OpenVPN
ssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  * Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
30 /*
31  * The routines in this file deal with dynamically negotiating
32  * the data channel HMAC and cipher keys through a TLS session.
33  *
34  * Both the TLS session and the data channel are multiplexed
35  * over the same TCP/UDP port.
36  */
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #elif defined(_MSC_VER)
40 #include "config-msvc.h"
41 #endif
42 
43 #include "syshead.h"
44 #include "win32.h"
45 
46 #include "error.h"
47 #include "common.h"
48 #include "socket.h"
49 #include "misc.h"
50 #include "fdmisc.h"
51 #include "interval.h"
52 #include "perf.h"
53 #include "status.h"
54 #include "gremlin.h"
55 #include "pkcs11.h"
56 #include "route.h"
57 #include "tls_crypt.h"
58 
59 #include "ssl.h"
60 #include "ssl_verify.h"
61 #include "ssl_backend.h"
62 #include "ssl_ncp.h"
63 #include "auth_token.h"
64 
65 #include "memdbg.h"
66 
67 #ifdef MEASURE_TLS_HANDSHAKE_STATS
68 
69 static int tls_handshake_success; /* GLOBAL */
70 static int tls_handshake_error; /* GLOBAL */
71 static int tls_packets_generated; /* GLOBAL */
72 static int tls_packets_sent; /* GLOBAL */
73 
74 #define INCR_SENT ++tls_packets_sent
75 #define INCR_GENERATED ++tls_packets_generated
76 #define INCR_SUCCESS ++tls_handshake_success
77 #define INCR_ERROR ++tls_handshake_error
78 
79 void
80 show_tls_performance_stats(void)
81 {
82  msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
83  (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
84  tls_handshake_success, tls_handshake_error,
85  (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
86 }
87 #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
88 
89 #define INCR_SENT
90 #define INCR_GENERATED
91 #define INCR_SUCCESS
92 #define INCR_ERROR
93 
94 #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
95 
100  {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
101  {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
102  {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
103  {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
104  {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
105  {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
106  {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
107  {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
108  {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
109  {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
110  {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
111  {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
112  {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
113  {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
114  {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
115  {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
116  {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
117  {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
118  {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
119  {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
120  {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
121  {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
122  {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
123  {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
124  {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
125  {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
126  {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
127  {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
128  {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
129  {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
130  {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
131  {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
132  {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
133  {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
134  {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
135  {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
136  {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
137  {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
138  {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
139  {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
140  {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
141  {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
142  {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
143  {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
144  {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
145  {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
146  {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
147  {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
148  {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
149  {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
150  {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
151  {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
152  {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
153  {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
154  {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
155  {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
156  {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
157  {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
158  {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
159  {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
160  {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
161  {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
162  {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
163  {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
164  {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
165  {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
166  {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
167  {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
168  {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
169  {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
170  {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
171  {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
172  {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
173  {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
174  {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
175  {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
176  {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
177  {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
178  {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
179  {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
180  {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
181  {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
182  {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
183  {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
184  {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
185  {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
186  {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
187  {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
188  {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
189  {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
190  {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
191  {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
192  {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
193  {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
194  {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
195  {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
196  {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
197  {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
198  {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
199  {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
200  {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
201  {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
202  {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
203  {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
204  {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
205  {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
206  {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
207  {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
208  {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
209  {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
210  {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
211  {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
212  {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
213  {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
214  {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
215  {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
216  {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
217  {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
218  {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
219  {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
220  {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
221  {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
222  {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
223  {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
224 #ifdef ENABLE_CRYPTO_OPENSSL
225  /* OpenSSL-specific group names */
226  {"DEFAULT", "DEFAULT"},
227  {"ALL", "ALL"},
228  {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
229  {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
230  {"LOW", "LOW"}, {"!LOW", "!LOW"},
231  {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
232  {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
233  {"EDH", "EDH"}, {"!EDH", "!EDH"},
234  {"EXP", "EXP"}, {"!EXP", "!EXP"},
235  {"RSA", "RSA"}, {"!RSA", "!RSA"},
236  {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
237  {"SRP", "SRP"}, {"!SRP", "!SRP"},
238 #endif
239  {NULL, NULL}
240 };
241 
253 static void
254 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
255 
256 const tls_cipher_name_pair *
257 tls_get_cipher_name_pair(const char *cipher_name, size_t len)
258 {
260 
261  while (pair->openssl_name != NULL)
262  {
263  if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
264  || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
265  {
266  return pair;
267  }
268  pair++;
269  }
270 
271  /* No entry found, return NULL */
272  return NULL;
273 }
274 
282 static void
283 tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
284 {
285  if (cipher && cipher_kt_insecure(cipher))
286  {
287  if (*reneg_bytes == -1) /* Not user-specified */
288  {
289  msg(M_WARN, "WARNING: cipher with small block size in use, "
290  "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
291  *reneg_bytes = 64 * 1024 * 1024;
292  }
293  }
294 }
295 
296 /*
297  * Max number of bytes we will add
298  * for data structures common to both
299  * data and control channel packets.
300  * (opcode only).
301  */
302 void
304 {
305  frame_add_to_extra_frame(frame, 1); /* space for opcode */
306 }
307 
308 /*
309  * Max number of bytes we will add
310  * to control channel packet.
311  */
312 static void
313 tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
314  struct frame *frame)
315 {
316  /*
317  * frame->extra_frame is already initialized with tls_auth buffer requirements,
318  * if --tls-auth is enabled.
319  */
320 
321  /* inherit link MTU and extra_link from data channel */
322  frame->link_mtu = data_channel_frame->link_mtu;
323  frame->extra_link = data_channel_frame->extra_link;
324 
325  /* set extra_frame */
329 
330  /* set dynamic link MTU to cap control channel packets at 1250 bytes */
331  ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
332  frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
333 }
334 
335 void
337 {
338  tls_init_lib();
339 
340  crypto_init_lib();
341 }
342 
343 void
345 {
347  prng_uninit();
348 
349  tls_free_lib();
350 }
351 
352 /*
353  * OpenSSL library calls pem_password_callback if the
354  * private key is protected by a password.
355  */
356 
357 static struct user_pass passbuf; /* GLOBAL */
358 
359 void
360 pem_password_setup(const char *auth_file)
361 {
362  if (!strlen(passbuf.password))
363  {
365  }
366 }
367 
368 int
369 pem_password_callback(char *buf, int size, int rwflag, void *u)
370 {
371  if (buf)
372  {
373  /* prompt for password even if --askpass wasn't specified */
374  pem_password_setup(NULL);
375  strncpynt(buf, passbuf.password, size);
376  purge_user_pass(&passbuf, false);
377 
378  return strlen(buf);
379  }
380  return 0;
381 }
382 
383 /*
384  * Auth username/password handling
385  */
386 
387 static bool auth_user_pass_enabled; /* GLOBAL */
388 static struct user_pass auth_user_pass; /* GLOBAL */
389 static struct user_pass auth_token; /* GLOBAL */
390 
391 #ifdef ENABLE_MANAGEMENT
392 static char *auth_challenge; /* GLOBAL */
393 #endif
394 
395 void
396 auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
397 {
398  auth_user_pass_enabled = true;
400  {
401 #ifdef ENABLE_MANAGEMENT
402  if (auth_challenge) /* dynamic challenge/response */
403  {
405  auth_file,
406  UP_TYPE_AUTH,
408  auth_challenge);
409  }
410  else if (sci) /* static challenge response */
411  {
413  if (sci->flags & SC_ECHO)
414  {
416  }
418  auth_file,
419  UP_TYPE_AUTH,
420  flags,
421  sci->challenge_text);
422  }
423  else
424 #endif /* ifdef ENABLE_MANAGEMENT */
426  }
427 }
428 
429 /*
430  * Disable password caching
431  */
432 void
434 {
435  passbuf.nocache = true;
436  auth_user_pass.nocache = true;
437 }
438 
439 /*
440  * Set an authentication token
441  */
442 void
443 ssl_set_auth_token(const char *token)
444 {
446 }
447 
448 /*
449  * Cleans an auth token and checks if it was active
450  */
451 bool
453 {
454  bool wasdefined = auth_token.defined;
455  purge_user_pass(&auth_token, true);
456  return wasdefined;
457 }
458 
459 /*
460  * Forget private key password AND auth-user-pass username/password.
461  */
462 void
463 ssl_purge_auth(const bool auth_user_pass_only)
464 {
465  if (!auth_user_pass_only)
466  {
467 #ifdef ENABLE_PKCS11
468  pkcs11_logout();
469 #endif
470  purge_user_pass(&passbuf, true);
471  }
473 #ifdef ENABLE_MANAGEMENT
475 #endif
476 }
477 
478 #ifdef ENABLE_MANAGEMENT
479 
480 void
482 {
483  free(auth_challenge);
484  auth_challenge = NULL;
485 }
486 
487 void
488 ssl_put_auth_challenge(const char *cr_str)
489 {
491  auth_challenge = string_alloc(cr_str, NULL);
492 }
493 
494 #endif
495 
496 /*
497  * Parse a TLS version string, returning a TLS_VER_x constant.
498  * If version string is not recognized and extra == "or-highest",
499  * return tls_version_max().
500  */
501 int
502 tls_version_parse(const char *vstr, const char *extra)
503 {
504  const int max_version = tls_version_max();
505  if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
506  {
507  return TLS_VER_1_0;
508  }
509  else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
510  {
511  return TLS_VER_1_1;
512  }
513  else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
514  {
515  return TLS_VER_1_2;
516  }
517  else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
518  {
519  return TLS_VER_1_3;
520  }
521  else if (extra && !strcmp(extra, "or-highest"))
522  {
523  return max_version;
524  }
525  else
526  {
527  return TLS_VER_BAD;
528  }
529 }
530 
542 static void
543 tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
544  bool crl_file_inline)
545 {
546  /* if something goes wrong with stat(), we'll store 0 as mtime */
547  platform_stat_t crl_stat = {0};
548 
549  /*
550  * an inline CRL can't change at runtime, therefore there is no need to
551  * reload it. It will be reloaded upon config change + SIGHUP.
552  * Use always '1' as dummy timestamp in this case: it will trigger the
553  * first load, but will prevent any future reload.
554  */
555  if (crl_file_inline)
556  {
557  crl_stat.st_mtime = 1;
558  }
559  else if (platform_stat(crl_file, &crl_stat) < 0)
560  {
561  msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL.");
562  return;
563  }
564 
565  /*
566  * Store the CRL if this is the first time or if the file was changed since
567  * the last load.
568  * Note: Windows does not support tv_nsec.
569  */
570  if ((ssl_ctx->crl_last_size == crl_stat.st_size)
571  && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
572  {
573  return;
574  }
575 
576  ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
577  ssl_ctx->crl_last_size = crl_stat.st_size;
578  backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
579 }
580 
581 /*
582  * Initialize SSL context.
583  * All files are in PEM format.
584  */
585 void
586 init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
587 {
588  ASSERT(NULL != new_ctx);
589 
590  tls_clear_error();
591 
592  if (options->tls_server)
593  {
594  tls_ctx_server_new(new_ctx);
595 
596  if (options->dh_file)
597  {
598  tls_ctx_load_dh_params(new_ctx, options->dh_file,
599  options->dh_file_inline);
600  }
601  }
602  else /* if client */
603  {
604  tls_ctx_client_new(new_ctx);
605  }
606 
607  /* Restrict allowed certificate crypto algorithms */
608  tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
609 
610  /* Allowable ciphers */
611  /* Since @SECLEVEL also influences loading of certificates, set the
612  * cipher restrictions before loading certificates */
613  tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
615 
616  /* Set the allow groups/curves for TLS if we want to override them */
617  if (options->tls_groups)
618  {
619  tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
620  }
621 
622  if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
623  {
624  goto err;
625  }
626 
627  if (options->pkcs12_file)
628  {
629  if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
630  options->pkcs12_file_inline, !options->ca_file))
631  {
632  goto err;
633  }
634  }
635 #ifdef ENABLE_PKCS11
636  else if (options->pkcs11_providers[0])
637  {
638  if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
639  {
640  msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
641  options->pkcs11_id);
642  goto err;
643  }
644  }
645 #endif
646 #ifdef ENABLE_CRYPTOAPI
647  else if (options->cryptoapi_cert)
648  {
649  tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
650  }
651 #endif
652 #ifdef ENABLE_MANAGEMENT
653  else if (options->management_flags & MF_EXTERNAL_CERT)
654  {
655  char *cert = management_query_cert(management,
656  options->management_certificate);
657  tls_ctx_load_cert_file(new_ctx, cert, true);
658  free(cert);
659  }
660 #endif
661  else if (options->cert_file)
662  {
663  tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
664  }
665 
666  if (options->priv_key_file)
667  {
668  if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
669  options->priv_key_file_inline))
670  {
671  goto err;
672  }
673  }
674 #ifdef ENABLE_MANAGEMENT
675  else if (options->management_flags & MF_EXTERNAL_KEY)
676  {
678  {
679  msg(M_WARN, "Cannot initialize mamagement-external-key");
680  goto err;
681  }
682  }
683 #endif
684 
685  if (options->ca_file || options->ca_path)
686  {
687  tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
688  options->ca_path, options->tls_server);
689  }
690 
691  /* Load extra certificates that are part of our own certificate
692  * chain but shouldn't be included in the verify chain */
693  if (options->extra_certs_file)
694  {
696  }
697 
698  /* Check certificate notBefore and notAfter */
699  tls_ctx_check_cert_time(new_ctx);
700 
701  /* Read CRL */
702  if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
703  {
704  tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
705  }
706 
707  /* Once keys and cert are loaded, load ECDH parameters */
708  if (options->tls_server)
709  {
710  tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
711  }
712 
713 #ifdef ENABLE_CRYPTO_MBEDTLS
714  /* Personalise the random by mixing in the certificate */
715  tls_ctx_personalise_random(new_ctx);
716 #endif
717 
718  tls_clear_error();
719  return;
720 
721 err:
722  tls_clear_error();
723  tls_ctx_free(new_ctx);
724  return;
725 }
726 
727 /*
728  * Map internal constants to ascii names.
729  */
730 static const char *
731 state_name(int state)
732 {
733  switch (state)
734  {
735  case S_UNDEF:
736  return "S_UNDEF";
737 
738  case S_INITIAL:
739  return "S_INITIAL";
740 
741  case S_PRE_START:
742  return "S_PRE_START";
743 
744  case S_START:
745  return "S_START";
746 
747  case S_SENT_KEY:
748  return "S_SENT_KEY";
749 
750  case S_GOT_KEY:
751  return "S_GOT_KEY";
752 
753  case S_ACTIVE:
754  return "S_ACTIVE";
755 
756  case S_ERROR:
757  return "S_ERROR";
758 
759  default:
760  return "S_???";
761  }
762 }
763 
764 static const char *
766 {
767  switch (auth)
768  {
769  case KS_AUTH_TRUE:
770  return "KS_AUTH_TRUE";
771  case KS_AUTH_DEFERRED:
772  return "KS_AUTH_DEFERRED";
773  case KS_AUTH_FALSE:
774  return "KS_AUTH_FALSE";
775  default:
776  return "KS_????";
777  }
778 }
779 
780 static const char *
782 {
783  switch (op)
784  {
786  return "P_CONTROL_HARD_RESET_CLIENT_V1";
787 
789  return "P_CONTROL_HARD_RESET_SERVER_V1";
790 
792  return "P_CONTROL_HARD_RESET_CLIENT_V2";
793 
795  return "P_CONTROL_HARD_RESET_SERVER_V2";
796 
798  return "P_CONTROL_HARD_RESET_CLIENT_V3";
799 
801  return "P_CONTROL_SOFT_RESET_V1";
802 
803  case P_CONTROL_V1:
804  return "P_CONTROL_V1";
805 
806  case P_ACK_V1:
807  return "P_ACK_V1";
808 
809  case P_DATA_V1:
810  return "P_DATA_V1";
811 
812  case P_DATA_V2:
813  return "P_DATA_V2";
814 
815  default:
816  return "P_???";
817  }
818 }
819 
820 static const char *
822 {
823  switch (index)
824  {
825  case TM_ACTIVE:
826  return "TM_ACTIVE";
827 
828  case TM_UNTRUSTED:
829  return "TM_UNTRUSTED";
830 
831  case TM_LAME_DUCK:
832  return "TM_LAME_DUCK";
833 
834  default:
835  return "TM_???";
836  }
837 }
838 
839 /*
840  * For debugging.
