OpenVPN
ssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2026 Sentyron B.V. <openvpn@sentyron.com>
10 * Copyright (C) 2008-2026 David Sommerseth <dazo@eurephia.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
30/*
31 * The routines in this file deal with dynamically negotiating
32 * the data channel HMAC and cipher keys through a TLS session.
33 *
34 * Both the TLS session and the data channel are multiplexed
35 * over the same TCP/UDP port.
36 */
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "syshead.h"
42#include "win32.h"
43
44#include "error.h"
45#include "common.h"
46#include "socket.h"
47#include "misc.h"
48#include "fdmisc.h"
49#include "interval.h"
50#include "status.h"
51#include "gremlin.h"
52#include "pkcs11.h"
53#include "route.h"
54#include "tls_crypt.h"
55
56#include "crypto_epoch.h"
57#include "ssl.h"
58#include "ssl_verify.h"
59#include "ssl_backend.h"
60#include "ssl_ncp.h"
61#include "ssl_util.h"
62#include "auth_token.h"
63#include "mss.h"
64#include "dco.h"
65
66#include "memdbg.h"
67#include "openvpn.h"
68
69#ifdef MEASURE_TLS_HANDSHAKE_STATS
70
71static int tls_handshake_success; /* GLOBAL */
72static int tls_handshake_error; /* GLOBAL */
73static int tls_packets_generated; /* GLOBAL */
74static int tls_packets_sent; /* GLOBAL */
75
76#define INCR_SENT ++tls_packets_sent
77#define INCR_GENERATED ++tls_packets_generated
78#define INCR_SUCCESS ++tls_handshake_success
79#define INCR_ERROR ++tls_handshake_error
80
81void
82show_tls_performance_stats(void)
83{
84 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
85 (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
86 tls_handshake_success, tls_handshake_error,
87 (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
88}
89#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
90
91#define INCR_SENT
92#define INCR_GENERATED
93#define INCR_SUCCESS
94#define INCR_ERROR
95
96#endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
97
105static void
106tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
107{
108 if (cipher_kt_insecure(ciphername))
109 {
110 if (*reneg_bytes == -1) /* Not user-specified */
111 {
112 msg(M_WARN, "WARNING: cipher with small block size in use, "
113 "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
114 *reneg_bytes = 64 * 1024 * 1024;
115 }
116 }
117}
118
119static uint64_t
120tls_get_limit_aead(const char *ciphername)
121{
122 uint64_t limit = cipher_get_aead_limits(ciphername);
123
124 if (limit == 0)
125 {
126 return 0;
127 }
128
129 /* set limit to 7/8 of the limit so the renegotiation can succeed before
130 * we go over the limit */
131 limit = limit / 8 * 7;
132
133 msg(D_SHOW_KEYS,
134 "Note: AEAD cipher %s will trigger a renegotiation"
135 " at a sum of %" PRIi64 " blocks and packets.",
136 ciphername, limit);
137 return limit;
138}
139
140void
141tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
142{
143 /*
144 * frame->extra_frame is already initialized with tls_auth buffer requirements,
145 * if --tls-auth is enabled.
146 */
147
148 /* calculates the maximum overhead that control channel frames can have */
149 int overhead = 0;
150
151 /* Socks */
152 overhead += 10;
153
154 /* tls-auth and tls-crypt */
155 overhead += max_int(tls_crypt_buf_overhead(), packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
156
157 /* TCP length field and opcode */
158 overhead += 3;
159
160 /* ACK array and remote SESSION ID (part of the ACK array) */
161 overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
162
163 /* Previous OpenVPN version calculated the maximum size and buffer of a
164 * control frame depending on the overhead of the data channel frame
165 * overhead and limited its maximum size to 1250. Since control frames
166 * also need to fit into data channel buffer we have the same
167 * default of 1500 + 100 as data channel buffers have. Increasing
168 * control channel mtu beyond this limit also increases the data channel
169 * buffers */
170 frame->buf.payload_size = max_int(1500, tls_mtu) + 100;
171
172 frame->buf.headroom = overhead;
173 frame->buf.tailroom = overhead;
174
175 frame->tun_mtu = tls_mtu;
176
177 /* Ensure the tun-mtu stays in a valid range */
178 frame->tun_mtu = min_int(frame->tun_mtu, TLS_CHANNEL_BUF_SIZE);
179 frame->tun_mtu = max_int(frame->tun_mtu, TLS_CHANNEL_MTU_MIN);
180}
181
187static size_t
188calc_control_channel_frame_overhead(const struct tls_session *session)
189{
190 const struct key_state *ks = &session->key[KS_PRIMARY];
191 size_t overhead = 0;
192
193 /* opcode */
194 overhead += 1;
195
196 /* our own session id */
197 overhead += SID_SIZE;
198
199 /* ACK array and remote SESSION ID (part of the ACK array) */
200 int ackstosend = reliable_ack_outstanding(ks->rec_ack) + ks->lru_acks->len;
201 overhead += ACK_SIZE(min_int(ackstosend, CONTROL_SEND_ACK_MAX));
202
203 /* Message packet id */
204 overhead += sizeof(packet_id_type);
205
206 if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
207 {
208 overhead += tls_crypt_buf_overhead();
209 }
210 else if (session->tls_wrap.mode == TLS_WRAP_AUTH)
211 {
212 overhead += hmac_ctx_size(session->tls_wrap.opt.key_ctx_bi.encrypt.hmac);
213 overhead += packet_id_size(true);
214 }
215
216 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
217 * larger overhead but the risk of a TCP connection getting dropped because
218 * we try to send a too large packet is basically zero */
219 overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
220
221 return overhead;
222}
223
224void
225init_ssl_lib(void)
226{
227 tls_init_lib();
228
229 crypto_init_lib();
230}
231
232void
233free_ssl_lib(void)
234{
235 crypto_uninit_lib();
236
237 tls_free_lib();
238}
239
240/*
241 * OpenSSL library calls pem_password_callback if the
242 * private key is protected by a password.
243 */
244
245static struct user_pass passbuf; /* GLOBAL */
246
247void
248pem_password_setup(const char *auth_file)
249{
250 unprotect_user_pass(&passbuf);
251 if (!strlen(passbuf.password))
252 {
253 get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY,
254 GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
255 }
256}
257
258int
259pem_password_callback(char *buf, int size, int rwflag, void *u)
260{
261 if (buf)
262 {
263 /* prompt for password even if --askpass wasn't specified */
264 pem_password_setup(NULL);
265 ASSERT(!passbuf.protected);
266 strncpynt(buf, passbuf.password, (size_t)size);
267 purge_user_pass(&passbuf, false);
268
269 return (int)strlen(buf);
270 }
271 return 0;
272}
273
274/*
275 * Auth username/password handling
276 */
277
278static bool auth_user_pass_enabled; /* GLOBAL */
279static struct user_pass auth_user_pass; /* GLOBAL */
280static struct user_pass auth_token; /* GLOBAL */
281
282#ifdef ENABLE_MANAGEMENT
283static char *auth_challenge; /* GLOBAL */
284#endif
285
286void
291
292void
293auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
294{
295 unsigned int flags = GET_USER_PASS_MANAGEMENT;
296
297 if (is_inline)
298 {
299 flags |= GET_USER_PASS_INLINE_CREDS;
300 }
301
302 if (!auth_user_pass.defined && !auth_token.defined)
303 {
304 unprotect_user_pass(&auth_user_pass);
305#ifdef ENABLE_MANAGEMENT
306 if (auth_challenge) /* dynamic challenge/response */
307 {
308 flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
309 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, auth_challenge);
310 }
311 else if (sci) /* static challenge response */
312 {
313 flags |= GET_USER_PASS_STATIC_CHALLENGE;
314 if (sci->flags & SC_ECHO)
315 {
316 flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
317 }
318 if (sci->flags & SC_CONCAT)
319 {
320 flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
321 }
322 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text);
323 }
324 else
325#endif /* ifdef ENABLE_MANAGEMENT */
326 {
327 get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
328 }
329 }
330}
331
332/*
333 * Disable password caching
334 */
335void
336ssl_set_auth_nocache(void)
337{
338 passbuf.nocache = true;
339 auth_user_pass.nocache = true;
340}
341
342/*
343 * Get the password caching
344 */
345bool
346ssl_get_auth_nocache(void)
347{
348 return passbuf.nocache;
349}
350
351/*
352 * Set an authentication token
353 */
354void
355ssl_set_auth_token(const char *token)
356{
357 set_auth_token(&auth_token, token);
358}
359
360void
365
366/*
367 * Cleans an auth token and checks if it was active
368 */
369bool
370ssl_clean_auth_token(void)
371{
372 bool wasdefined = auth_token.defined;
373 purge_user_pass(&auth_token, true);
374 return wasdefined;
375}
376
377/*
378 * Forget private key password AND auth-user-pass username/password.
379 */
380void
381ssl_purge_auth(const bool auth_user_pass_only)
382{
383 if (!auth_user_pass_only)
384 {
385#ifdef ENABLE_PKCS11
386 pkcs11_logout();
387#endif
388 purge_user_pass(&passbuf, true);
389 }
390 purge_user_pass(&auth_user_pass, true);
391#ifdef ENABLE_MANAGEMENT
392 ssl_purge_auth_challenge();
393#endif
394}
395
396#ifdef ENABLE_MANAGEMENT
397
398void
399ssl_purge_auth_challenge(void)
400{
401 free(auth_challenge);
402 auth_challenge = NULL;
403}
404
405void
406ssl_put_auth_challenge(const char *cr_str)
407{
408 ssl_purge_auth_challenge();
409 auth_challenge = string_alloc(cr_str, NULL);
410}
411
412#endif
413
414/*
415 * Parse a TLS version string, returning a TLS_VER_x constant.
416 * If version string is not recognized and extra == "or-highest",
417 * return tls_version_max().
418 */
419int
420tls_version_parse(const char *vstr, const char *extra)
421{
422 const int max_version = tls_version_max();
423 if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
424 {
425 return TLS_VER_1_0;
426 }
427 else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
428 {
429 return TLS_VER_1_1;
430 }
431 else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
432 {
433 return TLS_VER_1_2;
434 }
435 else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
436 {
437 return TLS_VER_1_3;
438 }
439 else if (extra && !strcmp(extra, "or-highest"))
440 {
441 return max_version;
442 }
443 else
444 {
445 return TLS_VER_BAD;
446 }
447}
448
460static void
461tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
462{
463 /* if something goes wrong with stat(), we'll store 0 as mtime */
464 platform_stat_t crl_stat = { 0 };
465
466 /*
467 * an inline CRL can't change at runtime, therefore there is no need to
468 * reload it. It will be reloaded upon config change + SIGHUP.
469 * Use always '1' as dummy timestamp in this case: it will trigger the
470 * first load, but will prevent any future reload.
471 */
472 if (crl_file_inline)
473 {
474 crl_stat.st_mtime = 1;
475 }
476 else if (platform_stat(crl_file, &crl_stat) < 0)
477 {
478 /* If crl_last_mtime is zero, the CRL file has not been read before. */
479 if (ssl_ctx->crl_last_mtime == 0)
480 {
481 msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
482 }
483 else
484 {
485 msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
486 }
487 return;
488 }
489
490 /*
491 * Store the CRL if this is the first time or if the file was changed since
492 * the last load.
493 * Note: Windows does not support tv_nsec.
494 */
495 if ((ssl_ctx->crl_last_size == crl_stat.st_size)
496 && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
497 {
498 return;
499 }
500
501 ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
502 ssl_ctx->crl_last_size = crl_stat.st_size;
503 backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
504}
505
506/*
507 * Initialize SSL context.
508 * All files are in PEM format.
509 */
510struct tls_root_ctx *
511init_ssl(const struct options *options, bool in_chroot)
512{
513 tls_clear_error();
514
515 if (key_is_external(options))
516 {
517 load_xkey_provider();
518 }
519
520 struct tls_root_ctx *new_ctx;
521 ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx);
522
523 if (options->tls_server)
524 {
525 tls_ctx_server_new(new_ctx);
526
527 if (options->dh_file)
528 {
529 tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
530 }
531 }
532 else /* if client */
533 {
534 tls_ctx_client_new(new_ctx);
535 }
536
537 /* Restrict allowed certificate crypto algorithms */
538 tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
539
540 /* Allowable ciphers */
541 /* Since @SECLEVEL also influences loading of certificates, set the
542 * cipher restrictions before loading certificates */
543 tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
544 tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13);
545
546 /* Set the allow groups/curves for TLS if we want to override them */
547 if (options->tls_groups)
548 {
549 tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
550 }
551
552 if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
553 {
554 goto err;
555 }
556
557 if (options->pkcs12_file)
558 {
559 if (0
560 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline,
561 !options->ca_file))
562 {
563 goto err;
564 }
565 }
566#ifdef ENABLE_PKCS11
567 else if (options->pkcs11_providers[0])
568 {
569 if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
570 {
571 msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
572 options->pkcs11_id);
573 goto err;
574 }
575 }
576#endif
577#ifdef ENABLE_CRYPTOAPI
578 else if (options->cryptoapi_cert)
579 {
580 tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
581 }
582#endif
583#ifdef ENABLE_MANAGEMENT
584 else if (options->management_flags & MF_EXTERNAL_CERT)
585 {
586 char *cert = management_query_cert(management, options->management_certificate);
587 tls_ctx_load_cert_file(new_ctx, cert, true);
588 free(cert);
589 }
590#endif
591 else if (options->cert_file)
592 {
593 tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
594 }
595
596 if (options->priv_key_file)
597 {
598 if (0
599 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
600 options->priv_key_file_inline))
601 {
602 goto err;
603 }
604 }
605#ifdef ENABLE_MANAGEMENT
606 else if (options->management_flags & MF_EXTERNAL_KEY)
607 {
608 if (tls_ctx_use_management_external_key(new_ctx))
609 {
610 msg(M_WARN, "Cannot initialize mamagement-external-key");
611 goto err;
612 }
613 }
614#endif
615
616 if (options->ca_file || options->ca_path)
617 {
618 tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path,
619 options->tls_server);
620 }
621
622 /* Load extra certificates that are part of our own certificate
623 * chain but shouldn't be included in the verify chain */
624 if (options->extra_certs_file)
625 {
626 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file,
627 options->extra_certs_file_inline);
628 }
629
630 /* Check certificate notBefore and notAfter */
631 tls_ctx_check_cert_time(new_ctx);
632
633 /* Read CRL */
634 if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
635 {
636 /* If we're running with the chroot option, we may run init_ssl() before
637 * and after chroot-ing. We can use the crl_file path as-is if we're
638 * not going to chroot, or if we already are inside the chroot.
639 *
640 * If we're going to chroot later, we need to prefix the path of the
641 * chroot directory to crl_file.
642 */
643 if (!options->chroot_dir || in_chroot || options->crl_file_inline)
644 {
645 tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
646 }
647 else
648 {
649 struct gc_arena gc = gc_new();
650 struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
651 tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
652 gc_free(&gc);
653 }
654 }
655
656 /* Once keys and cert are loaded, load ECDH parameters */
657 if (options->tls_server)
658 {
659 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
660 }
661
662#ifdef ENABLE_CRYPTO_MBEDTLS
663 /* Personalise the random by mixing in the certificate */
664 tls_ctx_personalise_random(new_ctx);
665#endif
666
667 tls_clear_error();
668 return new_ctx;
669
670err:
671 tls_clear_error();
672 tls_ctx_free(new_ctx);
673 free(new_ctx);
674 return NULL;
675}
676
677/*
678 * Map internal constants to ascii names.
679 */
680static const char *
681state_name(int state)
682{
683 switch (state)
684 {
685 case S_UNDEF:
686 return "S_UNDEF";
687
688 case S_INITIAL:
689 return "S_INITIAL";
690
691 case S_PRE_START_SKIP:
692 return "S_PRE_START_SKIP";
693
694 case S_PRE_START:
695 return "S_PRE_START";
696
697 case S_START:
698 return "S_START";
699
700 case S_SENT_KEY:
701 return "S_SENT_KEY";
702
703 case S_GOT_KEY:
704 return "S_GOT_KEY";
705
706 case S_ACTIVE:
707 return "S_ACTIVE";
708
709 case S_ERROR:
710 return "S_ERROR";
711
712 case S_ERROR_PRE:
713 return "S_ERROR_PRE";
714
715 case S_GENERATED_KEYS:
716 return "S_GENERATED_KEYS";
717
718 default:
719 return "S_???";
720 }
721}
722
723static const char *
724ks_auth_name(enum ks_auth_state auth)
725{
726 switch (auth)
727 {
728 case KS_AUTH_TRUE:
729 return "KS_AUTH_TRUE";
730
731 case KS_AUTH_DEFERRED:
732 return "KS_AUTH_DEFERRED";
733
734 case KS_AUTH_FALSE:
735 return "KS_AUTH_FALSE";
736
737 default:
738 return "KS_????";
739 }
740}
741
742static const char *
743session_index_name(int index)
744{
745 switch (index)
746 {
747 case TM_ACTIVE:
748 return "TM_ACTIVE";
749
750 case TM_INITIAL:
751 return "TM_INITIAL";
752
753 case TM_LAME_DUCK:
754 return "TM_LAME_DUCK";
755
756 default:
757 return "TM_???";
758 }
759}
760
761/*
762 * For debugging.
