OpenVPN
ssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Sentyron B.V. <openvpn@sentyron.com>
10 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
30/*
31 * The routines in this file deal with dynamically negotiating
32 * the data channel HMAC and cipher keys through a TLS session.
33 *
34 * Both the TLS session and the data channel are multiplexed
35 * over the same TCP/UDP port.
36 */
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "syshead.h"
42#include "win32.h"
43
44#include "error.h"
45#include "common.h"
46#include "socket.h"
47#include "misc.h"
48#include "fdmisc.h"
49#include "interval.h"
50#include "perf.h"
51#include "status.h"
52#include "gremlin.h"
53#include "pkcs11.h"
54#include "route.h"
55#include "tls_crypt.h"
56
57#include "crypto_epoch.h"
58#include "ssl.h"
59#include "ssl_verify.h"
60#include "ssl_backend.h"
61#include "ssl_ncp.h"
62#include "ssl_util.h"
63#include "auth_token.h"
64#include "mss.h"
65#include "dco.h"
66
67#include "memdbg.h"
68#include "openvpn.h"
69
70#ifdef MEASURE_TLS_HANDSHAKE_STATS
71
72static int tls_handshake_success; /* GLOBAL */
73static int tls_handshake_error; /* GLOBAL */
74static int tls_packets_generated; /* GLOBAL */
75static int tls_packets_sent; /* GLOBAL */
76
77#define INCR_SENT ++tls_packets_sent
78#define INCR_GENERATED ++tls_packets_generated
79#define INCR_SUCCESS ++tls_handshake_success
80#define INCR_ERROR ++tls_handshake_error
81
82void
83show_tls_performance_stats(void)
84{
85 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
86 (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
87 tls_handshake_success, tls_handshake_error,
88 (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
89}
90#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
91
92#define INCR_SENT
93#define INCR_GENERATED
94#define INCR_SUCCESS
95#define INCR_ERROR
96
97#endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
98
106static void
107tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
108{
109 if (cipher_kt_insecure(ciphername))
110 {
111 if (*reneg_bytes == -1) /* Not user-specified */
112 {
113 msg(M_WARN, "WARNING: cipher with small block size in use, "
114 "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
115 *reneg_bytes = 64 * 1024 * 1024;
116 }
117 }
118}
119
120static uint64_t
121tls_get_limit_aead(const char *ciphername)
122{
123 uint64_t limit = cipher_get_aead_limits(ciphername);
124
125 if (limit == 0)
126 {
127 return 0;
128 }
129
130 /* set limit to 7/8 of the limit so the renegotiation can succeed before
131 * we go over the limit */
132 limit = limit / 8 * 7;
133
135 "Note: AEAD cipher %s will trigger a renegotiation"
136 " at a sum of %" PRIi64 " blocks and packets.",
137 ciphername, limit);
138 return limit;
139}
140
141void
143{
144 /*
145 * frame->extra_frame is already initialized with tls_auth buffer requirements,
146 * if --tls-auth is enabled.
147 */
148
149 /* calculates the maximum overhead that control channel frames can have */
150 int overhead = 0;
151
152 /* Socks */
153 overhead += 10;
154
155 /* tls-auth and tls-crypt */
157
158 /* TCP length field and opcode */
159 overhead += 3;
160
161 /* ACK array and remote SESSION ID (part of the ACK array) */
162 overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
163
164 /* Previous OpenVPN version calculated the maximum size and buffer of a
165 * control frame depending on the overhead of the data channel frame
166 * overhead and limited its maximum size to 1250. Since control frames
167 * also need to fit into data channel buffer we have the same
168 * default of 1500 + 100 as data channel buffers have. Increasing
169 * control channel mtu beyond this limit also increases the data channel
170 * buffers */
171 frame->buf.payload_size = max_int(1500, tls_mtu) + 100;
172
173 frame->buf.headroom = overhead;
174 frame->buf.tailroom = overhead;
175
176 frame->tun_mtu = tls_mtu;
177
178 /* Ensure the tun-mtu stays in a valid range */
181}
182
183#if defined(__GNUC__) || defined(__clang__)
184#pragma GCC diagnostic push
185#pragma GCC diagnostic ignored "-Wconversion"
186#endif
187
193static int
195{
196 const struct key_state *ks = &session->key[KS_PRIMARY];
197 int overhead = 0;
198
199 /* opcode */
200 overhead += 1;
201
202 /* our own session id */
203 overhead += SID_SIZE;
204
205 /* ACK array and remote SESSION ID (part of the ACK array) */
206 int ackstosend = reliable_ack_outstanding(ks->rec_ack) + ks->lru_acks->len;
207 overhead += ACK_SIZE(min_int(ackstosend, CONTROL_SEND_ACK_MAX));
208
209 /* Message packet id */
210 overhead += sizeof(packet_id_type);
211
212 if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
213 {
214 overhead += tls_crypt_buf_overhead();
215 }
216 else if (session->tls_wrap.mode == TLS_WRAP_AUTH)
217 {
218 overhead += hmac_ctx_size(session->tls_wrap.opt.key_ctx_bi.encrypt.hmac);
219 overhead += packet_id_size(true);
220 }
221
222 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
223 * larger overhead but the risk of a TCP connection getting dropped because
224 * we try to send a too large packet is basically zero */
225 overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
226
227 return overhead;
228}
229
230#if defined(__GNUC__) || defined(__clang__)
231#pragma GCC diagnostic pop
232#endif
233
234void
236{
237 tls_init_lib();
238
240}
241
242void
244{
246
247 tls_free_lib();
248}
249
250/*
251 * OpenSSL library calls pem_password_callback if the
252 * private key is protected by a password.
253 */
254
255static struct user_pass passbuf; /* GLOBAL */
256
257void
258pem_password_setup(const char *auth_file)
259{
261 if (!strlen(passbuf.password))
262 {
265 }
266}
267
268int
269pem_password_callback(char *buf, int size, int rwflag, void *u)
270{
271 if (buf)
272 {
273 /* prompt for password even if --askpass wasn't specified */
274 pem_password_setup(NULL);
276 strncpynt(buf, passbuf.password, (size_t)size);
277 purge_user_pass(&passbuf, false);
278
279 return (int)strlen(buf);
280 }
281 return 0;
282}
283
284/*
285 * Auth username/password handling
286 */
287
288static bool auth_user_pass_enabled; /* GLOBAL */
289static struct user_pass auth_user_pass; /* GLOBAL */
290static struct user_pass auth_token; /* GLOBAL */
291
292#ifdef ENABLE_MANAGEMENT
293static char *auth_challenge; /* GLOBAL */
294#endif
295
296void
301
302void
303auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
304{
305 unsigned int flags = GET_USER_PASS_MANAGEMENT;
306
307 if (is_inline)
308 {
310 }
311
313 {
315#ifdef ENABLE_MANAGEMENT
316 if (auth_challenge) /* dynamic challenge/response */
317 {
320 }
321 else if (sci) /* static challenge response */
322 {
324 if (sci->flags & SC_ECHO)
325 {
327 }
328 if (sci->flags & SC_CONCAT)
329 {
331 }
333 }
334 else
335#endif /* ifdef ENABLE_MANAGEMENT */
336 {
337 get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
338 }
339 }
340}
341
342/*
343 * Disable password caching
344 */
345void
347{
348 passbuf.nocache = true;
349 auth_user_pass.nocache = true;
350}
351
352/*
353 * Get the password caching
354 */
355bool
357{
358 return passbuf.nocache;
359}
360
361/*
362 * Set an authentication token
363 */
364void
365ssl_set_auth_token(const char *token)
366{
367 set_auth_token(&auth_token, token);
368}
369
370void
375
376/*
377 * Cleans an auth token and checks if it was active
378 */
379bool
381{
382 bool wasdefined = auth_token.defined;
384 return wasdefined;
385}
386
387/*
388 * Forget private key password AND auth-user-pass username/password.
389 */
390void
391ssl_purge_auth(const bool auth_user_pass_only)
392{
393 if (!auth_user_pass_only)
394 {
395#ifdef ENABLE_PKCS11
396 pkcs11_logout();
397#endif
398 purge_user_pass(&passbuf, true);
399 }
401#ifdef ENABLE_MANAGEMENT
403#endif
404}
405
406#ifdef ENABLE_MANAGEMENT
407
408void
410{
411 free(auth_challenge);
412 auth_challenge = NULL;
413}
414
415void
416ssl_put_auth_challenge(const char *cr_str)
417{
419 auth_challenge = string_alloc(cr_str, NULL);
420}
421
422#endif
423
424/*
425 * Parse a TLS version string, returning a TLS_VER_x constant.
426 * If version string is not recognized and extra == "or-highest",
427 * return tls_version_max().
428 */
429int
430tls_version_parse(const char *vstr, const char *extra)
431{
432 const int max_version = tls_version_max();
433 if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
434 {
435 return TLS_VER_1_0;
436 }
437 else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
438 {
439 return TLS_VER_1_1;
440 }
441 else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
442 {
443 return TLS_VER_1_2;
444 }
445 else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
446 {
447 return TLS_VER_1_3;
448 }
449 else if (extra && !strcmp(extra, "or-highest"))
450 {
451 return max_version;
452 }
453 else
454 {
455 return TLS_VER_BAD;
456 }
457}
458
470static void
471tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
472{
473 /* if something goes wrong with stat(), we'll store 0 as mtime */
474 platform_stat_t crl_stat = { 0 };
475
476 /*
477 * an inline CRL can't change at runtime, therefore there is no need to
478 * reload it. It will be reloaded upon config change + SIGHUP.
479 * Use always '1' as dummy timestamp in this case: it will trigger the
480 * first load, but will prevent any future reload.
481 */
482 if (crl_file_inline)
483 {
484 crl_stat.st_mtime = 1;
485 }
486 else if (platform_stat(crl_file, &crl_stat) < 0)
487 {
488 /* If crl_last_mtime is zero, the CRL file has not been read before. */
489 if (ssl_ctx->crl_last_mtime == 0)
490 {
491 msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
492 }
493 else
494 {
495 msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
496 }
497 return;
498 }
499
500 /*
501 * Store the CRL if this is the first time or if the file was changed since
502 * the last load.
503 * Note: Windows does not support tv_nsec.
504 */
505 if ((ssl_ctx->crl_last_size == crl_stat.st_size)
506 && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
507 {
508 return;
509 }
510
511 ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
512 ssl_ctx->crl_last_size = crl_stat.st_size;
513 backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
514}
515
516/*
517 * Initialize SSL context.
518 * All files are in PEM format.
519 */
520void
521init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
522{
523 ASSERT(NULL != new_ctx);
524
526
528 {
530 }
531
532 if (options->tls_server)
533 {
534 tls_ctx_server_new(new_ctx);
535
536 if (options->dh_file)
537 {
539 }
540 }
541 else /* if client */
542 {
543 tls_ctx_client_new(new_ctx);
544 }
545
546 /* Restrict allowed certificate crypto algorithms */
548
549 /* Allowable ciphers */
550 /* Since @SECLEVEL also influences loading of certificates, set the
551 * cipher restrictions before loading certificates */
554
555 /* Set the allow groups/curves for TLS if we want to override them */
556 if (options->tls_groups)
557 {
559 }
560
561 if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
562 {
563 goto err;
564 }
565
566 if (options->pkcs12_file)
567 {
568 if (0
570 !options->ca_file))
571 {
572 goto err;
573 }
574 }
575#ifdef ENABLE_PKCS11
576 else if (options->pkcs11_providers[0])
577 {
578 if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
579 {
580 msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
581 options->pkcs11_id);
582 goto err;
583 }
584 }
585#endif
586#ifdef ENABLE_CRYPTOAPI
587 else if (options->cryptoapi_cert)
588 {
590 }
591#endif
592#ifdef ENABLE_MANAGEMENT
594 {
596 tls_ctx_load_cert_file(new_ctx, cert, true);
597 free(cert);
598 }
599#endif
600 else if (options->cert_file)
601 {
603 }
604
606 {
607 if (0
610 {
611 goto err;
612 }
613 }
614#ifdef ENABLE_MANAGEMENT
616 {
618 {
619 msg(M_WARN, "Cannot initialize mamagement-external-key");
620 goto err;
621 }
622 }
623#endif
624
626 {
629 }
630
631 /* Load extra certificates that are part of our own certificate
632 * chain but shouldn't be included in the verify chain */
634 {
637 }
638
639 /* Check certificate notBefore and notAfter */
641
642 /* Read CRL */
644 {
645 /* If we're running with the chroot option, we may run init_ssl() before
646 * and after chroot-ing. We can use the crl_file path as-is if we're
647 * not going to chroot, or if we already are inside the chroot.
648 *
649 * If we're going to chroot later, we need to prefix the path of the
650 * chroot directory to crl_file.
651 */
652 if (!options->chroot_dir || in_chroot || options->crl_file_inline)
653 {
655 }
656 else
657 {
658 struct gc_arena gc = gc_new();
661 gc_free(&gc);
662 }
663 }
664
665 /* Once keys and cert are loaded, load ECDH parameters */
666 if (options->tls_server)
667 {
669 }
670
671#ifdef ENABLE_CRYPTO_MBEDTLS
672 /* Personalise the random by mixing in the certificate */
674#endif
675
677 return;
678
679err:
682 return;
683}
684
685/*
686 * Map internal constants to ascii names.
687 */
688static const char *
689state_name(int state)
690{
691 switch (state)
692 {
693 case S_UNDEF:
694 return "S_UNDEF";
695
696 case S_INITIAL:
697 return "S_INITIAL";
698
699 case S_PRE_START_SKIP:
700 return "S_PRE_START_SKIP";
701
702 case S_PRE_START:
703 return "S_PRE_START";
704
705 case S_START:
706 return "S_START";
707
708 case S_SENT_KEY:
709 return "S_SENT_KEY";
710
711 case S_GOT_KEY:
712 return "S_GOT_KEY";
713
714 case S_ACTIVE:
715 return "S_ACTIVE";
716
717 case S_ERROR:
718 return "S_ERROR";
719
720 case S_ERROR_PRE:
721 return "S_ERROR_PRE";
722
723 case S_GENERATED_KEYS:
724 return "S_GENERATED_KEYS";
725
726 default:
727 return "S_???";
728 }
729}
730
731static const char *
733{
734 switch (auth)
735 {
736 case KS_AUTH_TRUE:
737 return "KS_AUTH_TRUE";
738
739 case KS_AUTH_DEFERRED:
740 return "KS_AUTH_DEFERRED";
741
742 case KS_AUTH_FALSE:
743 return "KS_AUTH_FALSE";
744
745 default:
746 return "KS_????";
747 }
748}
749
750static const char *
752{
753 switch (index)
754 {
755 case TM_ACTIVE:
756 return "TM_ACTIVE";
757
758 case TM_INITIAL:
759 return "TM_INITIAL";
760
761 case TM_LAME_DUCK:
762 return "TM_LAME_DUCK";
763
764 default:
765 return "TM_???";
766 }
767}
768
769/*
770 * For debugging.
