OpenVPN
ssl.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Sentyron B.V. <openvpn@sentyron.com>
10 * Copyright (C) 2008-2025 David Sommerseth <dazo@eurephia.org>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License version 2
14 * as published by the Free Software Foundation.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, see <https://www.gnu.org/licenses/>.
23 */
24
30/*
31 * The routines in this file deal with dynamically negotiating
32 * the data channel HMAC and cipher keys through a TLS session.
33 *
34 * Both the TLS session and the data channel are multiplexed
35 * over the same TCP/UDP port.
36 */
37#ifdef HAVE_CONFIG_H
38#include "config.h"
39#endif
40
41#include "syshead.h"
42#include "win32.h"
43
44#include "error.h"
45#include "common.h"
46#include "socket.h"
47#include "misc.h"
48#include "fdmisc.h"
49#include "interval.h"
50#include "status.h"
51#include "gremlin.h"
52#include "pkcs11.h"
53#include "route.h"
54#include "tls_crypt.h"
55
56#include "crypto_epoch.h"
57#include "ssl.h"
58#include "ssl_verify.h"
59#include "ssl_backend.h"
60#include "ssl_ncp.h"
61#include "ssl_util.h"
62#include "auth_token.h"
63#include "mss.h"
64#include "dco.h"
65
66#include "memdbg.h"
67#include "openvpn.h"
68
69#ifdef MEASURE_TLS_HANDSHAKE_STATS
70
71static int tls_handshake_success; /* GLOBAL */
72static int tls_handshake_error; /* GLOBAL */
73static int tls_packets_generated; /* GLOBAL */
74static int tls_packets_sent; /* GLOBAL */
75
76#define INCR_SENT ++tls_packets_sent
77#define INCR_GENERATED ++tls_packets_generated
78#define INCR_SUCCESS ++tls_handshake_success
79#define INCR_ERROR ++tls_handshake_error
80
81void
82show_tls_performance_stats(void)
83{
84 msg(D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
85 (double)tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
86 tls_handshake_success, tls_handshake_error,
87 (double)(tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
88}
89#else /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
90
91#define INCR_SENT
92#define INCR_GENERATED
93#define INCR_SUCCESS
94#define INCR_ERROR
95
96#endif /* ifdef MEASURE_TLS_HANDSHAKE_STATS */
97
105static void
106tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
107{
108 if (cipher_kt_insecure(ciphername))
109 {
110 if (*reneg_bytes == -1) /* Not user-specified */
111 {
112 msg(M_WARN, "WARNING: cipher with small block size in use, "
113 "reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.");
114 *reneg_bytes = 64 * 1024 * 1024;
115 }
116 }
117}
118
119static uint64_t
120tls_get_limit_aead(const char *ciphername)
121{
122 uint64_t limit = cipher_get_aead_limits(ciphername);
123
124 if (limit == 0)
125 {
126 return 0;
127 }
128
129 /* set limit to 7/8 of the limit so the renegotiation can succeed before
130 * we go over the limit */
131 limit = limit / 8 * 7;
132
133 msg(D_SHOW_KEYS,
134 "Note: AEAD cipher %s will trigger a renegotiation"
135 " at a sum of %" PRIi64 " blocks and packets.",
136 ciphername, limit);
137 return limit;
138}
139
140void
141tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
142{
143 /*
144 * frame->extra_frame is already initialized with tls_auth buffer requirements,
145 * if --tls-auth is enabled.
146 */
147
148 /* calculates the maximum overhead that control channel frames can have */
149 int overhead = 0;
150
151 /* Socks */
152 overhead += 10;
153
154 /* tls-auth and tls-crypt */
155 overhead += max_int(tls_crypt_buf_overhead(), packet_id_size(true) + OPENVPN_MAX_HMAC_SIZE);
156
157 /* TCP length field and opcode */
158 overhead += 3;
159
160 /* ACK array and remote SESSION ID (part of the ACK array) */
161 overhead += ACK_SIZE(RELIABLE_ACK_SIZE);
162
163 /* Previous OpenVPN version calculated the maximum size and buffer of a
164 * control frame depending on the overhead of the data channel frame
165 * overhead and limited its maximum size to 1250. Since control frames
166 * also need to fit into data channel buffer we have the same
167 * default of 1500 + 100 as data channel buffers have. Increasing
168 * control channel mtu beyond this limit also increases the data channel
169 * buffers */
170 frame->buf.payload_size = max_int(1500, tls_mtu) + 100;
171
172 frame->buf.headroom = overhead;
173 frame->buf.tailroom = overhead;
174
175 frame->tun_mtu = tls_mtu;
176
177 /* Ensure the tun-mtu stays in a valid range */
178 frame->tun_mtu = min_int(frame->tun_mtu, TLS_CHANNEL_BUF_SIZE);
179 frame->tun_mtu = max_int(frame->tun_mtu, TLS_CHANNEL_MTU_MIN);
180}
181
187static size_t
188calc_control_channel_frame_overhead(const struct tls_session *session)
189{
190 const struct key_state *ks = &session->key[KS_PRIMARY];
191 size_t overhead = 0;
192
193 /* opcode */
194 overhead += 1;
195
196 /* our own session id */
197 overhead += SID_SIZE;
198
199 /* ACK array and remote SESSION ID (part of the ACK array) */
200 int ackstosend = reliable_ack_outstanding(ks->rec_ack) + ks->lru_acks->len;
201 overhead += ACK_SIZE(min_int(ackstosend, CONTROL_SEND_ACK_MAX));
202
203 /* Message packet id */
204 overhead += sizeof(packet_id_type);
205
206 if (session->tls_wrap.mode == TLS_WRAP_CRYPT)
207 {
208 overhead += tls_crypt_buf_overhead();
209 }
210 else if (session->tls_wrap.mode == TLS_WRAP_AUTH)
211 {
212 overhead += hmac_ctx_size(session->tls_wrap.opt.key_ctx_bi.encrypt.hmac);
213 overhead += packet_id_size(true);
214 }
215
216 /* Add the typical UDP overhead for an IPv6 UDP packet. TCP+IPv6 has a
217 * larger overhead but the risk of a TCP connection getting dropped because
218 * we try to send a too large packet is basically zero */
219 overhead += datagram_overhead(session->untrusted_addr.dest.addr.sa.sa_family, PROTO_UDP);
220
221 return overhead;
222}
223
224void
225init_ssl_lib(void)
226{
227 tls_init_lib();
228
229 crypto_init_lib();
230}
231
232void
233free_ssl_lib(void)
234{
235 crypto_uninit_lib();
236
237 tls_free_lib();
238}
239
240/*
241 * OpenSSL library calls pem_password_callback if the
242 * private key is protected by a password.
