OpenVPN
ssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10 * Copyright (C) 2008-2024 David Sommerseth <dazo@eurephia.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
31/*
32 * The routines in this file deal with dynamically negotiating
33 * the data channel HMAC and cipher keys through a TLS session.
34 *
35 * Both the TLS session and the data channel are multiplexed
36 * over the same TCP/UDP port.
37 */
38#ifdef HAVE_CONFIG_H
39#include "config.h"
40#endif
41
42#include "syshead.h"
43#include "win32.h"
44
45#include "error.h"
46#include "common.h"
47#include "socket.h"
48#include "misc.h"
49#include "fdmisc.h"
50#include "interval.h"
51#include "perf.h"
52#include "status.h"
53#include "gremlin.h"
54#include "pkcs11.h"
55#include "route.h"
56#include "tls_crypt.h"
57
58#include "crypto_epoch.h"
59#include "ssl.h"
60#include "ssl_verify.h"
61#include "ssl_backend.h"
62#include "ssl_ncp.h"
63#include "ssl_util.h"
64#include "auth_token.h"
65#include "mss.h"
66#include "dco.h"
67
68#include "memdbg.h"
69#include "openvpn.h"
70
71#ifdef MEASURE_TLS_HANDSHAKE_STATS
72
73static int tls_handshake_success; /* GLOBAL */
74static int tls_handshake_error; /* GLOBAL */
75static int tls_packets_generated; /* GLOBAL */
76static int tls_packets_sent; /* GLOBAL */
77
78#define INCR_SENT ++tls_packets_sent
79#define INCR_GENERATED ++tls_packets_generated
80#define INCR_SUCCESS ++tls_handshake_success
81#define INCR_ERROR ++tls_handshake_error
82
83void
84show_tls_performance_stats(void)
85{
86 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
87 (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
88 tls_handshake_success, tls_handshake_error,
89 (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
90}
91#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
92
93#define INCR_SENT
94#define INCR_GENERATED
95#define INCR_SUCCESS
96#define INCR_ERROR
97
98#endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
99
107static void
108tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
109{
110 if (cipher_kt_insecure(ciphername))
111 {
112 if (*reneg_bytes == -1) /* Not user-specified */
113 {
114 msg(M_WARN, "WARNING: cipher with small block size in use, "
115 "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
116 *reneg_bytes = 64 * 1024 * 1024;
117 }
118 }
119}
120
121static uint64_t
122tls_get_limit_aead(const char *ciphername)
123{
124 uint64_t limit = cipher_get_aead_limits(ciphername);
125
126 if (limit == 0)
127 {
128 return 0;
129 }
130
131 /* set limit to 7/8 of the limit so the renegotiation can succeed before
132 * we go over the limit */
133 limit = limit/8 * 7;
134
135 msg(D_SHOW_KEYS, "Note: AEAD cipher %s will trigger a renegotiation"
136 " at a sum of %" PRIi64 " blocks and packets.",
137 ciphername, limit);
138 return limit;
139}
140
141void
142tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
143{
144 /*
145 * frame->extra_frame is already initialized with tls_auth buffer requirements,
146 * if --tls-auth is enabled.
147 */
148
149 /* calculates the maximum overhead that control channel frames can have */
150 int overhead = 0;
151
152 /* Socks */
153 overhead += 10;
154
155 /* tls-auth and tls-crypt */
156 overhead += max_int(tls_crypt_buf_overhead(),
157 packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
158
159 /* TCP length field and opcode */
160 overhead += 3;
161
162 /* ACK array and remote SESSION ID (part of the ACK array) */
163 overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
164
165 /* Previous OpenVPN version calculated the maximum size and buffer of a
166 * control frame depending on the overhead of the data channel frame
167 * overhead and limited its maximum size to 1250. Since control frames
168 * also need to fit into data channel buffer we have the same
169 * default of 1500 + 100 as data channel buffers have. Increasing
170 * control channel mtu beyond this limit also increases the data channel
171 * buffers */
172 frame->buf.payload_size = max_int(1500, tls_mtu) + 100;
173
174 frame->buf.headroom = overhead;
175 frame->buf.tailroom = overhead;
176
177 frame->tun_mtu = tls_mtu;
178
179 /* Ensure the tun-mtu stays in a valid range */
180 frame->tun_mtu = min_int(frame->tun_mtu, TLS_CHANNEL_BUF_SIZE);
181 frame->tun_mtu = max_int(frame->tun_mtu, TLS_CHANNEL_MTU_MIN);
182}
183
189static int
190calc_control_channel_frame_overhead(const struct tls_session *session)
191{
192 const struct key_state *ks = &session->key[KS_PRIMARY];
193 int overhead = 0;
194
195 /* opcode */
196 overhead += 1;
197
198 /* our own session id */
199 overhead += SID_SIZE;
200
201 /* ACK array and remote SESSION ID (part of the ACK array) */
202 int ackstosend = reliable_ack_outstanding(ks->rec_ack) + ks->lru_acks->len;
203 overhead += ACK_SIZE(min_int(ackstosend, CONTROL_SEND_ACK_MAX));
204
205 /* Message packet id */
206 overhead += sizeof(packet_id_type);
207
208 if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
209 {
210 overhead += tls_crypt_buf_overhead();
211 }
212 else if (session->tls_wrap.mode == TLS_WRAP_AUTH)
213 {
214 overhead += hmac_ctx_size(session->tls_wrap.opt.key_ctx_bi.encrypt.hmac);
215 overhead += packet_id_size(true);
216 }
217
218 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
219 * larger overhead but the risk of a TCP connection getting dropped because
220 * we try to send a too large packet is basically zero */
221 overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family,
222 PROTO_UDP);
223
224 return overhead;
225}
226
227void
228init_ssl_lib(void)
229{
230 tls_init_lib();
231
232 crypto_init_lib();
233}
234
235void
236free_ssl_lib(void)
237{
238 crypto_uninit_lib();
239
240 tls_free_lib();
241}
242
243/*
244 * OpenSSL library calls pem_password_callback if the
245 * private key is protected by a password.
246 */
247
248static struct user_pass passbuf; /* GLOBAL */
249
250void
259
260int
261pem_password_callback(char *buf, int size, int rwflag, void *u)
262{
263 if (buf)
264 {
265 /* prompt for password even if --askpass wasn't specified */
266 pem_password_setup(NULL);
267 ASSERT(!passbuf.protected);
268 strncpynt(buf, passbuf.password, size);
269 purge_user_pass(&passbuf, false);
270
271 return strlen(buf);
272 }
273 return 0;
274}
275
276/*
277 * Auth username/password handling
278 */
279
280static bool auth_user_pass_enabled; /* GLOBAL */
281static struct user_pass auth_user_pass; /* GLOBAL */
282static struct user_pass auth_token; /* GLOBAL */
283
284#ifdef ENABLE_MANAGEMENT
285static char *auth_challenge; /* GLOBAL */
286#endif
287
288void
293
294void
295auth_user_pass_setup(const char *auth_file, bool is_inline,
296 const struct static_challenge_info *sci)
297{
298 unsigned int flags = GET_USER_PASS_MANAGEMENT;
299
300 if (is_inline)
301 {
302 flags |= GET_USER_PASS_INLINE_CREDS;
303 }
304
305 if (!auth_user_pass.defined && !auth_token.defined)
306 {
307 unprotect_user_pass(&auth_user_pass);
308#ifdef ENABLE_MANAGEMENT
309 if (auth_challenge) /* dynamic challenge/response */
310 {
311 flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
312 get_user_pass_cr(&auth_user_pass,
313 auth_file,
314 UP_TYPE_AUTH,
315 flags,
316 auth_challenge);
317 }
318 else if (sci) /* static challenge response */
319 {
320 flags |= GET_USER_PASS_STATIC_CHALLENGE;
321 if (sci->flags & SC_ECHO)
322 {
323 flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
324 }
325 if (sci->flags & SC_CONCAT)
326 {
327 flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
328 }
329 get_user_pass_cr(&auth_user_pass,
330 auth_file,
331 UP_TYPE_AUTH,
332 flags,
333 sci->challenge_text);
334 }
335 else
336#endif /* ifdef ENABLE_MANAGEMENT */
337 {
338 get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
339 }
340 }
341}
342
343/*
344 * Disable password caching
345 */
346void
347ssl_set_auth_nocache(void)
348{
349 passbuf.nocache = true;
350 auth_user_pass.nocache = true;
351}
352
353/*
354 * Get the password caching
355 */
356bool
357ssl_get_auth_nocache(void)
358{
359 return passbuf.nocache;
360}
361
362/*
363 * Set an authentication token
364 */
365void
366ssl_set_auth_token(const char *token)
367{
368 set_auth_token(&auth_token, token);
369}
370
371void
376
377/*
378 * Cleans an auth token and checks if it was active
379 */
380bool
381ssl_clean_auth_token(void)
382{
383 bool wasdefined = auth_token.defined;
384 purge_user_pass(&auth_token, true);
385 return wasdefined;
386}
387
388/*
389 * Forget private key password AND auth-user-pass username/password.
390 */
391void
392ssl_purge_auth(const bool auth_user_pass_only)
393{
394 if (!auth_user_pass_only)
395 {
396#ifdef ENABLE_PKCS11
397 pkcs11_logout();
398#endif
399 purge_user_pass(&passbuf, true);
400 }
401 purge_user_pass(&auth_user_pass, true);
402#ifdef ENABLE_MANAGEMENT
403 ssl_purge_auth_challenge();
404#endif
405}
406
407#ifdef ENABLE_MANAGEMENT
408
409void
410ssl_purge_auth_challenge(void)
411{
412 free(auth_challenge);
413 auth_challenge = NULL;
414}
415
416void
417ssl_put_auth_challenge(const char *cr_str)
418{
419 ssl_purge_auth_challenge();
420 auth_challenge = string_alloc(cr_str, NULL);
421}
422
423#endif
424
425/*
426 * Parse a TLS version string, returning a TLS_VER_x constant.
427 * If version string is not recognized and extra == "or-highest",
428 * return tls_version_max().
429 */
430int
431tls_version_parse(const char *vstr, const char *extra)
432{
433 const int max_version = tls_version_max();
434 if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
435 {
436 return TLS_VER_1_0;
437 }
438 else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
439 {
440 return TLS_VER_1_1;
441 }
442 else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
443 {
444 return TLS_VER_1_2;
445 }
446 else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
447 {
448 return TLS_VER_1_3;
449 }
450 else if (extra && !strcmp(extra, "or-highest"))
451 {
452 return max_version;
453 }
454 else
455 {
456 return TLS_VER_BAD;
457 }
458}
459
471static void
472tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
473 bool crl_file_inline)
474{
475 /* if something goes wrong with stat(), we'll store 0 as mtime */
476 platform_stat_t crl_stat = {0};
477
478 /*
479 * an inline CRL can't change at runtime, therefore there is no need to
480 * reload it. It will be reloaded upon config change + SIGHUP.
481 * Use always '1' as dummy timestamp in this case: it will trigger the
482 * first load, but will prevent any future reload.
483 */
484 if (crl_file_inline)
485 {
486 crl_stat.st_mtime = 1;
487 }
488 else if (platform_stat(crl_file, &crl_stat) < 0)
489 {
490 /* If crl_last_mtime is zero, the CRL file has not been read before. */
491 if (ssl_ctx->crl_last_mtime == 0)
492 {
493 msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
494 }
495 else
496 {
497 msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
498 }
499 return;
500 }
501
502 /*
503 * Store the CRL if this is the first time or if the file was changed since
504 * the last load.
505 * Note: Windows does not support tv_nsec.
506 */
507 if ((ssl_ctx->crl_last_size == crl_stat.st_size)
508 && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
509 {
510 return;
511 }
512
513 ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
514 ssl_ctx->crl_last_size = crl_stat.st_size;
515 backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
516}
517
518/*
519 * Initialize SSL context.
520 * All files are in PEM format.
521 */
522void
523init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
524{
525 ASSERT(NULL != new_ctx);
526
527 tls_clear_error();
528
529 if (key_is_external(options))
530 {
531 load_xkey_provider();
532 }
533
534 if (options->tls_server)
535 {
536 tls_ctx_server_new(new_ctx);
537
538 if (options->dh_file)
539 {
540 tls_ctx_load_dh_params(new_ctx, options->dh_file,
541 options->dh_file_inline);
542 }
543 }
544 else /* if client */
545 {
546 tls_ctx_client_new(new_ctx);
547 }
548
549 /* Restrict allowed certificate crypto algorithms */
550 tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
551
552 /* Allowable ciphers */
553 /* Since @SECLEVEL also influences loading of certificates, set the
554 * cipher restrictions before loading certificates */
555 tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
556 tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13);
557
558 /* Set the allow groups/curves for TLS if we want to override them */
559 if (options->tls_groups)
560 {
561 tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
562 }
563
564 if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
565 {
566 goto err;
567 }
568
569 if (options->pkcs12_file)
570 {
571 if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
572 options->pkcs12_file_inline, !options->ca_file))
573 {
574 goto err;
575 }
576 }
577#ifdef ENABLE_PKCS11
578 else if (options->pkcs11_providers[0])
579 {
580 if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
581 {
582 msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
583 options->pkcs11_id);
584 goto err;
585 }
586 }
587#endif
588#ifdef ENABLE_CRYPTOAPI
589 else if (options->cryptoapi_cert)
590 {
591 tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
592 }
593#endif
594#ifdef ENABLE_MANAGEMENT
595 else if (options->management_flags & MF_EXTERNAL_CERT)
596 {
597 char *cert = management_query_cert(management,
598 options->management_certificate);
599 tls_ctx_load_cert_file(new_ctx, cert, true);
600 free(cert);
601 }
602#endif
603 else if (options->cert_file)
604 {
605 tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
606 }
607
608 if (options->priv_key_file)
609 {
610 if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
611 options->priv_key_file_inline))
612 {
613 goto err;
614 }
615 }
616#ifdef ENABLE_MANAGEMENT
617 else if (options->management_flags & MF_EXTERNAL_KEY)
618 {
619 if (tls_ctx_use_management_external_key(new_ctx))
620 {
621 msg(M_WARN, "Cannot initialize mamagement-external-key");
622 goto err;
623 }
624 }
625#endif
626
627 if (options->ca_file || options->ca_path)
628 {
629 tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
630 options->ca_path, options->tls_server);
631 }
632
633 /* Load extra certificates that are part of our own certificate
634 * chain but shouldn't be included in the verify chain */
635 if (options->extra_certs_file)
636 {
637 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
638 }
639
640 /* Check certificate notBefore and notAfter */
641 tls_ctx_check_cert_time(new_ctx);
642
643 /* Read CRL */
644 if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
645 {
646 /* If we're running with the chroot option, we may run init_ssl() before
647 * and after chroot-ing. We can use the crl_file path as-is if we're
648 * not going to chroot, or if we already are inside the chroot.
649 *
650 * If we're going to chroot later, we need to prefix the path of the
651 * chroot directory to crl_file.
652 */
653 if (!options->chroot_dir || in_chroot || options->crl_file_inline)
654 {
655 tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
656 }
657 else
658 {
659 struct gc_arena gc = gc_new();
660 struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
661 tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
662 gc_free(&gc);
663 }
664 }
665
666 /* Once keys and cert are loaded, load ECDH parameters */
667 if (options->tls_server)
668 {
669 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
670 }
671
672#ifdef ENABLE_CRYPTO_MBEDTLS
673 /* Personalise the random by mixing in the certificate */
674 tls_ctx_personalise_random(new_ctx);
675#endif
676
677 tls_clear_error();
678 return;
679
680err:
681 tls_clear_error();
682 tls_ctx_free(new_ctx);
683 return;
684}
685
686/*
687 * Map internal constants to ascii names.
688 */
689static const char *
690state_name(int state)
691{
692 switch (state)
693 {
694 case S_UNDEF:
695 return "S_UNDEF";
696
697 case S_INITIAL:
698 return "S_INITIAL";
699
700 case S_PRE_START:
701 return "S_PRE_START";
702
703 case S_START:
704 return "S_START";
705
706 case S_SENT_KEY:
707 return "S_SENT_KEY";
708
709 case S_GOT_KEY:
710 return "S_GOT_KEY";
711
712 case S_ACTIVE:
713 return "S_ACTIVE";
714
715 case S_ERROR:
716 return "S_ERROR";
717
718 case S_ERROR_PRE:
719 return "S_ERROR_PRE";
720
721 case S_GENERATED_KEYS:
722 return "S_GENERATED_KEYS";
723
724 default:
725 return "S_???";
726 }
727}
728
729static const char *
730ks_auth_name(enum ks_auth_state auth)
731{
732 switch (auth)
733 {
734 case KS_AUTH_TRUE:
735 return "KS_AUTH_TRUE";
736
737 case KS_AUTH_DEFERRED:
738 return "KS_AUTH_DEFERRED";
739
740 case KS_AUTH_FALSE:
741 return "KS_AUTH_FALSE";
742
743 default:
744 return "KS_????";
745 }
746}
747
748static const char *
749session_index_name(int index)
750{
751 switch (index)
752 {
753 case TM_ACTIVE:
754 return "TM_ACTIVE";
755
756 case TM_INITIAL:
757 return "TM_INITIAL";
758
759 case TM_LAME_DUCK:
760 return "TM_LAME_DUCK";
761
762 default:
763 return "TM_???";
764 }
765}
766
767/*
768 * For debugging.
769 */
770static const char *
771print_key_id(struct tls_multi *multi, struct gc_arena *gc)
772{
773 struct buffer out = alloc_buf_gc(256, gc);
774
775 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
776 {
777 struct key_state *ks = get_key_scan(multi, i);
778 buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i,
779 state_name(ks->state), ks_auth_name(ks->authenticated),
780 ks->key_id,
781 session_id_print(&ks->session_id_remote, gc));
782 }
783
784 return BSTR(&out);
785}
786
787bool
788is_hard_reset_method2(int op)
789{
790 if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2
791 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
792 {
793 return true;
794 }
795
796 return false;
797}
798
822static void
823key_state_init(struct tls_session *session, struct key_state *ks)
824{
825 update_time();
826
827 CLEAR(*ks);
828
829 /*
830 * Build TLS object that reads/writes ciphertext
831 * to/from memory BIOs.