841  */
842 static const char *
843 print_key_id(struct tls_multi *multi, struct gc_arena *gc)
844 {
845  struct buffer out = alloc_buf_gc(256, gc);
846 
847  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
848  {
849  struct key_state *ks = get_key_scan(multi, i);
850  buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
852  ks->key_id,
854  }
855 
856  return BSTR(&out);
857 }
858 
859 bool
861 {
864  {
865  return true;
866  }
867 
868  return false;
869 }
870 
894 static void
896 {
897  update_time();
898 
899  CLEAR(*ks);
900 
901  /*
902  * Build TLS object that reads/writes ciphertext
903  * to/from memory BIOs.
904  */
905  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
906  session);
907 
908  /* Set control-channel initiation mode */
909  ks->initial_opcode = session->initial_opcode;
911  ks->state = S_INITIAL;
912  ks->key_id = session->key_id;
913 
914  /*
915  * key_id increments to KEY_ID_MASK then recycles back to 1.
916  * This way you know that if key_id is 0, it is the first key.
917  */
918  ++session->key_id;
919  session->key_id &= P_KEY_ID_MASK;
920  if (!session->key_id)
921  {
922  session->key_id = 1;
923  }
924 
925  /* allocate key source material object */
926  ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
927 
928  /* allocate reliability objects */
931  ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
932 
933  /* allocate buffers */
936  ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
937  reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
939  ks->key_id ? false : session->opt->xmit_hold);
940  reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
942  false);
944 
945  /* init packet ID tracker */
946  if (session->opt->replay)
947  {
949  session->opt->replay_window, session->opt->replay_time, "SSL",
950  ks->key_id);
951  }
952 
953  ks->crypto_options.pid_persist = NULL;
954 
955 #ifdef ENABLE_MANAGEMENT
956  ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
957 #endif
958 }
959 
960 
974 static void
975 key_state_free(struct key_state *ks, bool clear)
976 {
977  ks->state = S_UNDEF;
978 
980 
984  free_buf(&ks->ack_write_buf);
986 
989 
990  free(ks->rec_ack);
991  free(ks->key_src);
992 
994 
995 #ifdef PLUGIN_DEF_AUTH
997 #endif
998 
999  if (clear)
1000  {
1001  secure_memzero(ks, sizeof(*ks));
1002  }
1003 }
1004 
1018 static inline bool
1020 {
1021  return (session->opt->auth_user_pass_verify_script
1023 #ifdef ENABLE_MANAGEMENT
1025 #endif
1026  );
1027 }
1028 
1029 
1050 static void
1052 {
1053  struct gc_arena gc = gc_new();
1054 
1055  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
1056 
1057  CLEAR(*session);
1058 
1059  /* Set options data to point to parent's option structure */
1060  session->opt = &multi->opt;
1061 
1062  /* Randomize session # if it is 0 */
1063  while (!session_id_defined(&session->session_id))
1064  {
1065  session_id_random(&session->session_id);
1066  }
1067 
1068  /* Are we a TLS server or client? */
1069  if (session->opt->server)
1070  {
1072  }
1073  else
1074  {
1075  session->initial_opcode = session->opt->tls_crypt_v2 ?
1077  }
1078 
1079  /* Initialize control channel authentication parameters */
1080  session->tls_wrap = session->opt->tls_wrap;
1081  session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1082 
1083  /* initialize packet ID replay window for --tls-auth */
1085  session->opt->replay_window,
1086  session->opt->replay_time,
1087  "TLS_WRAP", session->key_id);
1088 
1089  /* load most recent packet-id to replay protect on --tls-auth */
1091  &session->tls_wrap.opt.packet_id);
1092 
1093  key_state_init(session, &session->key[KS_PRIMARY]);
1094 
1095  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1096  session_id_print(&session->session_id, &gc));
1097 
1098  gc_free(&gc);
1099 }
1100 
1116 static void
1118 {
1119  tls_wrap_free(&session->tls_wrap);
1120 
1121  for (size_t i = 0; i < KS_SIZE; ++i)
1122  {
1123  /* we don't need clear=true for this call since
1124  * the structs are part of session and get cleared
1125  * as part of session */
1126  key_state_free(&session->key[i], false);
1127  }
1128 
1129  free(session->common_name);
1130 
1131  cert_hash_free(session->cert_hash_set);
1132 
1133  if (clear)
1134  {
1135  secure_memzero(session, sizeof(*session));
1136  }
1137 }
1138 
1144 static void
1145 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1146 {
1147  msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1148  session_index_name(dest),
1149  session_index_name(src),
1150  reinit_src);
1151  ASSERT(src != dest);
1152  ASSERT(src >= 0 && src < TM_SIZE);
1153  ASSERT(dest >= 0 && dest < TM_SIZE);
1154  tls_session_free(&multi->session[dest], false);
1155  multi->session[dest] = multi->session[src];
1156 
1157  if (reinit_src)
1158  {
1159  tls_session_init(multi, &multi->session[src]);
1160  }
1161  else
1162  {
1163  secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1164  }
1165 
1166  dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1167 }
1168 
1169 static void
1171 {
1172  tls_session_free(session, false);
1173  tls_session_init(multi, session);
1174 }
1175 
1176 /*
1177  * Used to determine in how many seconds we should be
1178  * called again.
1179  */
1180 static inline void
1181 compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1182 {
1183  if (seconds_from_now < *earliest)
1184  {
1185  *earliest = seconds_from_now;
1186  }
1187  if (*earliest < 0)
1188  {
1189  *earliest = 0;
1190  }
1191 }
1192 
1193 /*
1194  * Return true if "lame duck" or retiring key has expired and can
1195  * no longer be used.
1196  */
1197 static inline bool
1199 {
1200  const struct key_state *lame = &session->key[KS_LAME_DUCK];
1201  if (lame->state >= S_INITIAL)
1202  {
1203  ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1204  if (now < lame->must_die)
1205  {
1206  compute_earliest_wakeup(wakeup, lame->must_die - now);
1207  return false;
1208  }
1209  else
1210  {
1211  return true;
1212  }
1213  }
1214  else if (lame->state == S_ERROR)
1215  {
1216  return true;
1217  }
1218  else
1219  {
1220  return false;
1221  }
1222 }
1223 
1224 struct tls_multi *
1226 {
1227  struct tls_multi *ret;
1228 
1229  ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1230 
1231  /* get command line derived options */
1232  ret->opt = *tls_options;
1233 
1234  return ret;
1235 }
1236 
1237 void
1238 tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
1239 {
1241 
1242  /* initialize the active and untrusted sessions */
1243 
1244  tls_session_init(multi, &multi->session[TM_ACTIVE]);
1245 
1246  if (!multi->opt.single_session)
1247  {
1248  tls_session_init(multi, &multi->session[TM_UNTRUSTED]);
1249  }
1250 }
1251 
1252 /*
1253  * Initialize and finalize a standalone tls-auth verification object.
1254  */
1255 
1256 struct tls_auth_standalone *
1258  struct gc_arena *gc)
1259 {
1260  struct tls_auth_standalone *tas;
1261 
1262  ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1263 
1264  tas->tls_wrap = tls_options->tls_wrap;
1265 
1266  /*
1267  * Standalone tls-auth is in read-only mode with respect to TLS
1268  * control channel state. After we build a new client instance
1269  * object, we will process this session-initiating packet for real.
1270  */
1272 
1273  /* get initial frame parms, still need to finalize */
1274  tas->frame = tls_options->frame;
1275 
1276  return tas;
1277 }
1278 
1279 void
1281  const struct frame *frame)
1282 {
1284 }
1285 
1286 /*
1287  * Set local and remote option compatibility strings.
1288  * Used to verify compatibility of local and remote option
1289  * sets.
1290  */
1291 void
1293  const char *local,
1294  const char *remote)
1295 {
1296  /* initialize options string */
1297  multi->opt.local_options = local;
1298  multi->opt.remote_options = remote;
1299 }
1300 
1301 /*
1302  * Cleanup a tls_multi structure and free associated memory allocations.
1303  */
1304 void
1305 tls_multi_free(struct tls_multi *multi, bool clear)
1306 {
1307  ASSERT(multi);
1308 
1309  auth_set_client_reason(multi, NULL);
1310 
1311  free(multi->peer_info);
1312  free(multi->locked_cn);
1313  free(multi->locked_username);
1314 
1316 
1317  wipe_auth_token(multi);
1318 
1319  free(multi->remote_ciphername);
1320 
1321  for (int i = 0; i < TM_SIZE; ++i)
1322  {
1323  tls_session_free(&multi->session[i], false);
1324  }
1325 
1326  if (clear)
1327  {
1328  secure_memzero(multi, sizeof(*multi));
1329  }
1330 
1331  free(multi);
1332 }
1333 
1334 
1335 /*
1336  * Move a packet authentication HMAC + related fields to or from the front
1337  * of the buffer so it can be processed by encrypt/decrypt.
1338  */
1339 
1340 /*
1341  * Dependent on hmac size, opcode size, and session_id size.
1342  * Will assert if too small.
1343  */
1344 #define SWAP_BUF_SIZE 256
1345 
1346 static bool
1347 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
1348 {
1349  ASSERT(co);
1350 
1351  const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
1352  &co->key_ctx_bi.encrypt);
1353  ASSERT(ctx->hmac);
1354 
1355  {
1356  /* hmac + packet_id (8 bytes) */
1357  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
1358 
1359  /* opcode + session_id */
1360  const int osid_size = 1 + SID_SIZE;
1361 
1362  int e1, e2;
1363  uint8_t *b = BPTR(buf);
1364  uint8_t buf1[SWAP_BUF_SIZE];
1365  uint8_t buf2[SWAP_BUF_SIZE];
1366 
1367  if (incoming)
1368  {
1369  e1 = osid_size;
1370  e2 = hmac_size;
1371  }
1372  else
1373  {
1374  e1 = hmac_size;
1375  e2 = osid_size;
1376  }
1377 
1378  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
1379 
1380  if (buf->len >= e1 + e2)
1381  {
1382  memcpy(buf1, b, e1);
1383  memcpy(buf2, b + e1, e2);
1384  memcpy(b, buf2, e2);
1385  memcpy(b + e2, buf1, e1);
1386  return true;
1387  }
1388  else
1389  {
1390  return false;
1391  }
1392  }
1393 }
1394 
1395 #undef SWAP_BUF_SIZE
1396 
1397 /*
1398  * Write a control channel authentication record.
1399  */
1400 static void
1402  struct key_state *ks,
1403  struct buffer *buf,
1404  struct link_socket_actual **to_link_addr,
1405  int opcode,
1406  int max_ack,
1407  bool prepend_ack)
1408 {
1409  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
1410  struct buffer null = clear_buf();
1411 
1414  (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
1415 
1416  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
1417 
1418  if (session->tls_wrap.mode == TLS_WRAP_AUTH
1419  || session->tls_wrap.mode == TLS_WRAP_NONE)
1420  {
1421  ASSERT(session_id_write_prepend(&session->session_id, buf));
1422  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
1423  }
1424  if (session->tls_wrap.mode == TLS_WRAP_AUTH)
1425  {
1426  /* no encryption, only write hmac */
1427  openvpn_encrypt(buf, null, &session->tls_wrap.opt);
1428  ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false));
1429  }
1430  else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
1431  {
1432  ASSERT(buf_init(&session->tls_wrap.work, buf->offset));
1433  ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header)));
1434  ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work));
1435  if (!tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt))
1436  {
1437  buf->len = 0;
1438  return;
1439  }
1440 
1441  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3)
1442  {
1443  if (!buf_copy(&session->tls_wrap.work,
1444  session->tls_wrap.tls_crypt_v2_wkc))
1445  {
1446  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
1447  buf->len = 0;
1448  return;
1449  }
1450  }
1451 
1452  /* Don't change the original data in buf, it's used by the reliability
1453  * layer to resend on failure. */
1454  *buf = session->tls_wrap.work;
1455  }
1456  *to_link_addr = &ks->remote_addr;
1457 }
1458 
1459 /*
1460  * Read a control channel authentication record.
1461  */
1462 static bool
1464  struct tls_wrap_ctx *ctx,
1465  const struct link_socket_actual *from,
1466  const struct tls_options *opt)
1467 {
1468  struct gc_arena gc = gc_new();
1469  bool ret = false;
1470 
1471  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
1472  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
1473  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
1474  {
1475  msg(D_TLS_ERRORS,
1476  "TLS Error: can not extract tls-crypt-v2 client key from %s",
1477  print_link_socket_actual(from, &gc));
1478  goto cleanup;
1479  }
1480 
1481  if (ctx->mode == TLS_WRAP_AUTH)
1482  {
1483  struct buffer null = clear_buf();
1484 
1485  /* move the hmac record to the front of the packet */
1486  if (!swap_hmac(buf, &ctx->opt, true))
1487  {
1488  msg(D_TLS_ERRORS,
1489  "TLS Error: cannot locate HMAC in incoming packet from %s",
1490  print_link_socket_actual(from, &gc));
1491  gc_free(&gc);
1492  return false;
1493  }
1494 
1495  /* authenticate only (no decrypt) and remove the hmac record
1496  * from the head of the buffer */
1497  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
1498  if (!buf->len)
1499  {
1500  msg(D_TLS_ERRORS,
1501  "TLS Error: incoming packet authentication failed from %s",
1502  print_link_socket_actual(from, &gc));
1503  goto cleanup;
1504  }
1505 
1506  }
1507  else if (ctx->mode == TLS_WRAP_CRYPT)
1508  {
1509  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
1510  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
1511  {
1512  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
1513  print_link_socket_actual(from, &gc));
1514  goto cleanup;
1515  }
1516  ASSERT(buf_init(buf, buf->offset));
1517  ASSERT(buf_copy(buf, &tmp));
1518  buf_clear(&tmp);
1519  }
1520  else if (ctx->tls_crypt_v2_server_key.cipher)
1521  {
1522  /* If tls-crypt-v2 is enabled, require *some* wrapping */
1523  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
1524  print_link_socket_actual(from, &gc));
1525  /* TODO Do we want to support using tls-crypt-v2 and no control channel
1526  * wrapping at all simultaneously? That would allow server admins to
1527  * upgrade clients one-by-one without running a second instance, but we
1528  * should not enable it by default because it breaks DoS-protection.
