OpenVPN
ssl_pkt.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22#ifdef HAVE_CONFIG_H
23#include "config.h"
24#endif
25
26#include "syshead.h"
27
28#include "ssl_util.h"
29#include "ssl_pkt.h"
30#include "ssl_common.h"
31#include "crypto.h"
32#include "session_id.h"
33#include "reliable.h"
34#include "tls_crypt.h"
35
36/*
37 * Dependent on hmac size, opcode size, and session_id size.
38 * Will assert if too small.
39 */
40#define SWAP_BUF_SIZE 256
41
59static bool
60swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
61{
62 ASSERT(co);
63
64 const struct key_ctx *ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);
65 ASSERT(ctx->hmac);
66
67 {
68 /* hmac + packet_id (8 bytes) */
69 const int hmac_size = hmac_ctx_size(ctx->hmac) + packet_id_size(true);
70
71 /* opcode (1 byte) + session_id (8 bytes) */
72 const int osid_size = 1 + SID_SIZE;
73
74 int e1, e2;
75 uint8_t *b = BPTR(buf);
76 uint8_t buf1[SWAP_BUF_SIZE];
77 uint8_t buf2[SWAP_BUF_SIZE];
78
79 if (incoming)
80 {
81 e1 = osid_size;
82 e2 = hmac_size;
83 }
84 else
85 {
86 e1 = hmac_size;
87 e2 = osid_size;
88 }
89
90 ASSERT(e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
91
92 if (buf->len >= e1 + e2)
93 {
94 memcpy(buf1, b, e1);
95 memcpy(buf2, b + e1, e2);
96 memcpy(b, buf2, e2);
97 memcpy(b + e2, buf1, e1);
98 return true;
99 }
100 else
101 {
102 return false;
103 }
104 }
105}
106
107#undef SWAP_BUF_SIZE
108
118static void
119tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf,
120 struct session_id *session_id)
121{
122 if (ctx->mode == TLS_WRAP_AUTH || ctx->mode == TLS_WRAP_NONE)
123 {
125 ASSERT(buf_write_prepend(buf, &header, sizeof(header)));
126 }
127 if (ctx->mode == TLS_WRAP_AUTH)
128 {
129 struct buffer null = clear_buf();
130
131 /* no encryption, only write hmac */
132 openvpn_encrypt(buf, null, &ctx->opt);
133 ASSERT(swap_hmac(buf, &ctx->opt, false));
134 }
135 else if (ctx->mode == TLS_WRAP_CRYPT)
136 {
137 ASSERT(buf_init(&ctx->work, buf->offset));
138 ASSERT(buf_write(&ctx->work, &header, sizeof(header)));
140 if (!tls_crypt_wrap(buf, &ctx->work, &ctx->opt))
141 {
142 buf->len = 0;
143 return;
144 }
145
147 || (header >> P_OPCODE_SHIFT) == P_CONTROL_WKC_V1)
148 {
149 if (!buf_copy(&ctx->work, ctx->tls_crypt_v2_wkc))
150 {
151 msg(D_TLS_ERRORS, "Could not append tls-crypt-v2 client key");
152 buf->len = 0;
153 return;
154 }
155 }
156
157 /* Don't change the original data in buf, it's used by the reliability
158 * layer to resend on failure. */
159 *buf = ctx->work;
160 }
161}
162
163void
164write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf,
165 struct link_socket_actual **to_link_addr, int opcode, int max_ack,
166 bool prepend_ack)
167{
168 ASSERT(ks->key_id >= 0 && ks->key_id <= P_KEY_ID_MASK);
169 ASSERT(opcode >= 0 && opcode <= P_LAST_OPCODE);
170 uint8_t header = (uint8_t)(ks->key_id | (opcode << P_OPCODE_SHIFT));
171
172 /* Workaround for Softether servers. Softether has a bug that it only
173 * allows 4 ACks in packets and drops packets if more ACKs are contained
174 * in a packet (see commit 37aa1ba5 in Softether) */