832 */
833 key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server,
834 session);
835
836 /* Set control-channel initiation mode */
837 ks->initial_opcode = session->initial_opcode;
838 session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
839 ks->state = S_INITIAL;
840 ks->key_id = session->key_id;
841
842 /*
843 * key_id increments to KEY_ID_MASK then recycles back to 1.
844 * This way you know that if key_id is 0, it is the first key.
845 */
846 ++session->key_id;
847 session->key_id &= P_KEY_ID_MASK;
848 if (!session->key_id)
849 {
850 session->key_id = 1;
851 }
852
853 /* allocate key source material object */
854 ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
855
856 /* allocate reliability objects */
857 ALLOC_OBJ_CLEAR(ks->send_reliable, struct reliable);
858 ALLOC_OBJ_CLEAR(ks->rec_reliable, struct reliable);
859 ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
860 ALLOC_OBJ_CLEAR(ks->lru_acks, struct reliable_ack);
861
862 /* allocate buffers */
863 ks->plaintext_read_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
864 ks->plaintext_write_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
865 ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
866 reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
867 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
868 ks->key_id ? false : session->opt->xmit_hold);
869 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
870 session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS,
871 false);
872 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
873
874 /* init packet ID tracker */
875 packet_id_init(&ks->crypto_options.packet_id,
876 session->opt->replay_window, session->opt->replay_time, "SSL",
877 ks->key_id);
878
879 ks->crypto_options.pid_persist = NULL;
880
881#ifdef ENABLE_MANAGEMENT
882 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
883#endif
884
885 /*
886 * Attempt CRL reload before TLS negotiation. Won't be performed if
887 * the file was not modified since the last reload
888 */
889 if (session->opt->crl_file
890 && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
891 {
892 tls_ctx_reload_crl(&session->opt->ssl_ctx,
893 session->opt->crl_file, session->opt->crl_file_inline);
894 }
895}
896
897
911static void
912key_state_free(struct key_state *ks, bool clear)
913{
914 ks->state = S_UNDEF;
915
916 key_state_ssl_free(&ks->ks_ssl);
917
918 free_key_ctx_bi(&ks->crypto_options.key_ctx_bi);
919 free_epoch_key_ctx(&ks->crypto_options);
920 free_buf(&ks->plaintext_read_buf);
921 free_buf(&ks->plaintext_write_buf);
922 free_buf(&ks->ack_write_buf);
923 buffer_list_free(ks->paybuf);
924
925 reliable_free(ks->send_reliable);
926 reliable_free(ks->rec_reliable);
927
928 free(ks->rec_ack);
929 free(ks->lru_acks);
930 free(ks->key_src);
931
932 packet_id_free(&ks->crypto_options.packet_id);
933
934 key_state_rm_auth_control_files(&ks->plugin_auth);
935 key_state_rm_auth_control_files(&ks->script_auth);
936
937 if (clear)
938 {
939 secure_memzero(ks, sizeof(*ks));
940 }
941}
942
956static inline bool
957tls_session_user_pass_enabled(struct tls_session *session)
958{
959 return (session->opt->auth_user_pass_verify_script
960 || plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
961#ifdef ENABLE_MANAGEMENT
962 || management_enable_def_auth(management)
963#endif
964 );
965}
966
967
988static void
989tls_session_init(struct tls_multi *multi, struct tls_session *session)
990{
991 struct gc_arena gc = gc_new();
992
993 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
994
995 CLEAR(*session);
996
997 /* Set options data to point to parent's option structure */
998 session->opt = &multi->opt;
999
1000 /* Randomize session # if it is 0 */
1001 while (!session_id_defined(&session->session_id))
1002 {
1003 session_id_random(&session->session_id);
1004 }
1005
1006 /* Are we a TLS server or client? */
1007 if (session->opt->server)
1008 {
1009 session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2;
1010 }
1011 else
1012 {
1013 session->initial_opcode = session->opt->tls_crypt_v2 ?
1014 P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2;
1015 }
1016
1017 /* Initialize control channel authentication parameters */
1018 session->tls_wrap = session->opt->tls_wrap;
1019 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1020
1021 /* initialize packet ID replay window for --tls-auth */
1022 packet_id_init(&session->tls_wrap.opt.packet_id,
1023 session->opt->replay_window,
1024 session->opt->replay_time,
1025 "TLS_WRAP", session->key_id);
1026
1027 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
1028 * to indicate early protocol negotiation */
1029 if (session->opt->tls_crypt_v2)
1030 {
1031 session->tls_wrap.opt.packet_id.send.time = now;
1032 session->tls_wrap.opt.packet_id.send.id = EARLY_NEG_START;
1033 }
1034
1035 /* load most recent packet-id to replay protect on --tls-auth */
1036 packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist,
1037 &session->tls_wrap.opt.packet_id);
1038
1039 key_state_init(session, &session->key[KS_PRIMARY]);
1040
1041 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1042 session_id_print(&session->session_id, &gc));
1043
1044 gc_free(&gc);
1045}
1046
1062static void
1063tls_session_free(struct tls_session *session, bool clear)
1064{
1065 tls_wrap_free(&session->tls_wrap);
1066 tls_wrap_free(&session->tls_wrap_reneg);
1067
1068 for (size_t i = 0; i < KS_SIZE; ++i)
1069 {
1070 /* we don't need clear=true for this call since
1071 * the structs are part of session and get cleared
1072 * as part of session */
1073 key_state_free(&session->key[i], false);
1074 }
1075
1076 free(session->common_name);
1077
1078 cert_hash_free(session->cert_hash_set);
1079
1080 if (clear)
1081 {
1082 secure_memzero(session, sizeof(*session));
1083 }
1084}
1085
1091static void
1092move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1093{
1094 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1095 session_index_name(dest),
1096 session_index_name(src),
1097 reinit_src);
1098 ASSERT(src != dest);
1099 ASSERT(src >= 0 && src < TM_SIZE);
1100 ASSERT(dest >= 0 && dest < TM_SIZE);
1101 tls_session_free(&multi->session[dest], false);
1102 multi->session[dest] = multi->session[src];
1103
1104 if (reinit_src)
1105 {
1106 tls_session_init(multi, &multi->session[src]);
1107 }
1108 else
1109 {
1110 secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1111 }
1112
1113 dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1114}
1115
1116static void
1117reset_session(struct tls_multi *multi, struct tls_session *session)
1118{
1119 tls_session_free(session, false);
1120 tls_session_init(multi, session);
1121}
1122
1123/*
1124 * Used to determine in how many seconds we should be
1125 * called again.
1126 */
1127static inline void
1128compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
1129{
1130 if (seconds_from_now < *earliest)
1131 {
1132 *earliest = seconds_from_now;
1133 }
1134 if (*earliest < 0)
1135 {
1136 *earliest = 0;
1137 }
1138}
1139
1140/*
1141 * Return true if "lame duck" or retiring key has expired and can
1142 * no longer be used.
1143 */
1144static inline bool
1145lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
1146{
1147 const struct key_state *lame = &session->key[KS_LAME_DUCK];
1148 if (lame->state >= S_INITIAL)
1149 {
1150 ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1151 if (now < lame->must_die)
1152 {
1153 compute_earliest_wakeup(wakeup, lame->must_die - now);
1154 return false;
1155 }
1156 else
1157 {
1158 return true;
1159 }
1160 }
1161 else if (lame->state == S_ERROR)
1162 {
1163 return true;
1164 }
1165 else
1166 {
1167 return false;
1168 }
1169}
1170
1171struct tls_multi *
1172tls_multi_init(struct tls_options *tls_options)
1173{
1174 struct tls_multi *ret;
1175
1176 ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1177
1178 /* get command line derived options */
1179 ret->opt = *tls_options;
1180 ret->dco_peer_id = -1;
1181 ret->peer_id = MAX_PEER_ID;
1182
1183 return ret;
1184}
1185
1186void
1187tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
1188{
1189 tls_init_control_channel_frame_parameters(&multi->opt.frame, tls_mtu);
1190 /* initialize the active and untrusted sessions */
1191
1192 tls_session_init(multi, &multi->session[TM_ACTIVE]);
1193 tls_session_init(multi, &multi->session[TM_INITIAL]);
1194}
1195
1196/*
1197 * Initialize and finalize a standalone tls-auth verification object.
1198 */
1199
1200struct tls_auth_standalone *
1201tls_auth_standalone_init(struct tls_options *tls_options,
1202 struct gc_arena *gc)
1203{
1204 struct tls_auth_standalone *tas;
1205
1206 ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1207
1208 tas->tls_wrap = tls_options->tls_wrap;
1209
1210 /*
1211 * Standalone tls-auth is in read-only mode with respect to TLS
1212 * control channel state. After we build a new client instance
1213 * object, we will process this session-initiating packet for real.
1214 */
1215 tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID;
1216
1217 /* get initial frame parms, still need to finalize */
1218 tas->frame = tls_options->frame;
1219
1220 packet_id_init(&tas->tls_wrap.opt.packet_id, tls_options->replay_window,
1221 tls_options->replay_time, "TAS", 0);
1222
1223 return tas;
1224}
1225
1226void
1227tls_auth_standalone_free(struct tls_auth_standalone *tas)
1228{
1229 if (!tas)
1230 {
1231 return;
1232 }
1233
1234 packet_id_free(&tas->tls_wrap.opt.packet_id);
1235}
1236
1237/*
1238 * Set local and remote option compatibility strings.
1239 * Used to verify compatibility of local and remote option
1240 * sets.
1241 */
1242void
1243tls_multi_init_set_options(struct tls_multi *multi,
1244 const char *local,
1245 const char *remote)
1246{
1247 /* initialize options string */
1248 multi->opt.local_options = local;
1249 multi->opt.remote_options = remote;
1250}
1251
1252/*
1253 * Cleanup a tls_multi structure and free associated memory allocations.
1254 */
1255void
1256tls_multi_free(struct tls_multi *multi, bool clear)
1257{
1258 ASSERT(multi);
1259
1260 auth_set_client_reason(multi, NULL);
1261
1262 free(multi->peer_info);
1263 free(multi->locked_cn);
1264 free(multi->locked_username);
1265
1266 cert_hash_free(multi->locked_cert_hash_set);
1267
1268 wipe_auth_token(multi);
1269
1270 free(multi->remote_ciphername);
1271
1272 for (int i = 0; i < TM_SIZE; ++i)
1273 {
1274 tls_session_free(&multi->session[i], false);
1275 }
1276
1277 if (clear)
1278 {
1279 secure_memzero(multi, sizeof(*multi));
1280 }
1281
1282 free(multi);
1283}
1284
1285/*
1286 * For debugging, print contents of key_source2 structure.
1287 */
1288
1289static void
1290key_source_print(const struct key_source *k,
1291 const char *prefix)
1292{
1293 struct gc_arena gc = gc_new();
1294
1295 VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1296 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1297 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1298
1299 dmsg(D_SHOW_KEY_SOURCE,
1300 "%s pre_master: %s",
1301 prefix,
1302 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1303 dmsg(D_SHOW_KEY_SOURCE,
1304 "%s random1: %s",
1305 prefix,
1306 format_hex(k->random1, sizeof(k->random1), 0, &gc));
1307 dmsg(D_SHOW_KEY_SOURCE,
1308 "%s random2: %s",
1309 prefix,
1310 format_hex(k->random2, sizeof(k->random2), 0, &gc));
1311
1312 gc_free(&gc);
1313}
1314
1315static void
1316key_source2_print(const struct key_source2 *k)
1317{
1318 key_source_print(&k->client, "Client");
1319 key_source_print(&k->server, "Server");
1320}
1321
1322static bool
1323openvpn_PRF(const uint8_t *secret,
1324 int secret_len,
1325 const char *label,
1326 const uint8_t *client_seed,
1327 int client_seed_len,
1328 const uint8_t *server_seed,
1329 int server_seed_len,
1330 const struct session_id *client_sid,
1331 const struct session_id *server_sid,
1332 uint8_t *output,
1333 int output_len)
1334{
1335 /* concatenate seed components */
1336
1337 struct buffer seed = alloc_buf(strlen(label)
1338 + client_seed_len
1339 + server_seed_len
1340 + SID_SIZE * 2);
1341
1342 ASSERT(buf_write(&seed, label, strlen(label)));
1343 ASSERT(buf_write(&seed, client_seed, client_seed_len));
1344 ASSERT(buf_write(&seed, server_seed, server_seed_len));
1345
1346 if (client_sid)
1347 {
1348 ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1349 }
1350 if (server_sid)
1351 {
1352 ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1353 }
1354
1355 /* compute PRF */
1356 bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len,
1357 output, output_len);
1358
1359 buf_clear(&seed);
1360 free_buf(&seed);
1361
1362 VALGRIND_MAKE_READABLE((void *)output, output_len);
1363 return ret;
1364}
1365
1366static void
1367init_epoch_keys(struct key_state *ks,
1368 struct tls_multi *multi,
1369 const struct key_type *key_type,
1370 bool server,
1371 struct key2 *key2)
1372{
1373 /* For now we hardcode this to be 16 for the software based data channel
1374 * DCO based implementations/HW implementation might adjust this number
1375 * based on their expected speed */
1376 const int future_key_count = 16;
1377
1378 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1379 struct key_direction_state kds;
1380 key_direction_state_init(&kds, key_direction);
1381
1382 struct crypto_options *co = &ks->crypto_options;
1383
1384 /* For the epoch key we use the first 32 bytes of key2 cipher keys
1385 * for the initial secret */
1386 struct epoch_key e1_send = { 0 };
1387 e1_send.epoch = 1;
1388 memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key));
1389
1390 struct epoch_key e1_recv = { 0 };
1391 e1_recv.epoch = 1;
1392 memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key));
1393
1394 /* DCO implementations have two choices at this point.
1395 *
1396 * a) (more likely) they probably to pass E1 directly to kernel
1397 * space at this point and do all the other key derivation in kernel
1398 *
1399 * b) They let userspace do the key derivation and pass all the individual
1400 * keys to the DCO layer.
1401 * */
1402 epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
1403
1404 secure_memzero(&e1_send, sizeof(e1_send));
1405 secure_memzero(&e1_recv, sizeof(e1_recv));
1406}
1407
1408static void
1409init_key_contexts(struct key_state *ks,
1410 struct tls_multi *multi,
1411 const struct key_type *key_type,
1412 bool server,
1413 struct key2 *key2,
1414 bool dco_enabled)
1415{
1416 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1417
1418 /* Initialize key contexts */
1419 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1420
1421 if (dco_enabled)
1422 {
1423 if (key->encrypt.hmac)
1424 {
1425 msg(M_FATAL, "FATAL: DCO does not support --auth");
1426 }
1427
1428 int ret = init_key_dco_bi(multi, ks, key2, key_direction,
1429 key_type->cipher, server);
1430 if (ret < 0)
1431 {
1432 msg(M_FATAL, "Impossible to install key material in DCO: %s",
1433 strerror(-ret));
1434 }
1435
1436 /* encrypt/decrypt context are unused with DCO */
1437 CLEAR(key->encrypt);
1438 CLEAR(key->decrypt);
1439 key->initialized = true;
1440 }
1441 else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT)
1442 {
1443 if (!cipher_kt_mode_aead(key_type->cipher))
1444 {
1445 msg(M_FATAL, "AEAD cipher (currently %s) "
1446 "required for epoch data format.",
1447 cipher_kt_name(key_type->cipher));
1448 }
1449 init_epoch_keys(ks, multi, key_type, server, key2);
1450 }
1451 else
1452 {
1453 init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1454 }
1455}
1456
1457static bool
1458generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
1459{
1460 if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
1461 strlen(EXPORT_KEY_DATA_LABEL),
1462 key2->keys, sizeof(key2->keys)))
1463 {
1464 return false;
1465 }
1466 key2->n = 2;
1467
1468 return true;
1469}
1470
1471static bool
1472generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
1473{
1474 uint8_t master[48] = { 0 };
1475
1476 const struct key_state *ks = &session->key[KS_PRIMARY];
1477 const struct key_source2 *key_src = ks->key_src;
1478
1479 const struct session_id *client_sid = session->opt->server ?
1480 &ks->session_id_remote : &session->session_id;
1481 const struct session_id *server_sid = !session->opt->server ?
1482 &ks->session_id_remote : &session->session_id;
1483
1484 /* debugging print of source key material */
1485 key_source2_print(key_src);
1486
1487 /* compute master secret */
1488 if (!openvpn_PRF(key_src->client.pre_master,
1489 sizeof(key_src->client.pre_master),
1490 KEY_EXPANSION_ID " master secret",
1491 key_src->client.random1,
1492 sizeof(key_src->client.random1),
1493 key_src->server.random1,
1494 sizeof(key_src->server.random1),
1495 NULL,
1496 NULL,
1497 master,
1498 sizeof(master)))
1499 {
1500 return false;
1501 }
1502
1503 /* compute key expansion */
1504 if (!openvpn_PRF(master,
1505 sizeof(master),
1506 KEY_EXPANSION_ID " key expansion",
1507 key_src->client.random2,
1508 sizeof(key_src->client.random2),
1509 key_src->server.random2,
1510 sizeof(key_src->server.random2),
1511 client_sid,
1512 server_sid,
1513 (uint8_t *)key2->keys,
1514 sizeof(key2->keys)))
1515 {
1516 return false;
1517 }
1518 secure_memzero(&master, sizeof(master));
1519
1520 key2->n = 2;
1521
1522 return true;
1523}
1524
1525/*
1526 * Using source entropy from local and remote hosts, mix into
1527 * master key.
