OpenVPN
Macros | Functions
ssl_ncp.h File Reference
#include "buffer.h"
#include "options.h"
#include "ssl_common.h"
Include dependency graph for ssl_ncp.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Macros

#define MAX_NCP_CIPHERS_LENGTH   127
 The maximum length of a ncp-cipher string that is accepted. More...
 

Functions

bool tls_peer_supports_ncp (const char *peer_info)
 Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list. More...
 
bool check_pull_client_ncp (struct context *c, int found)
 Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should abort. More...
 
char * ncp_get_best_cipher (const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc)
 Iterates through the ciphers in server_list and return the first cipher that is also supported by the peer according to the IV_NCP and IV_CIPHER values in peer_info. More...
 
const char * tls_peer_ncp_list (const char *peer_info, struct gc_arena *gc)
 Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_info. More...
 
char * mutate_ncp_cipher_list (const char *list, struct gc_arena *gc)
 Check whether the ciphers in the supplied list are supported. More...
 
void append_cipher_to_ncp_list (struct options *o, const char *ciphername)
 Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list. More...
 
bool tls_item_in_cipher_list (const char *item, const char *list)
 Return true iff item is present in the colon-separated zero-terminated cipher list. More...
 
void p2p_mode_ncp (struct tls_multi *multi, struct tls_session *session)
 Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info. More...
 
const char * get_p2p_ncp_cipher (struct tls_session *session, const char *peer_info, struct gc_arena *gc)
 Determines the best common cipher from both peers IV_CIPHER lists. More...
 
bool check_session_cipher (struct tls_session *session, struct options *options)
 Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher. More...
 

Macro Definition Documentation

◆ MAX_NCP_CIPHERS_LENGTH

#define MAX_NCP_CIPHERS_LENGTH   127

The maximum length of a ncp-cipher string that is accepted.

Since this list needs to be pushed as IV_CIPHERS, we are conservative about its length.

Definition at line 125 of file ssl_ncp.h.

Function Documentation

◆ append_cipher_to_ncp_list()

void append_cipher_to_ncp_list ( struct options o,
const char *  ciphername 
)

Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.

Parameters
ooptions struct to modify. Its gc is also used
ciphernamethe ciphername to add

Definition at line 195 of file ssl_ncp.c.

References ASSERT, options::gc, gc_malloc(), options::ncp_ciphers, and openvpn_snprintf().

Referenced by options_set_backwards_compatible_options().

◆ check_pull_client_ncp()

bool check_pull_client_ncp ( struct context c,
int  found 
)

Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should abort.

Returns
Wether the client NCP process suceeded or failed

Definition at line 315 of file ssl_ncp.c.

References context::c2, D_PUSH_DEBUG, D_TLS_ERRORS, options::enable_ncp_fallback, msg, options::ncp_ciphers, OPT_P_NCP, context::options, tls_multi::remote_ciphername, context_2::tls_multi, and tls_poor_mans_ncp().

Referenced by do_deferred_options().

◆ check_session_cipher()

bool check_session_cipher ( struct tls_session session,
struct options options 
)

Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.

Definition at line 511 of file ssl_ncp.c.

References options::ciphername, D_TLS_ERRORS, options::enable_ncp_fallback, msg, options::ncp_ciphers, streq, and tls_item_in_cipher_list().

Referenced by tls_session_update_crypto_params().

◆ get_p2p_ncp_cipher()

const char* get_p2p_ncp_cipher ( struct tls_session session,
const char *  peer_info,
struct gc_arena gc 
)

Determines the best common cipher from both peers IV_CIPHER lists.

The first cipher from the tls-server that is also in the tls-client IV_CIPHER list will be returned. If no common cipher can be found, both peer will continue to use whatever cipher is their default and NULL will be returned.

Parameters
sessiontls_session
peer_infopeer info of the peer
gcgc arena that will be used to allocate the returned cipher
Returns
common cipher if one exist.

