OpenVPN
ssl_common.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifndef SSL_COMMON_H_
30 #define SSL_COMMON_H_
31 
32 #include "session_id.h"
33 #include "socket.h"
34 #include "packet_id.h"
35 #include "crypto.h"
36 #include "options.h"
37 
38 #include "ssl_backend.h"
39 
40 /* passwords */
41 #define UP_TYPE_AUTH "Auth"
42 #define UP_TYPE_PRIVATE_KEY "Private Key"
43 
76 #define S_ERROR -1
77 #define S_UNDEF 0
79 #define S_INITIAL 1
82 #define S_PRE_START 2
85 #define S_START 3
87 #define S_SENT_KEY 4
89 #define S_GOT_KEY 5
92 #define S_ACTIVE 6
96 /* Note that earlier versions also had a S_OP_NORMAL state that was
97  * virtually identical with S_ACTIVE and the code still assumes everything
98  * >= S_ACTIVE to be fully operational */
99 
107 struct key_source {
108  uint8_t pre_master[48];
111  uint8_t random1[32];
114  uint8_t random2[32];
116 };
117 
118 
124 struct key_source2 {
125  struct key_source client;
126  struct key_source server;
127 };
128 
129 
141  KS_AUTH_TRUE
146 };
147 
166 struct key_state
167 {
168  int state;
169 
174  int key_id;
175 
176  struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */
177 
178  time_t established; /* when our state went S_ACTIVE */
179  time_t must_negotiate; /* key negotiation times out if not finished before this time */
180  time_t must_die; /* this object is destroyed at this time */
181  time_t peer_last_packet; /* Last time we received a packet in this control session */
182 
183  int initial_opcode; /* our initial P_ opcode */
184  struct session_id session_id_remote; /* peer's random session ID */
185  struct link_socket_actual remote_addr; /* peer's IP addr */
187  struct crypto_options crypto_options;/* data channel crypto options */
189  struct key_source2 *key_src; /* source entropy for key expansion */
191  struct buffer plaintext_read_buf;
192  struct buffer plaintext_write_buf;
193  struct buffer ack_write_buf;
194 
195  struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */
196  struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */
197  struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */
198 
199  struct buffer_list *paybuf;
200 
201  counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */
202  counter_type n_packets; /* how many packets sent/recvd since last key exchange */
204  /*
205  * If bad username/password, TLS connection will come up but 'authenticated' will be false.
206  */
207  enum ks_auth_state authenticated;
208  time_t auth_deferred_expire;
210 #ifdef ENABLE_MANAGEMENT
211  unsigned int mda_key_id;
212  unsigned int mda_status;
213 #endif
214  unsigned int auth_control_status;
215  time_t acf_last_mod;
216  char *auth_control_file;
217 };
218 
221 {
222  enum {
223  TLS_WRAP_NONE = 0,
224  TLS_WRAP_AUTH,
225  TLS_WRAP_CRYPT,
226  } mode;
227  struct crypto_options opt;
228  struct buffer work;
229  struct key_ctx tls_crypt_v2_server_key;
230  const struct buffer *tls_crypt_v2_wkc;
232  struct buffer tls_crypt_v2_metadata;
233  bool cleanup_key_ctx;
235 };
237 /*
238  * Our const options, obtained directly or derived from
239  * command line options.