243 */
244
245static struct user_pass passbuf; /* GLOBAL */
246
247void
248pem_password_setup(const char *auth_file)
249{
250 unprotect_user_pass(&passbuf);
251 if (!strlen(passbuf.password))
252 {
253 get_user_pass(&passbuf, auth_file, UP_TYPE_PRIVATE_KEY,
254 GET_USER_PASS_MANAGEMENT | GET_USER_PASS_PASSWORD_ONLY);
255 }
256}
257
258int
259pem_password_callback(char *buf, int size, int rwflag, void *u)
260{
261 if (buf)
262 {
263 /* prompt for password even if --askpass wasn't specified */
264 pem_password_setup(NULL);
265 ASSERT(!passbuf.protected);
266 strncpynt(buf, passbuf.password, (size_t)size);
267 purge_user_pass(&passbuf, false);
268
269 return (int)strlen(buf);
270 }
271 return 0;
272}
273
274/*
275 * Auth username/password handling
276 */
277
278static bool auth_user_pass_enabled; /* GLOBAL */
279static struct user_pass auth_user_pass; /* GLOBAL */
280static struct user_pass auth_token; /* GLOBAL */
281
282#ifdef ENABLE_MANAGEMENT
283static char *auth_challenge; /* GLOBAL */
284#endif
285
286void
291
292void
293auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
294{
295 unsigned int flags = GET_USER_PASS_MANAGEMENT;
296
297 if (is_inline)
298 {
299 flags |= GET_USER_PASS_INLINE_CREDS;
300 }
301
302 if (!auth_user_pass.defined && !auth_token.defined)
303 {
304 unprotect_user_pass(&auth_user_pass);
305#ifdef ENABLE_MANAGEMENT
306 if (auth_challenge) /* dynamic challenge/response */
307 {
308 flags |= GET_USER_PASS_DYNAMIC_CHALLENGE;
309 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, auth_challenge);
310 }
311 else if (sci) /* static challenge response */
312 {
313 flags |= GET_USER_PASS_STATIC_CHALLENGE;
314 if (sci->flags & SC_ECHO)
315 {
316 flags |= GET_USER_PASS_STATIC_CHALLENGE_ECHO;
317 }
318 if (sci->flags & SC_CONCAT)
319 {
320 flags |= GET_USER_PASS_STATIC_CHALLENGE_CONCAT;
321 }
322 get_user_pass_cr(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text);
323 }
324 else
325#endif /* ifdef ENABLE_MANAGEMENT */
326 {
327 get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, flags);
328 }
329 }
330}
331
332/*
333 * Disable password caching
334 */
335void
336ssl_set_auth_nocache(void)
337{
338 passbuf.nocache = true;
339 auth_user_pass.nocache = true;
340}
341
342/*
343 * Get the password caching
344 */
345bool
346ssl_get_auth_nocache(void)
347{
348 return passbuf.nocache;
349}
350
351/*
352 * Set an authentication token
353 */
354void
355ssl_set_auth_token(const char *token)
356{
357 set_auth_token(&auth_token, token);
358}
359
360void
365
366/*
367 * Cleans an auth token and checks if it was active
368 */
369bool
370ssl_clean_auth_token(void)
371{
372 bool wasdefined = auth_token.defined;
373 purge_user_pass(&auth_token, true);
374 return wasdefined;
375}
376
377/*
378 * Forget private key password AND auth-user-pass username/password.
379 */
380void
381ssl_purge_auth(const bool auth_user_pass_only)
382{
383 if (!auth_user_pass_only)
384 {
385#ifdef ENABLE_PKCS11
386 pkcs11_logout();
387#endif
388 purge_user_pass(&passbuf, true);
389 }
390 purge_user_pass(&auth_user_pass, true);
391#ifdef ENABLE_MANAGEMENT
392 ssl_purge_auth_challenge();
393#endif
394}
395
396#ifdef ENABLE_MANAGEMENT
397
398void
399ssl_purge_auth_challenge(void)
400{
401 free(auth_challenge);
402 auth_challenge = NULL;
403}
404
405void
406ssl_put_auth_challenge(const char *cr_str)
407{
408 ssl_purge_auth_challenge();
409 auth_challenge = string_alloc(cr_str, NULL);
410}
411
412#endif
413
414/*
415 * Parse a TLS version string, returning a TLS_VER_x constant.
416 * If version string is not recognized and extra == "or-highest",
417 * return tls_version_max().
