OpenVPN
ssl_pkt.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include "ssl_util.h"
30#include "ssl_pkt.h"
31#include "ssl_common.h"
32#include "crypto.h"
33#include "session_id.h"
34#include "reliable.h"
35#include "tls_crypt.h"
36
37/*
38 * Dependent on hmac size, opcode size, and session_id size.
39 * Will assert if too small.
40 */
41#define SWAP_BUF_SIZE 256
42
60static bool
61swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
62{
63 ASSERT(co);
64
65 const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt :
66 &co->key_ctx_bi.encrypt);
67 ASSERT(ctx->hmac);
68
69 {
70 /* hmac + packet_id (8 bytes) */
71 const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
72
73 /* opcode (1 byte) + session_id (8 bytes) */
74 const int osid_size = 1 + SID_SIZE;
75
76 int e1, e2;
77 uint8_t *b = BPTR(buf);
78 uint8_t buf1[SWAP_BUF_SIZE];
79 uint8_t buf2[SWAP_BUF_SIZE];
80
81 if (incoming)
82 {
83 e1 = osid_size;
84 e2 = hmac_size;
85 }
86 else
87 {
88 e1 = hmac_size;
89 e2 = osid_size;
90 }
91
92 ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
93
94 if (buf->len >= e1 + e2)
95 {
96 memcpy(buf1, b, e1);
97 memcpy(buf2, b + e1, e2);
98 memcpy(b, buf2, e2);
99 memcpy(b + e2, buf1, e1);
100 return true;
101 }
102 else
103 {
104 return false;
105 }
106 }
107}
108
109#undef SWAP_BUF_SIZE
110
120static void
121tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf,
122 struct session_id *session_id)
123{
124 if (ctx->mode == TLS_WRAP_AUTH
125 || ctx->mode == TLS_WRAP_NONE)
126 {
127 ASSERT(session_id_write_prepend(session_id, buf));
128 ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
129 }
130 if (ctx->mode == TLS_WRAP_AUTH)
131 {
132 struct buffer null = clear_buf();
133
134 /* no encryption, only write hmac */
135 openvpn_encrypt(buf, null, &ctx->opt);
136 ASSERT(swap_hmac(buf, &ctx->opt, false));
137 }
138 else if (ctx->mode == TLS_WRAP_CRYPT)
139 {
140 ASSERT(buf_init(&ctx->work, buf->offset));
141 ASSERT(buf_write(&ctx->work, &header, sizeof(header)));
142 ASSERT(session_id_write(session_id, &ctx->work));
143 if (!tls_crypt_wrap(buf, &ctx->work, &ctx->opt))
144 {
145 buf->len = 0;
146 return;
147 }
148
149 if ((header >> P_OPCODE_SHIFT) == P_CONTROL_HARD_RESET_CLIENT_V3
150 || (header >> P_OPCODE_SHIFT) == P_CONTROL_WKC_V1)
151 {
152 if (!buf_copy(&ctx->work,
153 ctx->tls_crypt_v2_wkc))
154 {
155 msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
156 buf->len = 0;
157 return;
158 }
159 }
160
161 /* Don't change the original data in buf, it's used by the reliability
162 * layer to resend on failure. */
163 *buf = ctx->work;
164 }
165}
166
167void
168write_control_auth(struct tls_session *session,
169 struct key_state *ks,
170 struct buffer *buf,
171 struct link_socket_actual **to_link_addr,
172 int opcode,
173 int max_ack,
174 bool prepend_ack)
175{
176 uint8_t header = ks->key_id | (opcode << P_OPCODE_SHIFT);
177
178 /* Workaround for Softether servers. Softether has a bug that it only
179 * allows 4 ACks in packets and drops packets if more ACKs are contained
180 * in a packet (see commit 37aa1ba5 in Softether) */
181 if (session->tls_wrap.mode == TLS_WRAP_NONE && !session->opt->server
182 && !(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT))
183 {
184 max_ack = min_int(max_ack, 4);
185 }
186
187 ASSERT(link_socket_actual_defined(&ks->remote_addr));
188 ASSERT(reliable_ack_write
189 (ks->rec_ack, ks->lru_acks, buf, &ks->session_id_remote,