771 */
772static const char *
773print_key_id(struct tls_multi *multi, struct gc_arena *gc)
774{
775 struct buffer out = alloc_buf_gc(256, gc);
776
777 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
778 {
779 struct key_state *ks = get_key_scan(multi, i);
780 buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
783 }
784
785 return BSTR(&out);
786}
787
788bool
790{
793 {
794 return true;
795 }
796
797 return false;
798}
799
823static void
825{
826 update_time();
827
828 CLEAR(*ks);
829
830 /*
831 * Build TLS object that reads/writes ciphertext
832 * to/from memory BIOs.
833 */
834 key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
835
836 /* Set control-channel initiation mode */
837 ks->initial_opcode = session->initial_opcode;
838 session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
839 ks->state = S_INITIAL;
840 ks->key_id = session->key_id;
841
842 /*
843 * key_id increments to KEY_ID_MASK then recycles back to 1.
844 * This way you know that if key_id is 0, it is the first key.
845 */
846 ++session->key_id;
847 session->key_id &= P_KEY_ID_MASK;
848 if (!session->key_id)
849 {
850 session->key_id = 1;
851 }
852
853 /* allocate key source material object */
855
856 /* allocate reliability objects */
861
862 /* allocate buffers */
865 ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
866 reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
867 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
868 ks->key_id ? false : session->opt->xmit_hold);
869 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
870 session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
871 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
872
873 /* init packet ID tracker */
874 packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
875 session->opt->replay_time, "SSL", ks->key_id);
876
877 ks->crypto_options.pid_persist = NULL;
878
879#ifdef ENABLE_MANAGEMENT
880 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
881#endif
882
883 /*
884 * Attempt CRL reload before TLS negotiation. Won't be performed if
885 * the file was not modified since the last reload
886 */
887 if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
888 {
889 tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file,
890 session->opt->crl_file_inline);
891 }
892}
893
894
908static void
909key_state_free(struct key_state *ks, bool clear)
910{
911 ks->state = S_UNDEF;
912
914
921
924
925 free(ks->rec_ack);
926 free(ks->lru_acks);
927 free(ks->key_src);
928
930
933
934 if (clear)
935 {
936 secure_memzero(ks, sizeof(*ks));
937 }
938}
939
953static inline bool
955{
956 return (session->opt->auth_user_pass_verify_script
960#endif
961 );
962}
963
964
985static void
987{
988 struct gc_arena gc = gc_new();
989
990 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
991
992 CLEAR(*session);
993
994 /* Set options data to point to parent's option structure */
995 session->opt = &multi->opt;
996
997 /* Randomize session # if it is 0 */
998 while (!session_id_defined(&session->session_id))
999 {
1000 session_id_random(&session->session_id);
1001 }
1002
1003 /* Are we a TLS server or client? */
1004 if (session->opt->server)
1005 {
1006 session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2;
1007 }
1008 else
1009 {
1010 session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
1012 }
1013
1014 /* Initialize control channel authentication parameters */
1015 session->tls_wrap = session->opt->tls_wrap;
1016 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1017
1018 /* initialize packet ID replay window for --tls-auth */
1019 packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
1020 session->opt->replay_time, "TLS_WRAP", session->key_id);
1021
1022 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
1023 * to indicate early protocol negotiation */
1024 if (session->opt->tls_crypt_v2)
1025 {
1026 session->tls_wrap.opt.packet_id.send.time = now;
1027 session->tls_wrap.opt.packet_id.send.id = EARLY_NEG_START;
1028 }
1029
1030 /* load most recent packet-id to replay protect on --tls-auth */
1031 packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
1032
1034
1035 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1036 session_id_print(&session->session_id, &gc));
1037
1038 gc_free(&gc);
1039}
1040
1056static void
1058{
1059 tls_wrap_free(&session->tls_wrap);
1060 tls_wrap_free(&session->tls_wrap_reneg);
1061
1062 for (size_t i = 0; i < KS_SIZE; ++i)
1063 {
1064 /* we don't need clear=true for this call since
1065 * the structs are part of session and get cleared
1066 * as part of session */
1067 key_state_free(&session->key[i], false);
1068 }
1069
1070 free(session->common_name);
1071
1072 cert_hash_free(session->cert_hash_set);
1073
1074 if (clear)
1075 {
1076 secure_memzero(session, sizeof(*session));
1077 }
1078}
1079
1085static void
1086move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1087{
1088 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1089 session_index_name(dest), session_index_name(src), reinit_src);
1090 ASSERT(src != dest);
1091 ASSERT(src >= 0 && src < TM_SIZE);
1092 ASSERT(dest >= 0 && dest < TM_SIZE);
1093 tls_session_free(&multi->session[dest], false);
1094 multi->session[dest] = multi->session[src];
1095
1096 if (reinit_src)
1097 {
1098 tls_session_init(multi, &multi->session[src]);
1099 }
1100 else
1101 {
1102 secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1103 }
1104
1105 dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1106}
1107
1108static void
1110{
1111 tls_session_free(session, false);
1112 tls_session_init(multi, session);
1113}
1114
1115/*
1116 * Used to determine in how many seconds we should be
1117 * called again.
1118 */
1119static inline void
1121{
1122 if (seconds_from_now < *earliest)
1123 {
1124 *earliest = seconds_from_now;
1125 }
1126 if (*earliest < 0)
1127 {
1128 *earliest = 0;
1129 }
1130}
1131
1132#if defined(__GNUC__) || defined(__clang__)
1133#pragma GCC diagnostic push
1134#pragma GCC diagnostic ignored "-Wconversion"
1135#endif
1136
1137/*
1138 * Return true if "lame duck" or retiring key has expired and can
1139 * no longer be used.
1140 */
1141static inline bool
1143{
1144 const struct key_state *lame = &session->key[KS_LAME_DUCK];
1145 if (lame->state >= S_INITIAL)
1146 {
1147 ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1148 if (now < lame->must_die)
1149 {
1150 compute_earliest_wakeup(wakeup, lame->must_die - now);
1151 return false;
1152 }
1153 else
1154 {
1155 return true;
1156 }
1157 }
1158 else if (lame->state == S_ERROR)
1159 {
1160 return true;
1161 }
1162 else
1163 {
1164 return false;
1165 }
1166}
1167
1168struct tls_multi *
1170{
1171 struct tls_multi *ret;
1172
1173 ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1174
1175 /* get command line derived options */
1176 ret->opt = *tls_options;
1177 ret->dco_peer_id = -1;
1178 ret->peer_id = MAX_PEER_ID;
1179
1180 return ret;
1181}
1182
1183void
1184tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
1185{
1187 /* initialize the active and untrusted sessions */
1188
1189 tls_session_init(multi, &multi->session[TM_ACTIVE]);
1190 tls_session_init(multi, &multi->session[TM_INITIAL]);
1191}
1192
1193/*
1194 * Initialize and finalize a standalone tls-auth verification object.
1195 */
1196
1197struct tls_auth_standalone *
1199{
1200 struct tls_auth_standalone *tas;
1201
1203
1205
1206 /*
1207 * Standalone tls-auth is in read-only mode with respect to TLS
1208 * control channel state. After we build a new client instance
1209 * object, we will process this session-initiating packet for real.
1210 */
1212
1213 /* get initial frame parms, still need to finalize */
1214 tas->frame = tls_options->frame;
1215
1217 tls_options->replay_time, "TAS", 0);
1218
1219 return tas;
1220}
1221
1222void
1224{
1225 if (!tas)
1226 {
1227 return;
1228 }
1229
1231}
1232
1233/*
1234 * Set local and remote option compatibility strings.
1235 * Used to verify compatibility of local and remote option
1236 * sets.
1237 */
1238void
1239tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
1240{
1241 /* initialize options string */
1242 multi->opt.local_options = local;
1243 multi->opt.remote_options = remote;
1244}
1245
1246/*
1247 * Cleanup a tls_multi structure and free associated memory allocations.
1248 */
1249void
1250tls_multi_free(struct tls_multi *multi, bool clear)
1251{
1252 ASSERT(multi);
1253
1254 auth_set_client_reason(multi, NULL);
1255
1256 free(multi->peer_info);
1257 free(multi->locked_cn);
1258 free(multi->locked_username);
1259 free(multi->locked_original_username);
1260
1262
1263 wipe_auth_token(multi);
1264
1265 free(multi->remote_ciphername);
1266
1267 for (int i = 0; i < TM_SIZE; ++i)
1268 {
1269 tls_session_free(&multi->session[i], false);
1270 }
1271
1272 if (clear)
1273 {
1274 secure_memzero(multi, sizeof(*multi));
1275 }
1276
1277 free(multi);
1278}
1279
1280/*
1281 * For debugging, print contents of key_source2 structure.
1282 */
1283
1284static void
1285key_source_print(const struct key_source *k, const char *prefix)
1286{
1287 struct gc_arena gc = gc_new();
1288
1289 VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1290 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1291 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1292
1293 dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
1294 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1295 dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
1296 format_hex(k->random1, sizeof(k->random1), 0, &gc));
1297 dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
1298 format_hex(k->random2, sizeof(k->random2), 0, &gc));
1299
1300 gc_free(&gc);
1301}
1302
1303static void
1305{
1306 key_source_print(&k->client, "Client");
1307 key_source_print(&k->server, "Server");
1308}
1309
1310static bool
1311openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed,
1312 size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len,
1313 const struct session_id *client_sid, const struct session_id *server_sid,
1314 uint8_t *output, size_t output_len)
1315{
1316 /* concatenate seed components */
1317
1318 struct buffer seed =
1320
1324
1325 if (client_sid)
1326 {
1328 }
1329 if (server_sid)
1330 {
1332 }
1333
1334 /* compute PRF */
1336
1337 buf_clear(&seed);
1338 free_buf(&seed);
1339
1341 return ret;
1342}
1343
1344static void
1345init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1346 bool server, struct key2 *key2)
1347{
1348 /* For now we hardcode this to be 16 for the software based data channel
1349 * DCO based implementations/HW implementation might adjust this number
1350 * based on their expected speed */
1351 const int future_key_count = 16;
1352
1353 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1354 struct key_direction_state kds;
1355 key_direction_state_init(&kds, key_direction);
1356
1357 struct crypto_options *co = &ks->crypto_options;
1358
1359 /* For the epoch key we use the first 32 bytes of key2 cipher keys
1360 * for the initial secret */
1361 struct epoch_key e1_send = { 0 };
1362 e1_send.epoch = 1;
1363 memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key));
1364
1365 struct epoch_key e1_recv = { 0 };
1366 e1_recv.epoch = 1;
1367 memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key));
1368
1369 /* DCO implementations have two choices at this point.
1370 *
1371 * a) (more likely) they probably to pass E1 directly to kernel
1372 * space at this point and do all the other key derivation in kernel
1373 *
1374 * b) They let userspace do the key derivation and pass all the individual
1375 * keys to the DCO layer.
1376 * */
1377 epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
1378
1379 secure_memzero(&e1_send, sizeof(e1_send));
1380 secure_memzero(&e1_recv, sizeof(e1_recv));
1381}
1382
1383static void
1384init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1385 bool server, struct key2 *key2, bool dco_enabled)
1386{
1387 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1388
1389 /* Initialize key contexts */
1390 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1391
1392 if (dco_enabled)
1393 {
1394 if (key->encrypt.hmac)
1395 {
1396 msg(M_FATAL, "FATAL: DCO does not support --auth");
1397 }
1398
1399 int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
1400 if (ret < 0)
1401 {
1402 msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
1403 }
1404
1405 /* encrypt/decrypt context are unused with DCO */
1406 CLEAR(key->encrypt);
1407 CLEAR(key->decrypt);
1408 key->initialized = true;
1409 }
1410 else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT)
1411 {
1413 {
1414 msg(M_FATAL,
1415 "AEAD cipher (currently %s) "
1416 "required for epoch data format.",
1418 }
1419 init_epoch_keys(ks, multi, key_type, server, key2);
1420 }
1421 else
1422 {
1423 init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1424 }
1425}
1426
1427static bool
1429{
1432 sizeof(key2->keys)))
1433 {
1434 return false;
1435 }
1436 key2->n = 2;
1437
1438 return true;
1439}
1440
1441static bool
1443{
1444 uint8_t master[48] = { 0 };
1445
1446 const struct key_state *ks = &session->key[KS_PRIMARY];
1447 const struct key_source2 *key_src = ks->key_src;
1448
1449 const struct session_id *client_sid =
1450 session->opt->server ? &ks->session_id_remote : &session->session_id;
1451 const struct session_id *server_sid =
1452 !session->opt->server ? &ks->session_id_remote : &session->session_id;
1453
1454 /* debugging print of source key material */
1455 key_source2_print(key_src);
1456
1457 /* compute master secret */
1458 if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
1459 KEY_EXPANSION_ID " master secret", key_src->client.random1,
1460 sizeof(key_src->client.random1), key_src->server.random1,
1461 sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
1462 {
1463 return false;
1464 }
1465
1466 /* compute key expansion */
1467 if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
1468 key_src->client.random2, sizeof(key_src->client.random2),
1469 key_src->server.random2, sizeof(key_src->server.random2), client_sid,
1470 server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
1471 {
1472 return false;
1473 }
1474 secure_memzero(&master, sizeof(master));
1475
1476 key2->n = 2;
1477
1478 return true;
1479}
1480
1481/*
1482 * Using source entropy from local and remote hosts, mix into
1483 * master key.