418 */
419int
420tls_version_parse(const char *vstr, const char *extra)
421{
422 const int max_version = tls_version_max();
423 if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
424 {
425 return TLS_VER_1_0;
426 }
427 else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
428 {
429 return TLS_VER_1_1;
430 }
431 else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
432 {
433 return TLS_VER_1_2;
434 }
435 else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
436 {
437 return TLS_VER_1_3;
438 }
439 else if (extra && !strcmp(extra, "or-highest"))
440 {
441 return max_version;
442 }
443 else
444 {
445 return TLS_VER_BAD;
446 }
447}
448
460static void
461tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
462{
463 /* if something goes wrong with stat(), we'll store 0 as mtime */
464 platform_stat_t crl_stat = { 0 };
465
466 /*
467 * an inline CRL can't change at runtime, therefore there is no need to
468 * reload it. It will be reloaded upon config change + SIGHUP.
469 * Use always '1' as dummy timestamp in this case: it will trigger the
470 * first load, but will prevent any future reload.
471 */
472 if (crl_file_inline)
473 {
474 crl_stat.st_mtime = 1;
475 }
476 else if (platform_stat(crl_file, &crl_stat) < 0)
477 {
478 /* If crl_last_mtime is zero, the CRL file has not been read before. */
479 if (ssl_ctx->crl_last_mtime == 0)
480 {
481 msg(M_FATAL, "ERROR: Failed to stat CRL file during initialization, exiting.");
482 }
483 else
484 {
485 msg(M_WARN, "WARNING: Failed to stat CRL file, not reloading CRL.");
486 }
487 return;
488 }
489
490 /*
491 * Store the CRL if this is the first time or if the file was changed since
492 * the last load.
493 * Note: Windows does not support tv_nsec.
494 */
495 if ((ssl_ctx->crl_last_size == crl_stat.st_size)
496 && (ssl_ctx->crl_last_mtime == crl_stat.st_mtime))
497 {
498 return;
499 }
500
501 ssl_ctx->crl_last_mtime = crl_stat.st_mtime;
502 ssl_ctx->crl_last_size = crl_stat.st_size;
503 backend_tls_ctx_reload_crl(ssl_ctx, crl_file, crl_file_inline);
504}
505
506/*
507 * Initialize SSL context.
508 * All files are in PEM format.
509 */
510void
511init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
512{
513 ASSERT(NULL != new_ctx);
514
515 tls_clear_error();
516
517 if (key_is_external(options))
518 {
519 load_xkey_provider();
520 }
521
522 if (options->tls_server)
523 {
524 tls_ctx_server_new(new_ctx);
525
526 if (options->dh_file)
527 {
528 tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
529 }
530 }
531 else /* if client */
532 {
533 tls_ctx_client_new(new_ctx);
534 }
535
536 /* Restrict allowed certificate crypto algorithms */
537 tls_ctx_set_cert_profile(new_ctx, options->tls_cert_profile);
538
539 /* Allowable ciphers */
540 /* Since @SECLEVEL also influences loading of certificates, set the
541 * cipher restrictions before loading certificates */
542 tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
543 tls_ctx_restrict_ciphers_tls13(new_ctx, options->cipher_list_tls13);
544
545 /* Set the allow groups/curves for TLS if we want to override them */
546 if (options->tls_groups)
547 {
548 tls_ctx_set_tls_groups(new_ctx, options->tls_groups);
549 }
550
551 if (!tls_ctx_set_options(new_ctx, options->ssl_flags))
552 {
553 goto err;
554 }
555
556 if (options->pkcs12_file)
557 {
558 if (0
559 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline,
560 !options->ca_file))
561 {
562 goto err;
563 }
564 }
565#ifdef ENABLE_PKCS11
566 else if (options->pkcs11_providers[0])
567 {
568 if (!tls_ctx_use_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
569 {
570 msg(M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface",
571 options->pkcs11_id);
572 goto err;
573 }
574 }
575#endif
576#ifdef ENABLE_CRYPTOAPI
577 else if (options->cryptoapi_cert)
578 {
579 tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
580 }
581#endif
582#ifdef ENABLE_MANAGEMENT
583 else if (options->management_flags & MF_EXTERNAL_CERT)
584 {
585 char *cert = management_query_cert(management, options->management_certificate);
586 tls_ctx_load_cert_file(new_ctx, cert, true);
587 free(cert);
588 }
589#endif
590 else if (options->cert_file)
591 {
592 tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
593 }
594
595 if (options->priv_key_file)
596 {
597 if (0
598 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file,
599 options->priv_key_file_inline))
600 {
601 goto err;
602 }
603 }
604#ifdef ENABLE_MANAGEMENT
605 else if (options->management_flags & MF_EXTERNAL_KEY)
606 {
607 if (tls_ctx_use_management_external_key(new_ctx))
608 {
609 msg(M_WARN, "Cannot initialize mamagement-external-key");
610 goto err;
611 }
612 }
613#endif
614
615 if (options->ca_file || options->ca_path)
616 {
617 tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path,
618 options->tls_server);
619 }
620
621 /* Load extra certificates that are part of our own certificate
622 * chain but shouldn't be included in the verify chain */
623 if (options->extra_certs_file)
624 {
625 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file,
626 options->extra_certs_file_inline);
627 }
628
629 /* Check certificate notBefore and notAfter */
630 tls_ctx_check_cert_time(new_ctx);
631
632 /* Read CRL */
633 if (options->crl_file && !(options->ssl_flags & SSLF_CRL_VERIFY_DIR))
634 {
635 /* If we're running with the chroot option, we may run init_ssl() before
636 * and after chroot-ing. We can use the crl_file path as-is if we're
637 * not going to chroot, or if we already are inside the chroot.
