OpenVPN
ssl_pkt.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 #ifdef HAVE_CONFIG_H
24 #include "config.h"
25 #endif
26 
27 #include "syshead.h"
28 
29 #include "ssl_util.h"
30 #include "ssl_pkt.h"
31 #include "ssl_common.h"
32 #include "crypto.h"
33 #include "session_id.h"
34 #include "reliable.h"
35 #include "tls_crypt.h"
36 
37 /*
38  * Dependent on hmac size, opcode size, and session_id size.
39  * Will assert if too small.
40  */
41 #define SWAP_BUF_SIZE 256
42 
60 static bool
61 swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
62 {
63  ASSERT(co);
64 
65  const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
66  &co->key_ctx_bi.encrypt);
67  ASSERT(ctx->hmac);
68 
69  {
70  /* hmac + packet_id (8 bytes) */
71  const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
72 
73  /* opcode (1 byte) + session_id (8 bytes) */
74  const int osid_size = 1 + SID_SIZE;
75 
76  int e1, e2;
77  uint8_t *b = BPTR(buf);
78  uint8_t buf1[SWAP_BUF_SIZE];
79  uint8_t buf2[SWAP_BUF_SIZE];
80 
81  if (incoming)
82  {
83  e1 = osid_size;
84  e2 = hmac_size;
85  }
86  else
87  {
88  e1 = hmac_size;
89  e2 = osid_size;
90  }
91 
92  ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
93 
94  if (buf->len >= e1 + e2)
95  {
96  memcpy(buf1, b, e1);
97  memcpy(buf2, b + e1, e2);
98  memcpy(b, buf2, e2);
99  memcpy(b + e2, buf1, e1);
100  return true;
101  }
102  else
103  {
104  return false;
105  }
106  }
107 }
108 
109 #undef SWAP_BUF_SIZE
110 
120 static void
121 tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf,
122  struct session_id *session_id)
123 {
124  if (ctx->mode == TLS_WRAP_AUTH
125  || ctx->mode == TLS_WRAP_NONE)
126  {
128  ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
129  }
130  if (ctx->mode == TLS_WRAP_AUTH)
131  {
132  struct buffer null = clear_buf();
133 
134  /* no encryption, only write hmac */
135  openvpn_encrypt(buf, null, &ctx->opt);
136  ASSERT(swap_hmac(buf, &ctx->opt, false));
137  }
138  else if (ctx->mode == TLS_WRAP_CRYPT)
139  {
140  ASSERT(buf_init(&ctx->work, buf->offset));
141  ASSERT(buf_write(&ctx->work, &header, sizeof(header)));
143  if (!tls_crypt_wrap(buf, &ctx->work, &ctx->opt))
144  {
145  buf->len = 0;
146  return;
147  }
148 
150  || (header >> P_OPCODE_SHIFT) == P_CONTROL_WKC_V1)
151  {
152  if (!buf_copy(&ctx->work,
153  ctx->tls_crypt_v2_wkc))
154  {
155  msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
156  buf->len = 0;
157  return;
158  }
159  }
160 
161  /* Don't change the original data in buf, it's used by the reliability
162  * layer to resend on failure. */
163  *buf = ctx->work;
164  }
165 }
166 
167 void
169  struct key_state *ks,
170  struct buffer *buf,
171  struct link_socket_actual **to_link_addr,
172  int opcode,
173  int max_ack,
174  bool prepend_ack)
175 {
176  uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
177 
178  /* Workaround for Softether servers. Softether has a bug that it only
179  * allows 4 ACks in packets and drops packets if more ACKs are contained
180  * in a packet (see commit 37aa1ba5 in Softether) */
181  if (session->tls_wrap.mode == TLS_WRAP_NONE && !session->opt->server
182  && !(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT))
183  {
184  max_ack = min_int(max_ack, 4);
185  }
186 
189  (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,
190  max_ack, prepend_ack));
191 
192  msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
193 
194  tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf, &session->session_id);
195 
196  *to_link_addr = &ks->remote_addr;
197 }
198 
199 bool
201  struct tls_wrap_ctx *ctx,
202  const struct link_socket_actual *from,
203  const struct tls_options *opt)
204 {
205  struct gc_arena gc = gc_new();
206  bool ret = false;
207 
208  const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
