OpenVPN
ssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2026 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2026 Sentyron B.V. <openvpn@sentyron.com>
10 * Copyright (C) 2008-2026 David Sommerseth <dazo@eurephia.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
30/*
31 * The routines in this file deal with dynamically negotiating
32 * the data channel HMAC and cipher keys through a TLS session.
33 *
34 * Both the TLS session and the data channel are multiplexed
35 * over the same TCP/UDP port.
36 */
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "syshead.h"
42#include "win32.h"
43
44#include "error.h"
45#include "common.h"
46#include "socket.h"
47#include "misc.h"
48#include "fdmisc.h"
49#include "interval.h"
50#include "status.h"
51#include "gremlin.h"
52#include "pkcs11.h"
53#include "route.h"
54#include "tls_crypt.h"
55
56#include "crypto_epoch.h"
57#include "ssl.h"
58#include "ssl_verify.h"
59#include "ssl_backend.h"
60#include "ssl_ncp.h"
61#include "ssl_util.h"
62#include "auth_token.h"
63#include "mss.h"
64#include "dco.h"
65
66#include "memdbg.h"
67#include "openvpn.h"
68
69#ifdef MEASURE_TLS_HANDSHAKE_STATS
70
71static int tls_handshake_success; /* GLOBAL */
72static int tls_handshake_error; /* GLOBAL */
73static int tls_packets_generated; /* GLOBAL */
74static int tls_packets_sent; /* GLOBAL */
75
76#define INCR_SENT ++tls_packets_sent
77#define INCR_GENERATED ++tls_packets_generated
78#define INCR_SUCCESS ++tls_handshake_success
79#define INCR_ERROR ++tls_handshake_error
80
81void
82show_tls_performance_stats(void)
83{
84 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
85 (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
86 tls_handshake_success, tls_handshake_error,
87 (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
88}
89#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
90
91#define INCR_SENT
92#define INCR_GENERATED
93#define INCR_SUCCESS
94#define INCR_ERROR
95
96#endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
97
105static void
106tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
107{
108 if (cipher_kt_insecure(ciphername))
109 {
110 if (*reneg_bytes == -1) /* Not user-specified */
111 {
112 msg(M_WARN, "WARNING: cipher with small block size in use, "
113 "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
114 *reneg_bytes = 64 * 1024 * 1024;
115 }
116 }
117}
118
119static uint64_t
120tls_get_limit_aead(const char *ciphername)
121{
122 uint64_t limit = cipher_get_aead_limits(ciphername);
123
124 if (limit == 0)
125 {
126 return 0;
127 }
128
129 /* set limit to 7/8 of the limit so the renegotiation can succeed before
130 * we go over the limit */
131 limit = limit / 8 * 7;
132
133 msg(D_SHOW_KEYS,
134 "Note: AEAD cipher %s will trigger a renegotiation"
135 " at a sum of %" PRIi64 " blocks and packets.",
136 ciphername, limit);
137 return limit;
138}
139
140void
141tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
142{
143 /*
144 * frame->extra_frame is already initialized with tls_auth buffer requirements,
145 * if --tls-auth is enabled.
146 */
147
148 /* calculates the maximum overhead that control channel frames can have */
149 int overhead = 0;
150
151 /* Socks */
152 overhead += 10;
153
154 /* tls-auth and tls-crypt */
155 overhead += max_int(tls_crypt_buf_overhead(), packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
156
157 /* TCP length field and opcode */
158 overhead += 3;
159
160 /* ACK array and remote SESSION ID (part of the ACK array) */
161 overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
162
163 /* Previous OpenVPN version calculated the maximum size and buffer of a
164 * control frame depending on the overhead of the data channel frame
165 * overhead and limited its maximum size to 1250. Since control frames
166 * also need to fit into data channel buffer we have the same
167 * default of 1500 + 100 as data channel buffers have. Increasing
168 * control channel mtu beyond this limit also increases the data channel
169 * buffers */
170 frame->buf.payload_size = max_int(1500, tls_mtu) + 100;
171
172 frame->buf.headroom = overhead;
173 frame->buf.tailroom = overhead;
174
175 frame->tun_mtu = tls_mtu;
176
177 /* Ensure the tun-mtu stays in a valid range */
178 frame->tun_mtu = min_int(frame->tun_mtu, TLS_CHANNEL_BUF_SIZE);
179 frame->tun_mtu = max_int(frame->tun_mtu, TLS_CHANNEL_MTU_MIN);
180}
181
187static size_t
188calc_control_channel_frame_overhead(const struct tls_session *session)
189{
190 const struct key_state *ks = &session->key[KS_PRIMARY];
191 size_t overhead = 0;
192
193 /* opcode */
194 overhead += 1;
195
196 /* our own session id */
197 overhead += SID_SIZE;
198
199 /* ACK array and remote SESSION ID (part of the ACK array) */
200 int ackstosend = reliable_ack_outstanding(ks->rec_ack) + ks->lru_acks->len;
201 overhead += ACK_SIZE(min_int(ackstosend, CONTROL_SEND_ACK_MAX));
202
203 /* Message packet id */
204 overhead += sizeof(packet_id_type);
205
206 if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
207 {
208 overhead += tls_crypt_buf_overhead();
209 }
210 else if (session->tls_wrap.mode == TLS_WRAP_AUTH)
211 {
212 overhead += hmac_ctx_size(session->tls_wrap.opt.key_ctx_bi.encrypt.hmac);
213 overhead += packet_id_size(true);
214 }
215
216 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
217 * larger overhead but the risk of a TCP connection getting dropped because
218 * we try to send a too large packet is basically zero */
219 overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
220
221 return overhead;
222}
223
224void
225init_ssl_lib(void)
226{
227 tls_init_lib();
228
229 crypto_init_lib();
230}
231
232void
233free_ssl_lib(void)
234{
235 crypto_uninit_lib();
236
237 tls_free_lib();
238}
239
240/*
241 * OpenSSL library calls pem_password_callback if the
242 * private key is protected by a password.
243 */
244
245static struct user_pass passbuf; /* GLOBAL */
246
247void
248pem_password_setup(const char *auth_file)
249{
250 unprotect_user_pass(&passbuf);
251 if (!strlen(passbuf.password))
252 {
253 get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY,
254 GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
255 }
256}
257
258int
259pem_password_callback(char *buf, int size, int rwflag, void *u)
260{
261 if (buf)
262 {
263 /* prompt for password even if --askpass wasn't specified */
264 pem_password_setup(NULL);
265 ASSERT(!passbuf.protected);
266 strncpynt(buf, passbuf.password, (size_t)size);
267 purge_user_pass(&passbuf, false);
268
269 return (int)strlen(buf);
270 }
271 return 0;
272}
273
274/*
275 * Auth username/password handling
276 */
277
278static bool auth_user_pass_enabled; /* GLOBAL */
279static struct user_pass auth_user_pass; /* GLOBAL */
280static struct user_pass auth_token; /* GLOBAL */
281
282#ifdef ENABLE_MANAGEMENT
283static char *auth_challenge; /* GLOBAL */
284#endif
285
286void
291
292void
293auth_user_pass_setup(const char *auth_file, bool is_inline, bool username_only,
294 const struct static_challenge_info *sci)
295{
296 unsigned int flags = GET_USER_PASS_MANAGEMENT;
297
298 if (is_inline)
299 {
300 flags |= GET_USER_PASS_INLINE_CREDS;
301 }
302 if (username_only)
303 {
304 flags |= GET_USER_PASS_USERNAME_ONLY;
305 }
306
307 if (!auth_user_pass.defined && !auth_token.defined)
308 {
309 unprotect_user_pass(&auth_user_pass);
310#ifdef ENABLE_MANAGEMENT
311 if (auth_challenge) /* dynamic challenge/response */
312 {
313 flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
314 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, auth_challenge);
315 }
316 else if (sci) /* static challenge response */
317 {
318 flags |= GET_USER_PASS_STATIC_CHALLENGE;
319 if (sci->flags & SC_ECHO)
320 {
321 flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
322 }
323 if (sci->flags & SC_CONCAT)
324 {
325 flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
326 }
327 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text);
328 }
329 else
330#endif /* ifdef ENABLE_MANAGEMENT */
331 {
332 get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
333 }
334 }
335}
336
337/*
338 * Disable password caching
339 */
340void
341ssl_set_auth_nocache(void)
342{
343 passbuf.nocache = true;
344 auth_user_pass.nocache = true;
345}
346
347/*
348 * Get the password caching
349 */
350bool
351ssl_get_auth_nocache(void)
352{
353 return passbuf.nocache;
354}
355
356/*
357 * Set an authentication token
358 */
359void
360ssl_set_auth_token(const char *token)
361{
362 set_auth_token(&auth_token, token);
363}
364
365void
370
371/*
372 * Cleans an auth token and checks if it was active
373 */
374bool
375ssl_clean_auth_token(void)
376{
377 bool wasdefined = auth_token.defined;
378 purge_user_pass(&auth_token, true);
379 return wasdefined;
380}
381
382/*
383 * Forget private key password AND auth-user-pass username/password.
384 */
385void
386ssl_purge_auth(const bool auth_user_pass_only)
387{
388 if (!auth_user_pass_only)
389 {
390#ifdef ENABLE_PKCS11
391 pkcs11_logout();
392#endif
393 purge_user_pass(&passbuf, true);
394 }
395 purge_user_pass(&auth_user_pass, true);
396#ifdef ENABLE_MANAGEMENT
397 ssl_purge_auth_challenge();
398#endif
399}
400
401#ifdef ENABLE_MANAGEMENT
402
403void
404ssl_purge_auth_challenge(void)
405{
406 free(auth_challenge);
407 auth_challenge = NULL;
408}
409
410void
411ssl_put_auth_challenge(const char *cr_str)
412{
413 ssl_purge_auth_challenge();
414 auth_challenge = string_alloc(cr_str, NULL);
415}
416
417#endif
418
419/*
420 * Parse a TLS version string, returning a TLS_VER_x constant.
421 * If version string is not recognized and extra == "or-highest",
422 * return tls_version_max().
423 */
424int
425tls_version_parse(const char *vstr, const char *extra)
426{
427 const int max_version = tls_version_max();
428 if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
429 {
430 return TLS_VER_1_0;
431 }
432 else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
433 {
434 return TLS_VER_1_1;
435 }
436 else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
437 {
438 return TLS_VER_1_2;
439 }
440 else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
441 {
442 return TLS_VER_1_3;
443 }
444 else if (extra && !strcmp(extra, "or-highest"))
445 {
446 return max_version;
447 }
448 else
449 {
450 return TLS_VER_BAD;
451 }
452}
453
465static void
466tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
467{
468 /* if something goes wrong with stat(), we'll store 0 as mtime */
469 platform_stat_t crl_stat = { 0 };
470
471 /*
472 * an inline CRL can't change at runtime, therefore there is no need to
473 * reload it. It will be reloaded upon config change + SIGHUP.
474 * Use always '1' as dummy timestamp in this case: it will trigger the
475 * first load, but will prevent any future reload.
476 */
477 if (crl_file_inline)
478 {
479 crl_stat.st_mtime = 1;
480 }
481 else if (platform_stat(crl_file, &crl_stat) < 0)
482 {
483 /* If crl_last_mtime is zero, the CRL file has not been read before. */
484 if (ssl_ctx->crl_last_mtime == 0)
485 {
486 msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
487 }
488 else
489 {
490 msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
491 }
492 return;
493 }
494
495 /*
496 * Store the CRL if this is the first time or if the file was changed since
497 * the last load.
498 * Note: Windows does not support tv_nsec.
499 */
500 if ((ssl_ctx->crl_last_size == crl_stat.st_size)
501 && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
502 {
503 return;
504 }
505
506 ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
507 ssl_ctx->crl_last_size = crl_stat.st_size;
508 backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
509}
510
511/*
512 * Initialize SSL context.
513 * All files are in PEM format.
514 */
515struct tls_root_ctx *
516init_ssl(const struct options *options, bool in_chroot)
517{
518 tls_clear_error();
519
520 if (key_is_external(options))
521 {
522 load_xkey_provider();
523 }
524
525 struct tls_root_ctx *new_ctx;
526 ALLOC_OBJ_CLEAR(new_ctx, struct tls_root_ctx);
527
528 if (options->tls_server)
529 {
530 tls_ctx_server_new(new_ctx);
531
532 if (options->dh_file)
533 {
534 tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
535 }
536 }
537 else /* if client */
538 {
539 tls_ctx_client_new(new_ctx);
540 }
541
542 /* Restrict allowed certificate crypto algorithms */
543 tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
544
545 /* Allowable ciphers */
546 /* Since @SECLEVEL also influences loading of certificates, set the
547 * cipher restrictions before loading certificates */
548 tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
549 tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13);
550
551 /* Set the allow groups/curves for TLS if we want to override them */
552 if (options->tls_groups)
553 {
554 tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
555 }
556
557 if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
558 {
559 goto err;
560 }
561
562 if (options->pkcs12_file)
563 {
564 if (0
565 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline,
566 !options->ca_file))
567 {
568 goto err;
569 }
570 }
571#ifdef ENABLE_PKCS11
572 else if (options->pkcs11_providers[0])
573 {
574 if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
575 {
576 msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
577 options->pkcs11_id);
578 goto err;
579 }
580 }
581#endif
582#ifdef ENABLE_CRYPTOAPI
583 else if (options->cryptoapi_cert)
584 {
585 tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
586 }
587#endif
588#ifdef ENABLE_MANAGEMENT
589 else if (options->management_flags & MF_EXTERNAL_CERT)
590 {
591 char *cert = management_query_cert(management, options->management_certificate);
592 tls_ctx_load_cert_file(new_ctx, cert, true);
593 free(cert);
594 }
595#endif
596 else if (options->cert_file)
597 {
598 tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
599 }
600
601 if (options->priv_key_file)
602 {
603 if (0
604 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
605 options->priv_key_file_inline))
606 {
607 goto err;
608 }
609 }
610#ifdef ENABLE_MANAGEMENT
611 else if (options->management_flags & MF_EXTERNAL_KEY)
612 {
613 if (tls_ctx_use_management_external_key(new_ctx))
614 {
615 msg(M_WARN, "Cannot initialize mamagement-external-key");
616 goto err;
617 }
618 }
619#endif
620
621 if (options->ca_file || options->ca_path)
622 {
623 tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path,
624 options->tls_server);
625 }
626
627 /* Load extra certificates that are part of our own certificate
628 * chain but shouldn't be included in the verify chain */
629 if (options->extra_certs_file)
630 {
631 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file,
632 options->extra_certs_file_inline);
633 }
634
635 /* Check certificate notBefore and notAfter */
636 tls_ctx_check_cert_time(new_ctx);
637
638 /* Read CRL */
639 if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
640 {
641 /* If we're running with the chroot option, we may run init_ssl() before
642 * and after chroot-ing. We can use the crl_file path as-is if we're
643 * not going to chroot, or if we already are inside the chroot.
644 *
645 * If we're going to chroot later, we need to prefix the path of the
646 * chroot directory to crl_file.
647 */
648 if (!options->chroot_dir || in_chroot || options->crl_file_inline)
649 {
650 tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
651 }
652 else
653 {
654 struct gc_arena gc = gc_new();
655 struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
656 tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
657 gc_free(&gc);
658 }
659 }
660
661 /* Once keys and cert are loaded, load ECDH parameters */
662 if (options->tls_server)
663 {
664 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
665 }
666
667#ifdef ENABLE_CRYPTO_MBEDTLS
668 /* Personalise the random by mixing in the certificate */
669 tls_ctx_personalise_random(new_ctx);
670#endif
671
672 tls_clear_error();
673 return new_ctx;
674
675err:
676 tls_clear_error();
677 tls_ctx_free(new_ctx);
678 free(new_ctx);
679 return NULL;
680}
681
682/*
683 * Map internal constants to ascii names.
684 */
685static const char *
686state_name(int state)
687{
688 switch (state)
689 {
690 case S_UNDEF:
691 return "S_UNDEF";
692
693 case S_INITIAL:
694 return "S_INITIAL";
695
696 case S_PRE_START_SKIP:
697 return "S_PRE_START_SKIP";
698
699 case S_PRE_START:
700 return "S_PRE_START";
701
702 case S_START:
703 return "S_START";
704
705 case S_SENT_KEY:
706 return "S_SENT_KEY";
707
708 case S_GOT_KEY:
709 return "S_GOT_KEY";
710
711 case S_ACTIVE:
712 return "S_ACTIVE";
713
714 case S_ERROR:
715 return "S_ERROR";
716
717 case S_ERROR_PRE:
718 return "S_ERROR_PRE";
719
720 case S_GENERATED_KEYS:
721 return "S_GENERATED_KEYS";
722
723 default:
724 return "S_???";
725 }
726}
727
728static const char *
729ks_auth_name(enum ks_auth_state auth)
730{
731 switch (auth)
732 {
733 case KS_AUTH_TRUE:
734 return "KS_AUTH_TRUE";
735
736 case KS_AUTH_DEFERRED:
737 return "KS_AUTH_DEFERRED";
738
739 case KS_AUTH_FALSE:
740 return "KS_AUTH_FALSE";
741
742 default:
743 return "KS_????";
744 }
745}
746
747static const char *
748session_index_name(int index)
749{
750 switch (index)
751 {
752 case TM_ACTIVE:
753 return "TM_ACTIVE";
754
755 case TM_INITIAL:
756 return "TM_INITIAL";
757
758 case TM_LAME_DUCK:
759 return "TM_LAME_DUCK";
760
761 default:
762 return "TM_???";
763 }
764}
765
766/*
767 * For debugging.