1528 */
1529static bool
1530generate_key_expansion(struct tls_multi *multi, struct key_state *ks,
1531 struct tls_session *session)
1532{
1533 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1534 bool ret = false;
1535 struct key2 key2;
1536
1537 if (key->initialized)
1538 {
1539 msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1540 goto exit;
1541 }
1542
1543 bool server = session->opt->server;
1544
1545 if (session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
1546 {
1547 if (!generate_key_expansion_tls_export(session, &key2))
1548 {
1549 msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1550 goto exit;
1551 }
1552 }
1553 else
1554 {
1555 if (!generate_key_expansion_openvpn_prf(session, &key2))
1556 {
1557 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
1558 "might not support the old TLS 1.0 PRF calculation anymore or "
1559 "the policy does not allow it (e.g. running in FIPS mode). "
1560 "The peer did not announce support for the modern TLS Export "
1561 "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
1562 "2.6.x or higher)");
1563 goto exit;
1564 }
1565 }
1566
1567 key2_print(&key2, &session->opt->key_type,
1568 "Master Encrypt", "Master Decrypt");
1569
1570 /* check for weak keys */
1571 for (int i = 0; i < 2; ++i)
1572 {
1573 if (!check_key(&key2.keys[i], &session->opt->key_type))
1574 {
1575 msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1576 goto exit;
1577 }
1578 }
1579
1580 init_key_contexts(ks, multi, &session->opt->key_type, server, &key2,
1581 session->opt->dco_enabled);
1582 ret = true;
1583
1584exit:
1585 secure_memzero(&key2, sizeof(key2));
1586
1587 return ret;
1588}
1589
1596bool
1597tls_session_generate_data_channel_keys(struct tls_multi *multi,
1598 struct tls_session *session)
1599{
1600 bool ret = false;
1601 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1602
1603 if (ks->authenticated <= KS_AUTH_FALSE)
1604 {
1605 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1606 goto cleanup;
1607 }
1608
1609 ks->crypto_options.flags = session->opt->crypto_flags;
1610
1611 if (!generate_key_expansion(multi, ks, session))
1612 {
1613 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1614 goto cleanup;
1615 }
1616 tls_limit_reneg_bytes(session->opt->key_type.cipher,
1617 &session->opt->renegotiate_bytes);
1618
1619 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
1620
1621 /* set the state of the keys for the session to generated */
1622 ks->state = S_GENERATED_KEYS;
1623
1624 ret = true;
1625cleanup:
1626 secure_memzero(ks->key_src, sizeof(*ks->key_src));
1627 return ret;
1628}
1629
1630bool
1631tls_session_update_crypto_params_do_work(struct tls_multi *multi,
1632 struct tls_session *session,
1633 struct options *options,
1634 struct frame *frame,
1635 struct frame *frame_fragment,
1636 struct link_socket_info *lsi,
1637 dco_context_t *dco)
1638{
1639 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
1640 {
1641 /* keys already generated, nothing to do */
1642 return true;
1643
1644 }
1645
1646 init_key_type(&session->opt->key_type, options->ciphername,
1647 options->authname, true, true);
1648
1649 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1650 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1651 if (packet_id_long_form)
1652 {
1653 session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
1654 }
1655
1656 frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi);
1657
1658 frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1659
1660 /*
1661 * mssfix uses data channel framing, which at this point contains
1662 * actual overhead. Fragmentation logic uses frame_fragment, which
1663 * still contains worst case overhead. Replace it with actual overhead
1664 * to prevent unneeded fragmentation.
1665 */
1666
1667 if (frame_fragment)
1668 {
1669 frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi);
1670 frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1671 }
1672
1673 if (session->key[KS_PRIMARY].key_id == 0
1674 && session->opt->crypto_flags & CO_USE_DYNAMIC_TLS_CRYPT)
1675 {
1676 /* If dynamic tls-crypt has been negotiated, and we are on the
1677 * first session (key_id = 0), generate a tls-crypt key for the
1678 * following renegotiations */
1679 if (!tls_session_generate_dynamic_tls_crypt_key(session))
1680 {
1681 return false;
1682 }
1683 }
1684
1685 if (dco_enabled(options))
1686 {
1687 /* dco_set_peer() must be called if either keepalive or
1688 * mssfix are set to update in-kernel config */
1689 if (options->ping_send_timeout || frame->mss_fix)
1690 {
1691 int ret = dco_set_peer(dco, multi->dco_peer_id,
1692 options->ping_send_timeout,
1693 options->ping_rec_timeout,
1694 frame->mss_fix);
1695 if (ret < 0)
1696 {
1697 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
1698 multi->dco_peer_id, strerror(-ret));
1699 return false;
1700 }
1701 }
1702 }
1703 return tls_session_generate_data_channel_keys(multi, session);
1704}
1705
1706bool
1707tls_session_update_crypto_params(struct tls_multi *multi,
1708 struct tls_session *session,
1709 struct options *options, struct frame *frame,
1710 struct frame *frame_fragment,
1711 struct link_socket_info *lsi,
1712 dco_context_t *dco)
1713{
1714 if (!check_session_cipher(session, options))
1715 {
1716 return false;
1717 }
1718
1719 /* Import crypto settings that might be set by pull/push */
1720 session->opt->crypto_flags |= options->imported_protocol_flags;
1721
1722 return tls_session_update_crypto_params_do_work(multi, session, options,
1723 frame, frame_fragment, lsi, dco);
1724}
1725
1726
1727static bool
1728random_bytes_to_buf(struct buffer *buf,
1729 uint8_t *out,
1730 int outlen)
1731{
1732 if (!rand_bytes(out, outlen))
1733 {
1734 msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1735 }
1736 if (!buf_write(buf, out, outlen))
1737 {
1738 return false;
1739 }
1740 return true;
1741}
1742
1743static bool
1744key_source2_randomize_write(struct key_source2 *k2,
1745 struct buffer *buf,
1746 bool server)
1747{
1748 struct key_source *k = &k2->client;
1749 if (server)
1750 {
1751 k = &k2->server;
1752 }
1753
1754 CLEAR(*k);
1755
1756 if (!server)
1757 {
1758 if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1759 {
1760 return false;
1761 }
1762 }
1763
1764 if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
1765 {
1766 return false;
1767 }
1768 if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
1769 {
1770 return false;
1771 }
1772
1773 return true;
1774}
1775
1776static int
1777key_source2_read(struct key_source2 *k2,
1778 struct buffer *buf,
1779 bool server)
1780{
1781 struct key_source *k = &k2->client;
1782
1783 if (!server)
1784 {
1785 k = &k2->server;
1786 }
1787
1788 CLEAR(*k);
1789
1790 if (server)
1791 {
1792 if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
1793 {
1794 return 0;
1795 }
1796 }
1797
1798 if (!buf_read(buf, k->random1, sizeof(k->random1)))
1799 {
1800 return 0;
1801 }
1802 if (!buf_read(buf, k->random2, sizeof(k->random2)))
1803 {
1804 return 0;
1805 }
1806
1807 return 1;
1808}
1809
1810static void
1811flush_payload_buffer(struct key_state *ks)
1812{
1813 struct buffer *b;
1814
1815 while ((b = buffer_list_peek(ks->paybuf)))
1816 {
1817 key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len);
1818 buffer_list_pop(ks->paybuf);
1819 }
1820}
1821
1822/*
1823 * Move the active key to the lame duck key and reinitialize the
1824 * active key.
1825 */
1826static void
1827key_state_soft_reset(struct tls_session *session)
1828{
1829 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1830 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
1831
1832 ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
1833 key_state_free(ks_lame, false);
1834 *ks_lame = *ks;
1835
1836 key_state_init(session, ks);
1837 ks->session_id_remote = ks_lame->session_id_remote;
1838 ks->remote_addr = ks_lame->remote_addr;
1839}
1840
1841void
1846
1847/*
1848 * Read/write strings from/to a struct buffer with a u16 length prefix.
1849 */
1850
1851static bool
1852write_empty_string(struct buffer *buf)
1853{
1854 if (!buf_write_u16(buf, 0))
1855 {
1856 return false;
1857 }
1858 return true;
1859}
1860
1861static bool
1862write_string(struct buffer *buf, const char *str, const int maxlen)
1863{
1864 const int len = strlen(str) + 1;
1865 if (len < 1 || (maxlen >= 0 && len > maxlen))
1866 {
1867 return false;
1868 }
1869 if (!buf_write_u16(buf, len))
1870 {
1871 return false;
1872 }
1873 if (!buf_write(buf, str, len))
1874 {
1875 return false;
1876 }
1877 return true;
1878}
1879
1890static int
1891read_string(struct buffer *buf, char *str, const unsigned int capacity)
1892{
1893 const int len = buf_read_u16(buf);
1894 if (len < 1 || len > (int)capacity)
1895 {
1896 buf_advance(buf, len);
1897
1898 /* will also return 0 for a no string being present */
1899 return -len;
1900 }
1901 if (!buf_read(buf, str, len))
1902 {
1903 return -len;
1904 }
1905 str[len-1] = '\0';
1906 return len;
1907}
1908
1909static char *
1910read_string_alloc(struct buffer *buf)
1911{
1912 const int len = buf_read_u16(buf);
1913 char *str;
1914
1915 if (len < 1)
1916 {
1917 return NULL;
1918 }
1919 str = (char *) malloc(len);
1920 check_malloc_return(str);
1921 if (!buf_read(buf, str, len))
1922 {
1923 free(str);
1924 return NULL;
1925 }
1926 str[len-1] = '\0';
1927 return str;
1928}
1929
1945static bool
1946push_peer_info(struct buffer *buf, struct tls_session *session)
1947{
1948 struct gc_arena gc = gc_new();
1949 bool ret = false;
1950 struct buffer out = alloc_buf_gc(512 * 3, &gc);
1951
1952 if (session->opt->push_peer_info_detail > 1)
1953 {
1954 /* push version */
1955 buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
1956
1957 /* push platform */
1958#if defined(TARGET_LINUX)
1959 buf_printf(&out, "IV_PLAT=linux\n");
1960#elif defined(TARGET_SOLARIS)
1961 buf_printf(&out, "IV_PLAT=solaris\n");
1962#elif defined(TARGET_OPENBSD)
1963 buf_printf(&out, "IV_PLAT=openbsd\n");
1964#elif defined(TARGET_DARWIN)
1965 buf_printf(&out, "IV_PLAT=mac\n");
1966#elif defined(TARGET_NETBSD)
1967 buf_printf(&out, "IV_PLAT=netbsd\n");
1968#elif defined(TARGET_FREEBSD)
1969 buf_printf(&out, "IV_PLAT=freebsd\n");
1970#elif defined(TARGET_ANDROID)
1971 buf_printf(&out, "IV_PLAT=android\n");
1972#elif defined(_WIN32)
1973 buf_printf(&out, "IV_PLAT=win\n");
1974#endif
1975 /* Announce that we do not require strict sequence numbers with
1976 * TCP. (TCP non-linear) */
1977 buf_printf(&out, "IV_TCPNL=1\n");
1978 }
1979
1980 /* These are the IV variable that are sent to peers in p2p mode */
1981 if (session->opt->push_peer_info_detail > 0)
1982 {
1983 /* support for P_DATA_V2 */
1984 int iv_proto = IV_PROTO_DATA_V2;
1985
1986 /* support for the latest --dns option */
1987 iv_proto |= IV_PROTO_DNS_OPTION_V2;
1988
1989 /* support for exit notify via control channel */
1990 iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
1991
1992 if (session->opt->pull)
1993 {
1994 /* support for receiving push_reply before sending
1995 * push request, also signal that the client wants
1996 * to get push-reply messages without requiring a round
1997 * trip for a push request message*/
1998 iv_proto |= IV_PROTO_REQUEST_PUSH;
1999
2000 /* Support keywords in the AUTH_PENDING control message */
2001 iv_proto |= IV_PROTO_AUTH_PENDING_KW;
2002
2003 /* support for AUTH_FAIL,TEMP control message */
2004 iv_proto |= IV_PROTO_AUTH_FAIL_TEMP;
2005
2006 /* support for tun-mtu as part of the push message */
2007 buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
2008 }
2009
2010 /* support for Negotiable Crypto Parameters */
2011 if (session->opt->mode == MODE_SERVER || session->opt->pull)
2012 {
2013 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
2014 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
2015 {
2016
2017 buf_printf(&out, "IV_NCP=2\n");
2018 }
2019 }
2020 else
2021 {
2022 /* We are not using pull or p2mp server, instead do P2P NCP */
2023 iv_proto |= IV_PROTO_NCP_P2P;
2024 }
2025
2026 if (session->opt->data_epoch_supported)
2027 {
2028 iv_proto |= IV_PROTO_DATA_EPOCH;
2029 }
2030
2031 buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
2032
2033#ifdef HAVE_EXPORT_KEYING_MATERIAL
2034 iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
2035 iv_proto |= IV_PROTO_DYN_TLS_CRYPT;
2036#endif
2037
2038 buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
2039
2040 if (session->opt->push_peer_info_detail > 1)
2041 {
2042 /* push compression status */
2043#ifdef USE_COMP
2044 comp_generate_peer_info_string(&session->opt->comp_options, &out);
2045#endif
2046 }
2047
2048 if (session->opt->push_peer_info_detail > 2)
2049 {
2050 /* push mac addr */
2051 struct route_gateway_info rgi;
2052 get_default_gateway(&rgi, 0, session->opt->net_ctx);
2053 if (rgi.flags & RGI_HWADDR_DEFINED)
2054 {
2055 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
2056 }
2057 buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version() );
2058#if defined(_WIN32)
2059 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc, false));
2060#else
2061 struct utsname u;
2062 uname(&u);
2063 buf_printf(&out, "IV_PLAT_VER=%s\n", u.release);
2064#endif
2065 }
2066
2067 if (session->opt->push_peer_info_detail > 1)
2068 {
2069 struct env_set *es = session->opt->es;
2070 /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2071 for (struct env_item *e = es->list; e != NULL; e = e->next)
2072 {
2073 if (e->string)
2074 {
2075 if ((((strncmp(e->string, "UV_", 3) == 0
2076 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2077 && session->opt->push_peer_info_detail > 2)
2078 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2079 || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0)
2080 )
2081 && buf_safe(&out, strlen(e->string) + 1))
2082 {
2083 buf_printf(&out, "%s\n", e->string);
2084 }
2085 }
2086 }
2087 }
2088
2089 if (!write_string(buf, BSTR(&out), -1))
2090 {
2091 goto error;
2092 }
2093 }
2094 else
2095 {
2096 if (!write_empty_string(buf)) /* no peer info */
2097 {
2098 goto error;
2099 }
2100 }
2101 ret = true;
2102
2103error:
2104 gc_free(&gc);
2105 return ret;
2106}
2107
2108#ifdef USE_COMP
2109static bool
2110write_compat_local_options(struct buffer *buf, const char *options)
2111{
2112 struct gc_arena gc = gc_new();
2113 const char *local_options = options_string_compat_lzo(options, &gc);
2114 bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2115 gc_free(&gc);
2116 return ret;
2117}
2118#endif
2119
2124static bool
2125key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2126{
2127 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2128
2129 ASSERT(buf_init(buf, 0));
2130
2131 /* write a uint32 0 */
2132 if (!buf_write_u32(buf, 0))
2133 {
2134 goto error;
2135 }
2136
2137 /* write key_method + flags */
2138 if (!buf_write_u8(buf, KEY_METHOD_2))
2139 {
2140 goto error;
2141 }
2142
2143 /* write key source material */
2144 if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2145 {
2146 goto error;
2147 }
2148
2149 /* write options string */
2150 {
2151#ifdef USE_COMP
2152 if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2153 && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2154 {
2155 if (!write_compat_local_options(buf, session->opt->local_options))
2156 {
2157 goto error;
2158 }
2159 }
2160 else
2161#endif
2162 if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2163 {
2164 goto error;
2165 }
2166 }
2167
2168 /* write username/password if specified or we are using a auth-token */
2169 if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
2170 {
2171#ifdef ENABLE_MANAGEMENT
2172 auth_user_pass_setup(session->opt->auth_user_pass_file,
2173 session->opt->auth_user_pass_file_inline,
2174 session->opt->sci);
2175#else
2176 auth_user_pass_setup(session->opt->auth_user_pass_file,
2177 session->opt->auth_user_pass_file_inline, NULL);
2178#endif
2179 struct user_pass *up = &auth_user_pass;
2180
2181 /*
2182 * If we have a valid auth-token, send that instead of real
2183 * username/password
2184 */
2185 if (auth_token.token_defined && auth_token.defined)
2186 {
2187 up = &auth_token;
2188 }
2189 unprotect_user_pass(up);
2190
2191 if (!write_string(buf, up->username, -1))
2192 {
2193 goto error;
2194 }
2195 else if (!write_string(buf, up->password, -1))
2196 {
2197 goto error;
2198 }
2199 /* save username for auth-token which may get pushed later */
2200 if (session->opt->pull && up != &auth_token)
2201 {
2202 unprotect_user_pass(&auth_token);
2203 strncpynt(auth_token.username, up->username, USER_PASS_LEN);
2204 protect_user_pass(&auth_token);
2205 }
2206 protect_user_pass(up);
2207 /* respect auth-nocache */
2208 purge_user_pass(&auth_user_pass, false);
2209 }
2210 else
2211 {
2212 if (!write_empty_string(buf)) /* no username */
2213 {
2214 goto error;
2215 }
2216 if (!write_empty_string(buf)) /* no password */
2217 {
2218 goto error;
2219 }
2220 }
2221
2222 if (!push_peer_info(buf, session))
2223 {
2224 goto error;
2225 }
2226
2227 if (session->opt->server && session->opt->mode != MODE_SERVER
2228 && ks->key_id == 0)
2229 {
2230 /* tls-server option set and not P2MP server, so we
2231 * are a P2P client running in tls-server mode */
2232 p2p_mode_ncp(multi, session);
2233 }
2234
2235 return true;
2236
2237error:
2238 msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2239 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2240 return false;
2241}
2242
2243static void
2244export_user_keying_material(struct tls_session *session)
2245{
2246 if (session->opt->ekm_size > 0)
2247 {
2248 unsigned int size = session->opt->ekm_size;
2249 struct gc_arena gc = gc_new();
2250
2251 unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
2252 if (key_state_export_keying_material(session,
2253 session->opt->ekm_label,
2254 session->opt->ekm_label_size,
2255 ekm, session->opt->ekm_size))
2256 {
2257 unsigned int len = (size * 2) + 2;
2258
2259 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2260 setenv_str(session->opt->es, "exported_keying_material", key);
2261
2262 dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s",
2263 __func__, key);
2264 secure_memzero(ekm, size);
2265 }
2266 else
2267 {
2268 msg(M_WARN, "WARNING: Export keying material failed!");
2269 setenv_del(session->opt->es, "exported_keying_material");
2270 }
2271 gc_free(&gc);
2272 }
2273}
2274
2279static bool
2280key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2281{
2282 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2283
2284 struct gc_arena gc = gc_new();
2285 char *options;
2286 struct user_pass *up = NULL;
2287
2288 /* allocate temporary objects */
2289 ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2290
2291 /* discard leading uint32 */
2292 if (!buf_advance(buf, 4))
2293 {
2294 msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
2295 buf->len);
2296 goto error;
2297 }
2298
2299 /* get key method */
2300 int key_method_flags = buf_read_u8(buf);
2301 if ((key_method_flags & KEY_METHOD_MASK) != 2)
2302 {
2303 msg(D_TLS_ERRORS,
2304 "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2305 key_method_flags);
2306 goto error;
2307 }
2308
2309 /* get key source material (not actual keys yet) */
2310 if (!key_source2_read(ks->key_src, buf, session->opt->server))
2311 {
2312 msg(D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2313 goto error;
2314 }
2315
2316 /* get options */
2317 if (read_string(buf, options, TLS_OPTIONS_LEN) < 0)
2318 {
2319 msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2320 goto error;
2321 }
2322
2323 ks->authenticated = KS_AUTH_FALSE;
2324
2325 /* always extract username + password fields from buf, even if not
2326 * authenticating for it, because otherwise we can't get at the
2327 * peer_info data which follows behind
2328 */
2329 ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2330 int username_len = read_string(buf, up->username, USER_PASS_LEN);
2331 int password_len = read_string(buf, up->password, USER_PASS_LEN);
2332
2333 /* get peer info from control channel */
2334 free(multi->peer_info);
2335 multi->peer_info = read_string_alloc(buf);
2336 if (multi->peer_info)
2337 {
2338 output_peer_info_env(session->opt->es, multi->peer_info);
2339 }
2340
2341 free(multi->remote_ciphername);
2342 multi->remote_ciphername =
2343 options_string_extract_option(options, "cipher", NULL);
2344 multi->remote_usescomp = strstr(options, ",comp-lzo,");
2345
2346 /* In OCC we send '[null-cipher]' instead 'none' */
2347 if (multi->remote_ciphername
2348 && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2349 {
2350 free(multi->remote_ciphername);
2351 multi->remote_ciphername = string_alloc("none", NULL);
2352 }
2353
2354 if (username_len < 0 || password_len < 0)
2355 {
2356 msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long",
2357 abs(username_len), abs(password_len));
2358 auth_set_client_reason(multi, "Username or password is too long. "
2359 "Maximum length is 128 bytes");
2360
2361 /* treat the same as failed username/password and do not error
2362 * out (goto error) to sent an AUTH_FAILED back to the client */
2363 ks->authenticated = KS_AUTH_FALSE;
2364 }
2365 else if (tls_session_user_pass_enabled(session))
2366 {
2367 /* Perform username/password authentication */
2368 if (!username_len || !password_len)
2369 {
2370 CLEAR(*up);
2371 if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2372 {
2373 msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2374 goto error;
2375 }
2376 }
2377
2378 verify_user_pass(up, multi, session);
2379 }
2380 else
2381 {
2382 /* Session verification should have occurred during TLS negotiation*/
2383 if (!session->verified)
2384 {
2385 msg(D_TLS_ERRORS,
2386 "TLS Error: Certificate verification failed (key-method 2)");
2387 goto error;
2388 }
2389 ks->authenticated = KS_AUTH_TRUE;
2390 }
2391
2392 /* clear username and password from memory */
2393 secure_memzero(up, sizeof(*up));
2394
2395 /* Perform final authentication checks */
2396 if (ks->authenticated > KS_AUTH_FALSE)
2397 {
2398 verify_final_auth_checks(multi, session);
2399 }
2400
2401 /* check options consistency */
2402 if (!options_cmp_equal(options, session->opt->remote_options))
2403 {
2404 const char *remote_options = session->opt->remote_options;
2405#ifdef USE_COMP
2406 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2407 {
2408 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
2409 "with compression enabled.");
2410 remote_options = options_string_compat_lzo(remote_options, &gc);
2411 }
2412#endif
2413
2414 options_warning(options, remote_options);
2415
2416 if (session->opt->ssl_flags & SSLF_OPT_VERIFY)
2417 {
2418 msg(D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify");
2419 ks->authenticated = KS_AUTH_FALSE;
2420 }
2421 }
2422
2423 buf_clear(buf);
2424
2425 /*
2426 * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2427 * veto opportunity over authentication decision.