209  if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3
210  || opcode == P_CONTROL_WKC_V1)
211  && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
212  {
214  "TLS Error: can not extract tls-crypt-v2 client key from %s",
215  print_link_socket_actual(from, &gc));
216  goto cleanup;
217  }
218 
219  if (ctx->mode == TLS_WRAP_AUTH)
220  {
221  struct buffer null = clear_buf();
222 
223  /* move the hmac record to the front of the packet */
224  if (!swap_hmac(buf, &ctx->opt, true))
225  {
227  "TLS Error: cannot locate HMAC in incoming packet from %s",
228  print_link_socket_actual(from, &gc));
229  gc_free(&gc);
230  return false;
231  }
232 
233  /* authenticate only (no decrypt) and remove the hmac record
234  * from the head of the buffer */
235  openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
236  if (!buf->len)
237  {
239  "TLS Error: incoming packet authentication failed from %s",
240  print_link_socket_actual(from, &gc));
241  goto cleanup;
242  }
243 
244  }
245  else if (ctx->mode == TLS_WRAP_CRYPT)
246  {
247  struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
248  if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
249  {
250  msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
251  print_link_socket_actual(from, &gc));
252  goto cleanup;
253  }
254  ASSERT(buf_init(buf, buf->offset));
255  ASSERT(buf_copy(buf, &tmp));
256  buf_clear(&tmp);
257  }
258  else if (ctx->tls_crypt_v2_server_key.cipher)
259  {
260  /* If tls-crypt-v2 is enabled, require *some* wrapping */
261  msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
262  print_link_socket_actual(from, &gc));
263  /* TODO Do we want to support using tls-crypt-v2 and no control channel
264  * wrapping at all simultaneously? That would allow server admins to
265  * upgrade clients one-by-one without running a second instance, but we
266  * should not enable it by default because it breaks DoS-protection.
267  * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
268  goto cleanup;
269  }
270 
271  if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
272  {
273  /* advance buffer pointer past opcode & session_id since our caller
274  * already read it */
275  buf_advance(buf, SID_SIZE + 1);
276  }
277 
278  ret = true;
279 cleanup:
280  gc_free(&gc);
281  return ret;
282 }
283 
284 void
286 {
287  free_buf(&state->newbuf);
289  if (state->tls_wrap_tmp.cleanup_key_ctx)
290  {
292  }
293 }
294 
295 /*
296  * This function is similar to tls_pre_decrypt, except it is called
297  * when we are in server mode and receive an initial incoming
298  * packet. Note that we don't modify
299  * any state in our parameter objects. The purpose is solely to
300  * determine whether we should generate a client instance
301  * object, in which case true is returned.
302  *
303  * This function is essentially the first-line HMAC firewall
304  * on the UDP port listener in --mode server mode.
305  */
308  struct tls_pre_decrypt_state *state,
309  const struct link_socket_actual *from,
310  const struct buffer *buf)
311 {
312  struct gc_arena gc = gc_new();
313  /* A packet needs to have at least an opcode and session id */
314  if (buf->len < (1 + SID_SIZE))
315  {
317  "TLS State Error: Too short packet (length %d) received from %s",
318  buf->len, print_link_socket_actual(from, &gc));
319  goto error;
320  }
321 
322  /* get opcode and key ID */
323  uint8_t pkt_firstbyte = *BPTR(buf);
324  int op = pkt_firstbyte >> P_OPCODE_SHIFT;
325  int key_id = pkt_firstbyte & P_KEY_ID_MASK;
326 
327  /* this packet is from an as-yet untrusted source, so
328  * scrutinize carefully */
329 
330  /* Allow only the reset packet or the first packet of the actual handshake. */
333  && op != P_CONTROL_V1
334  && op != P_CONTROL_WKC_V1
335  && op != P_ACK_V1)
336  {
337  /*
338  * This can occur due to bogus data or DoS packets.