175 if (session->tls_wrap.mode == TLS_WRAP_NONE && !session->opt->server
176 && !(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT))
177 {
178 max_ack = min_int(max_ack, 4);
179 }
180
183 prepend_ack));
184
185 msg(D_TLS_DEBUG, "%s(): %s", __func__, packet_opcode_name(opcode));
186
188 &session->session_id);
189
190 *to_link_addr = &ks->remote_addr;
191}
192
193bool
194read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx,
195 const struct link_socket_actual *from, const struct tls_options *opt)
196{
197 struct gc_arena gc = gc_new();
198 bool ret = false;
199
200 const uint8_t opcode = *(BPTR(buf)) >> P_OPCODE_SHIFT;
201 if ((opcode == P_CONTROL_HARD_RESET_CLIENT_V3 || opcode == P_CONTROL_WKC_V1)
202 && !tls_crypt_v2_extract_client_key(buf, ctx, opt))
203 {
204 msg(D_TLS_ERRORS, "TLS Error: can not extract tls-crypt-v2 client key from %s",
206 goto cleanup;
207 }
208
209 if (ctx->mode == TLS_WRAP_AUTH)
210 {
211 struct buffer null = clear_buf();
212
213 /* move the hmac record to the front of the packet */
214 if (!swap_hmac(buf, &ctx->opt, true))
215 {
216 msg(D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s",
218 gc_free(&gc);
219 return false;
220 }
221
222 /* authenticate only (no decrypt) and remove the hmac record
223 * from the head of the buffer */
224 openvpn_decrypt(buf, null, &ctx->opt, NULL, BPTR(buf));
225 if (!buf->len)
226 {
227 msg(D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s",
229 goto cleanup;
230 }
231 }
232 else if (ctx->mode == TLS_WRAP_CRYPT)
233 {
235 if (!tls_crypt_unwrap(buf, &tmp, &ctx->opt))
236 {
237 msg(D_TLS_ERRORS, "TLS Error: tls-crypt unwrapping failed from %s",
239 goto cleanup;
240 }
241 ASSERT(buf_init(buf, buf->offset));
242 ASSERT(buf_copy(buf, &tmp));
243 buf_clear(&tmp);
244 }
245 else if (ctx->tls_crypt_v2_server_key.cipher)
246 {
247 /* If tls-crypt-v2 is enabled, require *some* wrapping */
248 msg(D_TLS_ERRORS, "TLS Error: could not determine wrapping from %s",
250 /* TODO Do we want to support using tls-crypt-v2 and no control channel
251 * wrapping at all simultaneously? That would allow server admins to
252 * upgrade clients one-by-one without running a second instance, but we
253 * should not enable it by default because it breaks DoS-protection.
254 * So, add something like --tls-crypt-v2-allow-insecure-fallback ? */
255 goto cleanup;
256 }
257
258 if (ctx->mode == TLS_WRAP_NONE || ctx->mode == TLS_WRAP_AUTH)
259 {
260 /* advance buffer pointer past opcode & session_id since our caller
261 * already read it */
262 buf_advance(buf, SID_SIZE + 1);
263 }
264
265 ret = true;
266cleanup:
267 gc_free(&gc);
268 return ret;
269}
270
271void
281
282/*
283 * This function is similar to tls_pre_decrypt, except it is called
284 * when we are in server mode and receive an initial incoming
285 * packet. Note that we don't modify any state in our parameter
286 * objects except state. The purpose is solely to
287 * determine whether we should generate a client instance
288 * object, in which case true is returned.
289 *
290 * This function is essentially the first-line HMAC firewall
291 * on the UDP port listener in --mode server mode.
