OpenVPN
ssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  * Copyright (C) 2008-2021 David Sommerseth <dazo@eurephia.org>
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
30 /*
31  * The routines in this file deal with dynamically negotiating
32  * the data channel HMAC and cipher keys through a TLS session.
33  *
34  * Both the TLS session and the data channel are multiplexed
35  * over the same TCP/UDP port.
36  */
37 #ifdef HAVE_CONFIG_H
38 #include "config.h"
39 #elif defined(_MSC_VER)
40 #include "config-msvc.h"
41 #endif
42 
43 #include "syshead.h"
44 #include "win32.h"
45 
46 #include "error.h"
47 #include "common.h"
48 #include "socket.h"
49 #include "misc.h"
50 #include "fdmisc.h"
51 #include "interval.h"
52 #include "perf.h"
53 #include "status.h"
54 #include "gremlin.h"
55 #include "pkcs11.h"
56 #include "route.h"
57 #include "tls_crypt.h"
58 
59 #include "ssl.h"
60 #include "ssl_verify.h"
61 #include "ssl_backend.h"
62 #include "ssl_ncp.h"
63 #include "ssl_util.h"
64 #include "auth_token.h"
65 
66 #include "memdbg.h"
67 
68 #ifdef MEASURE_TLS_HANDSHAKE_STATS
69 
70 static int tls_handshake_success; /* GLOBAL */
71 static int tls_handshake_error; /* GLOBAL */
72 static int tls_packets_generated; /* GLOBAL */
73 static int tls_packets_sent; /* GLOBAL */
74 
75 #define INCR_SENT ++tls_packets_sent
76 #define INCR_GENERATED ++tls_packets_generated
77 #define INCR_SUCCESS ++tls_handshake_success
78 #define INCR_ERROR ++tls_handshake_error
79 
80 void
81 show_tls_performance_stats(void)
82 {
83  msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
84  (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
85  tls_handshake_success, tls_handshake_error,
86  (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
87 }
88 #else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
89 
90 #define INCR_SENT
91 #define INCR_GENERATED
92 #define INCR_SUCCESS
93 #define INCR_ERROR
94 
95 #endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
96 
101  {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"},
102  {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"},
103  {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"},
104  {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"},
105  {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"},
106  {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"},
107  {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"},
108  {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
109  {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"},
110  {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
111  {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"},
112  {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"},
113  {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"},
114  {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"},
115  {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"},
116  {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"},
117  {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"},
118  {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"},
119  {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"},
120  {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"},
121  {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"},
122  {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"},
123  {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"},
124  {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"},
125  {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"},
126  {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"},
127  {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"},
128  {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"},
129  {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"},
130  {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"},
131  {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"},
132  {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
133  {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
134  {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
135  {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
136  {"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
137  {"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"},
138  {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"},
139  {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"},
140  {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"},
141  {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"},
142  {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"},
143  {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"},
144  {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"},
145  {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"},
146  {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
147  {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
148  {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
149  {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
150  {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"},
151  {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"},
152  {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"},
153  {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"},
154  {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"},
155  {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"},
156  {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"},
157  {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"},
158  {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"},
159  {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"},
160  {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"},
161  {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"},
162  {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"},
163  {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"},
164  {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
165  {"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
166  {"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"},
167  {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"},
168  {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"},
169  {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"},
170  {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"},
171  {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"},
172  {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"},
173  {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"},
174  {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"},
175  {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"},
176  {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"},
177  {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
178  {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"},
179  {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
180  {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
181  {"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
182  {"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"},
183  {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"},
184  {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"},
185  {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"},
186  {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"},
187  {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"},
188  {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"},
189  {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"},
190  {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"},
191  {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"},
192  {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"},
193  {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"},
194  {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"},
195  {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"},
196  {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"},
197  {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"},
198  {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"},
199  {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"},
200  {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"},
201  {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"},
202  {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"},
203  {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"},
204  {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"},
205  {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"},
206  {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"},
207  {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"},
208  {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"},
209  {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"},
210  {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"},
211  {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"},
212  {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"},
213  {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"},
214  {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"},
215  {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"},
216  {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"},
217  {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"},
218  {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"},
219  {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"},
220  {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"},
221  {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"},
222  {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"},
223  {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"},
224  {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
225 #ifdef ENABLE_CRYPTO_OPENSSL
226  /* OpenSSL-specific group names */
227  {"DEFAULT", "DEFAULT"},
228  {"ALL", "ALL"},
229  {"HIGH", "HIGH"}, {"!HIGH", "!HIGH"},
230  {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"},
231  {"LOW", "LOW"}, {"!LOW", "!LOW"},
232  {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"},
233  {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"},
234  {"EDH", "EDH"}, {"!EDH", "!EDH"},
235  {"EXP", "EXP"}, {"!EXP", "!EXP"},
236  {"RSA", "RSA"}, {"!RSA", "!RSA"},
237  {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"},
238  {"SRP", "SRP"}, {"!SRP", "!SRP"},
239 #endif
240  {NULL, NULL}
241 };
242 
254 static void
255 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len);
256 
257 const tls_cipher_name_pair *
258 tls_get_cipher_name_pair(const char *cipher_name, size_t len)
259 {
261 
262  while (pair->openssl_name != NULL)
263  {
264  if ((strlen(pair->openssl_name) == len && 0 == memcmp(cipher_name, pair->openssl_name, len))
265  || (strlen(pair->iana_name) == len && 0 == memcmp(cipher_name, pair->iana_name, len)))
266  {
267  return pair;
268  }
269  pair++;
270  }
271 
272  /* No entry found, return NULL */
273  return NULL;
274 }
275 
283 static void
284 tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
285 {
286  if (cipher && cipher_kt_insecure(cipher))
287  {
288  if (*reneg_bytes == -1) /* Not user-specified */
289  {
290  msg(M_WARN, "WARNING: cipher with small block size in use, "
291  "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
292  *reneg_bytes = 64 * 1024 * 1024;
293  }
294  }
295 }
296 
297 /*
298  * Max number of bytes we will add
299  * for data structures common to both
300  * data and control channel packets.
301  * (opcode only).
302  */
303 void
305 {
306  frame_add_to_extra_frame(frame, 1); /* space for opcode */
307 }
308 
309 /*
310  * Max number of bytes we will add
311  * to control channel packet.
312  */
313 static void
314 tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
315  struct frame *frame)
316 {
317  /*
318  * frame->extra_frame is already initialized with tls_auth buffer requirements,
319  * if --tls-auth is enabled.
320  */
321 
322  /* inherit link MTU and extra_link from data channel */
323  frame->link_mtu = data_channel_frame->link_mtu;
324  frame->extra_link = data_channel_frame->extra_link;
325 
326  /* set extra_frame */
330 
331  /* set dynamic link MTU to cap control channel packets at 1250 bytes */
332  ASSERT(TUN_LINK_DELTA(frame) < min_int(frame->link_mtu, 1250));
333  frame->link_mtu_dynamic = min_int(frame->link_mtu, 1250) - TUN_LINK_DELTA(frame);
334 }
335 
336 void
338 {
339  tls_init_lib();
340 
341  crypto_init_lib();
342 }
343 
344 void
346 {
348  prng_uninit();
349 
350  tls_free_lib();
351 }
352 
353 /*
354  * OpenSSL library calls pem_password_callback if the
355  * private key is protected by a password.
356  */
357 
358 static struct user_pass passbuf; /* GLOBAL */
359 
360 void
361 pem_password_setup(const char *auth_file)
362 {
363  if (!strlen(passbuf.password))
364  {
366  }
367 }
368 
369 int
370 pem_password_callback(char *buf, int size, int rwflag, void *u)
371 {
372  if (buf)
373  {
374  /* prompt for password even if --askpass wasn't specified */
375  pem_password_setup(NULL);
376  strncpynt(buf, passbuf.password, size);
377  purge_user_pass(&passbuf, false);
378 
379  return strlen(buf);
380  }
381  return 0;
382 }
383 
384 /*
385  * Auth username/password handling
386  */
387 
388 static bool auth_user_pass_enabled; /* GLOBAL */
389 static struct user_pass auth_user_pass; /* GLOBAL */
390 static struct user_pass auth_token; /* GLOBAL */
391 
392 #ifdef ENABLE_MANAGEMENT
393 static char *auth_challenge; /* GLOBAL */
394 #endif
395 
396 void
397 auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
398 {
399  auth_user_pass_enabled = true;
401  {
402 #ifdef ENABLE_MANAGEMENT
403  if (auth_challenge) /* dynamic challenge/response */
404  {
406  auth_file,
407  UP_TYPE_AUTH,
409  auth_challenge);
410  }
411  else if (sci) /* static challenge response */
412  {
414  if (sci->flags & SC_ECHO)
415  {
417  }
419  auth_file,
420  UP_TYPE_AUTH,
421  flags,
422  sci->challenge_text);
423  }
424  else
425 #endif /* ifdef ENABLE_MANAGEMENT */
427  }
428 }
429 
430 /*
431  * Disable password caching
432  */
433 void
435 {
436  passbuf.nocache = true;
437  auth_user_pass.nocache = true;
438 }
439 
440 /*
441  * Set an authentication token
442  */
443 void
444 ssl_set_auth_token(const char *token)
445 {
447 }
448 
449 void
451 {
452  set_auth_token_user(&auth_token, username);
453 }
454 
455 /*
456  * Cleans an auth token and checks if it was active
457  */
458 bool
460 {
461  bool wasdefined = auth_token.defined;
462  purge_user_pass(&auth_token, true);
463  return wasdefined;
464 }
465 
466 /*
467  * Forget private key password AND auth-user-pass username/password.
468  */
469 void
470 ssl_purge_auth(const bool auth_user_pass_only)
471 {
472  if (!auth_user_pass_only)
473  {
474 #ifdef ENABLE_PKCS11
475  pkcs11_logout();
476 #endif
477  purge_user_pass(&passbuf, true);
478  }
480 #ifdef ENABLE_MANAGEMENT
482 #endif
483 }
484 
485 #ifdef ENABLE_MANAGEMENT
486 
487 void
489 {
490  free(auth_challenge);
491  auth_challenge = NULL;
492 }
493 
494 void
495 ssl_put_auth_challenge(const char *cr_str)
496 {
498  auth_challenge = string_alloc(cr_str, NULL);
499 }
500 
501 #endif
502 
503 /*
504  * Parse a TLS version string, returning a TLS_VER_x constant.
505  * If version string is not recognized and extra == "or-highest",
506  * return tls_version_max().
507  */
508 int
509 tls_version_parse(const char *vstr, const char *extra)
510 {
511  const int max_version = tls_version_max();
512  if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
513  {
514  return TLS_VER_1_0;
515  }
516  else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
517  {
518  return TLS_VER_1_1;
519  }
520  else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
521  {
522  return TLS_VER_1_2;
523  }
524  else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
525  {
526  return TLS_VER_1_3;
527  }
528  else if (extra && !strcmp(extra, "or-highest"))
529  {
530  return max_version;
531  }
532  else
533  {
534  return TLS_VER_BAD;
535  }
536 }
537 
549 static void
550 tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
551  bool crl_file_inline)
552 {
553  /* if something goes wrong with stat(), we'll store 0 as mtime */
554  platform_stat_t crl_stat = {0};
555 
556  /*
557  * an inline CRL can't change at runtime, therefore there is no need to
558  * reload it. It will be reloaded upon config change + SIGHUP.
559  * Use always '1' as dummy timestamp in this case: it will trigger the
560  * first load, but will prevent any future reload.
561  */
562  if (crl_file_inline)
563  {
564  crl_stat.st_mtime = 1;
565  }
566  else if (platform_stat(crl_file, &crl_stat) < 0)
567  {
568  /* If crl_last_mtime is zero, the CRL file has not been read before. */
569  if (ssl_ctx->crl_last_mtime == 0)
570  {
571  msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
572  }
573  else
574  {
575  msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
576  }
577  return;
578  }
579 
580  /*
581  * Store the CRL if this is the first time or if the file was changed since
582  * the last load.
583  * Note: Windows does not support tv_nsec.
584  */
585  if ((ssl_ctx->crl_last_size == crl_stat.st_size)
586  && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
587  {
588  return;
589  }
590 
591  ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
592  ssl_ctx->crl_last_size = crl_stat.st_size;
593  backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
594 }
595 
596 /*
597  * Initialize SSL context.
598  * All files are in PEM format.
599  */
600 void
601 init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
602 {
603  ASSERT(NULL != new_ctx);
604 
605  tls_clear_error();
606 
607  if (options->tls_server)
608  {
609  tls_ctx_server_new(new_ctx);
610 
611  if (options->dh_file)
612  {
613  tls_ctx_load_dh_params(new_ctx, options->dh_file,
614  options->dh_file_inline);
615  }
616  }
617  else /* if client */
618  {
619  tls_ctx_client_new(new_ctx);
620  }
621 
622  /* Restrict allowed certificate crypto algorithms */
623  tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
624 
625  /* Allowable ciphers */
626  /* Since @SECLEVEL also influences loading of certificates, set the
627  * cipher restrictions before loading certificates */
628  tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
630 
631  /* Set the allow groups/curves for TLS if we want to override them */
632  if (options->tls_groups)
633  {
634  tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
635  }
636 
637  if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
638  {
639  goto err;
640  }
641 
642  if (options->pkcs12_file)
643  {
644  if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
645  options->pkcs12_file_inline, !options->ca_file))
646  {
647  goto err;
648  }
649  }
650 #ifdef ENABLE_PKCS11
651  else if (options->pkcs11_providers[0])
652  {
653  if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
654  {
655  msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
656  options->pkcs11_id);
657  goto err;
658  }
659  }
660 #endif
661 #ifdef ENABLE_CRYPTOAPI
662  else if (options->cryptoapi_cert)
663  {
664  tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
665  }
666 #endif
667 #ifdef ENABLE_MANAGEMENT
668  else if (options->management_flags & MF_EXTERNAL_CERT)
669  {
670  char *cert = management_query_cert(management,
671  options->management_certificate);
672  tls_ctx_load_cert_file(new_ctx, cert, true);
673  free(cert);
674  }
675 #endif
676  else if (options->cert_file)
677  {
678  tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
679  }
680 
681  if (options->priv_key_file)
682  {
683  if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
684  options->priv_key_file_inline))
685  {
686  goto err;
687  }
688  }
689 #ifdef ENABLE_MANAGEMENT
690  else if (options->management_flags & MF_EXTERNAL_KEY)
691  {
693  {
694  msg(M_WARN, "Cannot initialize mamagement-external-key");
695  goto err;
696  }
697  }
698 #endif
699 
700  if (options->ca_file || options->ca_path)
701  {
702  tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
703  options->ca_path, options->tls_server);
704  }
705 
706  /* Load extra certificates that are part of our own certificate
707  * chain but shouldn't be included in the verify chain */
708  if (options->extra_certs_file)
709  {
711  }
712 
713  /* Check certificate notBefore and notAfter */
714  tls_ctx_check_cert_time(new_ctx);
715 
716  /* Read CRL */
717  if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
718  {
719  /* If we're running with the chroot option, we may run init_ssl() before
720  * and after chroot-ing. We can use the crl_file path as-is if we're
721  * not going to chroot, or if we already are inside the chroot.
722  *
723  * If we're going to chroot later, we need to prefix the path of the
724  * chroot directory to crl_file.
725  */
726  if (!options->chroot_dir || in_chroot || options->crl_file_inline)
727  {
728  tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
729  }
730  else
731  {
732  struct gc_arena gc = gc_new();
733  struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
734  tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
735  gc_free(&gc);
736  }
737  }
738 
739  /* Once keys and cert are loaded, load ECDH parameters */
740  if (options->tls_server)
741  {
742  tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
743  }
744 
745 #ifdef ENABLE_CRYPTO_MBEDTLS
746  /* Personalise the random by mixing in the certificate */
747  tls_ctx_personalise_random(new_ctx);
748 #endif
749 
750  tls_clear_error();
751  return;
752 
753 err:
754  tls_clear_error();
755  tls_ctx_free(new_ctx);
756  return;
757 }
758 
759 /*
760  * Map internal constants to ascii names.
