OpenVPN
ssl_pkt.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
30 #ifndef SSL_PKT_H
31 #define SSL_PKT_H
32 
33 #include "buffer.h"
34 #include "ssl_backend.h"
35 #include "ssl_common.h"
36 
37 /* packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte */
38 #define P_KEY_ID_MASK 0x07
39 #define P_OPCODE_SHIFT 3
40 
41 /* packet opcodes -- the V1 is intended to allow protocol changes in the future */
42 #define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
43 #define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
44 #define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
45 #define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
46 #define P_ACK_V1 5 /* acknowledgement for packets received */
47 #define P_DATA_V1 6 /* data channel packet */
48 #define P_DATA_V2 9 /* data channel packet with peer-id */
49 
50 /* indicates key_method >= 2 */
51 #define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
52 #define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
53 
54 /* indicates key_method >= 2 and client-specific tls-crypt key */
55 #define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
56 
57 /* Variant of P_CONTROL_V1 but with appended wrapped key
58  * like P_CONTROL_HARD_RESET_CLIENT_V3 */
59 #define P_CONTROL_WKC_V1 11
60 
61 /* define the range of legal opcodes
62  * Since we do no longer support key-method 1 we consider
63  * the v1 op codes invalid */
64 #define P_FIRST_OPCODE 3
65 #define P_LAST_OPCODE 11
66 
67 /*
68  * Define number of buffers for send and receive in the reliability layer.
69  */
70 #define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
71 #define TLS_RELIABLE_N_REC_BUFFERS 12
72 
73 /*
74  * Used in --mode server mode to check tls-auth signature on initial
75  * packets received from new clients.
76  */
78 {
80  struct frame frame;
81 };
82 
97 };
98 
105  struct buffer newbuf;
108 };
109 
115 
150 tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
151  struct tls_pre_decrypt_state *state,
152  const struct link_socket_actual *from,
153  const struct buffer *buf);
154 
155 /* Creates an SHA256 HMAC context with a random key that is used for the
156  * session id.
157  *
158  * We do not support loading this from a config file since continuing session
159  * between restarts of OpenVPN has never been supported and that includes
160  * early session setup.
161  */
163 
175 struct session_id
176 calculate_session_id_hmac(struct session_id client_sid,
177  const struct openvpn_sockaddr *from,
178  hmac_ctx_t *hmac,
179  int handwindow, int offset);
180 
190 bool
192  const struct openvpn_sockaddr *from,
193  hmac_ctx_t *hmac,
194  int handwindow);
195 
196 /*
197  * Write a control channel authentication record.
198  */
199 void
201  struct key_state *ks,
202  struct buffer *buf,
203  struct link_socket_actual **to_link_addr,
204  int opcode,
205  int max_ack,
206  bool prepend_ack);
207 
208 
209 /*
210  * Read a control channel authentication record.
211  */
212 bool
213 read_control_auth(struct buffer *buf,
214  struct tls_wrap_ctx *ctx,
215  const struct link_socket_actual *from,
216  const struct tls_options *opt);
217 
218 
225 struct buffer
227  struct tls_auth_standalone *tas,
228  struct session_id *own_sid,
229  struct session_id *remote_sid,
230  uint8_t header,
231  bool request_resend_wkc);
232 
233 static inline const char *
235 {
236  switch (op)
237  {
239  return "P_CONTROL_HARD_RESET_CLIENT_V1";
240 
242  return "P_CONTROL_HARD_RESET_SERVER_V1";
243 
245  return "P_CONTROL_HARD_RESET_CLIENT_V2";
246 
248  return "P_CONTROL_HARD_RESET_SERVER_V2";
249 
251  return "P_CONTROL_HARD_RESET_CLIENT_V3";
252 
254  return "P_CONTROL_SOFT_RESET_V1";
255 
256  case P_CONTROL_V1:
257  return "P_CONTROL_V1";
258 
259  case P_CONTROL_WKC_V1:
260  return "P_CONTROL_WKC_V1";
261 
262  case P_ACK_V1:
263  return "P_ACK_V1";
264 
265  case P_DATA_V1:
266  return "P_DATA_V1";
267 
268  case P_DATA_V2:
269  return "P_DATA_V2";
270 
271  default:
272  return "P_???";
273  }
274 }
275 
276 /* initial packet id (instead of 0) that indicates that the peer supports
277  * early protocol negotiation. This will make the packet id turn a bit faster
278  * but the network time part of the packet id takes care of that. And
279  * this is also a rather theoretical scenario as it still needs more than
280  * 2^31 control channel packets to happen */
281 #define EARLY_NEG_MASK 0xff000000
282 #define EARLY_NEG_START 0x0f000000
283 
284 
285 /* Early negotiation that part of the server response in the RESET_V2 packet.
286  * Since clients that announce early negotiation support will treat the payload
287  * of reset packets special and parse it as TLV messages.
288  * as TLV (type, length, value) */
289 #define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
290 #define EARLY_NEG_FLAG_RESEND_WKC 0x0001
291 #endif /* ifndef SSL_PKT_H */
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition: ssl_pkt.h:85
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition: ssl_pkt.c:430
P_DATA_V2
#define P_DATA_V2
Definition: ssl_pkt.h:48
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:471
ssl_backend.h
VERDICT_INVALID
@ VERDICT_INVALID
the packet failed on of the various checks
Definition: ssl_pkt.h:96
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:46
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl_pkt.h:42
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl_pkt.h:51
first_packet_verdict
first_packet_verdict
Definition: ssl_pkt.h:83
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl_pkt.c:309
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition: ssl_pkt.h:59
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition: ssl_pkt.h:89
openvpn_sockaddr
Definition: socket.h:65
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition: ssl_pkt.c:287
frame
Packet geometry parameters.
Definition: mtu.h:98
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition: ssl_pkt.h:107
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:195
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition: ssl_pkt.h:104
session_id
Definition: session_id.h:38
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl_pkt.c:170
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl_pkt.h:55
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl_pkt.h:44
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition: ssl_pkt.h:106
tls_options
Definition: ssl_common.h:284
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl_pkt.c:202
tls_pre_decrypt_state::newbuf
struct buffer newbuf
Definition: ssl_pkt.h:105
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:263
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition: ssl_pkt.h:103
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition: ssl_pkt.c:485
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition: ssl_pkt.c:527
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:460
buffer.h
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:79
P_ACK_V1
#define P_ACK_V1
Definition: ssl_pkt.h:46
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition: ssl_pkt.h:87
P_CONTROL_V1
#define P_CONTROL_V1
Definition: ssl_pkt.h:45
ssl_common.h
session
Definition: keyingmaterialexporter.c:56
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl_pkt.h:43
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition: ssl_pkt.h:92
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition: ssl_pkt.h:94
P_DATA_V1
#define P_DATA_V1
Definition: ssl_pkt.h:47
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl_pkt.h:52
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition: ssl_pkt.h:234
tls_auth_standalone
Definition: ssl_pkt.h:77