292 */
295 const struct link_socket_actual *from, const struct buffer *buf)
296{
297 struct gc_arena gc = gc_new();
298 /* A packet needs to have at least an opcode and session id */
299 if (BLENZ(buf) < 1 + SID_SIZE)
300 {
301 dmsg(D_TLS_STATE_ERRORS, "TLS State Error: Too short packet (length %d) received from %s",
302 buf->len, print_link_socket_actual(from, &gc));
303 goto error;
304 }
305
306 /* get opcode and key ID */
307 uint8_t pkt_firstbyte = *BPTR(buf);
308 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
309 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
310
311 /* this packet is from an as-yet untrusted source, so
312 * scrutinize carefully */
313
314 /* Allow only the reset packet or the first packet of the actual handshake. */
316 && op != P_CONTROL_V1 && op != P_CONTROL_WKC_V1 && op != P_ACK_V1)
317 {
318 /*
319 * This can occur due to bogus data or DoS packets.
320 */
321 dmsg(D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d",
322 print_link_socket_actual(from, &gc), op);
323 goto error;
324 }
325
326 if (key_id != 0)
327 {
329 "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id,
331 goto error;
332 }
333
334 /* read peer session id, we do this at this point since
335 * read_control_auth will skip over it */
336 struct buffer tmp = *buf;
337 buf_advance(&tmp, 1);
338 if (!session_id_read(&state->peer_session_id, &tmp)
340 {
341 msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
343 goto error;
344 }
345
346 state->newbuf = clone_buf(buf);
347 state->tls_wrap_tmp = tas->tls_wrap;
348
349 /* HMAC test and unwrapping the encrypted part of the control message
350 * into newbuf or just setting newbuf to point to the start of control
351 * message */
352 bool status = read_control_auth(&state->newbuf, &state->tls_wrap_tmp, from, NULL);
353
354 if (!status)
355 {
356 goto error;
357 }
358
359 /*
360 * At this point, if --tls-auth is being used, we know that
361 * the packet has passed the HMAC test, but we don't know if
362 * it is a replay yet. We will attempt to defeat replays
363 * by not advancing to the S_START state until we
364 * receive an ACK from our first reply to the client
365 * that includes an HMAC of our randomly generated 64 bit
366 * session ID.
367 *
368 * On the other hand if --tls-auth is not being used, we
369 * will proceed to begin the TLS authentication
370 * handshake with only cursory integrity checks having
371 * been performed, since we will be leaving the task
372 * of authentication solely up to TLS.
373 */
374 gc_free(&gc);
375 if (op == P_CONTROL_V1)
376 {
378 }
379 else if (op == P_ACK_V1)
380 {
382 }
383 else if (op == P_CONTROL_HARD_RESET_CLIENT_V3)
384 {
386 }
387 else if (op == P_CONTROL_WKC_V1)
388 {
390 }
391 else
392 {
394 }
395
396error:
398 gc_free(&gc);
399 return VERDICT_INVALID;
400}
401
402
403struct buffer
405 struct session_id *own_sid, struct session_id *remote_sid, uint8_t header,
406 bool request_resend_wkc)
407{
408 /* Copy buffer here to point at the same data but allow tls_wrap_control
409 * to potentially change buf to point to another buffer without
410 * modifying the buffer in tas */
411 struct buffer buf = tas->workbuf;
412 ASSERT(buf_init(&buf, tas->frame.buf.headroom));
413
414 /* Reliable ACK structure */
415 /* Length of the ACK structure - 1 ACK */
416 buf_write_u8(&buf, 1);
417
418 /* ACKed packet - first packet's id is always 0 */
419 buf_write_u32(&buf, 0);
420
421 /* Remote session id */
422 buf_write(&buf, remote_sid->id, SID_SIZE);
423
424 /* Packet ID of our own packet: Our reset packet is always using