190 max_ack, prepend_ack));
191
192 msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
193
194 tls_wrap_control(tls_session_get_tls_wrap(session, ks->key_id), header, buf, &session->session_id);
195
196 *to_link_addr = &ks->remote_addr;
197}
198
199bool
200read_control_auth(struct buffer *buf,
201 struct tls_wrap_ctx *ctx,
202 const struct link_socket_actual *from,
203 const struct tls_options *opt,
204 bool initial_packet)
205{
206 struct gc_arena gc = gc_new();
207 bool ret = false;
208
209 const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
210 if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3
211 || opcode == P_CONTROL_WKC_V1)
212 && !tls_crypt_v2_extract_client_key(buf, ctx, opt, initial_packet))
213 {
214 msg(D_TLS_ERRORS,
215 "TLS Error: can not extract tls-crypt-v2 client key from %s",
216 print_link_socket_actual(from, &gc));
217 goto cleanup;
218 }
219
220 if (ctx->mode == TLS_WRAP_AUTH)
221 {
222 struct buffer null = clear_buf();
223
224 /* move the hmac record to the front of the packet */
225 if (!swap_hmac(buf, &ctx->opt, true))
226 {
227 msg(D_TLS_ERRORS,
228 "TLS Error: cannot locate HMAC in incoming packet from %s",
229 print_link_socket_actual(from, &gc));
230 gc_free(&gc);
231 return false;
232 }
233
234 /* authenticate only (no decrypt) and remove the hmac record
235 * from the head of the buffer */
236 openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
237 if (!buf->len)
238 {
239 msg(D_TLS_ERRORS,
240 "TLS Error: incoming packet authentication failed from %s",
241 print_link_socket_actual(from, &gc));
242 goto cleanup;
243 }
244
245 }
246 else if (ctx->mode == TLS_WRAP_CRYPT)
247 {
248 struct buffer tmp = alloc_buf_gc(buf_forward_capacity_total(buf), &gc);
249 if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
250 {
251 msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
252 print_link_socket_actual(from, &gc));
253 goto cleanup;
254 }
255 ASSERT(buf_init(buf, buf->offset));
256 ASSERT(buf_copy(buf, &tmp));
257 buf_clear(&tmp);
258 }
259 else if (ctx->tls_crypt_v2_server_key.cipher)
260 {
261 /* If tls-crypt-v2 is enabled, require *some* wrapping */
262 msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
263 print_link_socket_actual(from, &gc));
264 /* TODO Do we want to support using tls-crypt-v2 and no control channel
265 * wrapping at all simultaneously? That would allow server admins to
266 * upgrade clients one-by-one without running a second instance, but we
267 * should not enable it by default because it breaks DoS-protection.
268 * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
269 goto cleanup;
270 }
271
272 if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
273 {
274 /* advance buffer pointer past opcode & session_id since our caller
275 * already read it */
276 buf_advance(buf, SID_SIZE + 1);
277 }
278
279 ret = true;
280cleanup:
281 gc_free(&gc);
282 return ret;
283}
284
285void
295
296/*
297 * This function is similar to tls_pre_decrypt, except it is called
298 * when we are in server mode and receive an initial incoming
299 * packet. Note that we don't modify
300 * any state in our parameter objects. The purpose is solely to
301 * determine whether we should generate a client instance
302 * object, in which case true is returned.
303 *
304 * This function is essentially the first-line HMAC firewall
305 * on the UDP port listener in --mode server mode.