Definition at line 360 of file ssl_ncp.c.

References extract_var_peer_info(), gc_free(), gc_new(), string_alloc(), strsep(), and tls_item_in_cipher_list().

Referenced by do_deferred_p2p_ncp(), and p2p_mode_ncp().

◆ mutate_ncp_cipher_list()

char* mutate_ncp_cipher_list ( const char *  list,
struct gc_arena gc 
)

Check whether the ciphers in the supplied list are supported.

Parameters
listColon-separated list of ciphers @parms gc gc_arena to allocate the returned string
Returns
colon separated string of normalised (via translate_cipher_name_from_openvpn) and zero terminated string iff all ciphers in list are supported and the total length is short than MAX_NCP_CIPHERS_LENGTH. NULL otherwise.

Definition at line 95 of file ssl_ncp.c.

References alloc_buf(), buf_forward_capacity(), buf_len(), buf_null_terminate(), buf_puts(), buf_str(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), cipher_kt_name(), cipher_valid(), free_buf(), M_WARN, MAX_NCP_CIPHERS_LENGTH, msg, and string_alloc().

Referenced by options_postprocess_mutate(), and test_check_ncp_ciphers_list().

◆ ncp_get_best_cipher()

char* ncp_get_best_cipher ( const char *  server_list,
const char *  peer_info,
const char *  remote_cipher,
struct gc_arena gc 
)

Iterates through the ciphers in server_list and return the first cipher that is also supported by the peer according to the IV_NCP and IV_CIPHER values in peer_info.

We also accept a cipher that is the remote cipher of the client for "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. Allows non-NCP peers to upgrade their cipher individually.

Make sure to call tls_session_update_crypto_params() after calling this function.

Parameters
gcgc arena that is ONLY used to allocate the returned string
Returns
NULL if no common cipher is available, otherwise the best common cipher

Definition at line 248 of file ssl_ncp.c.

References gc_free(), gc_new(), streq, string_alloc(), strsep(), tls_item_in_cipher_list(), and tls_peer_ncp_list().

Referenced by multi_client_set_protocol_options(), test_ncp_best(), and test_poor_man().

◆ p2p_mode_ncp()

void p2p_mode_ncp ( struct tls_multi multi,
struct tls_session session 
)

Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.

In contrast of the server mode NCP that tries to accomandate all kind of corner cases in P2P mode NCP only takes IV_CIPHER into account and falls back to previous behaviour if this fails.

Definition at line 470 of file ssl_ncp.c.

References alloc_buf_gc(), BSTR, buf_printf(), cipher_defined(), cipher_kt_name(), CO_USE_TLS_KEY_MATERIAL_EXPORT, D_TLS_DEBUG_LOW, gc_free(), gc_new(), get_p2p_ncp_cipher(), msg, p2p_ncp_set_options(), tls_multi::peer_id, tls_multi::peer_info, and tls_multi::use_peer_id.

Referenced by key_method_2_read(), and key_method_2_write().

◆ tls_item_in_cipher_list()

bool tls_item_in_cipher_list ( const char *  item,
const char *  list 
)

◆ tls_peer_ncp_list()

const char* tls_peer_ncp_list ( const char *  peer_info,
struct gc_arena gc 
)

Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_info.

Returns
Either a string containing the ncp list that is either static or allocated via gc. If no information is available an empty string ("") is returned.

Definition at line 227 of file ssl_ncp.c.

References extract_var_peer_info(), and tls_peer_info_ncp_ver().

Referenced by multi_client_set_protocol_options(), ncp_get_best_cipher(), and test_extract_client_ciphers().

◆ tls_peer_supports_ncp()

bool tls_peer_supports_ncp ( const char *  peer_info)

Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.

Definition at line 77 of file ssl_ncp.c.

References tls_peer_info_ncp_ver().

Referenced by prepare_push_reply(), and test_extract_client_ciphers().