1484 */
1485static bool
1487{
1488 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1489 bool ret = false;
1490 struct key2 key2;
1491
1492 if (key->initialized)
1493 {
1494 msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1495 goto exit;
1496 }
1497
1498 bool server = session->opt->server;
1499
1500 if (session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
1501 {
1503 {
1504 msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1505 goto exit;
1506 }
1507 }
1508 else
1509 {
1511 {
1512 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
1513 "might not support the old TLS 1.0 PRF calculation anymore or "
1514 "the policy does not allow it (e.g. running in FIPS mode). "
1515 "The peer did not announce support for the modern TLS Export "
1516 "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
1517 "2.6.x or higher)");
1518 goto exit;
1519 }
1520 }
1521
1522 key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
1523
1524 /* check for weak keys */
1525 for (int i = 0; i < 2; ++i)
1526 {
1527 if (!check_key(&key2.keys[i], &session->opt->key_type))
1528 {
1529 msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1530 goto exit;
1531 }
1532 }
1533
1534 init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
1535 ret = true;
1536
1537exit:
1538 secure_memzero(&key2, sizeof(key2));
1539
1540 return ret;
1541}
1542
1549bool
1551{
1552 bool ret = false;
1553 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1554
1555 if (ks->authenticated <= KS_AUTH_FALSE)
1556 {
1557 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1558 goto cleanup;
1559 }
1560
1561 ks->crypto_options.flags = session->opt->crypto_flags;
1562
1563 if (!generate_key_expansion(multi, ks, session))
1564 {
1565 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1566 goto cleanup;
1567 }
1568 tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
1569
1570 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
1571
1572 /* set the state of the keys for the session to generated */
1573 ks->state = S_GENERATED_KEYS;
1574
1575 ret = true;
1576cleanup:
1577 secure_memzero(ks->key_src, sizeof(*ks->key_src));
1578 return ret;
1579}
1580
1581bool
1583 struct options *options, struct frame *frame,
1584 struct frame *frame_fragment, struct link_socket_info *lsi,
1585 dco_context_t *dco)
1586{
1587 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
1588 {
1589 /* keys already generated, nothing to do */
1590 return true;
1591 }
1592
1593 init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
1594
1595 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1596 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1597 if (packet_id_long_form)
1598 {
1599 session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
1600 }
1601
1602 frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi);
1603
1604 frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1605
1606 /*
1607 * mssfix uses data channel framing, which at this point contains
1608 * actual overhead. Fragmentation logic uses frame_fragment, which
1609 * still contains worst case overhead. Replace it with actual overhead
1610 * to prevent unneeded fragmentation.
1611 */
1612
1613 if (frame_fragment)
1614 {
1615 frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi);
1616 frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1617 }
1618
1619 if (session->key[KS_PRIMARY].key_id == 0
1620 && session->opt->crypto_flags & CO_USE_DYNAMIC_TLS_CRYPT)
1621 {
1622 /* If dynamic tls-crypt has been negotiated, and we are on the
1623 * first session (key_id = 0), generate a tls-crypt key for the
1624 * following renegotiations */
1626 {
1627 return false;
1628 }
1629 }
1630
1631 if (dco_enabled(options))
1632 {
1633 /* dco_set_peer() must be called if either keepalive or
1634 * mssfix are set to update in-kernel config */
1636 {
1637 int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
1639 if (ret < 0)
1640 {
1641 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
1642 multi->dco_peer_id, strerror(-ret));
1643 return false;
1644 }
1645 }
1646 }
1648}
1649
1650bool
1652 struct options *options, struct frame *frame,
1653 struct frame *frame_fragment, struct link_socket_info *lsi,
1654 dco_context_t *dco)
1655{
1657 {
1658 return false;
1659 }
1660
1661 /* Import crypto settings that might be set by pull/push */
1662 session->opt->crypto_flags |= options->imported_protocol_flags;
1663
1664 return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
1665 lsi, dco);
1666}
1667
1668
1669static bool
1670random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
1671{
1672 if (!rand_bytes(out, outlen))
1673 {
1674 msg(M_FATAL,
1675 "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1676 }
1677 if (!buf_write(buf, out, outlen))
1678 {
1679 return false;
1680 }
1681 return true;
1682}
1683
1684static bool
1685key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
1686{
1687 struct key_source *k = &k2->client;
1688 if (server)
1689 {
1690 k = &k2->server;
1691 }
1692
1693 CLEAR(*k);
1694
1695 if (!server)
1696 {
1697 if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1698 {
1699 return false;
1700 }
1701 }
1702
1703 if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
1704 {
1705 return false;
1706 }
1707 if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
1708 {
1709 return false;
1710 }
1711
1712 return true;
1713}
1714
1715static int
1716key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
1717{
1718 struct key_source *k = &k2->client;
1719
1720 if (!server)
1721 {
1722 k = &k2->server;
1723 }
1724
1725 CLEAR(*k);
1726
1727 if (server)
1728 {
1729 if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
1730 {
1731 return 0;
1732 }
1733 }
1734
1735 if (!buf_read(buf, k->random1, sizeof(k->random1)))
1736 {
1737 return 0;
1738 }
1739 if (!buf_read(buf, k->random2, sizeof(k->random2)))
1740 {
1741 return 0;
1742 }
1743
1744 return 1;
1745}
1746
1747static void
1749{
1750 struct buffer *b;
1751
1752 while ((b = buffer_list_peek(ks->paybuf)))
1753 {
1754 key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len);
1756 }
1757}
1758
1759/*
1760 * Move the active key to the lame duck key and reinitialize the
1761 * active key.
1762 */
1763static void
1765{
1766 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1767 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
1768
1769 ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
1770 key_state_free(ks_lame, false);
1771 *ks_lame = *ks;
1772
1774 ks->session_id_remote = ks_lame->session_id_remote;
1775 ks->remote_addr = ks_lame->remote_addr;
1776}
1777
1778void
1783
1784/*
1785 * Read/write strings from/to a struct buffer with a u16 length prefix.
1786 */
1787
1788static bool
1790{
1791 if (!buf_write_u16(buf, 0))
1792 {
1793 return false;
1794 }
1795 return true;
1796}
1797
1798static bool
1799write_string(struct buffer *buf, const char *str, const int maxlen)
1800{
1801 const int len = strlen(str) + 1;
1802 if (len < 1 || (maxlen >= 0 && len > maxlen))
1803 {
1804 return false;
1805 }
1806 if (!buf_write_u16(buf, len))
1807 {
1808 return false;
1809 }
1810 if (!buf_write(buf, str, len))
1811 {
1812 return false;
1813 }
1814 return true;
1815}
1816
1827static int
1828read_string(struct buffer *buf, char *str, const unsigned int capacity)
1829{
1830 const int len = buf_read_u16(buf);
1831 if (len < 1 || len > (int)capacity)
1832 {
1833 buf_advance(buf, len);
1834
1835 /* will also return 0 for a no string being present */
1836 return -len;
1837 }
1838 if (!buf_read(buf, str, len))
1839 {
1840 return -len;
1841 }
1842 str[len - 1] = '\0';
1843 return len;
1844}
1845
1846static char *
1848{
1849 const int len = buf_read_u16(buf);
1850 char *str;
1851
1852 if (len < 1)
1853 {
1854 return NULL;
1855 }
1856 str = (char *)malloc(len);
1858 if (!buf_read(buf, str, len))
1859 {
1860 free(str);
1861 return NULL;
1862 }
1863 str[len - 1] = '\0';
1864 return str;
1865}
1866
1882static bool
1884{
1885 struct gc_arena gc = gc_new();
1886 bool ret = false;
1887 struct buffer out = alloc_buf_gc(512 * 3, &gc);
1888
1889 if (session->opt->push_peer_info_detail > 1)
1890 {
1891 /* push version */
1892 buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
1893
1894 /* push platform */
1895#if defined(TARGET_LINUX)
1896 buf_printf(&out, "IV_PLAT=linux\n");
1897#elif defined(TARGET_SOLARIS)
1898 buf_printf(&out, "IV_PLAT=solaris\n");
1899#elif defined(TARGET_OPENBSD)
1900 buf_printf(&out, "IV_PLAT=openbsd\n");
1901#elif defined(TARGET_DARWIN)
1902 buf_printf(&out, "IV_PLAT=mac\n");
1903#elif defined(TARGET_NETBSD)
1904 buf_printf(&out, "IV_PLAT=netbsd\n");
1905#elif defined(TARGET_FREEBSD)
1906 buf_printf(&out, "IV_PLAT=freebsd\n");
1907#elif defined(TARGET_ANDROID)
1908 buf_printf(&out, "IV_PLAT=android\n");
1909#elif defined(_WIN32)
1910 buf_printf(&out, "IV_PLAT=win\n");
1911#endif
1912 /* Announce that we do not require strict sequence numbers with
1913 * TCP. (TCP non-linear) */
1914 buf_printf(&out, "IV_TCPNL=1\n");
1915 }
1916
1917 /* These are the IV variable that are sent to peers in p2p mode */
1918 if (session->opt->push_peer_info_detail > 0)
1919 {
1920 /* support for P_DATA_V2 */
1922
1923 /* support for the latest --dns option */
1925
1926 /* support for exit notify via control channel */
1928
1929 /* support push-updates */
1931
1932 if (session->opt->pull)
1933 {
1934 /* support for receiving push_reply before sending
1935 * push request, also signal that the client wants
1936 * to get push-reply messages without requiring a round
1937 * trip for a push request message*/
1939
1940 /* Support keywords in the AUTH_PENDING control message */
1942
1943 /* support for AUTH_FAIL,TEMP control message */
1945
1946 /* support for tun-mtu as part of the push message */
1947 buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
1948 }
1949
1950 /* support for Negotiable Crypto Parameters */
1951 if (session->opt->mode == MODE_SERVER || session->opt->pull)
1952 {
1953 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
1954 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
1955 {
1956 buf_printf(&out, "IV_NCP=2\n");
1957 }
1958 }
1959 else
1960 {
1961 /* We are not using pull or p2mp server, instead do P2P NCP */
1963 }
1964
1965 if (session->opt->data_epoch_supported)
1966 {
1968 }
1969
1970 buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
1971
1974
1975 buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
1976
1977 if (session->opt->push_peer_info_detail > 1)
1978 {
1979 /* push compression status */
1980#ifdef USE_COMP
1981 comp_generate_peer_info_string(&session->opt->comp_options, &out);
1982#endif
1983 }
1984
1985 if (session->opt->push_peer_info_detail > 2)
1986 {
1987 /* push mac addr */
1988 struct route_gateway_info rgi;
1989 get_default_gateway(&rgi, 0, session->opt->net_ctx);
1990 if (rgi.flags & RGI_HWADDR_DEFINED)
1991 {
1992 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
1993 }
1994 buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
1995#if defined(_WIN32)
1996 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
1997#else
1998 struct utsname u;
1999 uname(&u);
2000 buf_printf(&out, "IV_PLAT_VER=%s\n", u.release);
2001#endif
2002 }
2003
2004 if (session->opt->push_peer_info_detail > 1)
2005 {
2006 struct env_set *es = session->opt->es;
2007 /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2008 for (struct env_item *e = es->list; e != NULL; e = e->next)
2009 {
2010 if (e->string)
2011 {
2012 if ((((strncmp(e->string, "UV_", 3) == 0
2013 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2014 && session->opt->push_peer_info_detail > 2)
2015 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2016 || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
2017 && buf_safe(&out, strlen(e->string) + 1))
2018 {
2019 buf_printf(&out, "%s\n", e->string);
2020 }
2021 }
2022 }
2023 }
2024
2025 if (!write_string(buf, BSTR(&out), -1))
2026 {
2027 goto error;
2028 }
2029 }
2030 else
2031 {
2032 if (!write_empty_string(buf)) /* no peer info */
2033 {
2034 goto error;
2035 }
2036 }
2037 ret = true;
2038
2039error:
2040 gc_free(&gc);
2041 return ret;
2042}
2043
2044#ifdef USE_COMP
2045static bool
2046write_compat_local_options(struct buffer *buf, const char *options)
2047{
2048 struct gc_arena gc = gc_new();
2049 const char *local_options = options_string_compat_lzo(options, &gc);
2050 bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2051 gc_free(&gc);
2052 return ret;
2053}
2054#endif
2055
2060static bool
2061key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2062{
2063 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2064
2065 ASSERT(buf_init(buf, 0));
2066
2067 /* write a uint32 0 */
2068 if (!buf_write_u32(buf, 0))
2069 {
2070 goto error;
2071 }
2072
2073 /* write key_method + flags */
2074 if (!buf_write_u8(buf, KEY_METHOD_2))
2075 {
2076 goto error;
2077 }
2078
2079 /* write key source material */
2080 if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2081 {
2082 goto error;
2083 }
2084
2085 /* write options string */
2086 {
2087#ifdef USE_COMP
2088 if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2089 && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2090 {
2091 if (!write_compat_local_options(buf, session->opt->local_options))
2092 {
2093 goto error;
2094 }
2095 }
2096 else
2097#endif
2098 if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2099 {
2100 goto error;
2101 }
2102 }
2103
2104 /* write username/password if specified or we are using a auth-token */
2106 {
2107#ifdef ENABLE_MANAGEMENT
2108 auth_user_pass_setup(session->opt->auth_user_pass_file,
2109 session->opt->auth_user_pass_file_inline, session->opt->sci);
2110#else
2111 auth_user_pass_setup(session->opt->auth_user_pass_file,
2112 session->opt->auth_user_pass_file_inline, NULL);
2113#endif
2114 struct user_pass *up = &auth_user_pass;
2115
2116 /*
2117 * If we have a valid auth-token, send that instead of real
2118 * username/password
2119 */
2121 {
2122 up = &auth_token;
2123 }
2125
2126 if (!write_string(buf, up->username, -1))
2127 {
2128 goto error;
2129 }
2130 else if (!write_string(buf, up->password, -1))
2131 {
2132 goto error;
2133 }
2134 /* save username for auth-token which may get pushed later */
2135 if (session->opt->pull && up != &auth_token)
2136 {
2140 }
2142 /* respect auth-nocache */
2144 }
2145 else
2146 {
2147 if (!write_empty_string(buf)) /* no username */
2148 {
2149 goto error;
2150 }
2151 if (!write_empty_string(buf)) /* no password */
2152 {
2153 goto error;
2154 }
2155 }
2156
2157 if (!push_peer_info(buf, session))
2158 {
2159 goto error;
2160 }
2161
2162 if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
2163 {
2164 /* tls-server option set and not P2MP server, so we
2165 * are a P2P client running in tls-server mode */
2166 p2p_mode_ncp(multi, session);
2167 }
2168
2169 return true;
2170
2171error:
2172 msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2173 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2174 return false;
2175}
2176
2177static void
2179{
2180 if (session->opt->ekm_size > 0)
2181 {
2182 unsigned int size = session->opt->ekm_size;
2183 struct gc_arena gc = gc_new();
2184
2185 unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
2187 session->opt->ekm_label_size, ekm,
2188 session->opt->ekm_size))
2189 {
2190 unsigned int len = (size * 2) + 2;
2191
2192 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2193 setenv_str(session->opt->es, "exported_keying_material", key);
2194
2195 dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
2196 secure_memzero(ekm, size);
2197 }
2198 else
2199 {
2200 msg(M_WARN, "WARNING: Export keying material failed!");
2201 setenv_del(session->opt->es, "exported_keying_material");
2202 }
2203 gc_free(&gc);
2204 }
2205}
2206
2211static bool
2212key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2213{
2214 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2215
2216 struct gc_arena gc = gc_new();
2217 char *options;
2218 struct user_pass *up = NULL;
2219
2220 /* allocate temporary objects */
2222
2223 /* discard leading uint32 */
2224 if (!buf_advance(buf, 4))
2225 {
2226 msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
2227 goto error;
2228 }
2229
2230 /* get key method */
2231 int key_method_flags = buf_read_u8(buf);
2232 if ((key_method_flags & KEY_METHOD_MASK) != 2)
2233 {
2234 msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2235 key_method_flags);
2236 goto error;
2237 }
2238
2239 /* get key source material (not actual keys yet) */
2240 if (!key_source2_read(ks->key_src, buf, session->opt->server))
2241 {
2243 "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2244 goto error;
2245 }
2246
2247 /* get options */
2248 if (read_string(buf, options, TLS_OPTIONS_LEN) < 0)
2249 {
2250 msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2251 goto error;
2252 }
2253
2255
2256 /* always extract username + password fields from buf, even if not
2257 * authenticating for it, because otherwise we can't get at the
2258 * peer_info data which follows behind
2259 */
2260 ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2261 int username_len = read_string(buf, up->username, USER_PASS_LEN);
2262 int password_len = read_string(buf, up->password, USER_PASS_LEN);
2263
2264 /* get peer info from control channel */
2265 free(multi->peer_info);
2266 multi->peer_info = read_string_alloc(buf);
2267 if (multi->peer_info)
2268 {
2269 output_peer_info_env(session->opt->es, multi->peer_info);
2270 }
2271
2272 free(multi->remote_ciphername);
2274 multi->remote_usescomp = strstr(options, ",comp-lzo,");
2275
2276 /* In OCC we send '[null-cipher]' instead 'none' */
2277 if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2278 {
2279 free(multi->remote_ciphername);
2280 multi->remote_ciphername = string_alloc("none", NULL);
2281 }
2282
2283 if (username_len < 0 || password_len < 0)
2284 {
2285 msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
2286 abs(password_len));
2287 auth_set_client_reason(multi, "Username or password is too long. "
2288 "Maximum length is 128 bytes");
2289
2290 /* treat the same as failed username/password and do not error
2291 * out (goto error) to sent an AUTH_FAILED back to the client */
2293 }
2295 {
2296 /* Perform username/password authentication */
2297 if (!username_len || !password_len)
2298 {
2299 CLEAR(*up);
2300 if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2301 {
2302 msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2303 goto error;
2304 }
2305 }
2306
2307 verify_user_pass(up, multi, session);
2308 }
2309 else
2310 {
2311 /* Session verification should have occurred during TLS negotiation*/
2312 if (!session->verified)
2313 {
2314 msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
2315 goto error;
2316 }
2318 }
2319
2320 /* clear username and password from memory */
2321 secure_memzero(up, sizeof(*up));
2322
2323 /* Perform final authentication checks */
2324 if (ks->authenticated > KS_AUTH_FALSE)
2325 {
2327 }
2328
2329 /* check options consistency */
2330 if (!options_cmp_equal(options, session->opt->remote_options))
2331 {
2332 const char *remote_options = session->opt->remote_options;
2333#ifdef USE_COMP
2334 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2335 {
2336 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
2337 "with compression enabled.");
2338 remote_options = options_string_compat_lzo(remote_options, &gc);
2339 }
2340#endif
2341
2342 options_warning(options, remote_options);
2343
2344 if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2345 {
2347 "Option inconsistency warnings triggering disconnect due to --opt-verify");
2349 }
2350 }
2351
2352 buf_clear(buf);
2353
2354 /*
2355 * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2356 * veto opportunity over authentication decision.