763 */
764static const char *
765print_key_id(struct tls_multi *multi, struct gc_arena *gc)
766{
767 struct buffer out = alloc_buf_gc(256, gc);
768
769 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
770 {
771 struct key_state *ks = get_key_scan(multi, i);
772 buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
773 ks_auth_name(ks->authenticated), ks->key_id,
774 session_id_print(&ks->session_id_remote, gc));
775 }
776
777 return BSTR(&out);
778}
779
780bool
781is_hard_reset_method2(int op)
782{
783 if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2
784 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
785 {
786 return true;
787 }
788
789 return false;
790}
791
815static void
816key_state_init(struct tls_session *session, struct key_state *ks)
817{
818 update_time();
819
820 CLEAR(*ks);
821
822 /*
823 * Build TLS object that reads/writes ciphertext
824 * to/from memory BIOs.
825 */
826 key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session);
827
828 /* Set control-channel initiation mode */
829 ks->initial_opcode = session->initial_opcode;
830 session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
831 ks->state = S_INITIAL;
832 ks->key_id = session->key_id;
833
834 /*
835 * key_id increments to KEY_ID_MASK then recycles back to 1.
836 * This way you know that if key_id is 0, it is the first key.
837 */
838 ++session->key_id;
839 session->key_id &= P_KEY_ID_MASK;
840 if (!session->key_id)
841 {
842 session->key_id = 1;
843 }
844
845 /* allocate key source material object */
846 ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
847
848 /* allocate reliability objects */
849 ALLOC_OBJ_CLEAR(ks->send_reliable, struct reliable);
850 ALLOC_OBJ_CLEAR(ks->rec_reliable, struct reliable);
851 ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
852 ALLOC_OBJ_CLEAR(ks->lru_acks, struct reliable_ack);
853
854 /* allocate buffers */
855 ks->plaintext_read_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
856 ks->plaintext_write_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
857 ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
858 reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
859 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
860 ks->key_id ? false : session->opt->xmit_hold);
861 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
862 session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
863 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
864
865 /* init packet ID tracker */
866 packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
867 session->opt->replay_time, "SSL", ks->key_id);
868
869 ks->crypto_options.pid_persist = NULL;
870
871#ifdef ENABLE_MANAGEMENT
872 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
873#endif
874
875 /*
876 * Attempt CRL reload before TLS negotiation. Won't be performed if
877 * the file was not modified since the last reload. This affects
878 * all instances (all instances share the same context).
879 */
880 if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
881 {
882 tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file,
883 session->opt->crl_file_inline);
884 }
885}
886
887
901static void
902key_state_free(struct key_state *ks, bool clear)
903{
904 ks->state = S_UNDEF;
905
906 key_state_ssl_free(&ks->ks_ssl);
907
908 free_key_ctx_bi(&ks->crypto_options.key_ctx_bi);
909 free_epoch_key_ctx(&ks->crypto_options);
910 free_buf(&ks->plaintext_read_buf);
911 free_buf(&ks->plaintext_write_buf);
912 free_buf(&ks->ack_write_buf);
913 buffer_list_free(ks->paybuf);
914
915 reliable_free(ks->send_reliable);
916 reliable_free(ks->rec_reliable);
917
918 free(ks->rec_ack);
919 free(ks->lru_acks);
920 free(ks->key_src);
921
922 packet_id_free(&ks->crypto_options.packet_id);
923
924 key_state_rm_auth_control_files(&ks->plugin_auth);
925 key_state_rm_auth_control_files(&ks->script_auth);
926
927 if (clear)
928 {
929 secure_memzero(ks, sizeof(*ks));
930 }
931}
932
946static inline bool
947tls_session_user_pass_enabled(struct tls_session *session)
948{
949 return (session->opt->auth_user_pass_verify_script
950 || plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
951#ifdef ENABLE_MANAGEMENT
952 || management_enable_def_auth(management)
953#endif
954 );
955}
956
957
978static void
979tls_session_init(struct tls_multi *multi, struct tls_session *session)
980{
981 struct gc_arena gc = gc_new();
982
983 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
984
985 CLEAR(*session);
986
987 /* Set options data to point to parent's option structure */
988 session->opt = &multi->opt;
989
990 /* Randomize session # if it is 0 */
991 while (!session_id_defined(&session->session_id))
992 {
993 session_id_random(&session->session_id);
994 }
995
996 /* Are we a TLS server or client? */
997 if (session->opt->server)
998 {
999 session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2;
1000 }
1001 else
1002 {
1003 session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
1004 : P_CONTROL_HARD_RESET_CLIENT_V2;
1005 }
1006
1007 /* Initialize control channel authentication parameters */
1008 session->tls_wrap = session->opt->tls_wrap;
1009 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1010
1011 /* initialize packet ID replay window for --tls-auth */
1012 packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
1013 session->opt->replay_time, "TLS_WRAP", session->key_id);
1014
1015 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
1016 * to indicate early protocol negotiation */
1017 if (session->opt->tls_crypt_v2)
1018 {
1019 session->tls_wrap.opt.packet_id.send.time = now;
1020 session->tls_wrap.opt.packet_id.send.id = EARLY_NEG_START;
1021 }
1022
1023 /* load most recent packet-id to replay protect on --tls-auth */
1024 packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
1025
1026 key_state_init(session, &session->key[KS_PRIMARY]);
1027
1028 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1029 session_id_print(&session->session_id, &gc));
1030
1031 gc_free(&gc);
1032}
1033
1049static void
1050tls_session_free(struct tls_session *session, bool clear)
1051{
1052 tls_wrap_free(&session->tls_wrap);
1053 tls_wrap_free(&session->tls_wrap_reneg);
1054
1055 for (size_t i = 0; i < KS_SIZE; ++i)
1056 {
1057 /* we don't need clear=true for this call since
1058 * the structs are part of session and get cleared
1059 * as part of session */
1060 key_state_free(&session->key[i], false);
1061 }
1062
1063 free(session->common_name);
1064
1065 cert_hash_free(session->cert_hash_set);
1066
1067 if (clear)
1068 {
1069 secure_memzero(session, sizeof(*session));
1070 }
1071}
1072
1078static void
1079move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1080{
1081 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1082 session_index_name(dest), session_index_name(src), reinit_src);
1083 ASSERT(src != dest);
1084 ASSERT(src >= 0 && src < TM_SIZE);
1085 ASSERT(dest >= 0 && dest < TM_SIZE);
1086 tls_session_free(&multi->session[dest], false);
1087 multi->session[dest] = multi->session[src];
1088
1089 if (reinit_src)
1090 {
1091 tls_session_init(multi, &multi->session[src]);
1092 }
1093 else
1094 {
1095 secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1096 }
1097
1098 dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1099}
1100
1101static void
1102reset_session(struct tls_multi *multi, struct tls_session *session)
1103{
1104 tls_session_free(session, false);
1105 tls_session_init(multi, session);
1106}
1107
1108/*
1109 * Used to determine in how many seconds we should be
1110 * called again.
1111 */
1112static inline void
1113compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
1114{
1115 if (seconds_from_now < *earliest)
1116 {
1117 *earliest = (interval_t)seconds_from_now;
1118 }
1119 if (*earliest < 0)
1120 {
1121 *earliest = 0;
1122 }
1123}
1124
1125/*
1126 * Return true if "lame duck" or retiring key has expired and can
1127 * no longer be used.
1128 */
1129static inline bool
1130lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
1131{
1132 const struct key_state *lame = &session->key[KS_LAME_DUCK];
1133 if (lame->state >= S_INITIAL)
1134 {
1135 ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1136 if (now < lame->must_die)
1137 {
1138 compute_earliest_wakeup(wakeup, lame->must_die - now);
1139 return false;
1140 }
1141 else
1142 {
1143 return true;
1144 }
1145 }
1146 else if (lame->state == S_ERROR)
1147 {
1148 return true;
1149 }
1150 else
1151 {
1152 return false;
1153 }
1154}
1155
1156struct tls_multi *
1157tls_multi_init(struct tls_options *tls_options)
1158{
1159 struct tls_multi *ret;
1160
1161 ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1162
1163 /* get command line derived options */
1164 ret->opt = *tls_options;
1165 ret->dco_peer_id = -1;
1166 ret->peer_id = MAX_PEER_ID;
1167
1168 return ret;
1169}
1170
1171void
1172tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
1173{
1174 tls_init_control_channel_frame_parameters(&multi->opt.frame, tls_mtu);
1175 /* initialize the active and untrusted sessions */
1176
1177 tls_session_init(multi, &multi->session[TM_ACTIVE]);
1178 tls_session_init(multi, &multi->session[TM_INITIAL]);
1179}
1180
1181/*
1182 * Initialize and finalize a standalone tls-auth verification object.
1183 */
1184
1185struct tls_auth_standalone *
1186tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
1187{
1188 struct tls_auth_standalone *tas;
1189
1190 ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1191
1192 tas->tls_wrap = tls_options->tls_wrap;
1193
1194 /*
1195 * Standalone tls-auth is in read-only mode with respect to TLS
1196 * control channel state. After we build a new client instance
1197 * object, we will process this session-initiating packet for real.
1198 */
1199 tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID;
1200
1201 /* get initial frame parms, still need to finalize */
1202 tas->frame = tls_options->frame;
1203
1204 packet_id_init(&tas->tls_wrap.opt.packet_id, tls_options->replay_window,
1205 tls_options->replay_time, "TAS", 0);
1206
1207 return tas;
1208}
1209
1210void
1211tls_auth_standalone_free(struct tls_auth_standalone *tas)
1212{
1213 if (!tas)
1214 {
1215 return;
1216 }
1217
1218 packet_id_free(&tas->tls_wrap.opt.packet_id);
1219}
1220
1221/*
1222 * Set local and remote option compatibility strings.
1223 * Used to verify compatibility of local and remote option
1224 * sets.
1225 */
1226void
1227tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
1228{
1229 /* initialize options string */
1230 multi->opt.local_options = local;
1231 multi->opt.remote_options = remote;
1232}
1233
1234/*
1235 * Cleanup a tls_multi structure and free associated memory allocations.
1236 */
1237void
1238tls_multi_free(struct tls_multi *multi, bool clear)
1239{
1240 ASSERT(multi);
1241
1242 auth_set_client_reason(multi, NULL);
1243
1244 free(multi->peer_info);
1245 free(multi->locked_cn);
1246 free(multi->locked_username);
1247 free(multi->locked_original_username);
1248
1249 cert_hash_free(multi->locked_cert_hash_set);
1250
1251 wipe_auth_token(multi);
1252
1253 free(multi->remote_ciphername);
1254
1255 for (int i = 0; i < TM_SIZE; ++i)
1256 {
1257 tls_session_free(&multi->session[i], false);
1258 }
1259
1260 if (clear)
1261 {
1262 secure_memzero(multi, sizeof(*multi));
1263 }
1264
1265 free(multi);
1266}
1267
1268/*
1269 * For debugging, print contents of key_source2 structure.
1270 */
1271
1272static void
1273key_source_print(const struct key_source *k, const char *prefix)
1274{
1275 struct gc_arena gc = gc_new();
1276
1277 VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1278 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1279 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1280
1281 dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
1282 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1283 dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
1284 format_hex(k->random1, sizeof(k->random1), 0, &gc));
1285 dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
1286 format_hex(k->random2, sizeof(k->random2), 0, &gc));
1287
1288 gc_free(&gc);
1289}
1290
1291static void
1292key_source2_print(const struct key_source2 *k)
1293{
1294 key_source_print(&k->client, "Client");
1295 key_source_print(&k->server, "Server");
1296}
1297
1298static bool
1299openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed,
1300 size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len,
1301 const struct session_id *client_sid, const struct session_id *server_sid,
1302 uint8_t *output, size_t output_len)
1303{
1304 /* concatenate seed components */
1305
1306 struct buffer seed =
1307 alloc_buf(strlen(label) + client_seed_len + server_seed_len + SID_SIZE * 2);
1308
1309 ASSERT(buf_write(&seed, label, strlen(label)));
1310 ASSERT(buf_write(&seed, client_seed, client_seed_len));
1311 ASSERT(buf_write(&seed, server_seed, server_seed_len));
1312
1313 if (client_sid)
1314 {
1315 ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1316 }
1317 if (server_sid)
1318 {
1319 ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1320 }
1321
1322 /* compute PRF */
1323 bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1324
1325 buf_clear(&seed);
1326 free_buf(&seed);
1327
1328 VALGRIND_MAKE_READABLE((void *)output, output_len);
1329 return ret;
1330}
1331
1332static void
1333init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1334 bool server, struct key2 *key2)
1335{
1336 /* For now we hardcode this to be 16 for the software based data channel
1337 * DCO based implementations/HW implementation might adjust this number
1338 * based on their expected speed */
1339 const uint8_t future_key_count = 16;
1340
1341 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1342 struct key_direction_state kds;
1343 key_direction_state_init(&kds, key_direction);
1344
1345 struct crypto_options *co = &ks->crypto_options;
1346
1347 /* For the epoch key we use the first 32 bytes of key2 cipher keys
1348 * for the initial secret */
1349 struct epoch_key e1_send = { 0 };
1350 e1_send.epoch = 1;
1351 memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key));
1352
1353 struct epoch_key e1_recv = { 0 };
1354 e1_recv.epoch = 1;
1355 memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key));
1356
1357 /* DCO implementations have two choices at this point.
1358 *
1359 * a) (more likely) they probably to pass E1 directly to kernel
1360 * space at this point and do all the other key derivation in kernel
1361 *
1362 * b) They let userspace do the key derivation and pass all the individual
1363 * keys to the DCO layer.
1364 * */
1365 epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
1366
1367 secure_memzero(&e1_send, sizeof(e1_send));
1368 secure_memzero(&e1_recv, sizeof(e1_recv));
1369}
1370
1371static void
1372init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1373 bool server, struct key2 *key2, bool dco_enabled)
1374{
1375 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1376
1377 /* Initialize key contexts */
1378 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1379
1380 if (dco_enabled)
1381 {
1382 if (key->encrypt.hmac)
1383 {
1384 msg(M_FATAL, "FATAL: DCO does not support --auth");
1385 }
1386
1387 int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
1388 if (ret < 0)
1389 {
1390 msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
1391 }
1392
1393 /* encrypt/decrypt context are unused with DCO */
1394 CLEAR(key->encrypt);
1395 CLEAR(key->decrypt);
1396 key->initialized = true;
1397 }
1398 else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT)
1399 {
1400 if (!cipher_kt_mode_aead(key_type->cipher))
1401 {
1402 msg(M_FATAL,
1403 "AEAD cipher (currently %s) "
1404 "required for epoch data format.",
1405 cipher_kt_name(key_type->cipher));
1406 }
1407 init_epoch_keys(ks, multi, key_type, server, key2);
1408 }
1409 else
1410 {
1411 init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1412 }
1413}
1414
1415static bool
1416generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
1417{
1418 if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
1419 strlen(EXPORT_KEY_DATA_LABEL), key2->keys,
1420 sizeof(key2->keys)))
1421 {
1422 return false;
1423 }
1424 key2->n = 2;
1425
1426 return true;
1427}
1428
1429static bool
1430generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
1431{
1432 uint8_t master[48] = { 0 };
1433
1434 const struct key_state *ks = &session->key[KS_PRIMARY];
1435 const struct key_source2 *key_src = ks->key_src;
1436
1437 const struct session_id *client_sid =
1438 session->opt->server ? &ks->session_id_remote : &session->session_id;
1439 const struct session_id *server_sid =
1440 !session->opt->server ? &ks->session_id_remote : &session->session_id;
1441
1442 /* debugging print of source key material */
1443 key_source2_print(key_src);
1444
1445 /* compute master secret */
1446 if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
1447 KEY_EXPANSION_ID " master secret", key_src->client.random1,
1448 sizeof(key_src->client.random1), key_src->server.random1,
1449 sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
1450 {
1451 return false;
1452 }
1453
1454 /* compute key expansion */
1455 if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
1456 key_src->client.random2, sizeof(key_src->client.random2),
1457 key_src->server.random2, sizeof(key_src->server.random2), client_sid,
1458 server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
1459 {
1460 return false;
1461 }
1462 secure_memzero(&master, sizeof(master));
1463
1464 key2->n = 2;
1465
1466 return true;
1467}
1468
1469/*
1470 * Using source entropy from local and remote hosts, mix into
1471 * master key.
