OpenVPN
ssl_common.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_COMMON_H_
30 #define SSL_COMMON_H_
31 
32 #include "session_id.h"
33 #include "socket.h"
34 #include "packet_id.h"
35 #include "crypto.h"
36 #include "options.h"
37 
38 #include "ssl_backend.h"
39 
40 /* passwords */
41 #define UP_TYPE_AUTH "Auth"
42 #define UP_TYPE_PRIVATE_KEY "Private Key"
43 
77 #define S_ERROR -1
78 #define S_UNDEF 0
80 #define S_INITIAL 1
83 #define S_PRE_START 2
86 #define S_START 3
88 #define S_SENT_KEY 4
90 #define S_GOT_KEY 5
93 #define S_ACTIVE 6
97 /* ready to exchange data channel packets */
98 #define S_NORMAL_OP 7
108 struct key_source {
109  uint8_t pre_master[48];
112  uint8_t random1[32];
115  uint8_t random2[32];
117 };
118 
119 
125 struct key_source2 {
126  struct key_source client;
127  struct key_source server;
128 };
129 
148 struct key_state
149 {
150  int state;
151 
156  int key_id;
157 
158  struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */
159 
160  time_t established; /* when our state went S_ACTIVE */
161  time_t must_negotiate; /* key negotiation times out if not finished before this time */
162  time_t must_die; /* this object is destroyed at this time */
164  int initial_opcode; /* our initial P_ opcode */
165  struct session_id session_id_remote; /* peer's random session ID */
166  struct link_socket_actual remote_addr; /* peer's IP addr */
167 
168  struct crypto_options crypto_options;/* data channel crypto options */
170  struct key_source2 *key_src; /* source entropy for key expansion */
172  struct buffer plaintext_read_buf;
173  struct buffer plaintext_write_buf;
174  struct buffer ack_write_buf;
176  struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */
177  struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
178  struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */
180  struct buffer_list *paybuf;
182  counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
183  counter_type n_packets; /* how many packets sent/recvd since last key exchange */
184 
185  /*
186  * If bad username/password, TLS connection will come up but 'authenticated' will be false.
187  */
188  bool authenticated;
189  time_t auth_deferred_expire;
191 #ifdef ENABLE_DEF_AUTH
192  /* If auth_deferred is true, authentication is being deferred */
193  bool auth_deferred;
194 #ifdef MANAGEMENT_DEF_AUTH
195  unsigned int mda_key_id;
196  unsigned int mda_status;
197 #endif
198 #ifdef PLUGIN_DEF_AUTH
199  unsigned int auth_control_status;
200  time_t acf_last_mod;
201  char *auth_control_file;
202 #endif
203 #endif
204 };
205 
207 struct tls_wrap_ctx
208 {
209  enum {
210  TLS_WRAP_NONE = 0,
211  TLS_WRAP_AUTH,
212  TLS_WRAP_CRYPT,
213  } mode;
214  struct crypto_options opt;
215  struct buffer work;
216  struct key_ctx tls_crypt_v2_server_key;
217  const struct buffer *tls_crypt_v2_wkc;
219  struct buffer tls_crypt_v2_metadata;
220  bool cleanup_key_ctx;
222 };
224 /*
225  * Our const options, obtained directly or derived from
226  * command line options.
227  */
229 {
230  /* our master TLS context from which all SSL objects derived */
231  struct tls_root_ctx ssl_ctx;
233  /* data channel cipher, hmac, and key lengths */
234  struct key_type key_type;
235 
236  /* true if we are a TLS server, client otherwise */
237  bool server;
238 
239  /* if true, don't xmit until first packet from peer is received */
240  bool xmit_hold;
242 #ifdef ENABLE_OCC
243  /* local and remote options strings
244  * that must match between client and server */
245  const char *local_options;
246  const char *remote_options;
247 #endif
248 
249  /* from command line */
250  int key_method;
251  bool replay;
252  bool single_session;
253 #ifdef ENABLE_OCC
254  bool disable_occ;
255 #endif
256  int mode;
257  bool pull;
258  int push_peer_info_detail;
259  int transition_window;
260  int handshake_window;
261  interval_t packet_timeout;
262  int renegotiate_bytes;
263  int renegotiate_packets;
264  interval_t renegotiate_seconds;
266  /* cert verification parms */
267  const char *verify_command;
268  const char *verify_export_cert;
269  int verify_x509_type;
270  const char *verify_x509_name;
271  const char *crl_file;
272  const char *crl_file_inline;
273  int ns_cert_type;
274  unsigned remote_cert_ku[MAX_PARMS];
275  const char *remote_cert_eku;
276  uint8_t *verify_hash;
277  hash_algo_type verify_hash_algo;
278  char *x509_username_field;
279 
280  /* allow openvpn config info to be
281  * passed over control channel */
282  bool pass_config_info;
284  /* struct crypto_option flags */
285  unsigned int crypto_flags;
287  int replay_window; /* --replay-window parm */
288  int replay_time; /* --replay-window parm */
289  bool tcp_mode;
291  const char *config_ciphername;
292  const char *config_authname;
293  bool ncp_enabled;
294 
295  bool tls_crypt_v2;
296  const char *tls_crypt_v2_verify_script;
297 
299  struct tls_wrap_ctx tls_wrap;
301  /* frame parameters for TLS control channel */
302  struct frame frame;
303 
304  /* used for username/password authentication */
305  const char *auth_user_pass_verify_script;
306  bool auth_user_pass_verify_script_via_file;
307  const char *tmp_dir;
308  const char *auth_user_pass_file;
309  bool auth_token_generate;
311  unsigned int auth_token_lifetime;
313  /* use the client-config-dir as a positive authenticator */
314  const char *client_config_dir_exclusive;
316  /* instance-wide environment variable set */
317  struct env_set *es;
318  const struct plugin_list *plugins;
320  /* compression parms */
321 #ifdef USE_COMP
322  struct compress_options comp_options;
323 #endif
325  /* configuration file SSL-related boolean and low-permutation options */