339  */
341  "TLS State Error: No TLS state for client %s, opcode=%d",
342  print_link_socket_actual(from, &gc),
343  op);
344  goto error;
345  }
346 
347  if (key_id != 0)
348  {
350  "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
351  key_id,
352  print_link_socket_actual(from, &gc));
353  goto error;
354  }
355 
356  /* read peer session id, we do this at this point since
357  * read_control_auth will skip over it */
358  struct buffer tmp = *buf;
359  buf_advance(&tmp, 1);
360  if (!session_id_read(&state->peer_session_id, &tmp)
361  || !session_id_defined(&state->peer_session_id))
362  {
364  "TLS Error: session-id not found in packet from %s",
365  print_link_socket_actual(from, &gc));
366  goto error;
367  }
368 
369  state->newbuf = clone_buf(buf);
370  state->tls_wrap_tmp = tas->tls_wrap;
371 
372  /* HMAC test and unwrapping the encrypted part of the control message
373  * into newbuf or just setting newbuf to point to the start of control
374  * message */
375  bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp,
376  from, NULL);
377 
378  if (!status)
379  {
380  goto error;
381  }
382 
383  /*
384  * At this point, if --tls-auth is being used, we know that
385  * the packet has passed the HMAC test, but we don't know if
386  * it is a replay yet. We will attempt to defeat replays
387  * by not advancing to the S_START state until we
388  * receive an ACK from our first reply to the client
389  * that includes an HMAC of our randomly generated 64 bit
390  * session ID.
391  *
392  * On the other hand if --tls-auth is not being used, we
393  * will proceed to begin the TLS authentication
394  * handshake with only cursory integrity checks having
395  * been performed, since we will be leaving the task
396  * of authentication solely up to TLS.
397  */
398  gc_free(&gc);
399  if (op == P_CONTROL_V1)
400  {
402  }
403  else if (op == P_ACK_V1)
404  {
405  return VERDICT_VALID_ACK_V1;
406  }
407  else if (op == P_CONTROL_HARD_RESET_CLIENT_V3)
408  {
409  return VERDICT_VALID_RESET_V3;
410  }
411  else if (op == P_CONTROL_WKC_V1)
412  {
413  return VERDICT_VALID_WKC_V1;
414  }
415  else
416  {
417  return VERDICT_VALID_RESET_V2;
418  }
419 
420 error:
421  tls_clear_error();
422  gc_free(&gc);
423  return VERDICT_INVALID;
424 }
425 
426 
427 struct buffer
429  struct tls_auth_standalone *tas,
430  struct session_id *own_sid,
431  struct session_id *remote_sid,
432  uint8_t header,
433  bool request_resend_wkc)
434 {
435  /* Copy buffer here to point at the same data but allow tls_wrap_control
436  * to potentially change buf to point to another buffer without
437  * modifying the buffer in tas */
438  struct buffer buf = tas->workbuf;
439  ASSERT(buf_init(&buf, tas->frame.buf.headroom));
440 
441  /* Reliable ACK structure */
442  /* Length of the ACK structure - 1 ACK */
443  buf_write_u8(&buf, 1);
444 
445  /* ACKed packet - first packet's id is always 0 */
446  buf_write_u32(&buf, 0);
447 
448  /* Remote session id */
449  buf_write(&buf, remote_sid->id, SID_SIZE);
450 
451  /* Packet ID of our own packet: Our reset packet is always using
452  * packet id 0 since it is the first packet */
453  packet_id_type net_pid = htonpid(0);
454 
455  ASSERT(buf_write(&buf, &net_pid, sizeof(net_pid)));
456 
457  /* Add indication for tls-crypt-v2 to resend the WKc with the reply */
458  if (request_resend_wkc)
459  {
460  buf_write_u16(&buf, TLV_TYPE_EARLY_NEG_FLAGS); /* TYPE: flags */
461  buf_write_u16(&buf, sizeof(uint16_t));
463  }
464 
465  /* Add tls-auth/tls-crypt wrapping, this might replace buf with
466  * ctx->work */
467  tls_wrap_control(ctx, header, &buf, own_sid);
468 
469  return buf;
470 }
471 
472 hmac_ctx_t *
474 {
475  /* We assume that SHA256 is always available */
476  ASSERT(md_valid("SHA256"));
477  hmac_ctx_t *hmac_ctx = hmac_ctx_new();
478 
479  uint8_t key[SHA256_DIGEST_LENGTH];
480  ASSERT(rand_bytes(key, sizeof(key)));
481 
482  hmac_ctx_init(hmac_ctx, key, "SHA256");
483  return hmac_ctx;
484 }
485 
486 struct session_id
488  const struct openvpn_sockaddr *from,
489  hmac_ctx_t *hmac,
490  int handwindow, int offset)
491 {
492  union {
493  uint8_t hmac_result[SHA256_DIGEST_LENGTH];
494  struct session_id sid;
495  } result;
496 
497  /* Get the valid time quantisation for our hmac,
