OpenVPN
|
#include "syshead.h"
#include "win32.h"
#include "error.h"
#include "common.h"
#include "ssl_ncp.h"
#include "ssl_util.h"
#include "openvpn.h"
Go to the source code of this file.
Functions | |
static int | tls_peer_info_ncp_ver (const char *peer_info) |
Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified. More... | |
bool | tls_peer_supports_ncp (const char *peer_info) |
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list. More... | |
char * | mutate_ncp_cipher_list (const char *list, struct gc_arena *gc) |
Check whether the ciphers in the supplied list are supported. More... | |
void | append_cipher_to_ncp_list (struct options *o, const char *ciphername) |
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list. More... | |
bool | tls_item_in_cipher_list (const char *item, const char *list) |
Return true iff item is present in the colon-separated zero-terminated cipher list. More... | |
const char * | tls_peer_ncp_list (const char *peer_info, struct gc_arena *gc) |
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_info. More... | |
char * | ncp_get_best_cipher (const char *server_list, const char *peer_info, const char *remote_cipher, struct gc_arena *gc) |
Iterates through the ciphers in server_list and return the first cipher that is also supported by the peer according to the IV_NCP and IV_CIPHER values in peer_info. More... | |
static bool | tls_poor_mans_ncp (struct options *o, const char *remote_ciphername) |
"Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. More... | |
bool | check_pull_client_ncp (struct context *c, const int found) |
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should abort. More... | |
const char * | get_p2p_ncp_cipher (struct tls_session *session, const char *peer_info, struct gc_arena *gc) |
Determines the best common cipher from both peers IV_CIPHER lists. More... | |
static void | p2p_ncp_set_options (struct tls_multi *multi, struct tls_session *session) |
void | p2p_mode_ncp (struct tls_multi *multi, struct tls_session *session) |
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info. More... | |
bool | check_session_cipher (struct tls_session *session, struct options *options) |
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher. More... | |
void append_cipher_to_ncp_list | ( | struct options * | o, |
const char * | ciphername | ||
) |
Appends the cipher specified by the ciphernamer parameter to to the o->ncp_ciphers list.
o | options struct to modify. Its gc is also used |
ciphername | the ciphername to add |
Definition at line 195 of file ssl_ncp.c.
References ASSERT, options::gc, gc_malloc(), and options::ncp_ciphers.
Referenced by options_set_backwards_compatible_options().
bool check_pull_client_ncp | ( | struct context * | c, |
int | found | ||
) |
Checks whether the cipher negotiation is in an acceptable state and we continue to connect or should abort.
Definition at line 315 of file ssl_ncp.c.
References context::c2, D_PUSH_DEBUG, D_TLS_ERRORS, options::enable_ncp_fallback, msg, options::ncp_ciphers, OPT_P_NCP, context::options, tls_multi::remote_ciphername, context_2::tls_multi, and tls_poor_mans_ncp().
Referenced by do_deferred_options().
bool check_session_cipher | ( | struct tls_session * | session, |
struct options * | options | ||
) |
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition at line 511 of file ssl_ncp.c.
References options::ciphername, D_TLS_ERRORS, options::enable_ncp_fallback, msg, options::ncp_ciphers, streq, and tls_item_in_cipher_list().
Referenced by tls_session_update_crypto_params().
const char* get_p2p_ncp_cipher | ( | struct tls_session * | session, |
const char * | peer_info, | ||
struct gc_arena * | gc | ||
) |
Determines the best common cipher from both peers IV_CIPHER lists.
The first cipher from the tls-server that is also in the tls-client IV_CIPHER list will be returned. If no common cipher can be found, both peer will continue to use whatever cipher is their default and NULL will be returned.
session | tls_session |
peer_info | peer info of the peer |
gc | gc arena that will be used to allocate the returned cipher |
Definition at line 360 of file ssl_ncp.c.
References extract_var_peer_info(), gc_free(), gc_new(), string_alloc(), strsep(), and tls_item_in_cipher_list().
Referenced by do_deferred_p2p_ncp(), and p2p_mode_ncp().
char* mutate_ncp_cipher_list | ( | const char * | list, |
struct gc_arena * | gc | ||
) |
Check whether the ciphers in the supplied list are supported.
list | Colon-separated list of ciphers @parms gc gc_arena to allocate the returned string |
Definition at line 95 of file ssl_ncp.c.
References alloc_buf(), buf_forward_capacity(), buf_len(), buf_null_terminate(), buf_puts(), buf_str(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), cipher_kt_name(), cipher_valid(), free_buf(), M_WARN, MAX_NCP_CIPHERS_LENGTH, msg, and string_alloc().