1529  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
1530  goto cleanup;
1531  }
1532 
1533  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
1534  {
1535  /* advance buffer pointer past opcode & session_id since our caller
1536  * already read it */
1537  buf_advance(buf, SID_SIZE + 1);
1538  }
1539 
1540  ret = true;
1541 cleanup:
1542  gc_free(&gc);
1543  return ret;
1544 }
1545 
1546 /*
1547  * For debugging, print contents of key_source2 structure.
1548  */
1549 
1550 static void
1552  const char *prefix)
1553 {
1554  struct gc_arena gc = gc_new();
1555 
1556  VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1557  VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1558  VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1559 
1561  "%s pre_master: %s",
1562  prefix,
1563  format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1565  "%s random1: %s",
1566  prefix,
1567  format_hex(k->random1, sizeof(k->random1), 0, &gc));
1569  "%s random2: %s",
1570  prefix,
1571  format_hex(k->random2, sizeof(k->random2), 0, &gc));
1572 
1573  gc_free(&gc);
1574 }
1575 
1576 static void
1578 {
1579  key_source_print(&k->client, "Client");
1580  key_source_print(&k->server, "Server");
1581 }
1582 
1583 /*
1584  * Generate the hash required by for the \c tls1_PRF function.
1585  *
1586  * @param md_kt Message digest to use
1587  * @param sec Secret to base the hash on
1588  * @param sec_len Length of the secret
1589  * @param seed Seed to hash
1590  * @param seed_len Length of the seed
1591  * @param out Output buffer
1592  * @param olen Length of the output buffer
1593  */
1594 static void
1595 tls1_P_hash(const md_kt_t *md_kt,
1596  const uint8_t *sec,
1597  int sec_len,
1598  const uint8_t *seed,
1599  int seed_len,
1600  uint8_t *out,
1601  int olen)
1602 {
1603  struct gc_arena gc = gc_new();
1605 
1606 #ifdef ENABLE_DEBUG
1607  const int olen_orig = olen;
1608  const uint8_t *out_orig = out;
1609 #endif
1610 
1611  hmac_ctx_t *ctx = hmac_ctx_new();
1612  hmac_ctx_t *ctx_tmp = hmac_ctx_new();
1613 
1614  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex(sec, sec_len, 0, &gc));
1615  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex(seed, seed_len, 0, &gc));
1616 
1617  int chunk = md_kt_size(md_kt);
1618  unsigned int A1_len = md_kt_size(md_kt);
1619 
1620  hmac_ctx_init(ctx, sec, sec_len, md_kt);
1621  hmac_ctx_init(ctx_tmp, sec, sec_len, md_kt);
1622 
1623  hmac_ctx_update(ctx,seed,seed_len);
1624  hmac_ctx_final(ctx, A1);
1625 
1626  for (;; )
1627  {
1628  hmac_ctx_reset(ctx);
1629  hmac_ctx_reset(ctx_tmp);
1630  hmac_ctx_update(ctx,A1,A1_len);
1631  hmac_ctx_update(ctx_tmp,A1,A1_len);
1632  hmac_ctx_update(ctx,seed,seed_len);
1633 
1634  if (olen > chunk)
1635  {
1636  hmac_ctx_final(ctx, out);
1637  out += chunk;
1638  olen -= chunk;
1639  hmac_ctx_final(ctx_tmp, A1); /* calc the next A1 value */
1640  }
1641  else /* last one */
1642  {
1643  hmac_ctx_final(ctx, A1);
1644  memcpy(out,A1,olen);
1645  break;
1646  }
1647  }
1648  hmac_ctx_cleanup(ctx);
1649  hmac_ctx_free(ctx);
1650  hmac_ctx_cleanup(ctx_tmp);
1651  hmac_ctx_free(ctx_tmp);
1652  secure_memzero(A1, sizeof(A1));
1653 
1654  dmsg(D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex(out_orig, olen_orig, 0, &gc));
1655  gc_free(&gc);
1656 }
1657 
1658 /*
1659  * Use the TLS PRF function for generating data channel keys.
1660  * This code is based on the OpenSSL library.
1661  *
1662  * TLS generates keys as such:
1663  *
1664  * master_secret[48] = PRF(pre_master_secret[48], "master secret",
1665  * ClientHello.random[32] + ServerHello.random[32])
1666  *
1667  * key_block[] = PRF(SecurityParameters.master_secret[48],
1668  * "key expansion",
1669  * SecurityParameters.server_random[32] +
1670  * SecurityParameters.client_random[32]);
1671  *
1672  * Notes:
1673  *
1674  * (1) key_block contains a full set of 4 keys.
1675  * (2) The pre-master secret is generated by the client.
1676  */
1677 static void
1678 tls1_PRF(const uint8_t *label,
1679  int label_len,
1680  const uint8_t *sec,
1681  int slen,
1682  uint8_t *out1,
1683  int olen)
1684 {
1685  struct gc_arena gc = gc_new();
1686  const md_kt_t *md5 = md_kt_get("MD5");
1687  const md_kt_t *sha1 = md_kt_get("SHA1");
1688 
1689  uint8_t *out2 = (uint8_t *) gc_malloc(olen, false, &gc);
1690 
1691  int len = slen/2;
1692  const uint8_t *S1 = sec;
1693  const uint8_t *S2 = &(sec[len]);
1694  len += (slen&1); /* add for odd, make longer */
1695 
1696  tls1_P_hash(md5,S1,len,label,label_len,out1,olen);
1697  tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
1698 
1699  for (int i = 0; i<olen; i++)
1700  {
1701  out1[i] ^= out2[i];
1702  }
1703 
1704  secure_memzero(out2, olen);
1705 
1706  dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc));
1707 
1708  gc_free(&gc);
1709 }
1710 
1711 static void
1712 openvpn_PRF(const uint8_t *secret,
1713  int secret_len,
1714  const char *label,
1715  const uint8_t *client_seed,
1716  int client_seed_len,
1717  const uint8_t *server_seed,
1718  int server_seed_len,
1719  const struct session_id *client_sid,
1720  const struct session_id *server_sid,
1721  uint8_t *output,
1722  int output_len)
1723 {
1724  /* concatenate seed components */
1725 
1726  struct buffer seed = alloc_buf(strlen(label)
1727  + client_seed_len
1728  + server_seed_len
1729  + SID_SIZE * 2);
1730 
1731  ASSERT(buf_write(&seed, label, strlen(label)));
1732  ASSERT(buf_write(&seed, client_seed, client_seed_len));
1733  ASSERT(buf_write(&seed, server_seed, server_seed_len));
1734 
1735  if (client_sid)
1736  {
1737  ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1738  }
1739  if (server_sid)
1740  {
1741  ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1742  }
1743 
1744  /* compute PRF */
1745  tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1746 
1747  buf_clear(&seed);
1748  free_buf(&seed);
1749 
1750  VALGRIND_MAKE_READABLE((void *)output, output_len);
1751 }
1752 
1753 static void
1755  const struct key_type *key_type,
1756  bool server,
1757  struct key2 *key2)
1758 {
1759  /* Initialize key contexts */
1760  int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1761  init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1762 
1763  /* Initialize implicit IVs */
1764  key_ctx_update_implicit_iv(&key->encrypt, (*key2).keys[(int)server].hmac,
1766  key_ctx_update_implicit_iv(&key->decrypt, (*key2).keys[1-(int)server].hmac,
1768 
1769 }
1770 
1771 static bool
1773 {
1775  strlen(EXPORT_KEY_DATA_LABEL),
1776  key2->keys, sizeof(key2->keys)))
1777  {
1778  return false;
1779  }
1780  key2->n = 2;
1781 
1782  return true;
1783 }
1784 
1785 static struct key2
1787 {
1788  uint8_t master[48] = { 0 };
1789 
1790  const struct key_state *ks = &session->key[KS_PRIMARY];
1791  const struct key_source2 *key_src = ks->key_src;
1792 
1793  const struct session_id *client_sid = session->opt->server ?
1794  &ks->session_id_remote : &session->session_id;
1795  const struct session_id *server_sid = !session->opt->server ?
1796  &ks->session_id_remote : &session->session_id;
1797 
1798  /* debugging print of source key material */
1799  key_source2_print(key_src);
1800 
1801  /* compute master secret */
1802  openvpn_PRF(key_src->client.pre_master,
1803  sizeof(key_src->client.pre_master),
1804  KEY_EXPANSION_ID " master secret",
1805  key_src->client.random1,
1806  sizeof(key_src->client.random1),
1807  key_src->server.random1,
1808  sizeof(key_src->server.random1),
1809  NULL,
1810  NULL,
1811  master,
1812  sizeof(master));
1813 
1814  struct key2 key2;
1815  /* compute key expansion */
1816  openvpn_PRF(master,
1817  sizeof(master),
1818  KEY_EXPANSION_ID " key expansion",
1819  key_src->client.random2,
1820  sizeof(key_src->client.random2),
1821  key_src->server.random2,
1822  sizeof(key_src->server.random2),
1823  client_sid,
1824  server_sid,
1825  (uint8_t *)key2.keys,
1826  sizeof(key2.keys));
1827  secure_memzero(&master, sizeof(master));
1828 
1829  /*
1830  * fixup_key only correctly sets DES parity bits if the cipher is a
1831  * DES variant.
1832  *
1833  * The newer OpenSSL and mbed TLS libraries (those that support EKM)
1834  * ignore these bits.
1835  *
1836  * We keep the DES fixup here as compatibility.
1837  * OpenVPN3 never did this fixup anyway. So this code is *probably* not
1838  * required but we keep it for compatibility until we remove DES support
1839  * since it does not hurt either.
1840  */
1841  for (int i = 0; i < 2; ++i)
1842  {
1843  fixup_key(&key2.keys[i], &session->opt->key_type);
1844  }
1845  key2.n = 2;
1846 
1847  return key2;
1848 }
1849 
1850 /*
1851  * Using source entropy from local and remote hosts, mix into
1852  * master key.
1853  */
1854 static bool
1856  struct tls_session *session)
1857 {
1858  bool ret = false;
1859  struct key2 key2;
1860 
1861  if (key->initialized)
1862  {
1863  msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1864  goto exit;
1865  }
1866 
1867  bool server = session->opt->server;
1868 
1870  {
1871  if (!generate_key_expansion_tls_export(session, &key2))
1872  {
1873  msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1874  goto exit;
1875  }
1876  }
1877  else
1878  {
1879  key2 = generate_key_expansion_openvpn_prf(session);
1880  }
1881 
1882  key2_print(&key2, &session->opt->key_type,
1883  "Master Encrypt", "Master Decrypt");
1884 
1885  /* check for weak keys */
1886  for (int i = 0; i < 2; ++i)
1887  {
1888  if (!check_key(&key2.keys[i], &session->opt->key_type))
1889  {
1890  msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1891  goto exit;
1892  }
1893  }
1894  init_key_contexts(key, &session->opt->key_type, server, &key2);
1895  ret = true;
1896 
1897 exit:
1898  secure_memzero(&key2, sizeof(key2));
1899 
1900  return ret;
1901 }
1902 
1903 static void
1904 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
1905 {
1906  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
1907 
1908  /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
1909  if (cipher_kt_mode_aead(cipher_kt))
1910  {
1911  size_t impl_iv_len = 0;
1913  impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
1914  ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
1915  ASSERT(impl_iv_len <= key_len);
1916  memcpy(ctx->implicit_iv, key, impl_iv_len);
1917  ctx->implicit_iv_len = impl_iv_len;
1918  }
1919 }
1920 
1927 static bool
1929 {
1930  bool ret = false;
1931  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1932 
1933  if (ks->authenticated == KS_AUTH_FALSE)
1934  {
1935  msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1936  goto cleanup;
1937  }
1938 
1939  ks->crypto_options.flags = session->opt->crypto_flags;
1940 
1941  if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, session))
1942  {
1943  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1944  goto cleanup;
1945  }
1947  &session->opt->renegotiate_bytes);
1948 
1949  ret = true;
1950 cleanup:
1951  secure_memzero(ks->key_src, sizeof(*ks->key_src));
1952  return ret;
1953 }
1954 
1955 bool
1957  struct options *options, struct frame *frame,
1958  struct frame *frame_fragment)
1959 {
1961  {
1962  /* keys already generated, nothing to do */
1963  return true;
1964  }
1965 
1966  bool cipher_allowed_as_fallback = options->enable_ncp_fallback
1967  && streq(options->ciphername, session->opt->config_ciphername);
1968 
1969  if (!session->opt->server && !cipher_allowed_as_fallback
1970  && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
1971  {
1972  msg(D_TLS_ERRORS, "Error: pushed cipher not allowed - %s not in %s",
1973  options->ciphername, options->ncp_ciphers);
1974  /* undo cipher push, abort connection setup */
1975  options->ciphername = session->opt->config_ciphername;
1976  return false;
1977  }
1978 
1979  if (options->data_channel_use_ekm)
1980  {
1982  }
1983 
1984  if (strcmp(options->ciphername, session->opt->config_ciphername))
1985  {
1986  msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
1987  options->ciphername);
1988  if (options->keysize)
1989  {
1990  msg(D_HANDSHAKE, "NCP: overriding user-set keysize with default");
1991  options->keysize = 0;
1992  }
1993  }
1994  else
1995  {
1996  /* Very hacky workaround and quick fix for frame calculation
1997  * different when adjusting frame size when the original and new cipher
1998  * are identical to avoid a regression with client without NCP */
2000  }
2001 
2002  init_key_type(&session->opt->key_type, options->ciphername,
2003  options->authname, options->keysize, true, true);
2004 
2005  bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
2006  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
2007  if (packet_id_long_form)
2008  {
2010  }
2011 
2012  /* Update frame parameters: undo worst-case overhead, add actual overhead */
2014  crypto_adjust_frame_parameters(frame, &session->opt->key_type,
2015  options->replay, packet_id_long_form);
2016  frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
2017  options->ce.tun_mtu_defined, options->ce.tun_mtu);
2018  frame_init_mssfix(frame, options);
2019  frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
2020 
2021  /*
2022  * mssfix uses data channel framing, which at this point contains
2023  * actual overhead. Fragmentation logic uses frame_fragment, which
2024  * still contains worst case overhead. Replace it with actual overhead
2025  * to prevent unneeded fragmentation.
2026  */
2027 
2028  if (frame_fragment)
2029  {
2031  crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type,
2032  options->replay, packet_id_long_form);
2033  frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);
2034  frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
2035  }
2036 
2038 }
2039 
2040 static bool
2042  uint8_t *out,
2043  int outlen)
2044 {
2045  if (!rand_bytes(out, outlen))
2046  {
2047  msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
2048  }
2049  if (!buf_write(buf, out, outlen))
2050  {
2051  return false;
2052  }
2053  return true;
2054 }
2055 
2056 static bool
2058  struct buffer *buf,
2059  bool server)
2060 {
2061  struct key_source *k = &k2->client;
2062  if (server)
2063  {
2064  k = &k2->server;
2065  }
2066 
2067  CLEAR(*k);
2068 
2069  if (!server)
2070  {
2071  if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
2072  {
2073  return false;
2074  }
2075  }
2076 
2077  if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
2078  {
2079  return false;
2080  }
2081  if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
2082  {
2083  return false;
2084  }
2085 
2086  return true;
2087 }
2088 
2089 static int
2091  struct buffer *buf,
2092  bool server)
2093 {
2094  struct key_source *k = &k2->client;
2095 
2096  if (!server)
2097  {
2098  k = &k2->server;
2099  }
2100 
2101  CLEAR(*k);
2102 
2103  if (server)
2104  {
2105  if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
2106  {
2107  return 0;
2108  }
2109  }
2110 
2111  if (!buf_read(buf, k->random1, sizeof(k->random1)))
2112  {
2113  return 0;
2114  }
2115  if (!buf_read(buf, k->random2, sizeof(k->random2)))
2116  {
2117  return 0;
2118  }
2119 
2120  return 1;
2121 }
2122 
2123 static void
2125 {
2126  struct buffer *b;
2127 
2128  while ((b = buffer_list_peek(ks->paybuf)))
2129  {
2131  buffer_list_pop(ks->paybuf);
2132  }
2133 }
2134 
2135 /* true if no in/out acknowledgements pending */
2136 #define FULL_SYNC \
2137  (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
2138 
2139 /*
2140  * Move the active key to the lame duck key and reinitialize the
2141  * active key.