638 *
639 * If we're going to chroot later, we need to prefix the path of the
640 * chroot directory to crl_file.
641 */
642 if (!options->chroot_dir || in_chroot || options->crl_file_inline)
643 {
644 tls_ctx_reload_crl(new_ctx, options->crl_file, options->crl_file_inline);
645 }
646 else
647 {
648 struct gc_arena gc = gc_new();
649 struct buffer crl_file_buf = prepend_dir(options->chroot_dir, options->crl_file, &gc);
650 tls_ctx_reload_crl(new_ctx, BSTR(&crl_file_buf), options->crl_file_inline);
651 gc_free(&gc);
652 }
653 }
654
655 /* Once keys and cert are loaded, load ECDH parameters */
656 if (options->tls_server)
657 {
658 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
659 }
660
661#ifdef ENABLE_CRYPTO_MBEDTLS
662 /* Personalise the random by mixing in the certificate */
663 tls_ctx_personalise_random(new_ctx);
664#endif
665
666 tls_clear_error();
667 return;
668
669err:
670 tls_clear_error();
671 tls_ctx_free(new_ctx);
672 return;
673}
674
675/*
676 * Map internal constants to ascii names.
677 */
678static const char *
679state_name(int state)
680{
681 switch (state)
682 {
683 case S_UNDEF:
684 return "S_UNDEF";
685
686 case S_INITIAL:
687 return "S_INITIAL";
688
689 case S_PRE_START_SKIP:
690 return "S_PRE_START_SKIP";
691
692 case S_PRE_START:
693 return "S_PRE_START";
694
695 case S_START:
696 return "S_START";
697
698 case S_SENT_KEY:
699 return "S_SENT_KEY";
700
701 case S_GOT_KEY:
702 return "S_GOT_KEY";
703
704 case S_ACTIVE:
705 return "S_ACTIVE";
706
707 case S_ERROR:
708 return "S_ERROR";
709
710 case S_ERROR_PRE:
711 return "S_ERROR_PRE";
712
713 case S_GENERATED_KEYS:
714 return "S_GENERATED_KEYS";
715
716 default:
717 return "S_???";
718 }
719}
720
721static const char *
722ks_auth_name(enum ks_auth_state auth)
723{
724 switch (auth)
725 {
726 case KS_AUTH_TRUE:
727 return "KS_AUTH_TRUE";
728
729 case KS_AUTH_DEFERRED:
730 return "KS_AUTH_DEFERRED";
731
732 case KS_AUTH_FALSE:
733 return "KS_AUTH_FALSE";
734
735 default:
736 return "KS_????";
737 }
738}
739
740static const char *
741session_index_name(int index)
742{
743 switch (index)
744 {
745 case TM_ACTIVE:
746 return "TM_ACTIVE";
747
748 case TM_INITIAL:
749 return "TM_INITIAL";
750
751 case TM_LAME_DUCK:
752 return "TM_LAME_DUCK";
753
754 default:
755 return "TM_???";
756 }
757}
758
759/*
760 * For debugging.
761 */
762static const char *
763print_key_id(struct tls_multi *multi, struct gc_arena *gc)
764{
765 struct buffer out = alloc_buf_gc(256, gc);
766
767 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
768 {
769 struct key_state *ks = get_key_scan(multi, i);
770 buf_printf(&out, " [key#%d state=%s auth=%s id=%d sid=%s]", i, state_name(ks->state),
771 ks_auth_name(ks->authenticated), ks->key_id,
772 session_id_print(&ks->session_id_remote, gc));
773 }
774
775 return BSTR(&out);
776}
777
778bool
779is_hard_reset_method2(int op)
780{
781 if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2
782 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
783 {
784 return true;
785 }
786
787 return false;
788}
789
813static void
814key_state_init(struct tls_session *session, struct key_state *ks)
815{
816 update_time();
817
818 CLEAR(*ks);
819
820 /*
821 * Build TLS object that reads/writes ciphertext
822 * to/from memory BIOs.
823 */
824 key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
825
826 /* Set control-channel initiation mode */
827 ks->initial_opcode = session->initial_opcode;
828 session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
829 ks->state = S_INITIAL;
830 ks->key_id = session->key_id;
831
832 /*
833 * key_id increments to KEY_ID_MASK then recycles back to 1.
834 * This way you know that if key_id is 0, it is the first key.