240  */
242 {
243  /* our master TLS context from which all SSL objects derived */
244  struct tls_root_ctx ssl_ctx;
246  /* data channel cipher, hmac, and key lengths */
247  struct key_type key_type;
248 
249  /* true if we are a TLS server, client otherwise */
250  bool server;
251 
252  /* if true, don't xmit until first packet from peer is received */
253  bool xmit_hold;
254 
255  /* local and remote options strings
256  * that must match between client and server */
257  const char *local_options;
258  const char *remote_options;
260  /* from command line */
261  bool replay;
262  bool single_session;
263  bool disable_occ;
264  int mode;
265  bool pull;
266  int push_peer_info_detail;
267  int transition_window;
268  int handshake_window;
269  interval_t packet_timeout;
270  int renegotiate_bytes;
271  int renegotiate_packets;
272  interval_t renegotiate_seconds;
274  /* cert verification parms */
275  const char *verify_command;
276  const char *verify_export_cert;
277  int verify_x509_type;
278  const char *verify_x509_name;
279  const char *crl_file;
280  bool crl_file_inline;
281  int ns_cert_type;
282  unsigned remote_cert_ku[MAX_PARMS];
283  const char *remote_cert_eku;
284  uint8_t *verify_hash;
285  hash_algo_type verify_hash_algo;
286 #ifdef ENABLE_X509ALTUSERNAME
287  char *x509_username_field[MAX_PARMS];
288 #else
289  char *x509_username_field[2];
290 #endif
292  /* allow openvpn config info to be
293  * passed over control channel */
294  bool pass_config_info;
296  /* struct crypto_option flags */
297  unsigned int crypto_flags;
298 
299  int replay_window; /* --replay-window parm */
300  int replay_time; /* --replay-window parm */
301  bool tcp_mode;
302 
303  const char *config_ciphername;
304  const char *config_ncp_ciphers;
305  bool ncp_enabled;
307  bool tls_crypt_v2;
308  const char *tls_crypt_v2_verify_script;
311  struct tls_wrap_ctx tls_wrap;
313  struct frame frame;
314 
315  /* used for username/password authentication */
316  const char *auth_user_pass_verify_script;
317  bool auth_user_pass_verify_script_via_file;
318  const char *tmp_dir;
319  const char *auth_user_pass_file;
321  bool auth_token_generate;
324  bool auth_token_call_auth;
325  unsigned int auth_token_lifetime;
326 
327  struct key_ctx auth_token_key;
329  /* use the client-config-dir as a positive authenticator */
330  const char *client_config_dir_exclusive;
332  /* instance-wide environment variable set */
333  struct env_set *es;
334  openvpn_net_ctx_t *net_ctx;
335  const struct plugin_list *plugins;
337  /* compression parms */
338 #ifdef USE_COMP
339  struct compress_options comp_options;
340 #endif
341 
342  /* configuration file SSL-related boolean and low-permutation options */
343 #define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0)
344 #define SSLF_CLIENT_CERT_OPTIONAL (1<<1)
345 #define SSLF_USERNAME_AS_COMMON_NAME (1<<2)
346 #define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3)
347 #define SSLF_OPT_VERIFY (1<<4)
348 #define SSLF_CRL_VERIFY_DIR (1<<5)
349 #define SSLF_TLS_VERSION_MIN_SHIFT 6
350 #define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */
351 #define SSLF_TLS_VERSION_MAX_SHIFT 10
352 #define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */
353  unsigned int ssl_flags;
354 
355 #ifdef ENABLE_MANAGEMENT
356  struct man_def_auth_context *mda_context;
357 #endif
359  const struct x509_track *x509_track;
361 #ifdef ENABLE_MANAGEMENT
362  const struct static_challenge_info *sci;
363 #endif
365  /* --gremlin bits */
366  int gremlin;
367 
368  /* Keying Material Exporter [RFC 5705] parameters */
369  const char *ekm_label;
370  size_t ekm_label_size;
371  size_t ekm_size;
372 };
373 
381 #define KS_PRIMARY 0
382 #define KS_LAME_DUCK 1
384 #define KS_SIZE 2
404 struct tls_session
405 {
406  /* const options and config info */
407  struct tls_options *opt;
408 
409  /* during hard reset used to control burst retransmit */
410  bool burst;
411 
412  /* authenticate control packets */
413  struct tls_wrap_ctx tls_wrap;
414 
415  int initial_opcode; /* our initial P_ opcode */
416  struct session_id session_id; /* our random session ID */
423  int key_id;
424 
425  int limit_next; /* used for traffic shaping on the control channel */
427  int verify_maxlevel;
429  char *common_name;
430 
432 
433 #ifdef ENABLE_PF
434  uint32_t common_name_hashval;
435 #endif
437  bool verified; /* true if peer certificate was verified against CA */
439  /* not-yet-authenticated incoming client */
440  struct link_socket_actual untrusted_addr;
441 
443 };
462 #define TM_ACTIVE 0
463 #define TM_UNTRUSTED 1
465 #define TM_LAME_DUCK 2
466 #define TM_SIZE 3
472 /*
473  * The number of keys we will scan on encrypt or decrypt. The first
474  * is the "active" key. The second is the lame_duck or retiring key
475  * associated with the active key's session ID. The third is a detached
476  * lame duck session that only occurs in situations where a key renegotiate
477  * failed on the active key, but a lame duck key was still valid. By
478  * preserving the lame duck session, we can be assured of having a data
479  * channel key available even when network conditions are so bad that
480  * we can't negotiate a new key within the time allotted.