768 */
769static const char *
770print_key_id(struct tls_multi *multi, struct gc_arena *gc)
771{
772 struct buffer out = alloc_buf_gc(256, gc);
773
774 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
775 {
776 struct key_state *ks = get_key_scan(multi, i);
777 buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
778 ks_auth_name(ks->authenticated), ks->key_id,
779 session_id_print(&ks->session_id_remote, gc));
780 }
781
782 return BSTR(&out);
783}
784
785bool
786is_hard_reset_method2(int op)
787{
788 if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2
789 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
790 {
791 return true;
792 }
793
794 return false;
795}
796
820static void
821key_state_init(struct tls_session *session, struct key_state *ks)
822{
823 update_time();
824
825 CLEAR(*ks);
826
827 /*
828 * Build TLS object that reads/writes ciphertext
829 * to/from memory BIOs.
830 */
831 key_state_ssl_init(&ks->ks_ssl, session->opt->ssl_ctx, session->opt->server, session);
832
833 /* Set control-channel initiation mode */
834 ks->initial_opcode = session->initial_opcode;
835 session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
836 ks->state = S_INITIAL;
837 ks->key_id = session->key_id;
838
839 /*
840 * key_id increments to KEY_ID_MASK then recycles back to 1.
841 * This way you know that if key_id is 0, it is the first key.
842 */
843 ++session->key_id;
844 session->key_id &= P_KEY_ID_MASK;
845 if (!session->key_id)
846 {
847 session->key_id = 1;
848 }
849
850 /* allocate key source material object */
851 ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
852
853 /* allocate reliability objects */
854 ALLOC_OBJ_CLEAR(ks->send_reliable, struct reliable);
855 ALLOC_OBJ_CLEAR(ks->rec_reliable, struct reliable);
856 ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
857 ALLOC_OBJ_CLEAR(ks->lru_acks, struct reliable_ack);
858
859 /* allocate buffers */
860 ks->plaintext_read_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
861 ks->plaintext_write_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
862 ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
863 reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
864 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
865 ks->key_id ? false : session->opt->xmit_hold);
866 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
867 session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
868 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
869
870 /* init packet ID tracker */
871 packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
872 session->opt->replay_time, "SSL", ks->key_id);
873
874 ks->crypto_options.pid_persist = NULL;
875
876#ifdef ENABLE_MANAGEMENT
877 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
878#endif
879
880 /*
881 * Attempt CRL reload before TLS negotiation. Won't be performed if
882 * the file was not modified since the last reload. This affects
883 * all instances (all instances share the same context).
884 */
885 if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
886 {
887 tls_ctx_reload_crl(session->opt->ssl_ctx, session->opt->crl_file,
888 session->opt->crl_file_inline);
889 }
890}
891
892
906static void
907key_state_free(struct key_state *ks, bool clear)
908{
909 ks->state = S_UNDEF;
910
911 key_state_ssl_free(&ks->ks_ssl);
912
913 free_key_ctx_bi(&ks->crypto_options.key_ctx_bi);
914 free_epoch_key_ctx(&ks->crypto_options);
915 free_buf(&ks->plaintext_read_buf);
916 free_buf(&ks->plaintext_write_buf);
917 free_buf(&ks->ack_write_buf);
918 buffer_list_free(ks->paybuf);
919
920 reliable_free(ks->send_reliable);
921 reliable_free(ks->rec_reliable);
922
923 free(ks->rec_ack);
924 free(ks->lru_acks);
925 free(ks->key_src);
926
927 packet_id_free(&ks->crypto_options.packet_id);
928
929 key_state_rm_auth_control_files(&ks->plugin_auth);
930 key_state_rm_auth_control_files(&ks->script_auth);
931
932 if (clear)
933 {
934 secure_memzero(ks, sizeof(*ks));
935 }
936}
937
951static inline bool
952tls_session_user_pass_enabled(struct tls_session *session)
953{
954 return (session->opt->auth_user_pass_verify_script
955 || plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
956#ifdef ENABLE_MANAGEMENT
957 || management_enable_def_auth(management)
958#endif
959 );
960}
961
962
983static void
984tls_session_init(struct tls_multi *multi, struct tls_session *session)
985{
986 struct gc_arena gc = gc_new();
987
988 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
989
990 CLEAR(*session);
991
992 /* Set options data to point to parent's option structure */
993 session->opt = &multi->opt;
994
995 /* Randomize session # if it is 0 */
996 while (!session_id_defined(&session->session_id))
997 {
998 session_id_random(&session->session_id);
999 }
1000
1001 /* Are we a TLS server or client? */
1002 if (session->opt->server)
1003 {
1004 session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2;
1005 }
1006 else
1007 {
1008 session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
1009 : P_CONTROL_HARD_RESET_CLIENT_V2;
1010 }
1011
1012 /* Initialize control channel authentication parameters */
1013 session->tls_wrap = session->opt->tls_wrap;
1014 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1015
1016 /* initialize packet ID replay window for --tls-auth */
1017 packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
1018 session->opt->replay_time, "TLS_WRAP", session->key_id);
1019
1020 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
1021 * to indicate early protocol negotiation */
1022 if (session->opt->tls_crypt_v2)
1023 {
1024 session->tls_wrap.opt.packet_id.send.time = now;
1025 session->tls_wrap.opt.packet_id.send.id = EARLY_NEG_START;
1026 }
1027
1028 /* load most recent packet-id to replay protect on --tls-auth */
1029 packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
1030
1031 key_state_init(session, &session->key[KS_PRIMARY]);
1032
1033 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1034 session_id_print(&session->session_id, &gc));
1035
1036 gc_free(&gc);
1037}
1038
1054static void
1055tls_session_free(struct tls_session *session, bool clear)
1056{
1057 tls_wrap_free(&session->tls_wrap);
1058 tls_wrap_free(&session->tls_wrap_reneg);
1059
1060 for (size_t i = 0; i < KS_SIZE; ++i)
1061 {
1062 /* we don't need clear=true for this call since
1063 * the structs are part of session and get cleared
1064 * as part of session */
1065 key_state_free(&session->key[i], false);
1066 }
1067
1068 free(session->common_name);
1069
1070 cert_hash_free(session->cert_hash_set);
1071
1072 if (clear)
1073 {
1074 secure_memzero(session, sizeof(*session));
1075 }
1076}
1077
1083static void
1084move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1085{
1086 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1087 session_index_name(dest), session_index_name(src), reinit_src);
1088 ASSERT(src != dest);
1089 ASSERT(src >= 0 && src < TM_SIZE);
1090 ASSERT(dest >= 0 && dest < TM_SIZE);
1091 tls_session_free(&multi->session[dest], false);
1092 multi->session[dest] = multi->session[src];
1093
1094 if (reinit_src)
1095 {
1096 tls_session_init(multi, &multi->session[src]);
1097 }
1098 else
1099 {
1100 secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1101 }
1102
1103 dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1104}
1105
1106static void
1107reset_session(struct tls_multi *multi, struct tls_session *session)
1108{
1109 tls_session_free(session, false);
1110 tls_session_init(multi, session);
1111}
1112
1113/*
1114 * Used to determine in how many seconds we should be
1115 * called again.
1116 */
1117static inline void
1118compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
1119{
1120 if (seconds_from_now < *earliest)
1121 {
1122 *earliest = (interval_t)seconds_from_now;
1123 }
1124 if (*earliest < 0)
1125 {
1126 *earliest = 0;
1127 }
1128}
1129
1130/*
1131 * Return true if "lame duck" or retiring key has expired and can
1132 * no longer be used.
1133 */
1134static inline bool
1135lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
1136{
1137 const struct key_state *lame = &session->key[KS_LAME_DUCK];
1138 if (lame->state >= S_INITIAL)
1139 {
1140 ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1141 if (now < lame->must_die)
1142 {
1143 compute_earliest_wakeup(wakeup, lame->must_die - now);
1144 return false;
1145 }
1146 else
1147 {
1148 return true;
1149 }
1150 }
1151 else if (lame->state == S_ERROR)
1152 {
1153 return true;
1154 }
1155 else
1156 {
1157 return false;
1158 }
1159}
1160
1161struct tls_multi *
1162tls_multi_init(struct tls_options *tls_options)
1163{
1164 struct tls_multi *ret;
1165
1166 ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1167
1168 /* get command line derived options */
1169 ret->opt = *tls_options;
1170 ret->dco_peer_id = -1;
1171 ret->peer_id = MAX_PEER_ID;
1172
1173 return ret;
1174}
1175
1176void
1177tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
1178{
1179 tls_init_control_channel_frame_parameters(&multi->opt.frame, tls_mtu);
1180 /* initialize the active and untrusted sessions */
1181
1182 tls_session_init(multi, &multi->session[TM_ACTIVE]);
1183 tls_session_init(multi, &multi->session[TM_INITIAL]);
1184}
1185
1186/*
1187 * Initialize and finalize a standalone tls-auth verification object.
1188 */
1189
1190struct tls_auth_standalone *
1191tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
1192{
1193 struct tls_auth_standalone *tas;
1194
1195 ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1196
1197 tas->tls_wrap = tls_options->tls_wrap;
1198
1199 /*
1200 * Standalone tls-auth is in read-only mode with respect to TLS
1201 * control channel state. After we build a new client instance
1202 * object, we will process this session-initiating packet for real.
1203 */
1204 tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID;
1205
1206 /* get initial frame parms, still need to finalize */
1207 tas->frame = tls_options->frame;
1208
1209 packet_id_init(&tas->tls_wrap.opt.packet_id, tls_options->replay_window,
1210 tls_options->replay_time, "TAS", 0);
1211
1212 return tas;
1213}
1214
1215void
1216tls_auth_standalone_free(struct tls_auth_standalone *tas)
1217{
1218 if (!tas)
1219 {
1220 return;
1221 }
1222
1223 packet_id_free(&tas->tls_wrap.opt.packet_id);
1224}
1225
1226/*
1227 * Set local and remote option compatibility strings.
1228 * Used to verify compatibility of local and remote option
1229 * sets.
1230 */
1231void
1232tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
1233{
1234 /* initialize options string */
1235 multi->opt.local_options = local;
1236 multi->opt.remote_options = remote;
1237}
1238
1239/*
1240 * Cleanup a tls_multi structure and free associated memory allocations.
1241 */
1242void
1243tls_multi_free(struct tls_multi *multi, bool clear)
1244{
1245 ASSERT(multi);
1246
1247 auth_set_client_reason(multi, NULL);
1248
1249 free(multi->peer_info);
1250 free(multi->locked_cn);
1251 free(multi->locked_username);
1252 free(multi->locked_original_username);
1253
1254 cert_hash_free(multi->locked_cert_hash_set);
1255
1256 wipe_auth_token(multi);
1257
1258 free(multi->remote_ciphername);
1259
1260 for (int i = 0; i < TM_SIZE; ++i)
1261 {
1262 tls_session_free(&multi->session[i], false);
1263 }
1264
1265 if (clear)
1266 {
1267 secure_memzero(multi, sizeof(*multi));
1268 }
1269
1270 free(multi);
1271}
1272
1273/*
1274 * For debugging, print contents of key_source2 structure.
1275 */
1276
1277static void
1278key_source_print(const struct key_source *k, const char *prefix)
1279{
1280 struct gc_arena gc = gc_new();
1281
1282 VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1283 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1284 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1285
1286 dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
1287 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1288 dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
1289 format_hex(k->random1, sizeof(k->random1), 0, &gc));
1290 dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
1291 format_hex(k->random2, sizeof(k->random2), 0, &gc));
1292
1293 gc_free(&gc);
1294}
1295
1296static void
1297key_source2_print(const struct key_source2 *k)
1298{
1299 key_source_print(&k->client, "Client");
1300 key_source_print(&k->server, "Server");
1301}
1302
1303static bool
1304openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed,
1305 size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len,
1306 const struct session_id *client_sid, const struct session_id *server_sid,
1307 uint8_t *output, size_t output_len)
1308{
1309 /* concatenate seed components */
1310
1311 struct buffer seed =
1312 alloc_buf(strlen(label) + client_seed_len + server_seed_len + SID_SIZE * 2);
1313
1314 ASSERT(buf_write(&seed, label, strlen(label)));
1315 ASSERT(buf_write(&seed, client_seed, client_seed_len));
1316 ASSERT(buf_write(&seed, server_seed, server_seed_len));
1317
1318 if (client_sid)
1319 {
1320 ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1321 }
1322 if (server_sid)
1323 {
1324 ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1325 }
1326
1327 /* compute PRF */
1328 bool ret = ssl_tls1_PRF(BPTR(&seed), BLENZ(&seed), secret, secret_len, output, output_len);
1329
1330 buf_clear(&seed);
1331 free_buf(&seed);
1332
1333 VALGRIND_MAKE_READABLE((void *)output, output_len);
1334 return ret;
1335}
1336
1337static void
1338init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1339 bool server, struct key2 *key2)
1340{
1341 /* For now we hardcode this to be 16 for the software based data channel
1342 * DCO based implementations/HW implementation might adjust this number
1343 * based on their expected speed */
1344 const uint8_t future_key_count = 16;
1345
1346 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1347 struct key_direction_state kds;
1348 key_direction_state_init(&kds, key_direction);
1349
1350 struct crypto_options *co = &ks->crypto_options;
1351
1352 /* For the epoch key we use the first 32 bytes of key2 cipher keys
1353 * for the initial secret */
1354 struct epoch_key e1_send = { 0 };
1355 e1_send.epoch = 1;
1356 memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key));
1357
1358 struct epoch_key e1_recv = { 0 };
1359 e1_recv.epoch = 1;
1360 memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key));
1361
1362 /* DCO implementations have two choices at this point.
1363 *
1364 * a) (more likely) they probably to pass E1 directly to kernel
1365 * space at this point and do all the other key derivation in kernel
1366 *
1367 * b) They let userspace do the key derivation and pass all the individual
1368 * keys to the DCO layer.
1369 * */
1370 epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
1371
1372 secure_memzero(&e1_send, sizeof(e1_send));
1373 secure_memzero(&e1_recv, sizeof(e1_recv));
1374}
1375
1376static void
1377init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1378 bool server, struct key2 *key2, bool dco_enabled)
1379{
1380 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1381
1382 /* Initialize key contexts */
1383 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1384
1385 if (dco_enabled)
1386 {
1387 if (key->encrypt.hmac)
1388 {
1389 msg(M_FATAL, "FATAL: DCO does not support --auth");
1390 }
1391
1392 int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
1393 if (ret < 0)
1394 {
1395 msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
1396 }
1397
1398 /* encrypt/decrypt context are unused with DCO */
1399 CLEAR(key->encrypt);
1400 CLEAR(key->decrypt);
1401 key->initialized = true;
1402 }
1403 else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT)
1404 {
1405 if (!cipher_kt_mode_aead(key_type->cipher))
1406 {
1407 msg(M_FATAL,
1408 "AEAD cipher (currently %s) "
1409 "required for epoch data format.",
1410 cipher_kt_name(key_type->cipher));
1411 }
1412 init_epoch_keys(ks, multi, key_type, server, key2);
1413 }
1414 else
1415 {
1416 init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1417 }
1418}
1419
1420static bool
1421generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
1422{
1423 if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
1424 strlen(EXPORT_KEY_DATA_LABEL), key2->keys,
1425 sizeof(key2->keys)))
1426 {
1427 return false;
1428 }
1429 key2->n = 2;
1430
1431 return true;
1432}
1433
1434static bool
1435generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
1436{
1437 uint8_t master[48] = { 0 };
1438
1439 const struct key_state *ks = &session->key[KS_PRIMARY];
1440 const struct key_source2 *key_src = ks->key_src;
1441
1442 const struct session_id *client_sid =
1443 session->opt->server ? &ks->session_id_remote : &session->session_id;
1444 const struct session_id *server_sid =
1445 !session->opt->server ? &ks->session_id_remote : &session->session_id;
1446
1447 /* debugging print of source key material */
1448 key_source2_print(key_src);
1449
1450 /* compute master secret */
1451 if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
1452 KEY_EXPANSION_ID " master secret", key_src->client.random1,
1453 sizeof(key_src->client.random1), key_src->server.random1,
1454 sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
1455 {
1456 return false;
1457 }
1458
1459 /* compute key expansion */
1460 if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
1461 key_src->client.random2, sizeof(key_src->client.random2),
1462 key_src->server.random2, sizeof(key_src->server.random2), client_sid,
1463 server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
1464 {
1465 return false;
1466 }
1467 secure_memzero(&master, sizeof(master));
1468
1469 key2->n = 2;
1470
1471 return true;
1472}
1473
1474/*
1475 * Using source entropy from local and remote hosts, mix into
1476 * master key.