326 #define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
327 #define SSLF_CLIENT_CERT_OPTIONAL (1<<1)
328 #define SSLF_USERNAME_AS_COMMON_NAME (1<<2)
329 #define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3)
330 #define SSLF_OPT_VERIFY (1<<4)
331 #define SSLF_CRL_VERIFY_DIR (1<<5)
332 #define SSLF_TLS_VERSION_MIN_SHIFT 6
333 #define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
334 #define SSLF_TLS_VERSION_MAX_SHIFT 10
335 #define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
336  unsigned int ssl_flags;
337 
338 #ifdef MANAGEMENT_DEF_AUTH
339  struct man_def_auth_context *mda_context;
340 #endif
342  const struct x509_track *x509_track;
344 #ifdef ENABLE_MANAGEMENT
345  const struct static_challenge_info *sci;
346 #endif
348  /* --gremlin bits */
349  int gremlin;
350 
351  /* Keying Material Exporter [RFC 5705] parameters */
352  const char *ekm_label;
353  size_t ekm_label_size;
354  size_t ekm_size;
355 };
356 
364 #define KS_PRIMARY 0
365 #define KS_LAME_DUCK 1
367 #define KS_SIZE 2
371 #define AUTH_TOKEN_SIZE 32
391 struct tls_session
392 {
393  /* const options and config info */
394  struct tls_options *opt;
395 
396  /* during hard reset used to control burst retransmit */
397  bool burst;
398 
399  /* authenticate control packets */
400  struct tls_wrap_ctx tls_wrap;
401 
402  int initial_opcode; /* our initial P_ opcode */
403  struct session_id session_id; /* our random session ID */
404 
410  int key_id;
411 
412  int limit_next; /* used for traffic shaping on the control channel */
414  int verify_maxlevel;
415 
416  char *common_name;
417 
420 #ifdef ENABLE_PF
421  uint32_t common_name_hashval;
422 #endif
423 
424  bool verified; /* true if peer certificate was verified against CA */
425 
426  /* not-yet-authenticated incoming client */
427  struct link_socket_actual untrusted_addr;
429  struct key_state key[KS_SIZE];
430 };
431 
449 #define TM_ACTIVE 0
450 #define TM_UNTRUSTED 1
452 #define TM_LAME_DUCK 2
453 #define TM_SIZE 3
459 /*
460  * The number of keys we will scan on encrypt or decrypt. The first
461  * is the "active" key. The second is the lame_duck or retiring key
462  * associated with the active key's session ID. The third is a detached
463  * lame duck session that only occurs in situations where a key renegotiate
464  * failed on the active key, but a lame duck key was still valid. By
465  * preserving the lame duck session, we can be assured of having a data
466  * channel key available even when network conditions are so bad that
467  * we can't negotiate a new key within the time allotted.
468  */
469 #define KEY_SCAN_SIZE 3
471 
485 struct tls_multi
486 {
487  /* used to coordinate access between main thread and TLS thread */
488  /*MUTEX_PTR_DEFINE (mutex);*/
489 
490  /* const options and config info */
491  struct tls_options opt;
492 
493  struct key_state *key_scan[KEY_SCAN_SIZE];
498  /*
499  * used by tls_pre_encrypt to communicate the encrypt key
500  * to tls_post_encrypt()
501  */
502  struct key_state *save_ks; /* temporary pointer used between pre/post routines */
504  /*
505  * Used to return outgoing address from
506  * tls_multi_process.
507  */
508  struct link_socket_actual to_link_addr;
510  int n_sessions;
513  /*
514  * Number of errors.
515  */
516  int n_hard_errors; /* errors due to TLS negotiation failure */
517  int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
518 
519  /*
520  * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
521  */
522  char *locked_cn;
523  char *locked_username;
524  struct cert_hash_set *locked_cert_hash_set;
525 
526 #ifdef ENABLE_DEF_AUTH
527  /*
528  * An error message to send to client on AUTH_FAILED
529  */
530  char *client_reason;
531 
532  /* Time of last call to tls_authentication_status */
533  time_t tas_last;
534 #endif
536 #if P2MP_SERVER
537  /*
538  * A multi-line string of general-purpose info received from peer
539  * over control channel.
540  */
541  char *peer_info;
542 #endif
543 
544  /* For P_DATA_V2 */
545  uint32_t peer_id;
546  bool use_peer_id;
547 
548  char *remote_ciphername;
550  char *auth_token;
554  time_t auth_token_tstamp;
555  bool auth_token_sent;
557  /*
558  * Our session objects.
559  */
560  struct tls_session session[TM_SIZE];
564 };
565 
566 #endif /* SSL_COMMON_H_ */
Security parameter state for processing data channel packets.
Definition: crypto.h:232
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:161
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:138
Packet geometry parameters.
Definition: mtu.h:93
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
hash_algo_type
Types referencing specific message digest hashing algorithms.
#define MAX_PARMS
Definition: options.h:51
Structure containing the hashes for a full certificate chain.
Definition: ssl_verify.h:59
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:220
#define KEY_SCAN_SIZE
Definition: ssl_common.h:487
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:381
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:121
unsigned __int32 uint32_t
Definition: config-msvc.h:121
static struct user_pass auth_token
Definition: ssl.c:401
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
unsigned int counter_type
Definition: common.h:38
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:470
struct key_source server
Random provided by server.
Definition: ssl_common.h:140
unsigned __int8 uint8_t
Definition: config-msvc.h:123
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:90
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:407
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
int interval_t
Definition: common.h:45
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151