761  */
762 static const char *
763 state_name(int state)
764 {
765  switch (state)
766  {
767  case S_UNDEF:
768  return "S_UNDEF";
769 
770  case S_INITIAL:
771  return "S_INITIAL";
772 
773  case S_PRE_START:
774  return "S_PRE_START";
775 
776  case S_START:
777  return "S_START";
778 
779  case S_SENT_KEY:
780  return "S_SENT_KEY";
781 
782  case S_GOT_KEY:
783  return "S_GOT_KEY";
784 
785  case S_ACTIVE:
786  return "S_ACTIVE";
787 
788  case S_ERROR:
789  return "S_ERROR";
790 
791  case S_GENERATED_KEYS:
792  return "S_GENERATED_KEYS";
793 
794  default:
795  return "S_???";
796  }
797 }
798 
799 static const char *
801 {
802  switch (auth)
803  {
804  case KS_AUTH_TRUE:
805  return "KS_AUTH_TRUE";
806  case KS_AUTH_DEFERRED:
807  return "KS_AUTH_DEFERRED";
808  case KS_AUTH_FALSE:
809  return "KS_AUTH_FALSE";
810  default:
811  return "KS_????";
812  }
813 }
814 
815 static const char *
817 {
818  switch (op)
819  {
821  return "P_CONTROL_HARD_RESET_CLIENT_V1";
822 
824  return "P_CONTROL_HARD_RESET_SERVER_V1";
825 
827  return "P_CONTROL_HARD_RESET_CLIENT_V2";
828 
830  return "P_CONTROL_HARD_RESET_SERVER_V2";
831 
833  return "P_CONTROL_HARD_RESET_CLIENT_V3";
834 
836  return "P_CONTROL_SOFT_RESET_V1";
837 
838  case P_CONTROL_V1:
839  return "P_CONTROL_V1";
840 
841  case P_ACK_V1:
842  return "P_ACK_V1";
843 
844  case P_DATA_V1:
845  return "P_DATA_V1";
846 
847  case P_DATA_V2:
848  return "P_DATA_V2";
849 
850  default:
851  return "P_???";
852  }
853 }
854 
855 static const char *
857 {
858  switch (index)
859  {
860  case TM_ACTIVE:
861  return "TM_ACTIVE";
862 
863  case TM_UNTRUSTED:
864  return "TM_UNTRUSTED";
865 
866  case TM_LAME_DUCK:
867  return "TM_LAME_DUCK";
868 
869  default:
870  return "TM_???";
871  }
872 }
873 
874 /*
875  * For debugging.
876  */
877 static const char *
878 print_key_id(struct tls_multi *multi, struct gc_arena *gc)
879 {
880  struct buffer out = alloc_buf_gc(256, gc);
881 
882  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
883  {
884  struct key_state *ks = get_key_scan(multi, i);
885  buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
887  ks->key_id,
889  }
890 
891  return BSTR(&out);
892 }
893 
894 bool
896 {
899  {
900  return true;
901  }
902 
903  return false;
904 }
905 
929 static void
931 {
932  update_time();
933 
934  CLEAR(*ks);
935 
936  /*
937  * Build TLS object that reads/writes ciphertext
938  * to/from memory BIOs.
939  */
940  key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
941  session);
942 
943  /* Set control-channel initiation mode */
944  ks->initial_opcode = session->initial_opcode;
946  ks->state = S_INITIAL;
947  ks->key_id = session->key_id;
948 
949  /*
950  * key_id increments to KEY_ID_MASK then recycles back to 1.
951  * This way you know that if key_id is 0, it is the first key.
952  */
953  ++session->key_id;
954  session->key_id &= P_KEY_ID_MASK;
955  if (!session->key_id)
956  {
957  session->key_id = 1;
958  }
959 
960  /* allocate key source material object */
961  ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
962 
963  /* allocate reliability objects */
966  ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
967 
968  /* allocate buffers */
971  ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
972  reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
974  ks->key_id ? false : session->opt->xmit_hold);
975  reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
977  false);
979 
980  /* init packet ID tracker */
981  if (session->opt->replay)
982  {
984  session->opt->replay_window, session->opt->replay_time, "SSL",
985  ks->key_id);
986  }
987 
988  ks->crypto_options.pid_persist = NULL;
989 
990 #ifdef ENABLE_MANAGEMENT
991  ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
992 #endif
993 }
994 
995 
1009 static void
1010 key_state_free(struct key_state *ks, bool clear)
1011 {
1012  ks->state = S_UNDEF;
1013 
1014  key_state_ssl_free(&ks->ks_ssl);
1015 
1019  free_buf(&ks->ack_write_buf);
1020  buffer_list_free(ks->paybuf);
1021 
1024 
1025  free(ks->rec_ack);
1026  free(ks->key_src);
1027 
1029 
1032 
1033  if (clear)
1034  {
1035  secure_memzero(ks, sizeof(*ks));
1036  }
1037 }
1038 
1052 static inline bool
1054 {
1055  return (session->opt->auth_user_pass_verify_script
1057 #ifdef ENABLE_MANAGEMENT
1059 #endif
1060  );
1061 }
1062 
1063 
1084 static void
1086 {
1087  struct gc_arena gc = gc_new();
1088 
1089  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
1090 
1091  CLEAR(*session);
1092 
1093  /* Set options data to point to parent's option structure */
1094  session->opt = &multi->opt;
1095 
1096  /* Randomize session # if it is 0 */
1097  while (!session_id_defined(&session->session_id))
1098  {
1099  session_id_random(&session->session_id);
1100  }
1101 
1102  /* Are we a TLS server or client? */
1103  if (session->opt->server)
1104  {
1106  }
1107  else
1108  {
1109  session->initial_opcode = session->opt->tls_crypt_v2 ?
1111  }
1112 
1113  /* Initialize control channel authentication parameters */
1114  session->tls_wrap = session->opt->tls_wrap;
1115  session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1116 
1117  /* initialize packet ID replay window for --tls-auth */
1119  session->opt->replay_window,
1120  session->opt->replay_time,
1121  "TLS_WRAP", session->key_id);
1122 
1123  /* load most recent packet-id to replay protect on --tls-auth */
1125  &session->tls_wrap.opt.packet_id);
1126 
1127  key_state_init(session, &session->key[KS_PRIMARY]);
1128 
1129  dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1130  session_id_print(&session->session_id, &gc));
1131 
1132  gc_free(&gc);
1133 }
1134 
1150 static void
1152 {
1153  tls_wrap_free(&session->tls_wrap);
1154 
1155  for (size_t i = 0; i < KS_SIZE; ++i)
1156  {
1157  /* we don't need clear=true for this call since
1158  * the structs are part of session and get cleared
1159  * as part of session */
1160  key_state_free(&session->key[i], false);
1161  }
1162 
1163  free(session->common_name);
1164 
1165  cert_hash_free(session->cert_hash_set);
1166 
1167  if (clear)
1168  {
1169  secure_memzero(session, sizeof(*session));
1170  }
1171 }
1172 
1178 static void
1179 move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1180 {
1181  msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1182  session_index_name(dest),
1183  session_index_name(src),
1184  reinit_src);
1185  ASSERT(src != dest);
1186  ASSERT(src >= 0 && src < TM_SIZE);
1187  ASSERT(dest >= 0 && dest < TM_SIZE);
1188  tls_session_free(&multi->session[dest], false);
1189  multi->session[dest] = multi->session[src];
1190 
1191  if (reinit_src)
1192  {
1193  tls_session_init(multi, &multi->session[src]);
1194  }
1195  else
1196  {
1197  secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1198  }
1199 
1200  dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1201 }
1202 
1203 static void
1205 {
1206  tls_session_free(session, false);
1207  tls_session_init(multi, session);
1208 }
1209 
1210 /*
1211  * Used to determine in how many seconds we should be
1212  * called again.
1213  */
1214 static inline void
1215 compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1216 {
1217  if (seconds_from_now < *earliest)
1218  {
1219  *earliest = seconds_from_now;
1220  }
1221  if (*earliest < 0)
1222  {
1223  *earliest = 0;
1224  }
1225 }
1226 
1227 /*
1228  * Return true if "lame duck" or retiring key has expired and can
1229  * no longer be used.
1230  */
1231 static inline bool
1233 {
1234  const struct key_state *lame = &session->key[KS_LAME_DUCK];
1235  if (lame->state >= S_INITIAL)
1236  {
1237  ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1238  if (now < lame->must_die)
1239  {
1240  compute_earliest_wakeup(wakeup, lame->must_die - now);
1241  return false;
1242  }
1243  else
1244  {
1245  return true;
1246  }
1247  }
1248  else if (lame->state == S_ERROR)
1249  {
1250  return true;
1251  }
1252  else
1253  {
1254  return false;
1255  }
1256 }
1257 
1258 struct tls_multi *
1260 {
1261  struct tls_multi *ret;
1262 
1263  ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1264 
1265  /* get command line derived options */
1266  ret->opt = *tls_options;
1267 
1268  return ret;
1269 }
1270 
1271 void
1272 tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
1273 {
1275 
1276  /* initialize the active and untrusted sessions */
1277 
1278  tls_session_init(multi, &multi->session[TM_ACTIVE]);
1279 
1280  if (!multi->opt.single_session)
1281  {
1282  tls_session_init(multi, &multi->session[TM_UNTRUSTED]);
1283  }
1284 }
1285 
1286 /*
1287  * Initialize and finalize a standalone tls-auth verification object.
1288  */
1289 
1290 struct tls_auth_standalone *
1292  struct gc_arena *gc)
1293 {
1294  struct tls_auth_standalone *tas;
1295 
1296  ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1297 
1298  tas->tls_wrap = tls_options->tls_wrap;
1299 
1300  /*
1301  * Standalone tls-auth is in read-only mode with respect to TLS
1302  * control channel state. After we build a new client instance
1303  * object, we will process this session-initiating packet for real.
1304  */
1306 
1307  /* get initial frame parms, still need to finalize */
1308  tas->frame = tls_options->frame;
1309 
1310  return tas;
1311 }
1312 
1313 void
1315  const struct frame *frame)
1316 {
1318 }
1319 
1320 /*
1321  * Set local and remote option compatibility strings.
1322  * Used to verify compatibility of local and remote option
1323  * sets.
1324  */
1325 void
1327  const char *local,
1328  const char *remote)
1329 {
1330  /* initialize options string */
1331  multi->opt.local_options = local;
1332  multi->opt.remote_options = remote;
1333 }
1334 
1335 /*
1336  * Cleanup a tls_multi structure and free associated memory allocations.
1337  */
1338 void
1339 tls_multi_free(struct tls_multi *multi, bool clear)
1340 {
1341  ASSERT(multi);
1342 
1343  auth_set_client_reason(multi, NULL);
1344 
1345  free(multi->peer_info);
1346  free(multi->locked_cn);
1347  free(multi->locked_username);
1348 
1350 
1351  wipe_auth_token(multi);
1352 
1353  free(multi->remote_ciphername);
1354 
1355  for (int i = 0; i < TM_SIZE; ++i)
1356  {
1357  tls_session_free(&multi->session[i], false);
1358  }
1359 
1360  if (clear)
1361  {
1362  secure_memzero(multi, sizeof(*multi));
1363  }
1364 
1365  free(multi);
1366 }
1367 
1368 
1369 /*
1370  * Move a packet authentication HMAC + related fields to or from the front
1371  * of the buffer so it can be processed by encrypt/decrypt.
1372  */
1373 
1374 /*
1375  * Dependent on hmac size, opcode size, and session_id size.
1376  * Will assert if too small.
1377  */
1378 #define SWAP_BUF_SIZE 256
1379 
1380 static bool
1381 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
1382 {
1383  ASSERT(co);
1384 
1385  const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
1386  &co->key_ctx_bi.encrypt);
1387  ASSERT(ctx->hmac);
1388 
1389  {
1390  /* hmac + packet_id (8 bytes) */
1391  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
1392 
1393  /* opcode + session_id */
1394  const int osid_size = 1 + SID_SIZE;
1395 
1396  int e1, e2;
1397  uint8_t *b = BPTR(buf);
1398  uint8_t buf1[SWAP_BUF_SIZE];
1399  uint8_t buf2[SWAP_BUF_SIZE];
1400 
1401  if (incoming)
1402  {
1403  e1 = osid_size;
1404  e2 = hmac_size;
1405  }
1406  else
1407  {
1408  e1 = hmac_size;
1409  e2 = osid_size;
1410  }
1411 
1412  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
1413 
1414  if (buf->len >= e1 + e2)
1415  {
1416  memcpy(buf1, b, e1);
1417  memcpy(buf2, b + e1, e2);
1418  memcpy(b, buf2, e2);
1419  memcpy(b + e2, buf1, e1);
1420  return true;
1421  }
1422  else
1423  {
1424  return false;
1425  }
1426  }
1427 }
1428 
1429 #undef SWAP_BUF_SIZE
1430 
1431 /*
1432  * Write a control channel authentication record.
1433  */
1434 static void
1436  struct key_state *ks,
1437  struct buffer *buf,
1438  struct link_socket_actual **to_link_addr,
1439  int opcode,
1440  int max_ack,
1441  bool prepend_ack)
1442 {
1443  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
1444  struct buffer null = clear_buf();
1445 
1448  (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
1449 
1450  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
1451 
1452  if (session->tls_wrap.mode == TLS_WRAP_AUTH
1453  || session->tls_wrap.mode == TLS_WRAP_NONE)
1454  {
1455  ASSERT(session_id_write_prepend(&session->session_id, buf));
1456  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
1457  }
1458  if (session->tls_wrap.mode == TLS_WRAP_AUTH)
1459  {
1460  /* no encryption, only write hmac */
1461  openvpn_encrypt(buf, null, &session->tls_wrap.opt);
1462  ASSERT(swap_hmac(buf, &session->tls_wrap.opt, false));
1463  }
1464  else if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
1465  {
1466  ASSERT(buf_init(&session->tls_wrap.work, buf->offset));
1467  ASSERT(buf_write(&session->tls_wrap.work, &header, sizeof(header)));
1468  ASSERT(session_id_write(&session->session_id, &session->tls_wrap.work));
1469  if (!tls_crypt_wrap(buf, &session->tls_wrap.work, &session->tls_wrap.opt))
1470  {
1471  buf->len = 0;
1472  return;
1473  }
1474 
1475  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3)
1476  {
1477  if (!buf_copy(&session->tls_wrap.work,
1478  session->tls_wrap.tls_crypt_v2_wkc))
1479  {
1480  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
1481  buf->len = 0;
1482  return;
1483  }
1484  }
1485 
1486  /* Don't change the original data in buf, it's used by the reliability
1487  * layer to resend on failure. */
1488  *buf = session->tls_wrap.work;
1489  }
1490  *to_link_addr = &ks->remote_addr;
1491 }
1492 
1493 /*
1494  * Read a control channel authentication record.
1495  */
1496 static bool
1498  struct tls_wrap_ctx *ctx,
1499  const struct link_socket_actual *from,
1500  const struct tls_options *opt)
1501 {
1502  struct gc_arena gc = gc_new();
1503  bool ret = false;
1504 
1505  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
1506  if (opcode == P_CONTROL_HARD_RESET_CLIENT_V3
1507  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
1508  {
1509  msg(D_TLS_ERRORS,
1510  "TLS Error: can not extract tls-crypt-v2 client key from %s",
1511  print_link_socket_actual(from, &gc));
1512  goto cleanup;
1513  }
1514 
1515  if (ctx->mode == TLS_WRAP_AUTH)
1516  {
1517  struct buffer null = clear_buf();
1518 
1519  /* move the hmac record to the front of the packet */
1520  if (!swap_hmac(buf, &ctx->opt, true))
1521  {
1522  msg(D_TLS_ERRORS,
1523  "TLS Error: cannot locate HMAC in incoming packet from %s",
1524  print_link_socket_actual(from, &gc));
1525  gc_free(&gc);
1526  return false;
1527  }
1528 
1529  /* authenticate only (no decrypt) and remove the hmac record
1530  * from the head of the buffer */
1531  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
1532  if (!buf->len)
1533  {
1534  msg(D_TLS_ERRORS,
1535  "TLS Error: incoming packet authentication failed from %s",
1536  print_link_socket_actual(from, &gc));
1537  goto cleanup;
1538  }
1539 
1540  }
1541  else if (ctx->mode == TLS_WRAP_CRYPT)
1542  {
1543  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
1544  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
1545  {
1546  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
1547  print_link_socket_actual(from, &gc));
1548  goto cleanup;
1549  }
1550  ASSERT(buf_init(buf, buf->offset));
1551  ASSERT(buf_copy(buf, &tmp));
1552  buf_clear(&tmp);
1553  }
1554  else if (ctx->tls_crypt_v2_server_key.cipher)
1555  {
1556  /* If tls-crypt-v2 is enabled, require *some* wrapping */
1557  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
1558  print_link_socket_actual(from, &gc));
1559  /* TODO Do we want to support using tls-crypt-v2 and no control channel
1560  * wrapping at all simultaneously? That would allow server admins to
1561  * upgrade clients one-by-one without running a second instance, but we
1562  * should not enable it by default because it breaks DoS-protection.