1477 */
1478static bool
1479generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
1480{
1481 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1482 bool ret = false;
1483 struct key2 key2;
1484
1485 if (key->initialized)
1486 {
1487 msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1488 goto exit;
1489 }
1490
1491 bool server = session->opt->server;
1492
1493 if (session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
1494 {
1495 if (!generate_key_expansion_tls_export(session, &key2))
1496 {
1497 msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1498 goto exit;
1499 }
1500 }
1501 else
1502 {
1503 if (!generate_key_expansion_openvpn_prf(session, &key2))
1504 {
1505 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
1506 "might not support the old TLS 1.0 PRF calculation anymore or "
1507 "the policy does not allow it (e.g. running in FIPS mode). "
1508 "The peer did not announce support for the modern TLS Export "
1509 "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
1510 "2.6.x or higher)");
1511 goto exit;
1512 }
1513 }
1514
1515 key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
1516
1517 /* check for weak keys */
1518 for (int i = 0; i < 2; ++i)
1519 {
1520 if (!check_key(&key2.keys[i], &session->opt->key_type))
1521 {
1522 msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1523 goto exit;
1524 }
1525 }
1526
1527 init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
1528 ret = true;
1529
1530exit:
1531 secure_memzero(&key2, sizeof(key2));
1532
1533 return ret;
1534}
1535
1542bool
1543tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
1544{
1545 bool ret = false;
1546 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1547
1548 if (ks->authenticated <= KS_AUTH_FALSE)
1549 {
1550 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1551 goto cleanup;
1552 }
1553
1554 ks->crypto_options.flags = session->opt->crypto_flags;
1555
1556 if (!generate_key_expansion(multi, ks, session))
1557 {
1558 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1559 goto cleanup;
1560 }
1561 tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
1562
1563 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
1564
1565 /* set the state of the keys for the session to generated */
1566 ks->state = S_GENERATED_KEYS;
1567
1568 ret = true;
1569cleanup:
1570 secure_memzero(ks->key_src, sizeof(*ks->key_src));
1571 return ret;
1572}
1573
1574bool
1575tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session,
1576 struct options *options, struct frame *frame,
1577 struct frame *frame_fragment, struct link_socket_info *lsi,
1578 dco_context_t *dco)
1579{
1580 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
1581 {
1582 /* keys already generated, nothing to do */
1583 return true;
1584 }
1585
1586 init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
1587
1588 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1589 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1590 if (packet_id_long_form)
1591 {
1592 session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
1593 }
1594
1595 frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi);
1596
1597 frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1598
1599 /*
1600 * mssfix uses data channel framing, which at this point contains
1601 * actual overhead. Fragmentation logic uses frame_fragment, which
1602 * still contains worst case overhead. Replace it with actual overhead
1603 * to prevent unneeded fragmentation.
1604 */
1605
1606 if (frame_fragment)
1607 {
1608 frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi);
1609 frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1610 }
1611
1612 if (session->key[KS_PRIMARY].key_id == 0
1613 && session->opt->crypto_flags & CO_USE_DYNAMIC_TLS_CRYPT)
1614 {
1615 /* If dynamic tls-crypt has been negotiated, and we are on the
1616 * first session (key_id = 0), generate a tls-crypt key for the
1617 * following renegotiations */
1618 if (!tls_session_generate_dynamic_tls_crypt_key(session))
1619 {
1620 return false;
1621 }
1622 }
1623
1624 if (dco_enabled(options))
1625 {
1626 /* dco_set_peer() must be called if either keepalive or
1627 * mssfix are set to update in-kernel config */
1628 if (options->ping_send_timeout || frame->mss_fix)
1629 {
1630 int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
1631 options->ping_rec_timeout, frame->mss_fix);
1632 if (ret < 0)
1633 {
1634 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
1635 multi->dco_peer_id, strerror(-ret));
1636 return false;
1637 }
1638 }
1639 }
1640 return tls_session_generate_data_channel_keys(multi, session);
1641}
1642
1643bool
1644tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
1645 struct options *options, struct frame *frame,
1646 struct frame *frame_fragment, struct link_socket_info *lsi,
1647 dco_context_t *dco)
1648{
1649 if (!check_session_cipher(session, options))
1650 {
1651 return false;
1652 }
1653
1654 /* Import crypto settings that might be set by pull/push */
1655 session->opt->crypto_flags |= options->imported_protocol_flags;
1656
1657 return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
1658 lsi, dco);
1659}
1660
1661
1662static bool
1663random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
1664{
1665 if (!rand_bytes(out, outlen))
1666 {
1667 msg(M_FATAL,
1668 "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1669 }
1670 if (!buf_write(buf, out, outlen))
1671 {
1672 return false;
1673 }
1674 return true;
1675}
1676
1677static bool
1678key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
1679{
1680 struct key_source *k = &k2->client;
1681 if (server)
1682 {
1683 k = &k2->server;
1684 }
1685
1686 CLEAR(*k);
1687
1688 if (!server)
1689 {
1690 if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1691 {
1692 return false;
1693 }
1694 }
1695
1696 if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
1697 {
1698 return false;
1699 }
1700 if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
1701 {
1702 return false;
1703 }
1704
1705 return true;
1706}
1707
1708static int
1709key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
1710{
1711 struct key_source *k = &k2->client;
1712
1713 if (!server)
1714 {
1715 k = &k2->server;
1716 }
1717
1718 CLEAR(*k);
1719
1720 if (server)
1721 {
1722 if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
1723 {
1724 return 0;
1725 }
1726 }
1727
1728 if (!buf_read(buf, k->random1, sizeof(k->random1)))
1729 {
1730 return 0;
1731 }
1732 if (!buf_read(buf, k->random2, sizeof(k->random2)))
1733 {
1734 return 0;
1735 }
1736
1737 return 1;
1738}
1739
1740static void
1741flush_payload_buffer(struct key_state *ks)
1742{
1743 struct buffer *b;
1744
1745 while ((b = buffer_list_peek(ks->paybuf)))
1746 {
1747 key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len);
1748 buffer_list_pop(ks->paybuf);
1749 }
1750}
1751
1752/*
1753 * Move the active key to the lame duck key and reinitialize the
1754 * active key.
1755 */
1756static void
1757key_state_soft_reset(struct tls_session *session)
1758{
1759 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1760 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
1761
1762 ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
1763 key_state_free(ks_lame, false);
1764 *ks_lame = *ks;
1765
1766 key_state_init(session, ks);
1767 ks->session_id_remote = ks_lame->session_id_remote;
1768 ks->remote_addr = ks_lame->remote_addr;
1769}
1770
1771void
1776
1777/*
1778 * Read/write strings from/to a struct buffer with a u16 length prefix.
1779 */
1780
1781static bool
1782write_empty_string(struct buffer *buf)
1783{
1784 if (!buf_write_u16(buf, 0))
1785 {
1786 return false;
1787 }
1788 return true;
1789}
1790
1791static bool
1792write_string(struct buffer *buf, const char *str, const int maxlen)
1793{
1794 const size_t len = strlen(str) + 1;
1795 const size_t real_maxlen = (maxlen >= 0 && maxlen <= UINT16_MAX) ? (size_t)maxlen : UINT16_MAX;
1796 if (len > real_maxlen)
1797 {
1798 return false;
1799 }
1800 if (!buf_write_u16(buf, (uint16_t)len))
1801 {
1802 return false;
1803 }
1804 if (!buf_write(buf, str, len))
1805 {
1806 return false;
1807 }
1808 return true;
1809}
1810
1821static int
1822read_string(struct buffer *buf, char *str, const unsigned int capacity)
1823{
1824 const int len = buf_read_u16(buf);
1825 if (len < 1 || len > (int)capacity)
1826 {
1827 buf_advance(buf, len);
1828
1829 /* will also return 0 for a no string being present */
1830 return -len;
1831 }
1832 if (!buf_read(buf, str, len))
1833 {
1834 return -len;
1835 }
1836 str[len - 1] = '\0';
1837 return len;
1838}
1839
1840static char *
1841read_string_alloc(struct buffer *buf)
1842{
1843 const int len = buf_read_u16(buf);
1844 char *str;
1845
1846 if (len < 1)
1847 {
1848 return NULL;
1849 }
1850 str = (char *)malloc(len);
1851 check_malloc_return(str);
1852 if (!buf_read(buf, str, len))
1853 {
1854 free(str);
1855 return NULL;
1856 }
1857 str[len - 1] = '\0';
1858 return str;
1859}
1860
1876static bool
1877push_peer_info(struct buffer *buf, struct tls_session *session)
1878{
1879 struct gc_arena gc = gc_new();
1880 bool ret = false;
1881 struct buffer out = alloc_buf_gc(512 * 3, &gc);
1882
1883 if (session->opt->push_peer_info_detail > 1)
1884 {
1885 /* push version */
1886 buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
1887
1888 /* push platform */
1889#if defined(TARGET_LINUX)
1890 buf_printf(&out, "IV_PLAT=linux\n");
1891#elif defined(TARGET_SOLARIS)
1892 buf_printf(&out, "IV_PLAT=solaris\n");
1893#elif defined(TARGET_OPENBSD)
1894 buf_printf(&out, "IV_PLAT=openbsd\n");
1895#elif defined(TARGET_DARWIN)
1896 buf_printf(&out, "IV_PLAT=mac\n");
1897#elif defined(TARGET_NETBSD)
1898 buf_printf(&out, "IV_PLAT=netbsd\n");
1899#elif defined(TARGET_FREEBSD)
1900 buf_printf(&out, "IV_PLAT=freebsd\n");
1901#elif defined(TARGET_ANDROID)
1902 buf_printf(&out, "IV_PLAT=android\n");
1903#elif defined(_WIN32)
1904 buf_printf(&out, "IV_PLAT=win\n");
1905#endif
1906 /* Announce that we do not require strict sequence numbers with
1907 * TCP. (TCP non-linear) */
1908 buf_printf(&out, "IV_TCPNL=1\n");
1909 }
1910
1911 /* These are the IV variable that are sent to peers in p2p mode */
1912 if (session->opt->push_peer_info_detail > 0)
1913 {
1914 /* support for P_DATA_V2 */
1915 int iv_proto = IV_PROTO_DATA_V2;
1916
1917 /* support for the latest --dns option */
1918 iv_proto |= IV_PROTO_DNS_OPTION_V2;
1919
1920 /* support for exit notify via control channel */
1921 iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
1922
1923 /* currently push-update is not supported when DCO is enabled */
1924 if (!session->opt->dco_enabled)
1925 {
1926 /* support push-updates */
1927 iv_proto |= IV_PROTO_PUSH_UPDATE;
1928 }
1929
1930 if (session->opt->pull)
1931 {
1932 /* support for receiving push_reply before sending
1933 * push request, also signal that the client wants
1934 * to get push-reply messages without requiring a round
1935 * trip for a push request message*/
1936 iv_proto |= IV_PROTO_REQUEST_PUSH;
1937
1938 /* Support keywords in the AUTH_PENDING control message */
1939 iv_proto |= IV_PROTO_AUTH_PENDING_KW;
1940
1941 /* support for AUTH_FAIL,TEMP control message */
1942 iv_proto |= IV_PROTO_AUTH_FAIL_TEMP;
1943
1944 /* support for tun-mtu as part of the push message */
1945 buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
1946 }
1947
1948 /* support for Negotiable Crypto Parameters */
1949 if (session->opt->mode == MODE_SERVER || session->opt->pull)
1950 {
1951 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
1952 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
1953 {
1954 buf_printf(&out, "IV_NCP=2\n");
1955 }
1956 }
1957 else
1958 {
1959 /* We are not using pull or p2mp server, instead do P2P NCP */
1960 iv_proto |= IV_PROTO_NCP_P2P;
1961 }
1962
1963 if (session->opt->data_epoch_supported)
1964 {
1965 iv_proto |= IV_PROTO_DATA_EPOCH;
1966 }
1967
1968 buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
1969
1970 iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
1971 iv_proto |= IV_PROTO_DYN_TLS_CRYPT;
1972
1973 buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
1974
1975 if (session->opt->push_peer_info_detail > 1)
1976 {
1977 /* push compression status */
1978#ifdef USE_COMP
1979 comp_generate_peer_info_string(&session->opt->comp_options, &out);
1980#endif
1981 }
1982
1983 if (session->opt->push_peer_info_detail > 2)
1984 {
1985 /* push mac addr */
1986 struct route_gateway_info rgi;
1987 get_default_gateway(&rgi, 0, session->opt->net_ctx);
1988 if (rgi.flags & RGI_HWADDR_DEFINED)
1989 {
1990 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
1991 }
1992 buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
1993#if defined(_WIN32)
1994 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
1995#else
1996 struct utsname u;
1997 uname(&u);
1998 buf_printf(&out, "IV_PLAT_VER=%s\n", u.release);
1999#endif
2000 }
2001
2002 if (session->opt->push_peer_info_detail > 1)
2003 {
2004 struct env_set *es = session->opt->es;
2005 /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
2006 for (struct env_item *e = es->list; e != NULL; e = e->next)
2007 {
2008 if (e->string)
2009 {
2010 if ((((strncmp(e->string, "UV_", 3) == 0
2011 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2012 && session->opt->push_peer_info_detail > 2)
2013 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2014 || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
2015 && buf_safe(&out, strlen(e->string) + 1))
2016 {
2017 buf_printf(&out, "%s\n", e->string);
2018 }
2019 }
2020 }
2021 }
2022
2023 if (!write_string(buf, BSTR(&out), -1))
2024 {
2025 goto error;
2026 }
2027 }
2028 else
2029 {
2030 if (!write_empty_string(buf)) /* no peer info */
2031 {
2032 goto error;
2033 }
2034 }
2035 ret = true;
2036
2037error:
2038 gc_free(&gc);
2039 return ret;
2040}
2041
2042#ifdef USE_COMP
2043static bool
2044write_compat_local_options(struct buffer *buf, const char *options)
2045{
2046 struct gc_arena gc = gc_new();
2047 const char *local_options = options_string_compat_lzo(options, &gc);
2048 bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2049 gc_free(&gc);
2050 return ret;
2051}
2052#endif
2053
2058static bool
2059key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2060{
2061 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2062
2063 ASSERT(buf_init(buf, 0));
2064
2065 /* write a uint32 0 */
2066 if (!buf_write_u32(buf, 0))
2067 {
2068 goto error;
2069 }
2070
2071 /* write key_method + flags */
2072 if (!buf_write_u8(buf, KEY_METHOD_2))
2073 {
2074 goto error;
2075 }
2076
2077 /* write key source material */
2078 if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2079 {
2080 goto error;
2081 }
2082
2083 /* write options string */
2084 {
2085#ifdef USE_COMP
2086 if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2087 && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2088 {
2089 if (!write_compat_local_options(buf, session->opt->local_options))
2090 {
2091 goto error;
2092 }
2093 }
2094 else
2095#endif
2096 if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2097 {
2098 goto error;
2099 }
2100 }
2101
2102 /* write username/password if specified or we are using a auth-token */
2103 if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
2104 {
2105#ifdef ENABLE_MANAGEMENT
2106 auth_user_pass_setup(session->opt->auth_user_pass_file,
2107 session->opt->auth_user_pass_file_inline,
2108 session->opt->auth_user_pass_username_only, session->opt->sci);
2109#else
2110 auth_user_pass_setup(session->opt->auth_user_pass_file,
2111 session->opt->auth_user_pass_file_inline,
2112 session->opt->auth_user_pass_username_only, NULL);
2113#endif
2114 struct user_pass *up = &auth_user_pass;
2115
2116 /*
2117 * If we have a valid auth-token, send that instead of real
2118 * username/password
2119 */
2120 if (auth_token.token_defined && auth_token.defined)
2121 {
2122 up = &auth_token;
2123 }
2124 unprotect_user_pass(up);
2125
2126 if (!write_string(buf, up->username, -1))
2127 {
2128 msg(M_WARN, "WARNING: Failed to write auth username to TLS buffer");
2129 goto error;
2130 }
2131 else if (!write_string(buf, up->password, -1))
2132 {
2133 msg(M_WARN, "WARNING: Failed to write auth password to TLS buffer");
2134 goto error;
2135 }
2136 /* save username for auth-token which may get pushed later */
2137 if (session->opt->pull && up != &auth_token)
2138 {
2139 unprotect_user_pass(&auth_token);
2140 strncpynt(auth_token.username, up->username, USER_PASS_LEN);
2141 protect_user_pass(&auth_token);
2142 }
2143 protect_user_pass(up);
2144 /* respect auth-nocache */
2145 purge_user_pass(&auth_user_pass, false);
2146 }
2147 else
2148 {
2149 if (!write_empty_string(buf)) /* no username */
2150 {
2151 goto error;
2152 }
2153 if (!write_empty_string(buf)) /* no password */
2154 {
2155 goto error;
2156 }
2157 }
2158
2159 if (!push_peer_info(buf, session))
2160 {
2161 goto error;
2162 }
2163
2164 if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
2165 {
2166 /* tls-server option set and not P2MP server, so we
2167 * are a P2P client running in tls-server mode */
2168 p2p_mode_ncp(multi, session);
2169 }
2170
2171 return true;
2172
2173error:
2174 msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2175 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2176 return false;
2177}
2178
2179static void
2180export_user_keying_material(struct tls_session *session)
2181{
2182 if (session->opt->ekm_size > 0)
2183 {
2184 const size_t size = session->opt->ekm_size;
2185 struct gc_arena gc = gc_new();
2186
2187 unsigned char *ekm = gc_malloc(size, true, &gc);
2188 if (key_state_export_keying_material(session, session->opt->ekm_label,
2189 session->opt->ekm_label_size, ekm,
2190 session->opt->ekm_size))
2191 {
2192 const size_t len = (size * 2) + 2;
2193
2194 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2195 setenv_str(session->opt->es, "exported_keying_material", key);
2196
2197 dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
2198 secure_memzero(ekm, size);
2199 }
2200 else
2201 {
2202 msg(M_WARN, "WARNING: Export keying material failed!");
2203 setenv_del(session->opt->es, "exported_keying_material");
2204 }
2205 gc_free(&gc);
2206 }
2207}
2208
2213static bool
2214key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2215{
2216 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2217
2218 struct gc_arena gc = gc_new();
2219 char *options;
2220 struct user_pass *up = NULL;
2221
2222 /* allocate temporary objects */
2223 ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2224
2225 /* discard leading uint32 */
2226 if (!buf_advance(buf, 4))
2227 {
2228 msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
2229 goto error;
2230 }
2231
2232 /* get key method */
2233 int key_method_flags = buf_read_u8(buf);
2234 if ((key_method_flags & KEY_METHOD_MASK) != 2)
2235 {
2236 msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2237 key_method_flags);
2238 goto error;
2239 }
2240
2241 /* get key source material (not actual keys yet) */
2242 if (!key_source2_read(ks->key_src, buf, session->opt->server))
2243 {
2244 msg(D_TLS_ERRORS,
2245 "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2246 goto error;
2247 }
2248
2249 /* get options */
2250 if (read_string(buf, options, TLS_OPTIONS_LEN) < 0)
2251 {
2252 msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2253 goto error;
2254 }
2255
2256 ks->authenticated = KS_AUTH_FALSE;
2257
2258 /* always extract username + password fields from buf, even if not
2259 * authenticating for it, because otherwise we can't get at the
2260 * peer_info data which follows behind
2261 */
2262 ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2263 int username_len = read_string(buf, up->username, USER_PASS_LEN);
2264 int password_len = read_string(buf, up->password, USER_PASS_LEN);
2265
2266 /* get peer info from control channel */
2267 free(multi->peer_info);
2268 multi->peer_info = read_string_alloc(buf);
2269 if (multi->peer_info)
2270 {
2271 output_peer_info_env(session->opt->es, multi->peer_info);
2272 }
2273
2274 free(multi->remote_ciphername);
2275 multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL);
2276 multi->remote_usescomp = strstr(options, ",comp-lzo,");
2277
2278 /* In OCC we send '[null-cipher]' instead 'none' */
2279 if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2280 {
2281 free(multi->remote_ciphername);
2282 multi->remote_ciphername = string_alloc("none", NULL);
2283 }
2284
2285 if (username_len < 0 || password_len < 0)
2286 {
2287 msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
2288 abs(password_len));
2289 auth_set_client_reason(multi, "Username or password is too long. "
2290 "Maximum length is 128 bytes");
2291
2292 /* treat the same as failed username/password and do not error
2293 * out (goto error) to sent an AUTH_FAILED back to the client */
2294 ks->authenticated = KS_AUTH_FALSE;
2295 }
2296 else if (tls_session_user_pass_enabled(session))
2297 {
2298 /* Perform username/password authentication */
2299 if (!username_len || !password_len)
2300 {
2301 CLEAR(*up);
2302 if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2303 {
2304 msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2305 goto error;
2306 }
2307 }
2308
2309 verify_user_pass(up, multi, session);
2310 }
2311 else
2312 {
2313 /* Session verification should have occurred during TLS negotiation*/
2314 if (!session->verified)
2315 {
2316 msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
2317 goto error;
2318 }
2319 ks->authenticated = KS_AUTH_TRUE;
2320 }
2321
2322 /* clear username and password from memory */
2323 secure_memzero(up, sizeof(*up));
2324
2325 /* Perform final authentication checks */
2326 if (ks->authenticated > KS_AUTH_FALSE)
2327 {
2328 verify_final_auth_checks(multi, session);
2329 }
2330
2331 /* check options consistency */
2332 if (!options_cmp_equal(options, session->opt->remote_options))
2333 {
2334 const char *remote_options = session->opt->remote_options;
2335#ifdef USE_COMP
2336 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2337 {
2338 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
2339 "with compression enabled.");
2340 remote_options = options_string_compat_lzo(remote_options, &gc);
2341 }
2342#endif
2343
2344 options_warning(options, remote_options);
2345 }
2346
2347 buf_clear(buf);
2348
2349 /*
2350 * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2351 * veto opportunity over authentication decision.