835 */
836 ++session->key_id;
837 session->key_id &= P_KEY_ID_MASK;
838 if (!session->key_id)
839 {
840 session->key_id = 1;
841 }
842
843 /* allocate key source material object */
844 ALLOC_OBJ_CLEAR(ks->key_src, struct key_source2);
845
846 /* allocate reliability objects */
847 ALLOC_OBJ_CLEAR(ks->send_reliable, struct reliable);
848 ALLOC_OBJ_CLEAR(ks->rec_reliable, struct reliable);
849 ALLOC_OBJ_CLEAR(ks->rec_ack, struct reliable_ack);
850 ALLOC_OBJ_CLEAR(ks->lru_acks, struct reliable_ack);
851
852 /* allocate buffers */
853 ks->plaintext_read_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
854 ks->plaintext_write_buf = alloc_buf(TLS_CHANNEL_BUF_SIZE);
855 ks->ack_write_buf = alloc_buf(BUF_SIZE(&session->opt->frame));
856 reliable_init(ks->send_reliable, BUF_SIZE(&session->opt->frame),
857 session->opt->frame.buf.headroom, TLS_RELIABLE_N_SEND_BUFFERS,
858 ks->key_id ? false : session->opt->xmit_hold);
859 reliable_init(ks->rec_reliable, BUF_SIZE(&session->opt->frame),
860 session->opt->frame.buf.headroom, TLS_RELIABLE_N_REC_BUFFERS, false);
861 reliable_set_timeout(ks->send_reliable, session->opt->packet_timeout);
862
863 /* init packet ID tracker */
864 packet_id_init(&ks->crypto_options.packet_id, session->opt->replay_window,
865 session->opt->replay_time, "SSL", ks->key_id);
866
867 ks->crypto_options.pid_persist = NULL;
868
869#ifdef ENABLE_MANAGEMENT
870 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
871#endif
872
873 /*
874 * Attempt CRL reload before TLS negotiation. Won't be performed if
875 * the file was not modified since the last reload
876 */
877 if (session->opt->crl_file && !(session->opt->ssl_flags & SSLF_CRL_VERIFY_DIR))
878 {
879 tls_ctx_reload_crl(&session->opt->ssl_ctx, session->opt->crl_file,
880 session->opt->crl_file_inline);
881 }
882}
883
884
898static void
899key_state_free(struct key_state *ks, bool clear)
900{
901 ks->state = S_UNDEF;
902
903 key_state_ssl_free(&ks->ks_ssl);
904
905 free_key_ctx_bi(&ks->crypto_options.key_ctx_bi);
906 free_epoch_key_ctx(&ks->crypto_options);
907 free_buf(&ks->plaintext_read_buf);
908 free_buf(&ks->plaintext_write_buf);
909 free_buf(&ks->ack_write_buf);
910 buffer_list_free(ks->paybuf);
911
912 reliable_free(ks->send_reliable);
913 reliable_free(ks->rec_reliable);
914
915 free(ks->rec_ack);
916 free(ks->lru_acks);
917 free(ks->key_src);
918
919 packet_id_free(&ks->crypto_options.packet_id);
920
921 key_state_rm_auth_control_files(&ks->plugin_auth);
922 key_state_rm_auth_control_files(&ks->script_auth);
923
924 if (clear)
925 {
926 secure_memzero(ks, sizeof(*ks));
927 }
928}
929
943static inline bool
944tls_session_user_pass_enabled(struct tls_session *session)
945{
946 return (session->opt->auth_user_pass_verify_script
947 || plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY)
948#ifdef ENABLE_MANAGEMENT
949 || management_enable_def_auth(management)
950#endif
951 );
952}
953
954
975static void
976tls_session_init(struct tls_multi *multi, struct tls_session *session)
977{
978 struct gc_arena gc = gc_new();
979
980 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: entry");
981
982 CLEAR(*session);
983
984 /* Set options data to point to parent's option structure */
985 session->opt = &multi->opt;
986
987 /* Randomize session # if it is 0 */
988 while (!session_id_defined(&session->session_id))
989 {
990 session_id_random(&session->session_id);
991 }
992
993 /* Are we a TLS server or client? */
994 if (session->opt->server)
995 {
996 session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2;
997 }
998 else
999 {
1000 session->initial_opcode = session->opt->tls_crypt_v2 ? P_CONTROL_HARD_RESET_CLIENT_V3
1001 : P_CONTROL_HARD_RESET_CLIENT_V2;
1002 }
1003
1004 /* Initialize control channel authentication parameters */
1005 session->tls_wrap = session->opt->tls_wrap;
1006 session->tls_wrap.work = alloc_buf(BUF_SIZE(&session->opt->frame));
1007
1008 /* initialize packet ID replay window for --tls-auth */
1009 packet_id_init(&session->tls_wrap.opt.packet_id, session->opt->replay_window,
1010 session->opt->replay_time, "TLS_WRAP", session->key_id);
1011
1012 /* If we are using tls-crypt-v2 we manipulate the packet id to be (ab)used
1013 * to indicate early protocol negotiation */
1014 if (session->opt->tls_crypt_v2)
1015 {
1016 session->tls_wrap.opt.packet_id.send.time = now;
1017 session->tls_wrap.opt.packet_id.send.id = EARLY_NEG_START;
1018 }
1019
1020 /* load most recent packet-id to replay protect on --tls-auth */
1021 packet_id_persist_load_obj(session->tls_wrap.opt.pid_persist, &session->tls_wrap.opt.packet_id);
1022
1023 key_state_init(session, &session->key[KS_PRIMARY]);
1024
1025 dmsg(D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
1026 session_id_print(&session->session_id, &gc));
1027
1028 gc_free(&gc);
1029}
1030
1046static void
1047tls_session_free(struct tls_session *session, bool clear)
1048{
1049 tls_wrap_free(&session->tls_wrap);
1050 tls_wrap_free(&session->tls_wrap_reneg);
1051
1052 for (size_t i = 0; i < KS_SIZE; ++i)
1053 {
1054 /* we don't need clear=true for this call since
1055 * the structs are part of session and get cleared
1056 * as part of session */
1057 key_state_free(&session->key[i], false);
1058 }
1059
1060 free(session->common_name);
1061
1062 cert_hash_free(session->cert_hash_set);
1063
1064 if (clear)
1065 {
1066 secure_memzero(session, sizeof(*session));
1067 }
1068}
1069
1075static void
1076move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
1077{
1078 msg(D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
1079 session_index_name(dest), session_index_name(src), reinit_src);
1080 ASSERT(src != dest);
1081 ASSERT(src >= 0 && src < TM_SIZE);
1082 ASSERT(dest >= 0 && dest < TM_SIZE);
1083 tls_session_free(&multi->session[dest], false);
1084 multi->session[dest] = multi->session[src];
1085
1086 if (reinit_src)
1087 {
1088 tls_session_init(multi, &multi->session[src]);
1089 }
1090 else
1091 {
1092 secure_memzero(&multi->session[src], sizeof(multi->session[src]));
1093 }
1094
1095 dmsg(D_TLS_DEBUG, "TLS: move_session: exit");
1096}
1097
1098static void
1099reset_session(struct tls_multi *multi, struct tls_session *session)
1100{
1101 tls_session_free(session, false);
1102 tls_session_init(multi, session);
1103}
1104
1105/*
1106 * Used to determine in how many seconds we should be
1107 * called again.