2428 */
2429 if ((ks->authenticated > KS_AUTH_FALSE)
2430 && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
2431 {
2432 export_user_keying_material(session);
2433
2434 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
2435 {
2436 ks->authenticated = KS_AUTH_FALSE;
2437 }
2438
2439 setenv_del(session->opt->es, "exported_keying_material");
2440 }
2441
2442 if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2443 {
2444 /* We are a p2p tls-client without pull, enable common
2445 * protocol options */
2446 p2p_mode_ncp(multi, session);
2447 }
2448
2449 gc_free(&gc);
2450 return true;
2451
2452error:
2453 ks->authenticated = KS_AUTH_FALSE;
2454 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2455 if (up)
2456 {
2457 secure_memzero(up, sizeof(*up));
2458 }
2459 buf_clear(buf);
2460 gc_free(&gc);
2461 return false;
2462}
2463
2464static int
2465auth_deferred_expire_window(const struct tls_options *o)
2466{
2467 int ret = o->handshake_window;
2468 const int r2 = o->renegotiate_seconds / 2;
2469
2470 if (o->renegotiate_seconds && r2 < ret)
2471 {
2472 ret = r2;
2473 }
2474 return ret;
2475}
2476
2483static bool
2484session_move_pre_start(const struct tls_session *session,
2485 struct key_state *ks, bool skip_initial_send)
2486{
2487 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2488 if (!buf)
2489 {
2490 return false;
2491 }
2492
2493 ks->initial = now;
2494 ks->must_negotiate = now + session->opt->handshake_window;
2495 ks->auth_deferred_expire = now + auth_deferred_expire_window(session->opt);
2496
2497 /* null buffer */
2498 reliable_mark_active_outgoing(ks->send_reliable, buf, ks->initial_opcode);
2499
2500 /* If we want to skip sending the initial handshake packet we still generate
2501 * it to increase internal counters etc. but immediately mark it as done */
2502 if (skip_initial_send)
2503 {
2504 reliable_mark_deleted(ks->send_reliable, buf);
2505 }
2506 INCR_GENERATED;
2507
2508 ks->state = S_PRE_START;
2509
2510 struct gc_arena gc = gc_new();
2511 dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2512 session_id_print(&session->session_id, &gc));
2513 gc_free(&gc);
2514
2515#ifdef ENABLE_MANAGEMENT
2516 if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
2517 {
2518 management_set_state(management,
2519 OPENVPN_STATE_WAIT,
2520 NULL,
2521 NULL,
2522 NULL,
2523 NULL,
2524 NULL);
2525 }
2526#endif
2527 return true;
2528
2529}
2530
2535static void
2536session_move_active(struct tls_multi *multi, struct tls_session *session,
2537 struct link_socket_info *to_link_socket_info,
2538 struct key_state *ks)
2539{
2540 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2541
2542 ks->established = now;
2543 if (check_debug_level(D_HANDSHAKE))
2544 {
2545 print_details(&ks->ks_ssl, "Control Channel:");
2546 }
2547 ks->state = S_ACTIVE;
2548 /* Cancel negotiation timeout */
2549 ks->must_negotiate = 0;
2550 INCR_SUCCESS;
2551
2552 /* Set outgoing address for data channel packets */
2553 link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr,
2554 session->common_name, session->opt->es);
2555
2556 /* Check if we need to advance the tls_multi state machine */
2557 if (multi->multi_state == CAS_NOT_CONNECTED)
2558 {
2559 if (session->opt->mode == MODE_SERVER)
2560 {
2561 /* On a server we continue with running connect scripts next */
2562 multi->multi_state = CAS_WAITING_AUTH;
2563 }
2564 else
2565 {
2566 /* Skip the connect script related states */
2567 multi->multi_state = CAS_WAITING_OPTIONS_IMPORT;
2568 }
2569 }
2570
2571 /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2572 flush_payload_buffer(ks);
2573
2574#ifdef MEASURE_TLS_HANDSHAKE_STATS
2575 show_tls_performance_stats();
2576#endif
2577}
2578
2579bool
2580session_skip_to_pre_start(struct tls_session *session,
2581 struct tls_pre_decrypt_state *state,
2582 struct link_socket_actual *from)
2583{
2584 struct key_state *ks = &session->key[KS_PRIMARY];
2585 ks->session_id_remote = state->peer_session_id;
2586 ks->remote_addr = *from;
2587 session->session_id = state->server_session_id;
2588 session->untrusted_addr = *from;
2589 session->burst = true;
2590
2591 /* The OpenVPN protocol implicitly mandates that packet id always start
2592 * from 0 in the RESET packets as OpenVPN 2.x will not allow gaps in the
2593 * ids and starts always from 0. Since we skip/ignore one (RESET) packet
2594 * in each direction, we need to set the ids to 1 */
2595 ks->rec_reliable->packet_id = 1;
2596 /* for ks->send_reliable->packet_id, session_move_pre_start moves the
2597 * counter to 1 */
2598 session->tls_wrap.opt.packet_id.send.id = 1;
2599 return session_move_pre_start(session, ks, true);
2600}
2601
2605static bool
2606parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
2607{
2608 while (buf->len > 0)
2609 {
2610 if (buf_len(buf) < 4)
2611 {
2612 goto error;
2613 }
2614 /* read type */
2615 uint16_t type = buf_read_u16(buf);
2616 uint16_t len = buf_read_u16(buf);
2617 if (buf_len(buf) < len)
2618 {
2619 goto error;
2620 }
2621
2622 switch (type)
2623 {
2624 case TLV_TYPE_EARLY_NEG_FLAGS:
2625 if (len != sizeof(uint16_t))
2626 {
2627 goto error;
2628 }
2629 uint16_t flags = buf_read_u16(buf);
2630
2631 if (flags & EARLY_NEG_FLAG_RESEND_WKC)
2632 {
2633 ks->crypto_options.flags |= CO_RESEND_WKC;
2634 }
2635 break;
2636
2637 default:
2638 /* Skip types we do not parse */
2639 buf_advance(buf, len);
2640 }
2641 }
2642 reliable_mark_deleted(ks->rec_reliable, buf);
2643
2644 return true;
2645error:
2646 msg(D_TLS_ERRORS, "TLS Error: Early negotiation malformed packet");
2647 return false;
2648}
2649
2654static bool
2655read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks,
2656 bool *continue_tls_process)
2657{
2658 int status = 0;
2659 if (buf->len)
2660 {
2661 status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2662 if (status == -1)
2663 {
2664 msg(D_TLS_ERRORS,
2665 "TLS Error: Incoming Ciphertext -> TLS object write error");
2666 return false;
2667 }
2668 }
2669 else
2670 {
2671 status = 1;
2672 }
2673 if (status == 1)
2674 {
2675 reliable_mark_deleted(ks->rec_reliable, buf);
2676 *continue_tls_process = true;
2677 dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2678 }
2679 return true;
2680}
2681
2682static bool
2683control_packet_needs_wkc(const struct key_state *ks)
2684{
2685 return (ks->crypto_options.flags & CO_RESEND_WKC)
2686 && (ks->send_reliable->packet_id == 1);
2687}
2688
2689
2690static bool
2691read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf,
2692 interval_t *wakeup, bool *continue_tls_process)
2693{
2694 ASSERT(buf_init(buf, 0));
2695
2696 int status = key_state_read_plaintext(&ks->ks_ssl, buf);
2697
2698 update_time();
2699 if (status == -1)
2700 {
2701 msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2702 return false;
2703 }
2704 if (status == 1)
2705 {
2706 *continue_tls_process = true;
2707 dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2708
2709 /* More data may be available, wake up again asap to check. */
2710 *wakeup = 0;
2711 }
2712 return true;
2713}
2714
2715static bool
2716write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
2717{
2718 struct key_state *ks = &session->key[KS_PRIMARY];
2719
2720 int rel_avail = reliable_get_num_output_sequenced_available(ks->send_reliable);
2721 if (rel_avail == 0)
2722 {
2723 return true;
2724 }
2725
2726 /* We need to determine how much space is actually available in the control
2727 * channel frame */
2728 int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, session->opt->frame.tun_mtu);
2729
2730 /* Subtract overhead */
2731 max_pkt_len -= calc_control_channel_frame_overhead(session);
2732
2733 /* calculate total available length for outgoing tls ciphertext */
2734 int maxlen = max_pkt_len * rel_avail;
2735
2736 /* Is first packet one that will have a WKC appended? */
2737 if (control_packet_needs_wkc(ks))
2738 {
2739 maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
2740 }
2741
2742 /* If we end up with a size that leaves no room for payload, ignore the
2743 * constraints to still be to send a packet. This might have gone negative
2744 * if we have a large wrapped client key. */
2745 if (maxlen < 16)
2746 {
2747 msg(D_TLS_ERRORS, "Warning: --max-packet-size (%d) setting too low. "
2748 "Sending minimum sized packet.",
2749 session->opt->frame.tun_mtu);
2750 maxlen = 16;
2751 /* We set the maximum length here to ensure a packet with a wrapped
2752 * key can actually carry the 16 byte of payload */
2753 max_pkt_len = TLS_CHANNEL_BUF_SIZE;
2754 }
2755
2756 /* This seems a bit wasteful to allocate every time */
2757 struct gc_arena gc = gc_new();
2758 struct buffer tmp = alloc_buf_gc(maxlen, &gc);
2759
2760 int status = key_state_read_ciphertext(&ks->ks_ssl, &tmp);
2761
2762 if (status == -1)
2763 {
2764 msg(D_TLS_ERRORS,
2765 "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2766 gc_free(&gc);
2767 return false;
2768 }
2769 if (status == 1)
2770 {
2771 /* Split the TLS ciphertext (TLS record) into multiple small packets
2772 * that respect tls_mtu */
2773 while (tmp.len > 0)
2774 {
2775 int len = max_pkt_len;
2776 int opcode = P_CONTROL_V1;
2777 if (control_packet_needs_wkc(ks))
2778 {
2779 opcode = P_CONTROL_WKC_V1;
2780 len = max_int(0, len - buf_len(session->tls_wrap.tls_crypt_v2_wkc));
2781 }
2782 /* do not send more than available */
2783 len = min_int(len, tmp.len);
2784
2785 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2786 /* we assert here since we checked for its availability before */
2787 ASSERT(buf);
2788 buf_copy_n(buf, &tmp, len);
2789
2790 reliable_mark_active_outgoing(ks->send_reliable, buf, opcode);
2791 INCR_GENERATED;
2792 *continue_tls_process = true;
2793 }
2794 dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2795 }
2796
2797 gc_free(&gc);
2798 return true;
2799}
2800
2801static bool
2802check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session,
2803 bool *continue_tls_process)
2804{
2805 /* Outgoing Ciphertext to reliable buffer */
2806 if (ks->state >= S_START)
2807 {
2808 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2809 if (buf)
2810 {
2811 if (!write_outgoing_tls_ciphertext(session, continue_tls_process))
2812 {
2813 return false;
2814 }
2815 }
2816 }
2817 return true;
2818}
2819
2820static bool
2821tls_process_state(struct tls_multi *multi,
2822 struct tls_session *session,
2823 struct buffer *to_link,
2824 struct link_socket_actual **to_link_addr,
2825 struct link_socket_info *to_link_socket_info,
2826 interval_t *wakeup)
2827{
2828 /* This variable indicates if we should call this method
2829 * again to process more incoming/outgoing TLS state/data
2830 * We want to repeat this until we either determined that there
2831 * is nothing more to process or that further processing
2832 * should only be done after the outer loop (sending packets etc.)
2833 * has run once more */
2834 bool continue_tls_process = false;
2835 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2836
2837 /* Initial handshake */
2838 if (ks->state == S_INITIAL)
2839 {
2840 continue_tls_process = session_move_pre_start(session, ks, false);
2841 }
2842
2843 /* Are we timed out on receive? */
2844 if (now >= ks->must_negotiate && ks->state >= S_UNDEF && ks->state < S_ACTIVE)
2845 {
2846 msg(D_TLS_ERRORS,
2847 "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2848 session->opt->handshake_window);
2849 goto error;
2850 }
2851
2852 /* Check if the initial three-way Handshake is complete.