1563  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
1564  goto cleanup;
1565  }
1566 
1567  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
1568  {
1569  /* advance buffer pointer past opcode & session_id since our caller
1570  * already read it */
1571  buf_advance(buf, SID_SIZE + 1);
1572  }
1573 
1574  ret = true;
1575 cleanup:
1576  gc_free(&gc);
1577  return ret;
1578 }
1579 
1580 /*
1581  * For debugging, print contents of key_source2 structure.
1582  */
1583 
1584 static void
1586  const char *prefix)
1587 {
1588  struct gc_arena gc = gc_new();
1589 
1590  VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1591  VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1592  VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1593 
1595  "%s pre_master: %s",
1596  prefix,
1597  format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1599  "%s random1: %s",
1600  prefix,
1601  format_hex(k->random1, sizeof(k->random1), 0, &gc));
1603  "%s random2: %s",
1604  prefix,
1605  format_hex(k->random2, sizeof(k->random2), 0, &gc));
1606 
1607  gc_free(&gc);
1608 }
1609 
1610 static void
1612 {
1613  key_source_print(&k->client, "Client");
1614  key_source_print(&k->server, "Server");
1615 }
1616 
1617 static bool
1618 openvpn_PRF(const uint8_t *secret,
1619  int secret_len,
1620  const char *label,
1621  const uint8_t *client_seed,
1622  int client_seed_len,
1623  const uint8_t *server_seed,
1624  int server_seed_len,
1625  const struct session_id *client_sid,
1626  const struct session_id *server_sid,
1627  uint8_t *output,
1628  int output_len)
1629 {
1630  /* concatenate seed components */
1631 
1632  struct buffer seed = alloc_buf(strlen(label)
1633  + client_seed_len
1634  + server_seed_len
1635  + SID_SIZE * 2);
1636 
1637  ASSERT(buf_write(&seed, label, strlen(label)));
1638  ASSERT(buf_write(&seed, client_seed, client_seed_len));
1639  ASSERT(buf_write(&seed, server_seed, server_seed_len));
1640 
1641  if (client_sid)
1642  {
1643  ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1644  }
1645  if (server_sid)
1646  {
1647  ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1648  }
1649 
1650  /* compute PRF */
1651  bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len,
1652  output, output_len);
1653 
1654  buf_clear(&seed);
1655  free_buf(&seed);
1656 
1657  VALGRIND_MAKE_READABLE((void *)output, output_len);
1658  return ret;
1659 }
1660 
1661 static void
1663  const struct key_type *key_type,
1664  bool server,
1665  struct key2 *key2)
1666 {
1667  /* Initialize key contexts */
1668  int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1669  init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1670 
1671  /* Initialize implicit IVs */
1672  key_ctx_update_implicit_iv(&key->encrypt, (*key2).keys[(int)server].hmac,
1674  key_ctx_update_implicit_iv(&key->decrypt, (*key2).keys[1-(int)server].hmac,
1676 
1677 }
1678 
1679 static bool
1681 {
1683  strlen(EXPORT_KEY_DATA_LABEL),
1684  key2->keys, sizeof(key2->keys)))
1685  {
1686  return false;
1687  }
1688  key2->n = 2;
1689 
1690  return true;
1691 }
1692 
1693 static bool
1695 {
1696  uint8_t master[48] = { 0 };
1697 
1698  const struct key_state *ks = &session->key[KS_PRIMARY];
1699  const struct key_source2 *key_src = ks->key_src;
1700 
1701  const struct session_id *client_sid = session->opt->server ?
1702  &ks->session_id_remote : &session->session_id;
1703  const struct session_id *server_sid = !session->opt->server ?
1704  &ks->session_id_remote : &session->session_id;
1705 
1706  /* debugging print of source key material */
1707  key_source2_print(key_src);
1708 
1709  /* compute master secret */
1710  if (!openvpn_PRF(key_src->client.pre_master,
1711  sizeof(key_src->client.pre_master),
1712  KEY_EXPANSION_ID " master secret",
1713  key_src->client.random1,
1714  sizeof(key_src->client.random1),
1715  key_src->server.random1,
1716  sizeof(key_src->server.random1),
1717  NULL,
1718  NULL,
1719  master,
1720  sizeof(master)))
1721  {
1722  return false;
1723  }
1724 
1725  /* compute key expansion */
1726  if (!openvpn_PRF(master,
1727  sizeof(master),
1728  KEY_EXPANSION_ID " key expansion",
1729  key_src->client.random2,
1730  sizeof(key_src->client.random2),
1731  key_src->server.random2,
1732  sizeof(key_src->server.random2),
1733  client_sid,
1734  server_sid,
1735  (uint8_t *)key2->keys,
1736  sizeof(key2->keys)))
1737  {
1738  return false;
1739  }
1740  secure_memzero(&master, sizeof(master));
1741 
1742 
1743 
1744  /*
1745  * fixup_key only correctly sets DES parity bits if the cipher is a
1746  * DES variant.
1747  *
1748  * The newer OpenSSL and mbed TLS libraries (those that support EKM)
1749  * ignore these bits.
1750  *
1751  * We keep the DES fixup here as compatibility.
1752  * OpenVPN3 never did this fixup anyway. So this code is *probably* not
1753  * required but we keep it for compatibility until we remove DES support
1754  * since it does not hurt either.
1755  */
1756  for (int i = 0; i < 2; ++i)
1757  {
1758  fixup_key(&key2->keys[i], &session->opt->key_type);
1759  }
1760  key2->n = 2;
1761 
1762  return true;
1763 }
1764 
1765 /*
1766  * Using source entropy from local and remote hosts, mix into
1767  * master key.
1768  */
1769 static bool
1771  struct tls_session *session)
1772 {
1773  bool ret = false;
1774  struct key2 key2;
1775 
1776  if (key->initialized)
1777  {
1778  msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1779  goto exit;
1780  }
1781 
1782  bool server = session->opt->server;
1783 
1785  {
1786  if (!generate_key_expansion_tls_export(session, &key2))
1787  {
1788  msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1789  goto exit;
1790  }
1791  }
1792  else
1793  {
1794  if (!generate_key_expansion_openvpn_prf(session, &key2))
1795  {
1796  msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed");
1797  goto exit;
1798  }
1799  }
1800 
1801  key2_print(&key2, &session->opt->key_type,
1802  "Master Encrypt", "Master Decrypt");
1803 
1804  /* check for weak keys */
1805  for (int i = 0; i < 2; ++i)
1806  {
1807  if (!check_key(&key2.keys[i], &session->opt->key_type))
1808  {
1809  msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1810  goto exit;
1811  }
1812  }
1813  init_key_contexts(key, &session->opt->key_type, server, &key2);
1814  ret = true;
1815 
1816 exit:
1817  secure_memzero(&key2, sizeof(key2));
1818 
1819  return ret;
1820 }
1821 
1822 static void
1823 key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
1824 {
1825  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
1826 
1827  /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
1828  if (cipher_kt_mode_aead(cipher_kt))
1829  {
1830  size_t impl_iv_len = 0;
1832  impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);
1833  ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH);
1834  ASSERT(impl_iv_len <= key_len);
1835  memcpy(ctx->implicit_iv, key, impl_iv_len);
1836  ctx->implicit_iv_len = impl_iv_len;
1837  }
1838 }
1839 
1846 bool
1848 {
1849  bool ret = false;
1850  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1851 
1852  if (ks->authenticated <= KS_AUTH_FALSE)
1853  {
1854  msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1855  goto cleanup;
1856  }
1857 
1858  ks->crypto_options.flags = session->opt->crypto_flags;
1859 
1860  if (!generate_key_expansion(&ks->crypto_options.key_ctx_bi, session))
1861  {
1862  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1863  goto cleanup;
1864  }
1866  &session->opt->renegotiate_bytes);
1867 
1868  /* set the state of the keys for the session to generated */
1869  ks->state = S_GENERATED_KEYS;
1870 
1871  ret = true;
1872 cleanup:
1873  secure_memzero(ks->key_src, sizeof(*ks->key_src));
1874  return ret;
1875 }
1876 
1877 bool
1879  struct options* options, struct frame *frame,
1880  struct frame *frame_fragment)
1881 {
1883  {
1884  /* keys already generated, nothing to do */
1885  return true;
1886 
1887  }
1888  if (strcmp(options->ciphername, session->opt->config_ciphername))
1889  {
1890  msg(D_HANDSHAKE, "Data Channel: using negotiated cipher '%s'",
1891  options->ciphername);
1892  }
1893  else
1894  {
1895  /* Very hacky workaround and quick fix for frame calculation
1896  * different when adjusting frame size when the original and new cipher
1897  * are identical to avoid a regression with client without NCP */
1899  }
1900 
1901  init_key_type(&session->opt->key_type, options->ciphername,
1902  options->authname, true, true);
1903 
1904  bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1905  session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1906  if (packet_id_long_form)
1907  {
1909  }
1910 
1911  /* Update frame parameters: undo worst-case overhead, add actual overhead */
1913  crypto_adjust_frame_parameters(frame, &session->opt->key_type,
1914  options->replay, packet_id_long_form);
1915  frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
1916  options->ce.tun_mtu_defined, options->ce.tun_mtu);
1917  frame_init_mssfix(frame, options);
1918  frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1919 
1920  /*
1921  * mssfix uses data channel framing, which at this point contains
1922  * actual overhead. Fragmentation logic uses frame_fragment, which
1923  * still contains worst case overhead. Replace it with actual overhead
1924  * to prevent unneeded fragmentation.
1925  */
1926 
1927  if (frame_fragment)
1928  {
1930  crypto_adjust_frame_parameters(frame_fragment, &session->opt->key_type,
1931  options->replay, packet_id_long_form);
1932  frame_set_mtu_dynamic(frame_fragment, options->ce.fragment, SET_MTU_UPPER_BOUND);
1933  frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1934  }
1935 
1937 }
1938 
1939 bool
1941  struct options *options, struct frame *frame,
1942  struct frame *frame_fragment)
1943 {
1944 
1945  bool cipher_allowed_as_fallback = options->enable_ncp_fallback
1946  && streq(options->ciphername, session->opt->config_ciphername);
1947 
1948  if (!session->opt->server && !cipher_allowed_as_fallback
1949  && !tls_item_in_cipher_list(options->ciphername, options->ncp_ciphers))
1950  {
1951  msg(D_TLS_ERRORS, "Error: negotiated cipher not allowed - %s not in %s",
1952  options->ciphername, options->ncp_ciphers);
1953  /* undo cipher push, abort connection setup */
1954  options->ciphername = session->opt->config_ciphername;
1955  return false;
1956  }
1957 
1958  /* Import crypto settings that might be set by pull/push */
1959  session->opt->crypto_flags |= options->data_channel_crypto_flags;
1960 
1961  return tls_session_update_crypto_params_do_work(session, options, frame, frame_fragment);
1962 }
1963 
1964 
1965 static bool
1967  uint8_t *out,
1968  int outlen)
1969 {
1970  if (!rand_bytes(out, outlen))
1971  {
1972  msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1973  }
1974  if (!buf_write(buf, out, outlen))
1975  {
1976  return false;
1977  }
1978  return true;
1979 }
1980 
1981 static bool
1983  struct buffer *buf,
1984  bool server)
1985 {
1986  struct key_source *k = &k2->client;
1987  if (server)
1988  {
1989  k = &k2->server;
1990  }
1991 
1992  CLEAR(*k);
1993 
1994  if (!server)
1995  {
1996  if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1997  {
1998  return false;
1999  }
2000  }
2001 
2002  if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
2003  {
2004  return false;
2005  }
2006  if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
2007  {
2008  return false;
2009  }
2010 
2011  return true;
2012 }
2013 
2014 static int
2016  struct buffer *buf,
2017  bool server)
2018 {
2019  struct key_source *k = &k2->client;
2020 
2021  if (!server)
2022  {
2023  k = &k2->server;
2024  }
2025 
2026  CLEAR(*k);
2027 
2028  if (server)
2029  {
2030  if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
2031  {
2032  return 0;
2033  }
2034  }
2035 
2036  if (!buf_read(buf, k->random1, sizeof(k->random1)))
2037  {
2038  return 0;
2039  }
2040  if (!buf_read(buf, k->random2, sizeof(k->random2)))
2041  {
2042  return 0;
2043  }
2044 
2045  return 1;
2046 }
2047 
2048 static void
2050 {
2051  struct buffer *b;
2052 
2053  while ((b = buffer_list_peek(ks->paybuf)))
2054  {
2056  buffer_list_pop(ks->paybuf);
2057  }
2058 }
2059 
2060 /* true if no in/out acknowledgements pending */
2061 #define FULL_SYNC \
2062  (reliable_empty(ks->send_reliable) && reliable_ack_empty(ks->rec_ack))
2063 
2064 /*
2065  * Move the active key to the lame duck key and reinitialize the
2066  * active key.
2067  */
2068 static void
2070 {
2071  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2072  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2073 
2074  ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
2075  key_state_free(ks_lame, false);
2076  *ks_lame = *ks;
2077 
2078  key_state_init(session, ks);
2079  ks->session_id_remote = ks_lame->session_id_remote;
2080  ks->remote_addr = ks_lame->remote_addr;
2081 }
2082 
2083 /*
2084  * Read/write strings from/to a struct buffer with a u16 length prefix.