306 */
307enum first_packet_verdict
308tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
309 struct tls_pre_decrypt_state *state,
310 const struct link_socket_actual *from,
311 const struct buffer *buf)
312{
313 struct gc_arena gc = gc_new();
314 /* A packet needs to have at least an opcode and session id */
315 if (buf->len < (1 + SID_SIZE))
316 {
317 dmsg(D_TLS_STATE_ERRORS,
318 "TLS State Error: Too short packet (length %d) received from %s",
319 buf->len, print_link_socket_actual(from, &gc));
320 goto error;
321 }
322
323 /* get opcode and key ID */
324 uint8_t pkt_firstbyte = *BPTR(buf);
325 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
326 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
327
328 /* this packet is from an as-yet untrusted source, so
329 * scrutinize carefully */
330
331 /* Allow only the reset packet or the first packet of the actual handshake. */
332 if (op != P_CONTROL_HARD_RESET_CLIENT_V2
333 && op != P_CONTROL_HARD_RESET_CLIENT_V3
334 && op != P_CONTROL_V1
335 && op != P_CONTROL_WKC_V1
336 && op != P_ACK_V1)
337 {
338 /*
339 * This can occur due to bogus data or DoS packets.
340 */
341 dmsg(D_TLS_STATE_ERRORS,
342 "TLS State Error: No TLS state for client %s, opcode=%d",
343 print_link_socket_actual(from, &gc),
344 op);
345 goto error;
346 }
347
348 if (key_id != 0)
349 {
350 dmsg(D_TLS_STATE_ERRORS,
351 "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
352 key_id,
353 print_link_socket_actual(from, &gc));
354 goto error;
355 }
356
357 /* read peer session id, we do this at this point since
358 * read_control_auth will skip over it */
359 struct buffer tmp = *buf;
360 buf_advance(&tmp, 1);
361 if (!session_id_read(&state->peer_session_id, &tmp)
362 || !session_id_defined(&state->peer_session_id))
363 {
364 msg(D_TLS_ERRORS,
365 "TLS Error: session-id not found in packet from %s",
366 print_link_socket_actual(from, &gc));
367 goto error;
368 }
369
370 state->newbuf = clone_buf(buf);
371 state->tls_wrap_tmp = tas->tls_wrap;
372
373 /* HMAC test and unwrapping the encrypted part of the control message
374 * into newbuf or just setting newbuf to point to the start of control
375 * message */
376 bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp,
377 from, NULL, true);
378
379 if (!status)
380 {
381 goto error;
382 }
383
384 /*
385 * At this point, if --tls-auth is being used, we know that
386 * the packet has passed the HMAC test, but we don't know if
387 * it is a replay yet. We will attempt to defeat replays
388 * by not advancing to the S_START state until we
389 * receive an ACK from our first reply to the client
390 * that includes an HMAC of our randomly generated 64 bit
391 * session ID.
392 *
393 * On the other hand if --tls-auth is not being used, we
394 * will proceed to begin the TLS authentication
395 * handshake with only cursory integrity checks having
396 * been performed, since we will be leaving the task
397 * of authentication solely up to TLS.