2357 */
2358 if ((ks->authenticated > KS_AUTH_FALSE)
2360 {
2362
2363 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
2364 session->opt->es)
2366 {
2368 }
2369
2370 setenv_del(session->opt->es, "exported_keying_material");
2371 }
2372
2373 if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2374 {
2375 /* We are a p2p tls-client without pull, enable common
2376 * protocol options */
2377 p2p_mode_ncp(multi, session);
2378 }
2379
2380 gc_free(&gc);
2381 return true;
2382
2383error:
2385 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2386 if (up)
2387 {
2388 secure_memzero(up, sizeof(*up));
2389 }
2390 buf_clear(buf);
2391 gc_free(&gc);
2392 return false;
2393}
2394
2395static int
2397{
2398 int ret = o->handshake_window;
2399 const int r2 = o->renegotiate_seconds / 2;
2400
2401 if (o->renegotiate_seconds && r2 < ret)
2402 {
2403 ret = r2;
2404 }
2405 return ret;
2406}
2407
2414static bool
2416 bool skip_initial_send)
2417{
2419 if (!buf)
2420 {
2421 return false;
2422 }
2423
2424 ks->initial = now;
2425 ks->must_negotiate = now + session->opt->handshake_window;
2427
2428 /* null buffer */
2430
2431 /* If we want to skip sending the initial handshake packet we still generate
2432 * it to increase internal counters etc. but immediately mark it as done */
2434 {
2436 }
2438
2440
2441 struct gc_arena gc = gc_new();
2442 dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2443 session_id_print(&session->session_id, &gc));
2444 gc_free(&gc);
2445
2446#ifdef ENABLE_MANAGEMENT
2448 {
2449 management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
2450 }
2451#endif
2452 return true;
2453}
2454
2459static void
2461 struct link_socket_info *to_link_socket_info, struct key_state *ks)
2462{
2463 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2464
2465 ks->established = now;
2467 {
2468 print_details(&ks->ks_ssl, "Control Channel:");
2469 }
2470 ks->state = S_ACTIVE;
2471 /* Cancel negotiation timeout */
2472 ks->must_negotiate = 0;
2474
2475 /* Set outgoing address for data channel packets */
2476 link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
2477 session->opt->es);
2478
2479 /* Check if we need to advance the tls_multi state machine */
2480 if (multi->multi_state == CAS_NOT_CONNECTED)
2481 {
2482 if (session->opt->mode == MODE_SERVER)
2483 {
2484 /* On a server we continue with running connect scripts next */
2486 }
2487 else
2488 {
2489 /* Skip the connect script related states */
2491 }
2492 }
2493
2494 /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2496
2497#ifdef MEASURE_TLS_HANDSHAKE_STATS
2498 show_tls_performance_stats();
2499#endif
2500}
2501
2502bool
2504 struct link_socket_actual *from)
2505{
2506 struct key_state *ks = &session->key[KS_PRIMARY];
2507 ks->session_id_remote = state->peer_session_id;
2508 ks->remote_addr = *from;
2509 session->session_id = state->server_session_id;
2510 session->untrusted_addr = *from;
2511 session->burst = true;
2512
2513 /* The OpenVPN protocol implicitly mandates that packet id always start
2514 * from 0 in the RESET packets as OpenVPN 2.x will not allow gaps in the
2515 * ids and starts always from 0. Since we skip/ignore one (RESET) packet
2516 * in each direction, we need to set the ids to 1 */
2517 ks->rec_reliable->packet_id = 1;
2518 /* for ks->send_reliable->packet_id, session_move_pre_start moves the
2519 * counter to 1 */
2520 session->tls_wrap.opt.packet_id.send.id = 1;
2521 return session_move_pre_start(session, ks, true);
2522}
2523
2527static bool
2529{
2530 while (buf->len > 0)
2531 {
2532 if (buf_len(buf) < 4)
2533 {
2534 goto error;
2535 }
2536 /* read type */
2537 uint16_t type = buf_read_u16(buf);
2538 uint16_t len = buf_read_u16(buf);
2539 if (buf_len(buf) < len)
2540 {
2541 goto error;
2542 }
2543
2544 switch (type)
2545 {
2547 if (len != sizeof(uint16_t))
2548 {
2549 goto error;
2550 }
2551 uint16_t flags = buf_read_u16(buf);
2552
2553 if (flags & EARLY_NEG_FLAG_RESEND_WKC)
2554 {
2556 }
2557 break;
2558
2559 default:
2560 /* Skip types we do not parse */
2561 buf_advance(buf, len);
2562 }
2563 }
2565
2566 return true;
2567error:
2568 msg(D_TLS_ERRORS, "TLS Error: Early negotiation malformed packet");
2569 return false;
2570}
2571
2576static bool
2577read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
2578{
2579 int status = 0;
2580 if (buf->len)
2581 {
2583 if (status == -1)
2584 {
2585 msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
2586 return false;
2587 }
2588 }
2589 else
2590 {
2591 status = 1;
2592 }
2593 if (status == 1)
2594 {
2596 *continue_tls_process = true;
2597 dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2598 }
2599 return true;
2600}
2601
2602static bool
2604{
2605 return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
2606}
2607
2608
2609static bool
2611 bool *continue_tls_process)
2612{
2613 ASSERT(buf_init(buf, 0));
2614
2615 int status = key_state_read_plaintext(&ks->ks_ssl, buf);
2616
2617 update_time();
2618 if (status == -1)
2619 {
2620 msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2621 return false;
2622 }
2623 if (status == 1)
2624 {
2625 *continue_tls_process = true;
2626 dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2627
2628 /* More data may be available, wake up again asap to check. */
2629 *wakeup = 0;
2630 }
2631 return true;
2632}
2633
2634static bool
2635write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
2636{
2637 struct key_state *ks = &session->key[KS_PRIMARY];
2638
2640 if (rel_avail == 0)
2641 {
2642 return true;
2643 }
2644
2645 /* We need to determine how much space is actually available in the control
2646 * channel frame */
2647 int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, session->opt->frame.tun_mtu);
2648
2649 /* Subtract overhead */
2651
2652 /* calculate total available length for outgoing tls ciphertext */
2653 int maxlen = max_pkt_len * rel_avail;
2654
2655 /* Is first packet one that will have a WKC appended? */
2657 {
2658 maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
2659 }
2660
2661 /* If we end up with a size that leaves no room for payload, ignore the
2662 * constraints to still be to send a packet. This might have gone negative
2663 * if we have a large wrapped client key. */
2664 if (maxlen < 16)
2665 {
2667 "Warning: --max-packet-size (%d) setting too low. "
2668 "Sending minimum sized packet.",
2669 session->opt->frame.tun_mtu);
2670 maxlen = 16;
2671 /* We set the maximum length here to ensure a packet with a wrapped
2672 * key can actually carry the 16 byte of payload */
2673 max_pkt_len = TLS_CHANNEL_BUF_SIZE;
2674 }
2675
2676 /* This seems a bit wasteful to allocate every time */
2677 struct gc_arena gc = gc_new();
2678 struct buffer tmp = alloc_buf_gc(maxlen, &gc);
2679
2681
2682 if (status == -1)
2683 {
2684 msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2685 gc_free(&gc);
2686 return false;
2687 }
2688 if (status == 1)
2689 {
2690 /* Split the TLS ciphertext (TLS record) into multiple small packets
2691 * that respect tls_mtu */
2692 while (tmp.len > 0)
2693 {
2694 int len = max_pkt_len;
2695 int opcode = P_CONTROL_V1;
2697 {
2698 opcode = P_CONTROL_WKC_V1;
2699 len = max_int(0, len - buf_len(session->tls_wrap.tls_crypt_v2_wkc));
2700 }
2701 /* do not send more than available */
2702 len = min_int(len, tmp.len);
2703
2705 /* we assert here since we checked for its availability before */
2706 ASSERT(buf);
2707 buf_copy_n(buf, &tmp, len);
2708
2711 *continue_tls_process = true;
2712 }
2713 dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2714 }
2715
2716 gc_free(&gc);
2717 return true;
2718}
2719
2720static bool
2723{
2724 /* Outgoing Ciphertext to reliable buffer */
2725 if (ks->state >= S_START)
2726 {
2728 if (buf)
2729 {
2731 {
2732 return false;
2733 }
2734 }
2735 }
2736 return true;
2737}
2738
2739static bool
2740tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
2741 struct link_socket_actual **to_link_addr,
2743{
2744 /* This variable indicates if we should call this method
2745 * again to process more incoming/outgoing TLS state/data
2746 * We want to repeat this until we either determined that there
2747 * is nothing more to process or that further processing
2748 * should only be done after the outer loop (sending packets etc.)
2749 * has run once more */
2750 bool continue_tls_process = false;
2751 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2752
2753 /* Initial handshake */
2754 if (ks->state == S_INITIAL)
2755 {
2756 continue_tls_process = session_move_pre_start(session, ks, false);
2757 }
2758
2759 /* Are we timed out on receive? */
2760 if (now >= ks->must_negotiate && ks->state >= S_UNDEF && ks->state < S_ACTIVE)
2761 {
2763 "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2764 session->opt->handshake_window);
2765 goto error;
2766 }
2767
2768 /* Check if the initial three-way Handshake is complete.