2085  */
2086 
2087 static bool
2089 {
2090  if (!buf_write_u16(buf, 0))
2091  {
2092  return false;
2093  }
2094  return true;
2095 }
2096 
2097 static bool
2098 write_string(struct buffer *buf, const char *str, const int maxlen)
2099 {
2100  const int len = strlen(str) + 1;
2101  if (len < 1 || (maxlen >= 0 && len > maxlen))
2102  {
2103  return false;
2104  }
2105  if (!buf_write_u16(buf, len))
2106  {
2107  return false;
2108  }
2109  if (!buf_write(buf, str, len))
2110  {
2111  return false;
2112  }
2113  return true;
2114 }
2115 
2116 static bool
2117 read_string(struct buffer *buf, char *str, const unsigned int capacity)
2118 {
2119  const int len = buf_read_u16(buf);
2120  if (len < 1 || len > (int)capacity)
2121  {
2122  return false;
2123  }
2124  if (!buf_read(buf, str, len))
2125  {
2126  return false;
2127  }
2128  str[len-1] = '\0';
2129  return true;
2130 }
2131 
2132 static char *
2134 {
2135  const int len = buf_read_u16(buf);
2136  char *str;
2137 
2138  if (len < 1)
2139  {
2140  return NULL;
2141  }
2142  str = (char *) malloc(len);
2143  check_malloc_return(str);
2144  if (!buf_read(buf, str, len))
2145  {
2146  free(str);
2147  return NULL;
2148  }
2149  str[len-1] = '\0';
2150  return str;
2151 }
2152 
2168 static bool
2170 {
2171  struct gc_arena gc = gc_new();
2172  bool ret = false;
2173  struct buffer out = alloc_buf_gc(512 * 3, &gc);
2174 
2175  if (session->opt->push_peer_info_detail > 1)
2176  {
2177  /* push version */
2178  buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
2179 
2180  /* push platform */
2181 #if defined(TARGET_LINUX)
2182  buf_printf(&out, "IV_PLAT=linux\n");
2183 #elif defined(TARGET_SOLARIS)
2184  buf_printf(&out, "IV_PLAT=solaris\n");
2185 #elif defined(TARGET_OPENBSD)
2186  buf_printf(&out, "IV_PLAT=openbsd\n");
2187 #elif defined(TARGET_DARWIN)
2188  buf_printf(&out, "IV_PLAT=mac\n");
2189 #elif defined(TARGET_NETBSD)
2190  buf_printf(&out, "IV_PLAT=netbsd\n");
2191 #elif defined(TARGET_FREEBSD)
2192  buf_printf(&out, "IV_PLAT=freebsd\n");
2193 #elif defined(TARGET_ANDROID)
2194  buf_printf(&out, "IV_PLAT=android\n");
2195 #elif defined(_WIN32)
2196  buf_printf(&out, "IV_PLAT=win\n");
2197 #endif
2198  }
2199 
2200  /* These are the IV variable that are sent to peers in p2p mode */
2201  if (session->opt->push_peer_info_detail > 0)
2202  {
2203  /* support for P_DATA_V2 */
2204  int iv_proto = IV_PROTO_DATA_V2;
2205 
2206  /* support for receiving push_reply before sending
2207  * push request, also signal that the client wants
2208  * to get push-reply messages without without requiring a round
2209  * trip for a push request message*/
2210  if (session->opt->pull)
2211  {
2212  iv_proto |= IV_PROTO_REQUEST_PUSH;
2213  iv_proto |= IV_PROTO_AUTH_PENDING_KW;
2214  }
2215 
2216  /* support for Negotiable Crypto Parameters */
2217  if (session->opt->mode == MODE_SERVER || session->opt->pull)
2218  {
2219  if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
2220  && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
2221  {
2222 
2223  buf_printf(&out, "IV_NCP=2\n");
2224  }
2225  }
2226  else
2227  {
2228  /* We are not using pull or p2mp server, instead do P2P NCP */
2229  iv_proto |= IV_PROTO_NCP_P2P;
2230  }
2231 
2232  buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
2233 
2234 #ifdef HAVE_EXPORT_KEYING_MATERIAL
2235  iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
2236 #endif
2237 
2238  buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
2239 
2240  if (session->opt->push_peer_info_detail > 1)
2241  {
2242  /* push compression status */
2243 #ifdef USE_COMP
2244  comp_generate_peer_info_string(&session->opt->comp_options, &out);
2245 #endif
2246  }
2247 
2248  if (session->opt->push_peer_info_detail > 2)
2249  {
2250  /* push mac addr */
2251  struct route_gateway_info rgi;
2252  get_default_gateway(&rgi, session->opt->net_ctx);
2253  if (rgi.flags & RGI_HWADDR_DEFINED)
2254  {
2255  buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2256  }
2257  buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2258 #if defined(_WIN32)
2259  buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2260 #endif
2261  }
2262 
2263  if (session->opt->push_peer_info_detail > 1)
2264  {
2265  struct env_set *es = session->opt->es;
2266  /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2267  for (struct env_item *e = es->list; e != NULL; e = e->next)
2268  {
2269  if (e->string)
2270  {
2271  if ((((strncmp(e->string, "UV_", 3) == 0
2272  || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2273  && session->opt->push_peer_info_detail >= 2)
2274  || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2275  || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
2276  )
2277  && buf_safe(&out, strlen(e->string) + 1))
2278  {
2279  buf_printf(&out, "%s\n", e->string);
2280  }
2281  }
2282  }
2283  }
2284 
2285  if (!write_string(buf, BSTR(&out), -1))
2286  {
2287  goto error;
2288  }
2289  }
2290  else
2291  {
2292  if (!write_empty_string(buf)) /* no peer info */
2293  {
2294  goto error;
2295  }
2296  }
2297  ret = true;
2298 
2299 error:
2300  gc_free(&gc);
2301  return ret;
2302 }
2303 
2304 #ifdef USE_COMP
2305 static bool
2306 write_compat_local_options(struct buffer *buf, const char *options)
2307 {
2308  struct gc_arena gc = gc_new();
2309  const char *local_options = options_string_compat_lzo(options, &gc);
2310  bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2311  gc_free(&gc);
2312  return ret;
2313 }
2314 #endif
2315 
2320 static bool
2321 key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2322 {
2323  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2324 
2325  ASSERT(buf_init(buf, 0));
2326 
2327  /* write a uint32 0 */
2328  if (!buf_write_u32(buf, 0))
2329  {
2330  goto error;
2331  }
2332 
2333  /* write key_method + flags */
2334  if (!buf_write_u8(buf, KEY_METHOD_2))
2335  {
2336  goto error;
2337  }
2338 
2339  /* write key source material */
2340  if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2341  {
2342  goto error;
2343  }
2344 
2345  /* write options string */
2346  {
2347 #ifdef USE_COMP
2348  if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2349  && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2350  {
2351  if (!write_compat_local_options(buf, session->opt->local_options))
2352  {
2353  goto error;
2354  }
2355  }
2356  else
2357 #endif
2358  if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2359  {
2360  goto error;
2361  }
2362  }
2363 
2364  /* write username/password if specified or we are using a auth-token */
2365  if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
2366  {
2367 #ifdef ENABLE_MANAGEMENT
2368  auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci);
2369 #else
2370  auth_user_pass_setup(session->opt->auth_user_pass_file, NULL);
2371 #endif
2372  struct user_pass *up = &auth_user_pass;
2373 
2374  /*
2375  * If we have a valid auth-token, send that instead of real
2376  * username/password
2377  */
2379  {
2380  up = &auth_token;
2381  }
2382 
2383  if (!write_string(buf, up->username, -1))
2384  {
2385  goto error;
2386  }
2387  else if (!write_string(buf, up->password, -1))
2388  {
2389  goto error;
2390  }
2391  /* if auth-nocache was specified, the auth_user_pass object reaches
2392  * a "complete" state only after having received the push-reply
2393  * message. The push message might contain an auth-token that needs
2394  * the username of auth_user_pass.
2395  *
2396  * For this reason, skip the purge operation here if no push-reply
2397  * message has been received yet.
2398  *
2399  * This normally happens upon first negotiation only.
2400  */
2401  if (!session->opt->pull)
2402  {
2404  }
2405  }
2406  else
2407  {
2408  if (!write_empty_string(buf)) /* no username */
2409  {
2410  goto error;
2411  }
2412  if (!write_empty_string(buf)) /* no password */
2413  {
2414  goto error;
2415  }
2416  }
2417 
2418  if (!push_peer_info(buf, session))
2419  {
2420  goto error;
2421  }
2422 
2423  if (session->opt->server && session->opt->mode != MODE_SERVER
2424  && ks->key_id == 0)
2425  {
2426  /* tls-server option set and not P2MP server, so we
2427  * are a P2P client running in tls-server mode */
2428  p2p_mode_ncp(multi, session);
2429  }
2430 
2431  return true;
2432 
2433 error:
2434  msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2435  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2436  return false;
2437 }
2438 
2439 static void
2441  struct tls_session *session)
2442 {
2443  if (session->opt->ekm_size > 0)
2444  {
2445  unsigned int size = session->opt->ekm_size;
2446  struct gc_arena gc = gc_new();
2447 
2448  unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
2450  session->opt->ekm_label,
2451  session->opt->ekm_label_size,
2452  ekm, session->opt->ekm_size))
2453  {
2454  unsigned int len = (size * 2) + 2;
2455 
2456  const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2457  setenv_str(session->opt->es, "exported_keying_material", key);
2458 
2459  dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
2460  __func__, key);
2461  secure_memzero(ekm, size);
2462  }
2463  else
2464  {
2465  msg(M_WARN, "WARNING: Export keying material failed!");
2466  setenv_del(session->opt->es, "exported_keying_material");
2467  }
2468  gc_free(&gc);
2469  }
2470 }
2471 
2476 static bool
2477 key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2478 {
2479  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2480 
2481  bool username_status, password_status;
2482 
2483  struct gc_arena gc = gc_new();
2484  char *options;
2485  struct user_pass *up = NULL;
2486 
2487  /* allocate temporary objects */
2488  ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2489 
2490  /* discard leading uint32 */
2491  if (!buf_advance(buf, 4))
2492  {
2493  msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2494  buf->len);
2495  goto error;
2496  }
2497 
2498  /* get key method */
2499  int key_method_flags = buf_read_u8(buf);
2500  if ((key_method_flags & KEY_METHOD_MASK) != 2)
2501  {
2502  msg(D_TLS_ERRORS,
2503  "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2504  key_method_flags);
2505  goto error;
2506  }
2507 
2508  /* get key source material (not actual keys yet) */
2509  if (!key_source2_read(ks->key_src, buf, session->opt->server))
2510  {
2511  msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2512  goto error;
2513  }
2514 
2515  /* get options */
2516  if (!read_string(buf, options, TLS_OPTIONS_LEN))
2517  {
2518  msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2519  goto error;
2520  }
2521 
2523 
2524  /* always extract username + password fields from buf, even if not
2525  * authenticating for it, because otherwise we can't get at the
2526  * peer_info data which follows behind
2527  */
2528  ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2529  username_status = read_string(buf, up->username, USER_PASS_LEN);
2530  password_status = read_string(buf, up->password, USER_PASS_LEN);
2531 
2532  /* get peer info from control channel */
2533  free(multi->peer_info);
2534  multi->peer_info = read_string_alloc(buf);
2535  if (multi->peer_info)
2536  {
2537  output_peer_info_env(session->opt->es, multi->peer_info);
2538  }
2539 
2540  free(multi->remote_ciphername);
2541  multi->remote_ciphername =
2542  options_string_extract_option(options, "cipher", NULL);
2543  multi->remote_usescomp = strstr(options, ",comp-lzo,");
2544 
2545  /* In OCC we send '[null-cipher]' instead 'none' */
2546  if (multi->remote_ciphername
2547  && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2548  {
2549  free(multi->remote_ciphername);
2550  multi->remote_ciphername = string_alloc("none", NULL);
2551  }
2552 
2553  if (tls_session_user_pass_enabled(session))
2554  {
2555  /* Perform username/password authentication */
2556  if (!username_status || !password_status)
2557  {
2558  CLEAR(*up);
2559  if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2560  {
2561  msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2562  goto error;
2563  }
2564  }
2565 
2566  verify_user_pass(up, multi, session);
2567  }
2568  else
2569  {
2570  /* Session verification should have occurred during TLS negotiation*/
2571  if (!session->verified)
2572  {
2573  msg(D_TLS_ERRORS,
2574  "TLS Error: Certificate verification failed (key-method 2)");
2575  goto error;
2576  }
2578  }
2579 
2580  /* clear username and password from memory */
2581  secure_memzero(up, sizeof(*up));
2582 
2583  /* Perform final authentication checks */
2584  if (ks->authenticated > KS_AUTH_FALSE)
2585  {
2586  verify_final_auth_checks(multi, session);
2587  }
2588 
2589  /* check options consistency */
2590  if (!session->opt->disable_occ
2591  && !options_cmp_equal(options, session->opt->remote_options))
2592  {
2593  const char *remote_options = session->opt->remote_options;
2594 #ifdef USE_COMP
2595  if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2596  {
2597  msg(D_SHOW_OCC, "Note: 'compress migrate' detected remote peer "
2598  "with compression enabled.");
2599  remote_options = options_string_compat_lzo(remote_options, &gc);
2600  }
2601 #endif
2602 
2603  options_warning(options, remote_options);
2604 
2605  if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2606  {
2607  msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2609  }
2610  }
2611 
2612  buf_clear(buf);
2613 
2614  /*
2615  * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2616  * veto opportunity over authentication decision.
2617  */
2618  if ((ks->authenticated > KS_AUTH_FALSE)
2620  {
2621  export_user_keying_material(&ks->ks_ssl, session);
2622 
2623  if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2624  {
2626  }
2627 
2628  setenv_del(session->opt->es, "exported_keying_material");
2629  }
2630 
2631  if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2632  {
2633  /* We are a p2p tls-client without pull, enable common
2634  * protocol options */
2635  p2p_mode_ncp(multi, session);
2636  }
2637 
2638  gc_free(&gc);
2639  return true;
2640 
2641 error:
2643  secure_memzero(ks->key_src, sizeof(*ks->key_src));
2644  if (up)
2645  {
2646  secure_memzero(up, sizeof(*up));
2647  }
2648  buf_clear(buf);
2649  gc_free(&gc);
2650  return false;
2651 }
2652 
2653 static int
2655 {
2656  int ret = o->handshake_window;
2657  const int r2 = o->renegotiate_seconds / 2;
2658 
2659  if (o->renegotiate_seconds && r2 < ret)
2660  {
2661  ret = r2;
2662  }
2663  return ret;
2664 }
2665 
2666 /*
2667  * This is the primary routine for processing TLS stuff inside the
2668  * the main event loop. When this routine exits
2669  * with non-error status, it will set *wakeup to the number of seconds
2670  * when it wants to be called again.
2671  *
2672  * Return value is true if we have placed a packet in *to_link which we
2673  * want to send to our peer.
2674  */
2675 static bool
2676 tls_process(struct tls_multi *multi,
2677  struct tls_session *session,
2678  struct buffer *to_link,
2679  struct link_socket_actual **to_link_addr,
2680  struct link_socket_info *to_link_socket_info,
2681  interval_t *wakeup)
2682 {
2683  struct gc_arena gc = gc_new();
2684  struct buffer *buf;
2685  bool state_change = false;
2686  bool active = false;
2687  struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2688  struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
2689 
2690  /* Make sure we were initialized and that we're not in an error state */
2691  ASSERT(ks->state != S_UNDEF);
2692  ASSERT(ks->state != S_ERROR);
2693  ASSERT(session_id_defined(&session->session_id));
2694 
2695  /* Should we trigger a soft reset? -- new key, keeps old key for a while */
2696  if (ks->state >= S_ACTIVE
2697  && ((session->opt->renegotiate_seconds
2698  && now >= ks->established + session->opt->renegotiate_seconds)
2699  || (session->opt->renegotiate_bytes > 0
2700  && ks->n_bytes >= session->opt->renegotiate_bytes)
2701  || (session->opt->renegotiate_packets
2702  && ks->n_packets >= session->opt->renegotiate_packets)
2704  {
2705  msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
2706  "/%d pkts=" counter_format "/%d",
2707  (int) (now - ks->established), session->opt->renegotiate_seconds,
2708  ks->n_bytes, session->opt->renegotiate_bytes,
2709  ks->n_packets, session->opt->renegotiate_packets);
2710  key_state_soft_reset(session);
2711  }
2712 
2713  /* Kill lame duck key transition_window seconds after primary key negotiation */
2714  if (lame_duck_must_die(session, wakeup))
2715  {
2716  key_state_free(ks_lame, true);
2717  msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
2718  }
2719 
2720  do
2721  {
2722  update_time();
2723 
2724  dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
2725  state_change,
2726  state_name(ks->state),
2727  state_name(ks_lame->state),
2728  to_link->len,
2729  *wakeup);
2730 
2731  state_change = false;
2732 
2733  /*
2734  * TLS activity is finished once we get to S_ACTIVE,
2735  * though we will still process acknowledgements.
2736  *
2737  * CHANGED with 2.0 -> now we may send tunnel configuration
2738  * info over the control channel.