2142  */
2143 static void
2145 {
2146  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2147  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2148 
2149  ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
2150  key_state_free(ks_lame, false);
2151  *ks_lame = *ks;
2152 
2153  key_state_init(session, ks);
2154  ks->session_id_remote = ks_lame->session_id_remote;
2155  ks->remote_addr = ks_lame->remote_addr;
2156 }
2157 
2158 /*
2159  * Read/write strings from/to a struct buffer with a u16 length prefix.
2160  */
2161 
2162 static bool
2164 {
2165  if (!buf_write_u16(buf, 0))
2166  {
2167  return false;
2168  }
2169  return true;
2170 }
2171 
2172 static bool
2173 write_string(struct buffer *buf, const char *str, const int maxlen)
2174 {
2175  const int len = strlen(str) + 1;
2176  if (len < 1 || (maxlen >= 0 && len > maxlen))
2177  {
2178  return false;
2179  }
2180  if (!buf_write_u16(buf, len))
2181  {
2182  return false;
2183  }
2184  if (!buf_write(buf, str, len))
2185  {
2186  return false;
2187  }
2188  return true;
2189 }
2190 
2191 static bool
2192 read_string(struct buffer *buf, char *str, const unsigned int capacity)
2193 {
2194  const int len = buf_read_u16(buf);
2195  if (len < 1 || len > (int)capacity)
2196  {
2197  return false;
2198  }
2199  if (!buf_read(buf, str, len))
2200  {
2201  return false;
2202  }
2203  str[len-1] = '\0';
2204  return true;
2205 }
2206 
2207 static char *
2209 {
2210  const int len = buf_read_u16(buf);
2211  char *str;
2212 
2213  if (len < 1)
2214  {
2215  return NULL;
2216  }
2217  str = (char *) malloc(len);
2218  check_malloc_return(str);
2219  if (!buf_read(buf, str, len))
2220  {
2221  free(str);
2222  return NULL;
2223  }
2224  str[len-1] = '\0';
2225  return str;
2226 }
2227 
2228 static bool
2230 {
2231  struct gc_arena gc = gc_new();
2232  bool ret = false;
2233 
2234  if (session->opt->push_peer_info_detail > 0)
2235  {
2236  struct env_set *es = session->opt->es;
2237  struct buffer out = alloc_buf_gc(512*3, &gc);
2238 
2239  /* push version */
2240  buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
2241 
2242  /* push platform */
2243 #if defined(TARGET_LINUX)
2244  buf_printf(&out, "IV_PLAT=linux\n");
2245 #elif defined(TARGET_SOLARIS)
2246  buf_printf(&out, "IV_PLAT=solaris\n");
2247 #elif defined(TARGET_OPENBSD)
2248  buf_printf(&out, "IV_PLAT=openbsd\n");
2249 #elif defined(TARGET_DARWIN)
2250  buf_printf(&out, "IV_PLAT=mac\n");
2251 #elif defined(TARGET_NETBSD)
2252  buf_printf(&out, "IV_PLAT=netbsd\n");
2253 #elif defined(TARGET_FREEBSD)
2254  buf_printf(&out, "IV_PLAT=freebsd\n");
2255 #elif defined(TARGET_ANDROID)
2256  buf_printf(&out, "IV_PLAT=android\n");
2257 #elif defined(_WIN32)
2258  buf_printf(&out, "IV_PLAT=win\n");
2259 #endif
2260 
2261  /* support for P_DATA_V2 */
2262  int iv_proto = IV_PROTO_DATA_V2;
2263 
2264  /* support for receiving push_reply before sending
2265  * push request, also signal that the client wants
2266  * to get push-reply messages without without requiring a round
2267  * trip for a push request message*/
2268  if (session->opt->pull)
2269  {
2270  iv_proto |= IV_PROTO_REQUEST_PUSH;
2271  iv_proto |= IV_PROTO_AUTH_PENDING_KW;
2272  }
2273 
2274  /* support for Negotiable Crypto Parameters */
2275  if (session->opt->ncp_enabled
2276  && (session->opt->mode == MODE_SERVER || session->opt->pull))
2277  {
2278  if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
2279  && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
2280  {
2281 
2282  buf_printf(&out, "IV_NCP=2\n");
2283  }
2284  buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
2285 
2286 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2287  iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
2288 #endif
2289  }
2290 
2291  buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
2292 
2293  /* push compression status */
2294 #ifdef USE_COMP
2295  comp_generate_peer_info_string(&session->opt->comp_options, &out);
2296 #endif
2297 
2298  if (session->opt->push_peer_info_detail >= 2)
2299  {
2300  /* push mac addr */
2301  struct route_gateway_info rgi;
2302  get_default_gateway(&rgi, session->opt->net_ctx);
2303  if (rgi.flags & RGI_HWADDR_DEFINED)
2304  {
2305  buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2306  }
2307  buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2308 #if defined(_WIN32)
2309  buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2310 #endif
2311  }
2312 
2313  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2314  for (struct env_item *e = es->list; e != NULL; e = e->next)
2315  {
2316  if (e->string)
2317  {
2318  if ((((strncmp(e->string, "UV_", 3)==0
2319  || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0)
2320  && session->opt->push_peer_info_detail >= 2)
2321  || (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0)
2322  || (strncmp(e->string,"IV_SSO=",sizeof("IV_SSO=")-1)==0)
2323  )
2324  && buf_safe(&out, strlen(e->string)+1))
2325  {
2326  buf_printf(&out, "%s\n", e->string);
2327  }
2328  }
2329  }
2330 
2331  if (!write_string(buf, BSTR(&out), -1))
2332  {
2333  goto error;
2334  }
2335  }
2336  else
2337  {
2338  if (!write_empty_string(buf)) /* no peer info */
2339  {
2340  goto error;
2341  }
2342  }
2343  ret = true;
2344 
2345 error:
2346  gc_free(&gc);
2347  return ret;
2348 }
2349 
2354 static bool
2356 {
2357  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2358 
2359  ASSERT(buf_init(buf, 0));
2360 
2361  /* write a uint32 0 */
2362  if (!buf_write_u32(buf, 0))
2363  {
2364  goto error;
2365  }
2366 
2367  /* write key_method + flags */
2368  if (!buf_write_u8(buf, KEY_METHOD_2))
2369  {
2370  goto error;
2371  }
2372 
2373  /* write key source material */
2374  if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2375  {
2376  goto error;
2377  }
2378 
2379  /* write options string */
2380  {
2381  if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2382  {
2383  goto error;
2384  }
2385  }
2386 
2387  /* write username/password if specified */
2388  if (auth_user_pass_enabled)
2389  {
2390 #ifdef ENABLE_MANAGEMENT
2391  auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
2392 #else
2393  auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
2394 #endif
2395  struct user_pass *up = &auth_user_pass;
2396 
2397  /*
2398  * If we have a valid auth-token, send that instead of real
2399  * username/password
2400  */
2401  if (auth_token.defined)
2402  {
2403  up = &auth_token;
2404  }
2405 
2406  if (!write_string(buf, up->username, -1))
2407  {
2408  goto error;
2409  }
2410  else if (!write_string(buf, up->password, -1))
2411  {
2412  goto error;
2413  }
2414  /* if auth-nocache was specified, the auth_user_pass object reaches
2415  * a "complete" state only after having received the push-reply
2416  * message. The push message might contain an auth-token that needs
2417  * the username of auth_user_pass.
2418  *
2419  * For this reason, skip the purge operation here if no push-reply
2420  * message has been received yet.
2421  *
2422  * This normally happens upon first negotiation only.
2423  */
2424  if (!session->opt->pull)
2425  {
2427  }
2428  }
2429  else
2430  {
2431  if (!write_empty_string(buf)) /* no username */
2432  {
2433  goto error;
2434  }
2435  if (!write_empty_string(buf)) /* no password */
2436  {
2437  goto error;
2438  }
2439  }
2440 
2441  if (!push_peer_info(buf, session))
2442  {
2443  goto error;
2444  }
2445 
2446  /* Generate tunnel keys if we're a TLS server.
2447  * If we're a p2mp server and IV_NCP >= 2 is negotiated, the first key
2448  * generation is postponed until after the pull/push, so we can process pushed
2449  * cipher directives.
2450  */
2451  if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0))
2452  {
2453  if (ks->authenticated > KS_AUTH_FALSE)
2454  {
2456  {
2457  msg(D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
2458  goto error;
2459  }
2460  }
2461  }
2462 
2463  return true;
2464 
2465 error:
2466  msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2467  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2468  return false;
2469 }
2470 
2471 static void
2473  struct tls_session *session)
2474 {
2475  if (session->opt->ekm_size > 0)
2476  {
2477  unsigned int size = session->opt->ekm_size;
2478  struct gc_arena gc = gc_new();
2479 
2480  unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
2482  session->opt->ekm_label,
2483  session->opt->ekm_label_size,
2484  ekm, session->opt->ekm_size))
2485  {
2486  unsigned int len = (size * 2) + 2;
2487 
2488  const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2489  setenv_str(session->opt->es, "exported_keying_material", key);
2490 
2491  dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
2492  __func__, key);
2493  secure_memzero(ekm, size);
2494  }
2495  else
2496  {
2497  msg(M_WARN, "WARNING: Export keying material failed!");
2498  setenv_del(session->opt->es, "exported_keying_material");
2499  }
2500  gc_free(&gc);
2501  }
2502 }
2503 
2508 static bool
2509 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2510 {
2511  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2512 
2513  bool username_status, password_status;
2514 
2515  struct gc_arena gc = gc_new();
2516  char *options;
2517  struct user_pass *up = NULL;
2518 
2519  /* allocate temporary objects */
2520  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2521 
2522  /* discard leading uint32 */
2523  if (!buf_advance(buf, 4))
2524  {
2525  msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2526  buf->len);
2527  goto error;
2528  }
2529 
2530  /* get key method */
2531  int key_method_flags = buf_read_u8(buf);
2532  if ((key_method_flags & KEY_METHOD_MASK) != 2)
2533  {
2534  msg(D_TLS_ERRORS,
2535  "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2536  key_method_flags);
2537  goto error;
2538  }
2539 
2540  /* get key source material (not actual keys yet) */
2541  if (!key_source2_read(ks->key_src, buf, session->opt->server))
2542  {
2543  msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2544  goto error;
2545  }
2546 
2547  /* get options */
2548  if (!read_string(buf, options, TLS_OPTIONS_LEN))
2549  {
2550  msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2551  goto error;
2552  }
2553 
2555 
2556  /* always extract username + password fields from buf, even if not
2557  * authenticating for it, because otherwise we can't get at the
2558  * peer_info data which follows behind
2559  */
2560  ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2561  username_status = read_string(buf, up->username, USER_PASS_LEN);
2562  password_status = read_string(buf, up->password, USER_PASS_LEN);
2563 
2564  /* get peer info from control channel */
2565  free(multi->peer_info);
2566  multi->peer_info = read_string_alloc(buf);
2567  if (multi->peer_info)
2568  {
2569  output_peer_info_env(session->opt->es, multi->peer_info);
2570  }
2571 
2572  free(multi->remote_ciphername);
2573  multi->remote_ciphername =
2574  options_string_extract_option(options, "cipher", NULL);
2575 
2576  /* In OCC we send '[null-cipher]' instead 'none' */
2577  if (multi->remote_ciphername
2578  && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2579  {
2580  free(multi->remote_ciphername);
2581  multi->remote_ciphername = string_alloc("none", NULL);
2582  }
2583 
2584  if (tls_session_user_pass_enabled(session))
2585  {
2586  /* Perform username/password authentication */
2587  if (!username_status || !password_status)
2588  {
2589  CLEAR(*up);
2590  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2591  {
2592  msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2593  goto error;
2594  }
2595  }
2596 
2597  verify_user_pass(up, multi, session);
2598  }
2599  else
2600  {
2601  /* Session verification should have occurred during TLS negotiation*/
2602  if (!session->verified)
2603  {
2604  msg(D_TLS_ERRORS,
2605  "TLS Error: Certificate verification failed (key-method 2)");
2606  goto error;
2607  }
2609  }
2610 
2611  /* clear username and password from memory */
2612  secure_memzero(up, sizeof(*up));
2613 
2614  /* Perform final authentication checks */
2615  if (ks->authenticated > KS_AUTH_FALSE)
2616  {
2617  verify_final_auth_checks(multi, session);
2618  }
2619 
2620  /* check options consistency */
2621  if (!session->opt->disable_occ
2622  && !options_cmp_equal(options, session->opt->remote_options))
2623  {
2624  options_warning(options, session->opt->remote_options);
2625  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2626  {
2627  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2629  }
2630  }
2631 
2632  buf_clear(buf);
2633 
2634  /*
2635  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2636  * veto opportunity over authentication decision.
2637  */
2638  if ((ks->authenticated > KS_AUTH_FALSE)
2640  {
2641  export_user_keying_material(&ks->ks_ssl, session);
2642 
2643  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2644  {
2646  }
2647 
2648  setenv_del(session->opt->es, "exported_keying_material");
2649  }
2650 
2651  /*
2652  * Generate tunnel keys if we're a client.
2653  * If --pull is enabled, the first key generation is postponed until after the
2654  * pull/push, so we can process pushed cipher directives.
2655  */
2656  if (!session->opt->server && (!session->opt->pull || ks->key_id > 0))
2657  {
2659  {
2660  msg(D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed");
2661  goto error;
2662  }
2663  }
2664 
2665  gc_free(&gc);
2666  return true;
2667 
2668 error:
2670  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2671  if (up)
2672  {
2673  secure_memzero(up, sizeof(*up));
2674  }
2675  buf_clear(buf);
2676  gc_free(&gc);
2677  return false;
2678 }
2679 
2680 static int
2682 {
2683  int ret = o->handshake_window;
2684  const int r2 = o->renegotiate_seconds / 2;
2685 
2686  if (o->renegotiate_seconds && r2 < ret)
2687  {
2688  ret = r2;
2689  }
2690  return ret;
2691 }
2692 
2693 /*
2694  * This is the primary routine for processing TLS stuff inside the
2695  * the main event loop. When this routine exits
2696  * with non-error status, it will set *wakeup to the number of seconds
2697  * when it wants to be called again.
2698  *
2699  * Return value is true if we have placed a packet in *to_link which we
2700  * want to send to our peer.