2769 * We consider the handshake to be complete when our own initial
2770 * packet has been successfully ACKed. */
2771 if (ks->state == S_PRE_START && reliable_empty(ks->send_reliable))
2772 {
2773 ks->state = S_START;
2774 continue_tls_process = true;
2775
2776 /* New connection, remove any old X509 env variables */
2777 tls_x509_clear_env(session->opt->es);
2778 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2779 }
2780
2781 /* Wait for ACK */
2782 if (((ks->state == S_GOT_KEY && !session->opt->server)
2783 || (ks->state == S_SENT_KEY && session->opt->server))
2785 {
2786 session_move_active(multi, session, to_link_socket_info, ks);
2787 continue_tls_process = true;
2788 }
2789
2790 /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2791 * for previously received packets) */
2792 if (!to_link->len && reliable_can_send(ks->send_reliable))
2793 {
2794 int opcode;
2795
2796 struct buffer *buf = reliable_send(ks->send_reliable, &opcode);
2797 ASSERT(buf);
2798 struct buffer b = *buf;
2799 INCR_SENT;
2800
2801 write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
2802 *to_link = b;
2803 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2804
2805 /* This changed the state of the outgoing buffer. In order to avoid
2806 * running this function again/further and invalidating the key_state
2807 * buffer and accessing the buffer that is now in to_link after it being
2808 * freed for a potential error, we shortcircuit exiting of the outer
2809 * process here. */
2810 return false;
2811 }
2812
2813 if (ks->state == S_ERROR_PRE)
2814 {
2815 /* When we end up here, we had one last chance to send an outstanding
2816 * packet that contained an alert. We do not ensure that this packet
2817 * has been successfully delivered (ie wait for the ACK etc)
2818 * but rather stop processing now */
2819 ks->state = S_ERROR;
2820 return false;
2821 }
2822
2823 /* Write incoming ciphertext to TLS object */
2825 if (entry)
2826 {
2827 /* The first packet from the peer (the reset packet) is special and
2828 * contains early protocol negotiation */
2829 if (entry->packet_id == 0 && is_hard_reset_method2(entry->opcode))
2830 {
2831 if (!parse_early_negotiation_tlvs(&entry->buf, ks))
2832 {
2833 goto error;
2834 }
2835 }
2836 else
2837 {
2838 if (!read_incoming_tls_ciphertext(&entry->buf, ks, &continue_tls_process))
2839 {
2840 goto error;
2841 }
2842 }
2843 }
2844
2845 /* Read incoming plaintext from TLS object */
2846 struct buffer *buf = &ks->plaintext_read_buf;
2847 if (!buf->len)
2848 {
2849 if (!read_incoming_tls_plaintext(ks, buf, wakeup, &continue_tls_process))
2850 {
2851 goto error;
2852 }
2853 }
2854
2855 /* Send Key */
2856 buf = &ks->plaintext_write_buf;
2857 if (!buf->len
2858 && ((ks->state == S_START && !session->opt->server)
2859 || (ks->state == S_GOT_KEY && session->opt->server)))
2860 {
2861 if (!key_method_2_write(buf, multi, session))
2862 {
2863 goto error;
2864 }
2865
2866 continue_tls_process = true;
2867 dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2868 ks->state = S_SENT_KEY;
2869 }
2870
2871 /* Receive Key */
2872 buf = &ks->plaintext_read_buf;
2873 if (buf->len
2874 && ((ks->state == S_SENT_KEY && !session->opt->server)
2875 || (ks->state == S_START && session->opt->server)))
2876 {
2877 if (!key_method_2_read(buf, multi, session))
2878 {
2879 goto error;
2880 }
2881
2882 continue_tls_process = true;
2883 dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2884 ks->state = S_GOT_KEY;
2885 }
2886
2887 /* Write outgoing plaintext to TLS object */
2888 buf = &ks->plaintext_write_buf;
2889 if (buf->len)
2890 {
2891 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2892 if (status == -1)
2893 {
2894 msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2895 goto error;
2896 }
2897 if (status == 1)
2898 {
2899 continue_tls_process = true;
2900 dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2901 }
2902 }
2904 {
2905 goto error;
2906 }
2907
2908 return continue_tls_process;
2909error:
2911
2912 /* Shut down the TLS session but do a last read from the TLS
2913 * object to be able to read potential TLS alerts */
2916
2917 /* Put ourselves in the pre error state that will only send out the
2918 * control channel packets but nothing else */
2919 ks->state = S_ERROR_PRE;
2920
2921 msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
2922 INCR_ERROR;
2923 return true;
2924}
2925
2930static bool
2932{
2933 /* Time limit */
2934 if (session->opt->renegotiate_seconds
2935 && now >= ks->established + session->opt->renegotiate_seconds)
2936 {
2937 return true;
2938 }
2939
2940 /* Byte limit */
2941 if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
2942 {
2943 return true;
2944 }
2945
2946 /* Packet limit */
2947 if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
2948 {
2949 return true;
2950 }
2951
2952 /* epoch key id approaching the 16 bit limit */
2954 {
2955 /* We only need to check the send key as we always keep send
2956 * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */
2957 if (ks->crypto_options.epoch_key_send.epoch >= 0xF000)
2958 {
2959 return true;
2960 }
2961 else
2962 {
2963 return false;
2964 }
2965 }
2966
2967
2968 /* Packet id approach the limit of the packet id */
2970 {
2971 return true;
2972 }
2973
2974 /* Check the AEAD usage limit of cleartext blocks + packets.
2975 *
2976 * Contrary to when epoch data mode is active, where only the sender side
2977 * checks the limit, here we check both receive and send limit since
2978 * we assume that only one side is aware of the limit.
2979 *
2980 * Since if both sides were aware, then both sides will probably also
2981 * switch to use epoch data channel instead, so this code is not
2982 * in effect then.
2983 *
2984 * When epoch are in use the crypto layer will handle this internally
2985 * with new epochs instead of triggering a renegotiation */
2986 const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi;
2987 const uint64_t usage_limit = session->opt->aead_usage_limit;
2988
2989 if (aead_usage_limit_reached(usage_limit, &key_ctx_bi->encrypt,
2993 {
2994 return true;
2995 }
2996
2998 {
2999 return true;
3000 }
3001
3002 return false;
3003}
3004/*
3005 * This is the primary routine for processing TLS stuff inside the
3006 * the main event loop. When this routine exits
3007 * with non-error status, it will set *wakeup to the number of seconds
3008 * when it wants to be called again.
3009 *
3010 * Return value is true if we have placed a packet in *to_link which we
3011 * want to send to our peer.
3012 */
3013static bool
3014tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
3015 struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
3016 interval_t *wakeup)
3017{
3018 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
3019 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
3020
3021 /* Make sure we were initialized and that we're not in an error state */
3022 ASSERT(ks->state != S_UNDEF);
3023 ASSERT(ks->state != S_ERROR);
3024 ASSERT(session_id_defined(&session->session_id));
3025
3026 /* Should we trigger a soft reset? -- new key, keeps old key for a while */
3028 {
3030 "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format
3031 "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64
3032 "/%" PRIu64,
3033 (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes,
3034 session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets,
3036 session->opt->aead_usage_limit,
3038 session->opt->aead_usage_limit);
3040 }
3041
3042 /* Kill lame duck key transition_window seconds after primary key negotiation */
3043 if (lame_duck_must_die(session, wakeup))
3044 {
3045 key_state_free(ks_lame, true);
3046 msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
3047 }
3048
3049 bool continue_tls_process = true;
3050 while (continue_tls_process)
3051 {
3052 update_time();
3053
3054 dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
3055 continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len,
3056 *wakeup);
3057 continue_tls_process =
3058 tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup);
3059
3060 if (ks->state == S_ERROR)
3061 {
3062 return false;
3063 }
3064 }
3065
3066 update_time();
3067
3068 /* We often send acks back to back to a following control packet. This
3069 * normally does not create a problem (apart from an extra packet).
3070 * However, with the P_CONTROL_WKC_V1 we need to ensure that the packet
3071 * gets resent if not received by remote, so instead we use an empty
3072 * control packet in this special case */
3073
3074 /* Send 1 or more ACKs (each received control packet gets one ACK) */
3075 if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3076 {
3078 {
3080 if (!buf)
3081 {
3082 return false;
3083 }
3084
3085 /* We do not write anything to the buffer, this way this will be
3086 * an empty control packet that gets the ack piggybacked and
3087 * also appended the wrapped client key since it has a WCK opcode */
3089 }
3090 else
3091 {
3092 struct buffer buf = ks->ack_write_buf;
3093 ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
3094 write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false);
3095 *to_link = buf;
3096 dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3097 }
3098 }
3099
3100 /* When should we wake up again? */
3101 if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3102 {
3104
3105 if (ks->must_negotiate)
3106 {
3108 }
3109 }
3110
3111 if (ks->established && session->opt->renegotiate_seconds)
3112 {
3113 compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now);
3114 }
3115
3116 dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3117
3118 /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3119 if (*wakeup <= 0)
3120 {
3121 *wakeup = 1;
3122
3123 /* if we had something to send to remote, but to_link was busy,
3124 * let caller know we need to be called again soon */
3125 return true;
3126 }
3127
3128 /* If any of the state changes resulted in the to_link buffer being
3129 * set, we are also active */
3130 if (to_link->len)
3131 {
3132 return true;
3133 }
3134
3135 return false;
3136}
3137
3138
3146static void
3148{
3149 uint8_t *dataptr = to_link->data;
3150 if (!dataptr)
3151 {
3152 return;
3153 }
3154
3155 /* Checks buffers in tls_wrap */
3156 if (session->tls_wrap.work.data == dataptr)
3157 {
3158 msg(M_INFO, "Warning buffer of freed TLS session is "
3159 "still in use (tls_wrap.work.data)");
3160 goto used;
3161 }
3162
3163 for (int i = 0; i < KS_SIZE; i++)
3164 {
3165 struct key_state *ks = &session->key[i];
3166 if (ks->state == S_UNDEF)
3167 {
3168 continue;
3169 }
3170
3171 /* we don't expect send_reliable to be NULL when state is
3172 * not S_UNDEF, but people have reported crashes nonetheless,
3173 * therefore we better catch this event, report and exit.
3174 */
3175 if (!ks->send_reliable)
3176 {
3177 msg(M_FATAL,
3178 "ERROR: session->key[%d]->send_reliable is NULL "
3179 "while key state is %s. Exiting.",
3180 i, state_name(ks->state));
3181 }
3182
3183 for (int j = 0; j < ks->send_reliable->size; j++)
3184 {
3185 if (ks->send_reliable->array[j].buf.data == dataptr)
3186 {
3187 msg(M_INFO,
3188 "Warning buffer of freed TLS session is still in"
3189 " use (session->key[%d].send_reliable->array[%d])",
3190 i, j);
3191
3192 goto used;
3193 }
3194 }
3195 }
3196 return;
3197
3198used:
3199 to_link->len = 0;
3200 to_link->data = 0;
3201 /* for debugging, you can add an ASSERT(0); here to trigger an abort */
3202}
3203/*
3204 * Called by the top-level event loop.
3205 *
3206 * Basically decides if we should call tls_process for
3207 * the active or untrusted sessions.
3208 */
3209
3210int
3211tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
3212 struct link_socket_actual **to_link_addr,
3213 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
3214{
3215 struct gc_arena gc = gc_new();
3216 int active = TLSMP_INACTIVE;
3217 bool error = false;
3218
3220
3222
3223 /*
3224 * Process each session object having state of S_INITIAL or greater,
3225 * and which has a defined remote IP addr.
3226 */
3227
3228 for (int i = 0; i < TM_SIZE; ++i)
3229 {
3230 struct tls_session *session = &multi->session[i];
3231 struct key_state *ks = &session->key[KS_PRIMARY];
3232 struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3233
3234 /* set initial remote address. This triggers connecting with that
3235 * session. So we only do that if the TM_ACTIVE session is not
3236 * established */
3237 if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL
3238 && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3239 {
3240 ks->remote_addr = to_link_socket_info->lsa->actual;
3241 }
3242
3244 "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i,
3245 state_name(ks->state), session_id_print(&session->session_id, &gc),
3248
3249 if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3251 {
3252 struct link_socket_actual *tla = NULL;
3253
3254 update_time();
3255
3256 if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup))
3257 {
3258 active = TLSMP_ACTIVE;
3259 }
3260
3261 /*
3262 * If tls_process produced an outgoing packet,
3263 * return the link_socket_actual object (which
3264 * contains the outgoing address).
3265 */
3266 if (tla)
3267 {
3268 multi->to_link_addr = *tla;
3269 *to_link_addr = &multi->to_link_addr;
3270 }
3271
3272 /*
3273 * If tls_process hits an error:
3274 * (1) If the session has an unexpired lame duck key, preserve it.
3275 * (2) Reinitialize the session.
3276 * (3) Increment soft error count
3277 */
3278 if (ks->state == S_ERROR)
3279 {
3280 ++multi->n_soft_errors;
3281
3282 if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
3283 {
3284 error = true;
3285 }
3286
3287 if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS
3288 && !multi->opt.single_session)
3289 {
3290 move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3291 }
3292 else
3293 {
3295 reset_session(multi, session);
3296 }
3297 }
3298 }
3299 }
3300
3301 update_time();
3302
3304
3305 /* If we have successfully authenticated and are still waiting for the authentication to finish
3306 * move the state machine for the multi context forward */
3307
3308 if (multi->multi_state >= CAS_CONNECT_DONE)
3309 {
3310 /* Only generate keys for the TM_ACTIVE session. We defer generating
3311 * keys for TM_INITIAL until we actually trust it.
3312 * For TM_LAME_DUCK it makes no sense to generate new keys. */
3313 struct tls_session *session = &multi->session[TM_ACTIVE];
3314 struct key_state *ks = &session->key[KS_PRIMARY];
3315
3316 if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3317 {
3318 /* Session is now fully authenticated.
3319 * tls_session_generate_data_channel_keys will move ks->state
3320 * from S_ACTIVE to S_GENERATED_KEYS */
3322 {
3323 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3326 ks->state = S_ERROR_PRE;
3327 }
3328
3329 /* Update auth token on the client if needed on renegotiation
3330 * (key id !=0) */
3331 if (session->key[KS_PRIMARY].key_id != 0)
3332 {
3334 }
3335 }
3336 }
3337
3339 {
3340 multi->multi_state = CAS_PENDING;
3341 }
3342
3343 /*
3344 * If lame duck session expires, kill it.
3345 */
3346 if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3347 {
3348 tls_session_free(&multi->session[TM_LAME_DUCK], true);
3349 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3350 }
3351
3352 /*
3353 * If untrusted session achieves TLS authentication,
3354 * move it to active session, usurping any prior session.
3355 *
3356 * A semi-trusted session is one in which the certificate authentication
3357 * succeeded (if cert verification is enabled) but the username/password
3358 * verification failed. A semi-trusted session can forward data on the
3359 * TLS control channel but not on the tunnel channel.
3360 */
3361 if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
3362 {
3363 move_session(multi, TM_ACTIVE, TM_INITIAL, true);
3364 tas = tls_authentication_status(multi);
3366 "TLS: tls_multi_process: initial untrusted "
3367 "session promoted to %strusted",
3368 tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3369
3370 if (multi->multi_state == CAS_CONNECT_DONE)
3371 {
3373 active = TLSMP_RECONNECT;
3374 }
3375 }
3376
3377 /*
3378 * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3379 * other key state objects are S_ACTIVE or higher.