2739  */
2740 
2741  /* Initial handshake */
2742  if (ks->state == S_INITIAL)
2743  {
2745  if (buf)
2746  {
2747  ks->initial = now;
2748  ks->must_negotiate = now + session->opt->handshake_window;
2750 
2751  /* null buffer */
2754 
2755  ks->state = S_PRE_START;
2756  state_change = true;
2757  dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2758  session_id_print(&session->session_id, &gc));
2759 
2760 #ifdef ENABLE_MANAGEMENT
2762  {
2765  NULL,
2766  NULL,
2767  NULL,
2768  NULL,
2769  NULL);
2770  }
2771 #endif
2772  }
2773  }
2774 
2775  /* Are we timed out on receive? */
2776  if (now >= ks->must_negotiate && ks->state < S_ACTIVE)
2777  {
2778  msg(D_TLS_ERRORS,
2779  "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2780  session->opt->handshake_window);
2781  goto error;
2782  }
2783 
2784  /* Wait for Initial Handshake ACK */
2785  if (ks->state == S_PRE_START && FULL_SYNC)
2786  {
2787  ks->state = S_START;
2788  state_change = true;
2789 
2790  /*
2791  * Attempt CRL reload before TLS negotiation. Won't be performed if
2792  * the file was not modified since the last reload
2793  */
2794  if (session->opt->crl_file
2795  && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
2796  {
2797  tls_ctx_reload_crl(&session->opt->ssl_ctx,
2798  session->opt->crl_file, session->opt->crl_file_inline);
2799  }
2800 
2801  /* New connection, remove any old X509 env variables */
2802  tls_x509_clear_env(session->opt->es);
2803 
2804  dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2805  }
2806 
2807  /* Wait for ACK */
2808  if (((ks->state == S_GOT_KEY && !session->opt->server)
2809  || (ks->state == S_SENT_KEY && session->opt->server)))
2810  {
2811  if (FULL_SYNC)
2812  {
2813  ks->established = now;
2814  dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2816  {
2817  print_details(&ks->ks_ssl, "Control Channel:");
2818  }
2819  state_change = true;
2820  ks->state = S_ACTIVE;
2821  /* Cancel negotiation timeout */
2822  ks->must_negotiate = 0;
2823  INCR_SUCCESS;
2824 
2825  /* Set outgoing address for data channel packets */
2826  link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
2827 
2828  /* Check if we need to advance the tls_multi state machine */
2829  if (multi->multi_state == CAS_NOT_CONNECTED)
2830  {
2831  if (session->opt->mode == MODE_SERVER)
2832  {
2833  /* On a server we continue with running connect scripts next */
2834  multi->multi_state = CAS_WAITING_AUTH;
2835  }
2836  else
2837  {
2838  /* Skip the connect script related states */
2840  }
2841  }
2842 
2843  /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2845 
2846 #ifdef MEASURE_TLS_HANDSHAKE_STATS
2847  show_tls_performance_stats();
2848 #endif
2849  }
2850  }
2851 
2852  /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2853  * for previously received packets) */
2854  if (!to_link->len && reliable_can_send(ks->send_reliable))
2855  {
2856  int opcode;
2857  struct buffer b;
2858 
2859  buf = reliable_send(ks->send_reliable, &opcode);
2860  ASSERT(buf);
2861  b = *buf;
2862  INCR_SENT;
2863 
2864  write_control_auth(session, ks, &b, to_link_addr, opcode,
2865  CONTROL_SEND_ACK_MAX, true);
2866  *to_link = b;
2867  active = true;
2868  state_change = true;
2869  dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2870  break;
2871  }
2872 
2873  /* Write incoming ciphertext to TLS object */
2875  if (buf)
2876  {
2877  int status = 0;
2878  if (buf->len)
2879  {
2880  status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2881  if (status == -1)
2882  {
2883  msg(D_TLS_ERRORS,
2884  "TLS Error: Incoming Ciphertext -> TLS object write error");
2885  goto error;
2886  }
2887  }
2888  else
2889  {
2890  status = 1;
2891  }
2892  if (status == 1)
2893  {
2894  reliable_mark_deleted(ks->rec_reliable, buf, true);
2895  state_change = true;
2896  dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2897  }
2898  }
2899 
2900  /* Read incoming plaintext from TLS object */
2901  buf = &ks->plaintext_read_buf;
2902  if (!buf->len)
2903  {
2904  int status;
2905 
2906  ASSERT(buf_init(buf, 0));
2908  update_time();
2909  if (status == -1)
2910  {
2911  msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2912  goto error;
2913  }
2914  if (status == 1)
2915  {
2916  state_change = true;
2917  dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2918 
2919  /* More data may be available, wake up again asap to check. */
2920  *wakeup = 0;
2921  }
2922  }
2923 
2924  /* Send Key */
2925  buf = &ks->plaintext_write_buf;
2926  if (!buf->len && ((ks->state == S_START && !session->opt->server)
2927  || (ks->state == S_GOT_KEY && session->opt->server)))
2928  {
2929  if (!key_method_2_write(buf, multi, session))
2930  {
2931  goto error;
2932  }
2933 
2934  state_change = true;
2935  dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2936  ks->state = S_SENT_KEY;
2937  }
2938 
2939  /* Receive Key */
2940  buf = &ks->plaintext_read_buf;
2941  if (buf->len
2942  && ((ks->state == S_SENT_KEY && !session->opt->server)
2943  || (ks->state == S_START && session->opt->server)))
2944  {
2945  if (!key_method_2_read(buf, multi, session))
2946  {
2947  goto error;
2948  }
2949 
2950  state_change = true;
2951  dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2952  ks->state = S_GOT_KEY;
2953  }
2954 
2955  /* Write outgoing plaintext to TLS object */
2956  buf = &ks->plaintext_write_buf;
2957  if (buf->len)
2958  {
2959  int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2960  if (status == -1)
2961  {
2962  msg(D_TLS_ERRORS,
2963  "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2964  goto error;
2965  }
2966  if (status == 1)
2967  {
2968  state_change = true;
2969  dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2970  }
2971  }
2972 
2973  /* Outgoing Ciphertext to reliable buffer */
2974  if (ks->state >= S_START)
2975  {
2977  if (buf)
2978  {
2980  if (status == -1)
2981  {
2982  msg(D_TLS_ERRORS,
2983  "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2984  goto error;
2985  }
2986  if (status == 1)
2987  {
2990  state_change = true;
2991  dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2992  }
2993  }
2994  }
2995  }
2996  while (state_change);
2997 
2998  update_time();
2999 
3000  /* Send 1 or more ACKs (each received control packet gets one ACK) */
3001  if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3002  {
3003  struct buffer buf = ks->ack_write_buf;
3004  ASSERT(buf_init(&buf, FRAME_HEADROOM(&multi->opt.frame)));
3005  write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
3006  RELIABLE_ACK_SIZE, false);
3007  *to_link = buf;
3008  active = true;
3009  dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3010  }
3011 
3012  /* When should we wake up again? */
3013  {
3014  if (ks->state >= S_INITIAL)
3015  {
3016  compute_earliest_wakeup(wakeup,
3018 
3019  if (ks->must_negotiate)
3020  {
3022  }
3023  }
3024 
3025  if (ks->established && session->opt->renegotiate_seconds)
3026  {
3027  compute_earliest_wakeup(wakeup,
3028  ks->established + session->opt->renegotiate_seconds - now);
3029  }
3030 
3031  /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3032  if (*wakeup <= 0)
3033  {
3034  *wakeup = 1;
3035 
3036  /* if we had something to send to remote, but to_link was busy,
3037  * let caller know we need to be called again soon */
3038  active = true;
3039  }
3040 
3041  dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3042 
3043  gc_free(&gc);
3044  return active;
3045  }
3046 
3047 error:
3048  tls_clear_error();
3049  ks->state = S_ERROR;
3050  msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
3051  INCR_ERROR;
3052  gc_free(&gc);
3053  return false;
3054 }
3055 
3056 /*
3057  * Called by the top-level event loop.
3058  *
3059  * Basically decides if we should call tls_process for
3060  * the active or untrusted sessions.
3061  */
3062 
3063 int
3065  struct buffer *to_link,
3066  struct link_socket_actual **to_link_addr,
3067  struct link_socket_info *to_link_socket_info,
3068  interval_t *wakeup)
3069 {
3070  struct gc_arena gc = gc_new();
3071  int active = TLSMP_INACTIVE;
3072  bool error = false;
3073 
3075 
3076  tls_clear_error();
3077 
3078  /*
3079  * Process each session object having state of S_INITIAL or greater,
3080  * and which has a defined remote IP addr.
3081  */
3082 
3083  for (int i = 0; i < TM_SIZE; ++i)
3084  {
3085  struct tls_session *session = &multi->session[i];
3086  struct key_state *ks = &session->key[KS_PRIMARY];
3087  struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3088 
3089  /* set initial remote address */
3090  if (i == TM_ACTIVE && ks->state == S_INITIAL
3091  && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3092  {
3093  ks->remote_addr = to_link_socket_info->lsa->actual;
3094  }
3095 
3096  dmsg(D_TLS_DEBUG,
3097  "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3098  i,
3099  state_name(ks->state),
3100  session_id_print(&session->session_id, &gc),
3103 
3105  {
3106  struct link_socket_actual *tla = NULL;
3107 
3108  update_time();
3109 
3110  if (tls_process(multi, session, to_link, &tla,
3111  to_link_socket_info, wakeup))
3112  {
3113  active = TLSMP_ACTIVE;
3114  }
3115 
3116  /*
3117  * If tls_process produced an outgoing packet,
3118  * return the link_socket_actual object (which
3119  * contains the outgoing address).
3120  */
3121  if (tla)
3122  {
3123  multi->to_link_addr = *tla;
3124  *to_link_addr = &multi->to_link_addr;
3125  }
3126 
3127  /*
3128  * If tls_process hits an error:
3129  * (1) If the session has an unexpired lame duck key, preserve it.
3130  * (2) Reinitialize the session.
3131  * (3) Increment soft error count
3132  */
3133  if (ks->state == S_ERROR)
3134  {
3135  ++multi->n_soft_errors;
3136 
3137  if (i == TM_ACTIVE)
3138  {
3139  error = true;
3140  }
3141 
3142  if (i == TM_ACTIVE
3143  && ks_lame->state >= S_ACTIVE
3144  && !multi->opt.single_session)
3145  {
3146  move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3147  }
3148  else
3149  {
3150  reset_session(multi, session);
3151  }
3152  }
3153  }
3154  }
3155 
3156  update_time();
3157 
3158  enum tls_auth_status tas = tls_authentication_status(multi);
3159 
3160  /* If we have successfully authenticated and are still waiting for the authentication to finish
3161  * move the state machine for the multi context forward */
3162 
3163  if (multi->multi_state >= CAS_CONNECT_DONE)
3164  {
3165  for (int i = 0; i < TM_SIZE; ++i)
3166  {
3167  struct tls_session *session = &multi->session[i];
3168  struct key_state *ks = &session->key[KS_PRIMARY];
3169 
3170  if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3171  {
3172  /* Session is now fully authenticated.
3173  * tls_session_generate_data_channel_keys will move ks->state
3174  * from S_ACTIVE to S_GENERATED_KEYS */
3176  {
3177  msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3179  ks->state = S_ERROR;
3180  }
3181 
3182  /* Update auth token on the client if needed */
3183  resend_auth_token_renegotiation(multi, session);
3184  }
3185  }
3186  }
3187 
3189  {
3190  multi->multi_state = CAS_PENDING;
3191  }
3192 
3193  /*
3194  * If lame duck session expires, kill it.
3195  */
3196  if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3197  {
3198  tls_session_free(&multi->session[TM_LAME_DUCK], true);
3199  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3200  }
3201 
3202  /*
3203  * If untrusted session achieves TLS authentication,
3204  * move it to active session, usurping any prior session.
3205  *
3206  * A semi-trusted session is one in which the certificate authentication
3207  * succeeded (if cert verification is enabled) but the username/password
3208  * verification failed. A semi-trusted session can forward data on the
3209  * TLS control channel but not on the tunnel channel.
3210  */
3211  if (TLS_AUTHENTICATED(multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY]))
3212  {
3213  move_session(multi, TM_ACTIVE, TM_UNTRUSTED, true);
3214  msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
3215  tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3216  }
3217 
3218  /*
3219  * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3220  * other key state objects are S_ACTIVE or higher.
3221  */
3222  if (error)
3223  {
3224  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3225  {
3226  if (get_key_scan(multi, i)->state >= S_ACTIVE)
3227  {
3228  goto nohard;
3229  }
3230  }
3231  ++multi->n_hard_errors;
3232  }
3233 nohard:
3234 
3235 #ifdef ENABLE_DEBUG
3236  /* DEBUGGING -- flood peer with repeating connection attempts */
3237  {
3238  const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3239  if (throw_level)
3240  {
3241  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3242  {
3243  if (get_key_scan(multi, i)->state >= throw_level)
3244  {
3245  ++multi->n_hard_errors;
3246  ++multi->n_soft_errors;
3247  }
3248  }
3249  }
3250  }
3251 #endif
3252 
3253  perf_pop();
3254  gc_free(&gc);
3255 
3256  return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3257 }
3258 
3259 /*
3260  * Pre and post-process the encryption & decryption buffers in order
3261  * to implement a multiplexed TLS channel over the TCP/UDP port.
3262  */
3263 
3264 static inline void
3266  const struct link_socket_actual *from,
3267  struct buffer *buf,
3268  struct crypto_options **opt,
3269  bool floated,
3270  const uint8_t **ad_start)
3271 {
3272  struct gc_arena gc = gc_new();
3273 
3274  uint8_t c = *BPTR(buf);
3275  int op = c >> P_OPCODE_SHIFT;
3276  int key_id = c & P_KEY_ID_MASK;
3277 
3278  /* data channel packet */
3279  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3280  {
3281  struct key_state *ks = get_key_scan(multi, i);
3282 
3283  /*
3284  * This is the basic test of TLS state compatibility between a local OpenVPN
3285  * instance and its remote peer.
3286  *
3287  * If the test fails, it tells us that we are getting a packet from a source
3288  * which claims reference to a prior negotiated TLS session, but the local
3289  * OpenVPN instance has no memory of such a negotiation.
3290  *
3291  * It almost always occurs on UDP sessions when the passive side of the
3292  * connection is restarted without the active side restarting as well (the
3293  * passive side is the server which only listens for the connections, the
3294  * active side is the client which initiates connections).
3295  */
3296  if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3297  && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3298  {
3301  {
3303  "Key %s [%d] not initialized (yet), dropping packet.",
3304  print_link_socket_actual(from, &gc), key_id);
3305  goto done;
3306  }
3307 
3308  /* return appropriate data channel decrypt key in opt */
3309  *opt = &ks->crypto_options;
3310  if (op == P_DATA_V2)
3311  {
3312  *ad_start = BPTR(buf);
3313  }
3314  ASSERT(buf_advance(buf, 1));
3315  if (op == P_DATA_V1)
3316  {
3317  *ad_start = BPTR(buf);
3318  }
3319  else if (op == P_DATA_V2)
3320  {
3321  if (buf->len < 4)
3322  {
3323  msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3324  print_link_socket_actual(from, &gc));
3325  ++multi->n_soft_errors;
3326  goto done;
3327  }
3328  ASSERT(buf_advance(buf, 3));
3329  }
3330 
3331  ++ks->n_packets;
3332  ks->n_bytes += buf->len;
3334  "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3335  key_id, print_link_socket_actual(from, &gc));
3336  gc_free(&gc);
3337  return;
3338  }
3339  }
3340 
3341  msg(D_TLS_ERRORS,
3342  "TLS Error: local/remote TLS keys are out of sync: %s "
3343  "(received key id: %d, known key ids: %s)",
3344  print_link_socket_actual(from, &gc), key_id,
3345  print_key_id(multi, &gc));
3346 
3347 done:
3348  tls_clear_error();
3349  buf->len = 0;
3350  *opt = NULL;
3351  gc_free(&gc);
3352 }
3353 
3354 /*
3355  *
3356  * When we are in TLS mode, this is the first routine which sees
3357  * an incoming packet.
3358  *
3359  * If it's a data packet, we set opt so that our caller can
3360  * decrypt it. We also give our caller the appropriate decryption key.
3361  *
3362  * If it's a control packet, we authenticate it and process it,
3363  * possibly creating a new tls_session if it represents the
3364  * first packet of a new session. For control packets, we will
3365  * also zero the size of *buf so that our caller ignores the
3366  * packet on our return.
3367  *
3368  * Note that openvpn only allows one active session at a time,
3369  * so a new session (once authenticated) will always usurp
3370  * an old session.
3371  *
3372  * Return true if input was an authenticated control channel
3373  * packet.
3374  *
3375  * If we are running in TLS thread mode, all public routines
3376  * below this point must be called with the L_TLS lock held.