2352 */
2353 if ((ks->authenticated > KS_AUTH_FALSE)
2354 && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
2355 {
2356 export_user_keying_material(session);
2357
2358 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
2359 session->opt->es)
2360 != OPENVPN_PLUGIN_FUNC_SUCCESS)
2361 {
2362 ks->authenticated = KS_AUTH_FALSE;
2363 }
2364
2365 setenv_del(session->opt->es, "exported_keying_material");
2366 }
2367
2368 if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2369 {
2370 /* We are a p2p tls-client without pull, enable common
2371 * protocol options */
2372 p2p_mode_ncp(multi, session);
2373 }
2374
2375 gc_free(&gc);
2376 return true;
2377
2378error:
2379 ks->authenticated = KS_AUTH_FALSE;
2380 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2381 if (up)
2382 {
2383 secure_memzero(up, sizeof(*up));
2384 }
2385 buf_clear(buf);
2386 gc_free(&gc);
2387 return false;
2388}
2389
2390static int
2391auth_deferred_expire_window(const struct tls_options *o)
2392{
2393 int ret = o->handshake_window;
2394 const int r2 = o->renegotiate_seconds / 2;
2395
2396 if (o->renegotiate_seconds && r2 < ret)
2397 {
2398 ret = r2;
2399 }
2400 return ret;
2401}
2402
2409static bool
2410session_move_pre_start(const struct tls_session *session, struct key_state *ks,
2411 bool skip_initial_send)
2412{
2413 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2414 if (!buf)
2415 {
2416 return false;
2417 }
2418
2419 ks->initial = now;
2420 ks->must_negotiate = now + session->opt->handshake_window;
2421 ks->auth_deferred_expire = now + auth_deferred_expire_window(session->opt);
2422
2423 /* null buffer */
2424 reliable_mark_active_outgoing(ks->send_reliable, buf, ks->initial_opcode);
2425
2426 /* If we want to skip sending the initial handshake packet we still generate
2427 * it to increase internal counters etc. but immediately mark it as done */
2428 if (skip_initial_send)
2429 {
2430 reliable_mark_deleted(ks->send_reliable, buf);
2431 }
2432 INCR_GENERATED;
2433
2434 ks->state = skip_initial_send ? S_PRE_START_SKIP : S_PRE_START;
2435
2436 struct gc_arena gc = gc_new();
2437 dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2438 session_id_print(&session->session_id, &gc));
2439 gc_free(&gc);
2440
2441#ifdef ENABLE_MANAGEMENT
2442 if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
2443 {
2444 management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
2445 }
2446#endif
2447 return true;
2448}
2449
2454static void
2455session_move_active(struct tls_multi *multi, struct tls_session *session,
2456 struct link_socket_info *to_link_socket_info, struct key_state *ks)
2457{
2458 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2459
2460 ks->established = now;
2461 if (check_debug_level(D_HANDSHAKE))
2462 {
2463 print_details(&ks->ks_ssl, "Control Channel:");
2464 }
2465 ks->state = S_ACTIVE;
2466 /* Cancel negotiation timeout */
2467 ks->must_negotiate = 0;
2468 INCR_SUCCESS;
2469
2470 /* Set outgoing address for data channel packets */
2471 link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
2472 session->opt->es);
2473
2474 /* Check if we need to advance the tls_multi state machine */
2475 if (multi->multi_state == CAS_NOT_CONNECTED)
2476 {
2477 if (session->opt->mode == MODE_SERVER)
2478 {
2479 /* On a server we continue with running connect scripts next */
2480 multi->multi_state = CAS_WAITING_AUTH;
2481 }
2482 else
2483 {
2484 /* Skip the connect script related states */
2485 multi->multi_state = CAS_WAITING_OPTIONS_IMPORT;
2486 }
2487 }
2488
2489 /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2490 flush_payload_buffer(ks);
2491
2492#ifdef MEASURE_TLS_HANDSHAKE_STATS
2493 show_tls_performance_stats();
2494#endif
2495}
2496
2497bool
2498session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
2499 struct link_socket_actual *from)
2500{
2501 struct key_state *ks = &session->key[KS_PRIMARY];
2502 ks->session_id_remote = state->peer_session_id;
2503 ks->remote_addr = *from;
2504 session->session_id = state->server_session_id;
2505 session->untrusted_addr = *from;
2506 session->burst = true;
2507
2508 /* The OpenVPN protocol implicitly mandates that packet id always start
2509 * from 0 in the RESET packets as OpenVPN 2.x will not allow gaps in the
2510 * ids and starts always from 0. Since we skip/ignore one (RESET) packet
2511 * in each direction, we need to set the ids to 1 */
2512 ks->rec_reliable->packet_id = 1;
2513 /* for ks->send_reliable->packet_id, session_move_pre_start moves the
2514 * counter to 1 */
2515 session->tls_wrap.opt.packet_id.send.id = 1;
2516 return session_move_pre_start(session, ks, true);
2517}
2518
2522static bool
2523parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
2524{
2525 while (buf->len > 0)
2526 {
2527 if (buf_len(buf) < 4)
2528 {
2529 goto error;
2530 }
2531 /* read type */
2532 int type = buf_read_u16(buf);
2533 int len = buf_read_u16(buf);
2534 if (type < 0 || len < 0 || buf_len(buf) < len)
2535 {
2536 goto error;
2537 }
2538
2539 switch (type)
2540 {
2541 case TLV_TYPE_EARLY_NEG_FLAGS:
2542 if (len != sizeof(uint16_t))
2543 {
2544 goto error;
2545 }
2546 int flags = buf_read_u16(buf);
2547
2548 if (flags & EARLY_NEG_FLAG_RESEND_WKC)
2549 {
2550 ks->crypto_options.flags |= CO_RESEND_WKC;
2551 }
2552 break;
2553
2554 default:
2555 /* Skip types we do not parse */
2556 buf_advance(buf, len);
2557 }
2558 }
2559 reliable_mark_deleted(ks->rec_reliable, buf);
2560
2561 return true;
2562error:
2563 msg(D_TLS_ERRORS, "TLS Error: Early negotiation malformed packet");
2564 return false;
2565}
2566
2571static bool
2572read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
2573{
2574 int status = 0;
2575 if (buf->len)
2576 {
2577 status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2578 if (status == -1)
2579 {
2580 msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
2581 return false;
2582 }
2583 }
2584 else
2585 {
2586 status = 1;
2587 }
2588 if (status == 1)
2589 {
2590 reliable_mark_deleted(ks->rec_reliable, buf);
2591 *continue_tls_process = true;
2592 dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2593 }
2594 return true;
2595}
2596
2597static bool
2598control_packet_needs_wkc(const struct key_state *ks)
2599{
2600 return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
2601}
2602
2603
2604static bool
2605read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup,
2606 bool *continue_tls_process)
2607{
2608 ASSERT(buf_init(buf, 0));
2609
2610 int status = key_state_read_plaintext(&ks->ks_ssl, buf);
2611
2612 update_time();
2613 if (status == -1)
2614 {
2615 msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2616 return false;
2617 }
2618 if (status == 1)
2619 {
2620 *continue_tls_process = true;
2621 dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2622
2623 /* More data may be available, wake up again asap to check. */
2624 *wakeup = 0;
2625 }
2626 return true;
2627}
2628
2629static bool
2630write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
2631{
2632 struct key_state *ks = &session->key[KS_PRIMARY];
2633
2634 int rel_avail = reliable_get_num_output_sequenced_available(ks->send_reliable);
2635 if (rel_avail == 0)
2636 {
2637 return true;
2638 }
2639
2640 /* We need to determine how much space is actually available in the control
2641 * channel frame */
2642 int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, session->opt->frame.tun_mtu);
2643
2644 /* Subtract overhead */
2645 max_pkt_len -= (int)calc_control_channel_frame_overhead(session);
2646
2647 /* calculate total available length for outgoing tls ciphertext */
2648 int maxlen = max_pkt_len * rel_avail;
2649
2650 /* Is first packet one that will have a WKC appended? */
2651 if (control_packet_needs_wkc(ks))
2652 {
2653 maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
2654 }
2655
2656 /* If we end up with a size that leaves no room for payload, ignore the
2657 * constraints to still be to send a packet. This might have gone negative
2658 * if we have a large wrapped client key. */
2659 if (maxlen < 16)
2660 {
2661 msg(D_TLS_ERRORS,
2662 "Warning: --max-packet-size (%d) setting too low. "
2663 "Sending minimum sized packet.",
2664 session->opt->frame.tun_mtu);
2665 maxlen = 16;
2666 /* We set the maximum length here to ensure a packet with a wrapped
2667 * key can actually carry the 16 byte of payload */
2668 max_pkt_len = TLS_CHANNEL_BUF_SIZE;
2669 }
2670
2671 /* This seems a bit wasteful to allocate every time */
2672 struct gc_arena gc = gc_new();
2673 struct buffer tmp = alloc_buf_gc(maxlen, &gc);
2674
2675 int status = key_state_read_ciphertext(&ks->ks_ssl, &tmp);
2676
2677 if (status == -1)
2678 {
2679 msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2680 gc_free(&gc);
2681 return false;
2682 }
2683 if (status == 1)
2684 {
2685 /* Split the TLS ciphertext (TLS record) into multiple small packets
2686 * that respect tls_mtu */
2687 while (tmp.len > 0)
2688 {
2689 int len = max_pkt_len;
2690 int opcode = P_CONTROL_V1;
2691 if (control_packet_needs_wkc(ks))
2692 {
2693 opcode = P_CONTROL_WKC_V1;
2694 len = max_int(0, len - buf_len(session->tls_wrap.tls_crypt_v2_wkc));
2695 }
2696 /* do not send more than available */
2697 len = min_int(len, tmp.len);
2698
2699 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2700 /* we assert here since we checked for its availability before */
2701 ASSERT(buf);
2702 buf_copy_n(buf, &tmp, len);
2703
2704 reliable_mark_active_outgoing(ks->send_reliable, buf, opcode);
2705 INCR_GENERATED;
2706 *continue_tls_process = true;
2707 }
2708 dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2709 }
2710
2711 gc_free(&gc);
2712 return true;
2713}
2714
2715static bool
2716check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session,
2717 bool *continue_tls_process)
2718{
2719 /* Outgoing Ciphertext to reliable buffer */
2720 if (ks->state >= S_START)
2721 {
2722 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2723 if (buf)
2724 {
2725 if (!write_outgoing_tls_ciphertext(session, continue_tls_process))
2726 {
2727 return false;
2728 }
2729 }
2730 }
2731 return true;
2732}
2733
2734static bool
2735tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
2736 struct link_socket_actual **to_link_addr,
2737 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
2738{
2739 /* This variable indicates if we should call this method
2740 * again to process more incoming/outgoing TLS state/data
2741 * We want to repeat this until we either determined that there
2742 * is nothing more to process or that further processing
2743 * should only be done after the outer loop (sending packets etc.)
2744 * has run once more */
2745 bool continue_tls_process = false;
2746 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2747
2748 /* Initial handshake */
2749 if (ks->state == S_INITIAL)
2750 {
2751 continue_tls_process = session_move_pre_start(session, ks, false);
2752 }
2753
2754 /* Are we timed out on receive? */
2755 if (now >= ks->must_negotiate && ks->state >= S_UNDEF && ks->state < S_ACTIVE)
2756 {
2757 msg(D_TLS_ERRORS,
2758 "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2759 session->opt->handshake_window);
2760 goto error;
2761 }
2762
2763 /* Check if the initial three-way Handshake is complete.