2701  */
2702 static bool
2703 tls_process(struct tls_multi *multi,
2704  struct tls_session *session,
2705  struct buffer *to_link,
2706  struct link_socket_actual **to_link_addr,
2707  struct link_socket_info *to_link_socket_info,
2708  interval_t *wakeup)
2709 {
2710  struct gc_arena gc = gc_new();
2711  struct buffer *buf;
2712  bool state_change = false;
2713  bool active = false;
2714  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2715  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2716 
2717  /* Make sure we were initialized and that we're not in an error state */
2718  ASSERT(ks->state != S_UNDEF);
2719  ASSERT(ks->state != S_ERROR);
2720  ASSERT(session_id_defined(&session->session_id));
2721 
2722  /* Should we trigger a soft reset? -- new key, keeps old key for a while */
2723  if (ks->state >= S_ACTIVE
2724  && ((session->opt->renegotiate_seconds
2725  && now >= ks->established + session->opt->renegotiate_seconds)
2726  || (session->opt->renegotiate_bytes > 0
2727  && ks->n_bytes >= session->opt->renegotiate_bytes)
2728  || (session->opt->renegotiate_packets
2729  && ks->n_packets >= session->opt->renegotiate_packets)
2731  {
2732  msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
2733  "/%d pkts=" counter_format "/%d",
2734  (int) (now - ks->established), session->opt->renegotiate_seconds,
2735  ks->n_bytes, session->opt->renegotiate_bytes,
2736  ks->n_packets, session->opt->renegotiate_packets);
2737  key_state_soft_reset(session);
2738  }
2739 
2740  /* Kill lame duck key transition_window seconds after primary key negotiation */
2741  if (lame_duck_must_die(session, wakeup))
2742  {
2743  key_state_free(ks_lame, true);
2744  msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
2745  }
2746 
2747  do
2748  {
2749  update_time();
2750 
2751  dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
2752  state_change,
2753  state_name(ks->state),
2754  state_name(ks_lame->state),
2755  to_link->len,
2756  *wakeup);
2757 
2758  state_change = false;
2759 
2760  /*
2761  * TLS activity is finished once we get to S_ACTIVE,
2762  * though we will still process acknowledgements.
2763  *
2764  * CHANGED with 2.0 -> now we may send tunnel configuration
2765  * info over the control channel.
2766  */
2767 
2768  /* Initial handshake */
2769  if (ks->state == S_INITIAL)
2770  {
2772  if (buf)
2773  {
2774  ks->must_negotiate = now + session->opt->handshake_window;
2776 
2777  /* null buffer */
2780 
2781  ks->state = S_PRE_START;
2782  state_change = true;
2783  dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2784  session_id_print(&session->session_id, &gc));
2785 
2786 #ifdef ENABLE_MANAGEMENT
2788  {
2791  NULL,
2792  NULL,
2793  NULL,
2794  NULL,
2795  NULL);
2796  }
2797 #endif
2798  }
2799  }
2800 
2801  /* Are we timed out on receive? */
2802  if (now >= ks->must_negotiate && ks->state < S_ACTIVE)
2803  {
2804  msg(D_TLS_ERRORS,
2805  "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2806  session->opt->handshake_window);
2807  goto error;
2808  }
2809 
2810  /* Wait for Initial Handshake ACK */
2811  if (ks->state == S_PRE_START && FULL_SYNC)
2812  {
2813  ks->state = S_START;
2814  state_change = true;
2815 
2816  /*
2817  * Attempt CRL reload before TLS negotiation. Won't be performed if
2818  * the file was not modified since the last reload
2819  */
2820  if (session->opt->crl_file
2821  && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
2822  {
2823  tls_ctx_reload_crl(&session->opt->ssl_ctx,
2824  session->opt->crl_file, session->opt->crl_file_inline);
2825  }
2826 
2827  /* New connection, remove any old X509 env variables */
2828  tls_x509_clear_env(session->opt->es);
2829 
2830  dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2831  }
2832 
2833  /* Wait for ACK */
2834  if (((ks->state == S_GOT_KEY && !session->opt->server)
2835  || (ks->state == S_SENT_KEY && session->opt->server)))
2836  {
2837  if (FULL_SYNC)
2838  {
2839  ks->established = now;
2840  dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2842  {
2843  print_details(&ks->ks_ssl, "Control Channel:");
2844  }
2845  state_change = true;
2846  ks->state = S_ACTIVE;
2847  /* Cancel negotiation timeout */
2848  ks->must_negotiate = 0;
2849  INCR_SUCCESS;
2850 
2851  /* Set outgoing address for data channel packets */
2852  link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
2853 
2854  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2856 
2857 #ifdef MEASURE_TLS_HANDSHAKE_STATS
2858  show_tls_performance_stats();
2859 #endif
2860  }
2861  }
2862 
2863  /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2864  * for previously received packets) */
2865  if (!to_link->len && reliable_can_send(ks->send_reliable))
2866  {
2867  int opcode;
2868  struct buffer b;
2869 
2870  buf = reliable_send(ks->send_reliable, &opcode);
2871  ASSERT(buf);
2872  b = *buf;
2873  INCR_SENT;
2874 
2875  write_control_auth(session, ks, &b, to_link_addr, opcode,
2876  CONTROL_SEND_ACK_MAX, true);
2877  *to_link = b;
2878  active = true;
2879  state_change = true;
2880  dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2881  break;
2882  }
2883 
2884  /* Write incoming ciphertext to TLS object */
2886  if (buf)
2887  {
2888  int status = 0;
2889  if (buf->len)
2890  {
2891  status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2892  if (status == -1)
2893  {
2894  msg(D_TLS_ERRORS,
2895  "TLS Error: Incoming Ciphertext -> TLS object write error");
2896  goto error;
2897  }
2898  }
2899  else
2900  {
2901  status = 1;
2902  }
2903  if (status == 1)
2904  {
2905  reliable_mark_deleted(ks->rec_reliable, buf, true);
2906  state_change = true;
2907  dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2908  }
2909  }
2910 
2911  /* Read incoming plaintext from TLS object */
2912  buf = &ks->plaintext_read_buf;
2913  if (!buf->len)
2914  {
2915  int status;
2916 
2917  ASSERT(buf_init(buf, 0));
2919  update_time();
2920  if (status == -1)
2921  {
2922  msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2923  goto error;
2924  }
2925  if (status == 1)
2926  {
2927  state_change = true;
2928  dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2929 
2930  /* More data may be available, wake up again asap to check. */
2931  *wakeup = 0;
2932  }
2933  }
2934 
2935  /* Send Key */
2936  buf = &ks->plaintext_write_buf;
2937  if (!buf->len && ((ks->state == S_START && !session->opt->server)
2938  || (ks->state == S_GOT_KEY && session->opt->server)))
2939  {
2940  if (!key_method_2_write(buf, session))
2941  {
2942  goto error;
2943  }
2944 
2945  state_change = true;
2946  dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2947  ks->state = S_SENT_KEY;
2948  }
2949 
2950  /* Receive Key */
2951  buf = &ks->plaintext_read_buf;
2952  if (buf->len
2953  && ((ks->state == S_SENT_KEY && !session->opt->server)
2954  || (ks->state == S_START && session->opt->server)))
2955  {
2956  if (!key_method_2_read(buf, multi, session))
2957  {
2958  goto error;
2959  }
2960 
2961  state_change = true;
2962  dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2963  ks->state = S_GOT_KEY;
2964  }
2965 
2966  /* Write outgoing plaintext to TLS object */
2967  buf = &ks->plaintext_write_buf;
2968  if (buf->len)
2969  {
2970  int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2971  if (status == -1)
2972  {
2973  msg(D_TLS_ERRORS,
2974  "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2975  goto error;
2976  }
2977  if (status == 1)
2978  {
2979  state_change = true;
2980  dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2981  }
2982  }
2983 
2984  /* Outgoing Ciphertext to reliable buffer */
2985  if (ks->state >= S_START)
2986  {
2988  if (buf)
2989  {
2991  if (status == -1)
2992  {
2993  msg(D_TLS_ERRORS,
2994  "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2995  goto error;
2996  }
2997  if (status == 1)
2998  {
3001  state_change = true;
3002  dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
3003  }
3004  }
3005  }
3006  }
3007  while (state_change);
3008 
3009  update_time();
3010 
3011  /* Send 1 or more ACKs (each received control packet gets one ACK) */
3012  if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3013  {
3014  struct buffer buf = ks->ack_write_buf;
3015  ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame)));
3016  write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
3017  RELIABLE_ACK_SIZE, false);
3018  *to_link = buf;
3019  active = true;
3020  dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3021  }
3022 
3023  /* When should we wake up again? */
3024  {
3025  if (ks->state >= S_INITIAL)
3026  {
3027  compute_earliest_wakeup(wakeup,
3029 
3030  if (ks->must_negotiate)
3031  {
3033  }
3034  }
3035 
3036  if (ks->established && session->opt->renegotiate_seconds)
3037  {
3038  compute_earliest_wakeup(wakeup,
3039  ks->established + session->opt->renegotiate_seconds - now);
3040  }
3041 
3042  /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3043  if (*wakeup <= 0)
3044  {
3045  *wakeup = 1;
3046 
3047  /* if we had something to send to remote, but to_link was busy,
3048  * let caller know we need to be called again soon */
3049  active = true;
3050  }
3051 
3052  dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3053 
3054  gc_free(&gc);
3055  return active;
3056  }
3057 
3058 error:
3059  tls_clear_error();
3060  ks->state = S_ERROR;
3061  msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
3062  INCR_ERROR;
3063  gc_free(&gc);
3064  return false;
3065 }
3066 
3067 /*
3068  * Called by the top-level event loop.
3069  *
3070  * Basically decides if we should call tls_process for
3071  * the active or untrusted sessions.
3072  */
3073 
3074 int
3076  struct buffer *to_link,
3077  struct link_socket_actual **to_link_addr,
3078  struct link_socket_info *to_link_socket_info,
3079  interval_t *wakeup)
3080 {
3081  struct gc_arena gc = gc_new();
3082  int active = TLSMP_INACTIVE;
3083  bool error = false;
3084 
3086 
3087  tls_clear_error();
3088 
3089  /*
3090  * Process each session object having state of S_INITIAL or greater,
3091  * and which has a defined remote IP addr.
3092  */
3093 
3094  for (int i = 0; i < TM_SIZE; ++i)
3095  {
3096  struct tls_session *session = &multi->session[i];
3097  struct key_state *ks = &session->key[KS_PRIMARY];
3098  struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3099 
3100  /* set initial remote address */
3101  if (i == TM_ACTIVE && ks->state == S_INITIAL
3102  && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3103  {
3104  ks->remote_addr = to_link_socket_info->lsa->actual;
3105  }
3106 
3107  dmsg(D_TLS_DEBUG,
3108  "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3109  i,
3110  state_name(ks->state),
3111  session_id_print(&session->session_id, &gc),
3114 
3116  {
3117  struct link_socket_actual *tla = NULL;
3118 
3119  update_time();
3120 
3121  if (tls_process(multi, session, to_link, &tla,
3122  to_link_socket_info, wakeup))
3123  {
3124  active = TLSMP_ACTIVE;
3125  }
3126 
3127  /*
3128  * If tls_process produced an outgoing packet,
3129  * return the link_socket_actual object (which
3130  * contains the outgoing address).
3131  */
3132  if (tla)
3133  {
3134  multi->to_link_addr = *tla;
3135  *to_link_addr = &multi->to_link_addr;
3136  }
3137 
3138  /*
3139  * If tls_process hits an error:
3140  * (1) If the session has an unexpired lame duck key, preserve it.
3141  * (2) Reinitialize the session.
3142  * (3) Increment soft error count
3143  */
3144  if (ks->state == S_ERROR)
3145  {
3146  ++multi->n_soft_errors;
3147 
3148  if (i == TM_ACTIVE)
3149  {
3150  error = true;
3151  }
3152 
3153  if (i == TM_ACTIVE
3154  && ks_lame->state >= S_ACTIVE
3155  && !multi->opt.single_session)
3156  {
3157  move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3158  }
3159  else
3160  {
3161  reset_session(multi, session);
3162  }
3163  }
3164  }
3165  }
3166 
3167  update_time();
3168 
3170 
3171  /*
3172  * If lame duck session expires, kill it.
3173  */
3174  if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3175  {
3176  tls_session_free(&multi->session[TM_LAME_DUCK], true);
3177  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3178  }
3179 
3180  /*
3181  * If untrusted session achieves TLS authentication,
3182  * move it to active session, usurping any prior session.
3183  *
3184  * A semi-trusted session is one in which the certificate authentication
3185  * succeeded (if cert verification is enabled) but the username/password
3186  * verification failed. A semi-trusted session can forward data on the
3187  * TLS control channel but not on the tunnel channel.
3188  */
3189  if (TLS_AUTHENTICATED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY]))
3190  {
3191  move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true);
3192  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
3193  tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3194  }
3195 
3196  /*
3197  * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3198  * other key state objects are S_ACTIVE or higher.
3199  */
3200  if (error)
3201  {
3202  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3203  {
3204  if (get_key_scan(multi, i)->state >= S_ACTIVE)
3205  {
3206  goto nohard;
3207  }
3208  }
3209  ++multi->n_hard_errors;
3210  }
3211 nohard:
3212 
3213 #ifdef ENABLE_DEBUG
3214  /* DEBUGGING -- flood peer with repeating connection attempts */
3215  {
3216  const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3217  if (throw_level)
3218  {
3219  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3220  {
3221  if (get_key_scan(multi, i)->state >= throw_level)
3222  {
3223  ++multi->n_hard_errors;
3224  ++multi->n_soft_errors;
3225  }
3226  }
3227  }
3228  }
3229 #endif
3230 
3231  perf_pop();
3232  gc_free(&gc);
3233 
3234  return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3235 }
3236 
3237 /*
3238  * Pre and post-process the encryption & decryption buffers in order
3239  * to implement a multiplexed TLS channel over the TCP/UDP port.
3240  */
3241 
3242 static inline void
3244  const struct link_socket_actual *from,
3245  struct buffer *buf,
3246  struct crypto_options **opt,
3247  bool floated,
3248  const uint8_t **ad_start)
3249 {
3250  struct gc_arena gc = gc_new();
3251 
3252  uint8_t c = *BPTR(buf);
3253  int op = c >> P_OPCODE_SHIFT;
3254  int key_id = c & P_KEY_ID_MASK;
3255 
3256  /* data channel packet */
3257  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3258  {
3259  struct key_state *ks = get_key_scan(multi, i);
3260 
3261  /*
3262  * This is the basic test of TLS state compatibility between a local OpenVPN
3263  * instance and its remote peer.
3264  *
3265  * If the test fails, it tells us that we are getting a packet from a source
3266  * which claims reference to a prior negotiated TLS session, but the local
3267  * OpenVPN instance has no memory of such a negotiation.
3268  *
3269  * It almost always occurs on UDP sessions when the passive side of the
3270  * connection is restarted without the active side restarting as well (the
3271  * passive side is the server which only listens for the connections, the
3272  * active side is the client which initiates connections).
