED)
2426  {
2427  buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2428  }
2429  buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2430 #if defined(_WIN32)
2431  buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2432 #endif
2433  }
2434 
2435  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2436  for (e = es->list; e != NULL; e = e->next)
2437  {
2438  if (e->string)
2439  {
2440  if ((((strncmp(e->string, "UV_", 3)==0
2441  || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0)
2442  && session->opt->push_peer_info_detail >= 2)
2443  || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
2444  && buf_safe(&out, strlen(e->string)+1))
2445  {
2446  buf_printf(&out, "%s\n", e->string);
2447  }
2448  }
2449  }
2450 
2451  if (!write_string(buf, BSTR(&out), -1))
2452  {
2453  goto error;
2454  }
2455  }
2456  else
2457  {
2458  if (!write_empty_string(buf)) /* no peer info */
2459  {
2460  goto error;
2461  }
2462  }
2463  ret = true;
2464 
2465 error:
2466  gc_free(&gc);
2467  return ret;
2468 }
2469 
2470 static bool
2472 {
2473  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2474 
2475  ASSERT(session->opt->key_method == 2);
2476  ASSERT(buf_init(buf, 0));
2477 
2478  /* write a uint32 0 */
2479  if (!buf_write_u32(buf, 0))
2480  {
2481  goto error;
2482  }
2483 
2484  /* write key_method + flags */
2485  if (!buf_write_u8(buf, (session->opt->key_method & KEY_METHOD_MASK)))
2486  {
2487  goto error;
2488  }
2489 
2490  /* write key source material */
2491  if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2492  {
2493  goto error;
2494  }
2495 
2496  /* write options string */
2497  {
2498  if (!write_string(buf, local_options_string(session), TLS_OPTIONS_LEN))
2499  {
2500  goto error;
2501  }
2502  }
2503 
2504  /* write username/password if specified */
2506  {
2507 #ifdef ENABLE_MANAGEMENT
2508  auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
2509 #else
2510  auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
2511 #endif
2512  struct user_pass *up = &auth_user_pass;
2513 
2514  /*
2515  * If we have a valid auth-token, send that instead of real
2516  * username/password
2517  */
2518  if (auth_token.defined)
2519  up = &auth_token;
2520 
2521  if (!write_string(buf, up->username, -1))
2522  {
2523  goto error;
2524  }
2525  else if (!write_string(buf, up->password, -1))
2526  {
2527  goto error;
2528  }
2529  /* if auth-nocache was specified, the auth_user_pass object reaches
2530  * a "complete" state only after having received the push-reply
2531  * message.
2532  *
2533  * For this reason, skip the purge operation here if no push-reply
2534  * message has been received yet.
2535  *
2536  * This normally happens upon first negotiation only.
2537  */
2539  {
2541  }
2542  }
2543  else
2544  {
2545  if (!write_empty_string(buf)) /* no username */
2546  {
2547  goto error;
2548  }
2549  if (!write_empty_string(buf)) /* no password */
2550  {
2551  goto error;
2552  }
2553  }
2554 
2555  if (!push_peer_info(buf, session))
2556  {
2557  goto error;
2558  }
2559 
2560  /* Generate tunnel keys if we're a TLS server.
2561  * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
2562  * generation is postponed until after the pull/push, so we can process pushed
2563  * cipher directives.
2564  */
2565  if (session->opt->server && !(session->opt->ncp_enabled
2566  && session->opt->mode == MODE_SERVER && ks->key_id <= 0))
2567  {
2568  if (ks->authenticated)
2569  {
2571  {
2572  msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
2573  goto error;
2574  }
2575  }
2576  }
2577 
2578  return true;
2579 
2580 error:
2581  msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2582  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2583  return false;
2584 }
2585 
2586 static bool
2588 {
2589  int status;
2590  struct key key;
2591  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2592 
2593  ASSERT(session->opt->key_method == 1);
2594 
2595  if (!session->verified)
2596  {
2597  msg(D_TLS_ERRORS,
2598  "TLS Error: Certificate verification failed (key-method 1)");
2599  goto error;
2600  }
2601 
2602  status = read_key(&key, &session->opt->key_type, buf);
2603  if (status != 1)
2604  {
2605  msg(D_TLS_ERRORS,
2606  "TLS Error: Error reading data channel key from plaintext buffer");
2607  goto error;
2608  }
2609 
2610  if (!check_key(&key, &session->opt->key_type))
2611  {
2612  msg(D_TLS_ERRORS, "TLS Error: Bad decrypting key received from peer");
2613  goto error;
2614  }
2615 
2616  if (buf->len < 1)
2617  {
2618  msg(D_TLS_ERRORS, "TLS Error: Missing options string");
2619  goto error;
2620  }
2621 
2622 #ifdef ENABLE_OCC
2623  /* compare received remote options string
2624  * with our locally computed options string */
2625  if (!session->opt->disable_occ
2626  && !options_cmp_equal_safe((char *) BPTR(buf), session->opt->remote_options, buf->len))
2627  {
2628  options_warning_safe((char *) BPTR(buf), session->opt->remote_options, buf->len);
2629  }
2630 #endif
2631 
2632  buf_clear(buf);
2633 
2635  &session->opt->key_type, OPENVPN_OP_DECRYPT,
2636  "Data Channel Decrypt");
2637  secure_memzero(&key, sizeof(key));
2638  ks->authenticated = true;
2639  return true;
2640 
2641 error:
2642  buf_clear(buf);
2643  secure_memzero(&key, sizeof(key));
2644  return false;
2645 }
2646 
2651 static bool
2652 tls_peer_supports_ncp(const char *peer_info)
2653 {
2654  if (!peer_info)
2655  {
2656  return false;
2657  }
2658  else if (tls_peer_info_ncp_ver(peer_info) >= 2
2659  || strstr(peer_info, "IV_CIPHERS="))
2660  {
2661  return true;
2662  }
2663  else
2664  {
2665  return false;
2666  }
2667 }
2668 
2669 static bool
2670 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2671 {
2672  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2673 
2674  int key_method_flags;
2675  bool username_status, password_status;
2676 
2677  struct gc_arena gc = gc_new();
2678  char *options;
2679  struct user_pass *up = NULL;
2680 
2681  /* allocate temporary objects */
2682  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2683 
2684  ASSERT(session->opt->key_method == 2);
2685 
2686  /* discard leading uint32 */
2687  if (!buf_advance(buf, 4))
2688  {
2689  msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2690  buf->len);
2691  goto error;
2692  }
2693 
2694  /* get key method */
2695  key_method_flags = buf_read_u8(buf);
2696  if ((key_method_flags & KEY_METHOD_MASK) != 2)
2697  {
2698  msg(D_TLS_ERRORS,
2699  "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2700  key_method_flags);
2701  goto error;
2702  }
2703 
2704  /* get key source material (not actual keys yet) */
2705  if (!key_source2_read(ks->key_src, buf, session->opt->server))
2706  {
2707  msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2708  goto error;
2709  }
2710 
2711  /* get options */
2712  if (!read_string(buf, options, TLS_OPTIONS_LEN))
2713  {
2714  msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2715  goto error;
2716  }
2717 
2718  ks->authenticated = false;
2719 
2720  /* always extract username + password fields from buf, even if not
2721  * authenticating for it, because otherwise we can't get at the
2722  * peer_info data which follows behind
2723  */
2724  ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2725  username_status = read_string(buf, up->username, USER_PASS_LEN);
2726  password_status = read_string(buf, up->password, USER_PASS_LEN);
2727 
2728 #if P2MP_SERVER
2729  /* get peer info from control channel */
2730  free(multi->peer_info);
2731  multi->peer_info = read_string_alloc(buf);
2732  if (multi->peer_info)
2733  {
2734  output_peer_info_env(session->opt->es, multi->peer_info);
2735  }
2736 
2737  free(multi->remote_ciphername);
2738  multi->remote_ciphername =
2739  options_string_extract_option(options, "cipher", NULL);
2740 
2741  if (!tls_peer_supports_ncp(multi->peer_info))
2742  {
2743  /* Peer does not support NCP, but leave NCP enabled if the local and
2744  * remote cipher do not match to attempt 'poor-man's NCP'.
2745  */
2746  if (multi->remote_ciphername == NULL
2747  || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername))
2748  {
2749  session->opt->ncp_enabled = false;
2750  }
2751  }
2752 #endif /* if P2MP_SERVER */
2753 
2754  if (tls_session_user_pass_enabled(session))
2755  {
2756  /* Perform username/password authentication */
2757  if (!username_status || !password_status)
2758  {
2759  CLEAR(*up);
2760  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2761  {
2762  msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2763  goto error;
2764  }
2765  }
2766 
2767  verify_user_pass(up, multi, session);
2768  }
2769  else
2770  {
2771  /* Session verification should have occurred during TLS negotiation*/
2772  if (!session->verified)
2773  {
2774  msg(D_TLS_ERRORS,
2775  "TLS Error: Certificate verification failed (key-method 2)");
2776  goto error;
2777  }
2778  ks->authenticated = true;
2779  }
2780 
2781  /* clear username and password from memory */
2782  secure_memzero(up, sizeof(*up));
2783 
2784  /* Perform final authentication checks */
2785  if (ks->authenticated)
2786  {
2787  verify_final_auth_checks(multi, session);
2788  }
2789 
2790 #ifdef ENABLE_OCC
2791  /* check options consistency */
2792  if (!session->opt->disable_occ
2793  && !options_cmp_equal(options, session->opt->remote_options))
2794  {
2795  options_warning(options, session->opt->remote_options);
2796  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2797  {
2798  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2799  ks->authenticated = false;
2800  }
2801  }
2802 #endif
2803 
2804  buf_clear(buf);
2805 
2806  /*
2807  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2808  * veto opportunity over authentication decision.