2853 * We consider the handshake to be complete when our own initial
2854 * packet has been successfully ACKed. */
2855 if (ks->state == S_PRE_START && reliable_empty(ks->send_reliable))
2856 {
2857 ks->state = S_START;
2858 continue_tls_process = true;
2859
2860 /* New connection, remove any old X509 env variables */
2861 tls_x509_clear_env(session->opt->es);
2862 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2863 }
2864
2865 /* Wait for ACK */
2866 if (((ks->state == S_GOT_KEY && !session->opt->server)
2867 || (ks->state == S_SENT_KEY && session->opt->server))
2868 && reliable_empty(ks->send_reliable))
2869 {
2870 session_move_active(multi, session, to_link_socket_info, ks);
2871 continue_tls_process = true;
2872 }
2873
2874 /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2875 * for previously received packets) */
2876 if (!to_link->len && reliable_can_send(ks->send_reliable))
2877 {
2878 int opcode;
2879
2880 struct buffer *buf = reliable_send(ks->send_reliable, &opcode);
2881 ASSERT(buf);
2882 struct buffer b = *buf;
2883 INCR_SENT;
2884
2885 write_control_auth(session, ks, &b, to_link_addr, opcode,
2886 CONTROL_SEND_ACK_MAX, true);
2887 *to_link = b;
2888 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2889
2890 /* This changed the state of the outgoing buffer. In order to avoid
2891 * running this function again/further and invalidating the key_state
2892 * buffer and accessing the buffer that is now in to_link after it being
2893 * freed for a potential error, we shortcircuit exiting of the outer
2894 * process here. */
2895 return false;
2896 }
2897
2898 if (ks->state == S_ERROR_PRE)
2899 {
2900 /* When we end up here, we had one last chance to send an outstanding
2901 * packet that contained an alert. We do not ensure that this packet
2902 * has been successfully delivered (ie wait for the ACK etc)
2903 * but rather stop processing now */
2904 ks->state = S_ERROR;
2905 return false;
2906 }
2907
2908 /* Write incoming ciphertext to TLS object */
2909 struct reliable_entry *entry = reliable_get_entry_sequenced(ks->rec_reliable);
2910 if (entry)
2911 {
2912 /* The first packet from the peer (the reset packet) is special and
2913 * contains early protocol negotiation */
2914 if (entry->packet_id == 0 && is_hard_reset_method2(entry->opcode))
2915 {
2916 if (!parse_early_negotiation_tlvs(&entry->buf, ks))
2917 {
2918 goto error;
2919 }
2920 }
2921 else
2922 {
2923 if (!read_incoming_tls_ciphertext(&entry->buf, ks, &continue_tls_process))
2924 {
2925 goto error;
2926 }
2927 }
2928 }
2929
2930 /* Read incoming plaintext from TLS object */
2931 struct buffer *buf = &ks->plaintext_read_buf;
2932 if (!buf->len)
2933 {
2934 if (!read_incoming_tls_plaintext(ks, buf, wakeup, &continue_tls_process))
2935 {
2936 goto error;
2937 }
2938 }
2939
2940 /* Send Key */
2941 buf = &ks->plaintext_write_buf;
2942 if (!buf->len && ((ks->state == S_START && !session->opt->server)
2943 || (ks->state == S_GOT_KEY && session->opt->server)))
2944 {
2945 if (!key_method_2_write(buf, multi, session))
2946 {
2947 goto error;
2948 }
2949
2950 continue_tls_process = true;
2951 dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2952 ks->state = S_SENT_KEY;
2953 }
2954
2955 /* Receive Key */
2956 buf = &ks->plaintext_read_buf;
2957 if (buf->len
2958 && ((ks->state == S_SENT_KEY && !session->opt->server)
2959 || (ks->state == S_START && session->opt->server)))
2960 {
2961 if (!key_method_2_read(buf, multi, session))
2962 {
2963 goto error;
2964 }
2965
2966 continue_tls_process = true;
2967 dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2968 ks->state = S_GOT_KEY;
2969 }
2970
2971 /* Write outgoing plaintext to TLS object */
2972 buf = &ks->plaintext_write_buf;
2973 if (buf->len)
2974 {
2975 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2976 if (status == -1)
2977 {
2978 msg(D_TLS_ERRORS,
2979 "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2980 goto error;
2981 }
2982 if (status == 1)
2983 {
2984 continue_tls_process = true;
2985 dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2986 }
2987 }
2988 if (!check_outgoing_ciphertext(ks, session, &continue_tls_process))
2989 {
2990 goto error;
2991 }
2992
2993 return continue_tls_process;
2994error:
2995 tls_clear_error();
2996
2997 /* Shut down the TLS session but do a last read from the TLS
2998 * object to be able to read potential TLS alerts */
2999 key_state_ssl_shutdown(&ks->ks_ssl);
3000 check_outgoing_ciphertext(ks, session, &continue_tls_process);
3001
3002 /* Put ourselves in the pre error state that will only send out the
3003 * control channel packets but nothing else */
3004 ks->state = S_ERROR_PRE;
3005
3006 msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
3007 INCR_ERROR;
3008 return true;
3009}
3010
3015static bool
3016should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
3017{
3018 /* Time limit */
3019 if (session->opt->renegotiate_seconds
3020 && now >= ks->established + session->opt->renegotiate_seconds)
3021 {
3022 return true;
3023 }
3024
3025 /* Byte limit */
3026 if (session->opt->renegotiate_bytes > 0
3027 && ks->n_bytes >= session->opt->renegotiate_bytes)
3028 {
3029 return true;
3030 }
3031
3032 /* Packet limit */
3033 if (session->opt->renegotiate_packets
3034 && ks->n_packets >= session->opt->renegotiate_packets)
3035 {
3036 return true;
3037 }
3038
3039 /* epoch key id approaching the 16 bit limit */
3040 if (ks->crypto_options.flags & CO_EPOCH_DATA_KEY_FORMAT)
3041 {
3042 /* We only need to check the send key as we always keep send
3043 * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */
3044 if (ks->crypto_options.epoch_key_send.epoch >= 0xF000)
3045 {
3046 return true;
3047 }
3048 else
3049 {
3050 return false;
3051 }
3052 }
3053
3054
3055 /* Packet id approach the limit of the packet id */
3056 if (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))
3057 {
3058 return true;
3059 }
3060
3061 /* Check the AEAD usage limit of cleartext blocks + packets.
3062 *
3063 * Contrary to when epoch data mode is active, where only the sender side
3064 * checks the limit, here we check both receive and send limit since
3065 * we assume that only one side is aware of the limit.
3066 *
3067 * Since if both sides were aware, then both sides will probably also
3068 * switch to use epoch data channel instead, so this code is not
3069 * in effect then.
3070 *
3071 * When epoch are in use the crypto layer will handle this internally
3072 * with new epochs instead of triggering a renegotiation */
3073 const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi;
3074 const uint64_t usage_limit = session->opt->aead_usage_limit;
3075
3076 if (aead_usage_limit_reached(usage_limit, &key_ctx_bi->encrypt,
3077 ks->crypto_options.packet_id.send.id)
3078 || aead_usage_limit_reached(usage_limit, &key_ctx_bi->decrypt,
3079 ks->crypto_options.packet_id.rec.id))
3080 {
3081 return true;
3082 }
3083
3084 if (cipher_decrypt_verify_fail_warn(&key_ctx_bi->decrypt))
3085 {
3086 return true;
3087 }
3088
3089 return false;
3090}
3091/*
3092 * This is the primary routine for processing TLS stuff inside the
3093 * the main event loop. When this routine exits
3094 * with non-error status, it will set *wakeup to the number of seconds
3095 * when it wants to be called again.
3096 *
3097 * Return value is true if we have placed a packet in *to_link which we
3098 * want to send to our peer.
3099 */
3100static bool
3101tls_process(struct tls_multi *multi,
3102 struct tls_session *session,
3103 struct buffer *to_link,
3104 struct link_socket_actual **to_link_addr,
3105 struct link_socket_info *to_link_socket_info,
3106 interval_t *wakeup)
3107{
3108 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
3109 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
3110
3111 /* Make sure we were initialized and that we're not in an error state */
3112 ASSERT(ks->state != S_UNDEF);
3113 ASSERT(ks->state != S_ERROR);
3114 ASSERT(session_id_defined(&session->session_id));
3115
3116 /* Should we trigger a soft reset? -- new key, keeps old key for a while */
3117 if (ks->state >= S_GENERATED_KEYS
3118 && should_trigger_renegotiation(session, ks))
3119 {
3120 msg(D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d/%d bytes=" counter_format
3121 "/%" PRIi64 " pkts=" counter_format "/%" PRIi64
3122 " aead_limit_send=%" PRIu64 "/%" PRIu64
3123 " aead_limit_recv=%" PRIu64 "/%" PRIu64,
3124 (int) (now - ks->established), session->opt->renegotiate_seconds,
3125 ks->n_bytes, session->opt->renegotiate_bytes,
3126 ks->n_packets, session->opt->renegotiate_packets,
3127 ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets,
3128 session->opt->aead_usage_limit,
3129 ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets,
3130 session->opt->aead_usage_limit
3131 );
3132 key_state_soft_reset(session);
3133 }
3134
3135 /* Kill lame duck key transition_window seconds after primary key negotiation */
3136 if (lame_duck_must_die(session, wakeup))
3137 {
3138 key_state_free(ks_lame, true);
3139 msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
3140 }
3141
3142 bool continue_tls_process = true;
3143 while (continue_tls_process)
3144 {
3145 update_time();
3146
3147 dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
3148 continue_tls_process,
3149 state_name(ks->state),
3150 state_name(ks_lame->state),
3151 to_link->len,
3152 *wakeup);
3153 continue_tls_process = tls_process_state(multi, session, to_link, to_link_addr,
3154 to_link_socket_info, wakeup);
3155
3156 if (ks->state == S_ERROR)
3157 {
3158 return false;
3159 }
3160
3161 }
3162
3163 update_time();
3164
3165 /* We often send acks back to back to a following control packet. This
3166 * normally does not create a problem (apart from an extra packet).
3167 * However, with the P_CONTROL_WKC_V1 we need to ensure that the packet
3168 * gets resent if not received by remote, so instead we use an empty
3169 * control packet in this special case */
3170
3171 /* Send 1 or more ACKs (each received control packet gets one ACK) */
3172 if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3173 {
3174 if (control_packet_needs_wkc(ks))
3175 {
3176 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
3177 if (!buf)
3178 {
3179 return false;
3180 }
3181
3182 /* We do not write anything to the buffer, this way this will be
3183 * an empty control packet that gets the ack piggybacked and
3184 * also appended the wrapped client key since it has a WCK opcode */
3185 reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_WKC_V1);
3186 }
3187 else
3188 {
3189 struct buffer buf = ks->ack_write_buf;
3190 ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
3191 write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1,
3192 RELIABLE_ACK_SIZE, false);
3193 *to_link = buf;
3194 dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3195 }
3196 }
3197
3198 /* When should we wake up again? */
3199 if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3200 {
3201 compute_earliest_wakeup(wakeup,
3202 reliable_send_timeout(ks->send_reliable));
3203
3204 if (ks->must_negotiate)
3205 {
3206 compute_earliest_wakeup(wakeup, ks->must_negotiate - now);
3207 }
3208 }
3209
3210 if (ks->established && session->opt->renegotiate_seconds)
3211 {
3212 compute_earliest_wakeup(wakeup,
3213 ks->established + session->opt->renegotiate_seconds - now);
3214 }
3215
3216 dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3217
3218 /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3219 if (*wakeup <= 0)
3220 {
3221 *wakeup = 1;
3222
3223 /* if we had something to send to remote, but to_link was busy,
3224 * let caller know we need to be called again soon */
3225 return true;
3226 }
3227
3228 /* If any of the state changes resulted in the to_link buffer being
3229 * set, we are also active */
3230 if (to_link->len)
3231 {
3232 return true;
3233 }
3234
3235 return false;
3236}
3237
3238
3246static void
3247check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
3248{
3249 uint8_t *dataptr = to_link->data;
3250 if (!dataptr)
3251 {
3252 return;
3253 }
3254
3255 /* Checks buffers in tls_wrap */
3256 if (session->tls_wrap.work.data == dataptr)
3257 {
3258 msg(M_INFO, "Warning buffer of freed TLS session is "
3259 "still in use (tls_wrap.work.data)");
3260 goto used;
3261 }
3262
3263 for (int i = 0; i < KS_SIZE; i++)
3264 {
3265 struct key_state *ks = &session->key[i];
3266 if (ks->state == S_UNDEF)
3267 {
3268 continue;
3269 }
3270
3271 /* we don't expect send_reliable to be NULL when state is
3272 * not S_UNDEF, but people have reported crashes nonetheless,
3273 * therefore we better catch this event, report and exit.
3274 */
3275 if (!ks->send_reliable)
3276 {
3277 msg(M_FATAL, "ERROR: session->key[%d]->send_reliable is NULL "
3278 "while key state is %s. Exiting.",
3279 i, state_name(ks->state));
3280 }
3281
3282 for (int j = 0; j < ks->send_reliable->size; j++)
3283 {
3284 if (ks->send_reliable->array[j].buf.data == dataptr)
3285 {
3286 msg(M_INFO, "Warning buffer of freed TLS session is still in"
3287 " use (session->key[%d].send_reliable->array[%d])",
3288 i, j);
3289
3290 goto used;
3291 }
3292 }
3293 }
3294 return;
3295
3296used:
3297 to_link->len = 0;
3298 to_link->data = 0;
3299 /* for debugging, you can add an ASSERT(0); here to trigger an abort */
3300}
3301/*
3302 * Called by the top-level event loop.
3303 *
3304 * Basically decides if we should call tls_process for
3305 * the active or untrusted sessions.
3306 */
3307
3308int
3309tls_multi_process(struct tls_multi *multi,
3310 struct buffer *to_link,
3311 struct link_socket_actual **to_link_addr,
3312 struct link_socket_info *to_link_socket_info,
3313 interval_t *wakeup)
3314{
3315 struct gc_arena gc = gc_new();
3316 int active = TLSMP_INACTIVE;
3317 bool error = false;
3318
3319 perf_push(PERF_TLS_MULTI_PROCESS);
3320
3321 tls_clear_error();
3322
3323 /*
3324 * Process each session object having state of S_INITIAL or greater,
3325 * and which has a defined remote IP addr.
3326 */
3327
3328 for (int i = 0; i < TM_SIZE; ++i)
3329 {
3330 struct tls_session *session = &multi->session[i];
3331 struct key_state *ks = &session->key[KS_PRIMARY];
3332 struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3333
3334 /* set initial remote address. This triggers connecting with that
3335 * session. So we only do that if the TM_ACTIVE session is not
3336 * established */
3337 if (i == TM_INITIAL && ks->state == S_INITIAL
3338 && get_primary_key(multi)->state <= S_INITIAL
3339 && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3340 {
3341 ks->remote_addr = to_link_socket_info->lsa->actual;
3342 }
3343
3344 dmsg(D_TLS_DEBUG,
3345 "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
3346 i,
3347 state_name(ks->state),
3348 session_id_print(&session->session_id, &gc),
3349 session_id_print(&ks->session_id_remote, &gc),
3350 print_link_socket_actual(&ks->remote_addr, &gc));
3351
3352 if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE) && link_socket_actual_defined(&ks->remote_addr))
3353 {
3354 struct link_socket_actual *tla = NULL;
3355
3356 update_time();
3357
3358 if (tls_process(multi, session, to_link, &tla,
3359 to_link_socket_info, wakeup))
3360 {
3361 active = TLSMP_ACTIVE;
3362 }
3363
3364 /*
3365 * If tls_process produced an outgoing packet,
3366 * return the link_socket_actual object (which
3367 * contains the outgoing address).
3368 */
3369 if (tla)
3370 {
3371 multi->to_link_addr = *tla;
3372 *to_link_addr = &multi->to_link_addr;
3373 }
3374
3375 /*
3376 * If tls_process hits an error:
3377 * (1) If the session has an unexpired lame duck key, preserve it.
3378 * (2) Reinitialize the session.
3379 * (3) Increment soft error count
3380 */
3381 if (ks->state == S_ERROR)
3382 {
3383 ++multi->n_soft_errors;
3384
3385 if (i == TM_ACTIVE
3386 || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
3387 {
3388 error = true;
3389 }
3390
3391 if (i == TM_ACTIVE
3392 && ks_lame->state >= S_GENERATED_KEYS
3393 && !multi->opt.single_session)
3394 {
3395 move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3396 }
3397 else
3398 {
3399 check_session_buf_not_used(to_link, session);
3400 reset_session(multi, session);
3401 }
3402 }
3403 }
3404 }
3405
3406 update_time();
3407
3408 enum tls_auth_status tas = tls_authentication_status(multi);
3409
3410 /* If we have successfully authenticated and are still waiting for the authentication to finish
3411 * move the state machine for the multi context forward */
3412
3413 if (multi->multi_state >= CAS_CONNECT_DONE)
3414 {
3415 /* Only generate keys for the TM_ACTIVE session. We defer generating
3416 * keys for TM_INITIAL until we actually trust it.
3417 * For TM_LAME_DUCK it makes no sense to generate new keys. */
3418 struct tls_session *session = &multi->session[TM_ACTIVE];
3419 struct key_state *ks = &session->key[KS_PRIMARY];
3420
3421 if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3422 {
3423 /* Session is now fully authenticated.
3424 * tls_session_generate_data_channel_keys will move ks->state
3425 * from S_ACTIVE to S_GENERATED_KEYS */
3426 if (!tls_session_generate_data_channel_keys(multi, session))
3427 {
3428 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3429 ks->authenticated = KS_AUTH_FALSE;
3430 key_state_ssl_shutdown(&ks->ks_ssl);
3431 ks->state = S_ERROR_PRE;
3432 }
3433
3434 /* Update auth token on the client if needed on renegotiation
3435 * (key id !=0) */
3436 if (session->key[KS_PRIMARY].key_id != 0)
3437 {
3438 resend_auth_token_renegotiation(multi, session);
3439 }
3440 }
3441 }
3442
3443 if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED)
3444 {
3445 multi->multi_state = CAS_PENDING;
3446 }
3447
3448 /*
3449 * If lame duck session expires, kill it.
3450 */
3451 if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3452 {
3453 tls_session_free(&multi->session[TM_LAME_DUCK], true);
3454 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3455 }
3456
3457 /*
3458 * If untrusted session achieves TLS authentication,
3459 * move it to active session, usurping any prior session.
3460 *
3461 * A semi-trusted session is one in which the certificate authentication
3462 * succeeded (if cert verification is enabled) but the username/password
3463 * verification failed. A semi-trusted session can forward data on the
3464 * TLS control channel but not on the tunnel channel.
3465 */
3466 if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
3467 {
3468 move_session(multi, TM_ACTIVE, TM_INITIAL, true);
3469 tas = tls_authentication_status(multi);
3470 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: initial untrusted "
3471 "session promoted to %strusted",
3472 tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3473
3474 if (multi->multi_state == CAS_CONNECT_DONE)
3475 {
3476 multi->multi_state = CAS_RECONNECT_PENDING;
3477 active = TLSMP_RECONNECT;
3478 }
3479 }
3480
3481 /*
3482 * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3483 * other key state objects are S_ACTIVE or higher.