1472 */
1473static bool
1474generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
1475{
1476 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1477 bool ret = false;
1478 struct key2 key2;
1479
1480 if (key->initialized)
1481 {
1482 msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1483 goto exit;
1484 }
1485
1486 bool server = session->opt->server;
1487
1488 if (session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
1489 {
1490 if (!generate_key_expansion_tls_export(session, &key2))
1491 {
1492 msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1493 goto exit;
1494 }
1495 }
1496 else
1497 {
1498 if (!generate_key_expansion_openvpn_prf(session, &key2))
1499 {
1500 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
1501 "might not support the old TLS 1.0 PRF calculation anymore or "
1502 "the policy does not allow it (e.g. running in FIPS mode). "
1503 "The peer did not announce support for the modern TLS Export "
1504 "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
1505 "2.6.x or higher)");
1506 goto exit;
1507 }
1508 }
1509
1510 key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
1511
1512 /* check for weak keys */
1513 for (int i = 0; i < 2; ++i)
1514 {
1515 if (!check_key(&key2.keys[i], &session->opt->key_type))
1516 {
1517 msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1518 goto exit;
1519 }
1520 }
1521
1522 init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
1523 ret = true;
1524
1525exit:
1526 secure_memzero(&key2, sizeof(key2));
1527
1528 return ret;
1529}
1530
1537bool
1538tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
1539{
1540 bool ret = false;
1541 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1542
1543 if (ks->authenticated <= KS_AUTH_FALSE)
1544 {
1545 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1546 goto cleanup;
1547 }
1548
1549 ks->crypto_options.flags = session->opt->crypto_flags;
1550
1551 if (!generate_key_expansion(multi, ks, session))
1552 {
1553 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1554 goto cleanup;
1555 }
1556 tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
1557
1558 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
1559
1560 /* set the state of the keys for the session to generated */
1561 ks->state = S_GENERATED_KEYS;
1562
1563 ret = true;
1564cleanup:
1565 secure_memzero(ks->key_src, sizeof(*ks->key_src));
1566 return ret;
1567}
1568
1569bool
1570tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session,
1571 struct options *options, struct frame *frame,
1572 struct frame *frame_fragment, struct link_socket_info *lsi,
1573 dco_context_t *dco)
1574{
1575 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
1576 {
1577 /* keys already generated, nothing to do */
1578 return true;
1579 }
1580
1581 init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
1582
1583 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1584 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1585 if (packet_id_long_form)
1586 {
1587 session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
1588 }
1589
1590 frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi);
1591
1592 frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1593
1594 /*
1595 * mssfix uses data channel framing, which at this point contains
1596 * actual overhead. Fragmentation logic uses frame_fragment, which
1597 * still contains worst case overhead. Replace it with actual overhead
1598 * to prevent unneeded fragmentation.
1599 */
1600
1601 if (frame_fragment)
1602 {
1603 frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi);
1604 frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1605 }
1606
1607 if (session->key[KS_PRIMARY].key_id == 0
1608 && session->opt->crypto_flags & CO_USE_DYNAMIC_TLS_CRYPT)
1609 {
1610 /* If dynamic tls-crypt has been negotiated, and we are on the
1611 * first session (key_id = 0), generate a tls-crypt key for the
1612 * following renegotiations */
1613 if (!tls_session_generate_dynamic_tls_crypt_key(session))
1614 {
1615 return false;
1616 }
1617 }
1618
1619 if (dco_enabled(options))
1620 {
1621 /* dco_set_peer() must be called if either keepalive or
1622 * mssfix are set to update in-kernel config */
1623 if (options->ping_send_timeout || frame->mss_fix)
1624 {
1625 int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
1626 options->ping_rec_timeout, frame->mss_fix);
1627 if (ret < 0)
1628 {
1629 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
1630 multi->dco_peer_id, strerror(-ret));
1631 return false;
1632 }
1633 }
1634 }
1635 return tls_session_generate_data_channel_keys(multi, session);
1636}
1637
1638bool
1639tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
1640 struct options *options, struct frame *frame,
1641 struct frame *frame_fragment, struct link_socket_info *lsi,
1642 dco_context_t *dco)
1643{
1644 if (!check_session_cipher(session, options))
1645 {
1646 return false;
1647 }
1648
1649 /* Import crypto settings that might be set by pull/push */
1650 session->opt->crypto_flags |= options->imported_protocol_flags;
1651
1652 return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
1653 lsi, dco);
1654}
1655
1656
1657static bool
1658random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
1659{
1660 if (!rand_bytes(out, outlen))
1661 {
1662 msg(M_FATAL,
1663 "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1664 }
1665 if (!buf_write(buf, out, outlen))
1666 {
1667 return false;
1668 }
1669 return true;
1670}
1671
1672static bool
1673key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
1674{
1675 struct key_source *k = &k2->client;
1676 if (server)
1677 {
1678 k = &k2->server;
1679 }
1680
1681 CLEAR(*k);
1682
1683 if (!server)
1684 {
1685 if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1686 {
1687 return false;
1688 }
1689 }
1690
1691 if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
1692 {
1693 return false;
1694 }
1695 if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
1696 {
1697 return false;
1698 }
1699
1700 return true;
1701}
1702
1703static int
1704key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
1705{
1706 struct key_source *k = &k2->client;
1707
1708 if (!server)
1709 {
1710 k = &k2->server;
1711 }
1712
1713 CLEAR(*k);
1714
1715 if (server)
1716 {
1717 if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
1718 {
1719 return 0;
1720 }
1721 }
1722
1723 if (!buf_read(buf, k->random1, sizeof(k->random1)))
1724 {
1725 return 0;
1726 }
1727 if (!buf_read(buf, k->random2, sizeof(k->random2)))
1728 {
1729 return 0;
1730 }
1731
1732 return 1;
1733}
1734
1735static void
1736flush_payload_buffer(struct key_state *ks)
1737{
1738 struct buffer *b;
1739
1740 while ((b = buffer_list_peek(ks->paybuf)))
1741 {
1742 key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len);
1743 buffer_list_pop(ks->paybuf);
1744 }
1745}
1746
1747/*
1748 * Move the active key to the lame duck key and reinitialize the
1749 * active key.
1750 */
1751static void
1752key_state_soft_reset(struct tls_session *session)
1753{
1754 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1755 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
1756
1757 ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
1758 key_state_free(ks_lame, false);
1759 *ks_lame = *ks;
1760
1761 key_state_init(session, ks);
1762 ks->session_id_remote = ks_lame->session_id_remote;
1763 ks->remote_addr = ks_lame->remote_addr;
1764}
1765
1766void
1771
1772/*
1773 * Read/write strings from/to a struct buffer with a u16 length prefix.
1774 */
1775
1776static bool
1777write_empty_string(struct buffer *buf)
1778{
1779 if (!buf_write_u16(buf, 0))
1780 {
1781 return false;
1782 }
1783 return true;
1784}
1785
1786static bool
1787write_string(struct buffer *buf, const char *str, const int maxlen)
1788{
1789 const size_t len = strlen(str) + 1;
1790 const size_t real_maxlen = (maxlen >= 0 && maxlen <= UINT16_MAX) ? (size_t)maxlen : UINT16_MAX;
1791 if (len > real_maxlen)
1792 {
1793 return false;
1794 }
1795 if (!buf_write_u16(buf, (uint16_t)len))
1796 {
1797 return false;
1798 }
1799 if (!buf_write(buf, str, len))
1800 {
1801 return false;
1802 }
1803 return true;
1804}
1805
1816static int
1817read_string(struct buffer *buf, char *str, const unsigned int capacity)
1818{
1819 const int len = buf_read_u16(buf);
1820 if (len < 1 || len > (int)capacity)
1821 {
1822 buf_advance(buf, len);
1823
1824 /* will also return 0 for a no string being present */
1825 return -len;
1826 }
1827 if (!buf_read(buf, str, len))
1828 {
1829 return -len;
1830 }
1831 str[len - 1] = '\0';
1832 return len;
1833}
1834
1835static char *
1836read_string_alloc(struct buffer *buf)
1837{
1838 const int len = buf_read_u16(buf);
1839 char *str;
1840
1841 if (len < 1)
1842 {
1843 return NULL;
1844 }
1845 str = (char *)malloc(len);
1846 check_malloc_return(str);
1847 if (!buf_read(buf, str, len))
1848 {
1849 free(str);
1850 return NULL;
1851 }
1852 str[len - 1] = '\0';
1853 return str;
1854}
1855
1871static bool
1872push_peer_info(struct buffer *buf, struct tls_session *session)
1873{
1874 struct gc_arena gc = gc_new();
1875 bool ret = false;
1876 struct buffer out = alloc_buf_gc(512 * 3, &gc);
1877
1878 if (session->opt->push_peer_info_detail > 1)
1879 {
1880 /* push version */
1881 buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
1882
1883 /* push platform */
1884#if defined(TARGET_LINUX)
1885 buf_printf(&out, "IV_PLAT=linux\n");
1886#elif defined(TARGET_SOLARIS)
1887 buf_printf(&out, "IV_PLAT=solaris\n");
1888#elif defined(TARGET_OPENBSD)
1889 buf_printf(&out, "IV_PLAT=openbsd\n");
1890#elif defined(TARGET_DARWIN)
1891 buf_printf(&out, "IV_PLAT=mac\n");
1892#elif defined(TARGET_NETBSD)
1893 buf_printf(&out, "IV_PLAT=netbsd\n");
1894#elif defined(TARGET_FREEBSD)
1895 buf_printf(&out, "IV_PLAT=freebsd\n");
1896#elif defined(TARGET_ANDROID)
1897 buf_printf(&out, "IV_PLAT=android\n");
1898#elif defined(_WIN32)
1899 buf_printf(&out, "IV_PLAT=win\n");
1900#endif
1901 /* Announce that we do not require strict sequence numbers with
1902 * TCP. (TCP non-linear) */
1903 buf_printf(&out, "IV_TCPNL=1\n");
1904 }
1905
1906 /* These are the IV variable that are sent to peers in p2p mode */
1907 if (session->opt->push_peer_info_detail > 0)
1908 {
1909 /* support for P_DATA_V2 */
1910 int iv_proto = IV_PROTO_DATA_V2;
1911
1912 /* support for the latest --dns option */
1913 iv_proto |= IV_PROTO_DNS_OPTION_V2;
1914
1915 /* support for exit notify via control channel */
1916 iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
1917
1918 /* currently push-update is not supported when DCO is enabled */
1919 if (!session->opt->dco_enabled)
1920 {
1921 /* support push-updates */
1922 iv_proto |= IV_PROTO_PUSH_UPDATE;
1923 }
1924
1925 if (session->opt->pull)
1926 {
1927 /* support for receiving push_reply before sending
1928 * push request, also signal that the client wants
1929 * to get push-reply messages without requiring a round
1930 * trip for a push request message*/
1931 iv_proto |= IV_PROTO_REQUEST_PUSH;
1932
1933 /* Support keywords in the AUTH_PENDING control message */
1934 iv_proto |= IV_PROTO_AUTH_PENDING_KW;
1935
1936 /* support for AUTH_FAIL,TEMP control message */
1937 iv_proto |= IV_PROTO_AUTH_FAIL_TEMP;
1938
1939 /* support for tun-mtu as part of the push message */
1940 buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
1941 }
1942
1943 /* support for Negotiable Crypto Parameters */
1944 if (session->opt->mode == MODE_SERVER || session->opt->pull)
1945 {
1946 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
1947 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
1948 {
1949 buf_printf(&out, "IV_NCP=2\n");
1950 }
1951 }
1952 else
1953 {
1954 /* We are not using pull or p2mp server, instead do P2P NCP */
1955 iv_proto |= IV_PROTO_NCP_P2P;
1956 }
1957
1958 if (session->opt->data_epoch_supported)
1959 {
1960 iv_proto |= IV_PROTO_DATA_EPOCH;
1961 }
1962
1963 buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
1964
1965 iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
1966 iv_proto |= IV_PROTO_DYN_TLS_CRYPT;
1967
1968 buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
1969
1970 if (session->opt->push_peer_info_detail > 1)
1971 {
1972 /* push compression status */
1973#ifdef USE_COMP
1974 comp_generate_peer_info_string(&session->opt->comp_options, &out);
1975#endif
1976 }
1977
1978 if (session->opt->push_peer_info_detail > 2)
1979 {
1980 /* push mac addr */
1981 struct route_gateway_info rgi;
1982 get_default_gateway(&rgi, 0, session->opt->net_ctx);
1983 if (rgi.flags & RGI_HWADDR_DEFINED)
1984 {
1985 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
1986 }
1987 buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
1988#if defined(_WIN32)
1989 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
1990#else
1991 struct utsname u;
1992 uname(&u);
1993 buf_printf(&out, "IV_PLAT_VER=%s\n", u.release);
1994#endif
1995 }
1996
1997 if (session->opt->push_peer_info_detail > 1)
1998 {
1999 struct env_set *es = session->opt->es;
2000 /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2001 for (struct env_item *e = es->list; e != NULL; e = e->next)
2002 {
2003 if (e->string)
2004 {
2005 if ((((strncmp(e->string, "UV_", 3) == 0
2006 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2007 && session->opt->push_peer_info_detail > 2)
2008 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2009 || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
2010 && buf_safe(&out, strlen(e->string) + 1))
2011 {
2012 buf_printf(&out, "%s\n", e->string);
2013 }
2014 }
2015 }
2016 }
2017
2018 if (!write_string(buf, BSTR(&out), -1))
2019 {
2020 goto error;
2021 }
2022 }
2023 else
2024 {
2025 if (!write_empty_string(buf)) /* no peer info */
2026 {
2027 goto error;
2028 }
2029 }
2030 ret = true;
2031
2032error:
2033 gc_free(&gc);
2034 return ret;
2035}
2036
2037#ifdef USE_COMP
2038static bool
2039write_compat_local_options(struct buffer *buf, const char *options)
2040{
2041 struct gc_arena gc = gc_new();
2042 const char *local_options = options_string_compat_lzo(options, &gc);
2043 bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2044 gc_free(&gc);
2045 return ret;
2046}
2047#endif
2048
2053static bool
2054key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2055{
2056 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2057
2058 ASSERT(buf_init(buf, 0));
2059
2060 /* write a uint32 0 */
2061 if (!buf_write_u32(buf, 0))
2062 {
2063 goto error;
2064 }
2065
2066 /* write key_method + flags */
2067 if (!buf_write_u8(buf, KEY_METHOD_2))
2068 {
2069 goto error;
2070 }
2071
2072 /* write key source material */
2073 if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2074 {
2075 goto error;
2076 }
2077
2078 /* write options string */
2079 {
2080#ifdef USE_COMP
2081 if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2082 && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2083 {
2084 if (!write_compat_local_options(buf, session->opt->local_options))
2085 {
2086 goto error;
2087 }
2088 }
2089 else
2090#endif
2091 if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2092 {
2093 goto error;
2094 }
2095 }
2096
2097 /* write username/password if specified or we are using a auth-token */
2098 if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
2099 {
2100#ifdef ENABLE_MANAGEMENT
2101 auth_user_pass_setup(session->opt->auth_user_pass_file,
2102 session->opt->auth_user_pass_file_inline, session->opt->sci);
2103#else
2104 auth_user_pass_setup(session->opt->auth_user_pass_file,
2105 session->opt->auth_user_pass_file_inline, NULL);
2106#endif
2107 struct user_pass *up = &auth_user_pass;
2108
2109 /*
2110 * If we have a valid auth-token, send that instead of real
2111 * username/password
2112 */
2113 if (auth_token.token_defined && auth_token.defined)
2114 {
2115 up = &auth_token;
2116 }
2117 unprotect_user_pass(up);
2118
2119 if (!write_string(buf, up->username, -1))
2120 {
2121 goto error;
2122 }
2123 else if (!write_string(buf, up->password, -1))
2124 {
2125 goto error;
2126 }
2127 /* save username for auth-token which may get pushed later */
2128 if (session->opt->pull && up != &auth_token)
2129 {
2130 unprotect_user_pass(&auth_token);
2131 strncpynt(auth_token.username, up->username, USER_PASS_LEN);
2132 protect_user_pass(&auth_token);
2133 }
2134 protect_user_pass(up);
2135 /* respect auth-nocache */
2136 purge_user_pass(&auth_user_pass, false);
2137 }
2138 else
2139 {
2140 if (!write_empty_string(buf)) /* no username */
2141 {
2142 goto error;
2143 }
2144 if (!write_empty_string(buf)) /* no password */
2145 {
2146 goto error;
2147 }
2148 }
2149
2150 if (!push_peer_info(buf, session))
2151 {
2152 goto error;
2153 }
2154
2155 if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
2156 {
2157 /* tls-server option set and not P2MP server, so we
2158 * are a P2P client running in tls-server mode */
2159 p2p_mode_ncp(multi, session);
2160 }
2161
2162 return true;
2163
2164error:
2165 msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2166 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2167 return false;
2168}
2169
2170static void
2171export_user_keying_material(struct tls_session *session)
2172{
2173 if (session->opt->ekm_size > 0)
2174 {
2175 const size_t size = session->opt->ekm_size;
2176 struct gc_arena gc = gc_new();
2177
2178 unsigned char *ekm = gc_malloc(size, true, &gc);
2179 if (key_state_export_keying_material(session, session->opt->ekm_label,
2180 session->opt->ekm_label_size, ekm,
2181 session->opt->ekm_size))
2182 {
2183 const size_t len = (size * 2) + 2;
2184
2185 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2186 setenv_str(session->opt->es, "exported_keying_material", key);
2187
2188 dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
2189 secure_memzero(ekm, size);
2190 }
2191 else
2192 {
2193 msg(M_WARN, "WARNING: Export keying material failed!");
2194 setenv_del(session->opt->es, "exported_keying_material");
2195 }
2196 gc_free(&gc);
2197 }
2198}
2199
2204static bool
2205key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2206{
2207 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2208
2209 struct gc_arena gc = gc_new();
2210 char *options;
2211 struct user_pass *up = NULL;
2212
2213 /* allocate temporary objects */
2214 ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2215
2216 /* discard leading uint32 */
2217 if (!buf_advance(buf, 4))
2218 {
2219 msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
2220 goto error;
2221 }
2222
2223 /* get key method */
2224 int key_method_flags = buf_read_u8(buf);
2225 if ((key_method_flags & KEY_METHOD_MASK) != 2)
2226 {
2227 msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2228 key_method_flags);
2229 goto error;
2230 }
2231
2232 /* get key source material (not actual keys yet) */
2233 if (!key_source2_read(ks->key_src, buf, session->opt->server))
2234 {
2235 msg(D_TLS_ERRORS,
2236 "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2237 goto error;
2238 }
2239
2240 /* get options */
2241 if (read_string(buf, options, TLS_OPTIONS_LEN) < 0)
2242 {
2243 msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2244 goto error;
2245 }
2246
2247 ks->authenticated = KS_AUTH_FALSE;
2248
2249 /* always extract username + password fields from buf, even if not
2250 * authenticating for it, because otherwise we can't get at the
2251 * peer_info data which follows behind
2252 */
2253 ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2254 int username_len = read_string(buf, up->username, USER_PASS_LEN);
2255 int password_len = read_string(buf, up->password, USER_PASS_LEN);
2256
2257 /* get peer info from control channel */
2258 free(multi->peer_info);
2259 multi->peer_info = read_string_alloc(buf);
2260 if (multi->peer_info)
2261 {
2262 output_peer_info_env(session->opt->es, multi->peer_info);
2263 }
2264
2265 free(multi->remote_ciphername);
2266 multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL);
2267 multi->remote_usescomp = strstr(options, ",comp-lzo,");
2268
2269 /* In OCC we send '[null-cipher]' instead 'none' */
2270 if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2271 {
2272 free(multi->remote_ciphername);
2273 multi->remote_ciphername = string_alloc("none", NULL);
2274 }
2275
2276 if (username_len < 0 || password_len < 0)
2277 {
2278 msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
2279 abs(password_len));
2280 auth_set_client_reason(multi, "Username or password is too long. "
2281 "Maximum length is 128 bytes");
2282
2283 /* treat the same as failed username/password and do not error
2284 * out (goto error) to sent an AUTH_FAILED back to the client */
2285 ks->authenticated = KS_AUTH_FALSE;
2286 }
2287 else if (tls_session_user_pass_enabled(session))
2288 {
2289 /* Perform username/password authentication */
2290 if (!username_len || !password_len)
2291 {
2292 CLEAR(*up);
2293 if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2294 {
2295 msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2296 goto error;
2297 }
2298 }
2299
2300 verify_user_pass(up, multi, session);
2301 }
2302 else
2303 {
2304 /* Session verification should have occurred during TLS negotiation*/
2305 if (!session->verified)
2306 {
2307 msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
2308 goto error;
2309 }
2310 ks->authenticated = KS_AUTH_TRUE;
2311 }
2312
2313 /* clear username and password from memory */
2314 secure_memzero(up, sizeof(*up));
2315
2316 /* Perform final authentication checks */
2317 if (ks->authenticated > KS_AUTH_FALSE)
2318 {
2319 verify_final_auth_checks(multi, session);
2320 }
2321
2322 /* check options consistency */
2323 if (!options_cmp_equal(options, session->opt->remote_options))
2324 {
2325 const char *remote_options = session->opt->remote_options;
2326#ifdef USE_COMP
2327 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2328 {
2329 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
2330 "with compression enabled.");
2331 remote_options = options_string_compat_lzo(remote_options, &gc);
2332 }
2333#endif
2334
2335 options_warning(options, remote_options);
2336 }
2337
2338 buf_clear(buf);
2339
2340 /*
2341 * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2342 * veto opportunity over authentication decision.