3377  */
3378 
3379 bool
3381  const struct link_socket_actual *from,
3382  struct buffer *buf,
3383  struct crypto_options **opt,
3384  bool floated,
3385  const uint8_t **ad_start)
3386 {
3387 
3388  if (buf->len <= 0)
3389  {
3390  buf->len = 0;
3391  *opt = NULL;
3392  return false;
3393  }
3394 
3395  struct gc_arena gc = gc_new();
3396  bool ret = false;
3397 
3398  /* get opcode */
3399  uint8_t pkt_firstbyte = *BPTR(buf);
3400  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3401 
3402  if ((op == P_DATA_V1) || (op == P_DATA_V2))
3403  {
3404  handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3405  return false;
3406  }
3407 
3408  /* get key_id */
3409  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3410 
3411  /* control channel packet */
3412  bool do_burst = false;
3413  bool new_link = false;
3414  struct session_id sid; /* remote session ID */
3415 
3416  /* verify legal opcode */
3417  if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3418  {
3421  {
3422  msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3423  }
3424  msg(D_TLS_ERRORS,
3425  "TLS Error: unknown opcode received from %s op=%d",
3426  print_link_socket_actual(from, &gc), op);
3427  goto error;
3428  }
3429 
3430  /* hard reset ? */
3431  if (is_hard_reset_method2(op))
3432  {
3433  /* verify client -> server or server -> client connection */
3434  if (((op == P_CONTROL_HARD_RESET_CLIENT_V2
3435  || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3436  || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3437  {
3438  msg(D_TLS_ERRORS,
3439  "TLS Error: client->client or server->server connection attempted from %s",
3440  print_link_socket_actual(from, &gc));
3441  goto error;
3442  }
3443  }
3444 
3445  /*
3446  * Authenticate Packet
3447  */
3448  dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3450 
3451  /* get remote session-id */
3452  {
3453  struct buffer tmp = *buf;
3454  buf_advance(&tmp, 1);
3455  if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3456  {
3457  msg(D_TLS_ERRORS,
3458  "TLS Error: session-id not found in packet from %s",
3459  print_link_socket_actual(from, &gc));
3460  goto error;
3461  }
3462  }
3463 
3464  int i;
3465  /* use session ID to match up packet with appropriate tls_session object */
3466  for (i = 0; i < TM_SIZE; ++i)
3467  {
3468  struct tls_session *session = &multi->session[i];
3469  struct key_state *ks = &session->key[KS_PRIMARY];
3470 
3471  dmsg(D_TLS_DEBUG,
3472  "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3473  i,
3474  state_name(ks->state),
3475  session_id_print(&session->session_id, &gc),
3476  session_id_print(&sid, &gc),
3477  print_link_socket_actual(from, &gc),
3480 
3481  if (session_id_equal(&ks->session_id_remote, &sid))
3482  /* found a match */
3483  {
3484  if (i == TM_LAME_DUCK)
3485  {
3486  msg(D_TLS_ERRORS,
3487  "TLS ERROR: received control packet with stale session-id=%s",
3488  session_id_print(&sid, &gc));
3489  goto error;
3490  }
3491  dmsg(D_TLS_DEBUG,
3492  "TLS: found match, session[%d], sid=%s",
3493  i, session_id_print(&sid, &gc));
3494  break;
3495  }
3496  }
3497 
3498  /*
3499  * Hard reset and session id does not match any session in
3500  * multi->session: Possible initial packet
3501  */
3502  if (i == TM_SIZE && is_hard_reset_method2(op))
3503  {
3504  struct tls_session *session = &multi->session[TM_ACTIVE];
3505  const struct key_state *ks = get_primary_key(multi);
3506 
3507  /*
3508  * If we have no session currently in progress, the initial packet will
3509  * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
3510  */
3512  {
3513  if (multi->opt.single_session && multi->n_sessions)
3514  {
3515  msg(D_TLS_ERRORS,
3516  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
3517  print_link_socket_actual(from, &gc));
3518  goto error;
3519  }
3520 
3521 #ifdef ENABLE_MANAGEMENT
3522  if (management)
3523  {
3526  NULL,
3527  NULL,
3528  NULL,
3529  NULL,
3530  NULL);
3531  }
3532 #endif
3533 
3535  "TLS: Initial packet from %s, sid=%s",
3536  print_link_socket_actual(from, &gc),
3537  session_id_print(&sid, &gc));
3538 
3539  do_burst = true;
3540  new_link = true;
3541  i = TM_ACTIVE;
3542  session->untrusted_addr = *from;
3543  }
3544  }
3545 
3546  /*
3547  * If we detected new session in the last if block, variable i has
3548  * changed to TM_ACTIVE, so check the condition again.
3549  */
3550  if (i == TM_SIZE && is_hard_reset_method2(op))
3551  {
3552  /*
3553  * No match with existing sessions,
3554  * probably a new session.
3555  */
3556  struct tls_session *session = &multi->session[TM_UNTRUSTED];
3557 
3558  /*
3559  * If --single-session, don't allow any hard-reset connection request
3560  * unless it the first packet of the session.
3561  */
3562  if (multi->opt.single_session)
3563  {
3564  msg(D_TLS_ERRORS,
3565  "TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
3566  print_link_socket_actual(from, &gc));
3567  goto error;
3568  }
3569 
3570  if (!read_control_auth(buf, &session->tls_wrap, from,
3571  session->opt))
3572  {
3573  goto error;
3574  }
3575 
3576  /*
3577  * New session-initiating control packet is authenticated at this point,
3578  * assuming that the --tls-auth command line option was used.
3579  *
3580  * Without --tls-auth, we leave authentication entirely up to TLS.
3581  */
3583  "TLS: new session incoming connection from %s",
3584  print_link_socket_actual(from, &gc));
3585 
3586  new_link = true;
3587  i = TM_UNTRUSTED;
3588  session->untrusted_addr = *from;
3589  }
3590  else
3591  {
3592  struct tls_session *session = &multi->session[i];
3593  struct key_state *ks = &session->key[KS_PRIMARY];
3594 
3595  /*
3596  * Packet must belong to an existing session.
3597  */
3598  if (i != TM_ACTIVE && i != TM_UNTRUSTED)
3599  {
3600  msg(D_TLS_ERRORS,
3601  "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3602  print_link_socket_actual(from, &gc),
3603  i,
3604  packet_opcode_name(op));
3605  goto error;
3606  }
3607 
3608  /*
3609  * Verify remote IP address
3610  */
3611  if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3612  {
3613  msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3614  print_link_socket_actual(from, &gc));
3615  goto error;
3616  }
3617 
3618  /*
3619  * Remote is requesting a key renegotiation
3620  */
3621  if (op == P_CONTROL_SOFT_RESET_V1 && TLS_AUTHENTICATED(multi, ks))
3622  {
3623  if (!read_control_auth(buf, &session->tls_wrap, from,
3624  session->opt))
3625  {
3626  goto error;
3627  }
3628 
3629  key_state_soft_reset(session);
3630 
3631  dmsg(D_TLS_DEBUG,
3632  "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3633  i, session_id_print(&sid, &gc));
3634  }
3635  else
3636  {
3637  /*
3638  * Remote responding to our key renegotiation request?
3639  */
3640  if (op == P_CONTROL_SOFT_RESET_V1)
3641  {
3642  do_burst = true;
3643  }
3644 
3645  if (!read_control_auth(buf, &session->tls_wrap, from,
3646  session->opt))
3647  {
3648  goto error;
3649  }
3650 
3651  dmsg(D_TLS_DEBUG,
3652  "TLS: received control channel packet s#=%d sid=%s",
3653  i, session_id_print(&sid, &gc));
3654  }
3655  }
3656 
3657  /*
3658  * We have an authenticated control channel packet (if --tls-auth was set).
3659  * Now pass to our reliability layer which deals with
3660  * packet acknowledgements, retransmits, sequencing, etc.
3661  */
3662  struct tls_session *session = &multi->session[i];
3663  struct key_state *ks = &session->key[KS_PRIMARY];
3664 
3665  /* Make sure we were initialized and that we're not in an error state */
3666  ASSERT(ks->state != S_UNDEF);
3667  ASSERT(ks->state != S_ERROR);
3668  ASSERT(session_id_defined(&session->session_id));
3669 
3670  /* Let our caller know we processed a control channel packet */
3671  ret = true;
3672 
3673  /*
3674  * Set our remote address and remote session_id
3675  */
3676  if (new_link)
3677  {
3678  ks->session_id_remote = sid;
3679  ks->remote_addr = *from;
3680  ++multi->n_sessions;
3681  }
3682  else if (!link_socket_actual_match(&ks->remote_addr, from))
3683  {
3684  msg(D_TLS_ERRORS,
3685  "TLS Error: Existing session control channel packet from unknown IP address: %s",
3686  print_link_socket_actual(from, &gc));
3687  goto error;
3688  }
3689 
3690  /*
3691  * Should we do a retransmit of all unacknowledged packets in
3692  * the send buffer? This improves the start-up efficiency of the
3693  * initial key negotiation after the 2nd peer comes online.
3694  */
3695  if (do_burst && !session->burst)
3696  {
3698  session->burst = true;
3699  }
3700 
3701  /* Check key_id */
3702  if (ks->key_id != key_id)
3703  {
3704  msg(D_TLS_ERRORS,
3705  "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3706  ks->key_id, key_id, print_key_id(multi, &gc));
3707  goto error;
3708  }
3709 
3710  /*
3711  * Process incoming ACKs for packets we can now
3712  * delete from reliable send buffer
3713  */
3714  {
3715  /* buffers all packet IDs to delete from send_reliable */
3716  struct reliable_ack send_ack;
3717 
3718  send_ack.len = 0;
3719  if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3720  {
3721  msg(D_TLS_ERRORS,
3722  "TLS Error: reading acknowledgement record from packet");
3723  goto error;
3724  }
3725  reliable_send_purge(ks->send_reliable, &send_ack);
3726  }
3727 
3728  if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3729  {
3730  packet_id_type id;
3731 
3732  /* Extract the packet ID from the packet */
3733  if (reliable_ack_read_packet_id(buf, &id))
3734  {
3735  /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3737  {
3738  if (reliable_not_replay(ks->rec_reliable, id))
3739  {
3740  /* Save incoming ciphertext packet to reliable buffer */
3741  struct buffer *in = reliable_get_buf(ks->rec_reliable);
3742  ASSERT(in);
3743  if (!buf_copy(in, buf))
3744  {
3746  "Incoming control channel packet too big, dropping.");
3747  goto error;
3748  }
3750  }
3751 
3752  /* Process outgoing acknowledgment for packet just received, even if it's a replay */
3754  }
3755  }
3756  }
3757  /* Remember that we received a valid control channel packet */
3758  ks->peer_last_packet = now;
3759 
3760 done:
3761  buf->len = 0;
3762  *opt = NULL;
3763  gc_free(&gc);
3764  return ret;
3765 
3766 error:
3767  ++multi->n_soft_errors;
3768  tls_clear_error();
3769  goto done;
3770 }
3771 
3772 /*
3773  * This function is similar to tls_pre_decrypt, except it is called
3774  * when we are in server mode and receive an initial incoming
3775  * packet. Note that we don't modify
3776  * any state in our parameter objects. The purpose is solely to
3777  * determine whether we should generate a client instance
3778  * object, in which case true is returned.
3779  *
3780  * This function is essentially the first-line HMAC firewall
3781  * on the UDP port listener in --mode server mode.
3782  */
3783 bool
3785  const struct link_socket_actual *from,
3786  const struct buffer *buf)
3787 
3788 {
3789  if (buf->len <= 0)
3790  {
3791  return false;
3792  }
3793  struct gc_arena gc = gc_new();
3794 
3795  /* get opcode and key ID */
3796  uint8_t pkt_firstbyte = *BPTR(buf);
3797  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3798  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3799 
3800  /* this packet is from an as-yet untrusted source, so
3801  * scrutinize carefully */
3802 
3805  {
3806  /*
3807  * This can occur due to bogus data or DoS packets.
3808  */
3810  "TLS State Error: No TLS state for client %s, opcode=%d",
3811  print_link_socket_actual(from, &gc),
3812  op);
3813  goto error;
3814  }
3815 
3816  if (key_id != 0)
3817  {
3819  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
3820  key_id,
3821  print_link_socket_actual(from, &gc));
3822  goto error;
3823  }
3824 
3825  if (buf->len > EXPANDED_SIZE_DYNAMIC(&tas->frame))
3826  {
3828  "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
3829  buf->len,
3830  print_link_socket_actual(from, &gc),
3831  EXPANDED_SIZE_DYNAMIC(&tas->frame));
3832  goto error;
3833  }
3834 
3835 
3836  struct buffer newbuf = clone_buf(buf);
3837  struct tls_wrap_ctx tls_wrap_tmp = tas->tls_wrap;
3838 
3839  /* HMAC test, if --tls-auth was specified */
3840  bool status = read_control_auth(&newbuf, &tls_wrap_tmp, from, NULL);
3841  free_buf(&newbuf);
3842  free_buf(&tls_wrap_tmp.tls_crypt_v2_metadata);
3843  if (tls_wrap_tmp.cleanup_key_ctx)
3844  {
3845  free_key_ctx_bi(&tls_wrap_tmp.opt.key_ctx_bi);
3846  }
3847  if (!status)
3848  {
3849  goto error;
3850  }
3851 
3852  /*
3853  * At this point, if --tls-auth is being used, we know that
3854  * the packet has passed the HMAC test, but we don't know if
3855  * it is a replay yet. We will attempt to defeat replays
3856  * by not advancing to the S_START state until we
3857  * receive an ACK from our first reply to the client
3858  * that includes an HMAC of our randomly generated 64 bit
3859  * session ID.
3860  *
3861  * On the other hand if --tls-auth is not being used, we
3862  * will proceed to begin the TLS authentication
3863  * handshake with only cursory integrity checks having
3864  * been performed, since we will be leaving the task
3865  * of authentication solely up to TLS.
3866  */
3867  gc_free(&gc);
3868  return true;
3869 
3870 error:
3871  tls_clear_error();
3872  gc_free(&gc);
3873  return false;
3874 }
3875 
3877 {
3878  struct key_state *ks_select = NULL;
3879  for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3880  {
3881  struct key_state *ks = get_key_scan(multi, i);
3882  if (ks->state >= S_GENERATED_KEYS)
3883  {
3886 
3887  if (!ks_select)
3888  {
3889  ks_select = ks;
3890  }
3891  if (now >= ks->auth_deferred_expire)
3892  {
3893  ks_select = ks;
3894  break;
3895  }
3896  }
3897  }
3898  return ks_select;
3899 }
3900 
3901 
3902 /* Choose the key with which to encrypt a data packet */
3903 void
3905  struct buffer *buf, struct crypto_options **opt)
3906 {
3907  multi->save_ks = NULL;
3908  if (buf->len <= 0)
3909  {
3910  buf->len = 0;
3911  *opt = NULL;
3912  return;
3913  }
3914 
3915  struct key_state *ks_select = tls_select_encryption_key(multi);
3916 
3917  if (ks_select)
3918  {
3919  *opt = &ks_select->crypto_options;
3920  multi->save_ks = ks_select;
3921  dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3922  return;
3923  }
3924  else
3925  {
3926  struct gc_arena gc = gc_new();
3927  dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3928  print_key_id(multi, &gc));
3929  gc_free(&gc);
3930 
3931  *opt = NULL;
3932  buf->len = 0;
3933  }
3934 }
3935 
3936 void
3937 tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3938 {
3939  struct key_state *ks = multi->save_ks;
3940  uint8_t op;
3941 
3942  msg(D_TLS_DEBUG, __func__);
3943 
3944  ASSERT(ks);
3945 
3946  op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
3947  ASSERT(buf_write_prepend(buf, &op, 1));
3948 }
3949 
3950 void
3951 tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
3952 {
3953  struct key_state *ks = multi->save_ks;
3954  uint32_t peer;
3955 
3956  msg(D_TLS_DEBUG, __func__);
3957 
3958  ASSERT(ks);
3959 
3960  peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
3961  | (multi->peer_id & 0xFFFFFF));
3962  ASSERT(buf_write_prepend(buf, &peer, 4));
3963 }
3964 
3965 void
3966 tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
3967 {
3968  struct key_state *ks = multi->save_ks;
3969  multi->save_ks = NULL;
3970 
3971  if (buf->len > 0)
3972  {
3973  ASSERT(ks);
3974 
3975  ++ks->n_packets;
3976  ks->n_bytes += buf->len;
3977  }
3978 }
3979 
3980 /*
3981  * Send a payload over the TLS control channel.
3982  * Called externally.
3983  */
3984 
3985 bool
3987  const uint8_t *data,
3988  int size)
3989 {
3990  struct key_state *ks;
3991  bool ret = false;
3992 
3993  tls_clear_error();
3994 
3995  ASSERT(multi);
3996 
3997  ks = get_key_scan(multi, 0);
3998 
3999  if (ks->state >= S_ACTIVE)
4000  {
4001  if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
4002  {
4003  ret = true;
4004  }
4005  }
4006  else
4007  {
4008  if (!ks->paybuf)
4009  {
4010  ks->paybuf = buffer_list_new(0);
4011  }
4012  buffer_list_push_data(ks->paybuf, data, (size_t)size);
4013  ret = true;
4014  }
4015 
4016 
4017  tls_clear_error();
4018 
4019  return ret;
4020 }
4021 
4022 bool
4024  struct buffer *buf)
4025 {
4026  bool ret = false;
4027 
4028  tls_clear_error();
4029 
4030  ASSERT(multi);
4031 
4032  struct key_state *ks = get_key_scan(multi, 0);
4033 
4034  if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4035  {
4036  if (buf_copy(buf, &ks->plaintext_read_buf))
4037  {
4038  ret = true;
4039  }
4040  ks->plaintext_read_buf.len = 0;
4041  }
4042 
4043  tls_clear_error();
4044 
4045  return ret;
4046 }
4047 
4048 void
4049 tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4050 {
4051  struct gc_arena gc = gc_new();
4052  for (int i = 0; i < TM_SIZE; ++i)
4053  {
4054  struct tls_session *session = &multi->session[i];
4055 
4056  for (int j = 0; j < KS_SIZE; ++j)
4057  {
4058  struct key_state *ks = &session->key[j];
4059 
4061  || link_socket_actual_match(addr, &ks->remote_addr))
4062  {
4063  continue;
4064  }
4065 
4066  dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4068  print_link_socket_actual(addr, &gc));
4069 
4070  ks->remote_addr = *addr;
4071  }
4072  }
4073  gc_free(&gc);
4074 }
4075 
4076 void
4077 show_available_tls_ciphers(const char *cipher_list,
4078  const char *cipher_list_tls13,
4079  const char *tls_cert_profile)
4080 {
4081  printf("Available TLS Ciphers, listed in order of preference:\n");
4082 
4083  if (tls_version_max() >= TLS_VER_1_3)
4084  {
4085  printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4086  show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4087  }
4088 
4089  printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4090  show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4091 
4092  printf("\n"
4093  "Be aware that that whether a cipher suite in this list can actually work\n"
4094  "depends on the specific setup of both peers. See the man page entries of\n"
4095  "--tls-cipher and --show-tls for more details.\n\n"
4096  );
4097 }
4098 
4099 /*
4100  * Dump a human-readable rendition of an openvpn packet
4101  * into a garbage collectable string which is returned.