2764 * We consider the handshake to be complete when our own initial
2765 * packet has been successfully ACKed. */
2766 if (ks->state == S_PRE_START && reliable_empty(ks->send_reliable))
2767 {
2768 ks->state = S_START;
2769 continue_tls_process = true;
2770
2771 /* New connection, remove any old X509 env variables */
2772 tls_x509_clear_env(session->opt->es);
2773 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2774 }
2775
2776 /* Wait for ACK */
2777 if (((ks->state == S_GOT_KEY && !session->opt->server)
2778 || (ks->state == S_SENT_KEY && session->opt->server))
2779 && reliable_empty(ks->send_reliable))
2780 {
2781 session_move_active(multi, session, to_link_socket_info, ks);
2782 continue_tls_process = true;
2783 }
2784
2785 /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2786 * for previously received packets) */
2787 if (!to_link->len && reliable_can_send(ks->send_reliable))
2788 {
2789 int opcode;
2790
2791 struct buffer *buf = reliable_send(ks->send_reliable, &opcode);
2792 ASSERT(buf);
2793 struct buffer b = *buf;
2794 INCR_SENT;
2795
2796 write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
2797 *to_link = b;
2798 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2799
2800 /* This changed the state of the outgoing buffer. In order to avoid
2801 * running this function again/further and invalidating the key_state
2802 * buffer and accessing the buffer that is now in to_link after it being
2803 * freed for a potential error, we shortcircuit exiting of the outer
2804 * process here. */
2805 return false;
2806 }
2807
2808 if (ks->state == S_ERROR_PRE)
2809 {
2810 /* When we end up here, we had one last chance to send an outstanding
2811 * packet that contained an alert. We do not ensure that this packet
2812 * has been successfully delivered (ie wait for the ACK etc)
2813 * but rather stop processing now */
2814 ks->state = S_ERROR;
2815 return false;
2816 }
2817
2818 /* Write incoming ciphertext to TLS object */
2819 struct reliable_entry *entry = reliable_get_entry_sequenced(ks->rec_reliable);
2820 if (entry)
2821 {
2822 /* The first packet from the peer (the reset packet) is special and
2823 * contains early protocol negotiation */
2824 if (entry->packet_id == 0 && is_hard_reset_method2(entry->opcode))
2825 {
2826 if (!parse_early_negotiation_tlvs(&entry->buf, ks))
2827 {
2828 goto error;
2829 }
2830 }
2831 else
2832 {
2833 if (!read_incoming_tls_ciphertext(&entry->buf, ks, &continue_tls_process))
2834 {
2835 goto error;
2836 }
2837 }
2838 }
2839
2840 /* Read incoming plaintext from TLS object */
2841 struct buffer *buf = &ks->plaintext_read_buf;
2842 if (!buf->len)
2843 {
2844 if (!read_incoming_tls_plaintext(ks, buf, wakeup, &continue_tls_process))
2845 {
2846 goto error;
2847 }
2848 }
2849
2850 /* Send Key */
2851 buf = &ks->plaintext_write_buf;
2852 if (!buf->len
2853 && ((ks->state == S_START && !session->opt->server)
2854 || (ks->state == S_GOT_KEY && session->opt->server)))
2855 {
2856 if (!key_method_2_write(buf, multi, session))
2857 {
2858 goto error;
2859 }
2860
2861 continue_tls_process = true;
2862 dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2863 ks->state = S_SENT_KEY;
2864 }
2865
2866 /* Receive Key */
2867 buf = &ks->plaintext_read_buf;
2868 if (buf->len
2869 && ((ks->state == S_SENT_KEY && !session->opt->server)
2870 || (ks->state == S_START && session->opt->server)))
2871 {
2872 if (!key_method_2_read(buf, multi, session))
2873 {
2874 goto error;
2875 }
2876
2877 continue_tls_process = true;
2878 dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2879 ks->state = S_GOT_KEY;
2880 }
2881
2882 /* Write outgoing plaintext to TLS object */
2883 buf = &ks->plaintext_write_buf;
2884 if (buf->len)
2885 {
2886 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2887 if (status == -1)
2888 {
2889 msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2890 goto error;
2891 }
2892 if (status == 1)
2893 {
2894 continue_tls_process = true;
2895 dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2896 }
2897 }
2898 if (!check_outgoing_ciphertext(ks, session, &continue_tls_process))
2899 {
2900 goto error;
2901 }
2902
2903 return continue_tls_process;
2904error:
2905 tls_clear_error();
2906
2907 /* Shut down the TLS session but do a last read from the TLS
2908 * object to be able to read potential TLS alerts */
2909 key_state_ssl_shutdown(&ks->ks_ssl);
2910 check_outgoing_ciphertext(ks, session, &continue_tls_process);
2911
2912 /* Put ourselves in the pre error state that will only send out the
2913 * control channel packets but nothing else */
2914 ks->state = S_ERROR_PRE;
2915
2916 msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
2917 INCR_ERROR;
2918 return true;
2919}
2920
2921#if defined(__GNUC__) || defined(__clang__)
2922#pragma GCC diagnostic push
2923#pragma GCC diagnostic ignored "-Wsign-compare"
2924#endif
2925
2930static bool
2931should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
2932{
2933 /* Time limit */
2934 if (session->opt->renegotiate_seconds
2935 && now >= ks->established + session->opt->renegotiate_seconds)
2936 {
2937 return true;
2938 }
2939
2940 /* Byte limit */
2941 if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
2942 {
2943 return true;
2944 }
2945
2946 /* Packet limit */
2947 if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
2948 {
2949 return true;
2950 }
2951
2952 /* epoch key id approaching the 16 bit limit */
2953 if (ks->crypto_options.flags & CO_EPOCH_DATA_KEY_FORMAT)
2954 {
2955 /* We only need to check the send key as we always keep send
2956 * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */
2957 if (ks->crypto_options.epoch_key_send.epoch >= 0xF000)
2958 {
2959 return true;
2960 }
2961 else
2962 {
2963 return false;
2964 }
2965 }
2966
2967
2968 /* Packet id approach the limit of the packet id */
2969 if (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))
2970 {
2971 return true;
2972 }
2973
2974 /* Check the AEAD usage limit of cleartext blocks + packets.
2975 *
2976 * Contrary to when epoch data mode is active, where only the sender side
2977 * checks the limit, here we check both receive and send limit since
2978 * we assume that only one side is aware of the limit.
2979 *
2980 * Since if both sides were aware, then both sides will probably also
2981 * switch to use epoch data channel instead, so this code is not
2982 * in effect then.
2983 *
2984 * When epoch are in use the crypto layer will handle this internally
2985 * with new epochs instead of triggering a renegotiation */
2986 const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi;
2987 const uint64_t usage_limit = session->opt->aead_usage_limit;
2988
2989 if (aead_usage_limit_reached(usage_limit, &key_ctx_bi->encrypt,
2990 ks->crypto_options.packet_id.send.id)
2991 || aead_usage_limit_reached(usage_limit, &key_ctx_bi->decrypt,
2992 ks->crypto_options.packet_id.rec.id))
2993 {
2994 return true;
2995 }
2996
2997 if (cipher_decrypt_verify_fail_warn(&key_ctx_bi->decrypt))
2998 {
2999 return true;
3000 }
3001
3002 return false;
3003}
3004
3005#if defined(__GNUC__) || defined(__clang__)
3006#pragma GCC diagnostic pop
3007#endif
3008
3009/*
3010 * This is the primary routine for processing TLS stuff inside the
3011 * the main event loop. When this routine exits
3012 * with non-error status, it will set *wakeup to the number of seconds
3013 * when it wants to be called again.
3014 *
3015 * Return value is true if we have placed a packet in *to_link which we
3016 * want to send to our peer.
3017 */
3018static bool
3019tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
3020 struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
3021 interval_t *wakeup)
3022{
3023 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
3024 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
3025
3026 /* Make sure we were initialized and that we're not in an error state */
3027 ASSERT(ks->state != S_UNDEF);
3028 ASSERT(ks->state != S_ERROR);
3029 ASSERT(session_id_defined(&session->session_id));
3030
3031 /* Should we trigger a soft reset? -- new key, keeps old key for a while */
3032 if (ks->state >= S_GENERATED_KEYS && should_trigger_renegotiation(session, ks))
3033 {
3034 msg(D_TLS_DEBUG_LOW,
3035 "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format
3036 "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64
3037 "/%" PRIu64,
3038 (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes,
3039 session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets,
3040 ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets,
3041 session->opt->aead_usage_limit,
3042 ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets,
3043 session->opt->aead_usage_limit);
3044 key_state_soft_reset(session);
3045 }
3046
3047 /* Kill lame duck key transition_window seconds after primary key negotiation */
3048 if (lame_duck_must_die(session, wakeup))
3049 {
3050 key_state_free(ks_lame, true);
3051 msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
3052 }
3053
3054 bool continue_tls_process = true;
3055 while (continue_tls_process)
3056 {
3057 update_time();
3058
3059 dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
3060 continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len,
3061 *wakeup);
3062 continue_tls_process =
3063 tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup);
3064
3065 if (ks->state == S_ERROR)
3066 {
3067 return false;
3068 }
3069 }
3070
3071 update_time();
3072
3073 /* We often send acks back to back to a following control packet. This
3074 * normally does not create a problem (apart from an extra packet).
3075 * However, with the P_CONTROL_WKC_V1 we need to ensure that the packet
3076 * gets resent if not received by remote, so instead we use an empty
3077 * control packet in this special case */
3078
3079 /* Send 1 or more ACKs (each received control packet gets one ACK) */
3080 if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3081 {
3082 if (control_packet_needs_wkc(ks))
3083 {
3084 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
3085 if (!buf)
3086 {
3087 return false;
3088 }
3089
3090 /* We do not write anything to the buffer, this way this will be
3091 * an empty control packet that gets the ack piggybacked and
3092 * also appended the wrapped client key since it has a WCK opcode */
3093 reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_WKC_V1);
3094 }
3095 else
3096 {
3097 struct buffer buf = ks->ack_write_buf;
3098 ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
3099 write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false);
3100 *to_link = buf;
3101 dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3102 }
3103 }
3104
3105 /* When should we wake up again? */
3106 if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3107 {
3108 compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable));
3109
3110 if (ks->must_negotiate)
3111 {
3112 compute_earliest_wakeup(wakeup, ks->must_negotiate - now);
3113 }
3114 }
3115
3116 if (ks->established && session->opt->renegotiate_seconds)
3117 {
3118 compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now);
3119 }
3120
3121 dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3122
3123 /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3124 if (*wakeup <= 0)
3125 {
3126 *wakeup = 1;
3127
3128 /* if we had something to send to remote, but to_link was busy,
3129 * let caller know we need to be called again soon */
3130 return true;
3131 }
3132
3133 /* If any of the state changes resulted in the to_link buffer being
3134 * set, we are also active */
3135 if (to_link->len)
3136 {
3137 return true;
3138 }
3139
3140 return false;
3141}
3142
3143
3151static void
3152check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
3153{
3154 uint8_t *dataptr = to_link->data;
3155 if (!dataptr)
3156 {
3157 return;
3158 }
3159
3160 /* Checks buffers in tls_wrap */
3161 if (session->tls_wrap.work.data == dataptr)
3162 {
3163 msg(M_INFO, "Warning buffer of freed TLS session is "
3164 "still in use (tls_wrap.work.data)");
3165 goto used;
3166 }
3167
3168 for (int i = 0; i < KS_SIZE; i++)
3169 {
3170 struct key_state *ks = &session->key[i];
3171 if (ks->state == S_UNDEF)
3172 {
3173 continue;
3174 }
3175
3176 /* we don't expect send_reliable to be NULL when state is
3177 * not S_UNDEF, but people have reported crashes nonetheless,
3178 * therefore we better catch this event, report and exit.
3179 */
3180 if (!ks->send_reliable)
3181 {
3182 msg(M_FATAL,
3183 "ERROR: session->key[%d]->send_reliable is NULL "
3184 "while key state is %s. Exiting.",
3185 i, state_name(ks->state));
3186 }
3187
3188 for (int j = 0; j < ks->send_reliable->size; j++)
3189 {
3190 if (ks->send_reliable->array[j].buf.data == dataptr)
3191 {
3192 msg(M_INFO,
3193 "Warning buffer of freed TLS session is still in"
3194 " use (session->key[%d].send_reliable->array[%d])",
3195 i, j);
3196
3197 goto used;
3198 }
3199 }
3200 }
3201 return;
3202
3203used:
3204 to_link->len = 0;
3205 to_link->data = 0;
3206 /* for debugging, you can add an ASSERT(0); here to trigger an abort */
3207}
3208/*
3209 * Called by the top-level event loop.
3210 *
3211 * Basically decides if we should call tls_process for
3212 * the active or untrusted sessions.
3213 */
3214
3215int
3216tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
3217 struct link_socket_actual **to_link_addr,
3218 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
3219{
3220 struct gc_arena gc = gc_new();
3221 int active = TLSMP_INACTIVE;
3222 bool error = false;
3223
3224 tls_clear_error();
3225
3226 /*
3227 * Process each session object having state of S_INITIAL or greater,
3228 * and which has a defined remote IP addr.
3229 */
3230
3231 for (int i = 0; i < TM_SIZE; ++i)
3232 {
3233 struct tls_session *session = &multi->session[i];
3234 struct key_state *ks = &session->key[KS_PRIMARY];
3235 struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3236
3237 /* set initial remote address. This triggers connecting with that
3238 * session. So we only do that if the TM_ACTIVE session is not
3239 * established */
3240 if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL
3241 && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3242 {
3243 ks->remote_addr = to_link_socket_info->lsa->actual;
3244 }
3245
3246 dmsg(D_TLS_DEBUG,
3247 "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i,
3248 state_name(ks->state), session_id_print(&session->session_id, &gc),
3249 session_id_print(&ks->session_id_remote, &gc),
3250 print_link_socket_actual(&ks->remote_addr, &gc));
3251
3252 if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3253 && link_socket_actual_defined(&ks->remote_addr))
3254 {
3255 struct link_socket_actual *tla = NULL;
3256
3257 update_time();
3258
3259 if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup))
3260 {
3261 active = TLSMP_ACTIVE;
3262 }
3263
3264 /*
3265 * If tls_process produced an outgoing packet,
3266 * return the link_socket_actual object (which
3267 * contains the outgoing address).
3268 */
3269 if (tla)
3270 {
3271 multi->to_link_addr = *tla;
3272 *to_link_addr = &multi->to_link_addr;
3273 }
3274
3275 /*
3276 * If tls_process hits an error:
3277 * (1) If the session has an unexpired lame duck key, preserve it.
3278 * (2) Reinitialize the session.
3279 * (3) Increment soft error count
3280 */
3281 if (ks->state == S_ERROR)
3282 {
3283 ++multi->n_soft_errors;
3284
3285 if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
3286 {
3287 error = true;
3288 }
3289
3290 if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS
3291 && !multi->opt.single_session)
3292 {
3293 check_session_buf_not_used(to_link, session);
3294 move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3295 }
3296 else
3297 {
3298 check_session_buf_not_used(to_link, session);
3299 reset_session(multi, session);
3300 }
3301 }
3302 }
3303 }
3304
3305 update_time();
3306
3307 enum tls_auth_status tas = tls_authentication_status(multi);
3308
3309 /* If we have successfully authenticated and are still waiting for the authentication to finish
3310 * move the state machine for the multi context forward */
3311
3312 if (multi->multi_state >= CAS_CONNECT_DONE)
3313 {
3314 /* Only generate keys for the TM_ACTIVE session. We defer generating
3315 * keys for TM_INITIAL until we actually trust it.
3316 * For TM_LAME_DUCK it makes no sense to generate new keys. */
3317 struct tls_session *session = &multi->session[TM_ACTIVE];
3318 struct key_state *ks = &session->key[KS_PRIMARY];
3319
3320 if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3321 {
3322 /* Session is now fully authenticated.
3323 * tls_session_generate_data_channel_keys will move ks->state
3324 * from S_ACTIVE to S_GENERATED_KEYS */
3325 if (!tls_session_generate_data_channel_keys(multi, session))
3326 {
3327 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3328 ks->authenticated = KS_AUTH_FALSE;
3329 key_state_ssl_shutdown(&ks->ks_ssl);
3330 ks->state = S_ERROR_PRE;
3331 }
3332
3333 /* Update auth token on the client if needed on renegotiation
3334 * (key id !=0) */
3335 if (session->key[KS_PRIMARY].key_id != 0)
3336 {
3337 resend_auth_token_renegotiation(multi, session);
3338 }
3339 }
3340 }
3341
3342 if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED)
3343 {
3344 multi->multi_state = CAS_PENDING;
3345 }
3346
3347 /*
3348 * If lame duck session expires, kill it.
3349 */
3350 if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3351 {
3352 tls_session_free(&multi->session[TM_LAME_DUCK], true);
3353 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3354 }
3355
3356 /*
3357 * If untrusted session achieves TLS authentication,
3358 * move it to active session, usurping any prior session.
3359 *
3360 * A semi-trusted session is one in which the certificate authentication
3361 * succeeded (if cert verification is enabled) but the username/password
3362 * verification failed. A semi-trusted session can forward data on the
3363 * TLS control channel but not on the tunnel channel.
3364 */
3365 if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
3366 {
3367 check_session_buf_not_used(to_link, &multi->session[TM_ACTIVE]);
3368 move_session(multi, TM_ACTIVE, TM_INITIAL, true);
3369 tas = tls_authentication_status(multi);
3370 msg(D_TLS_DEBUG_LOW,
3371 "TLS: tls_multi_process: initial untrusted "
3372 "session promoted to %strusted",
3373 tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3374
3375 if (multi->multi_state == CAS_CONNECT_DONE)
3376 {
3377 multi->multi_state = CAS_RECONNECT_PENDING;
3378 active = TLSMP_RECONNECT;
3379 }
3380 }
3381
3382 /*
3383 * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3384 * other key state objects are S_ACTIVE or higher.