2809  */
2811  {
2813 
2814  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2815  {
2816  ks->authenticated = false;
2817  }
2818 
2819  setenv_del(session->opt->es, "exported_keying_material");
2820  }
2821 
2822  /*
2823  * Generate tunnel keys if we're a client.
2824  * If --pull is enabled, the first key generation is postponed until after the
2825  * pull/push, so we can process pushed cipher directives.
2826  */
2827  if (!session->opt->server && (!session->opt->pull || ks->key_id > 0))
2828  {
2830  {
2831  msg(D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed");
2832  goto error;
2833  }
2834  }
2835 
2836  gc_free(&gc);
2837  return true;
2838 
2839 error:
2840  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2841  if (up)
2842  {
2843  secure_memzero(up, sizeof(*up));
2844  }
2845  buf_clear(buf);
2846  gc_free(&gc);
2847  return false;
2848 }
2849 
2850 static int
2852 {
2853  int ret = o->handshake_window;
2854  const int r2 = o->renegotiate_seconds / 2;
2855 
2856  if (o->renegotiate_seconds && r2 < ret)
2857  {
2858  ret = r2;
2859  }
2860  return ret;
2861 }
2862 
2863 /*
2864  * This is the primary routine for processing TLS stuff inside the
2865  * the main event loop. When this routine exits
2866  * with non-error status, it will set *wakeup to the number of seconds
2867  * when it wants to be called again.
2868  *
2869  * Return value is true if we have placed a packet in *to_link which we
2870  * want to send to our peer.
2871  */
2872 static bool
2873 tls_process(struct tls_multi *multi,
2874  struct tls_session *session,
2875  struct buffer *to_link,
2876  struct link_socket_actual **to_link_addr,
2877  struct link_socket_info *to_link_socket_info,
2878  interval_t *wakeup)
2879 {
2880  struct gc_arena gc = gc_new();
2881  struct buffer *buf;
2882  bool state_change = false;
2883  bool active = false;
2884  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2885  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2886 
2887  /* Make sure we were initialized and that we're not in an error state */
2888  ASSERT(ks->state != S_UNDEF);
2889  ASSERT(ks->state != S_ERROR);
2890  ASSERT(session_id_defined(&session->session_id));
2891 
2892  /* Should we trigger a soft reset? -- new key, keeps old key for a while */
2893  if (ks->state >= S_ACTIVE
2894  && ((session->opt->renegotiate_seconds
2895  && now >= ks->established + session->opt->renegotiate_seconds)
2896  || (session->opt->renegotiate_bytes > 0
2897  && ks->n_bytes >= session->opt->renegotiate_bytes)
2898  || (session->opt->renegotiate_packets
2899  && ks->n_packets >= session->opt->renegotiate_packets)
2901  {
2902  msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
2903  "/%d pkts=" counter_format "/%d",
2904  (int) (now - ks->established), session->opt->renegotiate_seconds,
2905  ks->n_bytes, session->opt->renegotiate_bytes,
2906  ks->n_packets, session->opt->renegotiate_packets);
2907  key_state_soft_reset(session);
2908  }
2909 
2910  /* Kill lame duck key transition_window seconds after primary key negotiation */
2911  if (lame_duck_must_die(session, wakeup))
2912  {
2913  key_state_free(ks_lame, true);
2914  msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
2915  }
2916 
2917  do
2918  {
2919  update_time();
2920 
2921  dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
2922  state_change,
2923  state_name(ks->state),
2924  state_name(ks_lame->state),
2925  to_link->len,
2926  *wakeup);
2927 
2928  state_change = false;
2929 
2930  /*
2931  * TLS activity is finished once we get to S_ACTIVE,
2932  * though we will still process acknowledgements.
2933  *
2934  * CHANGED with 2.0 -> now we may send tunnel configuration
2935  * info over the control channel.
2936  */
2937 
2938  /* Initial handshake */
2939  if (ks->state == S_INITIAL)
2940  {
2942  if (buf)
2943  {
2944  ks->must_negotiate = now + session->opt->handshake_window;
2946 
2947  /* null buffer */
2950 
2951  ks->state = S_PRE_START;
2952  state_change = true;
2953  dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2954  session_id_print(&session->session_id, &gc));
2955 
2956 #ifdef ENABLE_MANAGEMENT
2958  {
2961  NULL,
2962  NULL,
2963  NULL,
2964  NULL,
2965  NULL);
2966  }
2967 #endif
2968  }
2969  }
2970 
2971  /* Are we timed out on receive? */
2972  if (now >= ks->must_negotiate)
2973  {
2974  if (ks->state < S_ACTIVE)
2975  {
2976  msg(D_TLS_ERRORS,
2977  "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2978  session->opt->handshake_window);
2979  goto error;
2980  }
2981  else /* assume that ks->state == S_ACTIVE */
2982  {
2983  dmsg(D_TLS_DEBUG_MED, "STATE S_NORMAL_OP");
2984  ks->state = S_NORMAL_OP;
2985  ks->must_negotiate = 0;
2986  }
2987  }
2988 
2989  /* Wait for Initial Handshake ACK */
2990  if (ks->state == S_PRE_START && FULL_SYNC)
2991  {
2992  ks->state = S_START;
2993  state_change = true;
2994 
2995  /*
2996  * Attempt CRL reload before TLS negotiation. Won't be performed if
2997  * the file was not modified since the last reload
2998  */
2999  if (session->opt->crl_file
3000  && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
3001  {
3002  tls_ctx_reload_crl(&session->opt->ssl_ctx,
3003  session->opt->crl_file, session->opt->crl_file_inline);
3004  }
3005 
3006  /* New connection, remove any old X509 env variables */
3007  tls_x509_clear_env(session->opt->es);
3008 
3009  dmsg(D_TLS_DEBUG_MED, "STATE S_START");
3010  }
3011 
3012  /* Wait for ACK */
3013  if (((ks->state == S_GOT_KEY && !session->opt->server)
3014  || (ks->state == S_SENT_KEY && session->opt->server)))
3015  {
3016  if (FULL_SYNC)
3017  {
3018  ks->established = now;
3019  dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
3021  {
3022  print_details(&ks->ks_ssl, "Control Channel:");
3023  }
3024  state_change = true;
3025  ks->state = S_ACTIVE;
3026  INCR_SUCCESS;
3027 
3028  /* Set outgoing address for data channel packets */
3029  link_socket_set_outgoing_addr(NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
3030 
3031  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
3033 
3034 #ifdef MEASURE_TLS_HANDSHAKE_STATS
3035  show_tls_performance_stats();
3036 #endif
3037  }
3038  }
3039 
3040  /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
3041  * for previously received packets) */
3042  if (!to_link->len && reliable_can_send(ks->send_reliable))
3043  {
3044  int opcode;
3045  struct buffer b;
3046 
3047  buf = reliable_send(ks->send_reliable, &opcode);
3048  ASSERT(buf);
3049  b = *buf;
3050  INCR_SENT;
3051 
3052  write_control_auth(session, ks, &b, to_link_addr, opcode,
3053  CONTROL_SEND_ACK_MAX, true);
3054  *to_link = b;
3055  active = true;
3056  state_change = true;
3057  dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
3058  break;
3059  }
3060 
3061  /* Write incoming ciphertext to TLS object */
3063  if (buf)
3064  {
3065  int status = 0;
3066  if (buf->len)
3067  {
3068  status = key_state_write_ciphertext(&ks->ks_ssl, buf);
3069  if (status == -1)
3070  {
3071  msg(D_TLS_ERRORS,
3072  "TLS Error: Incoming Ciphertext -> TLS object write error");
3073  goto error;
3074  }
3075  }
3076  else
3077  {
3078  status = 1;
3079  }
3080  if (status == 1)
3081  {
3082  reliable_mark_deleted(ks->rec_reliable, buf, true);
3083  state_change = true;
3084  dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
3085  }
3086  }
3087 
3088  /* Read incoming plaintext from TLS object */
3089  buf = &ks->plaintext_read_buf;
3090  if (!buf->len)
3091  {
3092  int status;
3093 
3094  ASSERT(buf_init(buf, 0));
3096  update_time();
3097  if (status == -1)
3098  {
3099  msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
3100  goto error;
3101  }
3102  if (status == 1)
3103  {
3104  state_change = true;
3105  dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
3106 
3107  /* More data may be available, wake up again asap to check. */
3108  *wakeup = 0;
3109  }
3110  }
3111 
3112  /* Send Key */
3113  buf = &ks->plaintext_write_buf;
3114  if (!buf->len && ((ks->state == S_START && !session->opt->server)
3115  || (ks->state == S_GOT_KEY && session->opt->server)))
3116  {
3117  if (session->opt->key_method == 1)
3118  {
3119  if (!key_method_1_write(buf, session))
3120  {
3121  goto error;
3122  }
3123  }
3124  else if (session->opt->key_method == 2)
3125  {
3126  if (!key_method_2_write(buf, session))
3127  {
3128  goto error;
3129  }
3130  }
3131  else
3132  {
3133  ASSERT(0);
3134  }
3135 
3136  state_change = true;
3137  dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
3138  ks->state = S_SENT_KEY;
3139  }
3140 
3141  /* Receive Key */
3142  buf = &ks->plaintext_read_buf;
3143  if (buf->len
3144  && ((ks->state == S_SENT_KEY && !session->opt->server)
3145  || (ks->state == S_START && session->opt->server)))
3146  {
3147  if (session->opt->key_method == 1)
3148  {
3149  if (!key_method_1_read(buf, session))
3150  {
3151  goto error;
3152  }
3153  }
3154  else if (session->opt->key_method == 2)
3155  {
3156  if (!key_method_2_read(buf, multi, session))
3157  {
3158  goto error;
3159  }
3160  }
3161  else
3162  {
3163  ASSERT(0);
3164  }
3165 
3166  state_change = true;
3167  dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
3168  ks->state = S_GOT_KEY;
3169  }
3170 
3171  /* Write outgoing plaintext to TLS object */
3172  buf = &ks->plaintext_write_buf;
3173  if (buf->len)
3174  {
3175  int status = key_state_write_plaintext(&ks->ks_ssl, buf);
3176  if (status == -1)
3177  {
3178  msg(D_TLS_ERRORS,
3179  "TLS ERROR: Outgoing Plaintext -> TLS object write error");
3180  goto error;
3181  }
3182  if (status == 1)
3183  {
3184  state_change = true;
3185  dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
3186  }
3187  }
3188 
3189  /* Outgoing Ciphertext to reliable buffer */
3190  if (ks->state >= S_START)
3191  {
3193  if (buf)
3194  {
3196  if (status == -1)
3197  {
3198  msg(D_TLS_ERRORS,
3199  "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
3200  goto error;
3201  }
3202  if (status == 1)
3203  {
3206  state_change = true;
3207  dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
3208  }
3209  }
3210  }
3211  }
3212  while (state_change);
3213 
3214  update_time();
3215 
3216  /* Send 1 or more ACKs (each received control packet gets one ACK) */
3217  if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3218  {
3219  struct buffer buf = ks->ack_write_buf;
3220  ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame)));
3221  write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
3222  RELIABLE_ACK_SIZE, false);
3223  *to_link = buf;
3224  active = true;
3225  dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3226  }
3227 
3228  /* When should we wake up again? */
3229  {
3230  if (ks->state >= S_INITIAL)
3231  {
3232  compute_earliest_wakeup(wakeup,
3234 
3235  if (ks->must_negotiate)
3236  {
3238  }
3239  }
3240 
3241  if (ks->established && session->opt->renegotiate_seconds)
3242  {
3243  compute_earliest_wakeup(wakeup,
3244  ks->established + session->opt->renegotiate_seconds - now);
3245  }
3246 
3247  /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3248  if (*wakeup <= 0)
3249  {
3250  *wakeup = 1;
3251 
3252  /* if we had something to send to remote, but to_link was busy,
3253  * let caller know we need to be called again soon */
3254  active = true;
3255  }
3256 
3257  dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3258 
3259  gc_free(&gc);
3260  return active;
3261  }
3262 
3263 error:
3264  tls_clear_error();
3265  ks->state = S_ERROR;
3266  msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
3267  INCR_ERROR;
3268  gc_free(&gc);
3269  return false;
3270 }
3271 
3272 /*
3273  * Called by the top-level event loop.