4102  */
4103 const char *
4104 protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4105 {
4106  struct buffer out = alloc_buf_gc(256, gc);
4107  struct buffer buf = *buffer;
4108 
4109  uint8_t c;
4110  int op;
4111  int key_id;
4112 
4113  int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4114 
4115  if (buf.len <= 0)
4116  {
4117  buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4118  goto done;
4119  }
4120 
4121  if (!(flags & PD_TLS))
4122  {
4123  goto print_data;
4124  }
4125 
4126  /*
4127  * Initial byte (opcode)
4128  */
4129  if (!buf_read(&buf, &c, sizeof(c)))
4130  {
4131  goto done;
4132  }
4133  op = (c >> P_OPCODE_SHIFT);
4134  key_id = c & P_KEY_ID_MASK;
4135  buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4136 
4137  if ((op == P_DATA_V1) || (op == P_DATA_V2))
4138  {
4139  goto print_data;
4140  }
4141 
4142  /*
4143  * Session ID
4144  */
4145  {
4146  struct session_id sid;
4147 
4148  if (!session_id_read(&sid, &buf))
4149  {
4150  goto done;
4151  }
4152  if (flags & PD_VERBOSE)
4153  {
4154  buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4155  }
4156  }
4157 
4158  /*
4159  * tls-auth hmac + packet_id
4160  */
4161  if (tls_auth_hmac_size)
4162  {
4163  struct packet_id_net pin;
4164  uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4165 
4166  ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4167 
4168  if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4169  {
4170  goto done;
4171  }
4172  if (flags & PD_VERBOSE)
4173  {
4174  buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4175  }
4176 
4177  if (!packet_id_read(&pin, &buf, true))
4178  {
4179  goto done;
4180  }
4181  buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4182  }
4183 
4184  /*
4185  * ACK list
4186  */
4187  buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4188 
4189  if (op == P_ACK_V1)
4190  {
4191  goto done;
4192  }
4193 
4194  /*
4195  * Packet ID
4196  */
4197  {
4198  packet_id_type l;
4199  if (!buf_read(&buf, &l, sizeof(l)))
4200  {
4201  goto done;
4202  }
4203  l = ntohpid(l);
4205  }
4206 
4207 print_data:
4208  if (flags & PD_SHOW_DATA)
4209  {
4210  buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4211  }
4212  else
4213  {
4214  buf_printf(&out, " DATA len=%d", buf.len);
4215  }
4216 
4217 done:
4218  return BSTR(&out);
4219 }
4220 
4221 void
4223 {
4225 }
static void tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame, struct frame *frame)
Definition: ssl.c:314
struct reliable * rec_reliable
Definition: ssl_common.h:236
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition: ssl.h:125
#define TLSMP_ACTIVE
Definition: ssl.h:245
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
char * management_query_cert(struct management *man, const char *cert_name)
Definition: manage.c:3703
static bool buf_write_u8(struct buffer *dest, int data)
Definition: buffer.h:713
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition: reliable.c:327
static const char * packet_opcode_name(int op)
Definition: ssl.c:816
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
void options_warning(char *actual, const char *expected)
Definition: options.c:4068
const char * ecdh_curve
Definition: options.h:554
struct key_type key_type
Definition: ssl_common.h:288
#define EXPANDED_SIZE_DYNAMIC(f)
Definition: mtu.h:173
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl.h:55
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition: ssl.c:878
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition: ssl.c:2321
Security parameter state for processing data channel packets.
Definition: crypto.h:232
struct key_state_ssl ks_ssl
Definition: ssl_common.h:215
#define D_TLS_KEYSELECT
Definition: errlevel.h:142
const char * management_certificate
Definition: options.h:410
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition: ssl.h:525
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition: buffer.h:348
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:508
static bool openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition: ssl.c:1618
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:203
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition: ssl.c:1215
bool tun_mtu_defined
Definition: options.h:118
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:269
unsigned int management_flags
Definition: options.h:409
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
struct key_state key[KS_SIZE]
Definition: ssl_common.h:488
#define TLSMP_INACTIVE
Definition: ssl.h:244
const char * crl_file
Definition: ssl_common.h:330
struct buffer plaintext_read_buf
Definition: ssl_common.h:231
int n_sessions
Number of sessions negotiated thus far.
Definition: ssl_common.h:586
unsigned int crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:716
void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, const struct frame *frame)
Definition: ssl.c:1314
bool tls_crypt_v2
Definition: ssl_common.h:355
#define SSLF_CRL_VERIFY_DIR
Definition: ssl_common.h:396
void ssl_clean_user_pass(void)
Cleans the saved user/password unless auth-nocache is in use.
Definition: ssl.c:4222
void free_buf(struct buffer *buf)
Definition: buffer.c:185
void ssl_put_auth_challenge(const char *cr_str)
Definition: ssl.c:495
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
const char * cipher_list
Definition: options.h:550
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition: ssl.c:2098
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:261
bool tls_server
Definition: options.h:535
static void export_user_keying_material(struct key_state_ssl *ssl, struct tls_session *session)
Definition: ssl.c:2440
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Definition: ssl_openssl.c:881
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition: ssl_common.h:86
static const char * session_index_name(int index)
Definition: ssl.c:856
bool enable_ncp_fallback
If defined fall back to ciphername if NCP fails.
Definition: options.h:517
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition: session_id.h:48
#define D_TLS_DEBUG
Definition: errlevel.h:159
#define USER_PASS_LEN
Definition: misc.h:68
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:273
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition: ssl.h:110
static void tls_limit_reneg_bytes(const cipher_kt_t *cipher, int *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition: ssl.c:284
const char * cert_file
Definition: options.h:542
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
bool options_cmp_equal(char *actual, const char *expected)
Definition: options.c:4062
const char * tls_cert_profile
Definition: options.h:553
#define GET_USER_PASS_STATIC_CHALLENGE
Definition: misc.h:117
#define streq(x, y)
Definition: options.h:667
const char * chroot_dir
Definition: options.h:326
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:145
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
#define TLS_OPTIONS_LEN
Definition: ssl.h:99
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:689
bool tls_session_generate_data_channel_keys(struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition: ssl.c:1847
bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
Calculates the TLS 1.0-1.1 PRF function.
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition: ssl_openssl.c:1947
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition: packet_id.c:521
Packet geometry parameters.
Definition: mtu.h:93
struct key_state * save_ks
Definition: ssl_common.h:578
#define UP_TYPE_AUTH
Definition: ssl_common.h:41
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition: ssl.c:1680
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition: ssl.h:120
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:968
static void key_state_soft_reset(struct tls_session *session)
Definition: ssl.c:2069
enum ks_auth_state authenticated
Definition: ssl_common.h:247
const char * ca_path
Definition: options.h:539
struct tls_options * opt
Definition: ssl_common.h:457
time_t must_negotiate
Definition: ssl_common.h:219
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition: ssl_common.h:394
char * peer_info
Definition: ssl_common.h:619
const char * ca_file
Definition: options.h:537
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2795
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition: reliable.h:46
bool extra_certs_file_inline
Definition: options.h:545
bool cert_file_inline
Definition: options.h:543
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
struct tls_root_ctx ssl_ctx
Definition: ssl_common.h:285
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:741
bool verified
Definition: ssl_common.h:483
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition: ssl_openssl.c:1050
client with pull or p2p waiting for first time options import
Definition: ssl_common.h:548
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition: ssl.c:3966
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:681
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition: plugin.h:202
void ssl_set_auth_token_user(const char *username)
Definition: ssl.c:450
const char * auth_user_pass_verify_script
Definition: ssl_common.h:364
const char * priv_key_file
Definition: options.h:546
enum multi_status multi_state
Definition: ssl_common.h:588
void session_id_random(struct session_id *sid)
Definition: session_id.c:51
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:566
#define D_TLS_ERRORS
Definition: errlevel.h:59
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Definition: ssl.c:3265
struct buffer_list * buffer_list_new(const int max_size)
Allocate an empty buffer list of capacity max_size.
Definition: buffer.c:1197
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:2676
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user&#39;s password.
Definition: ssl.c:370
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition: ssl_openssl.c:1914
#define SID_SIZE
Definition: session_id.h:45
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition: ssl.c:1339
#define SET_MTU_UPPER_BOUND
Definition: mtu.h:221
const char * auth_user_pass_file
Definition: ssl_common.h:367
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
struct reliable_ack * rec_ack
Definition: ssl_common.h:237
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition: buffer.c:1207
const char * config_ncp_ciphers
Definition: ssl_common.h:353
int handshake_window
Definition: ssl_common.h:319
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info...
Definition: ssl_ncp.c:443
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:268
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition: ssl.c:4049
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition: ssl_common.h:78
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition: ssl.c:895
struct cert_hash_set * cert_hash_set
Definition: ssl_common.h:481
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition: ssl.c:1232
static void init_key_contexts(struct key_ctx_bi *key, const struct key_type *key_type, bool server, struct key2 *key2)
Definition: ssl.c:1662
#define packet_id_format
Definition: packet_id.h:95
static void perf_pop(void)
Definition: perf.h:82
Key state is authenticated.
Definition: ssl_common.h:162
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition: ssl_util.c:80
bool buf_printf(struct buffer *buf, const char *format,...)
Definition: buffer.c:242
#define D_MULTI_DROPPED
Definition: errlevel.h:101
static bool read_string(struct buffer *buf, char *str, const unsigned int capacity)
Definition: ssl.c:2117
static void perf_push(int type)
Definition: perf.h:78
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition: ssl.c:3951
static bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl.c:1497
time_t crl_last_mtime
CRL last modification time.
Definition: ssl_mbedtls.h:114
struct man_def_auth_context * mda_context
Definition: ssl_common.h:405
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define EXPORT_KEY_DATA_LABEL
Definition: ssl_backend.h:392
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
bool defined
Definition: misc.h:58
#define D_MTU_INFO
Definition: errlevel.h:105
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake...
Definition: ssl_verify.h:109
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition: win32.c:1355
#define dmsg(flags,...)
Definition: error.h:157
int cipher_kt_iv_size(const cipher_kt_t *cipher_kt)
Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.
bool cipher_kt_insecure(const cipher_kt_t *cipher)
Returns true if we consider this cipher to be insecure.
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition: ssl.c:4104
const char * cryptoapi_cert
Definition: options.h:582
#define TLS_VER_1_1
Definition: ssl_backend.h:115
const char * ekm_label
Definition: ssl_common.h:418
static void flush_payload_buffer(struct key_state *ks)
Definition: ssl.c:2049
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:298
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition: reliable.c:485
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer&#39;s capabilities...
Definition: ssl.c:2169
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition: ssl_openssl.c:1929
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition: ssl_ncp.c:189
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition: ssl_backend.h:112
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet...
Definition: ssl.c:3876
#define ASSERT(x)
Definition: error.h:204
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition: ssl.h:114
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:132
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition: ssl_openssl.c:91
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:929
#define OPENVPN_STATE_AUTH
Definition: manage.h:478
static bool check_debug_level(unsigned int level)
Definition: error.h:234
unsigned int crypto_flags
Definition: ssl_common.h:346
bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl.c:3784
#define OPENVPN_PLUGIN_FUNC_SUCCESS
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:651
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition: ssl_openssl.c:2249
static struct user_pass auth_user_pass
Definition: ssl.c:389
void ssl_set_auth_token(const char *token)
Definition: ssl.c:444
const char * config_ciphername
Definition: ssl_common.h:352
bool tls_session_update_crypto_params(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition: ssl.c:1940
const char * pkcs12_file
Definition: options.h:548
struct reliable * send_reliable
Definition: ssl_common.h:235
int renegotiate_bytes
Definition: ssl_common.h:321
#define SSLF_OPT_VERIFY
Definition: ssl_common.h:395
bool link_mtu_defined
Definition: options.h:122
char username[USER_PASS_LEN]
Definition: misc.h:70
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition: ssl.h:117
void packet_id_free(struct packet_id *p)
Definition: packet_id.c:101
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
#define MODE_SERVER
Definition: options.h:223
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition: ssl.c:3904
unsigned int data_channel_crypto_flags
Definition: options.h:664
bool initialized
Definition: crypto.h:225
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition: ssl_openssl.c:126
#define TLS_VER_1_2
Definition: ssl_backend.h:116
struct link_socket_actual to_link_addr
Definition: ssl_common.h:584
#define OPENVPN_AEAD_MIN_IV_LEN
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV...
Definition: crypto.h:272
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition: reliable.c:715
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition: ssl_openssl.c:524
#define SWAP_BUF_SIZE
Definition: ssl.c:1378
void setenv_del(struct env_set *es, const char *name)
Definition: env_set.c:330
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition: ssl_common.h:102
const char * ncp_ciphers
Definition: options.h:519
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:274
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition: reliable.h:476
off_t crl_last_size
size of last loaded CRL
Definition: ssl_mbedtls.h:115
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition: packet_id.c:388
void prng_uninit(void)
Definition: crypto.c:1734
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition: ssl.c:1291
static char * auth_challenge
Definition: ssl.c:393
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:1982
uint8_t id[8]
Definition: session_id.h:40
size_t ekm_size
Definition: ssl_common.h:420
struct link_socket_actual remote_addr
Definition: ssl_common.h:225
bool nocache
Definition: misc.h:62
#define CLEAR(x)
Definition: basic.h:33
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition: options.c:4241
#define BPTR(buf)
Definition: buffer.h:124
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition: packet_id.c:78
bool reliable_ack_write(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:213
#define BUF_SIZE(f)
Definition: mtu.h:194
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition: ssl.c:1694
static bool write_empty_string(struct buffer *buf)
Definition: ssl.c:2088
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Definition: ssl_openssl.c:2087
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:261
bool crl_file_inline
Definition: options.h:560
void get_default_gateway(struct route_gateway_info *rgi, openvpn_net_ctx_t *ctx)
Definition: route.c:2723
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition: ssl.c:1179
#define KEY_SCAN_SIZE
Definition: ssl_common.h:530
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:135
#define OPENVPN_STATE_WAIT
Definition: manage.h:477
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition: misc.h:118
interval_t packet_timeout
Definition: ssl_common.h:320
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition: auth_token.c:432
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition: ssl.c:3937
#define S_ERROR
Error state.
Definition: ssl_common.h:77
int tun_mtu
Definition: options.h:117
interval_t renegotiate_seconds
Definition: ssl_common.h:323
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:160
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:434
struct env_item * list
Definition: env_set.h:44
#define P_KEY_ID_MASK
Definition: ssl.h:50
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition: ssl_openssl.c:144
unsigned int packet_id_print_type
Definition: packet_id.h:96
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition: ssl_openssl.c:1874
struct session_id session_id_remote
Definition: ssl_common.h:224
const char * iana_name
Definition: ssl_backend.h:62
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition: packet_id.h:311
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define counter_format
Definition: common.h:31
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition: mtu.c:139
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:128
bool ca_file_inline
Definition: options.h:538
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:430
Key state is not authenticated.
Definition: ssl_common.h:159
bool single_session
Definition: ssl_common.h:303
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
void reliable_ack_adjust_frame_parameters(struct frame *frame, int max)
Definition: reliable.c:258
#define malloc
Definition: cmocka.c:1795
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl.h:64
const char * authname
Definition: options.h:520
#define S_START
Three-way handshake is complete, start of key exchange.