3385 */
3386 if (error)
3387 {
3388 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3389 {
3390 if (get_key_scan(multi, i)->state >= S_ACTIVE)
3391 {
3392 goto nohard;
3393 }
3394 }
3395 ++multi->n_hard_errors;
3396 }
3397nohard:
3398
3399#ifdef ENABLE_DEBUG
3400 /* DEBUGGING -- flood peer with repeating connection attempts */
3401 {
3402 const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3403 if (throw_level)
3404 {
3405 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3406 {
3407 if (get_key_scan(multi, i)->state >= throw_level)
3408 {
3409 ++multi->n_hard_errors;
3410 ++multi->n_soft_errors;
3411 }
3412 }
3413 }
3414 }
3415#endif
3416
3417 gc_free(&gc);
3418
3419 return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3420}
3421
3426static void
3427print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from,
3428 int key_id)
3429{
3430 struct gc_arena gc = gc_new();
3431 const char *source = print_link_socket_actual(from, &gc);
3432
3433
3434 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3435 {
3436 struct key_state *ks = get_key_scan(multi, i);
3437 if (ks->key_id != key_id)
3438 {
3439 continue;
3440 }
3441
3442 /* Our key state has been progressed far enough to be part of a valid
3443 * session but has not generated keys. */
3444 if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
3445 {
3446 msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source,
3447 key_id);
3448 gc_free(&gc);
3449 return;
3450 }
3451 if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
3452 {
3453 msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id,
3454 (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
3455 gc_free(&gc);
3456 return;
3457 }
3458 }
3459
3460 msg(D_TLS_ERRORS,
3461 "TLS Error: local/remote TLS keys are out of sync: %s "
3462 "(received key id: %d, known key ids: %s)",
3463 source, key_id, print_key_id(multi, &gc));
3464 gc_free(&gc);
3465}
3466
3474static inline void
3475handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from,
3476 struct buffer *buf, struct crypto_options **opt, bool floated,
3477 const uint8_t **ad_start)
3478{
3479 struct gc_arena gc = gc_new();
3480
3481 uint8_t c = *BPTR(buf);
3482 int op = c >> P_OPCODE_SHIFT;
3483 int key_id = c & P_KEY_ID_MASK;
3484
3485 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3486 {
3487 struct key_state *ks = get_key_scan(multi, i);
3488
3489 /*
3490 * This is the basic test of TLS state compatibility between a local OpenVPN
3491 * instance and its remote peer.
3492 *
3493 * If the test fails, it tells us that we are getting a packet from a source
3494 * which claims reference to a prior negotiated TLS session, but the local
3495 * OpenVPN instance has no memory of such a negotiation.
3496 *
3497 * It almost always occurs on UDP sessions when the passive side of the
3498 * connection is restarted without the active side restarting as well (the
3499 * passive side is the server which only listens for the connections, the
3500 * active side is the client which initiates connections).
3501 */
3502 if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3503 && ks->authenticated == KS_AUTH_TRUE
3504 && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3505 {
3506 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3507 /* return appropriate data channel decrypt key in opt */
3508 *opt = &ks->crypto_options;
3509 if (op == P_DATA_V2)
3510 {
3511 *ad_start = BPTR(buf);
3512 }
3513 ASSERT(buf_advance(buf, 1));
3514 if (op == P_DATA_V1)
3515 {
3516 *ad_start = BPTR(buf);
3517 }
3518 else if (op == P_DATA_V2)
3519 {
3520 if (buf->len < 4)
3521 {
3522 msg(D_TLS_ERRORS,
3523 "Protocol error: received P_DATA_V2 from %s but length is < 4",
3524 print_link_socket_actual(from, &gc));
3525 ++multi->n_soft_errors;
3526 goto done;
3527 }
3528 ASSERT(buf_advance(buf, 3));
3529 }
3530
3531 ++ks->n_packets;
3532 ks->n_bytes += buf->len;
3533 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id,
3534 print_link_socket_actual(from, &gc));
3535 gc_free(&gc);
3536 return;
3537 }
3538 }
3539
3540 print_key_id_not_found_reason(multi, from, key_id);
3541
3542done:
3543 gc_free(&gc);
3544 tls_clear_error();
3545 buf->len = 0;
3546 *opt = NULL;
3547}
3548
3549/*
3550 *
3551 * When we are in TLS mode, this is the first routine which sees
3552 * an incoming packet.
3553 *
3554 * If it's a data packet, we set opt so that our caller can
3555 * decrypt it. We also give our caller the appropriate decryption key.
3556 *
3557 * If it's a control packet, we authenticate it and process it,
3558 * possibly creating a new tls_session if it represents the
3559 * first packet of a new session. For control packets, we will
3560 * also zero the size of *buf so that our caller ignores the
3561 * packet on our return.
3562 *
3563 * Note that openvpn only allows one active session at a time,
3564 * so a new session (once authenticated) will always usurp
3565 * an old session.
3566 *
3567 * Return true if input was an authenticated control channel
3568 * packet.
3569 *
3570 * If we are running in TLS thread mode, all public routines
3571 * below this point must be called with the L_TLS lock held.
3572 */
3573
3574bool
3575tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf,
3576 struct crypto_options **opt, bool floated, const uint8_t **ad_start)
3577{
3578 if (buf->len <= 0)
3579 {
3580 buf->len = 0;
3581 *opt = NULL;
3582 return false;
3583 }
3584
3585 struct gc_arena gc = gc_new();
3586 bool ret = false;
3587
3588 /* get opcode */
3589 uint8_t pkt_firstbyte = *BPTR(buf);
3590 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3591
3592 if ((op == P_DATA_V1) || (op == P_DATA_V2))
3593 {
3594 handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3595 return false;
3596 }
3597
3598 /* get key_id */
3599 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3600
3601 /* control channel packet */
3602 bool do_burst = false;
3603 bool new_link = false;
3604 struct session_id sid; /* remote session ID */
3605
3606 /* verify legal opcode */
3607 if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3608 {
3609 if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1)
3610 {
3611 msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3612 }
3613 msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
3614 print_link_socket_actual(from, &gc), op);
3615 goto error;
3616 }
3617
3618 /* hard reset ? */
3619 if (is_hard_reset_method2(op))
3620 {
3621 /* verify client -> server or server -> client connection */
3622 if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
3623 && !multi->opt.server)
3624 || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3625 {
3626 msg(D_TLS_ERRORS,
3627 "TLS Error: client->client or server->server connection attempted from %s",
3628 print_link_socket_actual(from, &gc));
3629 goto error;
3630 }
3631 }
3632
3633 /*
3634 * Authenticate Packet
3635 */
3636 dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op),
3637 print_link_socket_actual(from, &gc));
3638
3639 /* get remote session-id */
3640 {
3641 struct buffer tmp = *buf;
3642 buf_advance(&tmp, 1);
3643 if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3644 {
3645 msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
3646 print_link_socket_actual(from, &gc));
3647 goto error;
3648 }
3649 }
3650
3651 int i;
3652 /* use session ID to match up packet with appropriate tls_session object */
3653 for (i = 0; i < TM_SIZE; ++i)
3654 {
3655 struct tls_session *session = &multi->session[i];
3656 struct key_state *ks = &session->key[KS_PRIMARY];
3657
3658 dmsg(
3659 D_TLS_DEBUG,
3660 "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3661 i, state_name(ks->state), session_id_print(&session->session_id, &gc),
3662 session_id_print(&sid, &gc), print_link_socket_actual(from, &gc),
3663 session_id_print(&ks->session_id_remote, &gc),
3664 print_link_socket_actual(&ks->remote_addr, &gc));
3665
3666 if (session_id_equal(&ks->session_id_remote, &sid))
3667 /* found a match */
3668 {
3669 if (i == TM_LAME_DUCK)
3670 {
3671 msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s",
3672 session_id_print(&sid, &gc));
3673 goto error;
3674 }
3675 dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i,
3676 session_id_print(&sid, &gc));
3677 break;
3678 }
3679 }
3680
3681 /*
3682 * Hard reset and session id does not match any session in
3683 * multi->session: Possible initial packet. New sessions always start
3684 * as TM_INITIAL
3685 */
3686 if (i == TM_SIZE && is_hard_reset_method2(op))
3687 {
3688 /*
3689 * No match with existing sessions,
3690 * probably a new session.
3691 */
3692 struct tls_session *session = &multi->session[TM_INITIAL];
3693
3694 /*
3695 * If --single-session, don't allow any hard-reset connection request
3696 * unless it is the first packet of the session.
3697 */
3698 if (multi->opt.single_session && multi->n_sessions)
3699 {
3700 msg(D_TLS_ERRORS,
3701 "TLS Error: Cannot accept new session request from %s due "
3702 "to session context expire or --single-session",
3703 print_link_socket_actual(from, &gc));
3704 goto error;
3705 }
3706
3707 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, session->opt,
3708 true))
3709 {
3710 goto error;
3711 }
3712
3713#ifdef ENABLE_MANAGEMENT
3714 if (management)
3715 {
3716 management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL);
3717 }
3718#endif
3719
3720 /*
3721 * New session-initiating control packet is authenticated at this point,
3722 * assuming that the --tls-auth command line option was used.
3723 *
3724 * Without --tls-auth, we leave authentication entirely up to TLS.
3725 */
3726 msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
3727 print_link_socket_actual(from, &gc), session_id_print(&sid, &gc));
3728
3729 do_burst = true;
3730 new_link = true;
3731 i = TM_INITIAL;
3732 session->untrusted_addr = *from;
3733 }
3734 else
3735 {
3736 /*
3737 * Packet must belong to an existing session.
3738 */
3739 if (i != TM_ACTIVE && i != TM_INITIAL)
3740 {
3741 msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3742 print_link_socket_actual(from, &gc), i, packet_opcode_name(op));
3743 goto error;
3744 }
3745
3746 struct tls_session *session = &multi->session[i];
3747 struct key_state *ks = &session->key[KS_PRIMARY];
3748 /*
3749 * Verify remote IP address
3750 */
3751 if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3752 {
3753 msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3754 print_link_socket_actual(from, &gc));
3755 goto error;
3756 }
3757
3758 /*
3759 * Remote is requesting a key renegotiation. We only allow renegotiation
3760 * when the previous session is fully established to avoid weird corner
3761 * cases.
3762 */
3763 if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS)
3764 {
3765 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3766 session->opt, false))
3767 {
3768 goto error;
3769 }
3770
3771 key_state_soft_reset(session);
3772
3773 dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
3774 session_id_print(&sid, &gc));
3775 }
3776 else
3777 {
3778 bool initial_packet = false;
3779 if (ks->state == S_PRE_START_SKIP)
3780 {
3781 /* When we are coming from the session_skip_to_pre_start
3782 * method, we allow this initial packet to setup the
3783 * tls-crypt-v2 peer specific key */
3784 initial_packet = true;
3785 ks->state = S_PRE_START;
3786 }
3787 /*
3788 * Remote responding to our key renegotiation request?
3789 */
3790 if (op == P_CONTROL_SOFT_RESET_V1)
3791 {
3792 do_burst = true;
3793 }
3794
3795 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3796 session->opt, initial_packet))
3797 {
3798 /* if an initial packet in read_control_auth, we rather
3799 * error out than anything else */
3800 if (initial_packet)
3801 {
3802 multi->n_hard_errors++;
3803 }
3804 goto error;
3805 }
3806
3807 dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i,
3808 session_id_print(&sid, &gc));
3809 }
3810 }
3811
3812 /*
3813 * We have an authenticated control channel packet (if --tls-auth/tls-crypt
3814 * or tls-crypt-v2 was set).
3815 * Now pass to our reliability layer which deals with
3816 * packet acknowledgements, retransmits, sequencing, etc.
3817 */
3818 struct tls_session *session = &multi->session[i];
3819 struct key_state *ks = &session->key[KS_PRIMARY];
3820
3821 /* Make sure we were initialized and that we're not in an error state */
3822 ASSERT(ks->state != S_UNDEF);
3823 ASSERT(ks->state != S_ERROR);
3824 ASSERT(session_id_defined(&session->session_id));
3825
3826 /* Let our caller know we processed a control channel packet */
3827 ret = true;
3828
3829 /*
3830 * Set our remote address and remote session_id
3831 */
3832 if (new_link)
3833 {
3834 ks->session_id_remote = sid;
3835 ks->remote_addr = *from;
3836 ++multi->n_sessions;
3837 }
3838 else if (!link_socket_actual_match(&ks->remote_addr, from))
3839 {
3840 msg(D_TLS_ERRORS,
3841 "TLS Error: Existing session control channel packet from unknown IP address: %s",
3842 print_link_socket_actual(from, &gc));
3843 goto error;
3844 }
3845
3846 /*
3847 * Should we do a retransmit of all unacknowledged packets in
3848 * the send buffer? This improves the start-up efficiency of the
3849 * initial key negotiation after the 2nd peer comes online.
3850 */
3851 if (do_burst && !session->burst)
3852 {
3853 reliable_schedule_now(ks->send_reliable);
3854 session->burst = true;
3855 }
3856
3857 /* Check key_id */
3858 if (ks->key_id != key_id)
3859 {
3860 msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id,
3861 key_id, print_key_id(multi, &gc));
3862 goto error;
3863 }
3864
3865 /*
3866 * Process incoming ACKs for packets we can now
3867 * delete from reliable send buffer
3868 */
3869 {
3870 /* buffers all packet IDs to delete from send_reliable */
3871 struct reliable_ack send_ack;
3872
3873 if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3874 {
3875 msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet");
3876 goto error;
3877 }
3878 reliable_send_purge(ks->send_reliable, &send_ack);
3879 }
3880
3881 if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3882 {
3883 packet_id_type id;
3884
3885 /* Extract the packet ID from the packet */
3886 if (reliable_ack_read_packet_id(buf, &id))
3887 {
3888 /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3889 if (reliable_wont_break_sequentiality(ks->rec_reliable, id))
3890 {
3891 if (reliable_not_replay(ks->rec_reliable, id))
3892 {
3893 /* Save incoming ciphertext packet to reliable buffer */
3894 struct buffer *in = reliable_get_buf(ks->rec_reliable);
3895 ASSERT(in);
3896 if (!buf_copy(in, buf))
3897 {
3898 msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping.");
3899 goto error;
3900 }
3901 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
3902 }
3903
3904 /* Process outgoing acknowledgment for packet just received, even if it's a replay
3905 */
3906 reliable_ack_acknowledge_packet_id(ks->rec_ack, id);
3907 }
3908 }
3909 }
3910 /* Remember that we received a valid control channel packet */
3911 ks->peer_last_packet = now;
3912
3913done:
3914 buf->len = 0;
3915 *opt = NULL;
3916 gc_free(&gc);
3917 return ret;
3918
3919error:
3920 ++multi->n_soft_errors;
3921 tls_clear_error();
3922 goto done;
3923}
3924
3925
3926struct key_state *
3927tls_select_encryption_key(struct tls_multi *multi)
3928{
3929 struct key_state *ks_select = NULL;
3930 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3931 {
3932 struct key_state *ks = get_key_scan(multi, i);
3933 if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
3934 {
3935 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3936
3937 if (!ks_select)
3938 {
3939 ks_select = ks;
3940 }
3941 if (now >= ks->auth_deferred_expire)
3942 {
3943 ks_select = ks;
3944 break;
3945 }
3946 }
3947 }
3948 return ks_select;
3949}
3950
3951
3952/* Choose the key with which to encrypt a data packet */
3953void
3954tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
3955{
3956 multi->save_ks = NULL;
3957 if (buf->len <= 0)
3958 {
3959 buf->len = 0;
3960 *opt = NULL;
3961 return;
3962 }
3963
3964 struct key_state *ks_select = tls_select_encryption_key(multi);
3965
3966 if (ks_select)
3967 {
3968 *opt = &ks_select->crypto_options;
3969 multi->save_ks = ks_select;
3970 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3971 return;
3972 }
3973 else
3974 {
3975 struct gc_arena gc = gc_new();
3976 dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3977 print_key_id(multi, &gc));
3978 gc_free(&gc);
3979
3980 *opt = NULL;
3981 buf->len = 0;
3982 }
3983}
3984
3985void
3986tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3987{
3988 struct key_state *ks = multi->save_ks;
3989
3990 msg(D_TLS_DEBUG, __func__);
3991
3992 ASSERT(ks);
3993 ASSERT(ks->key_id <= P_KEY_ID_MASK);
3994
3995 uint8_t op = (P_DATA_V1 << P_OPCODE_SHIFT) | (uint8_t)ks->key_id;
3996 ASSERT(buf_write_prepend(buf, &op, 1));
3997}
3998
3999void
4000tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
4001{
4002 struct key_state *ks = multi->save_ks;
4003 uint32_t peer;
4004
4005 msg(D_TLS_DEBUG, __func__);
4006
4007 ASSERT(ks);
4008
4009 peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF));
4010 ASSERT(buf_write_prepend(buf, &peer, 4));
4011}
4012
4013void
4014tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
4015{
4016 struct key_state *ks = multi->save_ks;
4017 multi->save_ks = NULL;
4018
4019 if (buf->len > 0)
4020 {
4021 ASSERT(ks);
4022
4023 ++ks->n_packets;
4024 ks->n_bytes += buf->len;
4025 }
4026}
4027
4028/*
4029 * Send a payload over the TLS control channel.
4030 * Called externally.