2343 */
2344 if ((ks->authenticated > KS_AUTH_FALSE)
2345 && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
2346 {
2347 export_user_keying_material(session);
2348
2349 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
2350 session->opt->es)
2351 != OPENVPN_PLUGIN_FUNC_SUCCESS)
2352 {
2353 ks->authenticated = KS_AUTH_FALSE;
2354 }
2355
2356 setenv_del(session->opt->es, "exported_keying_material");
2357 }
2358
2359 if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2360 {
2361 /* We are a p2p tls-client without pull, enable common
2362 * protocol options */
2363 p2p_mode_ncp(multi, session);
2364 }
2365
2366 gc_free(&gc);
2367 return true;
2368
2369error:
2370 ks->authenticated = KS_AUTH_FALSE;
2371 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2372 if (up)
2373 {
2374 secure_memzero(up, sizeof(*up));
2375 }
2376 buf_clear(buf);
2377 gc_free(&gc);
2378 return false;
2379}
2380
2381static int
2382auth_deferred_expire_window(const struct tls_options *o)
2383{
2384 int ret = o->handshake_window;
2385 const int r2 = o->renegotiate_seconds / 2;
2386
2387 if (o->renegotiate_seconds && r2 < ret)
2388 {
2389 ret = r2;
2390 }
2391 return ret;
2392}
2393
2400static bool
2401session_move_pre_start(const struct tls_session *session, struct key_state *ks,
2402 bool skip_initial_send)
2403{
2404 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2405 if (!buf)
2406 {
2407 return false;
2408 }
2409
2410 ks->initial = now;
2411 ks->must_negotiate = now + session->opt->handshake_window;
2412 ks->auth_deferred_expire = now + auth_deferred_expire_window(session->opt);
2413
2414 /* null buffer */
2415 reliable_mark_active_outgoing(ks->send_reliable, buf, ks->initial_opcode);
2416
2417 /* If we want to skip sending the initial handshake packet we still generate
2418 * it to increase internal counters etc. but immediately mark it as done */
2419 if (skip_initial_send)
2420 {
2421 reliable_mark_deleted(ks->send_reliable, buf);
2422 }
2423 INCR_GENERATED;
2424
2425 ks->state = skip_initial_send ? S_PRE_START_SKIP : S_PRE_START;
2426
2427 struct gc_arena gc = gc_new();
2428 dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2429 session_id_print(&session->session_id, &gc));
2430 gc_free(&gc);
2431
2432#ifdef ENABLE_MANAGEMENT
2433 if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
2434 {
2435 management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
2436 }
2437#endif
2438 return true;
2439}
2440
2445static void
2446session_move_active(struct tls_multi *multi, struct tls_session *session,
2447 struct link_socket_info *to_link_socket_info, struct key_state *ks)
2448{
2449 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2450
2451 ks->established = now;
2452 if (check_debug_level(D_HANDSHAKE))
2453 {
2454 print_details(&ks->ks_ssl, "Control Channel:");
2455 }
2456 ks->state = S_ACTIVE;
2457 /* Cancel negotiation timeout */
2458 ks->must_negotiate = 0;
2459 INCR_SUCCESS;
2460
2461 /* Set outgoing address for data channel packets */
2462 link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
2463 session->opt->es);
2464
2465 /* Check if we need to advance the tls_multi state machine */
2466 if (multi->multi_state == CAS_NOT_CONNECTED)
2467 {
2468 if (session->opt->mode == MODE_SERVER)
2469 {
2470 /* On a server we continue with running connect scripts next */
2471 multi->multi_state = CAS_WAITING_AUTH;
2472 }
2473 else
2474 {
2475 /* Skip the connect script related states */
2476 multi->multi_state = CAS_WAITING_OPTIONS_IMPORT;
2477 }
2478 }
2479
2480 /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2481 flush_payload_buffer(ks);
2482
2483#ifdef MEASURE_TLS_HANDSHAKE_STATS
2484 show_tls_performance_stats();
2485#endif
2486}
2487
2488bool
2489session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
2490 struct link_socket_actual *from)
2491{
2492 struct key_state *ks = &session->key[KS_PRIMARY];
2493 ks->session_id_remote = state->peer_session_id;
2494 ks->remote_addr = *from;
2495 session->session_id = state->server_session_id;
2496 session->untrusted_addr = *from;
2497 session->burst = true;
2498
2499 /* The OpenVPN protocol implicitly mandates that packet id always start
2500 * from 0 in the RESET packets as OpenVPN 2.x will not allow gaps in the
2501 * ids and starts always from 0. Since we skip/ignore one (RESET) packet
2502 * in each direction, we need to set the ids to 1 */
2503 ks->rec_reliable->packet_id = 1;
2504 /* for ks->send_reliable->packet_id, session_move_pre_start moves the
2505 * counter to 1 */
2506 session->tls_wrap.opt.packet_id.send.id = 1;
2507 return session_move_pre_start(session, ks, true);
2508}
2509
2513static bool
2514parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
2515{
2516 while (buf->len > 0)
2517 {
2518 if (buf_len(buf) < 4)
2519 {
2520 goto error;
2521 }
2522 /* read type */
2523 int type = buf_read_u16(buf);
2524 int len = buf_read_u16(buf);
2525 if (type < 0 || len < 0 || buf_len(buf) < len)
2526 {
2527 goto error;
2528 }
2529
2530 switch (type)
2531 {
2532 case TLV_TYPE_EARLY_NEG_FLAGS:
2533 if (len != sizeof(uint16_t))
2534 {
2535 goto error;
2536 }
2537 int flags = buf_read_u16(buf);
2538
2539 if (flags & EARLY_NEG_FLAG_RESEND_WKC)
2540 {
2541 ks->crypto_options.flags |= CO_RESEND_WKC;
2542 }
2543 break;
2544
2545 default:
2546 /* Skip types we do not parse */
2547 buf_advance(buf, len);
2548 }
2549 }
2550 reliable_mark_deleted(ks->rec_reliable, buf);
2551
2552 return true;
2553error:
2554 msg(D_TLS_ERRORS, "TLS Error: Early negotiation malformed packet");
2555 return false;
2556}
2557
2562static bool
2563read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
2564{
2565 int status = 0;
2566 if (buf->len)
2567 {
2568 status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2569 if (status == -1)
2570 {
2571 msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
2572 return false;
2573 }
2574 }
2575 else
2576 {
2577 status = 1;
2578 }
2579 if (status == 1)
2580 {
2581 reliable_mark_deleted(ks->rec_reliable, buf);
2582 *continue_tls_process = true;
2583 dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2584 }
2585 return true;
2586}
2587
2588static bool
2589control_packet_needs_wkc(const struct key_state *ks)
2590{
2591 return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
2592}
2593
2594
2595static bool
2596read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup,
2597 bool *continue_tls_process)
2598{
2599 ASSERT(buf_init(buf, 0));
2600
2601 int status = key_state_read_plaintext(&ks->ks_ssl, buf);
2602
2603 update_time();
2604 if (status == -1)
2605 {
2606 msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2607 return false;
2608 }
2609 if (status == 1)
2610 {
2611 *continue_tls_process = true;
2612 dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2613
2614 /* More data may be available, wake up again asap to check. */
2615 *wakeup = 0;
2616 }
2617 return true;
2618}
2619
2620static bool
2621write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
2622{
2623 struct key_state *ks = &session->key[KS_PRIMARY];
2624
2625 int rel_avail = reliable_get_num_output_sequenced_available(ks->send_reliable);
2626 if (rel_avail == 0)
2627 {
2628 return true;
2629 }
2630
2631 /* We need to determine how much space is actually available in the control
2632 * channel frame */
2633 int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, session->opt->frame.tun_mtu);
2634
2635 /* Subtract overhead */
2636 max_pkt_len -= (int)calc_control_channel_frame_overhead(session);
2637
2638 /* calculate total available length for outgoing tls ciphertext */
2639 int maxlen = max_pkt_len * rel_avail;
2640
2641 /* Is first packet one that will have a WKC appended? */
2642 if (control_packet_needs_wkc(ks))
2643 {
2644 maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
2645 }
2646
2647 /* If we end up with a size that leaves no room for payload, ignore the
2648 * constraints to still be to send a packet. This might have gone negative
2649 * if we have a large wrapped client key. */
2650 if (maxlen < 16)
2651 {
2652 msg(D_TLS_ERRORS,
2653 "Warning: --max-packet-size (%d) setting too low. "
2654 "Sending minimum sized packet.",
2655 session->opt->frame.tun_mtu);
2656 maxlen = 16;
2657 /* We set the maximum length here to ensure a packet with a wrapped
2658 * key can actually carry the 16 byte of payload */
2659 max_pkt_len = TLS_CHANNEL_BUF_SIZE;
2660 }
2661
2662 /* This seems a bit wasteful to allocate every time */
2663 struct gc_arena gc = gc_new();
2664 struct buffer tmp = alloc_buf_gc(maxlen, &gc);
2665
2666 int status = key_state_read_ciphertext(&ks->ks_ssl, &tmp);
2667
2668 if (status == -1)
2669 {
2670 msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2671 gc_free(&gc);
2672 return false;
2673 }
2674 if (status == 1)
2675 {
2676 /* Split the TLS ciphertext (TLS record) into multiple small packets
2677 * that respect tls_mtu */
2678 while (tmp.len > 0)
2679 {
2680 int len = max_pkt_len;
2681 int opcode = P_CONTROL_V1;
2682 if (control_packet_needs_wkc(ks))
2683 {
2684 opcode = P_CONTROL_WKC_V1;
2685 len = max_int(0, len - buf_len(session->tls_wrap.tls_crypt_v2_wkc));
2686 }
2687 /* do not send more than available */
2688 len = min_int(len, tmp.len);
2689
2690 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2691 /* we assert here since we checked for its availability before */
2692 ASSERT(buf);
2693 buf_copy_n(buf, &tmp, len);
2694
2695 reliable_mark_active_outgoing(ks->send_reliable, buf, opcode);
2696 INCR_GENERATED;
2697 *continue_tls_process = true;
2698 }
2699 dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2700 }
2701
2702 gc_free(&gc);
2703 return true;
2704}
2705
2706static bool
2707check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session,
2708 bool *continue_tls_process)
2709{
2710 /* Outgoing Ciphertext to reliable buffer */
2711 if (ks->state >= S_START)
2712 {
2713 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2714 if (buf)
2715 {
2716 if (!write_outgoing_tls_ciphertext(session, continue_tls_process))
2717 {
2718 return false;
2719 }
2720 }
2721 }
2722 return true;
2723}
2724
2725static bool
2726tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
2727 struct link_socket_actual **to_link_addr,
2728 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
2729{
2730 /* This variable indicates if we should call this method
2731 * again to process more incoming/outgoing TLS state/data
2732 * We want to repeat this until we either determined that there
2733 * is nothing more to process or that further processing
2734 * should only be done after the outer loop (sending packets etc.)
2735 * has run once more */
2736 bool continue_tls_process = false;
2737 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2738
2739 /* Initial handshake */
2740 if (ks->state == S_INITIAL)
2741 {
2742 continue_tls_process = session_move_pre_start(session, ks, false);
2743 }
2744
2745 /* Are we timed out on receive? */
2746 if (now >= ks->must_negotiate && ks->state >= S_UNDEF && ks->state < S_ACTIVE)
2747 {
2748 msg(D_TLS_ERRORS,
2749 "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2750 session->opt->handshake_window);
2751 goto error;
2752 }
2753
2754 /* Check if the initial three-way Handshake is complete.