3274  *
3275  * Basically decides if we should call tls_process for
3276  * the active or untrusted sessions.
3277  */
3278 
3279 int
3281  struct buffer *to_link,
3282  struct link_socket_actual **to_link_addr,
3283  struct link_socket_info *to_link_socket_info,
3284  interval_t *wakeup)
3285 {
3286  struct gc_arena gc = gc_new();
3287  int i;
3288  int active = TLSMP_INACTIVE;
3289  bool error = false;
3290  int tas;
3291 
3293 
3294  tls_clear_error();
3295 
3296  /*
3297  * Process each session object having state of S_INITIAL or greater,
3298  * and which has a defined remote IP addr.
3299  */
3300 
3301  for (i = 0; i < TM_SIZE; ++i)
3302  {
3303  struct tls_session *session = &multi->session[i];
3304  struct key_state *ks = &session->key[KS_PRIMARY];
3305  struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3306 
3307  /* set initial remote address */
3308  if (i == TM_ACTIVE && ks->state == S_INITIAL
3309  && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3310  {
3311  ks->remote_addr = to_link_socket_info->lsa->actual;
3312  }
3313 
3314  dmsg(D_TLS_DEBUG,
3315  "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3316  i,
3317  state_name(ks->state),
3318  session_id_print(&session->session_id, &gc),
3321 
3323  {
3324  struct link_socket_actual *tla = NULL;
3325 
3326  update_time();
3327 
3328  if (tls_process(multi, session, to_link, &tla,
3329  to_link_socket_info, wakeup))
3330  {
3331  active = TLSMP_ACTIVE;
3332  }
3333 
3334  /*
3335  * If tls_process produced an outgoing packet,
3336  * return the link_socket_actual object (which
3337  * contains the outgoing address).
3338  */
3339  if (tla)
3340  {
3341  multi->to_link_addr = *tla;
3342  *to_link_addr = &multi->to_link_addr;
3343  }
3344 
3345  /*
3346  * If tls_process hits an error:
3347  * (1) If the session has an unexpired lame duck key, preserve it.
3348  * (2) Reinitialize the session.
3349  * (3) Increment soft error count
3350  */
3351  if (ks->state == S_ERROR)
3352  {
3353  ++multi->n_soft_errors;
3354 
3355  if (i == TM_ACTIVE)
3356  {
3357  error = true;
3358  }
3359 
3360  if (i == TM_ACTIVE
3361  && ks_lame->state >= S_ACTIVE
3362  && !multi->opt.single_session)
3363  {
3364  move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3365  }
3366  else
3367  {
3368  reset_session(multi, session);
3369  }
3370  }
3371  }
3372  }
3373 
3374  update_time();
3375 
3377 
3378  /*
3379  * If lame duck session expires, kill it.
3380  */
3381  if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3382  {
3383  tls_session_free(&multi->session[TM_LAME_DUCK], true);
3384  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3385  }
3386 
3387  /*
3388  * If untrusted session achieves TLS authentication,
3389  * move it to active session, usurping any prior session.
3390  *
3391  * A semi-trusted session is one in which the certificate authentication
3392  * succeeded (if cert verification is enabled) but the username/password
3393  * verification failed. A semi-trusted session can forward data on the
3394  * TLS control channel but not on the tunnel channel.
3395  */
3396  if (DECRYPT_KEY_ENABLED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY]))
3397  {
3398  move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true);
3399  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
3400  tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3401  }
3402 
3403  /*
3404  * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3405  * other key state objects are S_ACTIVE or higher.
3406  */
3407  if (error)
3408  {
3409  for (i = 0; i < (int) SIZE(multi->key_scan); ++i)
3410  {
3411  if (multi->key_scan[i]->state >= S_ACTIVE)
3412  {
3413  goto nohard;
3414  }
3415  }
3416  ++multi->n_hard_errors;
3417  }
3418 nohard:
3419 
3420 #ifdef ENABLE_DEBUG
3421  /* DEBUGGING -- flood peer with repeating connection attempts */
3422  {
3423  const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3424  if (throw_level)
3425  {
3426  for (i = 0; i < (int) SIZE(multi->key_scan); ++i)
3427  {
3428  if (multi->key_scan[i]->state >= throw_level)
3429  {
3430  ++multi->n_hard_errors;
3431  ++multi->n_soft_errors;
3432  }
3433  }
3434  }
3435  }
3436 #endif
3437 
3438  perf_pop();
3439  gc_free(&gc);
3440 
3441  return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3442 }
3443 
3444 /*
3445  * Pre and post-process the encryption & decryption buffers in order
3446  * to implement a multiplexed TLS channel over the TCP/UDP port.
3447  */
3448 
3449 /*
3450  *
3451  * When we are in TLS mode, this is the first routine which sees
3452  * an incoming packet.
3453  *
3454  * If it's a data packet, we set opt so that our caller can
3455  * decrypt it. We also give our caller the appropriate decryption key.
3456  *
3457  * If it's a control packet, we authenticate it and process it,
3458  * possibly creating a new tls_session if it represents the
3459  * first packet of a new session. For control packets, we will
3460  * also zero the size of *buf so that our caller ignores the
3461  * packet on our return.
3462  *
3463  * Note that openvpn only allows one active session at a time,
3464  * so a new session (once authenticated) will always usurp
3465  * an old session.
3466  *
3467  * Return true if input was an authenticated control channel
3468  * packet.
3469  *
3470  * If we are running in TLS thread mode, all public routines
3471  * below this point must be called with the L_TLS lock held.
3472  */
3473 
3474 bool
3476  const struct link_socket_actual *from,
3477  struct buffer *buf,
3478  struct crypto_options **opt,
3479  bool floated,
3480  const uint8_t **ad_start)
3481 {
3482  struct gc_arena gc = gc_new();
3483  bool ret = false;
3484 
3485  if (buf->len > 0)
3486  {
3487  int i;
3488  int op;
3489  int key_id;
3490 
3491  /* get opcode and key ID */
3492  {
3493  uint8_t c = *BPTR(buf);
3494  op = c >> P_OPCODE_SHIFT;
3495  key_id = c & P_KEY_ID_MASK;
3496  }
3497 
3498  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3499  {
3500  /* data channel packet */
3501  for (i = 0; i < KEY_SCAN_SIZE; ++i)
3502  {
3503  struct key_state *ks = multi->key_scan[i];
3504 
3505  /*
3506  * This is the basic test of TLS state compatibility between a local OpenVPN
3507  * instance and its remote peer.
3508  *
3509  * If the test fails, it tells us that we are getting a packet from a source
3510  * which claims reference to a prior negotiated TLS session, but the local
3511  * OpenVPN instance has no memory of such a negotiation.
3512  *
3513  * It almost always occurs on UDP sessions when the passive side of the
3514  * connection is restarted without the active side restarting as well (the
3515  * passive side is the server which only listens for the connections, the
3516  * active side is the client which initiates connections).