425 * packet id 0 since it is the first packet */
427
428 ASSERT(buf_write(&buf, &net_pid, sizeof(net_pid)));
429
430 /* Add indication for tls-crypt-v2 to resend the WKc with the reply */
432 {
433 buf_write_u16(&buf, TLV_TYPE_EARLY_NEG_FLAGS); /* TYPE: flags */
434 buf_write_u16(&buf, sizeof(uint16_t));
436 }
437
438 /* Add tls-auth/tls-crypt wrapping, this might replace buf with
439 * ctx->work */
440 tls_wrap_control(ctx, header, &buf, own_sid);
441
442 return buf;
443}
444
447{
448 /* We assume that SHA256 is always available */
449 ASSERT(md_valid("SHA256"));
451
453 ASSERT(rand_bytes(key, sizeof(key)));
454
455 hmac_ctx_init(hmac_ctx, key, "SHA256");
456 return hmac_ctx;
457}
458
459struct session_id
460calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from,
461 hmac_ctx_t *hmac, int handwindow, int offset)
462{
463 union
464 {
465 uint8_t hmac_result[SHA256_DIGEST_LENGTH];
466 struct session_id sid;
467 } result;
468
469 /* Get the valid time quantisation for our hmac,
470 * we divide time by handwindow/2 and allow the previous
471 * and future session time if specified by offset */
472 uint32_t session_id_time = ntohl((uint32_t)(now / ((handwindow + 1) / 2) + offset));
473
474 hmac_ctx_reset(hmac);
475 /* We do not care about endian here since it does not need to be
476 * portable */
477 hmac_ctx_update(hmac, (const uint8_t *)&session_id_time, sizeof(session_id_time));
478
479 /* add client IP and port */
480 switch (from->addr.sa.sa_family)
481 {
482 case AF_INET:
483 hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in4, sizeof(struct sockaddr_in));
484 break;
485
486 case AF_INET6:
487 hmac_ctx_update(hmac, (const uint8_t *)&from->addr.in6, sizeof(struct sockaddr_in6));
488 break;
489 }
490
491 /* add session id of client */
492 hmac_ctx_update(hmac, client_sid.id, SID_SIZE);
493
494 hmac_ctx_final(hmac, result.hmac_result);
495
496 return result.sid;
497}
498
499bool
501 const struct openvpn_sockaddr *from,
502 hmac_ctx_t *hmac,
503 int handwindow,
504 bool pkt_is_ack)
505{
506 if (!from)
507 {
508 return false;
509 }
510
511 struct buffer buf = state->newbuf;
512 struct reliable_ack ack;
513
514 if (!reliable_ack_parse(&buf, &ack, &state->server_session_id))
515 {
516 return false;
517 }
518
519 /* Check if the packet ID of the packet or ACKED packet is <= 1 */
520 for (int i = 0; i < ack.len; i++)
521 {
522 /* This packet ACKs a packet that has a higher packet id than the
523 * ones expected in the three-way handshake, consider it as invalid
524 * for the session */
525 if (ack.packet_id[i] > 1)
526 {
527 return false;
528 }
529 }
530
531 if (!pkt_is_ack)
532 {
533 packet_id_type message_id;
534 /* Extract the packet ID from the packet */
535 if (!reliable_ack_read_packet_id(&buf, &message_id))
536 {
537 return false;
538 }
539
540 /* similar check. Anything larger than 1 is not considered part of the
541 * three-way handshake */
542 if (message_id > 1)
543 {
544 return false;
545 }
546 }
547
548
549 /* check adjacent timestamps too, the handwindow is split in 2 for the
550 * offset, so we check the current timeslot and the two before that */
551 for (int offset = -2; offset <= 0; offset++)
552 {
553 struct session_id expected_id =
554 calculate_session_id_hmac(state->peer_session_id, from, hmac, handwindow, offset);
555
556 if (memcmp_constant_time(&expected_id, &state->server_session_id, SID_SIZE) == 0)
557 {
558 return true;
559 }
560 }
561 return false;
562}
563
564struct buffer
566{
567 /* commands on the control channel are seperated by 0x00 bytes.