4031 */
4032
4033bool
4034tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
4035{
4036 bool ret = false;
4037
4038 tls_clear_error();
4039
4040 ASSERT(ks);
4041
4042 if (ks->state >= S_ACTIVE)
4043 {
4044 ASSERT(size <= INT_MAX);
4045 if (key_state_write_plaintext_const(&ks->ks_ssl, data, (int)size) == 1)
4046 {
4047 ret = true;
4048 }
4049 }
4050 else
4051 {
4052 if (!ks->paybuf)
4053 {
4054 ks->paybuf = buffer_list_new();
4055 }
4056 buffer_list_push_data(ks->paybuf, data, size);
4057 ret = true;
4058 }
4059
4060
4061 tls_clear_error();
4062
4063 return ret;
4064}
4065
4066bool
4067tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
4068{
4069 bool ret = false;
4070
4071 tls_clear_error();
4072
4073 ASSERT(multi);
4074
4075 struct key_state *ks = get_key_scan(multi, 0);
4076
4077 if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4078 {
4079 if (buf_copy(buf, &ks->plaintext_read_buf))
4080 {
4081 ret = true;
4082 }
4083 ks->plaintext_read_buf.len = 0;
4084 }
4085
4086 tls_clear_error();
4087
4088 return ret;
4089}
4090
4091void
4092tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4093{
4094 struct gc_arena gc = gc_new();
4095 for (int i = 0; i < TM_SIZE; ++i)
4096 {
4097 struct tls_session *session = &multi->session[i];
4098
4099 for (int j = 0; j < KS_SIZE; ++j)
4100 {
4101 struct key_state *ks = &session->key[j];
4102
4103 if (!link_socket_actual_defined(&ks->remote_addr)
4104 || link_socket_actual_match(addr, &ks->remote_addr))
4105 {
4106 continue;
4107 }
4108
4109 dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4110 print_link_socket_actual(&ks->remote_addr, &gc),
4111 print_link_socket_actual(addr, &gc));
4112
4113 ks->remote_addr = *addr;
4114 }
4115 }
4116 gc_free(&gc);
4117}
4118
4119void
4120show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
4121 const char *tls_cert_profile)
4122{
4123 printf("Available TLS Ciphers, listed in order of preference:\n");
4124
4125 if (tls_version_max() >= TLS_VER_1_3)
4126 {
4127 printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4128 show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4129 }
4130
4131 printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4132 show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4133
4134 printf("\n"
4135 "Note: Whether a cipher suite in this list can actually work depends\n"
4136 "on the specific setup of both peers. See the man page entries of\n"
4137 "--tls-cipher and --show-tls for more details.\n\n");
4138}
4139
4140/*
4141 * Dump a human-readable rendition of an openvpn packet
4142 * into a garbage collectable string which is returned.
4143 */
4144const char *
4145protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4146{
4147 struct buffer out = alloc_buf_gc(256, gc);
4148 struct buffer buf = *buffer;
4149
4150 uint8_t c;
4151 int op;
4152 int key_id;
4153
4154 int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4155
4156 if (buf.len <= 0)
4157 {
4158 buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4159 goto done;
4160 }
4161
4162 if (!(flags & PD_TLS))
4163 {
4164 goto print_data;
4165 }
4166
4167 /*
4168 * Initial byte (opcode)
4169 */
4170 if (!buf_read(&buf, &c, sizeof(c)))
4171 {
4172 goto done;
4173 }
4174 op = (c >> P_OPCODE_SHIFT);
4175 key_id = c & P_KEY_ID_MASK;
4176 buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4177
4178 if ((op == P_DATA_V1) || (op == P_DATA_V2))
4179 {
4180 goto print_data;
4181 }
4182
4183 /*
4184 * Session ID
4185 */
4186 {
4187 struct session_id sid;
4188
4189 if (!session_id_read(&sid, &buf))
4190 {
4191 goto done;
4192 }
4193 if (flags & PD_VERBOSE)
4194 {
4195 buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4196 }
4197 }
4198
4199 /*
4200 * tls-auth hmac + packet_id
4201 */
4202 if (tls_auth_hmac_size)
4203 {
4204 struct packet_id_net pin;
4205 uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4206
4207 ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4208
4209 if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4210 {
4211 goto done;
4212 }
4213 if (flags & PD_VERBOSE)
4214 {
4215 buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4216 }
4217
4218 if (!packet_id_read(&pin, &buf, true))
4219 {
4220 goto done;
4221 }
4222 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4223 }
4224 /*
4225 * packet_id + tls-crypt hmac
4226 */
4227 if (flags & PD_TLS_CRYPT)
4228 {
4229 struct packet_id_net pin;
4230 uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
4231
4232 if (!packet_id_read(&pin, &buf, true))
4233 {
4234 goto done;
4235 }
4236 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4237 if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
4238 {
4239 goto done;
4240 }
4241 if (flags & PD_VERBOSE)
4242 {
4243 buf_printf(&out, " tls_crypt_hmac=%s",
4244 format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
4245 }
4246 /*
4247 * Remainder is encrypted and optional wKc
4248 */
4249 goto done;
4250 }
4251
4252 /*
4253 * ACK list
4254 */
4255 buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4256
4257 if (op == P_ACK_V1)
4258 {
4259 goto print_data;
4260 }
4261
4262 /*
4263 * Packet ID
4264 */
4265 {
4266 packet_id_type l;
4267 if (!buf_read(&buf, &l, sizeof(l)))
4268 {
4269 goto done;
4270 }
4271 l = ntohpid(l);
4272 buf_printf(&out, " pid=" packet_id_format, (packet_id_print_type)l);
4273 }
4274
4275print_data:
4276 if (flags & PD_SHOW_DATA)
4277 {
4278 buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4279 }
4280 else
4281 {
4282 buf_printf(&out, " DATA len=%d", buf.len);
4283 }
4284
4285done:
4286 return BSTR(&out);
4287}
wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:398
resend_auth_token_renegotiation
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:457
auth_token.h
buffer_list_push_data
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition buffer.c:1227
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buffer_list_pop
void buffer_list_pop(struct buffer_list *ol)
Definition buffer.c:1319
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
buffer_list_new
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1173
buffer_list_peek
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1255
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1182
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:648
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:691
BSTR
#define BSTR(buf)
Definition buffer.h:129
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:705
BPTR
#define BPTR(buf)
Definition buffer.h:123
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:698
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:673
buf_read_u16
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:798
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:711
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1110
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:519
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:763
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:254
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:415
buf_advance
static bool buf_advance(struct buffer *buf, ssize_t size)
Definition buffer.h:617
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:661
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:685
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1125
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:787
BLEN
#define BLEN(buf)
Definition buffer.h:126
format_hex
static char * format_hex(const uint8_t *data, size_t size, size_t maxoutput, struct gc_arena *gc)
Definition buffer.h:504
BLENZ
#define BLENZ(buf)
Definition buffer.h:127
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:362
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1131
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1049
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1088
buf_init
#define buf_init(buf, offset)
Definition buffer.h:210
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1041
interval_t
int interval_t
Definition common.h:37
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
counter_format
#define counter_format
Definition common.h:32
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1100
key2_print
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Prints the keys in a key2 structure.
Definition crypto.c:1180
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:875
check_key
bool check_key(struct key *key, const struct key_type *kt)
Definition crypto.c:1126
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:345
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1062
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1684
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition crypto.h:232
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:347
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:350
CO_RESEND_WKC
#define CO_RESEND_WKC
Bit-flag indicating that the client is expected to resend the wrapped client key with the 2nd packet ...
Definition crypto.h:363
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
cipher_decrypt_verify_fail_warn
static bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
Check if the number of failed decryption is approaching the limit and we should try to move to a new ...
Definition crypto.h:731
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition crypto.h:233
aead_usage_limit_reached
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
Definition crypto.h:760
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, uint8_t *output, size_t output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1408
crypto_uninit_lib
void crypto_uninit_lib(void)
Definition crypto_openssl.c:204
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:815
crypto_init_lib
void crypto_init_lib(void)
Definition crypto_openssl.c:189
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:802
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
cipher_kt_insecure
bool cipher_kt_insecure(const char *ciphername)
Returns true if we consider this cipher to be insecure.
Definition crypto_openssl.c:756
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:583
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition crypto_backend.h:502
OPENVPN_MAX_HMAC_SIZE
#define OPENVPN_MAX_HMAC_SIZE
Definition crypto_backend.h:55
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:338
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:353
crypto_epoch.h
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:341
dco_context_t
void * dco_context_t
Definition dco.h:259
init_key_dco_bi
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:321
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_KEYS
#define D_SHOW_KEYS
Definition errlevel.h:120
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:100
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_SHOW_KEY_SOURCE
#define D_SHOW_KEY_SOURCE
Definition errlevel.h:121
D_TLS_KEYSELECT
#define D_TLS_KEYSELECT
Definition errlevel.h:145
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:164
S_ACTIVE
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:100
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1191
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:546
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:469
key_state_free
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition ssl.c:907
tls_session_free
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition ssl.c:1055
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:141
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1243
S_ERROR_PRE
#define S_ERROR_PRE
Error state but try to send out alerts before killing the keystore and moving it to S_ERROR.
Definition ssl_common.h:79
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:465
S_PRE_START_SKIP
#define S_PRE_START_SKIP
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:87
S_UNDEF
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition ssl_common.h:82
S_START
#define S_START
Three-way handshake is complete, start of key exchange.
Definition ssl_common.h:93
S_GOT_KEY
#define S_GOT_KEY
Local OpenVPN process has received the remote's part of the key material.
Definition ssl_common.h:97
S_PRE_START
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:90
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1162
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1177
TM_LAME_DUCK
#define TM_LAME_DUCK
Old tls_session.
Definition ssl_common.h:549
tls_session_init
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition ssl.c:984
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session \ array.
Definition ssl_common.h:550
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1216
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:545
S_GENERATED_KEYS
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
KS_LAME_DUCK
#define KS_LAME_DUCK
Key state index that will retire \ soon.
Definition ssl_common.h:466
S_SENT_KEY
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition ssl_common.h:95
S_ERROR
#define S_ERROR
Error state.
Definition ssl_common.h:78
S_INITIAL
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake.
Definition ssl_common.h:84
key_state_init
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition ssl.c:821
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1232
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition ssl_openssl.c:2330
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition ssl_openssl.c:2317
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition ssl_openssl.c:2305
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition ssl_openssl.c:2293
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition ssl_openssl.c:2280
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:4014
tls_select_encryption_key
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3927
TLS_AUTHENTICATED
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition ssl_verify.h:113
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3986
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3954
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:4000
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3575
reliable_free
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition reliable.c:364
reliable_ack_read
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition reliable.c:144
reliable_get_buf_output_sequenced
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition reliable.c:562
reliable_schedule_now
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition reliable.c:675
reliable_ack_read_packet_id
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:109
reliable_ack_outstanding
static int reliable_ack_outstanding(struct reliable_ack *ack)
Returns the number of packets that need to be acked.
Definition reliable.h:189
reliable_mark_active_incoming
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition reliable.c:736
reliable_mark_active_outgoing
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition reliable.c:769
reliable_ack_print
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition reliable.c:305
reliable_ack_acknowledge_packet_id
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition reliable.c:127
reliable_set_timeout
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition reliable.h:526
reliable_can_get
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition reliable.c:454
reliable_send_purge
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition reliable.c:395
reliable_get_buf
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition reliable.c:518
reliable_send
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition reliable.c:638
reliable_can_send
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition reliable.c:612
reliable_empty
bool reliable_empty(const struct reliable *rel)
Check whether a reliable structure is empty.
Definition reliable.c:380
reliable_not_replay
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID is not a replay.
Definition reliable.c:472
RELIABLE_ACK_SIZE
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs \ waiting to be acknowledged which can \ be stored in one reliable_a...
Definition reliable.h:43
reliable_send_timeout
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition reliable.c:698
reliable_get_entry_sequenced
struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition reliable.c:597
reliable_init
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition reliable.c:348
reliable_mark_deleted
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf)
Remove an entry from a reliable structure.
Definition reliable.c:796
reliable_get_num_output_sequenced_available
int reliable_get_num_output_sequenced_available(struct reliable *rel)
Counts the number of free buffers in output that can be potentially used for sending.
Definition reliable.c:533
reliable_wont_break_sequentiality
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID can safely be stored in the reliable structure's processing window.
Definition reliable.c:499
ACK_SIZE
#define ACK_SIZE(n)
Definition reliable.h:70
reliable_ack_empty
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition reliable.h:176
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:88
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:96
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
management_query_cert
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3905
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2884
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
OPENVPN_STATE_AUTH
#define OPENVPN_STATE_AUTH
Definition manage.h:460
OPENVPN_STATE_WAIT
#define OPENVPN_STATE_WAIT
Definition manage.h:459
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
management_enable_def_auth
static bool management_enable_def_auth(const struct management *man)
Definition manage.h:440
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
unprotect_user_pass
void unprotect_user_pass(struct user_pass *up)
Decrypt username and password buffers in user_pass.
Definition misc.c:812
get_user_pass_cr
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.c:201
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:474
set_auth_token_user
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition misc.c:520
output_peer_info_env
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition misc.c:759
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:781
protect_user_pass
void protect_user_pass(struct user_pass *up)
Encrypt username and password buffers in user_pass.
Definition misc.c:792
set_auth_token
void set_auth_token(struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition misc.c:500
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:67
GET_USER_PASS_STATIC_CHALLENGE_CONCAT
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:128
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:113
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:115
GET_USER_PASS_USERNAME_ONLY
#define GET_USER_PASS_USERNAME_ONLY
indicate that only username should be prompted for auth-user-pass
Definition misc.h:130
GET_USER_PASS_STATIC_CHALLENGE_ECHO
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:123
GET_USER_PASS_INLINE_CREDS
#define GET_USER_PASS_INLINE_CREDS
indicates that auth_file is actually inline creds
Definition misc.h:126
GET_USER_PASS_STATIC_CHALLENGE
#define GET_USER_PASS_STATIC_CHALLENGE
SCRV1 protocol – static challenge.
Definition misc.h:122
SC_CONCAT
#define SC_CONCAT
Definition misc.h:95
SC_ECHO
#define SC_ECHO
Definition misc.h:94
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:155
GET_USER_PASS_DYNAMIC_CHALLENGE
#define GET_USER_PASS_DYNAMIC_CHALLENGE
CRV1 protocol – dynamic challenge.
Definition misc.h:121
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:317
frame_print
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:183
CLEAR
#define CLEAR(x)
Definition basic.h:32
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:251
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:550
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4544
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5563
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4706
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4550
MODE_SERVER
#define MODE_SERVER
Definition options.h:263
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:987
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:84
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:549
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:319
packet_id_net_print
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition packet_id.c:423
packet_id_format
#define packet_id_format
Definition packet_id.h:76
packet_id_print_type
uint64_t packet_id_print_type
Definition packet_id.h:77
packet_id_type
uint32_t packet_id_type
Definition packet_id.h:45
packet_id_close_to_wrapping
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition packet_id.h:328
ntohpid
#define ntohpid(x)
Definition packet_id.h:64
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:322
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:118
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2565
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
session_id_random
void session_id_random(struct session_id *sid)
Definition session_id.c:48
session_id_print
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition session_id.c:54
session_id_equal
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition session_id.h:47
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:53
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:59
SID_SIZE
#define SID_SIZE
Definition session_id.h:44
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:532
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket_util.c:117
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket_util.h:328
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition socket_util.h:309
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition socket_util.h:486
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:386
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:366
generate_key_expansion
static bool generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
Definition ssl.c:1479
init_ssl
struct tls_root_ctx * init_ssl(const struct options *options, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:516
tls_process
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3019
tls_session_user_pass_enabled
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition ssl.c:952
auth_deferred_expire_window
static int auth_deferred_expire_window(const struct tls_options *o)
Definition ssl.c:2391
passbuf
static struct user_pass passbuf
Definition ssl.c:245
print_key_id
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition ssl.c:770
INCR_GENERATED
#define INCR_GENERATED
Definition ssl.c:92
auth_token
static struct user_pass auth_token
Definition ssl.c:280
init_epoch_keys
static void init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2)
Definition ssl.c:1338
compute_earliest_wakeup
static void compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
Definition ssl.c:1118
lame_duck_must_die
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition ssl.c:1135
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:341
ks_auth_name
static const char * ks_auth_name(enum ks_auth_state auth)
Definition ssl.c:729
key_source2_read
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1709
move_session
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition ssl.c:1084
handle_data_channel_packet
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Check the keyid of the an incoming data channel packet and return the matching crypto parameters in o...
Definition ssl.c:3475
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
Definition ssl.c:4034
export_user_keying_material
static void export_user_keying_material(struct tls_session *session)
Definition ssl.c:2180
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:411
INCR_SUCCESS
#define INCR_SUCCESS
Definition ssl.c:93
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:259
control_packet_needs_wkc
static bool control_packet_needs_wkc(const struct key_state *ks)
Definition ssl.c:2598
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4092
read_incoming_tls_ciphertext
static bool read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
Read incoming ciphertext and passes it to the buffer of the SSL library.