3517  */
3518  if (DECRYPT_KEY_ENABLED(multi, ks)
3519  && key_id == ks->key_id
3520  && ks->authenticated
3521 #ifdef ENABLE_DEF_AUTH
3522  && !ks->auth_deferred
3523 #endif
3524  && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3525  {
3527  {
3529  "Key %s [%d] not initialized (yet), dropping packet.",
3530  print_link_socket_actual(from, &gc), key_id);
3531  goto error_lite;
3532  }
3533 
3534  /* return appropriate data channel decrypt key in opt */
3535  *opt = &ks->crypto_options;
3536  if (op == P_DATA_V2)
3537  {
3538  *ad_start = BPTR(buf);
3539  }
3540  ASSERT(buf_advance(buf, 1));
3541  if (op == P_DATA_V1)
3542  {
3543  *ad_start = BPTR(buf);
3544  }
3545  else if (op == P_DATA_V2)
3546  {
3547  if (buf->len < 4)
3548  {
3549  msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3550  print_link_socket_actual(from, &gc));
3551  goto error;
3552  }
3553  ASSERT(buf_advance(buf, 3));
3554  }
3555 
3556  ++ks->n_packets;
3557  ks->n_bytes += buf->len;
3559  "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3560  key_id, print_link_socket_actual(from, &gc));
3561  gc_free(&gc);
3562  return ret;
3563  }
3564  }
3565 
3566  msg(D_TLS_ERRORS,
3567  "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
3568  print_link_socket_actual(from, &gc), key_id);
3569  goto error_lite;
3570  }
3571  else /* control channel packet */
3572  {
3573  bool do_burst = false;
3574  bool new_link = false;
3575  struct session_id sid; /* remote session ID */
3576 
3577  /* verify legal opcode */
3578  if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3579  {
3580  msg(D_TLS_ERRORS,
3581  "TLS Error: unknown opcode received from %s op=%d",
3582  print_link_socket_actual(from, &gc), op);
3583  goto error;
3584  }
3585 
3586  /* hard reset ? */
3587  if (is_hard_reset(op, 0))
3588  {
3589  /* verify client -> server or server -> client connection */
3590  if (((op == P_CONTROL_HARD_RESET_CLIENT_V1
3592  || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3594  || op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3595  {
3596  msg(D_TLS_ERRORS,
3597  "TLS Error: client->client or server->server connection attempted from %s",
3598  print_link_socket_actual(from, &gc));
3599  goto error;
3600  }
3601  }
3602 
3603  /*
3604  * Authenticate Packet
3605  */
3606  dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3608 
3609  /* get remote session-id */
3610  {
3611  struct buffer tmp = *buf;
3612  buf_advance(&tmp, 1);
3613  if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3614  {
3615  msg(D_TLS_ERRORS,
3616  "TLS Error: session-id not found in packet from %s",
3617  print_link_socket_actual(from, &gc));
3618  goto error;
3619  }
3620  }
3621 
3622  /* use session ID to match up packet with appropriate tls_session object */
3623  for (i = 0; i < TM_SIZE; ++i)
3624  {
3625  struct tls_session *session = &multi->session[i];
3626  struct key_state *ks = &session->key[KS_PRIMARY];
3627 
3628  dmsg(D_TLS_DEBUG,
3629  "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3630  i,
3631  state_name(ks->state),
3632  session_id_print(&session->session_id, &gc),
3633  session_id_print(&sid, &gc),
3634  print_link_socket_actual(from, &gc),
3637 
3638  if (session_id_equal(&ks->session_id_remote, &sid))
3639  /* found a match */
3640  {
3641  if (i == TM_LAME_DUCK)
3642  {
3643  msg(D_TLS_ERRORS,
3644  "TLS ERROR: received control packet with stale session-id=%s",
3645  session_id_print(&sid, &gc));
3646  goto error;
3647  }
3648  dmsg(D_TLS_DEBUG,
3649  "TLS: found match, session[%d], sid=%s",
3650  i, session_id_print(&sid, &gc));
3651  break;
3652  }
3653  }
3654 
3655  /*
3656  * Initial packet received.
3657  */
3658 
3659  if (i == TM_SIZE && is_hard_reset(op, 0))
3660  {
3661  struct tls_session *session = &multi->session[TM_ACTIVE];
3662  struct key_state *ks = &session->key[KS_PRIMARY];
3663 
3664  if (!is_hard_reset(op, multi->opt.key_method))
3665  {
3666  msg(D_TLS_ERRORS, "TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s",
3667  multi->opt.key_method,
3668  packet_opcode_name(op));
3669  goto error;
3670  }
3671 
3672  /*
3673  * If we have no session currently in progress, the initial packet will
3674  * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
3675  */
3677  {
3678  if (multi->opt.single_session && multi->n_sessions)
3679  {
3680  msg(D_TLS_ERRORS,
3681  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
3682  print_link_socket_actual(from, &gc));
3683  goto error;
3684  }
3685 
3686 #ifdef ENABLE_MANAGEMENT
3687  if (management)
3688  {
3691  NULL,
3692  NULL,
3693  NULL,
3694  NULL,
3695  NULL);
3696  }
3697 #endif
3698 
3700  "TLS: Initial packet from %s, sid=%s",
3701  print_link_socket_actual(from, &gc),
3702  session_id_print(&sid, &gc));
3703 
3704  do_burst = true;
3705  new_link = true;
3706  i = TM_ACTIVE;
3707  session->untrusted_addr = *from;
3708  }
3709  }
3710 
3711  if (i == TM_SIZE && is_hard_reset(op, 0))
3712  {
3713  /*
3714  * No match with existing sessions,
3715  * probably a new session.
3716  */
3717  struct tls_session *session = &multi->session[TM_UNTRUSTED];
3718 
3719  /*
3720  * If --single-session, don't allow any hard-reset connection request
3721  * unless it the the first packet of the session.
3722  */
3723  if (multi->opt.single_session)
3724  {
3725  msg(D_TLS_ERRORS,
3726  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
3727  print_link_socket_actual(from, &gc));
3728  goto error;
3729  }
3730 
3731  if (!is_hard_reset(op, multi->opt.key_method))
3732  {
3733  msg(D_TLS_ERRORS, "TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s",
3734  multi->opt.key_method,
3735  packet_opcode_name(op));
3736  goto error;
3737  }
3738 
3739  if (!read_control_auth(buf, &session->tls_wrap, from,
3740  session->opt))
3741  {
3742  goto error;
3743  }
3744 
3745  /*
3746  * New session-initiating control packet is authenticated at this point,
3747  * assuming that the --tls-auth command line option was used.
3748  *
3749  * Without --tls-auth, we leave authentication entirely up to TLS.
3750  */
3752  "TLS: new session incoming connection from %s",
3753  print_link_socket_actual(from, &gc));
3754 
3755  new_link = true;
3756  i = TM_UNTRUSTED;
3757  session->untrusted_addr = *from;
3758  }
3759  else
3760  {
3761  struct tls_session *session = &multi->session[i];
3762  struct key_state *ks = &session->key[KS_PRIMARY];
3763 
3764  /*
3765  * Packet must belong to an existing session.
3766  */
3767  if (i != TM_ACTIVE && i != TM_UNTRUSTED)
3768  {
3769  msg(D_TLS_ERRORS,
3770  "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3771  print_link_socket_actual(from, &gc),
3772  i,
3773  packet_opcode_name(op));
3774  goto error;
3775  }
3776 
3777  /*
3778  * Verify remote IP address
3779  */
3780  if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3781  {
3782  msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3783  print_link_socket_actual(from, &gc));
3784  goto error;
3785  }
3786 
3787  /*
3788  * Remote is requesting a key renegotiation
3789  */
3790  if (op == P_CONTROL_SOFT_RESET_V1
3791  && DECRYPT_KEY_ENABLED(multi, ks))
3792  {
3793  if (!read_control_auth(buf, &session->tls_wrap, from,
3794  session->opt))
3795  {
3796  goto error;
3797  }
3798 
3799  key_state_soft_reset(session);
3800 
3801  dmsg(D_TLS_DEBUG,
3802  "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3803  i, session_id_print(&sid, &gc));
3804  }
3805  else
3806  {
3807  /*
3808  * Remote responding to our key renegotiation request?
3809  */
3810  if (op == P_CONTROL_SOFT_RESET_V1)
3811  {
3812  do_burst = true;
3813  }
3814 
3815  if (!read_control_auth(buf, &session->tls_wrap, from,
3816  session->opt))
3817  {
3818  goto error;
3819  }
3820 
3821  dmsg(D_TLS_DEBUG,
3822  "TLS: received control channel packet s#=%d sid=%s",
3823  i, session_id_print(&sid, &gc));
3824  }
3825  }
3826 
3827  /*
3828  * We have an authenticated control channel packet (if --tls-auth was set).
3829  * Now pass to our reliability layer which deals with
3830  * packet acknowledgements, retransmits, sequencing, etc.
3831  */
3832  {
3833  struct tls_session *session = &multi->session[i];
3834  struct key_state *ks = &session->key[KS_PRIMARY];
3835 
3836  /* Make sure we were initialized and that we're not in an error state */
3837  ASSERT(ks->state != S_UNDEF);
3838  ASSERT(ks->state != S_ERROR);
3839  ASSERT(session_id_defined(&session->session_id));
3840 
3841  /* Let our caller know we processed a control channel packet */
3842  ret = true;
3843 
3844  /*
3845  * Set our remote address and remote session_id
3846  */
3847  if (new_link)
3848  {
3849  ks->session_id_remote = sid;
3850  ks->remote_addr = *from;
3851  ++multi->n_sessions;
3852  }
3853  else if (!link_socket_actual_match(&ks->remote_addr, from))
3854  {
3855  msg(D_TLS_ERRORS,
3856  "TLS Error: Existing session control channel packet from unknown IP address: %s",
3857  print_link_socket_actual(from, &gc));
3858  goto error;
3859  }
3860 
3861  /*
3862  * Should we do a retransmit of all unacknowledged packets in
3863  * the send buffer? This improves the start-up efficiency of the
3864  * initial key negotiation after the 2nd peer comes online.