2755 * We consider the handshake to be complete when our own initial
2756 * packet has been successfully ACKed. */
2757 if (ks->state == S_PRE_START && reliable_empty(ks->send_reliable))
2758 {
2759 ks->state = S_START;
2760 continue_tls_process = true;
2761
2762 /* New connection, remove any old X509 env variables */
2763 tls_x509_clear_env(session->opt->es);
2764 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2765 }
2766
2767 /* Wait for ACK */
2768 if (((ks->state == S_GOT_KEY && !session->opt->server)
2769 || (ks->state == S_SENT_KEY && session->opt->server))
2770 && reliable_empty(ks->send_reliable))
2771 {
2772 session_move_active(multi, session, to_link_socket_info, ks);
2773 continue_tls_process = true;
2774 }
2775
2776 /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2777 * for previously received packets) */
2778 if (!to_link->len && reliable_can_send(ks->send_reliable))
2779 {
2780 int opcode;
2781
2782 struct buffer *buf = reliable_send(ks->send_reliable, &opcode);
2783 ASSERT(buf);
2784 struct buffer b = *buf;
2785 INCR_SENT;
2786
2787 write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
2788 *to_link = b;
2789 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2790
2791 /* This changed the state of the outgoing buffer. In order to avoid
2792 * running this function again/further and invalidating the key_state
2793 * buffer and accessing the buffer that is now in to_link after it being
2794 * freed for a potential error, we shortcircuit exiting of the outer
2795 * process here. */
2796 return false;
2797 }
2798
2799 if (ks->state == S_ERROR_PRE)
2800 {
2801 /* When we end up here, we had one last chance to send an outstanding
2802 * packet that contained an alert. We do not ensure that this packet
2803 * has been successfully delivered (ie wait for the ACK etc)
2804 * but rather stop processing now */
2805 ks->state = S_ERROR;
2806 return false;
2807 }
2808
2809 /* Write incoming ciphertext to TLS object */
2810 struct reliable_entry *entry = reliable_get_entry_sequenced(ks->rec_reliable);
2811 if (entry)
2812 {
2813 /* The first packet from the peer (the reset packet) is special and
2814 * contains early protocol negotiation */
2815 if (entry->packet_id == 0 && is_hard_reset_method2(entry->opcode))
2816 {
2817 if (!parse_early_negotiation_tlvs(&entry->buf, ks))
2818 {
2819 goto error;
2820 }
2821 }
2822 else
2823 {
2824 if (!read_incoming_tls_ciphertext(&entry->buf, ks, &continue_tls_process))
2825 {
2826 goto error;
2827 }
2828 }
2829 }
2830
2831 /* Read incoming plaintext from TLS object */
2832 struct buffer *buf = &ks->plaintext_read_buf;
2833 if (!buf->len)
2834 {
2835 if (!read_incoming_tls_plaintext(ks, buf, wakeup, &continue_tls_process))
2836 {
2837 goto error;
2838 }
2839 }
2840
2841 /* Send Key */
2842 buf = &ks->plaintext_write_buf;
2843 if (!buf->len
2844 && ((ks->state == S_START && !session->opt->server)
2845 || (ks->state == S_GOT_KEY && session->opt->server)))
2846 {
2847 if (!key_method_2_write(buf, multi, session))
2848 {
2849 goto error;
2850 }
2851
2852 continue_tls_process = true;
2853 dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2854 ks->state = S_SENT_KEY;
2855 }
2856
2857 /* Receive Key */
2858 buf = &ks->plaintext_read_buf;
2859 if (buf->len
2860 && ((ks->state == S_SENT_KEY && !session->opt->server)
2861 || (ks->state == S_START && session->opt->server)))
2862 {
2863 if (!key_method_2_read(buf, multi, session))
2864 {
2865 goto error;
2866 }
2867
2868 continue_tls_process = true;
2869 dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2870 ks->state = S_GOT_KEY;
2871 }
2872
2873 /* Write outgoing plaintext to TLS object */
2874 buf = &ks->plaintext_write_buf;
2875 if (buf->len)
2876 {
2877 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2878 if (status == -1)
2879 {
2880 msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2881 goto error;
2882 }
2883 if (status == 1)
2884 {
2885 continue_tls_process = true;
2886 dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2887 }
2888 }
2889 if (!check_outgoing_ciphertext(ks, session, &continue_tls_process))
2890 {
2891 goto error;
2892 }
2893
2894 return continue_tls_process;
2895error:
2896 tls_clear_error();
2897
2898 /* Shut down the TLS session but do a last read from the TLS
2899 * object to be able to read potential TLS alerts */
2900 key_state_ssl_shutdown(&ks->ks_ssl);
2901 check_outgoing_ciphertext(ks, session, &continue_tls_process);
2902
2903 /* Put ourselves in the pre error state that will only send out the
2904 * control channel packets but nothing else */
2905 ks->state = S_ERROR_PRE;
2906
2907 msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
2908 INCR_ERROR;
2909 return true;
2910}
2911
2916static bool
2917should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
2918{
2919 /* Time limit */
2920 if (session->opt->renegotiate_seconds
2921 && now >= ks->established + session->opt->renegotiate_seconds)
2922 {
2923 return true;
2924 }
2925
2926 /* Byte limit */
2927 if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
2928 {
2929 return true;
2930 }
2931
2932 /* Packet limit */
2933 if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
2934 {
2935 return true;
2936 }
2937
2938 /* epoch key id approaching the 16 bit limit */
2939 if (ks->crypto_options.flags & CO_EPOCH_DATA_KEY_FORMAT)
2940 {
2941 /* We only need to check the send key as we always keep send
2942 * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */
2943 if (ks->crypto_options.epoch_key_send.epoch >= 0xF000)
2944 {
2945 return true;
2946 }
2947 else
2948 {
2949 return false;
2950 }
2951 }
2952
2953
2954 /* Packet id approach the limit of the packet id */
2955 if (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))
2956 {
2957 return true;
2958 }
2959
2960 /* Check the AEAD usage limit of cleartext blocks + packets.
2961 *
2962 * Contrary to when epoch data mode is active, where only the sender side
2963 * checks the limit, here we check both receive and send limit since
2964 * we assume that only one side is aware of the limit.
2965 *
2966 * Since if both sides were aware, then both sides will probably also
2967 * switch to use epoch data channel instead, so this code is not
2968 * in effect then.
2969 *
2970 * When epoch are in use the crypto layer will handle this internally
2971 * with new epochs instead of triggering a renegotiation */
2972 const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi;
2973 const uint64_t usage_limit = session->opt->aead_usage_limit;
2974
2975 if (aead_usage_limit_reached(usage_limit, &key_ctx_bi->encrypt,
2976 ks->crypto_options.packet_id.send.id)
2977 || aead_usage_limit_reached(usage_limit, &key_ctx_bi->decrypt,
2978 ks->crypto_options.packet_id.rec.id))
2979 {
2980 return true;
2981 }
2982
2983 if (cipher_decrypt_verify_fail_warn(&key_ctx_bi->decrypt))
2984 {
2985 return true;
2986 }
2987
2988 return false;
2989}
2990/*
2991 * This is the primary routine for processing TLS stuff inside the
2992 * the main event loop. When this routine exits
2993 * with non-error status, it will set *wakeup to the number of seconds
2994 * when it wants to be called again.
2995 *
2996 * Return value is true if we have placed a packet in *to_link which we
2997 * want to send to our peer.
2998 */
2999static bool
3000tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
3001 struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
3002 interval_t *wakeup)
3003{
3004 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
3005 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
3006
3007 /* Make sure we were initialized and that we're not in an error state */
3008 ASSERT(ks->state != S_UNDEF);
3009 ASSERT(ks->state != S_ERROR);
3010 ASSERT(session_id_defined(&session->session_id));
3011
3012 /* Should we trigger a soft reset? -- new key, keeps old key for a while */
3013 if (ks->state >= S_GENERATED_KEYS && should_trigger_renegotiation(session, ks))
3014 {
3015 msg(D_TLS_DEBUG_LOW,
3016 "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format
3017 "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64
3018 "/%" PRIu64,
3019 (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes,
3020 session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets,
3021 ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets,
3022 session->opt->aead_usage_limit,
3023 ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets,
3024 session->opt->aead_usage_limit);
3025 key_state_soft_reset(session);
3026 }
3027
3028 /* Kill lame duck key transition_window seconds after primary key negotiation */
3029 if (lame_duck_must_die(session, wakeup))
3030 {
3031 key_state_free(ks_lame, true);
3032 msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
3033 }
3034
3035 bool continue_tls_process = true;
3036 while (continue_tls_process)
3037 {
3038 update_time();
3039
3040 dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
3041 continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len,
3042 *wakeup);
3043 continue_tls_process =
3044 tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup);
3045
3046 if (ks->state == S_ERROR)
3047 {
3048 return false;
3049 }
3050 }
3051
3052 update_time();
3053
3054 /* We often send acks back to back to a following control packet. This
3055 * normally does not create a problem (apart from an extra packet).
3056 * However, with the P_CONTROL_WKC_V1 we need to ensure that the packet
3057 * gets resent if not received by remote, so instead we use an empty
3058 * control packet in this special case */
3059
3060 /* Send 1 or more ACKs (each received control packet gets one ACK) */
3061 if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3062 {
3063 if (control_packet_needs_wkc(ks))
3064 {
3065 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
3066 if (!buf)
3067 {
3068 return false;
3069 }
3070
3071 /* We do not write anything to the buffer, this way this will be
3072 * an empty control packet that gets the ack piggybacked and
3073 * also appended the wrapped client key since it has a WCK opcode */
3074 reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_WKC_V1);
3075 }
3076 else
3077 {
3078 struct buffer buf = ks->ack_write_buf;
3079 ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
3080 write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false);
3081 *to_link = buf;
3082 dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3083 }
3084 }
3085
3086 /* When should we wake up again? */
3087 if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3088 {
3089 compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable));
3090
3091 if (ks->must_negotiate)
3092 {
3093 compute_earliest_wakeup(wakeup, ks->must_negotiate - now);
3094 }
3095 }
3096
3097 if (ks->established && session->opt->renegotiate_seconds)
3098 {
3099 compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now);
3100 }
3101
3102 dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3103
3104 /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3105 if (*wakeup <= 0)
3106 {
3107 *wakeup = 1;
3108
3109 /* if we had something to send to remote, but to_link was busy,
3110 * let caller know we need to be called again soon */
3111 return true;
3112 }
3113
3114 /* If any of the state changes resulted in the to_link buffer being
3115 * set, we are also active */
3116 if (to_link->len)
3117 {
3118 return true;
3119 }
3120
3121 return false;
3122}
3123
3124
3132static void
3133check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
3134{
3135 uint8_t *dataptr = to_link->data;
3136 if (!dataptr)
3137 {
3138 return;
3139 }
3140
3141 /* Checks buffers in tls_wrap */
3142 if (session->tls_wrap.work.data == dataptr)
3143 {
3144 msg(M_INFO, "Warning buffer of freed TLS session is "
3145 "still in use (tls_wrap.work.data)");
3146 goto used;
3147 }
3148
3149 for (int i = 0; i < KS_SIZE; i++)
3150 {
3151 struct key_state *ks = &session->key[i];
3152 if (ks->state == S_UNDEF)
3153 {
3154 continue;
3155 }
3156
3157 /* we don't expect send_reliable to be NULL when state is
3158 * not S_UNDEF, but people have reported crashes nonetheless,
3159 * therefore we better catch this event, report and exit.
3160 */
3161 if (!ks->send_reliable)
3162 {
3163 msg(M_FATAL,
3164 "ERROR: session->key[%d]->send_reliable is NULL "
3165 "while key state is %s. Exiting.",
3166 i, state_name(ks->state));
3167 }
3168
3169 for (int j = 0; j < ks->send_reliable->size; j++)
3170 {
3171 if (ks->send_reliable->array[j].buf.data == dataptr)
3172 {
3173 msg(M_INFO,
3174 "Warning buffer of freed TLS session is still in"
3175 " use (session->key[%d].send_reliable->array[%d])",
3176 i, j);
3177
3178 goto used;
3179 }
3180 }
3181 }
3182 return;
3183
3184used:
3185 to_link->len = 0;
3186 to_link->data = 0;
3187 /* for debugging, you can add an ASSERT(0); here to trigger an abort */
3188}
3189/*
3190 * Called by the top-level event loop.
3191 *
3192 * Basically decides if we should call tls_process for
3193 * the active or untrusted sessions.
3194 */
3195
3196int
3197tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
3198 struct link_socket_actual **to_link_addr,
3199 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
3200{
3201 struct gc_arena gc = gc_new();
3202 int active = TLSMP_INACTIVE;
3203 bool error = false;
3204
3205 tls_clear_error();
3206
3207 /*
3208 * Process each session object having state of S_INITIAL or greater,
3209 * and which has a defined remote IP addr.
3210 */
3211
3212 for (int i = 0; i < TM_SIZE; ++i)
3213 {
3214 struct tls_session *session = &multi->session[i];
3215 struct key_state *ks = &session->key[KS_PRIMARY];
3216 struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3217
3218 /* set initial remote address. This triggers connecting with that
3219 * session. So we only do that if the TM_ACTIVE session is not
3220 * established */
3221 if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL
3222 && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3223 {
3224 ks->remote_addr = to_link_socket_info->lsa->actual;
3225 }
3226
3227 dmsg(D_TLS_DEBUG,
3228 "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i,
3229 state_name(ks->state), session_id_print(&session->session_id, &gc),
3230 session_id_print(&ks->session_id_remote, &gc),
3231 print_link_socket_actual(&ks->remote_addr, &gc));
3232
3233 if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3234 && link_socket_actual_defined(&ks->remote_addr))
3235 {
3236 struct link_socket_actual *tla = NULL;
3237
3238 update_time();
3239
3240 if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup))
3241 {
3242 active = TLSMP_ACTIVE;
3243 }
3244
3245 /*
3246 * If tls_process produced an outgoing packet,
3247 * return the link_socket_actual object (which
3248 * contains the outgoing address).
3249 */
3250 if (tla)
3251 {
3252 multi->to_link_addr = *tla;
3253 *to_link_addr = &multi->to_link_addr;
3254 }
3255
3256 /*
3257 * If tls_process hits an error:
3258 * (1) If the session has an unexpired lame duck key, preserve it.
3259 * (2) Reinitialize the session.
3260 * (3) Increment soft error count
3261 */
3262 if (ks->state == S_ERROR)
3263 {
3264 ++multi->n_soft_errors;
3265
3266 if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
3267 {
3268 error = true;
3269 }
3270
3271 if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS
3272 && !multi->opt.single_session)
3273 {
3274 move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3275 }
3276 else
3277 {
3278 check_session_buf_not_used(to_link, session);
3279 reset_session(multi, session);
3280 }
3281 }
3282 }
3283 }
3284
3285 update_time();
3286
3287 enum tls_auth_status tas = tls_authentication_status(multi);
3288
3289 /* If we have successfully authenticated and are still waiting for the authentication to finish
3290 * move the state machine for the multi context forward */
3291
3292 if (multi->multi_state >= CAS_CONNECT_DONE)
3293 {
3294 /* Only generate keys for the TM_ACTIVE session. We defer generating
3295 * keys for TM_INITIAL until we actually trust it.
3296 * For TM_LAME_DUCK it makes no sense to generate new keys. */
3297 struct tls_session *session = &multi->session[TM_ACTIVE];
3298 struct key_state *ks = &session->key[KS_PRIMARY];
3299
3300 if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3301 {
3302 /* Session is now fully authenticated.
3303 * tls_session_generate_data_channel_keys will move ks->state
3304 * from S_ACTIVE to S_GENERATED_KEYS */
3305 if (!tls_session_generate_data_channel_keys(multi, session))
3306 {
3307 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3308 ks->authenticated = KS_AUTH_FALSE;
3309 key_state_ssl_shutdown(&ks->ks_ssl);
3310 ks->state = S_ERROR_PRE;
3311 }
3312
3313 /* Update auth token on the client if needed on renegotiation
3314 * (key id !=0) */
3315 if (session->key[KS_PRIMARY].key_id != 0)
3316 {
3317 resend_auth_token_renegotiation(multi, session);
3318 }
3319 }
3320 }
3321
3322 if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED)
3323 {
3324 multi->multi_state = CAS_PENDING;
3325 }
3326
3327 /*
3328 * If lame duck session expires, kill it.
3329 */
3330 if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3331 {
3332 tls_session_free(&multi->session[TM_LAME_DUCK], true);
3333 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3334 }
3335
3336 /*
3337 * If untrusted session achieves TLS authentication,
3338 * move it to active session, usurping any prior session.
3339 *
3340 * A semi-trusted session is one in which the certificate authentication
3341 * succeeded (if cert verification is enabled) but the username/password
3342 * verification failed. A semi-trusted session can forward data on the
3343 * TLS control channel but not on the tunnel channel.
3344 */
3345 if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
3346 {
3347 move_session(multi, TM_ACTIVE, TM_INITIAL, true);
3348 tas = tls_authentication_status(multi);
3349 msg(D_TLS_DEBUG_LOW,
3350 "TLS: tls_multi_process: initial untrusted "
3351 "session promoted to %strusted",
3352 tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3353
3354 if (multi->multi_state == CAS_CONNECT_DONE)
3355 {
3356 multi->multi_state = CAS_RECONNECT_PENDING;
3357 active = TLSMP_RECONNECT;
3358 }
3359 }
3360
3361 /*
3362 * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3363 * other key state objects are S_ACTIVE or higher.
