OpenVPN
ssl_pkt.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
30 #ifndef SSL_PKT_H
31 #define SSL_PKT_H
32 
33 #include "buffer.h"
34 #include "ssl_backend.h"
35 #include "ssl_common.h"
36 
37 /* packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte */
38 #define P_KEY_ID_MASK 0x07
39 #define P_OPCODE_SHIFT 3
40 
41 /* packet opcodes -- the V1 is intended to allow protocol changes in the future */
42 #define P_CONTROL_HARD_RESET_CLIENT_V1 1 /* initial key from client, forget previous state */
43 #define P_CONTROL_HARD_RESET_SERVER_V1 2 /* initial key from server, forget previous state */
44 #define P_CONTROL_SOFT_RESET_V1 3 /* new key, graceful transition from old to new key */
45 #define P_CONTROL_V1 4 /* control channel packet (usually TLS ciphertext) */
46 #define P_ACK_V1 5 /* acknowledgement for packets received */
47 #define P_DATA_V1 6 /* data channel packet */
48 #define P_DATA_V2 9 /* data channel packet with peer-id */
49 
50 /* indicates key_method >= 2 */
51 #define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */
52 #define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */
53 
54 /* indicates key_method >= 2 and client-specific tls-crypt key */
55 #define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */
56 
57 /* Variant of P_CONTROL_V1 but with appended wrapped key
58  * like P_CONTROL_HARD_RESET_CLIENT_V3 */
59 #define P_CONTROL_WKC_V1 11
60 
61 /* define the range of legal opcodes
62  * Since we do no longer support key-method 1 we consider
63  * the v1 op codes invalid */
64 #define P_FIRST_OPCODE 3
65 #define P_LAST_OPCODE 11
66 
67 /*
68  * Define number of buffers for send and receive in the reliability layer.
69  */
70 #define TLS_RELIABLE_N_SEND_BUFFERS 6 /* also window size for reliability layer */
71 #define TLS_RELIABLE_N_REC_BUFFERS 12
72 
73 /*
74  * Used in --mode server mode to check tls-auth signature on initial
75  * packets received from new clients.
76  */
78 {
80  struct buffer workbuf;
81  struct frame frame;
82 };
83 
98 };
99 
106  struct buffer newbuf;
109 };
110 
116 
151 tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
152  struct tls_pre_decrypt_state *state,
153  const struct link_socket_actual *from,
154  const struct buffer *buf);
155 
156 /* Creates an SHA256 HMAC context with a random key that is used for the
157  * session id.
158  *
159  * We do not support loading this from a config file since continuing session
160  * between restarts of OpenVPN has never been supported and that includes
161  * early session setup.
162  */
164 
176 struct session_id
177 calculate_session_id_hmac(struct session_id client_sid,
178  const struct openvpn_sockaddr *from,
179  hmac_ctx_t *hmac,
180  int handwindow, int offset);
181 
191 bool
193  const struct openvpn_sockaddr *from,
194  hmac_ctx_t *hmac,
195  int handwindow);
196 
197 /*
198  * Write a control channel authentication record.
199  */
200 void
202  struct key_state *ks,
203  struct buffer *buf,
204  struct link_socket_actual **to_link_addr,
205  int opcode,
206  int max_ack,
207  bool prepend_ack);
208 
209 
210 /*
211  * Read a control channel authentication record.
212  */
213 bool
214 read_control_auth(struct buffer *buf,
215  struct tls_wrap_ctx *ctx,
216  const struct link_socket_actual *from,
217  const struct tls_options *opt);
218 
219 
225 struct buffer
227  struct tls_auth_standalone *tas,
228  struct session_id *own_sid,
229  struct session_id *remote_sid,
230  uint8_t header,
231  bool request_resend_wkc);
232 
233 static inline const char *
235 {
236  switch (op)
237  {
239  return "P_CONTROL_HARD_RESET_CLIENT_V1";
240 
242  return "P_CONTROL_HARD_RESET_SERVER_V1";
243 
245  return "P_CONTROL_HARD_RESET_CLIENT_V2";
246 
248  return "P_CONTROL_HARD_RESET_SERVER_V2";
249 
251  return "P_CONTROL_HARD_RESET_CLIENT_V3";
252 
254  return "P_CONTROL_SOFT_RESET_V1";
255 
256  case P_CONTROL_V1:
257  return "P_CONTROL_V1";
258 
259  case P_CONTROL_WKC_V1:
260  return "P_CONTROL_WKC_V1";
261 
262  case P_ACK_V1:
263  return "P_ACK_V1";
264 
265  case P_DATA_V1:
266  return "P_DATA_V1";
267 
268  case P_DATA_V2:
269  return "P_DATA_V2";
270 
271  default:
272  return "P_???";
273  }
274 }
275 
284 static inline struct tls_wrap_ctx *
286 {
287  /* OpenVPN has the hardcoded assumption in its protocol that
288  * key-id 0 is always first session and renegotiations use key-id
289  * 1 to 7 and wrap around to 1 after that. So key-id > 0 is equivalent
290  * to "this is a renegotiation"
291  */
292  if (key_id > 0 && session->tls_wrap_reneg.mode == TLS_WRAP_CRYPT)
293  {
294  return &session->tls_wrap_reneg;
295  }
296  else
297  {
298  return &session->tls_wrap;
299  }
300 }
301 
302 /* initial packet id (instead of 0) that indicates that the peer supports
303  * early protocol negotiation. This will make the packet id turn a bit faster
304  * but the network time part of the packet id takes care of that. And
305  * this is also a rather theoretical scenario as it still needs more than
306  * 2^31 control channel packets to happen */
307 #define EARLY_NEG_MASK 0xff000000
308 #define EARLY_NEG_START 0x0f000000
309 
310 
311 /* Early negotiation that part of the server response in the RESET_V2 packet.