3865  */
3866  if (do_burst && !session->burst)
3867  {
3869  session->burst = true;
3870  }
3871 
3872  /* Check key_id */
3873  if (ks->key_id != key_id)
3874  {
3875  msg(D_TLS_ERRORS,
3876  "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3877  ks->key_id, key_id, print_key_id(multi, &gc));
3878  goto error;
3879  }
3880 
3881  /*
3882  * Process incoming ACKs for packets we can now
3883  * delete from reliable send buffer
3884  */
3885  {
3886  /* buffers all packet IDs to delete from send_reliable */
3887  struct reliable_ack send_ack;
3888 
3889  send_ack.len = 0;
3890  if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3891  {
3892  msg(D_TLS_ERRORS,
3893  "TLS Error: reading acknowledgement record from packet");
3894  goto error;
3895  }
3896  reliable_send_purge(ks->send_reliable, &send_ack);
3897  }
3898 
3899  if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3900  {
3901  packet_id_type id;
3902 
3903  /* Extract the packet ID from the packet */
3904  if (reliable_ack_read_packet_id(buf, &id))
3905  {
3906  /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3908  {
3909  if (reliable_not_replay(ks->rec_reliable, id))
3910  {
3911  /* Save incoming ciphertext packet to reliable buffer */
3912  struct buffer *in = reliable_get_buf(ks->rec_reliable);
3913  ASSERT(in);
3914  if (!buf_copy(in, buf))
3915  {
3917  "Incoming control channel packet too big, dropping.");
3918  goto error;
3919  }
3921  }
3922 
3923  /* Process outgoing acknowledgment for packet just received, even if it's a replay */
3925  }
3926  }
3927  }
3928  }
3929  }
3930  }
3931 
3932 done:
3933  buf->len = 0;
3934  *opt = NULL;
3935  gc_free(&gc);
3936  return ret;
3937 
3938 error:
3939  ++multi->n_soft_errors;
3940 error_lite:
3941  tls_clear_error();
3942  goto done;
3943 }
3944 
3945 /*
3946  * This function is similar to tls_pre_decrypt, except it is called
3947  * when we are in server mode and receive an initial incoming
3948  * packet. Note that we don't modify
3949  * any state in our parameter objects. The purpose is solely to
3950  * determine whether we should generate a client instance
3951  * object, in which case true is returned.
3952  *
3953  * This function is essentially the first-line HMAC firewall
3954  * on the UDP port listener in --mode server mode.
3955  */
3956 bool
3958  const struct link_socket_actual *from,
3959  const struct buffer *buf)
3960 
3961 {
3962  struct gc_arena gc = gc_new();
3963  bool ret = false;
3964 
3965  if (buf->len > 0)
3966  {
3967  int op;
3968  int key_id;
3969 
3970  /* get opcode and key ID */
3971  {
3972  uint8_t c = *BPTR(buf);
3973  op = c >> P_OPCODE_SHIFT;
3974  key_id = c & P_KEY_ID_MASK;
3975  }
3976 
3977  /* this packet is from an as-yet untrusted source, so
3978  * scrutinize carefully */
3979 
3982  {
3983  /*
3984  * This can occur due to bogus data or DoS packets.
3985  */
3987  "TLS State Error: No TLS state for client %s, opcode=%d",
3988  print_link_socket_actual(from, &gc),
3989  op);
3990  goto error;
3991  }
3992 
3993  if (key_id != 0)
3994  {
3996  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
3997  key_id,
3998  print_link_socket_actual(from, &gc));
3999  goto error;
4000  }
4001 
4002  if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame))
4003  {
4005  "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
4006  buf->len,
4007  print_link_socket_actual(from, &gc),
4008  EXPANDED_SIZE_DYNAMIC(&tas->frame));
4009  goto error;
4010  }
4011 
4012  {
4013  struct buffer newbuf = clone_buf(buf);
4014  struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;
4015  bool status;
4016 
4017  /* HMAC test, if --tls-auth was specified */
4018  status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL);
4019  free_buf(&newbuf);
4020  free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata);
4021  if (tls_wrap_tmp.cleanup_key_ctx)
4022  {
4023  free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi);
4024  }
4025  if (!status)
4026  {
4027  goto error;
4028  }
4029 
4030  /*
4031  * At this point, if --tls-auth is being used, we know that
4032  * the packet has passed the HMAC test, but we don't know if
4033  * it is a replay yet. We will attempt to defeat replays
4034  * by not advancing to the S_START state until we
4035  * receive an ACK from our first reply to the client
4036  * that includes an HMAC of our randomly generated 64 bit
4037  * session ID.
4038  *
4039  * On the other hand if --tls-auth is not being used, we
4040  * will proceed to begin the TLS authentication
4041  * handshake with only cursory integrity checks having
4042  * been performed, since we will be leaving the task
4043  * of authentication solely up to TLS.
4044  */
4045 
4046  ret = true;
4047  }
4048  }
4049  gc_free(&gc);
4050  return ret;
4051 
4052 error:
4053  tls_clear_error();
4054  gc_free(&gc);
4055  return ret;
4056 }
4057 
4058 /* Choose the key with which to encrypt a data packet */
4059 void
4061  struct buffer *buf, struct crypto_options **opt)
4062 {
4063  multi->save_ks = NULL;
4064  if (buf->len > 0)
4065  {
4066  int i;
4067  struct key_state *ks_select = NULL;
4068  for (i = 0; i < KEY_SCAN_SIZE; ++i)
4069  {
4070  struct key_state *ks = multi->key_scan[i];
4071  if (ks->state >= S_ACTIVE
4072  && ks->authenticated
4074 #ifdef ENABLE_DEF_AUTH
4075  && !ks->auth_deferred
4076 #endif
4077  )
4078  {
4079  if (!ks_select)
4080  {
4081  ks_select = ks;
4082  }
4083  if (now >= ks->auth_deferred_expire)
4084  {
4085  ks_select = ks;
4086  break;
4087  }
4088  }
4089  }
4090 
4091  if (ks_select)
4092  {
4093  *opt = &ks_select->crypto_options;
4094  multi->save_ks = ks_select;
4095  dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
4096  return;
4097  }
4098  else
4099  {
4100  struct gc_arena gc = gc_new();
4101  dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
4102  print_key_id(multi, &gc));
4103  gc_free(&gc);
4104  }
4105  }
4106 
4107  buf->len = 0;
4108  *opt = NULL;
4109 }
4110 
4111 void
4112 tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
4113 {
4114  struct key_state *ks = multi->save_ks;
4115  uint8_t op;
4116 
4117  msg(D_TLS_DEBUG, __func__);
4118 
4119  ASSERT(ks);
4120 
4121  op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
4122  ASSERT(buf_write_prepend(buf, &op, 1));
4123 }
4124 
4125 void
4126 tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
4127 {
4128  struct key_state *ks = multi->save_ks;
4129  uint32_t peer;
4130 
4131  msg(D_TLS_DEBUG, __func__);
4132 
4133  ASSERT(ks);
4134 
4135  peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
4136  | (multi->peer_id & 0xFFFFFF));
4137  ASSERT(buf_write_prepend(buf, &peer, 4));
4138 }
4139 
4140 void
4141 tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
4142 {
4143  struct key_state *ks = multi->save_ks;
4144  multi->save_ks = NULL;
4145 
4146  if (buf->len > 0)
4147  {
4148  ASSERT(ks);
4149 
4150  ++ks->n_packets;
4151  ks->n_bytes += buf->len;
4152  }
4153 }
4154 
4155 /*
4156  * Send a payload over the TLS control channel.
4157  * Called externally.