3364 */
3365 if (error)
3366 {
3367 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3368 {
3369 if (get_key_scan(multi, i)->state >= S_ACTIVE)
3370 {
3371 goto nohard;
3372 }
3373 }
3374 ++multi->n_hard_errors;
3375 }
3376nohard:
3377
3378#ifdef ENABLE_DEBUG
3379 /* DEBUGGING -- flood peer with repeating connection attempts */
3380 {
3381 const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3382 if (throw_level)
3383 {
3384 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3385 {
3386 if (get_key_scan(multi, i)->state >= throw_level)
3387 {
3388 ++multi->n_hard_errors;
3389 ++multi->n_soft_errors;
3390 }
3391 }
3392 }
3393 }
3394#endif
3395
3396 gc_free(&gc);
3397
3398 return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3399}
3400
3405static void
3406print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from,
3407 int key_id)
3408{
3409 struct gc_arena gc = gc_new();
3410 const char *source = print_link_socket_actual(from, &gc);
3411
3412
3413 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3414 {
3415 struct key_state *ks = get_key_scan(multi, i);
3416 if (ks->key_id != key_id)
3417 {
3418 continue;
3419 }
3420
3421 /* Our key state has been progressed far enough to be part of a valid
3422 * session but has not generated keys. */
3423 if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
3424 {
3425 msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source,
3426 key_id);
3427 gc_free(&gc);
3428 return;
3429 }
3430 if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
3431 {
3432 msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id,
3433 (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
3434 gc_free(&gc);
3435 return;
3436 }
3437 }
3438
3439 msg(D_TLS_ERRORS,
3440 "TLS Error: local/remote TLS keys are out of sync: %s "
3441 "(received key id: %d, known key ids: %s)",
3442 source, key_id, print_key_id(multi, &gc));
3443 gc_free(&gc);
3444}
3445
3453static inline void
3454handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from,
3455 struct buffer *buf, struct crypto_options **opt, bool floated,
3456 const uint8_t **ad_start)
3457{
3458 struct gc_arena gc = gc_new();
3459
3460 uint8_t c = *BPTR(buf);
3461 int op = c >> P_OPCODE_SHIFT;
3462 int key_id = c & P_KEY_ID_MASK;
3463
3464 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3465 {
3466 struct key_state *ks = get_key_scan(multi, i);
3467
3468 /*
3469 * This is the basic test of TLS state compatibility between a local OpenVPN
3470 * instance and its remote peer.
3471 *
3472 * If the test fails, it tells us that we are getting a packet from a source
3473 * which claims reference to a prior negotiated TLS session, but the local
3474 * OpenVPN instance has no memory of such a negotiation.
3475 *
3476 * It almost always occurs on UDP sessions when the passive side of the
3477 * connection is restarted without the active side restarting as well (the
3478 * passive side is the server which only listens for the connections, the
3479 * active side is the client which initiates connections).
3480 */
3481 if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3482 && ks->authenticated == KS_AUTH_TRUE
3483 && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3484 {
3485 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3486 /* return appropriate data channel decrypt key in opt */
3487 *opt = &ks->crypto_options;
3488 if (op == P_DATA_V2)
3489 {
3490 *ad_start = BPTR(buf);
3491 }
3492 ASSERT(buf_advance(buf, 1));
3493 if (op == P_DATA_V1)
3494 {
3495 *ad_start = BPTR(buf);
3496 }
3497 else if (op == P_DATA_V2)
3498 {
3499 if (buf->len < 4)
3500 {
3501 msg(D_TLS_ERRORS,
3502 "Protocol error: received P_DATA_V2 from %s but length is < 4",
3503 print_link_socket_actual(from, &gc));
3504 ++multi->n_soft_errors;
3505 goto done;
3506 }
3507 ASSERT(buf_advance(buf, 3));
3508 }
3509
3510 ++ks->n_packets;
3511 ks->n_bytes += buf->len;
3512 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id,
3513 print_link_socket_actual(from, &gc));
3514 gc_free(&gc);
3515 return;
3516 }
3517 }
3518
3519 print_key_id_not_found_reason(multi, from, key_id);
3520
3521done:
3522 gc_free(&gc);
3523 tls_clear_error();
3524 buf->len = 0;
3525 *opt = NULL;
3526}
3527
3528/*
3529 *
3530 * When we are in TLS mode, this is the first routine which sees
3531 * an incoming packet.
3532 *
3533 * If it's a data packet, we set opt so that our caller can
3534 * decrypt it. We also give our caller the appropriate decryption key.
3535 *
3536 * If it's a control packet, we authenticate it and process it,
3537 * possibly creating a new tls_session if it represents the
3538 * first packet of a new session. For control packets, we will
3539 * also zero the size of *buf so that our caller ignores the
3540 * packet on our return.
3541 *
3542 * Note that openvpn only allows one active session at a time,
3543 * so a new session (once authenticated) will always usurp
3544 * an old session.
3545 *
3546 * Return true if input was an authenticated control channel
3547 * packet.
3548 *
3549 * If we are running in TLS thread mode, all public routines
3550 * below this point must be called with the L_TLS lock held.
3551 */
3552
3553bool
3554tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf,
3555 struct crypto_options **opt, bool floated, const uint8_t **ad_start)
3556{
3557 if (buf->len <= 0)
3558 {
3559 buf->len = 0;
3560 *opt = NULL;
3561 return false;
3562 }
3563
3564 struct gc_arena gc = gc_new();
3565 bool ret = false;
3566
3567 /* get opcode */
3568 uint8_t pkt_firstbyte = *BPTR(buf);
3569 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3570
3571 if ((op == P_DATA_V1) || (op == P_DATA_V2))
3572 {
3573 handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3574 return false;
3575 }
3576
3577 /* get key_id */
3578 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3579
3580 /* control channel packet */
3581 bool do_burst = false;
3582 bool new_link = false;
3583 struct session_id sid; /* remote session ID */
3584
3585 /* verify legal opcode */
3586 if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3587 {
3588 if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1)
3589 {
3590 msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3591 }
3592 msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
3593 print_link_socket_actual(from, &gc), op);
3594 goto error;
3595 }
3596
3597 /* hard reset ? */
3598 if (is_hard_reset_method2(op))
3599 {
3600 /* verify client -> server or server -> client connection */
3601 if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
3602 && !multi->opt.server)
3603 || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3604 {
3605 msg(D_TLS_ERRORS,
3606 "TLS Error: client->client or server->server connection attempted from %s",
3607 print_link_socket_actual(from, &gc));
3608 goto error;
3609 }
3610 }
3611
3612 /*
3613 * Authenticate Packet
3614 */
3615 dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op),
3616 print_link_socket_actual(from, &gc));
3617
3618 /* get remote session-id */
3619 {
3620 struct buffer tmp = *buf;
3621 buf_advance(&tmp, 1);
3622 if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3623 {
3624 msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
3625 print_link_socket_actual(from, &gc));
3626 goto error;
3627 }
3628 }
3629
3630 int i;
3631 /* use session ID to match up packet with appropriate tls_session object */
3632 for (i = 0; i < TM_SIZE; ++i)
3633 {
3634 struct tls_session *session = &multi->session[i];
3635 struct key_state *ks = &session->key[KS_PRIMARY];
3636
3637 dmsg(
3638 D_TLS_DEBUG,
3639 "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3640 i, state_name(ks->state), session_id_print(&session->session_id, &gc),
3641 session_id_print(&sid, &gc), print_link_socket_actual(from, &gc),
3642 session_id_print(&ks->session_id_remote, &gc),
3643 print_link_socket_actual(&ks->remote_addr, &gc));
3644
3645 if (session_id_equal(&ks->session_id_remote, &sid))
3646 /* found a match */
3647 {
3648 if (i == TM_LAME_DUCK)
3649 {
3650 msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s",
3651 session_id_print(&sid, &gc));
3652 goto error;
3653 }
3654 dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i,
3655 session_id_print(&sid, &gc));
3656 break;
3657 }
3658 }
3659
3660 /*
3661 * Hard reset and session id does not match any session in
3662 * multi->session: Possible initial packet. New sessions always start
3663 * as TM_INITIAL
3664 */
3665 if (i == TM_SIZE && is_hard_reset_method2(op))
3666 {
3667 /*
3668 * No match with existing sessions,
3669 * probably a new session.
3670 */
3671 struct tls_session *session = &multi->session[TM_INITIAL];
3672
3673 /*
3674 * If --single-session, don't allow any hard-reset connection request
3675 * unless it is the first packet of the session.
3676 */
3677 if (multi->opt.single_session && multi->n_sessions)
3678 {
3679 msg(D_TLS_ERRORS,
3680 "TLS Error: Cannot accept new session request from %s due "
3681 "to session context expire or --single-session",
3682 print_link_socket_actual(from, &gc));
3683 goto error;
3684 }
3685
3686 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, session->opt,
3687 true))
3688 {
3689 goto error;
3690 }
3691
3692#ifdef ENABLE_MANAGEMENT
3693 if (management)
3694 {
3695 management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL);
3696 }
3697#endif
3698
3699 /*
3700 * New session-initiating control packet is authenticated at this point,
3701 * assuming that the --tls-auth command line option was used.
3702 *
3703 * Without --tls-auth, we leave authentication entirely up to TLS.
3704 */
3705 msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
3706 print_link_socket_actual(from, &gc), session_id_print(&sid, &gc));
3707
3708 do_burst = true;
3709 new_link = true;
3710 i = TM_INITIAL;
3711 session->untrusted_addr = *from;
3712 }
3713 else
3714 {
3715 /*
3716 * Packet must belong to an existing session.
3717 */
3718 if (i != TM_ACTIVE && i != TM_INITIAL)
3719 {
3720 msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3721 print_link_socket_actual(from, &gc), i, packet_opcode_name(op));
3722 goto error;
3723 }
3724
3725 struct tls_session *session = &multi->session[i];
3726 struct key_state *ks = &session->key[KS_PRIMARY];
3727 /*
3728 * Verify remote IP address
3729 */
3730 if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3731 {
3732 msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3733 print_link_socket_actual(from, &gc));
3734 goto error;
3735 }
3736
3737 /*
3738 * Remote is requesting a key renegotiation. We only allow renegotiation
3739 * when the previous session is fully established to avoid weird corner
3740 * cases.
3741 */
3742 if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS)
3743 {
3744 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3745 session->opt, false))
3746 {
3747 goto error;
3748 }
3749
3750 key_state_soft_reset(session);
3751
3752 dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
3753 session_id_print(&sid, &gc));
3754 }
3755 else
3756 {
3757 bool initial_packet = false;
3758 if (ks->state == S_PRE_START_SKIP)
3759 {
3760 /* When we are coming from the session_skip_to_pre_start
3761 * method, we allow this initial packet to setup the
3762 * tls-crypt-v2 peer specific key */
3763 initial_packet = true;
3764 ks->state = S_PRE_START;
3765 }
3766 /*
3767 * Remote responding to our key renegotiation request?
3768 */
3769 if (op == P_CONTROL_SOFT_RESET_V1)
3770 {
3771 do_burst = true;
3772 }
3773
3774 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3775 session->opt, initial_packet))
3776 {
3777 /* if an initial packet in read_control_auth, we rather
3778 * error out than anything else */
3779 if (initial_packet)
3780 {
3781 multi->n_hard_errors++;
3782 }
3783 goto error;
3784 }
3785
3786 dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i,
3787 session_id_print(&sid, &gc));
3788 }
3789 }
3790
3791 /*
3792 * We have an authenticated control channel packet (if --tls-auth/tls-crypt
3793 * or tls-crypt-v2 was set).
3794 * Now pass to our reliability layer which deals with
3795 * packet acknowledgements, retransmits, sequencing, etc.
3796 */
3797 struct tls_session *session = &multi->session[i];
3798 struct key_state *ks = &session->key[KS_PRIMARY];
3799
3800 /* Make sure we were initialized and that we're not in an error state */
3801 ASSERT(ks->state != S_UNDEF);
3802 ASSERT(ks->state != S_ERROR);
3803 ASSERT(session_id_defined(&session->session_id));
3804
3805 /* Let our caller know we processed a control channel packet */
3806 ret = true;
3807
3808 /*
3809 * Set our remote address and remote session_id
3810 */
3811 if (new_link)
3812 {
3813 ks->session_id_remote = sid;
3814 ks->remote_addr = *from;
3815 ++multi->n_sessions;
3816 }
3817 else if (!link_socket_actual_match(&ks->remote_addr, from))
3818 {
3819 msg(D_TLS_ERRORS,
3820 "TLS Error: Existing session control channel packet from unknown IP address: %s",
3821 print_link_socket_actual(from, &gc));
3822 goto error;
3823 }
3824
3825 /*
3826 * Should we do a retransmit of all unacknowledged packets in
3827 * the send buffer? This improves the start-up efficiency of the
3828 * initial key negotiation after the 2nd peer comes online.
3829 */
3830 if (do_burst && !session->burst)
3831 {
3832 reliable_schedule_now(ks->send_reliable);
3833 session->burst = true;
3834 }
3835
3836 /* Check key_id */
3837 if (ks->key_id != key_id)
3838 {
3839 msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id,
3840 key_id, print_key_id(multi, &gc));
3841 goto error;
3842 }
3843
3844 /*
3845 * Process incoming ACKs for packets we can now
3846 * delete from reliable send buffer
3847 */
3848 {
3849 /* buffers all packet IDs to delete from send_reliable */
3850 struct reliable_ack send_ack;
3851
3852 if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3853 {
3854 msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet");
3855 goto error;
3856 }
3857 reliable_send_purge(ks->send_reliable, &send_ack);
3858 }
3859
3860 if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3861 {
3862 packet_id_type id;
3863
3864 /* Extract the packet ID from the packet */
3865 if (reliable_ack_read_packet_id(buf, &id))
3866 {
3867 /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3868 if (reliable_wont_break_sequentiality(ks->rec_reliable, id))
3869 {
3870 if (reliable_not_replay(ks->rec_reliable, id))
3871 {
3872 /* Save incoming ciphertext packet to reliable buffer */
3873 struct buffer *in = reliable_get_buf(ks->rec_reliable);
3874 ASSERT(in);
3875 if (!buf_copy(in, buf))
3876 {
3877 msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping.");
3878 goto error;
3879 }
3880 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
3881 }
3882
3883 /* Process outgoing acknowledgment for packet just received, even if it's a replay
3884 */
3885 reliable_ack_acknowledge_packet_id(ks->rec_ack, id);
3886 }
3887 }
3888 }
3889 /* Remember that we received a valid control channel packet */
3890 ks->peer_last_packet = now;
3891
3892done:
3893 buf->len = 0;
3894 *opt = NULL;
3895 gc_free(&gc);
3896 return ret;
3897
3898error:
3899 ++multi->n_soft_errors;
3900 tls_clear_error();
3901 goto done;
3902}
3903
3904
3905struct key_state *
3906tls_select_encryption_key(struct tls_multi *multi)
3907{
3908 struct key_state *ks_select = NULL;
3909 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3910 {
3911 struct key_state *ks = get_key_scan(multi, i);
3912 if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
3913 {
3914 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3915
3916 if (!ks_select)
3917 {
3918 ks_select = ks;
3919 }
3920 if (now >= ks->auth_deferred_expire)
3921 {
3922 ks_select = ks;
3923 break;
3924 }
3925 }
3926 }
3927 return ks_select;
3928}
3929
3930
3931/* Choose the key with which to encrypt a data packet */
3932void
3933tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
3934{
3935 multi->save_ks = NULL;
3936 if (buf->len <= 0)
3937 {
3938 buf->len = 0;
3939 *opt = NULL;
3940 return;
3941 }
3942
3943 struct key_state *ks_select = tls_select_encryption_key(multi);
3944
3945 if (ks_select)
3946 {
3947 *opt = &ks_select->crypto_options;
3948 multi->save_ks = ks_select;
3949 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3950 return;
3951 }
3952 else
3953 {
3954 struct gc_arena gc = gc_new();
3955 dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3956 print_key_id(multi, &gc));
3957 gc_free(&gc);
3958
3959 *opt = NULL;
3960 buf->len = 0;
3961 }
3962}
3963
3964void
3965tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3966{
3967 struct key_state *ks = multi->save_ks;
3968
3969 msg(D_TLS_DEBUG, __func__);
3970
3971 ASSERT(ks);
3972 ASSERT(ks->key_id <= P_KEY_ID_MASK);
3973
3974 uint8_t op = (P_DATA_V1 << P_OPCODE_SHIFT) | (uint8_t)ks->key_id;
3975 ASSERT(buf_write_prepend(buf, &op, 1));
3976}
3977
3978void
3979tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
3980{
3981 struct key_state *ks = multi->save_ks;
3982 uint32_t peer;
3983
3984 msg(D_TLS_DEBUG, __func__);
3985
3986 ASSERT(ks);
3987
3988 peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF));
3989 ASSERT(buf_write_prepend(buf, &peer, 4));
3990}
3991
3992void
3993tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
3994{
3995 struct key_state *ks = multi->save_ks;
3996 multi->save_ks = NULL;
3997
3998 if (buf->len > 0)
3999 {
4000 ASSERT(ks);
4001
4002 ++ks->n_packets;
4003 ks->n_bytes += buf->len;
4004 }
4005}
4006
4007/*
4008 * Send a payload over the TLS control channel.
4009 * Called externally.