312  * Since clients that announce early negotiation support will treat the payload
313  * of reset packets special and parse it as TLV messages.
314  * as TLV (type, length, value) */
315 #define TLV_TYPE_EARLY_NEG_FLAGS 0x0001
316 #define EARLY_NEG_FLAG_RESEND_WKC 0x0001
317 #endif /* ifndef SSL_PKT_H */
VERDICT_VALID_RESET_V2
@ VERDICT_VALID_RESET_V2
This packet is a valid reset packet from the peer (all but tls-crypt-v2)
Definition: ssl_pkt.h:86
tls_reset_standalone
struct buffer tls_reset_standalone(struct tls_wrap_ctx *ctx, struct tls_auth_standalone *tas, struct session_id *own_sid, struct session_id *remote_sid, uint8_t header, bool request_resend_wkc)
This function creates a reset packet using the information from the tls pre decrypt state.
Definition: ssl_pkt.c:428
P_DATA_V2
#define P_DATA_V2
Definition: ssl_pkt.h:48
session_id_hmac_init
hmac_ctx_t * session_id_hmac_init(void)
Definition: ssl_pkt.c:473
ssl_backend.h
VERDICT_INVALID
@ VERDICT_INVALID
the packet failed on of the various checks
Definition: ssl_pkt.h:97
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:46
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition: ssl_pkt.h:42
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition: ssl_pkt.h:51
first_packet_verdict
first_packet_verdict
Definition: ssl_pkt.h:84
tls_pre_decrypt_lite
enum first_packet_verdict tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, struct tls_pre_decrypt_state *state, const struct link_socket_actual *from, const struct buffer *buf)
Inspect an incoming packet for which no VPN tunnel is active, and determine whether a new VPN tunnel ...
Definition: ssl_pkt.c:307
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition: ssl_pkt.h:59
VERDICT_VALID_CONTROL_V1
@ VERDICT_VALID_CONTROL_V1
This packet is a valid control packet from the peer.
Definition: ssl_pkt.h:90
openvpn_sockaddr
Definition: socket.h:65
free_tls_pre_decrypt_state
void free_tls_pre_decrypt_state(struct tls_pre_decrypt_state *state)
Definition: ssl_pkt.c:285
tls_wrap_ctx::TLS_WRAP_CRYPT
@ TLS_WRAP_CRYPT
Control channel encryption and authentication.
Definition: ssl_common.h:271
tls_auth_standalone::workbuf
struct buffer workbuf
Definition: ssl_pkt.h:80
frame
Packet geometry parameters.
Definition: mtu.h:98
tls_pre_decrypt_state::server_session_id
struct session_id server_session_id
Definition: ssl_pkt.h:108
key_state
Security parameter state of one TLS and data channel key session.
Definition: ssl_common.h:198
tls_pre_decrypt_state::tls_wrap_tmp
struct tls_wrap_ctx tls_wrap_tmp
Definition: ssl_pkt.h:105
session_id
Definition: session_id.h:38
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition: ssl_pkt.c:168
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition: ssl_pkt.h:55
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition: ssl_pkt.h:44
tls_pre_decrypt_state::peer_session_id
struct session_id peer_session_id
Definition: ssl_pkt.h:107
tls_options
Definition: ssl_common.h:296
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition: ssl_pkt.c:200
tls_pre_decrypt_state::newbuf
struct buffer newbuf
Definition: ssl_pkt.h:106
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:266
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition: ssl_pkt.h:104
calculate_session_id_hmac
struct session_id calculate_session_id_hmac(struct session_id client_sid, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow, int offset)
Calculates the HMAC based server session id based on a client session id and socket addr.
Definition: ssl_pkt.c:487
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
check_session_id_hmac
bool check_session_id_hmac(struct tls_pre_decrypt_state *state, const struct openvpn_sockaddr *from, hmac_ctx_t *hmac, int handwindow)
Checks if a control packet has a correct HMAC server session id.
Definition: ssl_pkt.c:529
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
buffer.h
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition: ssl_pkt.h:79
P_ACK_V1
#define P_ACK_V1
Definition: ssl_pkt.h:46
VERDICT_VALID_RESET_V3
@ VERDICT_VALID_RESET_V3
This is a valid v3 reset (tls-crypt-v2)
Definition: ssl_pkt.h:88
P_CONTROL_V1
#define P_CONTROL_V1
Definition: ssl_pkt.h:45
ssl_common.h
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition: ssl_pkt.h:285
session
Definition: keyingmaterialexporter.c:56
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition: ssl_pkt.h:43
VERDICT_VALID_ACK_V1
@ VERDICT_VALID_ACK_V1
This packet is a valid ACK control packet from the peer, i.e.
Definition: ssl_pkt.h:93
VERDICT_VALID_WKC_V1
@ VERDICT_VALID_WKC_V1
The packet is a valid control packet with appended wrapped client key.
Definition: ssl_pkt.h:95
P_DATA_V1
#define P_DATA_V1
Definition: ssl_pkt.h:47
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition: ssl_pkt.h:52
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition: ssl_pkt.h:234
tls_auth_standalone
Definition: ssl_pkt.h:77