3380 */
3381 if (error)
3382 {
3383 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3384 {
3385 if (get_key_scan(multi, i)->state >= S_ACTIVE)
3386 {
3387 goto nohard;
3388 }
3389 }
3390 ++multi->n_hard_errors;
3391 }
3392nohard:
3393
3394#ifdef ENABLE_DEBUG
3395 /* DEBUGGING -- flood peer with repeating connection attempts */
3396 {
3397 const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3398 if (throw_level)
3399 {
3400 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3401 {
3402 if (get_key_scan(multi, i)->state >= throw_level)
3403 {
3404 ++multi->n_hard_errors;
3405 ++multi->n_soft_errors;
3406 }
3407 }
3408 }
3409 }
3410#endif
3411
3412 perf_pop();
3413 gc_free(&gc);
3414
3415 return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3416}
3417
3422static void
3424 int key_id)
3425{
3426 struct gc_arena gc = gc_new();
3427 const char *source = print_link_socket_actual(from, &gc);
3428
3429
3430 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3431 {
3432 struct key_state *ks = get_key_scan(multi, i);
3433 if (ks->key_id != key_id)
3434 {
3435 continue;
3436 }
3437
3438 /* Our key state has been progressed far enough to be part of a valid
3439 * session but has not generated keys. */
3440 if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
3441 {
3442 msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source,
3443 key_id);
3444 gc_free(&gc);
3445 return;
3446 }
3447 if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
3448 {
3449 msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id,
3450 (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
3451 gc_free(&gc);
3452 return;
3453 }
3454 }
3455
3457 "TLS Error: local/remote TLS keys are out of sync: %s "
3458 "(received key id: %d, known key ids: %s)",
3459 source, key_id, print_key_id(multi, &gc));
3460 gc_free(&gc);
3461}
3462
3470static inline void
3472 struct buffer *buf, struct crypto_options **opt, bool floated,
3473 const uint8_t **ad_start)
3474{
3475 struct gc_arena gc = gc_new();
3476
3477 uint8_t c = *BPTR(buf);
3478 int op = c >> P_OPCODE_SHIFT;
3479 int key_id = c & P_KEY_ID_MASK;
3480
3481 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3482 {
3483 struct key_state *ks = get_key_scan(multi, i);
3484
3485 /*
3486 * This is the basic test of TLS state compatibility between a local OpenVPN
3487 * instance and its remote peer.
3488 *
3489 * If the test fails, it tells us that we are getting a packet from a source
3490 * which claims reference to a prior negotiated TLS session, but the local
3491 * OpenVPN instance has no memory of such a negotiation.
3492 *
3493 * It almost always occurs on UDP sessions when the passive side of the
3494 * connection is restarted without the active side restarting as well (the
3495 * passive side is the server which only listens for the connections, the
3496 * active side is the client which initiates connections).
3497 */
3498 if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3499 && ks->authenticated == KS_AUTH_TRUE
3500 && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3501 {
3503 /* return appropriate data channel decrypt key in opt */
3504 *opt = &ks->crypto_options;
3505 if (op == P_DATA_V2)
3506 {
3507 *ad_start = BPTR(buf);
3508 }
3509 ASSERT(buf_advance(buf, 1));
3510 if (op == P_DATA_V1)
3511 {
3512 *ad_start = BPTR(buf);
3513 }
3514 else if (op == P_DATA_V2)
3515 {
3516 if (buf->len < 4)
3517 {
3519 "Protocol error: received P_DATA_V2 from %s but length is < 4",
3521 ++multi->n_soft_errors;
3522 goto done;
3523 }
3524 ASSERT(buf_advance(buf, 3));
3525 }
3526
3527 ++ks->n_packets;
3528 ks->n_bytes += buf->len;
3529 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id,
3531 gc_free(&gc);
3532 return;
3533 }
3534 }
3535
3537
3538done:
3539 gc_free(&gc);
3541 buf->len = 0;
3542 *opt = NULL;
3543}
3544
3545/*
3546 *
3547 * When we are in TLS mode, this is the first routine which sees
3548 * an incoming packet.
3549 *
3550 * If it's a data packet, we set opt so that our caller can
3551 * decrypt it. We also give our caller the appropriate decryption key.
3552 *
3553 * If it's a control packet, we authenticate it and process it,
3554 * possibly creating a new tls_session if it represents the
3555 * first packet of a new session. For control packets, we will
3556 * also zero the size of *buf so that our caller ignores the
3557 * packet on our return.
3558 *
3559 * Note that openvpn only allows one active session at a time,
3560 * so a new session (once authenticated) will always usurp
3561 * an old session.
3562 *
3563 * Return true if input was an authenticated control channel
3564 * packet.
3565 *
3566 * If we are running in TLS thread mode, all public routines
3567 * below this point must be called with the L_TLS lock held.
3568 */
3569
3570bool
3571tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf,
3572 struct crypto_options **opt, bool floated, const uint8_t **ad_start)
3573{
3574 if (buf->len <= 0)
3575 {
3576 buf->len = 0;
3577 *opt = NULL;
3578 return false;
3579 }
3580
3581 struct gc_arena gc = gc_new();
3582 bool ret = false;
3583
3584 /* get opcode */
3585 uint8_t pkt_firstbyte = *BPTR(buf);
3586 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3587
3588 if ((op == P_DATA_V1) || (op == P_DATA_V2))
3589 {
3590 handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3591 return false;
3592 }
3593
3594 /* get key_id */
3595 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3596
3597 /* control channel packet */
3598 bool do_burst = false;
3599 bool new_link = false;
3600 struct session_id sid; /* remote session ID */
3601
3602 /* verify legal opcode */
3603 if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3604 {
3606 {
3607 msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3608 }
3609 msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
3610 print_link_socket_actual(from, &gc), op);
3611 goto error;
3612 }
3613
3614 /* hard reset ? */
3615 if (is_hard_reset_method2(op))
3616 {
3617 /* verify client -> server or server -> client connection */
3619 && !multi->opt.server)
3620 || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3621 {
3623 "TLS Error: client->client or server->server connection attempted from %s",
3625 goto error;
3626 }
3627 }
3628
3629 /*
3630 * Authenticate Packet
3631 */
3632 dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op),
3634
3635 /* get remote session-id */
3636 {
3637 struct buffer tmp = *buf;
3638 buf_advance(&tmp, 1);
3640 {
3641 msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
3643 goto error;
3644 }
3645 }
3646
3647 int i;
3648 /* use session ID to match up packet with appropriate tls_session object */
3649 for (i = 0; i < TM_SIZE; ++i)
3650 {
3651 struct tls_session *session = &multi->session[i];
3652 struct key_state *ks = &session->key[KS_PRIMARY];
3653
3654 dmsg(
3656 "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3657 i, state_name(ks->state), session_id_print(&session->session_id, &gc),
3661
3662 if (session_id_equal(&ks->session_id_remote, &sid))
3663 /* found a match */
3664 {
3665 if (i == TM_LAME_DUCK)
3666 {
3667 msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s",
3668 session_id_print(&sid, &gc));
3669 goto error;
3670 }
3671 dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i,
3672 session_id_print(&sid, &gc));
3673 break;
3674 }
3675 }
3676
3677 /*
3678 * Hard reset and session id does not match any session in
3679 * multi->session: Possible initial packet. New sessions always start
3680 * as TM_INITIAL
3681 */
3682 if (i == TM_SIZE && is_hard_reset_method2(op))
3683 {
3684 /*
3685 * No match with existing sessions,
3686 * probably a new session.
3687 */
3688 struct tls_session *session = &multi->session[TM_INITIAL];
3689
3690 /*
3691 * If --single-session, don't allow any hard-reset connection request
3692 * unless it is the first packet of the session.
3693 */
3694 if (multi->opt.single_session && multi->n_sessions)
3695 {
3697 "TLS Error: Cannot accept new session request from %s due "
3698 "to session context expire or --single-session",
3700 goto error;
3701 }
3702
3704 true))
3705 {
3706 goto error;
3707 }
3708
3709#ifdef ENABLE_MANAGEMENT
3710 if (management)
3711 {
3712 management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL);
3713 }
3714#endif
3715
3716 /*
3717 * New session-initiating control packet is authenticated at this point,
3718 * assuming that the --tls-auth command line option was used.
3719 *
3720 * Without --tls-auth, we leave authentication entirely up to TLS.
3721 */
3722 msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
3724
3725 do_burst = true;
3726 new_link = true;
3727 i = TM_INITIAL;
3728 session->untrusted_addr = *from;
3729 }
3730 else
3731 {
3732 struct tls_session *session = &multi->session[i];
3733 struct key_state *ks = &session->key[KS_PRIMARY];
3734
3735 /*
3736 * Packet must belong to an existing session.
3737 */
3738 if (i != TM_ACTIVE && i != TM_INITIAL)
3739 {
3740 msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3742 goto error;
3743 }
3744
3745 /*
3746 * Verify remote IP address
3747 */
3748 if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3749 {
3750 msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3752 goto error;
3753 }
3754
3755 /*
3756 * Remote is requesting a key renegotiation. We only allow renegotiation
3757 * when the previous session is fully established to avoid weird corner
3758 * cases.
3759 */
3761 {
3763 session->opt, false))
3764 {
3765 goto error;
3766 }
3767
3769
3770 dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
3771 session_id_print(&sid, &gc));
3772 }
3773 else
3774 {
3775 bool initial_packet = false;
3776 if (ks->state == S_PRE_START_SKIP)
3777 {
3778 /* When we are coming from the session_skip_to_pre_start
3779 * method, we allow this initial packet to setup the
3780 * tls-crypt-v2 peer specific key */
3781 initial_packet = true;
3782 ks->state = S_PRE_START;
3783 }
3784 /*
3785 * Remote responding to our key renegotiation request?
3786 */
3787 if (op == P_CONTROL_SOFT_RESET_V1)
3788 {
3789 do_burst = true;
3790 }
3791
3793 session->opt, initial_packet))
3794 {
3795 /* if an initial packet in read_control_auth, we rather
3796 * error out than anything else */
3797 if (initial_packet)
3798 {
3799 multi->n_hard_errors++;
3800 }
3801 goto error;
3802 }
3803
3804 dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i,
3805 session_id_print(&sid, &gc));
3806 }
3807 }
3808
3809 /*
3810 * We have an authenticated control channel packet (if --tls-auth/tls-crypt
3811 * or tls-crypt-v2 was set).
3812 * Now pass to our reliability layer which deals with
3813 * packet acknowledgements, retransmits, sequencing, etc.
3814 */
3815 struct tls_session *session = &multi->session[i];
3816 struct key_state *ks = &session->key[KS_PRIMARY];
3817
3818 /* Make sure we were initialized and that we're not in an error state */
3819 ASSERT(ks->state != S_UNDEF);
3820 ASSERT(ks->state != S_ERROR);
3821 ASSERT(session_id_defined(&session->session_id));
3822
3823 /* Let our caller know we processed a control channel packet */
3824 ret = true;
3825
3826 /*
3827 * Set our remote address and remote session_id
3828 */
3829 if (new_link)
3830 {
3831 ks->session_id_remote = sid;
3832 ks->remote_addr = *from;
3833 ++multi->n_sessions;
3834 }
3835 else if (!link_socket_actual_match(&ks->remote_addr, from))
3836 {
3838 "TLS Error: Existing session control channel packet from unknown IP address: %s",
3840 goto error;
3841 }
3842
3843 /*
3844 * Should we do a retransmit of all unacknowledged packets in
3845 * the send buffer? This improves the start-up efficiency of the
3846 * initial key negotiation after the 2nd peer comes online.
3847 */
3848 if (do_burst && !session->burst)
3849 {
3851 session->burst = true;
3852 }
3853
3854 /* Check key_id */
3855 if (ks->key_id != key_id)
3856 {
3857 msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id,
3858 key_id, print_key_id(multi, &gc));
3859 goto error;
3860 }
3861
3862 /*
3863 * Process incoming ACKs for packets we can now
3864 * delete from reliable send buffer
3865 */
3866 {
3867 /* buffers all packet IDs to delete from send_reliable */
3868 struct reliable_ack send_ack;
3869
3870 if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3871 {
3872 msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet");
3873 goto error;
3874 }
3876 }
3877
3878 if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3879 {
3880 packet_id_type id;
3881
3882 /* Extract the packet ID from the packet */
3883 if (reliable_ack_read_packet_id(buf, &id))
3884 {
3885 /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3887 {
3888 if (reliable_not_replay(ks->rec_reliable, id))
3889 {
3890 /* Save incoming ciphertext packet to reliable buffer */
3891 struct buffer *in = reliable_get_buf(ks->rec_reliable);
3892 ASSERT(in);
3893 if (!buf_copy(in, buf))
3894 {
3895 msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping.");
3896 goto error;
3897 }
3899 }
3900
3901 /* Process outgoing acknowledgment for packet just received, even if it's a replay
3902 */
3904 }
3905 }
3906 }
3907 /* Remember that we received a valid control channel packet */
3908 ks->peer_last_packet = now;
3909
3910done:
3911 buf->len = 0;
3912 *opt = NULL;
3913 gc_free(&gc);
3914 return ret;
3915
3916error:
3917 ++multi->n_soft_errors;
3919 goto done;
3920}
3921
3922
3923struct key_state *
3925{
3926 struct key_state *ks_select = NULL;
3927 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3928 {
3929 struct key_state *ks = get_key_scan(multi, i);
3930 if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
3931 {
3933
3934 if (!ks_select)
3935 {
3936 ks_select = ks;
3937 }
3938 if (now >= ks->auth_deferred_expire)
3939 {
3940 ks_select = ks;
3941 break;
3942 }
3943 }
3944 }
3945 return ks_select;
3946}
3947
3948
3949/* Choose the key with which to encrypt a data packet */
3950void
3951tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
3952{
3953 multi->save_ks = NULL;
3954 if (buf->len <= 0)
3955 {
3956 buf->len = 0;
3957 *opt = NULL;
3958 return;
3959 }
3960
3961 struct key_state *ks_select = tls_select_encryption_key(multi);
3962
3963 if (ks_select)
3964 {
3965 *opt = &ks_select->crypto_options;
3966 multi->save_ks = ks_select;
3967 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3968 return;
3969 }
3970 else
3971 {
3972 struct gc_arena gc = gc_new();
3973 dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3974 print_key_id(multi, &gc));
3975 gc_free(&gc);
3976
3977 *opt = NULL;
3978 buf->len = 0;
3979 }
3980}
3981
3982void
3983tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3984{
3985 struct key_state *ks = multi->save_ks;
3986 uint8_t op;
3987
3988 msg(D_TLS_DEBUG, __func__);
3989
3990 ASSERT(ks);
3991
3992 op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
3993 ASSERT(buf_write_prepend(buf, &op, 1));
3994}
3995
3996#if defined(__GNUC__) || defined(__clang__)
3997#pragma GCC diagnostic pop
3998#endif
3999
4000void
4001tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
4002{
4003 struct key_state *ks = multi->save_ks;
4004 uint32_t peer;
4005
4006 msg(D_TLS_DEBUG, __func__);
4007
4008 ASSERT(ks);
4009
4010 peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF));
4011 ASSERT(buf_write_prepend(buf, &peer, 4));
4012}
4013
4014void
4015tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
4016{
4017 struct key_state *ks = multi->save_ks;
4018 multi->save_ks = NULL;
4019
4020 if (buf->len > 0)
4021 {
4022 ASSERT(ks);
4023
4024 ++ks->n_packets;
4025 ks->n_bytes += buf->len;
4026 }
4027}
4028
4029/*
4030 * Send a payload over the TLS control channel.