1108 */
1109static inline void
1110compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
1111{
1112 if (seconds_from_now < *earliest)
1113 {
1114 *earliest = (interval_t)seconds_from_now;
1115 }
1116 if (*earliest < 0)
1117 {
1118 *earliest = 0;
1119 }
1120}
1121
1122/*
1123 * Return true if "lame duck" or retiring key has expired and can
1124 * no longer be used.
1125 */
1126static inline bool
1127lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
1128{
1129 const struct key_state *lame = &session->key[KS_LAME_DUCK];
1130 if (lame->state >= S_INITIAL)
1131 {
1132 ASSERT(lame->must_die); /* a lame duck key must always have an expiration */
1133 if (now < lame->must_die)
1134 {
1135 compute_earliest_wakeup(wakeup, lame->must_die - now);
1136 return false;
1137 }
1138 else
1139 {
1140 return true;
1141 }
1142 }
1143 else if (lame->state == S_ERROR)
1144 {
1145 return true;
1146 }
1147 else
1148 {
1149 return false;
1150 }
1151}
1152
1153struct tls_multi *
1154tls_multi_init(struct tls_options *tls_options)
1155{
1156 struct tls_multi *ret;
1157
1158 ALLOC_OBJ_CLEAR(ret, struct tls_multi);
1159
1160 /* get command line derived options */
1161 ret->opt = *tls_options;
1162 ret->dco_peer_id = -1;
1163 ret->peer_id = MAX_PEER_ID;
1164
1165 return ret;
1166}
1167
1168void
1169tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
1170{
1171 tls_init_control_channel_frame_parameters(&multi->opt.frame, tls_mtu);
1172 /* initialize the active and untrusted sessions */
1173
1174 tls_session_init(multi, &multi->session[TM_ACTIVE]);
1175 tls_session_init(multi, &multi->session[TM_INITIAL]);
1176}
1177
1178/*
1179 * Initialize and finalize a standalone tls-auth verification object.
1180 */
1181
1182struct tls_auth_standalone *
1183tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
1184{
1185 struct tls_auth_standalone *tas;
1186
1187 ALLOC_OBJ_CLEAR_GC(tas, struct tls_auth_standalone, gc);
1188
1189 tas->tls_wrap = tls_options->tls_wrap;
1190
1191 /*
1192 * Standalone tls-auth is in read-only mode with respect to TLS
1193 * control channel state. After we build a new client instance
1194 * object, we will process this session-initiating packet for real.
1195 */
1196 tas->tls_wrap.opt.flags |= CO_IGNORE_PACKET_ID;
1197
1198 /* get initial frame parms, still need to finalize */
1199 tas->frame = tls_options->frame;
1200
1201 packet_id_init(&tas->tls_wrap.opt.packet_id, tls_options->replay_window,
1202 tls_options->replay_time, "TAS", 0);
1203
1204 return tas;
1205}
1206
1207void
1208tls_auth_standalone_free(struct tls_auth_standalone *tas)
1209{
1210 if (!tas)
1211 {
1212 return;
1213 }
1214
1215 packet_id_free(&tas->tls_wrap.opt.packet_id);
1216}
1217
1218/*
1219 * Set local and remote option compatibility strings.
1220 * Used to verify compatibility of local and remote option
1221 * sets.
1222 */
1223void
1224tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
1225{
1226 /* initialize options string */
1227 multi->opt.local_options = local;
1228 multi->opt.remote_options = remote;
1229}
1230
1231/*
1232 * Cleanup a tls_multi structure and free associated memory allocations.
1233 */
1234void
1235tls_multi_free(struct tls_multi *multi, bool clear)
1236{
1237 ASSERT(multi);
1238
1239 auth_set_client_reason(multi, NULL);
1240
1241 free(multi->peer_info);
1242 free(multi->locked_cn);
1243 free(multi->locked_username);
1244 free(multi->locked_original_username);
1245
1246 cert_hash_free(multi->locked_cert_hash_set);
1247
1248 wipe_auth_token(multi);
1249
1250 free(multi->remote_ciphername);
1251
1252 for (int i = 0; i < TM_SIZE; ++i)
1253 {
1254 tls_session_free(&multi->session[i], false);
1255 }
1256
1257 if (clear)
1258 {
1259 secure_memzero(multi, sizeof(*multi));
1260 }
1261
1262 free(multi);
1263}
1264
1265/*
1266 * For debugging, print contents of key_source2 structure.