568 * cmdlen does not include the 0 byte of the string */
569 int cmdlen = (int)strnlen(BSTR(buf), BLENZ(buf));
570
571 if (cmdlen >= BLEN(buf))
572 {
573 buf_advance(buf, cmdlen);
574 /* Return empty buffer */
575 struct buffer empty = { 0 };
576 return empty;
577 }
578
579 /* include the NUL byte and ensure NUL termination */
580 cmdlen += 1;
581
582 /* Construct a buffer that only holds the current command and
583 * its closing NUL byte */
585 buf_write(&cmdbuf, BPTR(buf), cmdlen);
586
587 /* Remove \r and \n at the end of the buffer to avoid
588 * problems with scripts and other that add extra \r and \n */
590
591 /* check we have only printable characters or null byte in the
592 * command string and no newlines */
594 {
595 msg(D_PUSH_ERRORS, "WARNING: Received control with invalid characters: %s",
596 format_hex(BPTR(&cmdbuf), BLEN(&cmdbuf), 256, gc));
597 cmdbuf.len = 0;
598 }
599
600 buf_advance(buf, cmdlen);
601 return cmdbuf;
602}
void free_buf(struct buffer *buf)
Definition buffer.c:189
void buf_clear(struct buffer *buf)
Definition buffer.c:168
struct buffer clone_buf(const struct buffer *buf)
Definition buffer.c:115
bool string_check_buf(struct buffer *buf, const unsigned int inclusive, const unsigned int exclusive)
Check a buffer if it only consists of allowed characters.
Definition buffer.c:1092
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
void buf_chomp(struct buffer *buf)
Definition buffer.c:558
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:691
#define BSTR(buf)
Definition buffer.h:129
static struct buffer clear_buf(void)
Return an empty struct buffer.
Definition buffer.h:223
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:705
#define BPTR(buf)
Definition buffer.h:123
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:698
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:673
#define CC_CRLF
carriage return or newline
Definition buffer.h:915
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:415
static bool buf_advance(struct buffer *buf, ssize_t size)
Definition buffer.h:617
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:661
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:685
#define BLEN(buf)
Definition buffer.h:126
static char * format_hex(const uint8_t *data, size_t size, size_t maxoutput, struct gc_arena *gc)
Definition buffer.h:504
#define BLENZ(buf)
Definition buffer.h:127
#define CC_NULL
null character \0
Definition buffer.h:879
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
#define CC_PRINT
printable (>= 32, != 127)
Definition buffer.h:886
#define buf_init(buf, offset)
Definition buffer.h:210
static struct gc_arena gc_new(void)
Definition buffer.h:1041
static int buf_forward_capacity_total(const struct buffer *buf)
Definition buffer.h:558
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1100
Data Channel Cryptography Module.
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
hmac_ctx_t * hmac_ctx_new(void)
void hmac_ctx_reset(hmac_ctx_t *ctx)
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
bool md_valid(const char *digest)
Return if a message digest parameters is valid given the name of the digest.
int hmac_ctx_size(hmac_ctx_t *ctx)
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
#define SHA256_DIGEST_LENGTH
#define D_TLS_STATE_ERRORS
Definition errlevel.h:133
#define D_PUSH_ERRORS
Definition errlevel.h:66
#define D_TLS_ERRORS
Definition errlevel.h:58
#define D_TLS_DEBUG
Definition errlevel.h:164
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition ssl_pkt.c:294
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition crypto.c:329
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition crypto.c:779
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:109
bool reliable_ack_parse(struct buffer *buf, struct reliable_ack *ack, struct session_id *session_id_remote)
Parse an acknowledgment record from a received packet.
Definition reliable.c:166
bool reliable_ack_write(struct reliable_ack *ack, struct reliable_ack *ack_mru, struct buffer *buf, const struct session_id *sid, int max, bool prepend)
Write a packet ID acknowledgment record to a buffer.
Definition reliable.c:248
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition tls_crypt.c:610
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition tls_crypt.c:211
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition tls_crypt.c:138
static int min_int(int x, int y)
Definition integer.h:105
static SERVICE_STATUS status
Definition interactive.c:52
#define dmsg(flags,...)
Definition error.h:172
#define msg(flags,...)