4158  */
4159 
4160 bool
4162  const uint8_t *data,
4163  int size)
4164 {
4165  struct tls_session *session;
4166  struct key_state *ks;
4167  bool ret = false;
4168 
4169  tls_clear_error();
4170 
4171  ASSERT(multi);
4172 
4173  session = &multi->session[TM_ACTIVE];
4174  ks = &session->key[KS_PRIMARY];
4175 
4176  if (ks->state >= S_ACTIVE)
4177  {
4178  if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
4179  {
4180  ret = true;
4181  }
4182  }
4183  else
4184  {
4185  if (!ks->paybuf)
4186  {
4187  ks->paybuf = buffer_list_new(0);
4188  }
4189  buffer_list_push_data(ks->paybuf, data, (size_t)size);
4190  ret = true;
4191  }
4192 
4193 
4194  tls_clear_error();
4195 
4196  return ret;
4197 }
4198 
4199 bool
4201  struct buffer *buf)
4202 {
4203  struct tls_session *session;
4204  struct key_state *ks;
4205  bool ret = false;
4206 
4207  tls_clear_error();
4208 
4209  ASSERT(multi);
4210 
4211  session = &multi->session[TM_ACTIVE];
4212  ks = &session->key[KS_PRIMARY];
4213 
4214  if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4215  {
4216  if (buf_copy(buf, &ks->plaintext_read_buf))
4217  {
4218  ret = true;
4219  }
4220  ks->plaintext_read_buf.len = 0;
4221  }
4222 
4223  tls_clear_error();
4224 
4225  return ret;
4226 }
4227 
4228 void
4229 tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4230 {
4231  struct gc_arena gc = gc_new();
4232  int i, j;
4233 
4234  for (i = 0; i < TM_SIZE; ++i)
4235  {
4236  struct tls_session *session = &multi->session[i];
4237 
4238  for (j = 0; j < KS_SIZE; ++j)
4239  {
4240  struct key_state *ks = &session->key[j];
4241 
4243  || link_socket_actual_match(addr, &ks->remote_addr))
4244  {
4245  continue;
4246  }
4247 
4248  dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4250  print_link_socket_actual(addr, &gc));
4251 
4252  ks->remote_addr = *addr;
4253  }
4254  }
4255  gc_free(&gc);
4256 }
4257 
4258 int
4259 tls_peer_info_ncp_ver(const char *peer_info)
4260 {
4261  const char *ncpstr = peer_info ? strstr(peer_info, "IV_NCP=") : NULL;
4262  if (ncpstr)
4263  {
4264  int ncp = 0;
4265  int r = sscanf(ncpstr, "IV_NCP=%d", &ncp);
4266  if (r == 1)
4267  {
4268  return ncp;
4269  }
4270  }
4271  return 0;
4272 }
4273 
4274 bool
4275 tls_check_ncp_cipher_list(const char *list)
4276 {
4277  bool unsupported_cipher_found = false;
4278 
4279  ASSERT(list);
4280 
4281  char *const tmp_ciphers = string_alloc(list, NULL);
4282  const char *token = strtok(tmp_ciphers, ":");
4283  while (token)
4284  {
4286  {
4287  msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
4288  unsupported_cipher_found = true;
4289  }
4290  token = strtok(NULL, ":");
4291  }
4292  free(tmp_ciphers);
4293 
4294  return 0 < strlen(list) && !unsupported_cipher_found;
4295 }
4296 
4297 void
4298 show_available_tls_ciphers(const char *cipher_list,
4299  const char *cipher_list_tls13,
4300  const char *tls_cert_profile)
4301 {
4302  printf("Available TLS Ciphers, listed in order of preference:\n");
4303 
4304  if (tls_version_max() >= TLS_VER_1_3)
4305  {
4306  printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4307  show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4308  }
4309 
4310  printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4311  show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4312 
4313  printf("\n"
4314  "Be aware that that whether a cipher suite in this list can actually work\n"
4315  "depends on the specific setup of both peers. See the man page entries of\n"
4316  "--tls-cipher and --show-tls for more details.\n\n"
4317  );
4318 }
4319 
4320 /*
4321  * Dump a human-readable rendition of an openvpn packet
4322  * into a garbage collectable string which is returned.
4323  */
4324 const char *
4325 protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4326 {
4327  struct buffer out = alloc_buf_gc(256, gc);
4328  struct buffer buf = *buffer;
4329 
4330  uint8_t c;
4331  int op;
4332  int key_id;
4333 
4334  int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4335 
4336  if (buf.len <= 0)
4337  {
4338  buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4339  goto done;
4340  }
4341 
4342  if (!(flags & PD_TLS))
4343  {
4344  goto print_data;
4345  }
4346 
4347  /*
4348  * Initial byte (opcode)
4349  */
4350  if (!buf_read(&buf, &c, sizeof(c)))
4351  {
4352  goto done;
4353  }
4354  op = (c >> P_OPCODE_SHIFT);
4355  key_id = c & P_KEY_ID_MASK;
4356  buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4357 
4358  if ((op == P_DATA_V1) || (op == P_DATA_V2))
4359  {
4360  goto print_data;
4361  }
4362 
4363  /*
4364  * Session ID
4365  */
4366  {
4367  struct session_id sid;
4368 
4369  if (!session_id_read(&sid, &buf))
4370  {
4371  goto done;
4372  }
4373  if (flags & PD_VERBOSE)
4374  {
4375  buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4376  }
4377  }
4378 
4379  /*
4380  * tls-auth hmac + packet_id
4381  */
4382  if (tls_auth_hmac_size)
4383  {
4384  struct packet_id_net pin;
4385  uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4386 
4387  ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4388 
4389  if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4390  {
4391  goto done;
4392  }
4393  if (flags & PD_VERBOSE)
4394  {
4395  buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4396  }
4397 
4398  if (!packet_id_read(&pin, &buf, true))
4399  {
4400  goto done;
4401  }
4402  buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4403  }
4404 
4405  /*
4406  * ACK list
4407  */
4408  buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4409 
4410  if (op == P_ACK_V1)
4411  {
4412  goto done;
4413  }
4414 
4415  /*
4416  * Packet ID
4417  */
4418  {
4419  packet_id_type l;
4420  if (!buf_read(&buf, &l, sizeof(l)))
4421  {
4422  goto done;
4423  }
4424  l = ntohpid(l);
4426  }
4427 
4428 print_data:
4429  if (flags & PD_SHOW_DATA)
4430  {
4431  buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4432  }
4433  else
4434  {
4435  buf_printf(&out, " DATA len=%d", buf.len);
4436  }
4437 
4438 done:
4439  return BSTR(&out);
4440 }
4441 
4442 void
4444 {
4445  auth_user_pass.wait_for_push = false;
4447 }
static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame)
Definition: ssl.c:326
struct reliable * rec_reliable
Definition: ssl_common.h:190
#define TLSMP_ACTIVE
Definition: ssl.h:231
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3671
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure.
Definition: reliable.c:327
static const char * packet_opcode_name(int op)
Definition: ssl.c:777
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
void options_warning(char *actual, const char *expected)
Definition: options.c:3832
const char * ecdh_curve
Definition: options.h:541
struct key_type key_type
Definition: ssl_common.h:247
int read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1645
#define EXPANDED_SIZE_DYNAMIC(f)
Definition: mtu.h:173
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, const char *pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context...
Definition: ssl_openssl.c:742
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl.h:55
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition: ssl.c:839
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
const char * ca_file_inline
Definition: options.h:548
Security parameter state for processing data channel packets.
Definition: crypto.h:232
struct key_state_ssl ks_ssl
Definition: ssl_common.h:171
#define D_TLS_KEYSELECT
Definition: errlevel.h:143
const char * management_certificate
Definition: options.h:396
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:571
char * ncp_get_best_cipher(const char *server_list, const char *server_cipher, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
Iterates through the ciphers in server_list and return the first cipher that is also supported by the...
Definition: ssl.c:1972
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:466
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition: ssl.c:1210
bool tun_mtu_defined
Definition: options.h:108
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:228
bool ncp_enabled
Definition: options.h:511
unsigned int management_flags
Definition: options.h:395
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
struct key_state key[KS_SIZE]
Definition: ssl_common.h:446
#define TLSMP_INACTIVE
Definition: ssl.h:230
const char * crl_file
Definition: ssl_common.h:284
struct buffer plaintext_read_buf
Definition: ssl_common.h:185
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:528
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
#define S_NORMAL_OP
Normal operational key_state state.
Definition: ssl_common.h:110
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1319
bool tls_crypt_v2
Definition: ssl_common.h:308
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:351
bool options_cmp_equal_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:3967
void free_buf(struct buffer *buf)
Definition: buffer.c:185
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:503
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
const char * cipher_list
Definition: options.h:538
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition: ssl.c:2264
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
bool tls_server
Definition: options.h:529
#define TLS_MULTI_AUTH_STATUS_INTERVAL
Definition: ssl.h:100
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:871
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:688
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition: ssl_common.h:86
static const char * session_index_name(int index)
Definition: ssl.c:817
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition: ssl.c:558
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition: session_id.h:48
#define D_TLS_DEBUG
Definition: errlevel.h:162
#define USER_PASS_LEN
Definition: misc.h:72
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:232
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:836
static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition: ssl.c:296
const char * cert_file
Definition: options.h:534
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:3826
const char * tls_cert_profile
Definition: options.h:540
#define GET_USER_PASS_STATIC_CHALLENGE
Definition: misc.h:121
#define streq(x, y)
Definition: options.h:660
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:138
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
#define TLS_OPTIONS_LEN
Definition: ssl.h:107
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:656
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1947
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:524
Packet geometry parameters.
Definition: mtu.h:93
struct key_state * save_ks
Definition: ssl_common.h:520
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:985
static void key_state_soft_reset(struct tls_session *session)
Definition: ssl.c:2235
static void link_socket_set_outgoing_addr(const struct buffer *buf, struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:983
const char * ca_path
Definition: options.h:532
struct tls_options * opt
Definition: ssl_common.h:411
time_t must_negotiate
Definition: ssl_common.h:174
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:349
char * peer_info
Definition: ssl_common.h:559
const char * ca_file
Definition: options.h:531
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2892
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition: reliable.h:46
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:244
bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1612
bool verified
Definition: ssl_common.h:441
void options_warning_safe(char *actual, const char *expected, size_t actual_n)
Definition: options.c:3990
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:4141
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:201
#define dmsg
Definition: error.h:174
const char * auth_user_pass_verify_script
Definition: ssl_common.h:317
const char * priv_key_file
Definition: options.h:536
void session_id_random(struct session_id *sid)
Definition: session_id.c:51
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
#define D_TLS_ERRORS
Definition: errlevel.h:59
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
const char * tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc)
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_in...
Definition: ssl.c:1938
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1201
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2873
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user&#39;s password.