498  * we divide time by handwindow/2 and allow the previous
499  * and future session time if specified by offset */
500  uint32_t session_id_time = ntohl(now/((handwindow+1)/2) + offset);
501 
502  hmac_ctx_reset(hmac);
503  /* We do not care about endian here since it does not need to be
504  * portable */
505  hmac_ctx_update(hmac, (const uint8_t *) &session_id_time,
506  sizeof(session_id_time));
507 
508  /* add client IP and port */
509  switch (from->addr.sa.sa_family)
510  {
511  case AF_INET:
512  hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in4, sizeof(struct sockaddr_in));
513  break;
514 
515  case AF_INET6:
516  hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in6, sizeof(struct sockaddr_in6));
517  break;
518  }
519 
520  /* add session id of client */
521  hmac_ctx_update(hmac, client_sid.id, SID_SIZE);
522 
523  hmac_ctx_final(hmac, result.hmac_result);
524 
525  return result.sid;
526 }
527 
528 bool
530  const struct openvpn_sockaddr *from,
531  hmac_ctx_t *hmac,
532  int handwindow)
533 {
534  if (!from)
535  {
536  return false;
537  }
538 
539  struct buffer buf = state->newbuf;
540  struct reliable_ack ack;
541 
542  if (!reliable_ack_parse(&buf, &ack, &state->server_session_id))
543  {
544  return false;
545  }
546 
547  /* check adjacent timestamps too */
548  for (int offset = -2; offset <= 1; offset++)
549  {
550  struct session_id expected_id =
551  calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset);
552 
553  if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE))
554  {
555  return true;
556  }
557  }
558  return false;
559 }
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition: ssl_pkt.h:86
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition: errlevel.h:165
D_TLS_STATE_ERRORS
#define D_TLS_STATE_ERRORS
Definition: errlevel.h:134
SWAP_BUF_SIZE
#define SWAP_BUF_SIZE
Definition: ssl_pkt.c:41
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition: ssl_pkt.h:38
VERDICT_INVALID
@ VERDICT_INVALID
the packet failed on of the various checks
Definition: ssl_pkt.h:97
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1030
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:46
buf_forward_capacity_total
static int buf_forward_capacity_total(const struct buffer *buf)
Definition: buffer.h:564
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl_pkt.h:51
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition: ssl_common.h:276
key_state::rec_ack
struct reliable_ack * rec_ack
Definition: ssl_common.h:238
buf_init
#define buf_init(buf, offset)
Definition: buffer.h:209
tls_crypt_unwrap
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:222
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition: buffer.h:710
first_packet_verdict
first_packet_verdict
Definition: ssl_pkt.h:84
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition: ssl_pkt.c:428
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl_pkt.c:307
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:88
key_ctx::cipher
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:164
key_state::lru_acks
struct reliable_ack * lru_acks
Definition: ssl_common.h:239
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition: ssl_pkt.h:59
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:473
session_id_write
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:73
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition: ssl_pkt.h:90
buf_clear
void buf_clear(struct buffer *buf)
Definition: buffer.c:162
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition: ssl_pkt.c:285
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:219
dmsg
#define dmsg(flags,...)
Definition: error.h:148
swap_hmac
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Move a packet authentication HMAC + related fields to or from the front of the buffer so it can be pr...
Definition: ssl_pkt.c:61
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:717
openvpn_sockaddr
Definition: socket.h:65
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
clear_buf
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition: buffer.h:222
reliable_ack_parse
bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, struct session_id *session_id_remote)
Parse an acknowledgment record from a received packet.