3484 */
3485 if (error)
3486 {
3487 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3488 {
3489 if (get_key_scan(multi, i)->state >= S_ACTIVE)
3490 {
3491 goto nohard;
3492 }
3493 }
3494 ++multi->n_hard_errors;
3495 }
3496nohard:
3497
3498#ifdef ENABLE_DEBUG
3499 /* DEBUGGING -- flood peer with repeating connection attempts */
3500 {
3501 const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3502 if (throw_level)
3503 {
3504 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3505 {
3506 if (get_key_scan(multi, i)->state >= throw_level)
3507 {
3508 ++multi->n_hard_errors;
3509 ++multi->n_soft_errors;
3510 }
3511 }
3512 }
3513 }
3514#endif
3515
3516 perf_pop();
3517 gc_free(&gc);
3518
3519 return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3520}
3521
3526static void
3527print_key_id_not_found_reason(struct tls_multi *multi,
3528 const struct link_socket_actual *from, int key_id)
3529{
3530 struct gc_arena gc = gc_new();
3531 const char *source = print_link_socket_actual(from, &gc);
3532
3533
3534 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3535 {
3536 struct key_state *ks = get_key_scan(multi, i);
3537 if (ks->key_id != key_id)
3538 {
3539 continue;
3540 }
3541
3542 /* Our key state has been progressed far enough to be part of a valid
3543 * session but has not generated keys. */
3544 if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
3545 {
3546 msg(D_MULTI_DROPPED,
3547 "Key %s [%d] not initialized (yet), dropping packet.",
3548 source, key_id);
3549 gc_free(&gc);
3550 return;
3551 }
3552 if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
3553 {
3554 msg(D_MULTI_DROPPED,
3555 "Key %s [%d] not authorized%s, dropping packet.",
3556 source, key_id,
3557 (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
3558 gc_free(&gc);
3559 return;
3560 }
3561 }
3562
3563 msg(D_TLS_ERRORS,
3564 "TLS Error: local/remote TLS keys are out of sync: %s "
3565 "(received key id: %d, known key ids: %s)",
3566 source, key_id,
3567 print_key_id(multi, &gc));
3568 gc_free(&gc);
3569}
3570
3578static inline void
3579handle_data_channel_packet(struct tls_multi *multi,
3580 const struct link_socket_actual *from,
3581 struct buffer *buf,
3582 struct crypto_options **opt,
3583 bool floated,
3584 const uint8_t **ad_start)
3585{
3586 struct gc_arena gc = gc_new();
3587
3588 uint8_t c = *BPTR(buf);
3589 int op = c >> P_OPCODE_SHIFT;
3590 int key_id = c & P_KEY_ID_MASK;
3591
3592 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3593 {
3594 struct key_state *ks = get_key_scan(multi, i);
3595
3596 /*
3597 * This is the basic test of TLS state compatibility between a local OpenVPN
3598 * instance and its remote peer.
3599 *
3600 * If the test fails, it tells us that we are getting a packet from a source
3601 * which claims reference to a prior negotiated TLS session, but the local
3602 * OpenVPN instance has no memory of such a negotiation.
3603 *
3604 * It almost always occurs on UDP sessions when the passive side of the
3605 * connection is restarted without the active side restarting as well (the
3606 * passive side is the server which only listens for the connections, the
3607 * active side is the client which initiates connections).
3608 */
3609 if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3610 && ks->authenticated == KS_AUTH_TRUE
3611 && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3612 {
3613 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3614 /* return appropriate data channel decrypt key in opt */
3615 *opt = &ks->crypto_options;
3616 if (op == P_DATA_V2)
3617 {
3618 *ad_start = BPTR(buf);
3619 }
3620 ASSERT(buf_advance(buf, 1));
3621 if (op == P_DATA_V1)
3622 {
3623 *ad_start = BPTR(buf);
3624 }
3625 else if (op == P_DATA_V2)
3626 {
3627 if (buf->len < 4)
3628 {
3629 msg(D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4",
3630 print_link_socket_actual(from, &gc));
3631 ++multi->n_soft_errors;
3632 goto done;
3633 }
3634 ASSERT(buf_advance(buf, 3));
3635 }
3636
3637 ++ks->n_packets;
3638 ks->n_bytes += buf->len;
3639 dmsg(D_TLS_KEYSELECT,
3640 "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
3641 key_id, print_link_socket_actual(from, &gc));
3642 gc_free(&gc);
3643 return;
3644 }
3645 }
3646
3647 print_key_id_not_found_reason(multi, from, key_id);
3648
3649done:
3650 gc_free(&gc);
3651 tls_clear_error();
3652 buf->len = 0;
3653 *opt = NULL;
3654}
3655
3656/*
3657 *
3658 * When we are in TLS mode, this is the first routine which sees
3659 * an incoming packet.
3660 *
3661 * If it's a data packet, we set opt so that our caller can
3662 * decrypt it. We also give our caller the appropriate decryption key.
3663 *
3664 * If it's a control packet, we authenticate it and process it,
3665 * possibly creating a new tls_session if it represents the
3666 * first packet of a new session. For control packets, we will
3667 * also zero the size of *buf so that our caller ignores the
3668 * packet on our return.
3669 *
3670 * Note that openvpn only allows one active session at a time,
3671 * so a new session (once authenticated) will always usurp
3672 * an old session.
3673 *
3674 * Return true if input was an authenticated control channel
3675 * packet.
3676 *
3677 * If we are running in TLS thread mode, all public routines
3678 * below this point must be called with the L_TLS lock held.
3679 */
3680
3681bool
3682tls_pre_decrypt(struct tls_multi *multi,
3683 const struct link_socket_actual *from,
3684 struct buffer *buf,
3685 struct crypto_options **opt,
3686 bool floated,
3687 const uint8_t **ad_start)
3688{
3689
3690 if (buf->len <= 0)
3691 {
3692 buf->len = 0;
3693 *opt = NULL;
3694 return false;
3695 }
3696
3697 struct gc_arena gc = gc_new();
3698 bool ret = false;
3699
3700 /* get opcode */
3701 uint8_t pkt_firstbyte = *BPTR(buf);
3702 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3703
3704 if ((op == P_DATA_V1) || (op == P_DATA_V2))
3705 {
3706 handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3707 return false;
3708 }
3709
3710 /* get key_id */
3711 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3712
3713 /* control channel packet */
3714 bool do_burst = false;
3715 bool new_link = false;
3716 struct session_id sid; /* remote session ID */
3717
3718 /* verify legal opcode */
3719 if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3720 {
3721 if (op == P_CONTROL_HARD_RESET_CLIENT_V1
3722 || op == P_CONTROL_HARD_RESET_SERVER_V1)
3723 {
3724 msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3725 }
3726 msg(D_TLS_ERRORS,
3727 "TLS Error: unknown opcode received from %s op=%d",
3728 print_link_socket_actual(from, &gc), op);
3729 goto error;
3730 }
3731
3732 /* hard reset ? */
3733 if (is_hard_reset_method2(op))
3734 {
3735 /* verify client -> server or server -> client connection */
3736 if (((op == P_CONTROL_HARD_RESET_CLIENT_V2
3737 || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server)
3738 || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3739 {
3740 msg(D_TLS_ERRORS,
3741 "TLS Error: client->client or server->server connection attempted from %s",
3742 print_link_socket_actual(from, &gc));
3743 goto error;
3744 }
3745 }
3746
3747 /*
3748 * Authenticate Packet
3749 */
3750 dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
3751 packet_opcode_name(op), print_link_socket_actual(from, &gc));
3752
3753 /* get remote session-id */
3754 {
3755 struct buffer tmp = *buf;
3756 buf_advance(&tmp, 1);
3757 if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3758 {
3759 msg(D_TLS_ERRORS,
3760 "TLS Error: session-id not found in packet from %s",
3761 print_link_socket_actual(from, &gc));
3762 goto error;
3763 }
3764 }
3765
3766 int i;
3767 /* use session ID to match up packet with appropriate tls_session object */
3768 for (i = 0; i < TM_SIZE; ++i)
3769 {
3770 struct tls_session *session = &multi->session[i];
3771 struct key_state *ks = &session->key[KS_PRIMARY];
3772
3773 dmsg(D_TLS_DEBUG,
3774 "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3775 i,
3776 state_name(ks->state),
3777 session_id_print(&session->session_id, &gc),
3778 session_id_print(&sid, &gc),
3779 print_link_socket_actual(from, &gc),
3780 session_id_print(&ks->session_id_remote, &gc),
3781 print_link_socket_actual(&ks->remote_addr, &gc));
3782
3783 if (session_id_equal(&ks->session_id_remote, &sid))
3784 /* found a match */
3785 {
3786 if (i == TM_LAME_DUCK)
3787 {
3788 msg(D_TLS_ERRORS,
3789 "TLS ERROR: received control packet with stale session-id=%s",
3790 session_id_print(&sid, &gc));
3791 goto error;
3792 }
3793 dmsg(D_TLS_DEBUG,
3794 "TLS: found match, session[%d], sid=%s",
3795 i, session_id_print(&sid, &gc));
3796 break;
3797 }
3798 }
3799
3800 /*
3801 * Hard reset and session id does not match any session in
3802 * multi->session: Possible initial packet. New sessions always start
3803 * as TM_INITIAL
3804 */
3805 if (i == TM_SIZE && is_hard_reset_method2(op))
3806 {
3807 /*
3808 * No match with existing sessions,
3809 * probably a new session.
3810 */
3811 struct tls_session *session = &multi->session[TM_INITIAL];
3812
3813 /*
3814 * If --single-session, don't allow any hard-reset connection request
3815 * unless it is the first packet of the session.
3816 */
3817 if (multi->opt.single_session && multi->n_sessions)
3818 {
3819 msg(D_TLS_ERRORS,
3820 "TLS Error: Cannot accept new session request from %s due "
3821 "to session context expire or --single-session",
3822 print_link_socket_actual(from, &gc));
3823 goto error;
3824 }
3825
3826 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3827 session->opt))
3828 {
3829 goto error;
3830 }
3831
3832#ifdef ENABLE_MANAGEMENT
3833 if (management)
3834 {
3835 management_set_state(management,
3836 OPENVPN_STATE_AUTH,
3837 NULL,
3838 NULL,
3839 NULL,
3840 NULL,
3841 NULL);
3842 }
3843#endif
3844
3845 /*
3846 * New session-initiating control packet is authenticated at this point,
3847 * assuming that the --tls-auth command line option was used.
3848 *
3849 * Without --tls-auth, we leave authentication entirely up to TLS.
3850 */
3851 msg(D_TLS_DEBUG_LOW,
3852 "TLS: Initial packet from %s, sid=%s",
3853 print_link_socket_actual(from, &gc),
3854 session_id_print(&sid, &gc));
3855
3856 do_burst = true;
3857 new_link = true;
3858 i = TM_INITIAL;
3859 session->untrusted_addr = *from;
3860 }
3861 else
3862 {
3863 struct tls_session *session = &multi->session[i];
3864 struct key_state *ks = &session->key[KS_PRIMARY];
3865
3866 /*
3867 * Packet must belong to an existing session.
3868 */
3869 if (i != TM_ACTIVE && i != TM_INITIAL)
3870 {
3871 msg(D_TLS_ERRORS,
3872 "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3873 print_link_socket_actual(from, &gc),
3874 i,
3875 packet_opcode_name(op));
3876 goto error;
3877 }
3878
3879 /*
3880 * Verify remote IP address
3881 */
3882 if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3883 {
3884 msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3885 print_link_socket_actual(from, &gc));
3886 goto error;
3887 }
3888
3889 /*
3890 * Remote is requesting a key renegotiation. We only allow renegotiation
3891 * when the previous session is fully established to avoid weird corner
3892 * cases.
3893 */
3894 if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS)
3895 {
3896 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id),
3897 from, session->opt))
3898 {
3899 goto error;
3900 }
3901
3902 key_state_soft_reset(session);
3903
3904 dmsg(D_TLS_DEBUG,
3905 "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
3906 i, session_id_print(&sid, &gc));
3907 }
3908 else
3909 {
3910 /*
3911 * Remote responding to our key renegotiation request?
3912 */
3913 if (op == P_CONTROL_SOFT_RESET_V1)
3914 {
3915 do_burst = true;
3916 }
3917
3918 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id),
3919 from, session->opt))
3920 {
3921 goto error;
3922 }
3923
3924 dmsg(D_TLS_DEBUG,
3925 "TLS: received control channel packet s#=%d sid=%s",
3926 i, session_id_print(&sid, &gc));
3927 }
3928 }
3929
3930 /*
3931 * We have an authenticated control channel packet (if --tls-auth/tls-crypt
3932 * or tls-crypt-v2 was set).
3933 * Now pass to our reliability layer which deals with
3934 * packet acknowledgements, retransmits, sequencing, etc.
3935 */
3936 struct tls_session *session = &multi->session[i];
3937 struct key_state *ks = &session->key[KS_PRIMARY];
3938
3939 /* Make sure we were initialized and that we're not in an error state */
3940 ASSERT(ks->state != S_UNDEF);
3941 ASSERT(ks->state != S_ERROR);
3942 ASSERT(session_id_defined(&session->session_id));
3943
3944 /* Let our caller know we processed a control channel packet */
3945 ret = true;
3946
3947 /*
3948 * Set our remote address and remote session_id
3949 */
3950 if (new_link)
3951 {
3952 ks->session_id_remote = sid;
3953 ks->remote_addr = *from;
3954 ++multi->n_sessions;
3955 }
3956 else if (!link_socket_actual_match(&ks->remote_addr, from))
3957 {
3958 msg(D_TLS_ERRORS,
3959 "TLS Error: Existing session control channel packet from unknown IP address: %s",
3960 print_link_socket_actual(from, &gc));
3961 goto error;
3962 }
3963
3964 /*
3965 * Should we do a retransmit of all unacknowledged packets in
3966 * the send buffer? This improves the start-up efficiency of the
3967 * initial key negotiation after the 2nd peer comes online.
3968 */
3969 if (do_burst && !session->burst)
3970 {
3971 reliable_schedule_now(ks->send_reliable);
3972 session->burst = true;
3973 }
3974
3975 /* Check key_id */
3976 if (ks->key_id != key_id)
3977 {
3978 msg(D_TLS_ERRORS,
3979 "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
3980 ks->key_id, key_id, print_key_id(multi, &gc));
3981 goto error;
3982 }
3983
3984 /*
3985 * Process incoming ACKs for packets we can now
3986 * delete from reliable send buffer
3987 */
3988 {
3989 /* buffers all packet IDs to delete from send_reliable */
3990 struct reliable_ack send_ack;
3991
3992 if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3993 {
3994 msg(D_TLS_ERRORS,
3995 "TLS Error: reading acknowledgement record from packet");
3996 goto error;
3997 }
3998 reliable_send_purge(ks->send_reliable, &send_ack);
3999 }
4000
4001 if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
4002 {
4003 packet_id_type id;
4004
4005 /* Extract the packet ID from the packet */
4006 if (reliable_ack_read_packet_id(buf, &id))
4007 {
4008 /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
4009 if (reliable_wont_break_sequentiality(ks->rec_reliable, id))
4010 {
4011 if (reliable_not_replay(ks->rec_reliable, id))
4012 {
4013 /* Save incoming ciphertext packet to reliable buffer */
4014 struct buffer *in = reliable_get_buf(ks->rec_reliable);
4015 ASSERT(in);
4016 if (!buf_copy(in, buf))
4017 {
4018 msg(D_MULTI_DROPPED,
4019 "Incoming control channel packet too big, dropping.");
4020 goto error;
4021 }
4022 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
4023 }
4024
4025 /* Process outgoing acknowledgment for packet just received, even if it's a replay */
4026 reliable_ack_acknowledge_packet_id(ks->rec_ack, id);
4027 }
4028 }
4029 }
4030 /* Remember that we received a valid control channel packet */
4031 ks->peer_last_packet = now;
4032
4033done:
4034 buf->len = 0;
4035 *opt = NULL;
4036 gc_free(&gc);
4037 return ret;
4038
4039error:
4040 ++multi->n_soft_errors;
4041 tls_clear_error();
4042 goto done;
4043}
4044
4045
4046struct key_state *
4047tls_select_encryption_key(struct tls_multi *multi)
4048{
4049 struct key_state *ks_select = NULL;
4050 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
4051 {
4052 struct key_state *ks = get_key_scan(multi, i);
4053 if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
4054 {
4055 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
4056
4057 if (!ks_select)
4058 {
4059 ks_select = ks;
4060 }
4061 if (now >= ks->auth_deferred_expire)
4062 {
4063 ks_select = ks;
4064 break;
4065 }
4066 }
4067 }
4068 return ks_select;
4069}
4070
4071
4072/* Choose the key with which to encrypt a data packet */
4073void
4074tls_pre_encrypt(struct tls_multi *multi,
4075 struct buffer *buf, struct crypto_options **opt)
4076{
4077 multi->save_ks = NULL;
4078 if (buf->len <= 0)
4079 {
4080 buf->len = 0;
4081 *opt = NULL;
4082 return;
4083 }
4084
4085 struct key_state *ks_select = tls_select_encryption_key(multi);
4086
4087 if (ks_select)
4088 {
4089 *opt = &ks_select->crypto_options;
4090 multi->save_ks = ks_select;
4091 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
4092 return;
4093 }
4094 else
4095 {
4096 struct gc_arena gc = gc_new();
4097 dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
4098 print_key_id(multi, &gc));
4099 gc_free(&gc);
4100
4101 *opt = NULL;
4102 buf->len = 0;
4103 }
4104}
4105
4106void
4107tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
4108{
4109 struct key_state *ks = multi->save_ks;
4110 uint8_t op;
4111
4112 msg(D_TLS_DEBUG, __func__);
4113
4114 ASSERT(ks);
4115
4116 op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
4117 ASSERT(buf_write_prepend(buf, &op, 1));
4118}
4119
4120void
4121tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
4122{
4123 struct key_state *ks = multi->save_ks;
4124 uint32_t peer;
4125
4126 msg(D_TLS_DEBUG, __func__);
4127
4128 ASSERT(ks);
4129
4130 peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24
4131 | (multi->peer_id & 0xFFFFFF));
4132 ASSERT(buf_write_prepend(buf, &peer, 4));
4133}
4134
4135void
4136tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
4137{
4138 struct key_state *ks = multi->save_ks;
4139 multi->save_ks = NULL;
4140
4141 if (buf->len > 0)
4142 {
4143 ASSERT(ks);
4144
4145 ++ks->n_packets;
4146 ks->n_bytes += buf->len;
4147 }
4148}
4149
4150/*
4151 * Send a payload over the TLS control channel.