Definition: ssl_common.h:91
#define INCR_SUCCESS
Definition: ssl.c:92
openvpn_net_ctx_t * net_ctx
Definition: ssl_common.h:382
time_t established
Definition: ssl_common.h:218
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition: ssl.c:4077
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition: buffer.h:1050
#define TM_UNTRUSTED
As yet un-trusted tls_session being negotiated.
Definition: ssl_common.h:509
static const char * ks_auth_name(enum ks_auth_state auth)
Definition: ssl.c:800
unsigned int mda_key_id
Definition: ssl_common.h:251
struct crypto_options crypto_options
Definition: ssl_common.h:227
#define ENABLE_MANAGEMENT
Definition: config-msvc.h:12
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition: ssl_common.h:158
#define P_LAST_OPCODE
Definition: ssl.h:73
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition: ssl.c:1259
char * locked_cn
Definition: ssl_common.h:599
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID is not a replay.
Definition: reliable.c:438
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition: reliable.c:502
void free_ssl_lib(void)
Definition: ssl.c:345
static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key, size_t key_len)
Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher used. ...
Definition: ssl.c:1823
int extra_link
Maximum number of bytes in excess of external network interface&#39;s MTU that might be read from or writ...
Definition: mtu.h:122
#define FRAME_HEADROOM(f)
Definition: mtu.h:187
#define ntohpid(x)
Definition: packet_id.h:64
const struct static_challenge_info * sci
Definition: ssl_common.h:411
static bool generate_key_expansion(struct key_ctx_bi *key, struct tls_session *session)
Definition: ssl.c:1770
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition: reliable.c:265
int n_hard_errors
Definition: ssl_common.h:593
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition: ssl_verify.c:833
int transition_window
Definition: ssl_common.h:318
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition: buffer.c:405
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition: ssl_verify.c:1135
void frame_init_mssfix(struct frame *frame, const struct options *options)
Set the –mssfix option.
Definition: mtu.c:130
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition: ssl_openssl.c:159
static struct user_pass passbuf
Definition: ssl.c:358
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition: ssl.h:84
bool xmit_hold
Definition: ssl_common.h:294
#define GET_USER_PASS_PASSWORD_ONLY
Definition: misc.h:110
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags...
Definition: auth_token.c:411
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:130
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake...
Definition: ssl_common.h:81
unsigned int flags
Definition: route.h:153
#define INCR_ERROR
Definition: ssl.c:93
const char * ciphername
Definition: options.h:516
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below...
Definition: ssl_openssl.c:433
static bool buf_write_u16(struct buffer *dest, int data)
Definition: buffer.h:720
void pem_password_setup(const char *auth_file)
Definition: ssl.c:361
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition: reliable.c:645
void ssl_purge_auth(const bool auth_user_pass_only)
Definition: ssl.c:470
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Definition: ssl.c:1381
int key_id
The current active key id, used to keep track of renegotiations.
Definition: ssl_common.h:473
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:685
static struct user_pass auth_token
Definition: ssl.c:390
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
#define P_CONTROL_V1
Definition: ssl.h:57
#define OPENVPN_PLUGIN_TLS_FINAL
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition: ssl.c:1204
struct buffer_list * paybuf
Definition: ssl_common.h:239
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition: reliable.h:160
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher...
Definition: ssl_openssl.c:495
#define TLS_RELIABLE_N_REC_BUFFERS
Definition: ssl.h:85
void tls_adjust_frame_parameters(struct frame *frame)
Definition: ssl.c:304
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
const char * extra_certs_file
Definition: options.h:544
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition: ssl_openssl.c:108
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract plaintext data from the TLS module.
Definition: ssl_openssl.c:1991
int replay_window
Definition: ssl_common.h:348
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:867
void set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition: misc.c:490
unsigned int ssl_flags
Definition: options.h:569
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:271
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:257
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl.h:63
struct cert_hash_set * locked_cert_hash_set
Definition: ssl_common.h:601
struct tls_wrap_ctx tls_wrap
Definition: ssl.h:146
void ssl_set_auth_nocache(void)
Definition: ssl.c:434
int hmac_ctx_size(const hmac_ctx_t *ctx)
struct tls_wrap_ctx tls_wrap
Definition: ssl_common.h:463
#define PERF_TLS_MULTI_PROCESS
Definition: perf.h:42
struct tls_options opt
Definition: ssl_common.h:572
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
int n_soft_errors
Definition: ssl_common.h:594
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:682
const char * challenge_text
Definition: misc.h:97
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:661
const struct plugin_list * plugins
Definition: ssl_common.h:383
struct buffer plaintext_write_buf
Definition: ssl_common.h:232
struct env_item * next
Definition: env_set.h:39
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
struct link_socket_actual untrusted_addr
Definition: ssl_common.h:486
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
#define S_GOT_KEY
Local OpenVPN process has received the remote&#39;s part of the key material.
Definition: ssl_common.h:97
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition: buffer.c:519
struct auth_deferred_status script_auth
Definition: ssl_common.h:257
#define RGI_HWADDR_DEFINED
Definition: route.h:149
#define PAYLOAD_SIZE_DYNAMIC(f)
Definition: mtu.h:166
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:904
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition: ssl.h:573
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
char * remote_ciphername
cipher specified in peer&#39;s config file
Definition: ssl_common.h:645
#define INCR_SENT
Definition: ssl.c:90
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition: ssl.c:4023
static void key_source2_print(const struct key_source2 *k)
Definition: ssl.c:1611
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition: ssl.c:1326
struct connection_entry ce
Definition: options.h:252
#define SC_ECHO
Definition: misc.h:94
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1645
Get a tls_cipher_name_pair containing OpenSSL and IANA names for supplied TLS cipher name...
Definition: ssl_backend.h:62
struct packet_id_send send
Definition: packet_id.h:207
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
const char * local_options
Definition: ssl_common.h:298
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:513
#define TLS_VER_1_0
Definition: ssl_backend.h:114
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
struct key_source client
Random provided by client.
Definition: ssl_common.h:146
bool tls_session_update_crypto_params_do_work(struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment)
Definition: ssl.c:1878
int platform_stat(const char *path, platform_stat_t *buf)
Definition: platform.c:389
#define TLS_VER_1_3
Definition: ssl_backend.h:117
const char * tls_groups
Definition: options.h:552
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:299
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition: socket.h:972
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition: ssl_openssl.c:609
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Definition: ssl_openssl.c:2111
int tls_version_parse(const char *vstr, const char *extra)
Definition: ssl.c:509
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition: ssl.c:1053
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition: ssl_openssl.c:558
#define P_DATA_V1
Definition: ssl.h:59
#define CONTROL_SEND_ACK_MAX
Definition: ssl.h:79
#define BLEN(buf)
Definition: buffer.h:127
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition: ssl_openssl.c:928
time_t auth_deferred_expire
Definition: ssl_common.h:248
struct key_source server
Random provided by server.
Definition: ssl_common.h:147
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition: ssl.c:1085
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet&#39;s ID can safely be stored in the reliable structure&#39;s processing window...
Definition: reliable.c:465
void init_ssl_lib(void)
Definition: ssl.c:337
bool pkcs12_file_inline
Definition: options.h:549
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition: ssl_verify.c:982
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition: ssl_verify.c:1466
#define P_OPCODE_SHIFT
Definition: ssl.h:51
struct buffer * reliable_get_buf_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition: reliable.c:538
#define msg(flags,...)
Definition: error.h:153
void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sci)
Definition: ssl.c:397
struct frame frame
Definition: ssl.h:147
#define D_HANDSHAKE
Definition: errlevel.h:72
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Definition: misc.h:129
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:213
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition: misc.h:116
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:656
#define D_SHOW_KEY_SOURCE
Definition: errlevel.h:118
#define TLSMP_KILL
Definition: ssl.h:246
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition: reliable.c:582
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf, bool inc_pid)
Remove an entry from a reliable structure.
Definition: reliable.c:742
struct session_id session_id
Definition: ssl_common.h:466
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Definition: misc.c:136
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition: ssl.c:3380
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition: buffer.h:1072
void purge_user_pass(struct user_pass *up, const bool force)
Definition: misc.c:469
enum tls_wrap_ctx::@11 mode
Control channel wrapping mode.
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
static bool buf_write_u32(struct buffer *dest, int data)
Definition: buffer.h:727
void frame_set_mtu_dynamic(struct frame *frame, int mtu, unsigned int flags)
Definition: mtu.c:87
unsigned int flags
Definition: misc.h:95
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition: buffer.h:1087
static char * read_string_alloc(struct buffer *buf)
Definition: ssl.c:2133
#define OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition: misc.c:518
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition: ssl.c:601
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition: plugin.c:892
bool ssl_clean_auth_token(void)
Definition: ssl.c:459
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition: ssl.c:1010
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:431
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl.h:56
struct key_source2 * key_src
Definition: ssl_common.h:229
int initial_opcode
Definition: ssl_common.h:465
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:454
#define VALGRIND_MAKE_READABLE(addr, len)
Definition: memdbg.h:53
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition: ssl_common.h:94
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition: ssl_openssl.c:313
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition: misc.c:757
static void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl.c:1435
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition: ssl_common.h:111
static bool buf_safe(const struct buffer *buf, size_t len)
Definition: buffer.h:541
Definition: misc.h:56
int renegotiate_packets
Definition: ssl_common.h:322
int push_peer_info_detail
The detail of info we push in peer info.
Definition: ssl_common.h:317
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:70
int initial_opcode
Definition: ssl_common.h:223
bool disable_occ
Definition: ssl_common.h:304
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:98
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition: reliable.c:123
struct frame frame
Definition: ssl_common.h:361
#define KEY_METHOD_2
Definition: ssl.h:130
time_t peer_last_packet
Definition: ssl_common.h:221
void tls_multi_init_finalize(struct tls_multi *multi, const struct frame *frame)
Finalize initialization of a tls_multi structure.
Definition: ssl.c:1272
bool crl_file_inline
Definition: ssl_common.h:331
#define buf_init(buf, offset)
Definition: buffer.h:196
bool tls_send_payload(struct tls_multi *multi, const uint8_t *data, int size)
Definition: ssl.c:3986
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context...
Definition: ssl_openssl.c:754
static bool management_enable_def_auth(const struct management *man)
Definition: manage.h:458
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:701
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition: ssl_openssl.c:645
void frame_finalize(struct frame *frame, bool link_mtu_defined, int link_mtu, bool tun_mtu_defined, int tun_mtu)
Definition: mtu.c:56
unsigned int mda_key_id_counter
Definition: manage.h:51
const char * cipher_list_tls13
Definition: options.h:551
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition: reliable.c:554
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition: manage.c:2665
char * locked_username
Definition: ssl_common.h:600
char * common_name
Definition: ssl_common.h:479
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition: reliable.c:309
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
void crypto_uninit_lib(void)
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:97
size_t ekm_label_size
Definition: ssl_common.h:419
int link_mtu
Maximum packet size to be sent over the external network interface.
Definition: mtu.h:94
struct auth_deferred_status plugin_auth
Definition: ssl_common.h:256
#define D_TLS_DEBUG_MED
Definition: errlevel.h:151
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:512
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
uint8_t hwaddr[6]
Definition: route.h:163
uint32_t peer_id
Definition: ssl_common.h:642
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition: ssl_openssl.c:1976
static void frame_remove_from_extra_frame(struct frame *frame, const unsigned int decrement)
Definition: mtu.h:280
uint32_t packet_id_type
Definition: packet_id.h:49
#define PD_VERBOSE
Definition: ssl.h:576
static const char * state_name(int state)
Definition: ssl.c:763
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition: ssl_openssl.c:77
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
#define M_WARN
Definition: error.h:100
void tls_clear_error(void)
Clear the underlying SSL library&#39;s error state.
Definition: ssl_openssl.c:102
void ssl_purge_auth_challenge(void)
Definition: ssl.c:488
static int min_int(int x, int y)
Definition: integer.h:82
#define PACKAGE_VERSION
Definition: config.h:742
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:580
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition: reliable.c:419
#define free
Definition: cmocka.c:1850
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition: ssl_verify.c:1703
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation...
Definition: ssl_openssl.c:210
tls_auth_status
Definition: ssl_verify.h:68
#define PD_TLS
Definition: ssl.h:575
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl.h:54
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1059
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition: reliable.c:158
const char * openssl_name
Definition: ssl_backend.h:62
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition: socket.h:872
time_t initial
Definition: ssl_common.h:217
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition: ssl_openssl.c:1436
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:689
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition: ssl_verify.c:219
#define FULL_SYNC
Definition: ssl.c:2061
static int buf_read_u16(struct buffer *buf)
Definition: buffer.h:825
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:209
int interval_t
Definition: common.h:36
#define UP_TYPE_PRIVATE_KEY
Definition: ssl_common.h:42
static void key_source_print(const struct key_source *k, const char *prefix)
Definition: ssl.c:1585
counter_type n_bytes
Definition: ssl_common.h:241
struct buffer ack_write_buf
Definition: ssl_common.h:233
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition: session_id.c:57
uint8_t implicit_iv[OPENVPN_MAX_IV_LENGTH]
The implicit part of the IV.
Definition: crypto.h:168
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf, int maxlen)
Extract ciphertext data from the TLS module.
Definition: ssl_openssl.c:1961
static const tls_cipher_name_pair tls_cipher_name_translation_table[]
SSL/TLS Cipher suite name translation table.
Definition: ssl.c:100
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition: ssl.c:930
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition: ssl.c:2015
#define BSTR(buf)
Definition: buffer.h:129
static bool auth_user_pass_enabled
Definition: ssl.c:388
#define TUN_LINK_DELTA(f)
Definition: mtu.h:151
TLS connection established but deferred auth not finished.
Definition: ssl_common.h:543
#define KEY_METHOD_MASK
Definition: ssl.h:133
const char * dh_file
Definition: options.h:540
time_t must_die
Definition: ssl_common.h:220
#define KEY_EXPANSION_ID
Definition: ssl.h:47
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition: ssl.c:1151
char password[USER_PASS_LEN]
Definition: misc.h:71
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl.h:67
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:117
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes...
Definition: ssl_verify.c:1641
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition: ssl.c:1966
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition: ssl_openssl.c:1496
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition: reliable.c:682
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
static void update_time(void)
Definition: otime.h:77
static SERVICE_STATUS status
Definition: interactive.c:56
bool replay
Definition: options.h:524
static int auth_deferred_expire_window(const struct tls_options *o)
Definition: ssl.c:2654
counter_type n_packets
Definition: ssl_common.h:242
bool dh_file_inline
Definition: options.h:541
bool token_defined
Definition: misc.h:61
#define D_SHOW_OCC
Definition: errlevel.h:96
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition: ssl_common.h:646
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition: ssl_openssl.c:989
#define TLS_CHANNEL_BUF_SIZE
Definition: common.h:69
#define MF_EXTERNAL_CERT
Definition: manage.h:341
void buffer_list_pop(struct buffer_list *ol)
Definition: buffer.c:1344
#define P_ACK_V1
Definition: ssl.h:58
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition: buffer.c:1279
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:270
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition: misc.c:799
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition: ssl.c:550
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition: buffer.c:1252
#define MF_EXTERNAL_KEY
Definition: manage.h:335
const char * remote_options
Definition: ssl_common.h:299
#define P_DATA_V2
Definition: ssl.h:60
const tls_cipher_name_pair * tls_get_cipher_name_pair(const char *cipher_name, size_t len)
Definition: ssl.c:258
int replay_time
Definition: ssl_common.h:349
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition: reliable.c:626
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition: reliable.c:360
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
void crypto_init_lib(void)
unsigned int ssl_flags
Definition: ssl_common.h:402
struct _stat platform_stat_t
Definition: platform.h:148
#define PD_SHOW_DATA
Definition: ssl.h:574
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:129
struct env_set * es
Definition: ssl_common.h:381
bool priv_key_file_inline
Definition: options.h:547
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext)...
Definition: ssl.c:2477
int fragment
Definition: options.h:127
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition: ssl_common.h:359
#define GET_USER_PASS_MANAGEMENT
Definition: misc.h:108
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition: reliable.c:141
int link_mtu_dynamic
Dynamic MTU value for the external network interface.
Definition: mtu.h:97
int link_mtu
Definition: options.h:121
#define INCR_GENERATED
Definition: ssl.c:91
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition: ssl.c:3064
const char * crl_file
Definition: options.h:559