3273  */
3274  if (TLS_AUTHENTICATED(multi, ks)
3275  && key_id == ks->key_id
3276  && (ks->authenticated == KS_AUTH_TRUE)
3277  && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3278  {
3280  {
3282  "Key %s [%d] not initialized (yet), dropping packet.",
3283  print_link_socket_actual(from, &gc), key_id);
3284  goto done;
3285  }
3286 
3287  /* return appropriate data channel decrypt key in opt */
3288  *opt = &ks->crypto_options;
3289  if (op == P_DATA_V2)
3290  {
3291  *ad_start = BPTR(buf);
3292  }
3293  ASSERT(buf_advance(buf, 1));
3294  if (op == P_DATA_V1)
3295  {
3296  *ad_start = BPTR(buf);
3297  }
3298  else if (op == P_DATA_V2)
3299  {
3300  if (buf->len < 4)
3301  {
3302  msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3303  print_link_socket_actual(from, &gc));
3304  ++multi->n_soft_errors;
3305  goto done;
3306  }
3307  ASSERT(buf_advance(buf, 3));
3308  }
3309 
3310  ++ks->n_packets;
3311  ks->n_bytes += buf->len;
3313  "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3314  key_id, print_link_socket_actual(from, &gc));
3315  gc_free(&gc);
3316  return;
3317  }
3318  }
3319 
3320  msg(D_TLS_ERRORS,
3321  "TLS Error: local/remote TLS keys are out of sync: %s "
3322  "(received key id: %d, known key ids: %s)",
3323  print_link_socket_actual(from, &gc), key_id,
3324  print_key_id(multi, &gc));
3325 
3326 done:
3327  tls_clear_error();
3328  buf->len = 0;
3329  *opt = NULL;
3330  gc_free(&gc);
3331 }
3332 
3333 /*
3334  *
3335  * When we are in TLS mode, this is the first routine which sees
3336  * an incoming packet.
3337  *
3338  * If it's a data packet, we set opt so that our caller can
3339  * decrypt it. We also give our caller the appropriate decryption key.
3340  *
3341  * If it's a control packet, we authenticate it and process it,
3342  * possibly creating a new tls_session if it represents the
3343  * first packet of a new session. For control packets, we will
3344  * also zero the size of *buf so that our caller ignores the
3345  * packet on our return.
3346  *
3347  * Note that openvpn only allows one active session at a time,
3348  * so a new session (once authenticated) will always usurp
3349  * an old session.
3350  *
3351  * Return true if input was an authenticated control channel
3352  * packet.
3353  *
3354  * If we are running in TLS thread mode, all public routines
3355  * below this point must be called with the L_TLS lock held.
3356  */
3357 
3358 bool
3360  const struct link_socket_actual *from,
3361  struct buffer *buf,
3362  struct crypto_options **opt,
3363  bool floated,
3364  const uint8_t **ad_start)
3365 {
3366 
3367  if (buf->len <= 0)
3368  {
3369  buf->len = 0;
3370  *opt = NULL;
3371  return false;
3372  }
3373 
3374  struct gc_arena gc = gc_new();
3375  bool ret = false;
3376 
3377  /* get opcode */
3378  uint8_t pkt_firstbyte = *BPTR(buf);
3379  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3380 
3381  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3382  {
3383  handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3384  return false;
3385  }
3386 
3387  /* get key_id */
3388  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3389 
3390  /* control channel packet */
3391  bool do_burst = false;
3392  bool new_link = false;
3393  struct session_id sid; /* remote session ID */
3394 
3395  /* verify legal opcode */
3396  if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3397  {
3400  {
3401  msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3402  }
3403  msg(D_TLS_ERRORS,
3404  "TLS Error: unknown opcode received from %s op=%d",
3405  print_link_socket_actual(from, &gc), op);
3406  goto error;
3407  }
3408 
3409  /* hard reset ? */
3410  if (is_hard_reset_method2(op))
3411  {
3412  /* verify client -> server or server -> client connection */
3413  if (((op == P_CONTROL_HARD_RESET_CLIENT_V2
3414  || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3415  || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3416  {
3417  msg(D_TLS_ERRORS,
3418  "TLS Error: client->client or server->server connection attempted from %s",
3419  print_link_socket_actual(from, &gc));
3420  goto error;
3421  }
3422  }
3423 
3424  /*
3425  * Authenticate Packet
3426  */
3427  dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3429 
3430  /* get remote session-id */
3431  {
3432  struct buffer tmp = *buf;
3433  buf_advance(&tmp, 1);
3434  if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3435  {
3436  msg(D_TLS_ERRORS,
3437  "TLS Error: session-id not found in packet from %s",
3438  print_link_socket_actual(from, &gc));
3439  goto error;
3440  }
3441  }
3442 
3443  int i;
3444  /* use session ID to match up packet with appropriate tls_session object */
3445  for (i = 0; i < TM_SIZE; ++i)
3446  {
3447  struct tls_session *session = &multi->session[i];
3448  struct key_state *ks = &session->key[KS_PRIMARY];
3449 
3450  dmsg(D_TLS_DEBUG,
3451  "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3452  i,
3453  state_name(ks->state),
3454  session_id_print(&session->session_id, &gc),
3455  session_id_print(&sid, &gc),
3456  print_link_socket_actual(from, &gc),
3459 
3460  if (session_id_equal(&ks->session_id_remote, &sid))
3461  /* found a match */
3462  {
3463  if (i == TM_LAME_DUCK)
3464  {
3465  msg(D_TLS_ERRORS,
3466  "TLS ERROR: received control packet with stale session-id=%s",
3467  session_id_print(&sid, &gc));
3468  goto error;
3469  }
3470  dmsg(D_TLS_DEBUG,
3471  "TLS: found match, session[%d], sid=%s",
3472  i, session_id_print(&sid, &gc));
3473  break;
3474  }
3475  }
3476 
3477  /*
3478  * Hard reset and session id does not match any session in
3479  * multi->session: Possible initial packet
3480  */
3481  if (i == TM_SIZE && is_hard_reset_method2(op))
3482  {
3483  struct tls_session *session = &multi->session[TM_ACTIVE];
3484  struct key_state *ks = &session->key[KS_PRIMARY];
3485 
3486  /*
3487  * If we have no session currently in progress, the initial packet will
3488  * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
3489  */
3491  {
3492  if (multi->opt.single_session && multi->n_sessions)
3493  {
3494  msg(D_TLS_ERRORS,
3495  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
3496  print_link_socket_actual(from, &gc));
3497  goto error;
3498  }
3499 
3500 #ifdef ENABLE_MANAGEMENT
3501  if (management)
3502  {
3505  NULL,
3506  NULL,
3507  NULL,
3508  NULL,
3509  NULL);
3510  }
3511 #endif
3512 
3514  "TLS: Initial packet from %s, sid=%s",
3515  print_link_socket_actual(from, &gc),
3516  session_id_print(&sid, &gc));
3517 
3518  do_burst = true;
3519  new_link = true;
3520  i = TM_ACTIVE;
3521  session->untrusted_addr = *from;
3522  }
3523  }
3524 
3525  /*
3526  * If we detected new session in the last if block, variable i has
3527  * changed to TM_ACTIVE, so check the condition again.
3528  */
3529  if (i == TM_SIZE && is_hard_reset_method2(op))
3530  {
3531  /*
3532  * No match with existing sessions,
3533  * probably a new session.
3534  */
3535  struct tls_session *session = &multi->session[TM_UNTRUSTED];
3536 
3537  /*
3538  * If --single-session, don't allow any hard-reset connection request
3539  * unless it the first packet of the session.
3540  */
3541  if (multi->opt.single_session)
3542  {
3543  msg(D_TLS_ERRORS,
3544  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
3545  print_link_socket_actual(from, &gc));
3546  goto error;
3547  }
3548 
3549  if (!read_control_auth(buf, &session->tls_wrap, from,
3550  session->opt))
3551  {
3552  goto error;
3553  }
3554 
3555  /*
3556  * New session-initiating control packet is authenticated at this point,
3557  * assuming that the --tls-auth command line option was used.
3558  *
3559  * Without --tls-auth, we leave authentication entirely up to TLS.
3560  */
3562  "TLS: new session incoming connection from %s",
3563  print_link_socket_actual(from, &gc));
3564 
3565  new_link = true;
3566  i = TM_UNTRUSTED;
3567  session->untrusted_addr = *from;
3568  }
3569  else
3570  {
3571  struct tls_session *session = &multi->session[i];
3572  struct key_state *ks = &session->key[KS_PRIMARY];
3573 
3574  /*
3575  * Packet must belong to an existing session.
3576  */
3577  if (i != TM_ACTIVE && i != TM_UNTRUSTED)
3578  {
3579  msg(D_TLS_ERRORS,
3580  "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3581  print_link_socket_actual(from, &gc),
3582  i,
3583  packet_opcode_name(op));
3584  goto error;
3585  }
3586 
3587  /*
3588  * Verify remote IP address
3589  */
3590  if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3591  {
3592  msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3593  print_link_socket_actual(from, &gc));
3594  goto error;
3595  }
3596 
3597  /*
3598  * Remote is requesting a key renegotiation
3599  */
3600  if (op == P_CONTROL_SOFT_RESET_V1
3601  && TLS_AUTHENTICATED(multi, ks))
3602  {
3603  if (!read_control_auth(buf, &session->tls_wrap, from,
3604  session->opt))
3605  {
3606  goto error;
3607  }
3608 
3609  key_state_soft_reset(session);
3610 
3611  dmsg(D_TLS_DEBUG,
3612  "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3613  i, session_id_print(&sid, &gc));
3614  }
3615  else
3616  {
3617  /*
3618  * Remote responding to our key renegotiation request?
3619  */
3620  if (op == P_CONTROL_SOFT_RESET_V1)
3621  {
3622  do_burst = true;
3623  }
3624 
3625  if (!read_control_auth(buf, &session->tls_wrap, from,
3626  session->opt))
3627  {
3628  goto error;
3629  }
3630 
3631  dmsg(D_TLS_DEBUG,
3632  "TLS: received control channel packet s#=%d sid=%s",
3633  i, session_id_print(&sid, &gc));
3634  }
3635  }
3636 
3637  /*
3638  * We have an authenticated control channel packet (if --tls-auth was set).
3639  * Now pass to our reliability layer which deals with
3640  * packet acknowledgements, retransmits, sequencing, etc.
3641  */
3642  struct tls_session *session = &multi->session[i];
3643  struct key_state *ks = &session->key[KS_PRIMARY];
3644 
3645  /* Make sure we were initialized and that we're not in an error state */
3646  ASSERT(ks->state != S_UNDEF);
3647  ASSERT(ks->state != S_ERROR);
3648  ASSERT(session_id_defined(&session->session_id));
3649 
3650  /* Let our caller know we processed a control channel packet */
3651  ret = true;
3652 
3653  /*
3654  * Set our remote address and remote session_id
3655  */
3656  if (new_link)
3657  {
3658  ks->session_id_remote = sid;
3659  ks->remote_addr = *from;
3660  ++multi->n_sessions;
3661  }
3662  else if (!link_socket_actual_match(&ks->remote_addr, from))
3663  {
3664  msg(D_TLS_ERRORS,
3665  "TLS Error: Existing session control channel packet from unknown IP address: %s",
3666  print_link_socket_actual(from, &gc));
3667  goto error;
3668  }
3669 
3670  /*
3671  * Should we do a retransmit of all unacknowledged packets in
3672  * the send buffer? This improves the start-up efficiency of the
3673  * initial key negotiation after the 2nd peer comes online.
3674  */
3675  if (do_burst && !session->burst)
3676  {
3678  session->burst = true;
3679  }
3680 
3681  /* Check key_id */
3682  if (ks->key_id != key_id)
3683  {
3684  msg(D_TLS_ERRORS,
3685  "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3686  ks->key_id, key_id, print_key_id(multi, &gc));
3687  goto error;
3688  }
3689 
3690  /*
3691  * Process incoming ACKs for packets we can now
3692  * delete from reliable send buffer
3693  */
3694  {
3695  /* buffers all packet IDs to delete from send_reliable */
3696  struct reliable_ack send_ack;
3697 
3698  send_ack.len = 0;
3699  if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3700  {
3701  msg(D_TLS_ERRORS,
3702  "TLS Error: reading acknowledgement record from packet");
3703  goto error;
3704  }
3705  reliable_send_purge(ks->send_reliable, &send_ack);
3706  }
3707 
3708  if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3709  {
3710  packet_id_type id;
3711 
3712  /* Extract the packet ID from the packet */
3713  if (reliable_ack_read_packet_id(buf, &id))
3714  {
3715  /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3717  {
3718  if (reliable_not_replay(ks->rec_reliable, id))
3719  {
3720  /* Save incoming ciphertext packet to reliable buffer */
3721  struct buffer *in = reliable_get_buf(ks->rec_reliable);
3722  ASSERT(in);
3723  if (!buf_copy(in, buf))
3724  {
3726  "Incoming control channel packet too big, dropping.");
3727  goto error;
3728  }
3730  }
3731 
3732  /* Process outgoing acknowledgment for packet just received, even if it's a replay */
3734  }
3735  }
3736  }
3737  /* Remember that we received a valid control channel packet */
3738  ks->peer_last_packet = now;
3739 
3740 done:
3741  buf->len = 0;
3742  *opt = NULL;
3743  gc_free(&gc);
3744  return ret;
3745 
3746 error:
3747  ++multi->n_soft_errors;
3748  tls_clear_error();
3749  goto done;
3750 }
3751 
3752 /*
3753  * This function is similar to tls_pre_decrypt, except it is called
3754  * when we are in server mode and receive an initial incoming
3755  * packet. Note that we don't modify
3756  * any state in our parameter objects. The purpose is solely to
3757  * determine whether we should generate a client instance
3758  * object, in which case true is returned.
3759  *
3760  * This function is essentially the first-line HMAC firewall
3761  * on the UDP port listener in --mode server mode.
3762  */
3763 bool
3765  const struct link_socket_actual *from,
3766  const struct buffer *buf)
3767 
3768 {
3769  if (buf->len <= 0)
3770  {
3771  return false;
3772  }
3773  struct gc_arena gc = gc_new();
3774 
3775  /* get opcode and key ID */
3776  uint8_t pkt_firstbyte = *BPTR(buf);
3777  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3778  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3779 
3780  /* this packet is from an as-yet untrusted source, so
3781  * scrutinize carefully */
3782 
3785  {
3786  /*
3787  * This can occur due to bogus data or DoS packets.
3788  */
3790  "TLS State Error: No TLS state for client %s, opcode=%d",
3791  print_link_socket_actual(from, &gc),
3792  op);
3793  goto error;
3794  }
3795 
3796  if (key_id != 0)
3797  {
3799  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
3800  key_id,
3801  print_link_socket_actual(from, &gc));
3802  goto error;
3803  }
3804 
3805  if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame))
3806  {
3808  "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
3809  buf->len,
3810  print_link_socket_actual(from, &gc),
3811  EXPANDED_SIZE_DYNAMIC(&tas->frame));
3812  goto error;
3813  }
3814 
3815 
3816  struct buffer newbuf = clone_buf(buf);
3817  struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;
3818 
3819  /* HMAC test, if --tls-auth was specified */
3820  bool status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL);
3821  free_buf(&newbuf);
3822  free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata);
3823  if (tls_wrap_tmp.cleanup_key_ctx)
3824  {
3825  free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi);
3826  }
3827  if (!status)
3828  {
3829  goto error;
3830  }
3831 
3832  /*
3833  * At this point, if --tls-auth is being used, we know that
3834  * the packet has passed the HMAC test, but we don't know if
3835  * it is a replay yet. We will attempt to defeat replays
3836  * by not advancing to the S_START state until we
3837  * receive an ACK from our first reply to the client
3838  * that includes an HMAC of our randomly generated 64 bit
3839  * session ID.
3840  *
3841  * On the other hand if --tls-auth is not being used, we
3842  * will proceed to begin the TLS authentication
3843  * handshake with only cursory integrity checks having
3844  * been performed, since we will be leaving the task
3845  * of authentication solely up to TLS.