4031 * Called externally.
4032 */
4033
4034bool
4035tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
4036{
4037 bool ret = false;
4038
4040
4041 ASSERT(ks);
4042
4043 if (ks->state >= S_ACTIVE)
4044 {
4045 if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
4046 {
4047 ret = true;
4048 }
4049 }
4050 else
4051 {
4052 if (!ks->paybuf)
4053 {
4054 ks->paybuf = buffer_list_new();
4055 }
4056 buffer_list_push_data(ks->paybuf, data, (size_t)size);
4057 ret = true;
4058 }
4059
4060
4062
4063 return ret;
4064}
4065
4066bool
4067tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
4068{
4069 bool ret = false;
4070
4072
4073 ASSERT(multi);
4074
4075 struct key_state *ks = get_key_scan(multi, 0);
4076
4077 if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4078 {
4079 if (buf_copy(buf, &ks->plaintext_read_buf))
4080 {
4081 ret = true;
4082 }
4083 ks->plaintext_read_buf.len = 0;
4084 }
4085
4087
4088 return ret;
4089}
4090
4091void
4092tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4093{
4094 struct gc_arena gc = gc_new();
4095 for (int i = 0; i < TM_SIZE; ++i)
4096 {
4097 struct tls_session *session = &multi->session[i];
4098
4099 for (int j = 0; j < KS_SIZE; ++j)
4100 {
4101 struct key_state *ks = &session->key[j];
4102
4105 {
4106 continue;
4107 }
4108
4109 dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4112
4113 ks->remote_addr = *addr;
4114 }
4115 }
4116 gc_free(&gc);
4117}
4118
4119void
4120show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
4121 const char *tls_cert_profile)
4122{
4123 printf("Available TLS Ciphers, listed in order of preference:\n");
4124
4126 {
4127 printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4128 show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4129 }
4130
4131 printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4132 show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4133
4134 printf("\n"
4135 "Be aware that that whether a cipher suite in this list can actually work\n"
4136 "depends on the specific setup of both peers. See the man page entries of\n"
4137 "--tls-cipher and --show-tls for more details.\n\n");
4138}
4139
4140/*
4141 * Dump a human-readable rendition of an openvpn packet
4142 * into a garbage collectable string which is returned.
4143 */
4144const char *
4145protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4146{
4147 struct buffer out = alloc_buf_gc(256, gc);
4148 struct buffer buf = *buffer;
4149
4150 uint8_t c;
4151 int op;
4152 int key_id;
4153
4155
4156 if (buf.len <= 0)
4157 {
4158 buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4159 goto done;
4160 }
4161
4162 if (!(flags & PD_TLS))
4163 {
4164 goto print_data;
4165 }
4166
4167 /*
4168 * Initial byte (opcode)
4169 */
4170 if (!buf_read(&buf, &c, sizeof(c)))
4171 {
4172 goto done;
4173 }
4174 op = (c >> P_OPCODE_SHIFT);
4175 key_id = c & P_KEY_ID_MASK;
4176 buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4177
4178 if ((op == P_DATA_V1) || (op == P_DATA_V2))
4179 {
4180 goto print_data;
4181 }
4182
4183 /*
4184 * Session ID
4185 */
4186 {
4187 struct session_id sid;
4188
4189 if (!session_id_read(&sid, &buf))
4190 {
4191 goto done;
4192 }
4193 if (flags & PD_VERBOSE)
4194 {
4195 buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4196 }
4197 }
4198
4199 /*
4200 * tls-auth hmac + packet_id
4201 */
4202 if (tls_auth_hmac_size)
4203 {
4204 struct packet_id_net pin;
4205 uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4206
4207 ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4208
4209 if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4210 {
4211 goto done;
4212 }
4213 if (flags & PD_VERBOSE)
4214 {
4215 buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4216 }
4217
4218 if (!packet_id_read(&pin, &buf, true))
4219 {
4220 goto done;
4221 }
4222 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4223 }
4224 /*
4225 * packet_id + tls-crypt hmac
4226 */
4227 if (flags & PD_TLS_CRYPT)
4228 {
4229 struct packet_id_net pin;
4230 uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
4231
4232 if (!packet_id_read(&pin, &buf, true))
4233 {
4234 goto done;
4235 }
4236 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4237 if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
4238 {
4239 goto done;
4240 }
4241 if (flags & PD_VERBOSE)
4242 {
4243 buf_printf(&out, " tls_crypt_hmac=%s",
4244 format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
4245 }
4246 /*
4247 * Remainder is encrypted and optional wKc
4248 */
4249 goto done;
4250 }
4251
4252 /*
4253 * ACK list
4254 */
4255 buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4256
4257 if (op == P_ACK_V1)
4258 {
4259 goto print_data;
4260 }
4261
4262 /*
4263 * Packet ID
4264 */
4265 {
4267 if (!buf_read(&buf, &l, sizeof(l)))
4268 {
4269 goto done;
4270 }
4271 l = ntohpid(l);
4273 }
4274
4275print_data:
4276 if (flags & PD_SHOW_DATA)
4277 {
4278 buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4279 }
4280 else
4281 {
4282 buf_printf(&out, " DATA len=%d", buf.len);
4283 }
4284
4285done:
4286 return BSTR(&out);
4287}
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:395
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:454
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition buffer.c:1203
void free_buf(struct buffer *buf)
Definition buffer.c:184
void buf_clear(struct buffer *buf)
Definition buffer.c:163
void buffer_list_pop(struct buffer_list *ol)
Definition buffer.c:1294
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1149
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1230
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1158
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:690
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition buffer.h:503
#define BSTR(buf)
Definition buffer.h:128
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
#define BPTR(buf)
Definition buffer.h:123
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:697
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:672
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:787
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:710
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1064
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:762
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1079
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:774
#define BLEN(buf)
Definition buffer.h:126
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
static void check_malloc_return(void *p)
Definition buffer.h:1085
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1042
#define buf_init(buf, offset)
Definition buffer.h:209
static struct gc_arena gc_new(void)
Definition buffer.h:1007
int interval_t
Definition common.h:35
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:68
#define counter_format
Definition common.h:30
#define TLS_CHANNEL_MTU_MIN
Definition common.h:81
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
#define PACKAGE_VERSION
Definition config.h:504
#define ENABLE_MANAGEMENT
Definition config.h:53
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1099
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Prints the keys in a key2 structure.
Definition crypto.c:1179
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:874
bool check_key(struct key *key, const struct key_type *kt)
Definition crypto.c:1125
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:343
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1061
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1673
#define KEY_DIRECTION_NORMAL
Definition crypto.h:232
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:345
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:357
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:373
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:348
#define CO_RESEND_WKC
Bit-flag indicating that the client is expected to resend the wrapped client key with the 2nd packet ...
Definition crypto.h:361
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:377
static bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
Check if the number of failed decryption is approaching the limit and we should try to move to a new ...
Definition crypto.h:722
#define KEY_DIRECTION_INVERSE
Definition crypto.h:233
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
Definition crypto.h:751
bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, uint8_t *output, size_t output_len)
Calculates the TLS 1.0-1.1 PRF function.
void crypto_uninit_lib(void)
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
void crypto_init_lib(void)
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
int hmac_ctx_size(hmac_ctx_t *ctx)
bool cipher_kt_insecure(const char *ciphername)
Returns true if we consider this cipher to be insecure.
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
#define MAX_HMAC_KEY_LENGTH
#define OPENVPN_MAX_HMAC_SIZE
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:343
void * dco_context_t
Definition dco.h:261
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:323
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
#define D_PUSH
Definition errlevel.h:82
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
#define D_DCO
Definition errlevel.h:93
#define D_SHOW_KEYS
Definition errlevel.h:120
#define D_MULTI_DROPPED
Definition errlevel.h:100
#define D_HANDSHAKE
Definition errlevel.h:71
#define D_SHOW_KEY_SOURCE
Definition errlevel.h:121
#define D_TLS_KEYSELECT
Definition errlevel.h:145
#define D_MTU_INFO
Definition errlevel.h:104
#define D_TLS_ERRORS
Definition errlevel.h:58
#define M_INFO
Definition errlevel.h:54
#define D_TLS_DEBUG
Definition errlevel.h:164
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:100
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1198
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:546
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:469
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition ssl.c:909
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition ssl.c:1057
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1250
#define S_ERROR_PRE
Error state but try to send out alerts before killing the keystore and moving it to S_ERROR.
Definition ssl_common.h:79
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
#define S_PRE_START_SKIP
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:87
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition ssl_common.h:82
#define S_START
Three-way handshake is complete, start of key exchange.
Definition ssl_common.h:93
#define S_GOT_KEY
Local OpenVPN process has received the remote's part of the key material.
Definition ssl_common.h:97
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:90
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1169
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1184
#define TM_LAME_DUCK
Old tls_session.
Definition ssl_common.h:549
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition ssl.c:986
#define TM_SIZE
Size of the tls_multi.session \ array.
Definition ssl_common.h:550
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1223
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
#define KS_LAME_DUCK
Key state index that will retire \ soon.
Definition ssl_common.h:466
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition ssl_common.h:95
#define S_ERROR
Error state.
Definition ssl_common.h:78
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake.
Definition ssl_common.h:84
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition ssl.c:824
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1239
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4015
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3924
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition ssl_verify.h:113
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3983
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3951
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4001
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3571
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition reliable.c:364
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition reliable.c:144
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition reliable.c:562
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition reliable.c:675
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:109
static int reliable_ack_outstanding(struct reliable_ack *ack)
Returns the number of packets that need to be acked.
Definition reliable.h:189
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition reliable.c:736
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition reliable.c:769
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition reliable.c:305
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition reliable.c:127
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition reliable.h:526
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition reliable.c:454
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition reliable.c:395
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition reliable.c:518
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition reliable.c:638
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition reliable.c:612
bool reliable_empty(const struct reliable *rel)
Check whether a reliable structure is empty.
Definition reliable.c:380
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID is not a replay.
Definition reliable.c:472
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs \ waiting to be acknowledged which can \ be stored in one reliable_a...
Definition reliable.h:43
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition reliable.c:698
struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition reliable.c:597
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition reliable.c:348
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf)
Remove an entry from a reliable structure.
Definition reliable.c:796
int reliable_get_num_output_sequenced_available(struct reliable *rel)
Counts the number of free buffers in output that can be potentially used for sending.
Definition reliable.c:533
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID can safely be stored in the reliable structure's processing window.
Definition reliable.c:499
#define ACK_SIZE(n)
Definition reliable.h:70
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition reliable.h:176
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:88
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:95
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:54
static int min_int(int x, int y)
Definition integer.h:105
static int max_int(int x, int y)
Definition integer.h:92
static SERVICE_STATUS status
Definition interactive.c:51
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3812
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2796
#define MF_EXTERNAL_KEY
Definition manage.h:36
#define OPENVPN_STATE_AUTH
Definition manage.h:458
#define OPENVPN_STATE_WAIT
Definition manage.h:457
#define MF_EXTERNAL_CERT
Definition manage.h:42
static bool management_enable_def_auth(const struct management *man)
Definition manage.h:438
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
void unprotect_user_pass(struct user_pass *up)
Decrypt username and password buffers in user_pass.
Definition misc.c:812
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.c:201
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:474
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition misc.c:520
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition misc.c:759
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:781
void protect_user_pass(struct user_pass *up)
Encrypt username and password buffers in user_pass.
Definition misc.c:792
void set_auth_token(struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition misc.c:500
#define USER_PASS_LEN
Definition misc.h:64
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:125
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:112
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:120
#define GET_USER_PASS_INLINE_CREDS
indicates that auth_file is actually inline creds
Definition misc.h:123
#define GET_USER_PASS_STATIC_CHALLENGE
SCRV1 protocol – static challenge.
Definition misc.h:119
#define SC_CONCAT
Definition misc.h:92
#define SC_ECHO
Definition misc.h:91
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
#define GET_USER_PASS_DYNAMIC_CHALLENGE
CRV1 protocol – dynamic challenge.
Definition misc.h:118
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:331
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
#define BUF_SIZE(f)
Definition mtu.h:178
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
#define OPENVPN_PLUGIN_TLS_FINAL
#define OPENVPN_PLUGIN_FUNC_SUCCESS
#define CLEAR(x)
Definition basic.h:32
static bool check_debug_level(msglvl_t level)
Definition error.h:259
#define M_FATAL
Definition error.h:90
#define dmsg(flags,...)
Definition error.h:172
#define msg(flags,...)
Definition error.h:152
#define ASSERT(x)
Definition error.h:219
#define M_WARN
Definition error.h:92
#define MAX_PEER_ID
Definition openvpn.h:554
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4551
bool key_is_external(const struct options *options)
Definition options.c:6179
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4708
void options_warning(char *actual, const char *expected)
Definition options.c:4557
#define MODE_SERVER
Definition options.h:261
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:936
time_t now
Definition otime.c:33
static void update_time(void)
Definition otime.h:81
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:548
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:319
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition packet_id.c:423
#define packet_id_format
Definition packet_id.h:76
uint64_t packet_id_print_type
Definition packet_id.h:77
uint32_t packet_id_type
Definition packet_id.h:45
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition packet_id.h:328
#define ntohpid(x)
Definition packet_id.h:64
static int packet_id_size(bool long_form)
Definition packet_id.h:322
static void perf_push(int type)
Definition perf.h:77
#define PERF_TLS_MULTI_PROCESS
Definition perf.h:41
static void perf_pop(void)
Definition perf.h:81
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:530
struct _stat platform_stat_t
Definition platform.h:142
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2569
#define RGI_HWADDR_DEFINED
Definition route.h:161
void session_id_random(struct session_id *sid)
Definition session_id.c:48
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition session_id.c:54
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition session_id.h:47
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:53
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:59
#define SID_SIZE
Definition session_id.h:44
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:484
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
static bool link_socket_actual_defined(const struct link_socket_actual *act)
static int datagram_overhead(sa_family_t af, int proto)
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
@ PROTO_UDP
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:391
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:371
static bool generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
Definition ssl.c:1486
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3014
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition ssl.c:954
static int auth_deferred_expire_window(const struct tls_options *o)
Definition ssl.c:2396
static struct user_pass passbuf
Definition ssl.c:255
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition ssl.c:773
#define INCR_GENERATED
Definition ssl.c:93
static struct user_pass auth_token
Definition ssl.c:290
static void init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2)
Definition ssl.c:1345
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition ssl.c:1142
void ssl_set_auth_nocache(void)
Definition ssl.c:346
static const char * ks_auth_name(enum ks_auth_state auth)
Definition ssl.c:732
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1716
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition ssl.c:1086
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Check the keyid of the an incoming data channel packet and return the matching crypto parameters in o...