4010 */
4011
4012bool
4013tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
4014{
4015 bool ret = false;
4016
4017 tls_clear_error();
4018
4019 ASSERT(ks);
4020
4021 if (ks->state >= S_ACTIVE)
4022 {
4023 ASSERT(size <= INT_MAX);
4024 if (key_state_write_plaintext_const(&ks->ks_ssl, data, (int)size) == 1)
4025 {
4026 ret = true;
4027 }
4028 }
4029 else
4030 {
4031 if (!ks->paybuf)
4032 {
4033 ks->paybuf = buffer_list_new();
4034 }
4035 buffer_list_push_data(ks->paybuf, data, size);
4036 ret = true;
4037 }
4038
4039
4040 tls_clear_error();
4041
4042 return ret;
4043}
4044
4045bool
4046tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
4047{
4048 bool ret = false;
4049
4050 tls_clear_error();
4051
4052 ASSERT(multi);
4053
4054 struct key_state *ks = get_key_scan(multi, 0);
4055
4056 if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4057 {
4058 if (buf_copy(buf, &ks->plaintext_read_buf))
4059 {
4060 ret = true;
4061 }
4062 ks->plaintext_read_buf.len = 0;
4063 }
4064
4065 tls_clear_error();
4066
4067 return ret;
4068}
4069
4070void
4071tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4072{
4073 struct gc_arena gc = gc_new();
4074 for (int i = 0; i < TM_SIZE; ++i)
4075 {
4076 struct tls_session *session = &multi->session[i];
4077
4078 for (int j = 0; j < KS_SIZE; ++j)
4079 {
4080 struct key_state *ks = &session->key[j];
4081
4082 if (!link_socket_actual_defined(&ks->remote_addr)
4083 || link_socket_actual_match(addr, &ks->remote_addr))
4084 {
4085 continue;
4086 }
4087
4088 dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4089 print_link_socket_actual(&ks->remote_addr, &gc),
4090 print_link_socket_actual(addr, &gc));
4091
4092 ks->remote_addr = *addr;
4093 }
4094 }
4095 gc_free(&gc);
4096}
4097
4098void
4099show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
4100 const char *tls_cert_profile)
4101{
4102 printf("Available TLS Ciphers, listed in order of preference:\n");
4103
4104 if (tls_version_max() >= TLS_VER_1_3)
4105 {
4106 printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4107 show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4108 }
4109
4110 printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4111 show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4112
4113 printf("\n"
4114 "Note: Whether a cipher suite in this list can actually work depends\n"
4115 "on the specific setup of both peers. See the man page entries of\n"
4116 "--tls-cipher and --show-tls for more details.\n\n");
4117}
4118
4119/*
4120 * Dump a human-readable rendition of an openvpn packet
4121 * into a garbage collectable string which is returned.
4122 */
4123const char *
4124protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4125{
4126 struct buffer out = alloc_buf_gc(256, gc);
4127 struct buffer buf = *buffer;
4128
4129 uint8_t c;
4130 int op;
4131 int key_id;
4132
4133 int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4134
4135 if (buf.len <= 0)
4136 {
4137 buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4138 goto done;
4139 }
4140
4141 if (!(flags & PD_TLS))
4142 {
4143 goto print_data;
4144 }
4145
4146 /*
4147 * Initial byte (opcode)
4148 */
4149 if (!buf_read(&buf, &c, sizeof(c)))
4150 {
4151 goto done;
4152 }
4153 op = (c >> P_OPCODE_SHIFT);
4154 key_id = c & P_KEY_ID_MASK;
4155 buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4156
4157 if ((op == P_DATA_V1) || (op == P_DATA_V2))
4158 {
4159 goto print_data;
4160 }
4161
4162 /*
4163 * Session ID
4164 */
4165 {
4166 struct session_id sid;
4167
4168 if (!session_id_read(&sid, &buf))
4169 {
4170 goto done;
4171 }
4172 if (flags & PD_VERBOSE)
4173 {
4174 buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4175 }
4176 }
4177
4178 /*
4179 * tls-auth hmac + packet_id
4180 */
4181 if (tls_auth_hmac_size)
4182 {
4183 struct packet_id_net pin;
4184 uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4185
4186 ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4187
4188 if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4189 {
4190 goto done;
4191 }
4192 if (flags & PD_VERBOSE)
4193 {
4194 buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4195 }
4196
4197 if (!packet_id_read(&pin, &buf, true))
4198 {
4199 goto done;
4200 }
4201 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4202 }
4203 /*
4204 * packet_id + tls-crypt hmac
4205 */
4206 if (flags & PD_TLS_CRYPT)
4207 {
4208 struct packet_id_net pin;
4209 uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
4210
4211 if (!packet_id_read(&pin, &buf, true))
4212 {
4213 goto done;
4214 }
4215 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4216 if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
4217 {
4218 goto done;
4219 }
4220 if (flags & PD_VERBOSE)
4221 {
4222 buf_printf(&out, " tls_crypt_hmac=%s",
4223 format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
4224 }
4225 /*
4226 * Remainder is encrypted and optional wKc
4227 */
4228 goto done;
4229 }
4230
4231 /*
4232 * ACK list
4233 */
4234 buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4235
4236 if (op == P_ACK_V1)
4237 {
4238 goto print_data;
4239 }
4240
4241 /*
4242 * Packet ID
4243 */
4244 {
4245 packet_id_type l;
4246 if (!buf_read(&buf, &l, sizeof(l)))
4247 {
4248 goto done;
4249 }
4250 l = ntohpid(l);
4251 buf_printf(&out, " pid=" packet_id_format, (packet_id_print_type)l);
4252 }
4253
4254print_data:
4255 if (flags & PD_SHOW_DATA)
4256 {
4257 buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4258 }
4259 else
4260 {
4261 buf_printf(&out, " DATA len=%d", buf.len);
4262 }
4263
4264done:
4265 return BSTR(&out);
4266}
wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:395
resend_auth_token_renegotiation
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:454
auth_token.h
buffer_list_push_data
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition buffer.c:1207
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buffer_list_pop
void buffer_list_pop(struct buffer_list *ol)
Definition buffer.c:1298
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
buffer_list_new
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1153
buffer_list_peek
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1234
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1162
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:648
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:690
BSTR
#define BSTR(buf)
Definition buffer.h:128
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
BPTR
#define BPTR(buf)
Definition buffer.h:123
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:697
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:672
buf_read_u16
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:797
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:710
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1086
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:762
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
buf_advance
static bool buf_advance(struct buffer *buf, ssize_t size)
Definition buffer.h:616
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1101
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:786
BLEN
#define BLEN(buf)
Definition buffer.h:126
format_hex
static char * format_hex(const uint8_t *data, size_t size, size_t maxoutput, struct gc_arena *gc)
Definition buffer.h:503
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1107
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1064
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
interval_t
int interval_t
Definition common.h:37
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
counter_format
#define counter_format
Definition common.h:32
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1100
key2_print
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Prints the keys in a key2 structure.
Definition crypto.c:1180
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:875
check_key
bool check_key(struct key *key, const struct key_type *kt)
Definition crypto.c:1126
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:345
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1062
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1684
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition crypto.h:232
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:347
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:350
CO_RESEND_WKC
#define CO_RESEND_WKC
Bit-flag indicating that the client is expected to resend the wrapped client key with the 2nd packet ...
Definition crypto.h:363
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
cipher_decrypt_verify_fail_warn
static bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
Check if the number of failed decryption is approaching the limit and we should try to move to a new ...
Definition crypto.h:731
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition crypto.h:233
aead_usage_limit_reached
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
Definition crypto.h:760
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, uint8_t *output, size_t output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1415
crypto_uninit_lib
void crypto_uninit_lib(void)
Definition crypto_openssl.c:204
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:812
crypto_init_lib
void crypto_init_lib(void)
Definition crypto_openssl.c:189
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:799
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
cipher_kt_insecure
bool cipher_kt_insecure(const char *ciphername)
Returns true if we consider this cipher to be insecure.
Definition crypto_openssl.c:753
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:583
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition crypto_backend.h:502
OPENVPN_MAX_HMAC_SIZE
#define OPENVPN_MAX_HMAC_SIZE
Definition crypto_backend.h:55
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:337
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:352
crypto_epoch.h
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:341
dco_context_t
void * dco_context_t
Definition dco.h:259
init_key_dco_bi
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:321
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_KEYS
#define D_SHOW_KEYS
Definition errlevel.h:120
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:100
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_SHOW_KEY_SOURCE
#define D_SHOW_KEY_SOURCE
Definition errlevel.h:121
D_TLS_KEYSELECT
#define D_TLS_KEYSELECT
Definition errlevel.h:145
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:164
S_ACTIVE
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:100
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1186
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:545
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:468
key_state_free
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition ssl.c:902
tls_session_free
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition ssl.c:1050
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:141
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1238
S_ERROR_PRE
#define S_ERROR_PRE
Error state but try to send out alerts before killing the keystore and moving it to S_ERROR.
Definition ssl_common.h:79
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:464
S_PRE_START_SKIP
#define S_PRE_START_SKIP
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:87
S_UNDEF
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition ssl_common.h:82
S_START
#define S_START
Three-way handshake is complete, start of key exchange.
Definition ssl_common.h:93
S_GOT_KEY
#define S_GOT_KEY
Local OpenVPN process has received the remote's part of the key material.
Definition ssl_common.h:97
S_PRE_START
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:90
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1157
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1172
TM_LAME_DUCK
#define TM_LAME_DUCK
Old tls_session.
Definition ssl_common.h:548
tls_session_init
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition ssl.c:979
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session \ array.
Definition ssl_common.h:549
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1211
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:544
S_GENERATED_KEYS
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
KS_LAME_DUCK
#define KS_LAME_DUCK
Key state index that will retire \ soon.
Definition ssl_common.h:465
S_SENT_KEY
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition ssl_common.h:95
S_ERROR
#define S_ERROR
Error state.
Definition ssl_common.h:78
S_INITIAL
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake.
Definition ssl_common.h:84
key_state_init
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition ssl.c:816
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1227
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition ssl_openssl.c:2260
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition ssl_openssl.c:2247
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition ssl_openssl.c:2235
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition ssl_openssl.c:2223
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition ssl_openssl.c:2210
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:3993
tls_select_encryption_key
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3906
TLS_AUTHENTICATED
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition ssl_verify.h:113
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3965
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3933
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:3979
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3554
reliable_free
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition reliable.c:364
reliable_ack_read
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition reliable.c:144
reliable_get_buf_output_sequenced
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition reliable.c:562
reliable_schedule_now
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition reliable.c:675
reliable_ack_read_packet_id
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:109
reliable_ack_outstanding
static int reliable_ack_outstanding(struct reliable_ack *ack)
Returns the number of packets that need to be acked.
Definition reliable.h:189
reliable_mark_active_incoming
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition reliable.c:736
reliable_mark_active_outgoing
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition reliable.c:769
reliable_ack_print
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition reliable.c:305
reliable_ack_acknowledge_packet_id
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition reliable.c:127
reliable_set_timeout
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition reliable.h:526
reliable_can_get
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition reliable.c:454
reliable_send_purge
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition reliable.c:395
reliable_get_buf
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition reliable.c:518
reliable_send
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition reliable.c:638
reliable_can_send
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition reliable.c:612
reliable_empty
bool reliable_empty(const struct reliable *rel)
Check whether a reliable structure is empty.
Definition reliable.c:380
reliable_not_replay
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID is not a replay.
Definition reliable.c:472
RELIABLE_ACK_SIZE
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs \ waiting to be acknowledged which can \ be stored in one reliable_a...
Definition reliable.h:43
reliable_send_timeout
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition reliable.c:698
reliable_get_entry_sequenced
struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition reliable.c:597
reliable_init
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition reliable.c:348
reliable_mark_deleted
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf)
Remove an entry from a reliable structure.
Definition reliable.c:796
reliable_get_num_output_sequenced_available
int reliable_get_num_output_sequenced_available(struct reliable *rel)
Counts the number of free buffers in output that can be potentially used for sending.
Definition reliable.c:533
reliable_wont_break_sequentiality
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID can safely be stored in the reliable structure's processing window.
Definition reliable.c:499
ACK_SIZE
#define ACK_SIZE(n)
Definition reliable.h:70
reliable_ack_empty
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition reliable.h:176
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:88
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:96
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
management_query_cert
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3790
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2775
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
OPENVPN_STATE_AUTH
#define OPENVPN_STATE_AUTH
Definition manage.h:458
OPENVPN_STATE_WAIT
#define OPENVPN_STATE_WAIT
Definition manage.h:457
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
management_enable_def_auth
static bool management_enable_def_auth(const struct management *man)
Definition manage.h:438
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
unprotect_user_pass
void unprotect_user_pass(struct user_pass *up)
Decrypt username and password buffers in user_pass.
Definition misc.c:808
get_user_pass_cr
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.c:201
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:470
set_auth_token_user
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition misc.c:516
output_peer_info_env
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition misc.c:755
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:777
protect_user_pass
void protect_user_pass(struct user_pass *up)
Encrypt username and password buffers in user_pass.
Definition misc.c:788
set_auth_token
void set_auth_token(struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition misc.c:496
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:64
GET_USER_PASS_STATIC_CHALLENGE_CONCAT
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:125
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:112
GET_USER_PASS_STATIC_CHALLENGE_ECHO
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:120
GET_USER_PASS_INLINE_CREDS
#define GET_USER_PASS_INLINE_CREDS
indicates that auth_file is actually inline creds
Definition misc.h:123
GET_USER_PASS_STATIC_CHALLENGE
#define GET_USER_PASS_STATIC_CHALLENGE
SCRV1 protocol – static challenge.
Definition misc.h:119
SC_CONCAT
#define SC_CONCAT
Definition misc.h:92
SC_ECHO
#define SC_ECHO
Definition misc.h:91
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
GET_USER_PASS_DYNAMIC_CHALLENGE
#define GET_USER_PASS_DYNAMIC_CHALLENGE
CRV1 protocol – dynamic challenge.
Definition misc.h:118
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:317
frame_print
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:183
CLEAR
#define CLEAR(x)
Definition basic.h:32
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:251
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:550
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4543
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5553
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4700
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4549
MODE_SERVER
#define MODE_SERVER
Definition options.h:264
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:990
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:84
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:549
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:319
packet_id_net_print
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition packet_id.c:423
packet_id_format
#define packet_id_format
Definition packet_id.h:76
packet_id_print_type
uint64_t packet_id_print_type
Definition packet_id.h:77
packet_id_type
uint32_t packet_id_type
Definition packet_id.h:45
packet_id_close_to_wrapping
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition packet_id.h:328
ntohpid
#define ntohpid(x)
Definition packet_id.h:64
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:322
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:118
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2566
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
session_id_random
void session_id_random(struct session_id *sid)
Definition session_id.c:48
session_id_print
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition session_id.c:54
session_id_equal
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition session_id.h:47
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:53
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:59
SID_SIZE
#define SID_SIZE
Definition session_id.h:44
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:514
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket_util.c:117
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket_util.h:328
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition socket_util.h:309
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition socket_util.h:486
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:381
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:361
generate_key_expansion
static bool generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
Definition ssl.c:1474
init_ssl
struct tls_root_ctx * init_ssl(const struct options *options, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:511
tls_process
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3000
tls_session_user_pass_enabled
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition ssl.c:947
auth_deferred_expire_window
static int auth_deferred_expire_window(const struct tls_options *o)
Definition ssl.c:2382
passbuf
static struct user_pass passbuf
Definition ssl.c:245
print_key_id
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition ssl.c:765
INCR_GENERATED
#define INCR_GENERATED
Definition ssl.c:92
auth_token
static struct user_pass auth_token
Definition ssl.c:280
init_epoch_keys
static void init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2)
Definition ssl.c:1333
compute_earliest_wakeup
static void compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
Definition ssl.c:1113
lame_duck_must_die
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition ssl.c:1130
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:336
ks_auth_name
static const char * ks_auth_name(enum ks_auth_state auth)
Definition ssl.c:724
key_source2_read
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1704
move_session
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition ssl.c:1079
handle_data_channel_packet
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Check the keyid of the an incoming data channel packet and return the matching crypto parameters in o...
Definition ssl.c:3454
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
Definition ssl.c:4013
export_user_keying_material
static void export_user_keying_material(struct tls_session *session)
Definition ssl.c:2171
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:406
INCR_SUCCESS
#define INCR_SUCCESS
Definition ssl.c:93
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:259
control_packet_needs_wkc
static bool control_packet_needs_wkc(const struct key_state *ks)
Definition ssl.c:2589
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4071
read_incoming_tls_ciphertext
static bool read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
Read incoming ciphertext and passes it to the buffer of the SSL library.
Definition ssl.c:2563
key_source2_print
static void key_source2_print(const struct key_source2 *k)
Definition ssl.c:1292
auth_user_pass
static struct user_pass auth_user_pass
Definition ssl.c:279
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4046
write_outgoing_tls_ciphertext
static bool write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2621
check_outgoing_ciphertext
static bool check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2707
check_session_buf_not_used
static void check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
This is a safe guard function to double check that a buffer from a session is not used in a session t...