398 */
399 gc_free(&gc);
400 if (op == P_CONTROL_V1)
401 {
402 return VERDICT_VALID_CONTROL_V1;
403 }
404 else if (op == P_ACK_V1)
405 {
406 return VERDICT_VALID_ACK_V1;
407 }
408 else if (op == P_CONTROL_HARD_RESET_CLIENT_V3)
409 {
410 return VERDICT_VALID_RESET_V3;
411 }
412 else if (op == P_CONTROL_WKC_V1)
413 {
414 return VERDICT_VALID_WKC_V1;
415 }
416 else
417 {
418 return VERDICT_VALID_RESET_V2;
419 }
420
421error:
422 tls_clear_error();
423 gc_free(&gc);
424 return VERDICT_INVALID;
425}
426
427
428struct buffer
429tls_reset_standalone(struct tls_wrap_ctx *ctx,
430 struct tls_auth_standalone *tas,
431 struct session_id *own_sid,
432 struct session_id *remote_sid,
433 uint8_t header,
434 bool request_resend_wkc)
435{
436 /* Copy buffer here to point at the same data but allow tls_wrap_control
437 * to potentially change buf to point to another buffer without
438 * modifying the buffer in tas */
439 struct buffer buf = tas->workbuf;
440 ASSERT(buf_init(&buf, tas->frame.buf.headroom));
441
442 /* Reliable ACK structure */
443 /* Length of the ACK structure - 1 ACK */
444 buf_write_u8(&buf, 1);
445
446 /* ACKed packet - first packet's id is always 0 */
447 buf_write_u32(&buf, 0);
448
449 /* Remote session id */
450 buf_write(&buf, remote_sid->id, SID_SIZE);
451
452 /* Packet ID of our own packet: Our reset packet is always using
453 * packet id 0 since it is the first packet */
454 packet_id_type net_pid = htonpid(0);
455
456 ASSERT(buf_write(&buf, &net_pid, sizeof(net_pid)));
457
458 /* Add indication for tls-crypt-v2 to resend the WKc with the reply */
459 if (request_resend_wkc)
460 {
461 buf_write_u16(&buf, TLV_TYPE_EARLY_NEG_FLAGS); /* TYPE: flags */
462 buf_write_u16(&buf, sizeof(uint16_t));
463 buf_write_u16(&buf, EARLY_NEG_FLAG_RESEND_WKC);
464 }
465
466 /* Add tls-auth/tls-crypt wrapping, this might replace buf with
467 * ctx->work */
468 tls_wrap_control(ctx, header, &buf, own_sid);
469
470 return buf;
471}
472
473hmac_ctx_t *
474session_id_hmac_init(void)
475{
476 /* We assume that SHA256 is always available */
477 ASSERT(md_valid("SHA256"));
478 hmac_ctx_t *hmac_ctx = hmac_ctx_new();
479
480 uint8_t key[SHA256_DIGEST_LENGTH];
481 ASSERT(rand_bytes(key, sizeof(key)));
482
483 hmac_ctx_init(hmac_ctx, key, "SHA256");
484 return hmac_ctx;
485}
486
487struct session_id
488calculate_session_id_hmac(struct session_id client_sid,
489 const struct openvpn_sockaddr *from,
490 hmac_ctx_t *hmac,
491 int handwindow, int offset)
492{
493 union {
494 uint8_t hmac_result[SHA256_DIGEST_LENGTH];
495 struct session_id sid;
496 } result;
497
498 /* Get the valid time quantisation for our hmac,
499 * we divide time by handwindow/2 and allow the previous
500 * and future session time if specified by offset */
501 uint32_t session_id_time = ntohl(now/((handwindow+1)/2) + offset);
502
503 hmac_ctx_reset(hmac);
504 /* We do not care about endian here since it does not need to be
505 * portable */
506 hmac_ctx_update(hmac, (const uint8_t *) &session_id_time,
507 sizeof(session_id_time));
508
509 /* add client IP and port */
510 switch (from->addr.sa.sa_family)
511 {
512 case AF_INET:
513 hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in4, sizeof(struct sockaddr_in));
514 break;
515
516 case AF_INET6:
517 hmac_ctx_update(hmac, (const uint8_t *) &from->addr.in6, sizeof(struct sockaddr_in6));
518 break;
519 }
520
521 /* add session id of client */
522 hmac_ctx_update(hmac, client_sid.id, SID_SIZE);
523
524 hmac_ctx_final(hmac, result.hmac_result);
525
526 return result.sid;
527}
528
529bool
530check_session_id_hmac(struct tls_pre_decrypt_state *state,
531 const struct openvpn_sockaddr *from,
532 hmac_ctx_t *hmac,
533 int handwindow)
534{
535 if (!from)
536 {
537 return false;
538 }
539
540 struct buffer buf = state->newbuf;
541 struct reliable_ack ack;
542
543 if (!reliable_ack_parse(&buf, &ack, &state->server_session_id))
544 {
545 return false;
546 }
547
548 /* check adjacent timestamps too */
549 for (int offset = -2; offset <= 1; offset++)
550 {
551 struct session_id expected_id =
552 calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset);
553
554 if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE))
555 {
556 return true;
557 }
558 }
559 return false;
560}
561
562struct buffer
563extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
564{
565 /* commands on the control channel are seperated by 0x00 bytes.