Definition: reliable.c:173
session_id.h
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition: ssl_pkt.h:39
clone_buf
struct buffer clone_buf(const struct buffer *buf)
Definition: buffer.c:115
tls_crypt.h
tls_auth_standalone::workbuf
struct buffer workbuf
Definition: ssl_pkt.h:80
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl_pkt.c:200
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition: ssl_pkt.h:108
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:198
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition: ssl_pkt.h:105
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition: ssl_pkt.h:316
session_id
Definition: session_id.h:38
tls_auth_standalone::frame
struct frame frame
Definition: ssl_pkt.h:81
ssl_util.h
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:906
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:273
reliable.h
htonpid
#define htonpid(x)
Definition: packet_id.h:56
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl_pkt.h:55
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition: socket.h:713
ASSERT
#define ASSERT(x)
Definition: error.h:195
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:275
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition: ssl_pkt.h:107
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:623
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition: buffer.h:703
tls_options
Definition: ssl_common.h:296
SID_SIZE
#define SID_SIZE
Definition: session_id.h:45
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition: buffer.h:685
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition: buffer.h:697
tls_pre_decrypt_state::newbuf
struct buffer newbuf
Definition: ssl_pkt.h:106
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:266
key_state::remote_addr
struct link_socket_actual remote_addr
Definition: ssl_common.h:226
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition: ssl_common.h:274
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition: session_id.h:61
openvpn_encrypt
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:295
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition: ssl_pkt.h:104
tls_crypt_wrap
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:145
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:162
tls_wrap_ctx::tls_crypt_v2_metadata
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:278
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl_pkt.c:168
crypto.h
key_state::session_id_remote
struct session_id session_id_remote
Definition: ssl_common.h:225
openvpn_decrypt
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:645
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
packet_id_type
uint32_t packet_id_type
Definition: packet_id.h:44
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition: ssl_pkt.c:487
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition: crypto_openssl.c:592
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition: errlevel.h:59
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition: buffer.h:673
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
frame::buf
struct frame::@6 buf
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
session_id::id
uint8_t id[8]
Definition: session_id.h:40
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition: session_id.h:55
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition: ssl_common.h:208
buffer::offset
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
tls_wrap_control
static void tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, struct session_id *session_id)
Wraps a TLS control packet by adding tls-auth HMAC or tls-crypt(-v2) encryption and opcode header inc...
Definition: ssl_pkt.c:121
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:79
free_buf
void free_buf(struct buffer *buf)
Definition: buffer.c:183
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto_openssl.c:1345
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:77
ssl_pkt.h
tls_crypt_v2_extract_client_key
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:613
status
static SERVICE_STATUS status
Definition: interactive.c:53
packet_id_size
static int packet_id_size(bool long_form)
Definition: packet_id.h:310
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition: socket.c:2823
min_int
static int min_int(int x, int y)
Definition: integer.h:89
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1038
session_id_write_prepend
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition: session_id.h:67
P_ACK_V1
#define P_ACK_V1
Definition: ssl_pkt.h:46
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition: ssl_pkt.h:88
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:232
now
time_t now
Definition: otime.c:34
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition: ssl_pkt.c:529
P_CONTROL_V1
#define P_CONTROL_V1
Definition: ssl_pkt.h:45
config.h
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition: crypto_openssl.c:1186
ssl_common.h
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition: ssl_pkt.h:285
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
session
Definition: keyingmaterialexporter.c:56
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition: crypto_openssl.c:1038
reliable_ack_write
bool reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition: reliable.c:255
key_ctx::hmac
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:165
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition: ssl_pkt.h:93
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition: crypto.h:262
tls_wrap_ctx::mode
enum tls_wrap_ctx::@17 mode
Control channel wrapping mode.
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition: reliable.h:61
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition: ssl_pkt.h:95
msg
#define msg(flags,...)
Definition: error.h:144
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:221
tls_wrap_ctx::cleanup_key_ctx
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:279
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition: mtu.h:108
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:230
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition: ssl_pkt.h:234
tls_auth_standalone
Definition: ssl_pkt.h:77
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition: ssl_pkt.h:315
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:280