1267 */
1268
1269static void
1270key_source_print(const struct key_source *k, const char *prefix)
1271{
1272 struct gc_arena gc = gc_new();
1273
1274 VALGRIND_MAKE_READABLE((void *)k->pre_master, sizeof(k->pre_master));
1275 VALGRIND_MAKE_READABLE((void *)k->random1, sizeof(k->random1));
1276 VALGRIND_MAKE_READABLE((void *)k->random2, sizeof(k->random2));
1277
1278 dmsg(D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix,
1279 format_hex(k->pre_master, sizeof(k->pre_master), 0, &gc));
1280 dmsg(D_SHOW_KEY_SOURCE, "%s random1: %s", prefix,
1281 format_hex(k->random1, sizeof(k->random1), 0, &gc));
1282 dmsg(D_SHOW_KEY_SOURCE, "%s random2: %s", prefix,
1283 format_hex(k->random2, sizeof(k->random2), 0, &gc));
1284
1285 gc_free(&gc);
1286}
1287
1288static void
1289key_source2_print(const struct key_source2 *k)
1290{
1291 key_source_print(&k->client, "Client");
1292 key_source_print(&k->server, "Server");
1293}
1294
1295static bool
1296openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed,
1297 size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len,
1298 const struct session_id *client_sid, const struct session_id *server_sid,
1299 uint8_t *output, size_t output_len)
1300{
1301 /* concatenate seed components */
1302
1303 struct buffer seed =
1304 alloc_buf(strlen(label) + client_seed_len + server_seed_len + SID_SIZE * 2);
1305
1306 ASSERT(buf_write(&seed, label, strlen(label)));
1307 ASSERT(buf_write(&seed, client_seed, client_seed_len));
1308 ASSERT(buf_write(&seed, server_seed, server_seed_len));
1309
1310 if (client_sid)
1311 {
1312 ASSERT(buf_write(&seed, client_sid->id, SID_SIZE));
1313 }
1314 if (server_sid)
1315 {
1316 ASSERT(buf_write(&seed, server_sid->id, SID_SIZE));
1317 }
1318
1319 /* compute PRF */
1320 bool ret = ssl_tls1_PRF(BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
1321
1322 buf_clear(&seed);
1323 free_buf(&seed);
1324
1325 VALGRIND_MAKE_READABLE((void *)output, output_len);
1326 return ret;
1327}
1328
1329static void
1330init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1331 bool server, struct key2 *key2)
1332{
1333 /* For now we hardcode this to be 16 for the software based data channel
1334 * DCO based implementations/HW implementation might adjust this number
1335 * based on their expected speed */
1336 const uint8_t future_key_count = 16;
1337
1338 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1339 struct key_direction_state kds;
1340 key_direction_state_init(&kds, key_direction);
1341
1342 struct crypto_options *co = &ks->crypto_options;
1343
1344 /* For the epoch key we use the first 32 bytes of key2 cipher keys
1345 * for the initial secret */
1346 struct epoch_key e1_send = { 0 };
1347 e1_send.epoch = 1;
1348 memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key));
1349
1350 struct epoch_key e1_recv = { 0 };
1351 e1_recv.epoch = 1;
1352 memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key));
1353
1354 /* DCO implementations have two choices at this point.
1355 *
1356 * a) (more likely) they probably to pass E1 directly to kernel
1357 * space at this point and do all the other key derivation in kernel
1358 *
1359 * b) They let userspace do the key derivation and pass all the individual
1360 * keys to the DCO layer.
1361 * */
1362 epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count);
1363
1364 secure_memzero(&e1_send, sizeof(e1_send));
1365 secure_memzero(&e1_recv, sizeof(e1_recv));
1366}
1367
1368static void
1369init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type,
1370 bool server, struct key2 *key2, bool dco_enabled)
1371{
1372 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1373
1374 /* Initialize key contexts */
1375 int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
1376
1377 if (dco_enabled)
1378 {
1379 if (key->encrypt.hmac)
1380 {
1381 msg(M_FATAL, "FATAL: DCO does not support --auth");
1382 }
1383
1384 int ret = init_key_dco_bi(multi, ks, key2, key_direction, key_type->cipher, server);
1385 if (ret < 0)
1386 {
1387 msg(M_FATAL, "Impossible to install key material in DCO: %s", strerror(-ret));
1388 }
1389
1390 /* encrypt/decrypt context are unused with DCO */
1391 CLEAR(key->encrypt);
1392 CLEAR(key->decrypt);
1393 key->initialized = true;
1394 }
1395 else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT)
1396 {
1397 if (!cipher_kt_mode_aead(key_type->cipher))
1398 {
1399 msg(M_FATAL,
1400 "AEAD cipher (currently %s) "
1401 "required for epoch data format.",
1402 cipher_kt_name(key_type->cipher));
1403 }
1404 init_epoch_keys(ks, multi, key_type, server, key2);
1405 }
1406 else
1407 {
1408 init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel");
1409 }
1410}
1411
1412static bool
1413generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
1414{
1415 if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
1416 strlen(EXPORT_KEY_DATA_LABEL), key2->keys,
1417 sizeof(key2->keys)))
1418 {
1419 return false;
1420 }
1421 key2->n = 2;
1422
1423 return true;
1424}
1425
1426static bool
1427generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
1428{
1429 uint8_t master[48] = { 0 };
1430
1431 const struct key_state *ks = &session->key[KS_PRIMARY];
1432 const struct key_source2 *key_src = ks->key_src;
1433
1434 const struct session_id *client_sid =
1435 session->opt->server ? &ks->session_id_remote : &session->session_id;
1436 const struct session_id *server_sid =
1437 !session->opt->server ? &ks->session_id_remote : &session->session_id;
1438
1439 /* debugging print of source key material */
1440 key_source2_print(key_src);
1441
1442 /* compute master secret */
1443 if (!openvpn_PRF(key_src->client.pre_master, sizeof(key_src->client.pre_master),
1444 KEY_EXPANSION_ID " master secret", key_src->client.random1,
1445 sizeof(key_src->client.random1), key_src->server.random1,
1446 sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)))
1447 {
1448 return false;
1449 }
1450
1451 /* compute key expansion */
1452 if (!openvpn_PRF(master, sizeof(master), KEY_EXPANSION_ID " key expansion",
1453 key_src->client.random2, sizeof(key_src->client.random2),
1454 key_src->server.random2, sizeof(key_src->server.random2), client_sid,
1455 server_sid, (uint8_t *)key2->keys, sizeof(key2->keys)))
1456 {
1457 return false;
1458 }
1459 secure_memzero(&master, sizeof(master));
1460
1461 key2->n = 2;
1462
1463 return true;
1464}
1465
1466/*
1467 * Using source entropy from local and remote hosts, mix into
1468 * master key.