Definition ssl.c:2572
key_source2_print
static void key_source2_print(const struct key_source2 *k)
Definition ssl.c:1297
auth_user_pass
static struct user_pass auth_user_pass
Definition ssl.c:279
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4067
write_outgoing_tls_ciphertext
static bool write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2630
check_outgoing_ciphertext
static bool check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2716
check_session_buf_not_used
static void check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
This is a safe guard function to double check that a buffer from a session is not used in a session t...
Definition ssl.c:3152
tls_session_generate_data_channel_keys
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1543
flush_payload_buffer
static void flush_payload_buffer(struct key_state *ks)
Definition ssl.c:1741
init_key_contexts
static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2, bool dco_enabled)
Definition ssl.c:1377
print_key_id_not_found_reason
static void print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, int key_id)
We have not found a matching key to decrypt data channel packet, try to generate a sensible error mes...
Definition ssl.c:3427
tls_session_update_crypto_params_do_work
bool tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Definition ssl.c:1575
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1772
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, bool username_only, const struct static_challenge_info *sci)
Definition ssl.c:293
is_hard_reset_method2
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:786
read_string_alloc
static char * read_string_alloc(struct buffer *buf)
Definition ssl.c:1841
should_trigger_renegotiation
static bool should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
Determines if a renegotiation should be triggerred based on the various factors that can trigger one.
Definition ssl.c:2931
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:425
read_string
static int read_string(struct buffer *buf, char *str, const unsigned int capacity)
Read a string that is encoded as a 2 byte header with the length from the buffer buf.
Definition ssl.c:1822
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2498
session_index_name
static const char * session_index_name(int index)
Definition ssl.c:748
session_move_active
static void session_move_active(struct tls_multi *multi, struct tls_session *session, struct link_socket_info *to_link_socket_info, struct key_state *ks)
Moves the key to state to S_ACTIVE and also advances the multi_state state machine if this is the ini...
Definition ssl.c:2455
tls_get_limit_aead
static uint64_t tls_get_limit_aead(const char *ciphername)
Definition ssl.c:120
random_bytes_to_buf
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition ssl.c:1663
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:360
openvpn_PRF
static bool openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed, size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, size_t output_len)
Definition ssl.c:1304
INCR_SENT
#define INCR_SENT
Definition ssl.c:91
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3216
tls_process_state
static bool tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2735
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:351
key_method_2_write
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition ssl.c:2059
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:248
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:225
key_source_print
static void key_source_print(const struct key_source *k, const char *prefix)
Definition ssl.c:1278
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1644
write_empty_string
static bool write_empty_string(struct buffer *buf)
Definition ssl.c:1782
tls_limit_reneg_bytes
static void tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition ssl.c:106
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:233
key_state_soft_reset
static void key_state_soft_reset(struct tls_session *session)
Definition ssl.c:1757
parse_early_negotiation_tlvs
static bool parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
Parses the TLVs (type, length, value) in the early negotiation.
Definition ssl.c:2523
auth_user_pass_enabled
static bool auth_user_pass_enabled
Definition ssl.c:278
auth_challenge
static char * auth_challenge
Definition ssl.c:283
key_source2_randomize_write
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1678
state_name
static const char * state_name(int state)
Definition ssl.c:686
generate_key_expansion_openvpn_prf
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition ssl.c:1435
reset_session
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition ssl.c:1107
INCR_ERROR
#define INCR_ERROR
Definition ssl.c:94
tls_ctx_reload_crl
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition ssl.c:466
calc_control_channel_frame_overhead
static size_t calc_control_channel_frame_overhead(const struct tls_session *session)
calculate the maximum overhead that control channel frames have This includes header,...
Definition ssl.c:188
generate_key_expansion_tls_export
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition ssl.c:1421
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition ssl.c:375
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1877
write_string
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition ssl.c:1792
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:287
ssl_purge_auth_challenge
void ssl_purge_auth_challenge(void)
Definition ssl.c:404
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4120
read_incoming_tls_plaintext
static bool read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup, bool *continue_tls_process)
Definition ssl.c:2605
key_method_2_read
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext).
Definition ssl.c:2214
session_move_pre_start
static bool session_move_pre_start(const struct tls_session *session, struct key_state *ks, bool skip_initial_send)
Move the session from S_INITIAL to S_PRE_START.
Definition ssl.c:2410
protocol_dump
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4145
ssl.h
Control Channel SSL/Data channel negotiation module.
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition ssl.h:232
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
load_xkey_provider
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
Definition ssl_openssl.c:2733
tls_wrap_free
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:472
IV_PROTO_AUTH_FAIL_TEMP
#define IV_PROTO_AUTH_FAIL_TEMP
Support for AUTH_FAIL,TEMP messages.
Definition ssl.h:105
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
CONTROL_SEND_ACK_MAX
#define CONTROL_SEND_ACK_MAX
Definition ssl.h:55
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition ssl.h:230
KEY_EXPANSION_ID
#define KEY_EXPANSION_ID
Definition ssl.h:49
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
PD_TLS_CRYPT
#define PD_TLS_CRYPT
Definition ssl.h:525
PD_TLS
#define PD_TLS
Definition ssl.h:523
IV_PROTO_PUSH_UPDATE
#define IV_PROTO_PUSH_UPDATE
Supports push-update.
Definition ssl.h:117
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
PD_VERBOSE
#define PD_VERBOSE
Definition ssl.h:524
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
TLSMP_KILL
#define TLSMP_KILL
Definition ssl.h:231
PD_SHOW_DATA
#define PD_SHOW_DATA
Definition ssl.h:522
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
KEY_METHOD_MASK
#define KEY_METHOD_MASK
Definition ssl.h:125
IV_PROTO_DNS_OPTION_V2
#define IV_PROTO_DNS_OPTION_V2
Supports the –dns option after all the incompatible changes.
Definition ssl.h:114
PD_TLS_AUTH_HMAC_SIZE_MASK
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition ssl.h:521
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
TLSMP_INACTIVE
#define TLSMP_INACTIVE
Definition ssl.h:229
TLS_OPTIONS_LEN
#define TLS_OPTIONS_LEN
Definition ssl.h:69
ssl_backend.h
Control Channel SSL library backend module.
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition ssl_openssl.c:580
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2700
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:159
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
Definition ssl_openssl.c:2589
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition ssl_openssl.c:103
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition ssl_openssl.c:2265
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition ssl_openssl.c:1341
key_state_ssl_shutdown
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition ssl_openssl.c:2259
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition ssl_openssl.c:2001
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition ssl_openssl.c:639
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition ssl_openssl.c:510
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition ssl_openssl.c:976
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition ssl_openssl.c:2218
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:787
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
TLS_VER_1_1
#define TLS_VER_1_1
Definition ssl_backend.h:106
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
Definition ssl_openssl.c:2559
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:207
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition ssl_openssl.c:1395
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition ssl_openssl.c:449
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1850
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition ssl_openssl.c:538
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition ssl_openssl.c:1771
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition ssl_openssl.c:1109
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition ssl_openssl.c:326
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:729
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition ssl_openssl.c:121
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Definition ssl_openssl.c:1328
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition ssl_common.h:567
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:733
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:427
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:594
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:582
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:583
CAS_WAITING_OPTIONS_IMPORT
@ CAS_WAITING_OPTIONS_IMPORT
client with pull or p2p waiting for first time options import
Definition ssl_common.h:587
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:581
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:593
ks_auth_state
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition ssl_common.h:153
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:157
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:429
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition ssl_common.h:41
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
check_session_cipher
bool check_session_cipher(struct tls_session *session, struct options *options)
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition ssl_ncp.c:515
p2p_mode_ncp
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
Definition ssl_ncp.c:472
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:164
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt, bool initial_packet)
Read a control channel authentication record.
Definition ssl_pkt.c:194
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:323
P_DATA_V1
#define P_DATA_V1
Definition ssl_pkt.h:47
P_DATA_V2
#define P_DATA_V2
Definition ssl_pkt.h:48
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:322
P_ACK_V1
#define P_ACK_V1
Definition ssl_pkt.h:46
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:59
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition ssl_pkt.h:42
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition ssl_pkt.h:38
TLS_RELIABLE_N_REC_BUFFERS
#define TLS_RELIABLE_N_REC_BUFFERS
Definition ssl_pkt.h:71
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:241
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:52
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition ssl_pkt.h:44
P_CONTROL_V1
#define P_CONTROL_V1
Definition ssl_pkt.h:45
P_LAST_OPCODE
#define P_LAST_OPCODE
Definition ssl_pkt.h:65
EARLY_NEG_START
#define EARLY_NEG_START
Definition ssl_pkt.h:315
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition ssl_pkt.h:43
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:292
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
TLS_RELIABLE_N_SEND_BUFFERS
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition ssl_pkt.h:70
options_string_compat_lzo
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition ssl_util.c:76
ssl_util.h
SSL utility functions.
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition ssl_verify.c:965
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition ssl_verify.c:1861
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition ssl_verify.c:1799
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:814
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition ssl_verify.c:1148
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition ssl_verify.c:1606
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition ssl_verify.c:215
ssl_verify.h
Control Channel Verification Module.
tls_auth_status
tls_auth_status
Definition ssl_verify.h:74
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:75
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:76
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:303
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:386
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:342
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:333
env_item
Definition env_set.h:37
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
epoch_key
Definition crypto.h:192
epoch_key::epoch_key
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
Definition crypto.h:193
epoch_key::epoch
uint16_t epoch
Definition crypto.h:194
frame
Packet geometry parameters.
Definition mtu.h:108
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:142
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:113
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:119
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:129
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:123
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:241
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
key_ctx_bi::initialized
bool initialized
Definition crypto.h:285
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
key_ctx::plaintext_blocks
uint64_t plaintext_blocks
Counter for the number of plaintext block encrypted using this cipher with the current key in number ...
Definition crypto.h:222
key_direction_state
Key ordering of the key2.keys array.
Definition crypto.h:259
key_direction_state::in_key
int in_key
Index into the key2.keys array for the receiving direction.
Definition crypto.h:262
key_direction_state::out_key
int out_key
Index into the key2.keys array for the sending direction.
Definition crypto.h:260
key_source2
Container for both halves of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:139
key_source2::client
struct key_source client
Random provided by client.
Definition ssl_common.h:140
key_source2::server
struct key_source server
Random provided by server.
Definition ssl_common.h:141
key_source
Container for one half of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:121
key_source::random1
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition ssl_common.h:125
key_source::pre_master
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition ssl_common.h:122
key_source::random2
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition ssl_common.h:128
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
key_state::paybuf
struct buffer_list * paybuf
Holds outgoing message for the control channel until ks->state reaches S_ACTIVE.
Definition ssl_common.h:252
key_state::crypto_options
struct crypto_options crypto_options
Definition ssl_common.h:237
key_state::ack_write_buf
struct buffer ack_write_buf
Definition ssl_common.h:243
key_state::plaintext_read_buf
struct buffer plaintext_read_buf
Definition ssl_common.h:241
key_state::state
int state
Definition ssl_common.h:209
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
key_state::must_die
time_t must_die
Definition ssl_common.h:230
key_state::plaintext_write_buf
struct buffer plaintext_write_buf
Definition ssl_common.h:242
key_state::remote_addr
struct link_socket_actual remote_addr
Definition ssl_common.h:235
key_state::established
time_t established
Definition ssl_common.h:228
key_state::ks_ssl
struct key_state_ssl ks_ssl
Definition ssl_common.h:225
key_state::must_negotiate
time_t must_negotiate
Definition ssl_common.h:229
key_state::rec_ack
struct reliable_ack * rec_ack
Definition ssl_common.h:247
key_state::rec_reliable
struct reliable * rec_reliable
Definition ssl_common.h:246
key_state::session_id_remote
struct session_id session_id_remote
Definition ssl_common.h:234
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:263
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:269
key_state::initial
time_t initial
Definition ssl_common.h:227
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:259
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
key_state::peer_last_packet
time_t peer_last_packet
Definition ssl_common.h:231
key_state::send_reliable
struct reliable * send_reliable
Definition ssl_common.h:245
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition ssl_common.h:260
key_state::initial_opcode
int initial_opcode
Definition ssl_common.h:233
key_state::lru_acks
struct reliable_ack * lru_acks
Definition ssl_common.h:248
key_state::key_src
struct key_source2 * key_src
Definition ssl_common.h:239
key_state::n_bytes
counter_type n_bytes
Definition ssl_common.h:253
key_state::n_packets
counter_type n_packets
Definition ssl_common.h:254
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
link_socket_actual
Definition socket_util.h:50
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_info
Definition socket.h:86
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:718
options::crl_file_inline
bool crl_file_inline
Definition options.h:614
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:636
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:603
options::ca_file
const char * ca_file
Definition options.h:591
options::ssl_flags
unsigned int ssl_flags
Definition options.h:623
options::authname
const char * authname
Definition options.h:579
options::dh_file_inline
bool dh_file_inline
Definition options.h:595
options::pkcs12_file
const char * pkcs12_file
Definition options.h:602
options::tls_groups
const char * tls_groups
Definition options.h:606
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:607
options::management_flags
unsigned int management_flags
Definition options.h:457
options::ciphername
const char * ciphername
Definition options.h:573
options::tls_server
bool tls_server
Definition options.h:589
options::extra_certs_file
const char * extra_certs_file
Definition options.h:598
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:601
options::crl_file
const char * crl_file
Definition options.h:613
options::dh_file
const char * dh_file
Definition options.h:594
options::ca_file_inline
bool ca_file_inline
Definition options.h:592
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:599
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:605
options::ecdh_curve
const char * ecdh_curve
Definition options.h:608
options::cipher_list
const char * cipher_list
Definition options.h:604
options::management_certificate
const char * management_certificate
Definition options.h:454
options::chroot_dir
const char * chroot_dir
Definition options.h:377
options::ca_path
const char * ca_path
Definition options.h:593
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:349
options::ping_send_timeout
int ping_send_timeout
Definition options.h:348
options::priv_key_file
const char * priv_key_file
Definition options.h:600
options::cert_file
const char * cert_file
Definition options.h:596
options::cert_file_inline
bool cert_file_inline
Definition options.h:597
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:191
packet_id_rec::id
uint64_t id
Definition packet_id.h:117
packet_id_send::id
uint64_t id
Definition packet_id.h:153
packet_id::send
struct packet_id_send send
Definition packet_id.h:200
packet_id::rec
struct packet_id_rec rec
Definition packet_id.h:201
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:64
reliable_ack::len
int len
Definition reliable.h:65
reliable_entry
The structure in which the reliability layer stores a single incoming or outgoing packet.
Definition reliable.h:77
reliable_entry::buf
struct buffer buf
Definition reliable.h:86
reliable_entry::opcode
int opcode
Definition reliable.h:85
reliable_entry::packet_id
packet_id_type packet_id
Definition reliable.h:81
reliable
The reliability layer storage structure for one VPN tunnel's control channel in one direction.
Definition reliable.h:94
reliable::array
struct reliable_entry array[RELIABLE_CAPACITY]
Definition reliable.h:100
reliable::size
int size
Definition reliable.h:95
reliable::packet_id
packet_id_type packet_id
Definition reliable.h:97
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
session_id
Definition session_id.h:38
static_challenge_info
Definition misc.h:93
static_challenge_info::flags
unsigned int flags
Definition misc.h:96
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:98
tls_auth_standalone
Definition ssl_pkt.h:78
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
tls_multi::n_hard_errors
int n_hard_errors
Definition ssl_common.h:638
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:704
tls_multi::to_link_addr
struct link_socket_actual to_link_addr
Definition ssl_common.h:629
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:673
tls_multi::save_ks
struct key_state * save_ks
Definition ssl_common.h:623
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:703
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:650
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:633
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:617
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:712
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:656
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:645
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:700
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:654
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:631
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:724
tls_multi::n_soft_errors
int n_soft_errors
Definition ssl_common.h:639
tls_options
Definition ssl_common.h:307
tls_options::gremlin
int gremlin
Definition ssl_common.h:448
tls_options::server
bool server
Definition ssl_common.h:317
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:387
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:368
tls_options::replay_time
int replay_time
Definition ssl_common.h:371
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:350
tls_options::frame
struct frame frame
Definition ssl_common.h:389
tls_options::remote_options
const char * remote_options
Definition ssl_common.h:325
tls_options::single_session
bool single_session
Definition ssl_common.h:328
tls_options::local_options
const char * local_options
Definition ssl_common.h:324
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:343
tls_options::replay_window
int replay_window
Definition ssl_common.h:370
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:114
tls_root_ctx::crl_last_size
off_t crl_last_size
size of last loaded CRL
Definition ssl_mbedtls.h:127
tls_root_ctx::crl_last_mtime
time_t crl_last_mtime
CRL last modification time.
Definition ssl_mbedtls.h:126
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
tls_session::key_id
int key_id
The current active key id, used to keep track of renegotiations.
Definition ssl_common.h:512
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:525
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
user_pass
Definition misc.h:55
user_pass::token_defined
bool token_defined
Definition misc.h:59
user_pass::protected
bool protected
Definition misc.h:61
user_pass::defined
bool defined
Definition misc.h:56
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:71
user_pass::nocache
bool nocache
Definition misc.h:60
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:70
es
struct env_set * es
Definition test_pkcs11.c:138
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:133
tls_crypt.h
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1380
Generated by doxygen 1.9.8