481  */
482 #define KEY_SCAN_SIZE 3
483 
497 struct tls_multi
498 {
499  /* used to coordinate access between main thread and TLS thread */
500  /*MUTEX_PTR_DEFINE (mutex);*/
501 
502  /* const options and config info */
503  struct tls_options opt;
504 
505  /*
506  * used by tls_pre_encrypt to communicate the encrypt key
507  * to tls_post_encrypt()
508  */
509  struct key_state *save_ks; /* temporary pointer used between pre/post routines */
510 
511  /*
512  * Used to return outgoing address from
513  * tls_multi_process.
514  */
515  struct link_socket_actual to_link_addr;
516 
517  int n_sessions;
520  /*
521  * Number of errors.
522  */
523  int n_hard_errors; /* errors due to TLS negotiation failure */
524  int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
525 
526  /*
527  * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
528  */
529  char *locked_cn;
530  char *locked_username;
531  struct cert_hash_set *locked_cert_hash_set;
533  /* Time of last call to tls_authentication_status */
534  time_t tas_last;
535 
536  /*
537  * An error message to send to client on AUTH_FAILED
538  */
539  char *client_reason;
540 
541  /*
542  * A multi-line string of general-purpose info received from peer
543  * over control channel.
544  */
545  char *peer_info;
546  char *auth_token;
550  char *auth_token_initial;
554 #define AUTH_TOKEN_HMAC_OK (1<<0)
555 
556 #define AUTH_TOKEN_EXPIRED (1<<1)
557 
558 #define AUTH_TOKEN_VALID_EMPTYUSER (1<<2)
559 
566  int auth_token_state_flags;
569  /* For P_DATA_V2 */
570  uint32_t peer_id;
571  bool use_peer_id;
572 
573  char *remote_ciphername;
575  /*
576  * Our session objects.
577  */
578  struct tls_session session[TM_SIZE];
582 };
583 
587 static inline struct key_state *
588 get_key_scan(struct tls_multi *multi, int index)
589 {
590  switch (index)
591  {
592  case 0:
593  return &multi->session[TM_ACTIVE].key[KS_PRIMARY];
594  case 1:
595  return &multi->session[TM_ACTIVE].key[KS_LAME_DUCK];
596  case 2:
597  return &multi->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
598  default:
599  ASSERT(false);
600  return NULL; /* NOTREACHED */
601  }
602 }
604 #endif /* SSL_COMMON_H_ */
Security parameter state for processing data channel packets.
Definition: crypto.h:232
#define TM_ACTIVE
Active tls_session.
Definition: ssl_common.h:475
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:178
struct key_state key[KS_SIZE]
Definition: ssl_common.h:455
Container for both halves of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:136
Packet geometry parameters.
Definition: mtu.h:93
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:512
Key state is authenticated.
Definition: ssl_common.h:153
hash_algo_type
Types referencing specific message digest hashing algorithms.
#define MAX_PARMS
Definition: options.h:51
void * openvpn_net_ctx_t
Definition: networking.h:26
#define ASSERT(x)
Definition: error.h:221
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition: ssl_common.h:123
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer...
Definition: ssl_common.h:593
Structure containing the hashes for a full certificate chain.
Definition: ssl_verify.h:59
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:232
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition: ssl_common.h:126
Key state authentication is being deferred, by async auth.
Definition: ssl_common.h:151
#define KS_SIZE
Size of the tls_session.key array.
Definition: ssl_common.h:397
Container for one half of random material to be used in key method 2 data channel key generation...
Definition: ssl_common.h:119
#define KS_PRIMARY
Primary key state index.
Definition: ssl_common.h:393
Key state is not authenticated.
Definition: ssl_common.h:150
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition: ssl_common.h:149
unsigned __int32 uint32_t
Definition: config-msvc.h:157
static struct user_pass auth_token
Definition: ssl.c:389
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
unsigned int counter_type
Definition: common.h:38
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules...
Definition: ssl_common.h:603
#define TM_SIZE
Size of the tls_multi.session array.
Definition: ssl_common.h:480
unsigned __int8 uint8_t
Definition: config-msvc.h:159
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:104
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition: ssl_common.h:394
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:417
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:64
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
The reliability layer storage structure for one VPN tunnel&#39;s control channel in one direction...
Definition: reliable.h:88
#define TM_LAME_DUCK
Old tls_session.
Definition: ssl_common.h:479
int interval_t
Definition: common.h:45
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition: ssl_common.h:120
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151