3846  */
3847  gc_free(&gc);
3848  return true;
3849 
3850 error:
3851  tls_clear_error();
3852  gc_free(&gc);
3853  return false;
3854 }
3855 
3856 /* Choose the key with which to encrypt a data packet */
3857 void
3859  struct buffer *buf, struct crypto_options **opt)
3860 {
3861  multi->save_ks = NULL;
3862  if (buf->len <= 0)
3863  {
3864  buf->len = 0;
3865  *opt = NULL;
3866  return;
3867  }
3868 
3869  struct key_state *ks_select = NULL;
3870  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3871  {
3872  struct key_state *ks = get_key_scan(multi, i);
3873  if (ks->state >= S_ACTIVE
3874  && (ks->authenticated == KS_AUTH_TRUE)
3876  )
3877  {
3878  if (!ks_select)
3879  {
3880  ks_select = ks;
3881  }
3882  if (now >= ks->auth_deferred_expire)
3883  {
3884  ks_select = ks;
3885  break;
3886  }
3887  }
3888  }
3889 
3890  if (ks_select)
3891  {
3892  *opt = &ks_select->crypto_options;
3893  multi->save_ks = ks_select;
3894  dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3895  return;
3896  }
3897  else
3898  {
3899  struct gc_arena gc = gc_new();
3900  dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3901  print_key_id(multi, &gc));
3902  gc_free(&gc);
3903 
3904  *opt = NULL;
3905  buf->len = 0;
3906  }
3907 }
3908 
3909 void
3910 tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3911 {
3912  struct key_state *ks = multi->save_ks;
3913  uint8_t op;
3914 
3915  msg(D_TLS_DEBUG, __func__);
3916 
3917  ASSERT(ks);
3918 
3919  op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
3920  ASSERT(buf_write_prepend(buf, &op, 1));
3921 }
3922 
3923 void
3924 tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
3925 {
3926  struct key_state *ks = multi->save_ks;
3927  uint32_t peer;
3928 
3929  msg(D_TLS_DEBUG, __func__);
3930 
3931  ASSERT(ks);
3932 
3933  peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
3934  | (multi->peer_id & 0xFFFFFF));
3935  ASSERT(buf_write_prepend(buf, &peer, 4));
3936 }
3937 
3938 void
3939 tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
3940 {
3941  struct key_state *ks = multi->save_ks;
3942  multi->save_ks = NULL;
3943 
3944  if (buf->len > 0)
3945  {
3946  ASSERT(ks);
3947 
3948  ++ks->n_packets;
3949  ks->n_bytes += buf->len;
3950  }
3951 }
3952 
3953 /*
3954  * Send a payload over the TLS control channel.
3955  * Called externally.
3956  */
3957 
3958 bool
3960  const uint8_t *data,
3961  int size)
3962 {
3963  struct tls_session *session;
3964  struct key_state *ks;
3965  bool ret = false;
3966 
3967  tls_clear_error();
3968 
3969  ASSERT(multi);
3970 
3971  session = &multi->session[TM_ACTIVE];
3972  ks = &session->key[KS_PRIMARY];
3973 
3974  if (ks->state >= S_ACTIVE)
3975  {
3976  if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
3977  {
3978  ret = true;
3979  }
3980  }
3981  else
3982  {
3983  if (!ks->paybuf)
3984  {
3985  ks->paybuf = buffer_list_new(0);
3986  }
3987  buffer_list_push_data(ks->paybuf, data, (size_t)size);
3988  ret = true;
3989  }
3990 
3991 
3992  tls_clear_error();
3993 
3994  return ret;
3995 }
3996 
3997 bool
3999  struct buffer *buf)
4000 {
4001  struct tls_session *session;
4002  struct key_state *ks;
4003  bool ret = false;
4004 
4005  tls_clear_error();
4006 
4007  ASSERT(multi);
4008 
4009  session = &multi->session[TM_ACTIVE];
4010  ks = &session->key[KS_PRIMARY];
4011 
4012  if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4013  {
4014  if (buf_copy(buf, &ks->plaintext_read_buf))
4015  {
4016  ret = true;
4017  }
4018  ks->plaintext_read_buf.len = 0;
4019  }
4020 
4021  tls_clear_error();
4022 
4023  return ret;
4024 }
4025 
4026 void
4027 tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4028 {
4029  struct gc_arena gc = gc_new();
4030  for (int i = 0; i < TM_SIZE; ++i)
4031  {
4032  struct tls_session *session = &multi->session[i];
4033 
4034  for (int j = 0; j < KS_SIZE; ++j)
4035  {
4036  struct key_state *ks = &session->key[j];
4037 
4039  || link_socket_actual_match(addr, &ks->remote_addr))
4040  {
4041  continue;
4042  }
4043 
4044  dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4046  print_link_socket_actual(addr, &gc));
4047 
4048  ks->remote_addr = *addr;
4049  }
4050  }
4051  gc_free(&gc);
4052 }
4053 
4054 void
4055 show_available_tls_ciphers(const char *cipher_list,
4056  const char *cipher_list_tls13,
4057  const char *tls_cert_profile)
4058 {
4059  printf("Available TLS Ciphers, listed in order of preference:\n");
4060 
4061  if (tls_version_max() >= TLS_VER_1_3)
4062  {
4063  printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4064  show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4065  }
4066 
4067  printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4068  show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4069 
4070  printf("\n"
4071  "Be aware that that whether a cipher suite in this list can actually work\n"
4072  "depends on the specific setup of both peers. See the man page entries of\n"
4073  "--tls-cipher and --show-tls for more details.\n\n"
4074  );
4075 }
4076 
4077 /*
4078  * Dump a human-readable rendition of an openvpn packet
4079  * into a garbage collectable string which is returned.
4080  */
4081 const char *
4082 protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4083 {
4084  struct buffer out = alloc_buf_gc(256, gc);
4085  struct buffer buf = *buffer;
4086 
4087  uint8_t c;
4088  int op;
4089  int key_id;
4090 
4091  int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4092 
4093  if (buf.len <= 0)
4094  {
4095  buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4096  goto done;
4097  }
4098 
4099  if (!(flags & PD_TLS))
4100  {
4101  goto print_data;
4102  }
4103 
4104  /*
4105  * Initial byte (opcode)
4106  */
4107  if (!buf_read(&buf, &c, sizeof(c)))
4108  {
4109  goto done;
4110  }
4111  op = (c >> P_OPCODE_SHIFT);
4112  key_id = c & P_KEY_ID_MASK;
4113  buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4114 
4115  if ((op == P_DATA_V1) || (op == P_DATA_V2))
4116  {
4117  goto print_data;
4118  }
4119 
4120  /*
4121  * Session ID
4122  */
4123  {
4124  struct session_id sid;
4125 
4126  if (!session_id_read(&sid, &buf))
4127  {
4128  goto done;
4129  }
4130  if (flags & PD_VERBOSE)
4131  {
4132  buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4133  }
4134  }
4135 
4136  /*
4137  * tls-auth hmac + packet_id
4138  */
4139  if (tls_auth_hmac_size)
4140  {
4141  struct packet_id_net pin;
4142  uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4143 
4144  ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4145 
4146  if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4147  {
4148  goto done;
4149  }
4150  if (flags & PD_VERBOSE)
4151  {
4152  buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4153  }
4154 
4155  if (!packet_id_read(&pin, &buf, true))
4156  {
4157  goto done;
4158  }
4159  buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4160  }
4161 
4162  /*
4163  * ACK list
4164  */
4165  buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4166 
4167  if (op == P_ACK_V1)
4168  {
4169  goto done;
4170  }
4171 
4172  /*
4173  * Packet ID
4174  */
4175  {
4176  packet_id_type l;
4177  if (!buf_read(&buf, &l, sizeof(l)))
4178  {
4179  goto done;
4180  }
4181  l = ntohpid(l);
4183  }
4184 
4185 print_data:
4186  if (flags & PD_SHOW_DATA)
4187  {
4188  buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4189  }
4190  else
4191  {
4192  buf_printf(&out, " DATA len=%d", buf.len);
4193  }
4194 
4195 done:
4196  return BSTR(&out);
4197 }
4198 
4199 void
4201 {
4203 }
static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame)
Definition: ssl.c:313
struct reliable * rec_reliable
Definition: ssl_common.h:208
#define TLSMP_ACTIVE
Definition: ssl.h:243
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3757
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition: reliable.c:327
static const char * packet_opcode_name(int op)
Definition: ssl.c:781
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
void options_warning(char *actual, const char *expected)
Definition: options.c:3869
const char * ecdh_curve
Definition: options.h:542
struct key_type key_type
Definition: ssl_common.h:259
#define EXPANDED_SIZE_DYNAMIC(f)
Definition: mtu.h:173
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl.h:55
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition: ssl.c:843
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
Security parameter state for processing data channel packets.
Definition: crypto.h:232
struct key_state_ssl ks_ssl
Definition: ssl_common.h:188
#define D_TLS_KEYSELECT
Definition: errlevel.h:144
const char * management_certificate
Definition: options.h:390
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:511
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:475
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition: ssl.c:1181
bool tun_mtu_defined
Definition: options.h:108
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:240
unsigned int management_flags
Definition: options.h:389
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
struct key_state key[KS_SIZE]
Definition: ssl_common.h:455
#define TLSMP_INACTIVE
Definition: ssl.h:242
const char * crl_file
Definition: ssl_common.h:291
struct buffer plaintext_read_buf
Definition: ssl_common.h:203
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:532
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1280
bool tls_crypt_v2
Definition: ssl_common.h:319
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:360
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4200
void free_buf(struct buffer *buf)
Definition: buffer.c:185
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:488
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
const char * cipher_list
Definition: options.h:538
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition: ssl.c:2173
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:523
static void export_user_keying_material(struct key_state_ssl *ssl, struct tls_session *session)
Definition: ssl.c:2472
#define TLS_MULTI_AUTH_STATUS_INTERVAL
Definition: ssl.h:95
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:875
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition: ssl_common.h:85
static const char * session_index_name(int index)
Definition: ssl.c:821
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:503
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition: session_id.h:48
#define D_TLS_DEBUG
Definition: errlevel.h:163
#define USER_PASS_LEN
Definition: misc.h:65
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:244
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:113
static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition: ssl.c:283
const char * cert_file
Definition: options.h:530
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:3863
const char * tls_cert_profile
Definition: options.h:541
#define GET_USER_PASS_STATIC_CHALLENGE
Definition: misc.h:114
#define streq(x, y)
Definition: options.h:653
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:136
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
#define TLS_OPTIONS_LEN
Definition: ssl.h:102
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:683
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1946
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
Packet geometry parameters.
Definition: mtu.h:93
struct key_state * save_ks
Definition: ssl_common.h:524
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition: ssl.c:1772
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition: ssl.h:123
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:972
static void key_state_soft_reset(struct tls_session *session)
Definition: ssl.c:2144
enum ks_auth_state authenticated
Definition: ssl_common.h:219
const char * ca_path
Definition: options.h:527
struct tls_options * opt
Definition: ssl_common.h:420
time_t must_negotiate
Definition: ssl_common.h:191
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:358
char * peer_info
Definition: ssl_common.h:560
const char * ca_file
Definition: options.h:525
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2838
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition: reliable.h:46
bool extra_certs_file_inline
Definition: options.h:533
bool cert_file_inline
Definition: options.h:531
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:256
bool verified
Definition: ssl_common.h:450
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:1044
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3939
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
#define dmsg
Definition: error.h:174
const char * auth_user_pass_verify_script
Definition: ssl_common.h:328
const char * priv_key_file
Definition: options.h:534
void session_id_random(struct session_id *sid)
Definition: session_id.c:51
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:512
#define D_TLS_ERRORS
Definition: errlevel.h:59
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Definition: ssl.c:3243
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1198
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2703
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user&#39;s password.
Definition: ssl.c:369
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1913
#define SID_SIZE
Definition: session_id.h:45
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1305
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
const char * auth_user_pass_file
Definition: ssl_common.h:331
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
struct reliable_ack * rec_ack
Definition: ssl_common.h:209
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1208
const char * config_ncp_ciphers
Definition: ssl_common.h:316
int handshake_window
Definition: ssl_common.h:280
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:239
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4027
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition: ssl_common.h:77
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition: ssl.c:860
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:444
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition: ssl.c:1198
static void init_key_contexts(struct key_ctx_bi *key, const struct key_type *key_type, bool server, struct key2 *key2)
Definition: ssl.c:1754
#define packet_id_format
Definition: packet_id.h:95
static void perf_pop(void)
Definition: perf.h:82
Key state is authenticated.
Definition: ssl_common.h:153
void key_state_rm_auth_control_file(struct key_state *ks)
Remove the given key state&#39;s auth control file, if it exists.
Definition: ssl_verify.c:873
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define D_MULTI_DROPPED
Definition: errlevel.h:103
static bool read_string(struct buffer *buf, char *str, const unsigned int capacity)
Definition: ssl.c:2192
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3924
static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl.c:1463
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:114
struct man_def_auth_context * mda_context
Definition: ssl_common.h:368
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define EXPORT_KEY_DATA_LABEL
Definition: ssl_backend.h:392
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
bool defined
Definition: misc.h:58
#define D_MTU_INFO
Definition: errlevel.h:107
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake...
Definition: ssl_verify.h:113
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1449
int cipher_kt_iv_size(const cipher_kt_t *cipher_kt)
Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.
bool cipher_kt_insecure(const cipher_kt_t *cipher)
Returns true if we consider this cipher to be insecure.
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition: ssl.c:4082
const char * cryptoapi_cert
Definition: options.h:568
#define TLS_VER_1_1
Definition: ssl_backend.h:115
const char * ekm_label
Definition: ssl_common.h:381
static void flush_payload_buffer(struct key_state *ks)
Definition: ssl.c:2124
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:298
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition: reliable.c:478
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Definition: ssl.c:2229
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1928
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:175
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:112
#define ASSERT(x)
Definition: error.h:221
enum tls_auth_status tls_authentication_status(struct tls_multi *multi, const int latency)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:930
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:117
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:123
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:91
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:933
#define OPENVPN_STATE_AUTH
Definition: manage.h:491
static bool check_debug_level(unsigned int level)
Definition: error.h:245
unsigned int crypto_flags
Definition: ssl_common.h:309
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3764
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2211
static struct user_pass auth_user_pass
Definition: ssl.c:388
void ssl_set_auth_token(const char *token)
Definition: ssl.c:443
const char * config_ciphername
Definition: ssl_common.h:315
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1956
const char * pkcs12_file
Definition: options.h:536
struct reliable * send_reliable
Definition: ssl_common.h:207
int renegotiate_bytes
Definition: ssl_common.h:282
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:359
bool link_mtu_defined
Definition: options.h:112
char username[USER_PASS_LEN]
Definition: misc.h:67
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:120
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
#define MODE_SERVER
Definition: options.h:205
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3858
bool initialized
Definition: crypto.h:225
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:126
#define TLS_VER_1_2
Definition: ssl_backend.h:116
struct link_socket_actual to_link_addr
Definition: ssl_common.h:530
#define OPENVPN_AEAD_MIN_IV_LEN
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV...