Definition ssl.c:3133
tls_session_generate_data_channel_keys
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1538
flush_payload_buffer
static void flush_payload_buffer(struct key_state *ks)
Definition ssl.c:1736
init_key_contexts
static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2, bool dco_enabled)
Definition ssl.c:1372
print_key_id_not_found_reason
static void print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, int key_id)
We have not found a matching key to decrypt data channel packet, try to generate a sensible error mes...
Definition ssl.c:3406
tls_session_update_crypto_params_do_work
bool tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Definition ssl.c:1570
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1767
is_hard_reset_method2
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:781
read_string_alloc
static char * read_string_alloc(struct buffer *buf)
Definition ssl.c:1836
should_trigger_renegotiation
static bool should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
Determines if a renegotiation should be triggerred based on the various factors that can trigger one.
Definition ssl.c:2917
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:420
read_string
static int read_string(struct buffer *buf, char *str, const unsigned int capacity)
Read a string that is encoded as a 2 byte header with the length from the buffer buf.
Definition ssl.c:1817
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2489
session_index_name
static const char * session_index_name(int index)
Definition ssl.c:743
session_move_active
static void session_move_active(struct tls_multi *multi, struct tls_session *session, struct link_socket_info *to_link_socket_info, struct key_state *ks)
Moves the key to state to S_ACTIVE and also advances the multi_state state machine if this is the ini...
Definition ssl.c:2446
tls_get_limit_aead
static uint64_t tls_get_limit_aead(const char *ciphername)
Definition ssl.c:120
random_bytes_to_buf
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition ssl.c:1658
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:355
openvpn_PRF
static bool openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed, size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, size_t output_len)
Definition ssl.c:1299
INCR_SENT
#define INCR_SENT
Definition ssl.c:91
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3197
tls_process_state
static bool tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2726
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:346
key_method_2_write
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition ssl.c:2054
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:248
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:225
key_source_print
static void key_source_print(const struct key_source *k, const char *prefix)
Definition ssl.c:1273
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1639
write_empty_string
static bool write_empty_string(struct buffer *buf)
Definition ssl.c:1777
tls_limit_reneg_bytes
static void tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition ssl.c:106
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:233
key_state_soft_reset
static void key_state_soft_reset(struct tls_session *session)
Definition ssl.c:1752
parse_early_negotiation_tlvs
static bool parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
Parses the TLVs (type, length, value) in the early negotiation.
Definition ssl.c:2514
auth_user_pass_enabled
static bool auth_user_pass_enabled
Definition ssl.c:278
auth_challenge
static char * auth_challenge
Definition ssl.c:283
key_source2_randomize_write
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1673
state_name
static const char * state_name(int state)
Definition ssl.c:681
generate_key_expansion_openvpn_prf
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition ssl.c:1430
reset_session
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition ssl.c:1102
INCR_ERROR
#define INCR_ERROR
Definition ssl.c:94
tls_ctx_reload_crl
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition ssl.c:461
calc_control_channel_frame_overhead
static size_t calc_control_channel_frame_overhead(const struct tls_session *session)
calculate the maximum overhead that control channel frames have This includes header,...
Definition ssl.c:188
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:293
generate_key_expansion_tls_export
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition ssl.c:1416
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition ssl.c:370
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1872
write_string
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition ssl.c:1787
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:287
ssl_purge_auth_challenge
void ssl_purge_auth_challenge(void)
Definition ssl.c:399
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4099
read_incoming_tls_plaintext
static bool read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup, bool *continue_tls_process)
Definition ssl.c:2596
key_method_2_read
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext).
Definition ssl.c:2205
session_move_pre_start
static bool session_move_pre_start(const struct tls_session *session, struct key_state *ks, bool skip_initial_send)
Move the session from S_INITIAL to S_PRE_START.
Definition ssl.c:2401
protocol_dump
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4124
ssl.h
Control Channel SSL/Data channel negotiation module.
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition ssl.h:232
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
load_xkey_provider
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
Definition ssl_openssl.c:2663
tls_wrap_free
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:472
IV_PROTO_AUTH_FAIL_TEMP
#define IV_PROTO_AUTH_FAIL_TEMP
Support for AUTH_FAIL,TEMP messages.
Definition ssl.h:105
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
CONTROL_SEND_ACK_MAX
#define CONTROL_SEND_ACK_MAX
Definition ssl.h:55
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition ssl.h:230
KEY_EXPANSION_ID
#define KEY_EXPANSION_ID
Definition ssl.h:49
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
PD_TLS_CRYPT
#define PD_TLS_CRYPT
Definition ssl.h:525
PD_TLS
#define PD_TLS
Definition ssl.h:523
IV_PROTO_PUSH_UPDATE
#define IV_PROTO_PUSH_UPDATE
Supports push-update.
Definition ssl.h:117
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
PD_VERBOSE
#define PD_VERBOSE
Definition ssl.h:524
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
TLSMP_KILL
#define TLSMP_KILL
Definition ssl.h:231
PD_SHOW_DATA
#define PD_SHOW_DATA
Definition ssl.h:522
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
KEY_METHOD_MASK
#define KEY_METHOD_MASK
Definition ssl.h:125
IV_PROTO_DNS_OPTION_V2
#define IV_PROTO_DNS_OPTION_V2
Supports the –dns option after all the incompatible changes.
Definition ssl.h:114
PD_TLS_AUTH_HMAC_SIZE_MASK
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition ssl.h:521
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
TLSMP_INACTIVE
#define TLSMP_INACTIVE
Definition ssl.h:229
TLS_OPTIONS_LEN
#define TLS_OPTIONS_LEN
Definition ssl.h:69
ssl_backend.h
Control Channel SSL library backend module.
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition ssl_openssl.c:560
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2630
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:157
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
Definition ssl_openssl.c:2519
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition ssl_openssl.c:103
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition ssl_openssl.c:2195
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition ssl_openssl.c:1266
key_state_ssl_shutdown
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition ssl_openssl.c:2189
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1932
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition ssl_openssl.c:618
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition ssl_openssl.c:491
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition ssl_openssl.c:901
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition ssl_openssl.c:2148
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:712
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
TLS_VER_1_1
#define TLS_VER_1_1
Definition ssl_backend.h:106
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
Definition ssl_openssl.c:2489
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:205
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition ssl_openssl.c:1320
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition ssl_openssl.c:430
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1785
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition ssl_openssl.c:519
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition ssl_openssl.c:1706
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition ssl_openssl.c:1034
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition ssl_openssl.c:308
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:654
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition ssl_openssl.c:121
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Definition ssl_openssl.c:1253
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition ssl_common.h:566
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:732
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:426
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:593
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:581
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:582
CAS_WAITING_OPTIONS_IMPORT
@ CAS_WAITING_OPTIONS_IMPORT
client with pull or p2p waiting for first time options import
Definition ssl_common.h:586
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:580
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:592
ks_auth_state
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition ssl_common.h:153
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:157
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:428
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition ssl_common.h:41
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:755
check_session_cipher
bool check_session_cipher(struct tls_session *session, struct options *options)
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition ssl_ncp.c:515
p2p_mode_ncp
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
Definition ssl_ncp.c:472
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:164
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt, bool initial_packet)
Read a control channel authentication record.
Definition ssl_pkt.c:194
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:323
P_DATA_V1
#define P_DATA_V1
Definition ssl_pkt.h:47
P_DATA_V2
#define P_DATA_V2
Definition ssl_pkt.h:48
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:322
P_ACK_V1
#define P_ACK_V1
Definition ssl_pkt.h:46
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:59
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition ssl_pkt.h:42
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition ssl_pkt.h:38
TLS_RELIABLE_N_REC_BUFFERS
#define TLS_RELIABLE_N_REC_BUFFERS
Definition ssl_pkt.h:71
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:241
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:52
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition ssl_pkt.h:44
P_CONTROL_V1
#define P_CONTROL_V1
Definition ssl_pkt.h:45
P_LAST_OPCODE
#define P_LAST_OPCODE
Definition ssl_pkt.h:65
EARLY_NEG_START
#define EARLY_NEG_START
Definition ssl_pkt.h:315
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition ssl_pkt.h:43
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:292
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
TLS_RELIABLE_N_SEND_BUFFERS
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition ssl_pkt.h:70
options_string_compat_lzo
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition ssl_util.c:76
ssl_util.h
SSL utility functions.
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition ssl_verify.c:954
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition ssl_verify.c:1850
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition ssl_verify.c:1788
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition ssl_verify.c:1137
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition ssl_verify.c:1595
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition ssl_verify.c:215
ssl_verify.h
Control Channel Verification Module.
tls_auth_status
tls_auth_status
Definition ssl_verify.h:74
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:75
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:76
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:303
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:386
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:342
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:333
env_item
Definition env_set.h:37
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
epoch_key
Definition crypto.h:192
epoch_key::epoch_key
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
Definition crypto.h:193
epoch_key::epoch
uint16_t epoch
Definition crypto.h:194
frame
Packet geometry parameters.
Definition mtu.h:108
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:142
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:113
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:119
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:129
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:123
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:241
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
key_ctx_bi::initialized
bool initialized
Definition crypto.h:285
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
key_ctx::plaintext_blocks
uint64_t plaintext_blocks
Counter for the number of plaintext block encrypted using this cipher with the current key in number ...
Definition crypto.h:222
key_direction_state
Key ordering of the key2.keys array.
Definition crypto.h:259
key_direction_state::in_key
int in_key
Index into the key2.keys array for the receiving direction.
Definition crypto.h:262
key_direction_state::out_key
int out_key
Index into the key2.keys array for the sending direction.
Definition crypto.h:260
key_source2
Container for both halves of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:139
key_source2::client
struct key_source client
Random provided by client.
Definition ssl_common.h:140
key_source2::server
struct key_source server
Random provided by server.
Definition ssl_common.h:141
key_source
Container for one half of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:121
key_source::random1
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition ssl_common.h:125
key_source::pre_master
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition ssl_common.h:122
key_source::random2
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition ssl_common.h:128
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
key_state::paybuf
struct buffer_list * paybuf
Holds outgoing message for the control channel until ks->state reaches S_ACTIVE.
Definition ssl_common.h:252
key_state::crypto_options
struct crypto_options crypto_options
Definition ssl_common.h:237
key_state::ack_write_buf
struct buffer ack_write_buf
Definition ssl_common.h:243
key_state::plaintext_read_buf
struct buffer plaintext_read_buf
Definition ssl_common.h:241
key_state::state
int state
Definition ssl_common.h:209
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
key_state::must_die
time_t must_die
Definition ssl_common.h:230
key_state::plaintext_write_buf
struct buffer plaintext_write_buf
Definition ssl_common.h:242
key_state::remote_addr
struct link_socket_actual remote_addr
Definition ssl_common.h:235
key_state::established
time_t established
Definition ssl_common.h:228
key_state::ks_ssl
struct key_state_ssl ks_ssl
Definition ssl_common.h:225
key_state::must_negotiate
time_t must_negotiate
Definition ssl_common.h:229
key_state::rec_ack
struct reliable_ack * rec_ack
Definition ssl_common.h:247
key_state::rec_reliable
struct reliable * rec_reliable
Definition ssl_common.h:246
key_state::session_id_remote
struct session_id session_id_remote
Definition ssl_common.h:234
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:263
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:269
key_state::initial
time_t initial
Definition ssl_common.h:227
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:259
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
key_state::peer_last_packet
time_t peer_last_packet
Definition ssl_common.h:231
key_state::send_reliable
struct reliable * send_reliable
Definition ssl_common.h:245
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition ssl_common.h:260
key_state::initial_opcode
int initial_opcode
Definition ssl_common.h:233
key_state::lru_acks
struct reliable_ack * lru_acks
Definition ssl_common.h:248
key_state::key_src
struct key_source2 * key_src
Definition ssl_common.h:239
key_state::n_bytes
counter_type n_bytes
Definition ssl_common.h:253
key_state::n_packets
counter_type n_packets
Definition ssl_common.h:254
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
link_socket_actual
Definition socket_util.h:50
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_info
Definition socket.h:86
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:721
options::crl_file_inline
bool crl_file_inline
Definition options.h:617
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:639
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:606
options::ca_file
const char * ca_file
Definition options.h:594
options::ssl_flags
unsigned int ssl_flags
Definition options.h:626
options::authname
const char * authname
Definition options.h:579
options::dh_file_inline
bool dh_file_inline
Definition options.h:598
options::pkcs12_file
const char * pkcs12_file
Definition options.h:605
options::tls_groups
const char * tls_groups
Definition options.h:609
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:610
options::management_flags
unsigned int management_flags
Definition options.h:458
options::ciphername
const char * ciphername
Definition options.h:573
options::tls_server
bool tls_server
Definition options.h:592
options::extra_certs_file
const char * extra_certs_file
Definition options.h:601
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:604
options::crl_file
const char * crl_file
Definition options.h:616
options::dh_file
const char * dh_file
Definition options.h:597
options::ca_file_inline
bool ca_file_inline
Definition options.h:595
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:602
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:608
options::ecdh_curve
const char * ecdh_curve
Definition options.h:611
options::cipher_list
const char * cipher_list
Definition options.h:607
options::management_certificate
const char * management_certificate
Definition options.h:455
options::chroot_dir
const char * chroot_dir
Definition options.h:378
options::ca_path
const char * ca_path
Definition options.h:596
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:350
options::ping_send_timeout
int ping_send_timeout
Definition options.h:349
options::priv_key_file
const char * priv_key_file
Definition options.h:603
options::cert_file
const char * cert_file
Definition options.h:599
options::cert_file_inline
bool cert_file_inline
Definition options.h:600
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:191
packet_id_rec::id
uint64_t id
Definition packet_id.h:117
packet_id_send::id
uint64_t id
Definition packet_id.h:153
packet_id::send
struct packet_id_send send
Definition packet_id.h:200
packet_id::rec
struct packet_id_rec rec
Definition packet_id.h:201
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:64
reliable_ack::len
int len
Definition reliable.h:65
reliable_entry
The structure in which the reliability layer stores a single incoming or outgoing packet.
Definition reliable.h:77
reliable_entry::buf
struct buffer buf
Definition reliable.h:86
reliable_entry::opcode
int opcode
Definition reliable.h:85
reliable_entry::packet_id
packet_id_type packet_id
Definition reliable.h:81
reliable
The reliability layer storage structure for one VPN tunnel's control channel in one direction.
Definition reliable.h:94
reliable::array
struct reliable_entry array[RELIABLE_CAPACITY]
Definition reliable.h:100
reliable::size
int size
Definition reliable.h:95
reliable::packet_id
packet_id_type packet_id
Definition reliable.h:97
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
session_id
Definition session_id.h:38
static_challenge_info
Definition misc.h:90
static_challenge_info::flags
unsigned int flags
Definition misc.h:93
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:95
tls_auth_standalone
Definition ssl_pkt.h:78
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:611
tls_multi::n_hard_errors
int n_hard_errors
Definition ssl_common.h:637
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:703
tls_multi::to_link_addr
struct link_socket_actual to_link_addr
Definition ssl_common.h:628
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:672
tls_multi::save_ks
struct key_state * save_ks
Definition ssl_common.h:622
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:702
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:649
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:632
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:616
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:711
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:655
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:644
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:699
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:653
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:630
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:723
tls_multi::n_soft_errors
int n_soft_errors
Definition ssl_common.h:638
tls_options
Definition ssl_common.h:307
tls_options::gremlin
int gremlin
Definition ssl_common.h:447
tls_options::server
bool server
Definition ssl_common.h:317
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:387
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:368
tls_options::replay_time
int replay_time
Definition ssl_common.h:371
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:350
tls_options::frame
struct frame frame
Definition ssl_common.h:389
tls_options::remote_options
const char * remote_options
Definition ssl_common.h:325
tls_options::single_session
bool single_session
Definition ssl_common.h:328
tls_options::local_options
const char * local_options
Definition ssl_common.h:324
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:343
tls_options::replay_window
int replay_window
Definition ssl_common.h:370
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:114
tls_root_ctx::crl_last_size
off_t crl_last_size
size of last loaded CRL
Definition ssl_mbedtls.h:127
tls_root_ctx::crl_last_mtime
time_t crl_last_mtime
CRL last modification time.
Definition ssl_mbedtls.h:126
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:489
tls_session::key_id
int key_id
The current active key id, used to keep track of renegotiations.
Definition ssl_common.h:511
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:524
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
user_pass
Definition misc.h:52
user_pass::token_defined
bool token_defined
Definition misc.h:56
user_pass::protected
bool protected
Definition misc.h:58
user_pass::defined
bool defined
Definition misc.h:53
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::nocache
bool nocache
Definition misc.h:57
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
es
struct env_set * es
Definition test_pkcs11.c:138
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:131
tls_crypt.h
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1381
Generated by doxygen 1.9.8