4152 * Called externally.
4153 */
4154
4155bool
4156tls_send_payload(struct key_state *ks,
4157 const uint8_t *data,
4158 int size)
4159{
4160 bool ret = false;
4161
4162 tls_clear_error();
4163
4164 ASSERT(ks);
4165
4166 if (ks->state >= S_ACTIVE)
4167 {
4168 if (key_state_write_plaintext_const(&ks->ks_ssl, data, size) == 1)
4169 {
4170 ret = true;
4171 }
4172 }
4173 else
4174 {
4175 if (!ks->paybuf)
4176 {
4177 ks->paybuf = buffer_list_new();
4178 }
4179 buffer_list_push_data(ks->paybuf, data, (size_t)size);
4180 ret = true;
4181 }
4182
4183
4184 tls_clear_error();
4185
4186 return ret;
4187}
4188
4189bool
4190tls_rec_payload(struct tls_multi *multi,
4191 struct buffer *buf)
4192{
4193 bool ret = false;
4194
4195 tls_clear_error();
4196
4197 ASSERT(multi);
4198
4199 struct key_state *ks = get_key_scan(multi, 0);
4200
4201 if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4202 {
4203 if (buf_copy(buf, &ks->plaintext_read_buf))
4204 {
4205 ret = true;
4206 }
4207 ks->plaintext_read_buf.len = 0;
4208 }
4209
4210 tls_clear_error();
4211
4212 return ret;
4213}
4214
4215void
4216tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4217{
4218 struct gc_arena gc = gc_new();
4219 for (int i = 0; i < TM_SIZE; ++i)
4220 {
4221 struct tls_session *session = &multi->session[i];
4222
4223 for (int j = 0; j < KS_SIZE; ++j)
4224 {
4225 struct key_state *ks = &session->key[j];
4226
4227 if (!link_socket_actual_defined(&ks->remote_addr)
4228 || link_socket_actual_match(addr, &ks->remote_addr))
4229 {
4230 continue;
4231 }
4232
4233 dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4234 print_link_socket_actual(&ks->remote_addr, &gc),
4235 print_link_socket_actual(addr, &gc));
4236
4237 ks->remote_addr = *addr;
4238 }
4239 }
4240 gc_free(&gc);
4241}
4242
4243void
4244show_available_tls_ciphers(const char *cipher_list,
4245 const char *cipher_list_tls13,
4246 const char *tls_cert_profile)
4247{
4248 printf("Available TLS Ciphers, listed in order of preference:\n");
4249
4250 if (tls_version_max() >= TLS_VER_1_3)
4251 {
4252 printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4253 show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4254 }
4255
4256 printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4257 show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4258
4259 printf("\n"
4260 "Be aware that that whether a cipher suite in this list can actually work\n"
4261 "depends on the specific setup of both peers. See the man page entries of\n"
4262 "--tls-cipher and --show-tls for more details.\n\n"
4263 );
4264}
4265
4266/*
4267 * Dump a human-readable rendition of an openvpn packet
4268 * into a garbage collectable string which is returned.
4269 */
4270const char *
4271protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4272{
4273 struct buffer out = alloc_buf_gc(256, gc);
4274 struct buffer buf = *buffer;
4275
4276 uint8_t c;
4277 int op;
4278 int key_id;
4279
4280 int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4281
4282 if (buf.len <= 0)
4283 {
4284 buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4285 goto done;
4286 }
4287
4288 if (!(flags & PD_TLS))
4289 {
4290 goto print_data;
4291 }
4292
4293 /*
4294 * Initial byte (opcode)
4295 */
4296 if (!buf_read(&buf, &c, sizeof(c)))
4297 {
4298 goto done;
4299 }
4300 op = (c >> P_OPCODE_SHIFT);
4301 key_id = c & P_KEY_ID_MASK;
4302 buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4303
4304 if ((op == P_DATA_V1) || (op == P_DATA_V2))
4305 {
4306 goto print_data;
4307 }
4308
4309 /*
4310 * Session ID
4311 */
4312 {
4313 struct session_id sid;
4314
4315 if (!session_id_read(&sid, &buf))
4316 {
4317 goto done;
4318 }
4319 if (flags & PD_VERBOSE)
4320 {
4321 buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4322 }
4323 }
4324
4325 /*
4326 * tls-auth hmac + packet_id
4327 */
4328 if (tls_auth_hmac_size)
4329 {
4330 struct packet_id_net pin;
4331 uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4332
4333 ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4334
4335 if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4336 {
4337 goto done;
4338 }
4339 if (flags & PD_VERBOSE)
4340 {
4341 buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4342 }
4343
4344 if (!packet_id_read(&pin, &buf, true))
4345 {
4346 goto done;
4347 }
4348 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4349 }
4350 /*
4351 * packet_id + tls-crypt hmac
4352 */
4353 if (flags & PD_TLS_CRYPT)
4354 {
4355 struct packet_id_net pin;
4356 uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
4357
4358 if (!packet_id_read(&pin, &buf, true))
4359 {
4360 goto done;
4361 }
4362 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4363 if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
4364 {
4365 goto done;
4366 }
4367 if (flags & PD_VERBOSE)
4368 {
4369 buf_printf(&out, " tls_crypt_hmac=%s", format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
4370 }
4371 /*
4372 * Remainder is encrypted and optional wKc
4373 */
4374 goto done;
4375 }
4376
4377 /*
4378 * ACK list
4379 */
4380 buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4381
4382 if (op == P_ACK_V1)
4383 {
4384 goto print_data;
4385 }
4386
4387 /*
4388 * Packet ID
4389 */
4390 {
4391 packet_id_type l;
4392 if (!buf_read(&buf, &l, sizeof(l)))
4393 {
4394 goto done;
4395 }
4396 l = ntohpid(l);
4397 buf_printf(&out, " pid=" packet_id_format, (packet_id_print_type)l);
4398 }
4399
4400print_data:
4401 if (flags & PD_SHOW_DATA)
4402 {
4403 buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4404 }
4405 else
4406 {
4407 buf_printf(&out, " DATA len=%d", buf.len);
4408 }
4409
4410done:
4411 return BSTR(&out);
4412}
wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:401
resend_auth_token_renegotiation
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:461
auth_token.h
buffer_list_push_data
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition buffer.c:1212
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:183
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:162
buffer_list_pop
void buffer_list_pop(struct buffer_list *ol)
Definition buffer.c:1304
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:240
format_hex_ex
char * format_hex_ex(const uint8_t *data, int size, int maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
buffer_list_new
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1158
buffer_list_peek
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1239
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1167
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:88
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:62
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:698
format_hex
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition buffer.h:505
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:712
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:705
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:680
buf_read_u16
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:803
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:718
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1082
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:520
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:778
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:618
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:668
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:692
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1097
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:790
BLEN
#define BLEN(buf)
Definition buffer.h:127
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1103
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1060
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
interval_t
int interval_t
Definition common.h:36
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:69
counter_format
#define counter_format
Definition common.h:31
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:82
COMP_F_MIGRATE
#define COMP_F_MIGRATE
Definition comp.h:42
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1125
key2_print
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Prints the keys in a key2 structure.
Definition crypto.c:1208
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:893
check_key
bool check_key(struct key *key, const struct key_type *kt)
Definition crypto.c:1151
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:353
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1087
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1705
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition crypto.h:231
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:344
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:356
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:372
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:347
CO_RESEND_WKC
#define CO_RESEND_WKC
Bit-flag indicating that the client is expected to resend the wrapped client key with the 2nd packet ...
Definition crypto.h:360
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:376
cipher_decrypt_verify_fail_warn
static bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
Check if the number of failed decryption is approaching the limit and we should try to move to a new ...
Definition crypto.h:736
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition crypto.h:232
aead_usage_limit_reached
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
Definition crypto.h:765
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1410
crypto_uninit_lib
void crypto_uninit_lib(void)
Definition crypto_openssl.c:210
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:817
crypto_init_lib
void crypto_init_lib(void)
Definition crypto_openssl.c:195
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:805
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
cipher_kt_insecure
bool cipher_kt_insecure(const char *ciphername)
Returns true if we consider this cipher to be insecure.
Definition crypto_openssl.c:760
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:593
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:660
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition crypto_backend.h:496
OPENVPN_MAX_HMAC_SIZE
#define OPENVPN_MAX_HMAC_SIZE
Definition crypto_backend.h:49
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:338
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:353
crypto_epoch.h
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:350
dco_context_t
void * dco_context_t
Definition dco.h:267
init_key_dco_bi
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:329
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:283
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:328
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:77
D_PUSH
#define D_PUSH
Definition errlevel.h:83
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:157
D_DCO
#define D_DCO
Definition errlevel.h:94
D_SHOW_KEYS
#define D_SHOW_KEYS
Definition errlevel.h:121
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:101
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:72
D_SHOW_KEY_SOURCE
#define D_SHOW_KEY_SOURCE
Definition errlevel.h:122
D_TLS_KEYSELECT
#define D_TLS_KEYSELECT
Definition errlevel.h:146
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:105
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:59
M_INFO
#define M_INFO
Definition errlevel.h:55
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:165
S_ACTIVE
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:97
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1201
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session being negotiated.
Definition ssl_common.h:536
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:459
key_state_free
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition ssl.c:912
tls_session_free
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition ssl.c:1063
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1256
S_ERROR_PRE
#define S_ERROR_PRE
Error state but try to send out alerts before killing the keystore and moving it to S_ERROR.
Definition ssl_common.h:79
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:456
S_UNDEF
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition ssl_common.h:82
S_START
#define S_START
Three-way handshake is complete, start of key exchange.
Definition ssl_common.h:90
S_GOT_KEY
#define S_GOT_KEY
Local OpenVPN process has received the remote's part of the key material.
Definition ssl_common.h:94
S_PRE_START
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:87
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1172
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1187
TM_LAME_DUCK
#define TM_LAME_DUCK
Old tls_session.
Definition ssl_common.h:538
tls_session_init
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition ssl.c:989
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session array.
Definition ssl_common.h:539
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1227
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:535
S_GENERATED_KEYS
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:102
KS_LAME_DUCK
#define KS_LAME_DUCK
Key state index that will retire soon.
Definition ssl_common.h:457
S_SENT_KEY
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition ssl_common.h:92
S_ERROR
#define S_ERROR
Error state.
Definition ssl_common.h:78
S_INITIAL
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake.
Definition ssl_common.h:84
key_state_init
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition ssl.c:823
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1243
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition ssl_openssl.c:2286
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition ssl_openssl.c:2271
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition ssl_openssl.c:2257
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition ssl_openssl.c:2243
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition ssl_openssl.c:2227
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4136
tls_select_encryption_key
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:4047
TLS_AUTHENTICATED
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition ssl_verify.h:110
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:4107
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:4074
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4121
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3682
reliable_free
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition reliable.c:375
reliable_ack_read
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition reliable.c:149
reliable_get_buf_output_sequenced
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition reliable.c:582
reliable_schedule_now
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition reliable.c:701
reliable_ack_read_packet_id
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:114
reliable_ack_outstanding
static int reliable_ack_outstanding(struct reliable_ack *ack)
Returns the number of packets that need to be acked.
Definition reliable.h:189
reliable_mark_active_incoming
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition reliable.c:757
reliable_mark_active_outgoing
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition reliable.c:790
reliable_ack_print
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition reliable.c:313
reliable_ack_acknowledge_packet_id
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition reliable.c:132
reliable_set_timeout
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition reliable.h:531
reliable_can_get
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition reliable.c:469
reliable_send_purge
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition reliable.c:408
reliable_get_buf
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition reliable.c:535
reliable_send
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition reliable.c:662
reliable_can_send
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition reliable.c:634
reliable_empty
bool reliable_empty(const struct reliable *rel)
Check whether a reliable structure is empty.
Definition reliable.c:392
reliable_not_replay
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID is not a replay.
Definition reliable.c:488
RELIABLE_ACK_SIZE
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
Definition reliable.h:44
reliable_send_timeout
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition reliable.c:720
reliable_get_entry_sequenced
struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition reliable.c:618
reliable_init
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition reliable.c:357
reliable_mark_deleted
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf)
Remove an entry from a reliable structure.
Definition reliable.c:817
reliable_get_num_output_sequenced_available
int reliable_get_num_output_sequenced_available(struct reliable *rel)
Counts the number of free buffers in output that can be potentially used for sending.
Definition reliable.c:551
reliable_wont_break_sequentiality
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID can safely be stored in the reliable structure's processing window.
Definition reliable.c:515
ACK_SIZE
#define ACK_SIZE(n)
Definition reliable.h:68
reliable_ack_empty
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition reliable.h:176
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:89
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:98
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
min_int
static int min_int(int x, int y)
Definition integer.h:102
max_int
static int max_int(int x, int y)
Definition integer.h:89
status
static SERVICE_STATUS status
Definition interactive.c:53
management_query_cert
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3787
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2749
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:37
OPENVPN_STATE_AUTH
#define OPENVPN_STATE_AUTH
Definition manage.h:479
OPENVPN_STATE_WAIT
#define OPENVPN_STATE_WAIT
Definition manage.h:478
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:43
management_enable_def_auth
static bool management_enable_def_auth(const struct management *man)
Definition manage.h:459
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
unprotect_user_pass
void unprotect_user_pass(struct user_pass *up)
Decrypt username and password buffers in user_pass.
Definition misc.c:824
get_user_pass_cr
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.c:211
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:485
set_auth_token_user
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition misc.c:530
output_peer_info_env
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition misc.c:771
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:793
protect_user_pass
void protect_user_pass(struct user_pass *up)
Encrypt username and password buffers in user_pass.
Definition misc.c:804
set_auth_token
void set_auth_token(struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition misc.c:510
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:69
GET_USER_PASS_STATIC_CHALLENGE_CONCAT
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
Definition misc.h:122
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:109
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:111
GET_USER_PASS_STATIC_CHALLENGE_ECHO
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
Definition misc.h:119
GET_USER_PASS_INLINE_CREDS
#define GET_USER_PASS_INLINE_CREDS
Definition misc.h:121
GET_USER_PASS_STATIC_CHALLENGE
#define GET_USER_PASS_STATIC_CHALLENGE
Definition misc.h:118
SC_CONCAT
#define SC_CONCAT
Definition misc.h:95
SC_ECHO
#define SC_ECHO
Definition misc.h:94
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
GET_USER_PASS_DYNAMIC_CHALLENGE
#define GET_USER_PASS_DYNAMIC_CHALLENGE
Definition misc.h:117
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:335
frame_print
void frame_print(const struct frame *frame, int level, const char *prefix)
Definition mtu.c:195
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:172
CLEAR
#define CLEAR(x)
Definition basic.h:33
M_FATAL
#define M_FATAL
Definition error.h:89
check_debug_level
static bool check_debug_level(unsigned int level)
Definition error.h:220
dmsg
#define dmsg(flags,...)
Definition error.h:148
msg
#define msg(flags,...)
Definition error.h:144
ASSERT
#define ASSERT(x)
Definition error.h:195
M_WARN
#define M_WARN
Definition error.h:91
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:546
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4587
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5818
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4766
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4593
MODE_SERVER
#define MODE_SERVER
Definition options.h:259
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:929
now
time_t now
Definition otime.c:34
update_time
static void update_time(void)
Definition otime.h:77
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:561
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:127
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:323
packet_id_net_print
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition packet_id.c:428
packet_id_format
#define packet_id_format
Definition packet_id.h:77
packet_id_print_type
uint64_t packet_id_print_type
Definition packet_id.h:78
packet_id_type
uint32_t packet_id_type
Definition packet_id.h:46
packet_id_close_to_wrapping
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition packet_id.h:322
ntohpid
#define ntohpid(x)
Definition packet_id.h:65
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:316
perf_push
static void perf_push(int type)
Definition perf.h:78
PERF_TLS_MULTI_PROCESS
#define PERF_TLS_MULTI_PROCESS
Definition perf.h:42
perf_pop
static void perf_pop(void)
Definition perf.h:82
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:527
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:142
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:932
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:202
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2785
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:149
session_id_random
void session_id_random(struct session_id *sid)
Definition session_id.c:49
session_id_print
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition session_id.c:55
session_id_equal
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition session_id.h:48
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:55
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:61
SID_SIZE
#define SID_SIZE
Definition session_id.h:45
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket.c:2893
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket.h:726
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition socket.h:629
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition socket.h:883
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:984
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:392
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:372
generate_key_expansion
static bool generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
Definition ssl.c:1530
tls_process
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3101
tls_session_user_pass_enabled
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition ssl.c:957
auth_deferred_expire_window
static int auth_deferred_expire_window(const struct tls_options *o)
Definition ssl.c:2465
passbuf
static struct user_pass passbuf
Definition ssl.c:248
print_key_id
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition ssl.c:771
INCR_GENERATED
#define INCR_GENERATED
Definition ssl.c:94
auth_token
static struct user_pass auth_token
Definition ssl.c:282
init_epoch_keys
static void init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2)
Definition ssl.c:1367
lame_duck_must_die
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition ssl.c:1145
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:347
ks_auth_name
static const char * ks_auth_name(enum ks_auth_state auth)
Definition ssl.c:730
key_source2_read
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1777
move_session
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition ssl.c:1092
handle_data_channel_packet
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Check the keyid of the an incoming data channel packet and return the matching crypto parameters in o...
Definition ssl.c:3579
export_user_keying_material
static void export_user_keying_material(struct tls_session *session)
Definition ssl.c:2244
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:417
INCR_SUCCESS
#define INCR_SUCCESS
Definition ssl.c:95
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:261
control_packet_needs_wkc
static bool control_packet_needs_wkc(const struct key_state *ks)
Definition ssl.c:2683
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4216
read_incoming_tls_ciphertext
static bool read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
Read incoming ciphertext and passes it to the buffer of the SSL library.