Definition ssl.c:3471
static void export_user_keying_material(struct tls_session *session)
Definition ssl.c:2178
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:416
#define INCR_SUCCESS
Definition ssl.c:94
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:269
static bool control_packet_needs_wkc(const struct key_state *ks)
Definition ssl.c:2603
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4092
static bool read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
Read incoming ciphertext and passes it to the buffer of the SSL library.
Definition ssl.c:2577
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition ssl.c:4035
static void key_source2_print(const struct key_source2 *k)
Definition ssl.c:1304
static struct user_pass auth_user_pass
Definition ssl.c:289
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition ssl.c:1120
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4067
static bool write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2635
static bool check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2721
static void check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
This is a safe guard function to double check that a buffer from a session is not used in a session t...
Definition ssl.c:3147
static int calc_control_channel_frame_overhead(const struct tls_session *session)
calculate the maximum overhead that control channel frames have This includes header,...
Definition ssl.c:194
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1550
static void flush_payload_buffer(struct key_state *ks)
Definition ssl.c:1748
static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2, bool dco_enabled)
Definition ssl.c:1384
static void print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, int key_id)
We have not found a matching key to decrypt data channel packet, try to generate a sensible error mes...
Definition ssl.c:3423
bool tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Definition ssl.c:1582
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1779
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:521
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:789
static char * read_string_alloc(struct buffer *buf)
Definition ssl.c:1847
static bool should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
Determines if a renegotiation should be triggerred based on the various factors that can trigger one.
Definition ssl.c:2931
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:430
static int read_string(struct buffer *buf, char *str, const unsigned int capacity)
Read a string that is encoded as a 2 byte header with the length from the buffer buf.
Definition ssl.c:1828
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2503
static const char * session_index_name(int index)
Definition ssl.c:751
static void session_move_active(struct tls_multi *multi, struct tls_session *session, struct link_socket_info *to_link_socket_info, struct key_state *ks)
Moves the key to state to S_ACTIVE and also advances the multi_state state machine if this is the ini...
Definition ssl.c:2460
static uint64_t tls_get_limit_aead(const char *ciphername)
Definition ssl.c:121
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition ssl.c:1670
void ssl_set_auth_token(const char *token)
Definition ssl.c:365
static bool openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed, size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, size_t output_len)
Definition ssl.c:1311
#define INCR_SENT
Definition ssl.c:92
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3211
static bool tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2740
bool ssl_get_auth_nocache(void)
Definition ssl.c:356
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition ssl.c:2061
void pem_password_setup(const char *auth_file)
Definition ssl.c:258
void init_ssl_lib(void)
Definition ssl.c:235
static void key_source_print(const struct key_source *k, const char *prefix)
Definition ssl.c:1285
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1651
static bool write_empty_string(struct buffer *buf)
Definition ssl.c:1789
static void tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition ssl.c:107
void free_ssl_lib(void)
Definition ssl.c:243
static void key_state_soft_reset(struct tls_session *session)
Definition ssl.c:1764
static bool parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
Parses the TLVs (type, length, value) in the early negotiation.
Definition ssl.c:2528
static bool auth_user_pass_enabled
Definition ssl.c:288
static char * auth_challenge
Definition ssl.c:293
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1685
static const char * state_name(int state)
Definition ssl.c:689
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition ssl.c:1442
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition ssl.c:1109
#define INCR_ERROR
Definition ssl.c:95
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition ssl.c:471
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:303
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition ssl.c:1428
bool ssl_clean_auth_token(void)
Definition ssl.c:380
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1883
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition ssl.c:1799
void enable_auth_user_pass(void)
Definition ssl.c:297
void ssl_purge_auth_challenge(void)
Definition ssl.c:409
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4120
static bool read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup, bool *continue_tls_process)
Definition ssl.c:2610
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext).
Definition ssl.c:2212
static bool session_move_pre_start(const struct tls_session *session, struct key_state *ks, bool skip_initial_send)
Move the session from S_INITIAL to S_PRE_START.
Definition ssl.c:2415
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4145
Control Channel SSL/Data channel negotiation module.
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
#define TLSMP_RECONNECT
Definition ssl.h:232
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:472
#define IV_PROTO_AUTH_FAIL_TEMP
Support for AUTH_FAIL,TEMP messages.
Definition ssl.h:105
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
#define KEY_METHOD_2
Definition ssl.h:122
#define CONTROL_SEND_ACK_MAX
Definition ssl.h:55
#define TLSMP_ACTIVE
Definition ssl.h:230
#define KEY_EXPANSION_ID
Definition ssl.h:49
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
#define PD_TLS_CRYPT
Definition ssl.h:525
#define PD_TLS
Definition ssl.h:523
#define IV_PROTO_PUSH_UPDATE
Supports push-update.
Definition ssl.h:117
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
#define PD_VERBOSE
Definition ssl.h:524
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
#define TLSMP_KILL
Definition ssl.h:231
#define PD_SHOW_DATA
Definition ssl.h:522
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
#define KEY_METHOD_MASK
Definition ssl.h:125
#define IV_PROTO_DNS_OPTION_V2
Supports the –dns option after all the incompatible changes.
Definition ssl.h:114
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition ssl.h:521
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
#define TLSMP_INACTIVE
Definition ssl.h:229
#define TLS_OPTIONS_LEN
Definition ssl.h:69
Control Channel SSL library backend module.
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
void tls_clear_error(void)
Clear the underlying SSL library's error state.
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
#define TLS_VER_BAD
Parse a TLS version specifier.
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
#define TLS_VER_1_0
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
#define EXPORT_KEY_DATA_LABEL
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
#define TLS_VER_1_2
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
#define TLS_VER_1_3
#define TLS_VER_1_1
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
#define KEY_SCAN_SIZE
Definition ssl_common.h:567
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:733
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:427
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:582
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:583
@ CAS_WAITING_OPTIONS_IMPORT
client with pull or p2p waiting for first time options import
Definition ssl_common.h:587
@ CAS_NOT_CONNECTED
Definition ssl_common.h:581
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition ssl_common.h:153
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:157
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:429
#define UP_TYPE_AUTH
Definition ssl_common.h:41
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
#define SSLF_OPT_VERIFY
Definition ssl_common.h:428
bool check_session_cipher(struct tls_session *session, struct options *options)
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition ssl_ncp.c:515
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
Definition ssl_ncp.c:472
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:169
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt, bool initial_packet)
Read a control channel authentication record.
Definition ssl_pkt.c:197
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:323
#define P_DATA_V1
Definition ssl_pkt.h:47
#define P_DATA_V2
Definition ssl_pkt.h:48
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:322
#define P_ACK_V1
Definition ssl_pkt.h:46
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:59
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition ssl_pkt.h:42
#define P_KEY_ID_MASK
Definition ssl_pkt.h:38
#define TLS_RELIABLE_N_REC_BUFFERS
Definition ssl_pkt.h:71
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:241
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:52
#define P_CONTROL_SOFT_RESET_V1
Definition ssl_pkt.h:44
#define P_CONTROL_V1
Definition ssl_pkt.h:45
#define P_LAST_OPCODE
Definition ssl_pkt.h:65
#define EARLY_NEG_START
Definition ssl_pkt.h:315
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition ssl_pkt.h:43
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:292
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition ssl_pkt.h:70
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition ssl_util.c:76
SSL utility functions.
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition ssl_verify.c:962
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition ssl_verify.c:215
Control Channel Verification Module.
tls_auth_status
Definition ssl_verify.h:74
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:75
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:76
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:302
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:384
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:340
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
struct env_item * list
Definition env_set.h:45
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
Definition crypto.h:193
uint16_t epoch
Definition crypto.h:194
Packet geometry parameters.
Definition mtu.h:103
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:124
struct frame::@8 buf
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:241
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
bool initialized
Definition crypto.h:285
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
uint64_t plaintext_blocks
Counter for the number of plaintext block encrypted using this cipher with the current key in number ...
Definition crypto.h:222
Key ordering of the key2.keys array.
Definition crypto.h:259
int in_key
Index into the key2.keys array for the receiving direction.
Definition crypto.h:262
int out_key
Index into the key2.keys array for the sending direction.
Definition crypto.h:260
Container for both halves of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:139
struct key_source client
Random provided by client.
Definition ssl_common.h:140
struct key_source server
Random provided by server.
Definition ssl_common.h:141
Container for one half of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:121
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition ssl_common.h:125
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition ssl_common.h:122
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition ssl_common.h:128
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct buffer_list * paybuf
Holds outgoing message for the control channel until ks->state reaches S_ACTIVE.
Definition ssl_common.h:252
struct crypto_options crypto_options
Definition ssl_common.h:237
struct buffer ack_write_buf
Definition ssl_common.h:243
struct buffer plaintext_read_buf
Definition ssl_common.h:241
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
time_t must_die
Definition ssl_common.h:230
struct buffer plaintext_write_buf
Definition ssl_common.h:242
struct link_socket_actual remote_addr
Definition ssl_common.h:235
time_t established
Definition ssl_common.h:228
struct key_state_ssl ks_ssl
Definition ssl_common.h:225
time_t must_negotiate
Definition ssl_common.h:229
struct reliable_ack * rec_ack
Definition ssl_common.h:247
struct reliable * rec_reliable
Definition ssl_common.h:246
struct session_id session_id_remote
Definition ssl_common.h:234
unsigned int mda_key_id
Definition ssl_common.h:263
struct auth_deferred_status script_auth
Definition ssl_common.h:269
time_t initial
Definition ssl_common.h:227
enum ks_auth_state authenticated
Definition ssl_common.h:259
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
time_t peer_last_packet
Definition ssl_common.h:231
struct reliable * send_reliable
Definition ssl_common.h:245
time_t auth_deferred_expire
Definition ssl_common.h:260
int initial_opcode
Definition ssl_common.h:233
struct reliable_ack * lru_acks
Definition ssl_common.h:248
struct key_source2 * key_src
Definition ssl_common.h:239
counter_type n_bytes
Definition ssl_common.h:253
counter_type n_packets
Definition ssl_common.h:254
const char * cipher
const name of the cipher
Definition crypto.h:142
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
unsigned int imported_protocol_flags
Definition options.h:724
bool crl_file_inline
Definition options.h:620
const char * cryptoapi_cert
Definition options.h:642
bool pkcs12_file_inline
Definition options.h:609
const char * ca_file
Definition options.h:597
unsigned int ssl_flags
Definition options.h:629
const char * authname
Definition options.h:582
bool dh_file_inline
Definition options.h:601
const char * pkcs12_file
Definition options.h:608
const char * tls_groups
Definition options.h:612
const char * tls_cert_profile
Definition options.h:613
unsigned int management_flags
Definition options.h:462
const char * ciphername
Definition options.h:576
bool tls_server
Definition options.h:595
const char * extra_certs_file
Definition options.h:604
bool priv_key_file_inline
Definition options.h:607
const char * crl_file
Definition options.h:619
const char * dh_file
Definition options.h:600
bool ca_file_inline
Definition options.h:598
bool extra_certs_file_inline
Definition options.h:605
const char * cipher_list_tls13
Definition options.h:611
const char * ecdh_curve
Definition options.h:614
const char * cipher_list
Definition options.h:610
const char * management_certificate
Definition options.h:459
const char * chroot_dir
Definition options.h:379
const char * ca_path
Definition options.h:599
int ping_rec_timeout
Definition options.h:351
int ping_send_timeout
Definition options.h:350
const char * priv_key_file
Definition options.h:606
const char * cert_file
Definition options.h:602
bool cert_file_inline
Definition options.h:603
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:191
uint64_t id
Definition packet_id.h:117
uint64_t id
Definition packet_id.h:153
struct packet_id_send send
Definition packet_id.h:200
struct packet_id_rec rec
Definition packet_id.h:201
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:64
The structure in which the reliability layer stores a single incoming or outgoing packet.
Definition reliable.h:77
struct buffer buf
Definition reliable.h:86
int opcode
Definition reliable.h:85
packet_id_type packet_id
Definition reliable.h:81
The reliability layer storage structure for one VPN tunnel's control channel in one direction.
Definition reliable.h:94
struct reliable_entry array[RELIABLE_CAPACITY]
Definition reliable.h:100
int size
Definition reliable.h:95
packet_id_type packet_id
Definition reliable.h:97
uint8_t hwaddr[6]
Definition route.h:177
unsigned int flags
Definition route.h:165
unsigned int flags
Definition misc.h:93
const char * challenge_text
Definition misc.h:95
struct frame frame
Definition ssl_pkt.h:81
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
int n_hard_errors
Definition ssl_common.h:638
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:704
struct link_socket_actual to_link_addr
Definition ssl_common.h:629
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
struct key_state * save_ks
Definition ssl_common.h:623
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:703
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:650
enum multi_status multi_state
Definition ssl_common.h:633
struct tls_options opt
Definition ssl_common.h:617
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:656
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:645
uint32_t peer_id
Definition ssl_common.h:700
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:654
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:631
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
int n_soft_errors
Definition ssl_common.h:639
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:388
unsigned int crypto_flags
Definition ssl_common.h:370
interval_t renegotiate_seconds
Definition ssl_common.h:348
struct frame frame
Definition ssl_common.h:390
const char * remote_options
Definition ssl_common.h:323
bool single_session
Definition ssl_common.h:326
const char * local_options
Definition ssl_common.h:322
int handshake_window
Definition ssl_common.h:341
int replay_window
Definition ssl_common.h:372
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
Structure that wraps the TLS context.
off_t crl_last_size
size of last loaded CRL
time_t crl_last_mtime
CRL last modification time.
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
int key_id
The current active key id, used to keep track of renegotiations.
Definition ssl_common.h:512
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
bool token_defined
Definition misc.h:56
bool protected
Definition misc.h:58
bool defined
Definition misc.h:53
char password[USER_PASS_LEN]
Definition misc.h:68
bool nocache
Definition misc.h:57
char username[USER_PASS_LEN]
Definition misc.h:67
struct env_set * es
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:131
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380