566 * cmdlen does not include the 0 byte of the string */
567 int cmdlen = (int)strnlen(BSTR(buf), BLEN(buf));
568
569 if (cmdlen >= BLEN(buf))
570 {
571 buf_advance(buf, cmdlen);
572 /* Return empty buffer */
573 struct buffer empty = { 0 };
574 return empty;
575 }
576
577 /* include the NUL byte and ensure NUL termination */
578 cmdlen += 1;
579
580 /* Construct a buffer that only holds the current command and
581 * its closing NUL byte */
582 struct buffer cmdbuf = alloc_buf_gc(cmdlen, gc);
583 buf_write(&cmdbuf, BPTR(buf), cmdlen);
584
585 /* Remove \r and \n at the end of the buffer to avoid
586 * problems with scripts and other that add extra \r and \n */
587 buf_chomp(&cmdbuf);
588
589 /* check we have only printable characters or null byte in the
590 * command string and no newlines */
591 if (!string_check_buf(&cmdbuf, CC_PRINT | CC_NULL, CC_CRLF))
592 {
593 msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
594 format_hex(BPTR(&cmdbuf), BLEN(&cmdbuf), 256, gc));
595 cmdbuf.len = 0;
596 }
597
598 buf_advance(buf, cmdlen);
599 return cmdbuf;
600}
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
clone_buf
struct buffer clone_buf(const struct buffer *buf)
Definition buffer.c:115
string_check_buf
bool string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
Check a buffer if it only consists of allowed characters.
Definition buffer.c:1073
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
buf_chomp
void buf_chomp(struct buffer *buf)
Definition buffer.c:554
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:698
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition buffer.h:505
BSTR
#define BSTR(buf)
Definition buffer.h:129
clear_buf
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition buffer.h:222
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:705
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:680
CC_CRLF
#define CC_CRLF
carriage return or newline
Definition buffer.h:920
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:668
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:692
BLEN
#define BLEN(buf)
Definition buffer.h:127
CC_NULL
#define CC_NULL
null character \0
Definition buffer.h:884
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
CC_PRINT
#define CC_PRINT
printable (>= 32, != 127)
Definition buffer.h:891
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
buf_forward_capacity_total
static int buf_forward_capacity_total(const struct buffer *buf)
Definition buffer.h:559
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1125
crypto.h
Data Channel Cryptography Module.
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
memcmp_constant_time
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition crypto_openssl.c:1346
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition crypto_openssl.c:1187
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
md_valid
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
Definition crypto_openssl.c:1039
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:593
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition crypto_mbedtls.h:48
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:79
D_TLS_STATE_ERRORS
#define D_TLS_STATE_ERRORS
Definition errlevel.h:134
D_PUSH_ERRORS
#define D_PUSH_ERRORS
Definition errlevel.h:67
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:165
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition ssl_pkt.c:308
openvpn_encrypt
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition crypto.c:336
openvpn_decrypt
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition crypto.c:794
reliable_ack_parse
bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, struct session_id *session_id_remote)
Parse an acknowledgment record from a received packet.
Definition reliable.c:173
reliable_ack_write
bool reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition reliable.c:255
tls_crypt_v2_extract_client_key
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt, bool initial_packet)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition tls_crypt.c:615
tls_crypt_unwrap
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition tls_crypt.c:220
tls_crypt_wrap
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition tls_crypt.c:143
min_int
static int min_int(int x, int y)
Definition integer.h:102
status
static SERVICE_STATUS status
Definition interactive.c:53
dmsg
#define dmsg(flags,...)