Definition: ssl.c:382
int tls_authentication_status(struct tls_multi *multi, const int latency)
Definition: ssl_verify.c:907
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1914
#define SID_SIZE
Definition: session_id.h:45
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1346
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
const char * auth_user_pass_file
Definition: ssl_common.h:320
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
struct reliable_ack * rec_ack
Definition: ssl_common.h:191
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1211
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:1039
const char * config_ncp_ciphers
Definition: ssl_common.h:305
const char * crl_file_inline
Definition: options.h:551
int handshake_window
Definition: ssl_common.h:273
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl.c:1918
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4229
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition: ssl_common.h:78
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:435
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition: ssl.c:1227
#define packet_id_format
Definition: packet_id.h:95
static void perf_pop(void)
Definition: perf.h:82
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:245
#define D_MULTI_DROPPED
Definition: errlevel.h:102
static bool read_string(struct buffer *buf, char *str, const unsigned int capacity)
Definition: ssl.c:2283
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:4126
static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl.c:1517
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:101
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
bool defined
Definition: misc.h:64
#define SIZE(x)
Definition: basic.h:30
#define D_MTU_INFO
Definition: errlevel.h:106
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1441
int cipher_kt_iv_size(const cipher_kt_t *cipher_kt)
Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.
bool cipher_kt_insecure(const cipher_kt_t *cipher)
Returns true if we consider this cipher to be insecure.
void key_state_export_keying_material(struct key_state_ssl *ks_ssl, struct tls_session *session) __attribute__((nonnull))
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:152
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition: ssl.c:4325
#define ENABLE_DEF_AUTH
Definition: config-msvc.h:5
const char * cryptoapi_cert
Definition: options.h:574
#define TLS_VER_1_1
Definition: ssl_backend.h:115
static void flush_payload_buffer(struct key_state *ks)
Definition: ssl.c:2215
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:301
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition: reliable.c:473
const char * pkcs12_file_inline
Definition: options.h:554
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2366
#define DECRYPT_KEY_ENABLED(multi, ks)
Check whether the ks key_state is ready to receive data channel packets.
Definition: ssl_verify.h:89
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1929
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:112
#define ASSERT(x)
Definition: error.h:221
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:125
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:91
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:946
#define OPENVPN_STATE_AUTH
Definition: manage.h:495
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:298
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3957
#define OPENVPN_PLUGIN_FUNC_SUCCESS
bool authenticated
Definition: ssl_common.h:201
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2210
static struct user_pass auth_user_pass
Definition: ssl.c:401
void ssl_set_auth_token(const char *token)
Definition: ssl.c:458
const char * config_ciphername
Definition: ssl_common.h:304
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:2066
const char * pkcs12_file
Definition: options.h:537
struct reliable * send_reliable
Definition: ssl_common.h:189
int renegotiate_bytes
Definition: ssl_common.h:275
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:350
bool link_mtu_defined
Definition: options.h:112
char username[USER_PASS_LEN]
Definition: misc.h:74
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:155
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
bool is_hard_reset(int op, int key_method)
Given a key_method, return true if opcode represents the required form of hard_reset.
Definition: ssl.c:856
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
#define MODE_SERVER
Definition: options.h:205
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:4060
bool use_peer_id
Definition: ssl_common.h:586
bool initialized
Definition: crypto.h:225
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:121
#define TLS_VER_1_2
Definition: ssl_backend.h:116
struct link_socket_actual to_link_addr
Definition: ssl_common.h:526
#define OPENVPN_AEAD_MIN_IV_LEN
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV...
Definition: crypto.h:268
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition: reliable.c:696
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:527
#define SWAP_BUF_SIZE
Definition: ssl.c:1397
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition: ssl_common.h:102
const char * ncp_ciphers
Definition: options.h:512
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:233
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition: reliable.h:465
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:102
struct key_state * key_scan[KEY_SCAN_SIZE]
List of key_state objects in the order they should be scanned by data channel modules.
Definition: ssl_common.h:511
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition: packet_id.c:391
void prng_uninit(void)
Definition: crypto.c:1740
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1296
static char * auth_challenge
Definition: ssl.c:405
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2148
uint8_t id[8]
Definition: session_id.h:40
struct link_socket_actual remote_addr
Definition: ssl_common.h:179
bool nocache
Definition: misc.h:65
#define CLEAR(x)
Definition: basic.h:33
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4006
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:213
#define BUF_SIZE(f)
Definition: mtu.h:194
static bool write_empty_string(struct buffer *buf)
Definition: ssl.c:2254
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:601
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:2013
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:220
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2722
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition: ssl.c:1174
#define KEY_SCAN_SIZE
Definition: ssl_common.h:488
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:128
#define OPENVPN_STATE_WAIT
Definition: manage.h:494
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:122
interval_t packet_timeout
Definition: ssl_common.h:274
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:4112
#define S_ERROR
Error state.
Definition: ssl_common.h:77
int tun_mtu
Definition: options.h:107
static void tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen)
Definition: ssl.c:1736
interval_t renegotiate_seconds
Definition: ssl_common.h:277
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:388
struct env_item * list
Definition: env_set.h:44
#define P_KEY_ID_MASK
Definition: ssl.h:50
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:134
unsigned int packet_id_print_type
Definition: packet_id.h:96
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1874
struct session_id session_id_remote
Definition: ssl_common.h:178
const char * iana_name
Definition: ssl_backend.h:62
static bool tls_session_generate_data_channel_keys(struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition: ssl.c:2037
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition: packet_id.h:311
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define counter_format
Definition: common.h:39
const char * crl_file_inline
Definition: ssl_common.h:285
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:121
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:384
bool single_session
Definition: ssl_common.h:265
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
void reliable_ack_adjust_frame_parameters(struct frame *frame, int max)
Definition: reliable.c:258
void key_state_rm_auth_control_file(struct key_state *ks)
Remove the given key state&#39;s auth control file, if it exists.
#define malloc
Definition: cmocka.c:1795
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl.h:64
const char * authname
Definition: options.h:513
#define S_START
Three-way handshake is complete, start of key exchange.
Definition: ssl_common.h:91
#define INCR_SUCCESS
Definition: ssl.c:104
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:337
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, const char *extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1647
time_t established
Definition: ssl_common.h:173
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4298
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
#define TM_UNTRUSTED
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:467
struct crypto_options crypto_options
Definition: ssl_common.h:181
#define P_LAST_OPCODE
Definition: ssl.h:71
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1255
char * locked_cn
Definition: ssl_common.h:540
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID is not a replay.
Definition: reliable.c:426
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition: reliable.c:490
void free_ssl_lib(void)
Definition: ssl.c:357
static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. ...
Definition: ssl.c:1900
int extra_link
Maximum number of bytes in excess of external network interface&#39;s MTU that might be read from or writ...
Definition: mtu.h:122
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define ntohpid(x)
Definition: packet_id.h:64
const struct static_challenge_info * sci
Definition: ssl_common.h:365
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition: reliable.c:265
int n_hard_errors
Definition: ssl_common.h:534
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:807
int transition_window
Definition: ssl_common.h:272
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
#define INLINE_FILE_TAG
Definition: common.h:95
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:408
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
static struct user_pass passbuf
Definition: ssl.c:370
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition: ssl.h:82
bool xmit_hold
Definition: ssl_common.h:253
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:114
unsigned __int32 uint32_t
Definition: config-msvc.h:158
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags...
Definition: auth_token.c:390
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:131
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake...
Definition: ssl_common.h:81
unsigned int flags
Definition: route.h:153
int keysize
Definition: options.h:514
#define INCR_ERROR
Definition: ssl.c:105
const char * ciphername
Definition: options.h:510
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below...
Definition: ssl_openssl.c:436
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
void pem_password_setup(const char *auth_file)
Definition: ssl.c:373
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition: reliable.c:627
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:478
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Definition: ssl.c:1400
int key_id
The current active key id, used to keep track of renegotiations.
Definition: ssl_common.h:427
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:696
static struct user_pass auth_token
Definition: ssl.c:402
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
bool ncp_enabled
Definition: ssl_common.h:306
#define P_CONTROL_V1
Definition: ssl.h:57
#define OPENVPN_PLUGIN_TLS_FINAL
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:1199
struct buffer_list * paybuf
Definition: ssl_common.h:193
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition: reliable.h:151
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher...
Definition: ssl_openssl.c:498
#define TLS_RELIABLE_N_REC_BUFFERS
Definition: ssl.h:83
void tls_adjust_frame_parameters(struct frame *frame)
Definition: ssl.c:316
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
const char * extra_certs_file
Definition: options.h:535
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:108
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:1991
int replay_window
Definition: ssl_common.h:300
static SERVICE_STATUS status
Definition: automatic.c:43
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:884
void set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
Definition: misc.c:480
static bool key_method_1_write(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2325
unsigned int ssl_flags
Definition: options.h:561
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:230
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl.h:63
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:542
bool tls_check_ncp_cipher_list(const char *list)
Check whether the ciphers in the supplied list are supported.
Definition: ssl.c:4275
struct tls_wrap_ctx tls_wrap
Definition: ssl.h:132
void ssl_set_auth_nocache(void)
Definition: ssl.c:446
int hmac_ctx_size(const hmac_ctx_t *ctx)
struct tls_wrap_ctx tls_wrap
Definition: ssl_common.h:417
#define PERF_TLS_MULTI_PROCESS
Definition: perf.h:42
struct tls_options opt
Definition: ssl_common.h:509
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
int n_soft_errors
Definition: ssl_common.h:535
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:698
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
const char * challenge_text
Definition: misc.h:101
const char * cert_file_inline
Definition: options.h:549
const struct plugin_list * plugins
Definition: ssl_common.h:338
struct buffer plaintext_write_buf
Definition: ssl_common.h:186
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
struct link_socket_actual untrusted_addr
Definition: ssl_common.h:444
char * string
Definition: env_set.h:38
#define msg
Definition: error.h:173
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
#define S_GOT_KEY
Local OpenVPN process has received the remote&#39;s part of the key material.