Referenced by options_postprocess_mutate(), and test_check_ncp_ciphers_list().
char* ncp_get_best_cipher | ( | const char * | server_list, |
const char * | peer_info, | ||
const char * | remote_cipher, | ||
struct gc_arena * | gc | ||
) |
Iterates through the ciphers in server_list and return the first cipher that is also supported by the peer according to the IV_NCP and IV_CIPHER values in peer_info.
We also accept a cipher that is the remote cipher of the client for "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. Allows non-NCP peers to upgrade their cipher individually.
Make sure to call tls_session_update_crypto_params() after calling this function.
gc | gc arena that is ONLY used to allocate the returned string |
Definition at line 248 of file ssl_ncp.c.
References gc_free(), gc_new(), streq, string_alloc(), strsep(), tls_item_in_cipher_list(), and tls_peer_ncp_list().
Referenced by multi_client_set_protocol_options(), test_ncp_best(), and test_poor_man().
void p2p_mode_ncp | ( | struct tls_multi * | multi, |
struct tls_session * | session | ||
) |
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
In contrast of the server mode NCP that tries to accomandate all kind of corner cases in P2P mode NCP only takes IV_CIPHER into account and falls back to previous behaviour if this fails.
Definition at line 470 of file ssl_ncp.c.
References alloc_buf_gc(), BSTR, buf_printf(), cipher_defined(), cipher_kt_name(), CO_USE_TLS_KEY_MATERIAL_EXPORT, D_TLS_DEBUG_LOW, gc_free(), gc_new(), get_p2p_ncp_cipher(), msg, p2p_ncp_set_options(), tls_multi::peer_id, tls_multi::peer_info, and tls_multi::use_peer_id.
Referenced by key_method_2_read(), and key_method_2_write().
|
static |
Definition at line 411 of file ssl_ncp.c.
References CO_USE_CC_EXIT_NOTIFY, CO_USE_DYNAMIC_TLS_CRYPT, CO_USE_TLS_KEY_MATERIAL_EXPORT, EXPORT_P2P_PEERID_LABEL, extract_iv_proto(), IV_PROTO_CC_EXIT_NOTIFY, IV_PROTO_DATA_V2, IV_PROTO_DYN_TLS_CRYPT, IV_PROTO_NCP_P2P, IV_PROTO_TLS_KEY_EXPORT, key_state_export_keying_material(), M_NONFATAL, msg, tls_multi::peer_id, tls_multi::peer_info, and tls_multi::use_peer_id.
Referenced by p2p_mode_ncp().
bool tls_item_in_cipher_list | ( | const char * | item, |
const char * | list | ||
) |
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition at line 207 of file ssl_ncp.c.
References string_alloc().
Referenced by check_session_cipher(), do_init_crypto_tls_c1(), get_p2p_ncp_cipher(), ncp_get_best_cipher(), options_postprocess_cipher(), options_postprocess_setdefault_ncpciphers(), options_set_backwards_compatible_options(), options_string(), push_peer_info(), and tls_poor_mans_ncp().
|
static |
Return the Negotiable Crypto Parameters version advertised in the peer info string, or 0 if none specified.
Definition at line 57 of file ssl_ncp.c.
Referenced by tls_peer_ncp_list(), and tls_peer_supports_ncp().
const char* tls_peer_ncp_list | ( | const char * | peer_info, |
struct gc_arena * | gc | ||
) |
Returns the support cipher list from the peer according to the IV_NCP and IV_CIPHER values in peer_info.
Definition at line 227 of file ssl_ncp.c.
References extract_var_peer_info(), and tls_peer_info_ncp_ver().
Referenced by multi_client_set_protocol_options(), ncp_get_best_cipher(), and test_extract_client_ciphers().
bool tls_peer_supports_ncp | ( | const char * | peer_info | ) |
Returns whether the client supports NCP either by announcing IV_NCP>=2 or the IV_CIPHERS list.
Definition at line 77 of file ssl_ncp.c.
References tls_peer_info_ncp_ver().
Referenced by prepare_push_reply(), and test_extract_client_ciphers().
|
static |
"Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
Allows non-NCP peers to upgrade their cipher individually.
Returns true if we switched to the peer's cipher
Make sure to call tls_session_update_crypto_params() after calling this function.
Definition at line 302 of file ssl_ncp.c.
References options::ciphername, D_TLS_DEBUG_LOW, options::gc, msg, options::ncp_ciphers, string_alloc(), and tls_item_in_cipher_list().
Referenced by check_pull_client_ncp().