Definition error.h:148
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
now
time_t now
Definition otime.c:34
htonpid
#define htonpid(x)
Definition packet_id.h:62
packet_id_type
uint32_t packet_id_type
Definition packet_id.h:46
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:316
reliable.h
Reliability Layer module header file.
session_id.h
session_id_write_prepend
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition session_id.h:67
session_id_write
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition session_id.h:73
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:55
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:61
SID_SIZE
#define SID_SIZE
Definition session_id.h:45
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket.c:2916
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket.h:726
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
ssl_common.h
Control Channel Common Data Structures.
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition ssl_pkt.c:530
tls_wrap_control
static void tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, struct session_id *session_id)
Wraps a TLS control packet by adding tls-auth HMAC or tls-crypt(-v2) encryption and opcode header inc...
Definition ssl_pkt.c:121
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition ssl_pkt.c:488
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition ssl_pkt.c:286
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:168
swap_hmac
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Move a packet authentication HMAC + related fields to or from the front of the buffer so it can be pr...
Definition ssl_pkt.c:61
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:474
extract_command_buffer
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition ssl_pkt.c:563
SWAP_BUF_SIZE
#define SWAP_BUF_SIZE
Definition ssl_pkt.c:41
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt, bool initial_packet)
Read a control channel authentication record.
Definition ssl_pkt.c:200
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition ssl_pkt.c:429
ssl_pkt.h
SSL control channel wrap/unwrap and decode functions.
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:339
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:40
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:338
P_ACK_V1
#define P_ACK_V1
Definition ssl_pkt.h:47
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:60
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition ssl_pkt.h:39
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:257
P_CONTROL_V1
#define P_CONTROL_V1
Definition ssl_pkt.h:46
first_packet_verdict
first_packet_verdict
Definition ssl_pkt.h:85
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition ssl_pkt.h:94
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition ssl_pkt.h:96
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition ssl_pkt.h:87
VERDICT_INVALID
@ VERDICT_INVALID
the packet failed on of the various checks
Definition ssl_pkt.h:98
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition ssl_pkt.h:89
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition ssl_pkt.h:91
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:52
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:308
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:56
ssl_util.h
SSL utility functions.
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
buffer::offset
int offset
Offset in bytes of the actual content within the allocated memory.
Definition buffer.h:64
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:282
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:280
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:201
key_ctx::cipher
cipher_ctx_t * cipher
Generic cipher context.
Definition crypto.h:202
key_ctx::hmac
hmac_ctx_t * hmac
Generic HMAC context.
Definition crypto.h:203
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:203
key_state::remote_addr
struct link_socket_actual remote_addr
Definition ssl_common.h:230
key_state::rec_ack
struct reliable_ack * rec_ack
Definition ssl_common.h:242
key_state::session_id_remote
struct session_id session_id_remote
Definition ssl_common.h:229
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:212
key_state::lru_acks
struct reliable_ack * lru_acks
Definition ssl_common.h:243
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
link_socket_actual
Definition socket.h:87
openvpn_sockaddr
Definition socket.h:66
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:62
reliable_ack::len
int len
Definition reliable.h:63
session_id
Definition session_id.h:39
tls_auth_standalone
Definition ssl_pkt.h:79
tls_options
Definition ssl_common.h:301
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:105
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition ssl_pkt.h:108
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition ssl_pkt.h:109
tls_pre_decrypt_state::newbuf
struct buffer newbuf
Definition ssl_pkt.h:107
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition ssl_pkt.h:106
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:483
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition ssl_common.h:271
tls_wrap_ctx::tls_crypt_v2_metadata
struct buffer tls_crypt_v2_metadata
Received from client.
Definition ssl_common.h:282
tls_wrap_ctx::cleanup_key_ctx
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition ssl_common.h:283
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:277
tls_wrap_ctx::mode
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
tls_wrap_ctx::work
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:278
tls_wrap_ctx::tls_crypt_v2_server_key
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:279
tls_wrap_ctx::tls_crypt_v2_wkc
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:280
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:290
gc
struct gc_arena gc
Definition test_ssl.c:155
tls_crypt.h
Generated by doxygen 1.9.8