Definition: ssl_common.h:97
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:522
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define PAYLOAD_SIZE_DYNAMIC(f)
Definition: mtu.h:166
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:921
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition: ssl.h:630
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:588
#define INCR_SENT
Definition: ssl.c:102
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4200
static void key_source2_print(const struct key_source2 *k)
Definition: ssl.c:1631
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1331
static const char * local_options_string(const struct tls_session *session)
Definition: ssl.c:71
struct connection_entry ce
Definition: options.h:230
#define SC_ECHO
Definition: misc.h:98
static void openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition: ssl.c:1773
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name...
Definition: ssl_backend.h:62
struct packet_id_send send
Definition: packet_id.h:207
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
bool wait_for_push
Definition: misc.h:66
const char * local_options
Definition: ssl_common.h:258
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:471
#define TLS_VER_1_0
Definition: ssl_backend.h:114
#define TLS_AUTHENTICATION_FAILED
Definition: ssl_verify.h:69
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
struct key_source client
Random provided by client.
Definition: ssl_common.h:139
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:328
#define TLS_VER_1_3
Definition: ssl_backend.h:117
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:561
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:2073
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:517
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition: ssl.c:1042
#define P_DATA_V1
Definition: ssl.h:59
static void tls1_P_hash(const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen)
Definition: ssl.c:1649
#define CONTROL_SEND_ACK_MAX
Definition: ssl.h:77
#define BLEN(buf)
Definition: buffer.h:127
time_t auth_deferred_expire
Definition: ssl_common.h:202
struct key_source server
Random provided by server.
Definition: ssl_common.h:140
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition: ssl.c:1074
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID can safely be stored in the reliable structure&#39;s processing window...
Definition: reliable.c:453
void init_ssl_lib(void)
Definition: ssl.c:349
char * strsep(char **stringp, const char *delim)
Definition: compat-strsep.c:38
void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername)
"Poor man&#39;s NCP": Use peer cipher if it is an allowed (NCP) cipher.
Definition: ssl.c:2017
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin, or the management interface.
Definition: ssl_verify.c:1254
#define P_OPCODE_SHIFT
Definition: ssl.h:51
unsigned char md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct buffer * reliable_get_buf_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition: reliable.c:526
void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
Definition: ssl.c:409
struct frame frame
Definition: ssl.h:133
#define D_HANDSHAKE
Definition: errlevel.h:72
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:133
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:169
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition: misc.h:120
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
#define D_SHOW_KEY_SOURCE
Definition: errlevel.h:119
#define TLSMP_KILL
Definition: ssl.h:232
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, const char *ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1494
unsigned __int8 uint8_t
Definition: config-msvc.h:160
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition: reliable.c:570
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid)
Remove an entry from a reliable structure.
Definition: reliable.c:723
struct session_id session_id
Definition: ssl_common.h:420
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Definition: misc.c:124
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3475
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1072
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:459
enum tls_wrap_ctx::@11 mode
Control channel wrapping mode.
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:91
static bool buf_write_u32(struct buffer *dest, int data)
Definition: buffer.h:727
void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags)
Definition: mtu.c:87
unsigned int flags
Definition: misc.h:99
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
static char * read_string_alloc(struct buffer *buf)
Definition: ssl.c:2299
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:894
bool ssl_clean_auth_token(void)
Definition: ssl.c:467
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition: ssl.c:982
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:385
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl.h:56
const char * extra_certs_file_inline
Definition: options.h:550
struct key_source2 * key_src
Definition: ssl_common.h:183
int initial_opcode
Definition: ssl_common.h:419
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:612
static bool key_method_1_read(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2587
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
void delayed_auth_pass_purge(void)
Definition: ssl.c:4443
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:408
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition: ssl_common.h:94
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:320
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition: misc.c:717
static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl.c:1455
Definition: misc.h:62
int renegotiate_packets
Definition: ssl_common.h:276
int push_peer_info_detail
Definition: ssl_common.h:271
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
int initial_opcode
Definition: ssl_common.h:177
bool disable_occ
Definition: ssl_common.h:267
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition: reliable.c:123
struct frame frame
Definition: ssl_common.h:314
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1277
#define TLS_AUTHENTICATION_SUCCEEDED
Definition: ssl_verify.h:68
#define buf_init(buf, offset)
Definition: buffer.h:196
#define OPENVPN_OP_ENCRYPT
Cipher should encrypt.
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:4161
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
static bool key_method_2_write(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2471
void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu)
Definition: mtu.c:56
const char * cipher_list_tls13
Definition: options.h:539
#define OPENVPN_OP_DECRYPT
Cipher should decrypt.
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition: reliable.c:542
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2663
char * locked_username
Definition: ssl_common.h:541
char * common_name
Definition: ssl_common.h:433
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition: reliable.c:309
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:972
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
void crypto_uninit_lib(void)
const char * translate_cipher_name_from_openvpn(const char *cipher_name)
Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file...
Definition: crypto.c:1841
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
int link_mtu
Maximum packet size to be sent over the external network interface.
Definition: mtu.h:94
#define D_TLS_DEBUG_MED
Definition: errlevel.h:154
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:470
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
uint32_t peer_id
Definition: ssl_common.h:585
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:1976
static void frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement)
Definition: mtu.h:280
uint32_t packet_id_type
Definition: packet_id.h:49
#define PD_VERBOSE
Definition: ssl.h:633
static const char * state_name(int state)
Definition: ssl.c:740
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:77
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
static bool generate_key_expansion(struct key_ctx_bi *key, const struct key_type *key_type, const struct key_source2 *key_src, const struct session_id *client_sid, const struct session_id *server_sid, bool server)
Definition: ssl.c:1819
#define M_WARN
Definition: error.h:96
void tls_clear_error(void)
Clear the underlying SSL library&#39;s error state.
Definition: ssl_openssl.c:102
void ssl_purge_auth_challenge(void)
Definition: ssl.c:496
static int min_int(int x, int y)
Definition: integer.h:57
#define PACKAGE_VERSION
Definition: config.h:742
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:580
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition: reliable.c:407
#define free
Definition: cmocka.c:1850
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:906
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1496
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation...
Definition: ssl_openssl.c:217
#define PD_TLS
Definition: ssl.h:632
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl.h:54
void generate_key_random(struct key *key, const struct key_type *kt)
Definition: crypto.c:1032
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1076
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition: reliable.c:158
const char * openssl_name
Definition: ssl_backend.h:62
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:883
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1417
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:234
int key_method
Definition: ssl_common.h:263
#define FULL_SYNC
Definition: ssl.c:2227
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
int interval_t
Definition: common.h:45
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
static void key_source_print(const struct key_source *k, const char *prefix)
Definition: ssl.c:1605
counter_type n_bytes
Definition: ssl_common.h:195
struct buffer ack_write_buf
Definition: ssl_common.h:187
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition: session_id.c:57
static bool tls_peer_supports_ncp(const char *peer_info)
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list...
Definition: ssl.c:2652
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]
The implicit part of the IV.
Definition: crypto.h:168
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt)
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:1961
static const tls_cipher_name_pair tls_cipher_name_translation_table[]
SSL/TLS Cipher suite name translation table.
Definition: ssl.c:112
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition: ssl.c:902
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2181
#define BSTR(buf)
Definition: buffer.h:129
static bool auth_user_pass_enabled
Definition: ssl.c:400
hmac_ctx_t * hmac_ctx_new(void)
#define TUN_LINK_DELTA(f)
Definition: mtu.h:151
#define KEY_METHOD_MASK
Definition: ssl.h:119
const char * dh_file
Definition: options.h:533
time_t must_die
Definition: ssl_common.h:175
#define KEY_EXPANSION_ID
Definition: ssl.h:47
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition: ssl.c:1146
char password[USER_PASS_LEN]
Definition: misc.h:75
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl.h:67
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:117
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1434
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition: ssl.c:2132
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition: reliable.c:664
struct gc_arena gc
Definition: options.h:197
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
static void update_time(void)
Definition: otime.h:93
bool replay
Definition: options.h:518
static int auth_deferred_expire_window(const struct tls_options *o)
Definition: ssl.c:2851
char * dest
Definition: compat-lz4.h:431
counter_type n_packets
Definition: ssl_common.h:196
int tls_peer_info_ncp_ver(const char *peer_info)
Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified.
Definition: ssl.c:4259
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:78
#define MF_EXTERNAL_CERT
Definition: manage.h:351
void buffer_list_pop(struct buffer_list *ol)
Definition: buffer.c:1348
#define P_ACK_V1
Definition: ssl.h:58
void hmac_ctx_free(hmac_ctx_t *ctx)
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1283
const char * dh_file_inline
Definition: options.h:553
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:229
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition: buffer.c:1256
#define MF_EXTERNAL_KEY
Definition: manage.h:345
const char * remote_options
Definition: ssl_common.h:259
#define P_DATA_V2
Definition: ssl.h:60
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl.c:270
int replay_time
Definition: ssl_common.h:301
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition: reliable.c:608
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition: reliable.c:355
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
const cipher_kt_t * cipher_kt_get(const char *ciphername)
Return cipher parameters, based on the given cipher name.
void crypto_init_lib(void)
unsigned int ssl_flags
Definition: ssl_common.h:356
char * priv_key_file_inline
Definition: options.h:552
struct _stat platform_stat_t
Definition: platform.h:141
#define PD_SHOW_DATA
Definition: ssl.h:631
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:122
void hmac_ctx_reset(hmac_ctx_t *ctx)
struct env_set * es
Definition: ssl_common.h:336
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:2670
int fragment
Definition: options.h:117
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:754
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:312
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:112
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition: reliable.c:141
int link_mtu_dynamic
Dynamic MTU value for the external network interface.
Definition: mtu.h:97
int link_mtu
Definition: options.h:111
#define INCR_GENERATED
Definition: ssl.c:103
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3280
const char * crl_file
Definition: options.h:546