Definition ssl.c:2655
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition ssl.c:4156
key_source2_print
static void key_source2_print(const struct key_source2 *k)
Definition ssl.c:1316
auth_user_pass
static struct user_pass auth_user_pass
Definition ssl.c:281
compute_earliest_wakeup
static void compute_earliest_wakeup(interval_t *earliest, interval_t seconds_from_now)
Definition ssl.c:1128
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4190
write_outgoing_tls_ciphertext
static bool write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2716
check_outgoing_ciphertext
static bool check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2802
check_session_buf_not_used
static void check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
This is a safe guard function to double check that a buffer from a session is not used in a session t...
Definition ssl.c:3247
calc_control_channel_frame_overhead
static int calc_control_channel_frame_overhead(const struct tls_session *session)
calculate the maximum overhead that control channel frames have This includes header,...
Definition ssl.c:190
tls_session_generate_data_channel_keys
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1597
flush_payload_buffer
static void flush_payload_buffer(struct key_state *ks)
Definition ssl.c:1811
init_key_contexts
static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2, bool dco_enabled)
Definition ssl.c:1409
print_key_id_not_found_reason
static void print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, int key_id)
We have not found a matching key to decrypt data channel packet, try to generate a sensible error mes...
Definition ssl.c:3527
tls_session_update_crypto_params_do_work
bool tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Definition ssl.c:1631
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1842
openvpn_PRF
static bool openvpn_PRF(const uint8_t *secret, int secret_len, const char *label, const uint8_t *client_seed, int client_seed_len, const uint8_t *server_seed, int server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, int output_len)
Definition ssl.c:1323
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:523
is_hard_reset_method2
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:788
read_string_alloc
static char * read_string_alloc(struct buffer *buf)
Definition ssl.c:1910
should_trigger_renegotiation
static bool should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
Determines if a renegotiation should be triggerred based on the various factors that can trigger one.
Definition ssl.c:3016
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:431
read_string
static int read_string(struct buffer *buf, char *str, const unsigned int capacity)
Read a string that is encoded as a 2 byte header with the length from the buffer buf.
Definition ssl.c:1891
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2580
session_index_name
static const char * session_index_name(int index)
Definition ssl.c:749
session_move_active
static void session_move_active(struct tls_multi *multi, struct tls_session *session, struct link_socket_info *to_link_socket_info, struct key_state *ks)
Moves the key to state to S_ACTIVE and also advances the multi_state state machine if this is the ini...
Definition ssl.c:2536
tls_get_limit_aead
static uint64_t tls_get_limit_aead(const char *ciphername)
Definition ssl.c:122
random_bytes_to_buf
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition ssl.c:1728
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:366
INCR_SENT
#define INCR_SENT
Definition ssl.c:93
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3309
tls_process_state
static bool tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2821
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:357
key_method_2_write
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition ssl.c:2125
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:251
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:228
key_source_print
static void key_source_print(const struct key_source *k, const char *prefix)
Definition ssl.c:1290
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1707
write_empty_string
static bool write_empty_string(struct buffer *buf)
Definition ssl.c:1852
tls_limit_reneg_bytes
static void tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition ssl.c:108
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:236
key_state_soft_reset
static void key_state_soft_reset(struct tls_session *session)
Definition ssl.c:1827
parse_early_negotiation_tlvs
static bool parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
Parses the TLVs (type, length, value) in the early negotiation.
Definition ssl.c:2606
auth_user_pass_enabled
static bool auth_user_pass_enabled
Definition ssl.c:280
auth_challenge
static char * auth_challenge
Definition ssl.c:285
key_source2_randomize_write
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1744
state_name
static const char * state_name(int state)
Definition ssl.c:690
generate_key_expansion_openvpn_prf
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition ssl.c:1472
reset_session
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition ssl.c:1117
INCR_ERROR
#define INCR_ERROR
Definition ssl.c:96
tls_ctx_reload_crl
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition ssl.c:472
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:295
generate_key_expansion_tls_export
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition ssl.c:1458
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition ssl.c:381
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1946
write_string
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition ssl.c:1862
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:289
ssl_purge_auth_challenge
void ssl_purge_auth_challenge(void)
Definition ssl.c:410
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4244
read_incoming_tls_plaintext
static bool read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup, bool *continue_tls_process)
Definition ssl.c:2691
key_method_2_read
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext).
Definition ssl.c:2280
session_move_pre_start
static bool session_move_pre_start(const struct tls_session *session, struct key_state *ks, bool skip_initial_send)
Move the session from S_INITIAL to S_PRE_START.
Definition ssl.c:2484
protocol_dump
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4271
ssl.h
Control Channel SSL/Data channel negotiation module.
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition ssl.h:231
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
load_xkey_provider
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
Definition ssl_openssl.c:2679
tls_wrap_free
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:485
IV_PROTO_AUTH_FAIL_TEMP
#define IV_PROTO_AUTH_FAIL_TEMP
Support for AUTH_FAIL,TEMP messages.
Definition ssl.h:105
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:119
CONTROL_SEND_ACK_MAX
#define CONTROL_SEND_ACK_MAX
Definition ssl.h:56
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition ssl.h:229
KEY_EXPANSION_ID
#define KEY_EXPANSION_ID
Definition ssl.h:50
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
PD_TLS_CRYPT
#define PD_TLS_CRYPT
Definition ssl.h:538
PD_TLS
#define PD_TLS
Definition ssl.h:536
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
PD_VERBOSE
#define PD_VERBOSE
Definition ssl.h:537
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
TLSMP_KILL
#define TLSMP_KILL
Definition ssl.h:230
PD_SHOW_DATA
#define PD_SHOW_DATA
Definition ssl.h:535
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
KEY_METHOD_MASK
#define KEY_METHOD_MASK
Definition ssl.h:122
IV_PROTO_DNS_OPTION_V2
#define IV_PROTO_DNS_OPTION_V2
Supports the –dns option after all the incompatible changes.
Definition ssl.h:114
PD_TLS_AUTH_HMAC_SIZE_MASK
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition ssl.h:534
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
TLSMP_INACTIVE
#define TLSMP_INACTIVE
Definition ssl.h:228
TLS_OPTIONS_LEN
#define TLS_OPTIONS_LEN
Definition ssl.h:69
ssl_backend.h
Control Channel SSL library backend module.
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition ssl_openssl.c:560
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:140
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2646
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:156
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:104
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
Definition ssl_openssl.c:2531
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:106
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition ssl_openssl.c:104
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:391
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition ssl_openssl.c:2212
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:108
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition ssl_openssl.c:1271
key_state_ssl_shutdown
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition ssl_openssl.c:2206
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1947
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition ssl_openssl.c:620
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition ssl_openssl.c:492
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition ssl_openssl.c:908
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition ssl_openssl.c:2166
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:99
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:717
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:109
TLS_VER_1_1
#define TLS_VER_1_1
Definition ssl_backend.h:107
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:92
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
Definition ssl_openssl.c:2502
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:207
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition ssl_openssl.c:1326
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition ssl_openssl.c:430
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1798
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition ssl_openssl.c:521
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition ssl_openssl.c:1718
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition ssl_openssl.c:1038
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition ssl_openssl.c:310
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:656
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition ssl_openssl.c:122
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Definition ssl_openssl.c:1257
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition ssl_common.h:555
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:705
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:43
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:418
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:579
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:569
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:570
CAS_WAITING_OPTIONS_IMPORT
@ CAS_WAITING_OPTIONS_IMPORT
client with pull or p2p waiting for first time options import
Definition ssl_common.h:574
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:568
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:575
ks_auth_state
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition ssl_common.h:147
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:151
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:148
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:149
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:420
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition ssl_common.h:42
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:728
SSLF_OPT_VERIFY
#define SSLF_OPT_VERIFY
Definition ssl_common.h:419
check_session_cipher
bool check_session_cipher(struct tls_session *session, struct options *options)
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition ssl_ncp.c:530
p2p_mode_ncp
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
Definition ssl_ncp.c:486
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:210
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:168
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt)
Definition ssl_pkt.c:200
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:331
P_DATA_V1
#define P_DATA_V1
Definition ssl_pkt.h:48
P_DATA_V2
#define P_DATA_V2
Definition ssl_pkt.h:49
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:40
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:330
P_ACK_V1
#define P_ACK_V1
Definition ssl_pkt.h:47
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:60
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition ssl_pkt.h:43
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition ssl_pkt.h:39
TLS_RELIABLE_N_REC_BUFFERS
#define TLS_RELIABLE_N_REC_BUFFERS
Definition ssl_pkt.h:72
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:249
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:53
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition ssl_pkt.h:45
P_CONTROL_V1
#define P_CONTROL_V1
Definition ssl_pkt.h:46
P_LAST_OPCODE
#define P_LAST_OPCODE
Definition ssl_pkt.h:66
EARLY_NEG_START
#define EARLY_NEG_START
Definition ssl_pkt.h:323
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:52
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition ssl_pkt.h:44
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:300
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:56
TLS_RELIABLE_N_SEND_BUFFERS
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition ssl_pkt.h:71
options_string_compat_lzo
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition ssl_util.c:78
ssl_util.h
SSL utility functions.
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition ssl_verify.c:958
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition ssl_verify.c:1827
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition ssl_verify.c:1765
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:808
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition ssl_verify.c:1144
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition ssl_verify.c:1581
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition ssl_verify.c:218
ssl_verify.h
Control Channel Verification Module.
tls_auth_status
tls_auth_status
Definition ssl_verify.h:70
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:71
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:72
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:68
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:301
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:383
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:339
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:330
env_item
Definition env_set.h:37
env_set
Definition env_set.h:42
env_set::list
struct env_item * list
Definition env_set.h:44
epoch_key
Definition crypto.h:191
epoch_key::epoch_key
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
Definition crypto.h:192
epoch_key::epoch
uint16_t epoch
Definition crypto.h:193
frame
Packet geometry parameters.
Definition mtu.h:98
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:131
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:102
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:108
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:118
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:112
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:239
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:240
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:242
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:279
key_ctx_bi::initialized
bool initialized
Definition crypto.h:284
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:282
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:280
key_ctx::plaintext_blocks
uint64_t plaintext_blocks
Counter for the number of plaintext block encrypted using this cipher with the current key in number ...
Definition crypto.h:221
key_direction_state
Key ordering of the key2.keys array.
Definition crypto.h:258
key_direction_state::in_key
int in_key
Index into the key2.keys array for the receiving direction.
Definition crypto.h:261
key_direction_state::out_key
int out_key
Index into the key2.keys array for the sending direction.
Definition crypto.h:259
key_source2
Container for both halves of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:134
key_source2::client
struct key_source client
Random provided by client.
Definition ssl_common.h:135
key_source2::server
struct key_source server
Random provided by server.
Definition ssl_common.h:136
key_source
Container for one half of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:117
key_source::random1
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition ssl_common.h:121
key_source::pre_master
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition ssl_common.h:118
key_source::random2
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition ssl_common.h:124
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:200
key_state::paybuf
struct buffer_list * paybuf
Holds outgoing message for the control channel until ks->state reaches S_ACTIVE.
Definition ssl_common.h:244
key_state::crypto_options
struct crypto_options crypto_options
Definition ssl_common.h:229
key_state::ack_write_buf
struct buffer ack_write_buf
Definition ssl_common.h:235
key_state::plaintext_read_buf
struct buffer plaintext_read_buf
Definition ssl_common.h:233
key_state::state
int state
Definition ssl_common.h:201
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:260
key_state::must_die
time_t must_die
Definition ssl_common.h:222
key_state::plaintext_write_buf
struct buffer plaintext_write_buf
Definition ssl_common.h:234
key_state::remote_addr
struct link_socket_actual remote_addr
Definition ssl_common.h:227
key_state::established
time_t established
Definition ssl_common.h:220
key_state::ks_ssl
struct key_state_ssl ks_ssl
Definition ssl_common.h:217
key_state::must_negotiate
time_t must_negotiate
Definition ssl_common.h:221
key_state::rec_ack
struct reliable_ack * rec_ack
Definition ssl_common.h:239
key_state::rec_reliable
struct reliable * rec_reliable
Definition ssl_common.h:238
key_state::session_id_remote
struct session_id session_id_remote
Definition ssl_common.h:226
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:255
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:261
key_state::initial
time_t initial
Definition ssl_common.h:219
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:251
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:209
key_state::peer_last_packet
time_t peer_last_packet
Definition ssl_common.h:223
key_state::send_reliable
struct reliable * send_reliable
Definition ssl_common.h:237
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition ssl_common.h:252
key_state::initial_opcode
int initial_opcode
Definition ssl_common.h:225
key_state::lru_acks
struct reliable_ack * lru_acks
Definition ssl_common.h:240
key_state::key_src
struct key_source2 * key_src
Definition ssl_common.h:231
key_state::n_bytes
counter_type n_bytes
Definition ssl_common.h:245
key_state::n_packets
counter_type n_packets
Definition ssl_common.h:246
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
link_socket_actual
Definition socket.h:87
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:110
link_socket_info
Definition socket.h:114
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:115
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:722
options::crl_file_inline
bool crl_file_inline
Definition options.h:616
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:638
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:605
options::ca_file
const char * ca_file
Definition options.h:593
options::ssl_flags
unsigned int ssl_flags
Definition options.h:625
options::authname
const char * authname
Definition options.h:578
options::dh_file_inline
bool dh_file_inline
Definition options.h:597
options::pkcs12_file
const char * pkcs12_file
Definition options.h:604
options::tls_groups
const char * tls_groups
Definition options.h:608
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:609
options::management_flags
unsigned int management_flags
Definition options.h:459
options::ciphername
const char * ciphername
Definition options.h:572
options::tls_server
bool tls_server
Definition options.h:591
options::extra_certs_file
const char * extra_certs_file
Definition options.h:600
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:603
options::crl_file
const char * crl_file
Definition options.h:615
options::dh_file
const char * dh_file
Definition options.h:596
options::ca_file_inline
bool ca_file_inline
Definition options.h:594
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:601
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:607
options::ecdh_curve
const char * ecdh_curve
Definition options.h:610
options::cipher_list
const char * cipher_list
Definition options.h:606
options::management_certificate
const char * management_certificate
Definition options.h:456
options::chroot_dir
const char * chroot_dir
Definition options.h:377
options::ca_path
const char * ca_path
Definition options.h:595
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::priv_key_file
const char * priv_key_file
Definition options.h:602
options::cert_file
const char * cert_file
Definition options.h:598
options::cert_file_inline
bool cert_file_inline
Definition options.h:599
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:192
packet_id_rec::id
uint64_t id
Definition packet_id.h:118
packet_id_send::id
uint64_t id
Definition packet_id.h:154
packet_id::send
struct packet_id_send send
Definition packet_id.h:201
packet_id::rec
struct packet_id_rec rec
Definition packet_id.h:202
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:62
reliable_ack::len
int len
Definition reliable.h:63
reliable_entry
The structure in which the reliability layer stores a single incoming or outgoing packet.
Definition reliable.h:75
reliable_entry::buf
struct buffer buf
Definition reliable.h:84
reliable_entry::opcode
int opcode
Definition reliable.h:83
reliable_entry::packet_id
packet_id_type packet_id
Definition reliable.h:79
reliable
The reliability layer storage structure for one VPN tunnel's control channel in one direction.
Definition reliable.h:92
reliable::array
struct reliable_entry array[RELIABLE_CAPACITY]
Definition reliable.h:98
reliable::size
int size
Definition reliable.h:93
reliable::packet_id
packet_id_type packet_id
Definition reliable.h:95
route_gateway_info
Definition route.h:146
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:165
route_gateway_info::flags
unsigned int flags
Definition route.h:153
session_id
Definition session_id.h:39
static_challenge_info
Definition misc.h:93
static_challenge_info::flags
unsigned int flags
Definition misc.h:96
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:98
tls_auth_standalone
Definition ssl_pkt.h:79
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:82
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:80
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:597
tls_multi::n_hard_errors
int n_hard_errors
Definition ssl_common.h:623
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:676
tls_multi::to_link_addr
struct link_socket_actual to_link_addr
Definition ssl_common.h:614
tls_multi::peer_info
char * peer_info
Definition ssl_common.h:649
tls_multi::save_ks
struct key_state * save_ks
Definition ssl_common.h:608
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:675
tls_multi::locked_username
char * locked_username
Definition ssl_common.h:630
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:618
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:602
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:681
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:631
tls_multi::locked_cn
char * locked_cn
Definition ssl_common.h:629
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:672
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:616
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:696
tls_multi::n_soft_errors
int n_soft_errors
Definition ssl_common.h:624
tls_options
Definition ssl_common.h:298
tls_options::gremlin
int gremlin
Definition ssl_common.h:439
tls_options::server
bool server
Definition ssl_common.h:306
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:379
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:361
tls_options::replay_time
int replay_time
Definition ssl_common.h:364
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:339
tls_options::frame
struct frame frame
Definition ssl_common.h:381
tls_options::remote_options
const char * remote_options
Definition ssl_common.h:314
tls_options::single_session
bool single_session
Definition ssl_common.h:317
tls_options::local_options
const char * local_options
Definition ssl_common.h:313
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:332
tls_options::replay_window
int replay_window
Definition ssl_common.h:363
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:105
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:107
tls_root_ctx::crl_last_size
off_t crl_last_size
size of last loaded CRL
Definition ssl_mbedtls.h:118
tls_root_ctx::crl_last_mtime
time_t crl_last_mtime
CRL last modification time.
Definition ssl_mbedtls.h:117
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:480
tls_session::key_id
int key_id
The current active key id, used to keep track of renegotiations.
Definition ssl_common.h:502
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:515
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:274
user_pass
Definition misc.h:57
user_pass::token_defined
bool token_defined
Definition misc.h:61
user_pass::protected
bool protected
Definition misc.h:63
user_pass::defined
bool defined
Definition misc.h:58
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:73
user_pass::nocache
bool nocache
Definition misc.h:62
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:72
es
struct env_set * es
Definition test_pkcs11.c:141
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:290
gc
struct gc_arena gc
Definition test_ssl.c:155
tls_crypt.h
win32_version_string
const char * win32_version_string(struct gc_arena *gc, bool add_name)
Definition win32.c:1424
Generated by doxygen 1.9.8