Definition error.h:152
#define ASSERT(x)
Definition error.h:219
time_t now
Definition otime.c:33
#define htonpid(x)
Definition packet_id.h:61
uint32_t packet_id_type
Definition packet_id.h:45
static int packet_id_size(bool long_form)
Definition packet_id.h:322
Reliability Layer module header file.
static bool session_id_write_prepend(const struct session_id *sid, struct buffer *buf)
Definition session_id.h:65
static bool session_id_write(const struct session_id *sid, struct buffer *buf)
Definition session_id.h:71
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:53
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:59
#define SID_SIZE
Definition session_id.h:44
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
static bool link_socket_actual_defined(const struct link_socket_actual *act)
void tls_clear_error(void)
Clear the underlying SSL library's error state.
Control Channel Common Data Structures.
static void tls_wrap_control(struct tls_wrap_ctx *ctx, uint8_t header, struct buffer *buf, struct session_id *session_id)
Wraps a TLS control packet by adding tls-auth HMAC or tls-crypt(-v2) encryption and opcode header inc...
Definition ssl_pkt.c:119
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition ssl_pkt.c:460
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition ssl_pkt.c:272
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:164
static bool swap_hmac(struct buffer *buf, const struct crypto_options *co, bool incoming)
Move a packet authentication HMAC + related fields to or from the front of the buffer so it can be pr...
Definition ssl_pkt.c:60
hmac_ctx_t * session_id_hmac_init(void)
Definition ssl_pkt.c:446
struct buffer extract_command_buffer(struct buffer *buf, struct gc_arena *gc)
Extracts a control channel message from buf and adjusts the size of buf after the message has been ex...
Definition ssl_pkt.c:565
#define SWAP_BUF_SIZE
Definition ssl_pkt.c:40
bool check_session_hmac_and_pkt_id(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, bool pkt_is_ack)
Checks if a control packet has a correct HMAC server session id.
Definition ssl_pkt.c:500
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Read a control channel authentication record.
Definition ssl_pkt.c:194
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition ssl_pkt.c:404
SSL control channel wrap/unwrap and decode functions.
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:321
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:320
#define P_ACK_V1
Definition ssl_pkt.h:46
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:59
#define P_KEY_ID_MASK
Definition ssl_pkt.h:38
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:239
#define P_CONTROL_V1
Definition ssl_pkt.h:45
first_packet_verdict
Definition ssl_pkt.h:85
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition ssl_pkt.h:94
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition ssl_pkt.h:96
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition ssl_pkt.h:87
@ VERDICT_INVALID
the packet failed on of the various checks
Definition ssl_pkt.h:98
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition ssl_pkt.h:89
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition ssl_pkt.h:91
#define P_LAST_OPCODE
Definition ssl_pkt.h:65
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:290
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
SSL utility functions.
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
int offset
Offset in bytes of the actual content within the allocated memory.
Definition buffer.h:63
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:202
cipher_ctx_t * cipher
Generic cipher context.
Definition crypto.h:203
hmac_ctx_t * hmac
Generic HMAC context.
Definition crypto.h:204
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct link_socket_actual remote_addr
Definition ssl_common.h:235
struct reliable_ack * rec_ack
Definition ssl_common.h:247
struct session_id session_id_remote
Definition ssl_common.h:234
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
struct reliable_ack * lru_acks
Definition ssl_common.h:248
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:64
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
struct session_id peer_session_id
Definition ssl_pkt.h:109
struct session_id server_session_id
Definition ssl_pkt.h:110
struct buffer newbuf
Definition ssl_pkt.h:108
struct tls_wrap_ctx tls_wrap_tmp
Definition ssl_pkt.h:107
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:489
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition ssl_common.h:276
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition ssl_common.h:288
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
enum tls_wrap_ctx::@28 mode
Control channel wrapping mode.
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition ssl_common.h:285
const struct buffer * tls_crypt_v2_wkc
Wrapped client key, sent to server.
Definition ssl_common.h:286
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:298
static int cleanup(void **state)
struct gc_arena gc
Definition test_ssl.c:133