Definition: crypto.h:272
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition: reliable.c:701
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:518
#define SWAP_BUF_SIZE
Definition: ssl.c:1344
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition: ssl_common.h:101
const char * ncp_ciphers
Definition: options.h:506
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:245
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition: reliable.h:467
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:115
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition: packet_id.c:388
void prng_uninit(void)
Definition: crypto.c:1738
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1257
static char * auth_challenge
Definition: ssl.c:392
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2057
uint8_t id[8]
Definition: session_id.h:40
size_t ekm_size
Definition: ssl_common.h:383
struct link_socket_actual remote_addr
Definition: ssl_common.h:197
bool nocache
Definition: misc.h:59
#define CLEAR(x)
Definition: basic.h:33
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4042
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:213
#define BUF_SIZE(f)
Definition: mtu.h:194
static bool write_empty_string(struct buffer *buf)
Definition: ssl.c:2163
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:586
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:2012
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:232
bool crl_file_inline
Definition: options.h:548
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2740
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition: ssl.c:1145
#define KEY_SCAN_SIZE
Definition: ssl_common.h:497
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:126
#define OPENVPN_STATE_WAIT
Definition: manage.h:490
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:115
interval_t packet_timeout
Definition: ssl_common.h:281
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3910
#define S_ERROR
Error state.
Definition: ssl_common.h:76
int tun_mtu
Definition: options.h:107
static void tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen)
Definition: ssl.c:1678
interval_t renegotiate_seconds
Definition: ssl_common.h:284
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:151
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:397
struct env_item * list
Definition: env_set.h:44
#define P_KEY_ID_MASK
Definition: ssl.h:50
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:144
unsigned int packet_id_print_type
Definition: packet_id.h:96
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1873
struct session_id session_id_remote
Definition: ssl_common.h:196
const char * iana_name
Definition: ssl_backend.h:62
static bool tls_session_generate_data_channel_keys(struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition: ssl.c:1928
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition: packet_id.h:311
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define counter_format
Definition: common.h:39
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:119
bool ca_file_inline
Definition: options.h:526
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:393
Key state is not authenticated.
Definition: ssl_common.h:150
bool single_session
Definition: ssl_common.h:274
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
void reliable_ack_adjust_frame_parameters(struct frame *frame, int max)
Definition: reliable.c:258
#define malloc
Definition: cmocka.c:1795
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl.h:64
const char * authname
Definition: options.h:507
#define S_START
Three-way handshake is complete, start of key exchange.
Definition: ssl_common.h:90
#define INCR_SUCCESS
Definition: ssl.c:91
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:346
time_t established
Definition: ssl_common.h:190
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4055
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
#define TM_UNTRUSTED
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:476
static const char * ks_auth_name(enum ks_auth_state auth)
Definition: ssl.c:765
unsigned int mda_key_id
Definition: ssl_common.h:223
struct crypto_options crypto_options
Definition: ssl_common.h:199
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:14
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition: ssl_common.h:149
#define P_LAST_OPCODE
Definition: ssl.h:73
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1225
char * locked_cn
Definition: ssl_common.h:544
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID is not a replay.
Definition: reliable.c:431
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition: reliable.c:495
void free_ssl_lib(void)
Definition: ssl.c:344
static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. ...
Definition: ssl.c:1904
int extra_link
Maximum number of bytes in excess of external network interface&#39;s MTU that might be read from or writ...
Definition: mtu.h:122
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define ntohpid(x)
Definition: packet_id.h:64
const struct static_challenge_info * sci
Definition: ssl_common.h:374
static bool generate_key_expansion(struct key_ctx_bi *key, struct tls_session *session)
Definition: ssl.c:1855
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition: reliable.c:265
int n_hard_errors
Definition: ssl_common.h:538
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:840
int transition_window
Definition: ssl_common.h:279
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:405
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:159
static struct user_pass passbuf
Definition: ssl.c:357
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition: ssl.h:84
bool xmit_hold
Definition: ssl_common.h:265
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:107
unsigned __int32 uint32_t
Definition: config-msvc.h:157
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags...
Definition: auth_token.c:390
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:132
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake...
Definition: ssl_common.h:80
unsigned int flags
Definition: route.h:153
int keysize
Definition: options.h:508
#define INCR_ERROR
Definition: ssl.c:92
const char * ciphername
Definition: options.h:502
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below...
Definition: ssl_openssl.c:427
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
void pem_password_setup(const char *auth_file)
Definition: ssl.c:360
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition: reliable.c:632
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:463
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Definition: ssl.c:1347
int key_id
The current active key id, used to keep track of renegotiations.
Definition: ssl_common.h:436
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:693
static struct user_pass auth_token
Definition: ssl.c:389
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
bool ncp_enabled
Definition: ssl_common.h:317
#define P_CONTROL_V1
Definition: ssl.h:57
#define OPENVPN_PLUGIN_TLS_FINAL
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:1170
struct buffer_list * paybuf
Definition: ssl_common.h:211
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition: reliable.h:151
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher...
Definition: ssl_openssl.c:489
#define TLS_RELIABLE_N_REC_BUFFERS
Definition: ssl.h:85
void tls_adjust_frame_parameters(struct frame *frame)
Definition: ssl.c:303
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
const char * extra_certs_file
Definition: options.h:532
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:108
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:1990
int replay_window
Definition: ssl_common.h:311
static SERVICE_STATUS status
Definition: automatic.c:43
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:871
void set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
Sets the auth-token to token if a username is available from either up or already present in tk...
Definition: misc.c:490
unsigned int ssl_flags
Definition: options.h:555
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:242
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:257
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl.h:63
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:546
struct tls_wrap_ctx tls_wrap
Definition: ssl.h:144
void ssl_set_auth_nocache(void)
Definition: ssl.c:433
int hmac_ctx_size(const hmac_ctx_t *ctx)
struct tls_wrap_ctx tls_wrap
Definition: ssl_common.h:426
#define PERF_TLS_MULTI_PROCESS
Definition: perf.h:42
struct tls_options opt
Definition: ssl_common.h:518
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
int n_soft_errors
Definition: ssl_common.h:539
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:682
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
const char * challenge_text
Definition: misc.h:94
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:603
const struct plugin_list * plugins
Definition: ssl_common.h:347
struct buffer plaintext_write_buf
Definition: ssl_common.h:204
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
struct link_socket_actual untrusted_addr
Definition: ssl_common.h:453
#define msg
Definition: error.h:173
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
#define S_GOT_KEY
Local OpenVPN process has received the remote&#39;s part of the key material.
Definition: ssl_common.h:96
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:519
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define PAYLOAD_SIZE_DYNAMIC(f)
Definition: mtu.h:166
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:908
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition: ssl.h:570
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:588
#define INCR_SENT
Definition: ssl.c:89
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:3998
static void key_source2_print(const struct key_source2 *k)
Definition: ssl.c:1577
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1292
struct connection_entry ce
Definition: options.h:230
#define SC_ECHO
Definition: misc.h:91
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1644
static void openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition: ssl.c:1712
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name...
Definition: ssl_backend.h:62
struct packet_id_send send
Definition: packet_id.h:207
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
char * dest
Definition: compat-lz4.h:686
const char * local_options
Definition: ssl_common.h:269
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:480
#define TLS_VER_1_0
Definition: ssl_backend.h:114
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
struct key_source client
Random provided by client.
Definition: ssl_common.h:137
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:362
#define TLS_VER_1_3
Definition: ssl_backend.h:117
const char * tls_groups
Definition: options.h:540
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:299
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:980
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:603
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:2072
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:502
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition: ssl.c:1019
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition: ssl_openssl.c:552
#define P_DATA_V1
Definition: ssl.h:59
static void tls1_P_hash(const md_kt_t *md_kt, const uint8_t *sec, int sec_len, const uint8_t *seed, int seed_len, uint8_t *out, int olen)
Definition: ssl.c:1595
#define CONTROL_SEND_ACK_MAX
Definition: ssl.h:79
#define BLEN(buf)
Definition: buffer.h:127
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:922
time_t auth_deferred_expire
Definition: ssl_common.h:220
struct key_source server
Random provided by server.
Definition: ssl_common.h:138
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition: ssl.c:1051
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID can safely be stored in the reliable structure&#39;s processing window...
Definition: reliable.c:458
void init_ssl_lib(void)
Definition: ssl.c:336
bool pkcs12_file_inline
Definition: options.h:537
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Verify the given username and password, using either an external script, a plugin, or the management interface.
Definition: ssl_verify.c:1233
#define P_OPCODE_SHIFT
Definition: ssl.h:51
unsigned char md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
struct buffer * reliable_get_buf_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition: reliable.c:531
void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
Definition: ssl.c:396
struct frame frame
Definition: ssl.h:145
#define D_HANDSHAKE
Definition: errlevel.h:72
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:126
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:186
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition: misc.h:113
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:656
#define D_SHOW_KEY_SOURCE
Definition: errlevel.h:120
#define TLSMP_KILL
Definition: ssl.h:244
unsigned __int8 uint8_t
Definition: config-msvc.h:159
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition: reliable.c:575
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid)
Remove an entry from a reliable structure.
Definition: reliable.c:728
struct session_id session_id
Definition: ssl_common.h:429
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Definition: misc.c:136
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3359
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1072
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:469
enum tls_wrap_ctx::@11 mode
Control channel wrapping mode.
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
static bool buf_write_u32(struct buffer *dest, int data)
Definition: buffer.h:727
void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags)
Definition: mtu.c:87
unsigned int flags
Definition: misc.h:92
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
static char * read_string_alloc(struct buffer *buf)
Definition: ssl.c:2208
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:901
bool ssl_clean_auth_token(void)
Definition: ssl.c:452
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition: ssl.c:975
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:394
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl.h:56
struct key_source2 * key_src
Definition: ssl_common.h:201
int initial_opcode
Definition: ssl_common.h:428
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:417
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition: ssl_common.h:93
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:313
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition: misc.c:730
static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl.c:1401
Definition: misc.h:56
int renegotiate_packets
Definition: ssl_common.h:283
int push_peer_info_detail
Definition: ssl_common.h:278
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
int initial_opcode
Definition: ssl_common.h:195
bool disable_occ
Definition: ssl_common.h:275
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition: reliable.c:123
struct frame frame
Definition: ssl_common.h:325
#define KEY_METHOD_2
Definition: ssl.h:128
time_t peer_last_packet
Definition: ssl_common.h:193
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1238
bool crl_file_inline
Definition: ssl_common.h:292
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3959
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context...
Definition: ssl_openssl.c:748
static bool management_enable_def_auth(const struct management *man)
Definition: manage.h:471
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
static bool key_method_2_write(struct buffer *buf, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition: ssl.c:2355
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:639
void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu)
Definition: mtu.c:56
unsigned int mda_key_id_counter
Definition: manage.h:51
const char * cipher_list_tls13
Definition: options.h:539
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition: reliable.c:547
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2719
char * locked_username
Definition: ssl_common.h:545
char * common_name
Definition: ssl_common.h:442
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition: reliable.c:309
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
void crypto_uninit_lib(void)
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
size_t ekm_label_size
Definition: ssl_common.h:382
int link_mtu
Maximum packet size to be sent over the external network interface.
Definition: mtu.h:94
#define D_TLS_DEBUG_MED
Definition: errlevel.h:155
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:479
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
uint32_t peer_id
Definition: ssl_common.h:585
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:1975
static void frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement)
Definition: mtu.h:280
uint32_t packet_id_type
Definition: packet_id.h:49
#define PD_VERBOSE
Definition: ssl.h:573
static const char * state_name(int state)
Definition: ssl.c:731
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:77
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
#define M_WARN
Definition: error.h:96
void tls_clear_error(void)
Clear the underlying SSL library&#39;s error state.
Definition: ssl_openssl.c:102
void ssl_purge_auth_challenge(void)
Definition: ssl.c:481
static int min_int(int x, int y)
Definition: integer.h:82
#define PACKAGE_VERSION
Definition: config.h:742
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:580
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition: reliable.c:412
#define free
Definition: cmocka.c:1850
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1475
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation...
Definition: ssl_openssl.c:210
tls_auth_status
Definition: ssl_verify.h:68
#define PD_TLS
Definition: ssl.h:572
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl.h:54
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1063
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition: reliable.c:158
const char * openssl_name
Definition: ssl_backend.h:62
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:880
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1433
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:234
#define FULL_SYNC
Definition: ssl.c:2136
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
int interval_t
Definition: common.h:45
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
static void key_source_print(const struct key_source *k, const char *prefix)
Definition: ssl.c:1551
counter_type n_bytes
Definition: ssl_common.h:213
struct buffer ack_write_buf
Definition: ssl_common.h:205
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition: session_id.c:57
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]
The implicit part of the IV.
Definition: crypto.h:168
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_length, const md_kt_t *kt)
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:1960
static const tls_cipher_name_pair tls_cipher_name_translation_table[]
SSL/TLS Cipher suite name translation table.
Definition: ssl.c:99
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition: ssl.c:895
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2090
#define BSTR(buf)
Definition: buffer.h:129
static bool auth_user_pass_enabled
Definition: ssl.c:387
hmac_ctx_t * hmac_ctx_new(void)
#define TUN_LINK_DELTA(f)
Definition: mtu.h:151
#define KEY_METHOD_MASK
Definition: ssl.h:131
const char * dh_file
Definition: options.h:528
time_t must_die
Definition: ssl_common.h:192
#define KEY_EXPANSION_ID
Definition: ssl.h:47
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition: ssl.c:1117
char password[USER_PASS_LEN]
Definition: misc.h:68
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl.h:67
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:117
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1413
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition: ssl.c:2041
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1495
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition: reliable.c:669
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
static void update_time(void)
Definition: otime.h:94
bool replay
Definition: options.h:512
static int auth_deferred_expire_window(const struct tls_options *o)
Definition: ssl.c:2681
counter_type n_packets
Definition: ssl_common.h:214
bool dh_file_inline
Definition: options.h:529
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:983
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:78
#define MF_EXTERNAL_CERT
Definition: manage.h:347
void buffer_list_pop(struct buffer_list *ol)
Definition: buffer.c:1345
#define P_ACK_V1
Definition: ssl.h:58
void hmac_ctx_free(hmac_ctx_t *ctx)
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1280
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:241
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition: ssl.c:543
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition: buffer.c:1253
#define MF_EXTERNAL_KEY
Definition: manage.h:341
const char * remote_options
Definition: ssl_common.h:270
#define P_DATA_V2
Definition: ssl.h:60
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl.c:257
int replay_time
Definition: ssl_common.h:312
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition: reliable.c:613
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition: reliable.c:360
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
static struct key2 generate_key_expansion_openvpn_prf(const struct tls_session *session)
Definition: ssl.c:1786
void crypto_init_lib(void)
unsigned int ssl_flags
Definition: ssl_common.h:365
struct _stat platform_stat_t
Definition: platform.h:144
#define PD_SHOW_DATA
Definition: ssl.h:571
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:120
void hmac_ctx_reset(hmac_ctx_t *ctx)
struct env_set * es
Definition: ssl_common.h:345
bool priv_key_file_inline
Definition: options.h:535
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext)...
Definition: ssl.c:2509
int fragment
Definition: options.h:117
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:323
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:105
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition: reliable.c:141
int link_mtu_dynamic
Dynamic MTU value for the external network interface.
Definition: mtu.h:97
int link_mtu
Definition: options.h:111
#define INCR_GENERATED
Definition: ssl.c:90
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3075
bool data_channel_use_ekm
Definition: options.h:650
const char * crl_file
Definition: options.h:547