1469 */
1470static bool
1471generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
1472{
1473 struct key_ctx_bi *key = &ks->crypto_options.key_ctx_bi;
1474 bool ret = false;
1475 struct key2 key2;
1476
1477 if (key->initialized)
1478 {
1479 msg(D_TLS_ERRORS, "TLS Error: key already initialized");
1480 goto exit;
1481 }
1482
1483 bool server = session->opt->server;
1484
1485 if (session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT)
1486 {
1487 if (!generate_key_expansion_tls_export(session, &key2))
1488 {
1489 msg(D_TLS_ERRORS, "TLS Error: Keying material export failed");
1490 goto exit;
1491 }
1492 }
1493 else
1494 {
1495 if (!generate_key_expansion_openvpn_prf(session, &key2))
1496 {
1497 msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system "
1498 "might not support the old TLS 1.0 PRF calculation anymore or "
1499 "the policy does not allow it (e.g. running in FIPS mode). "
1500 "The peer did not announce support for the modern TLS Export "
1501 "feature that replaces the TLS 1.0 PRF (requires OpenVPN "
1502 "2.6.x or higher)");
1503 goto exit;
1504 }
1505 }
1506
1507 key2_print(&key2, &session->opt->key_type, "Master Encrypt", "Master Decrypt");
1508
1509 /* check for weak keys */
1510 for (int i = 0; i < 2; ++i)
1511 {
1512 if (!check_key(&key2.keys[i], &session->opt->key_type))
1513 {
1514 msg(D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
1515 goto exit;
1516 }
1517 }
1518
1519 init_key_contexts(ks, multi, &session->opt->key_type, server, &key2, session->opt->dco_enabled);
1520 ret = true;
1521
1522exit:
1523 secure_memzero(&key2, sizeof(key2));
1524
1525 return ret;
1526}
1527
1534bool
1535tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
1536{
1537 bool ret = false;
1538 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1539
1540 if (ks->authenticated <= KS_AUTH_FALSE)
1541 {
1542 msg(D_TLS_ERRORS, "TLS Error: key_state not authenticated");
1543 goto cleanup;
1544 }
1545
1546 ks->crypto_options.flags = session->opt->crypto_flags;
1547
1548 if (!generate_key_expansion(multi, ks, session))
1549 {
1550 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
1551 goto cleanup;
1552 }
1553 tls_limit_reneg_bytes(session->opt->key_type.cipher, &session->opt->renegotiate_bytes);
1554
1555 session->opt->aead_usage_limit = tls_get_limit_aead(session->opt->key_type.cipher);
1556
1557 /* set the state of the keys for the session to generated */
1558 ks->state = S_GENERATED_KEYS;
1559
1560 ret = true;
1561cleanup:
1562 secure_memzero(ks->key_src, sizeof(*ks->key_src));
1563 return ret;
1564}
1565
1566bool
1567tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session,
1568 struct options *options, struct frame *frame,
1569 struct frame *frame_fragment, struct link_socket_info *lsi,
1570 dco_context_t *dco)
1571{
1572 if (session->key[KS_PRIMARY].crypto_options.key_ctx_bi.initialized)
1573 {
1574 /* keys already generated, nothing to do */
1575 return true;
1576 }
1577
1578 init_key_type(&session->opt->key_type, options->ciphername, options->authname, true, true);
1579
1580 bool packet_id_long_form = cipher_kt_mode_ofb_cfb(session->opt->key_type.cipher);
1581 session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
1582 if (packet_id_long_form)
1583 {
1584 session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
1585 }
1586
1587 frame_calculate_dynamic(frame, &session->opt->key_type, options, lsi);
1588
1589 frame_print(frame, D_MTU_INFO, "Data Channel MTU parms");
1590
1591 /*
1592 * mssfix uses data channel framing, which at this point contains
1593 * actual overhead. Fragmentation logic uses frame_fragment, which
1594 * still contains worst case overhead. Replace it with actual overhead
1595 * to prevent unneeded fragmentation.
1596 */
1597
1598 if (frame_fragment)
1599 {
1600 frame_calculate_dynamic(frame_fragment, &session->opt->key_type, options, lsi);
1601 frame_print(frame_fragment, D_MTU_INFO, "Fragmentation MTU parms");
1602 }
1603
1604 if (session->key[KS_PRIMARY].key_id == 0
1605 && session->opt->crypto_flags & CO_USE_DYNAMIC_TLS_CRYPT)
1606 {
1607 /* If dynamic tls-crypt has been negotiated, and we are on the
1608 * first session (key_id = 0), generate a tls-crypt key for the
1609 * following renegotiations */
1610 if (!tls_session_generate_dynamic_tls_crypt_key(session))
1611 {
1612 return false;
1613 }
1614 }
1615
1616 if (dco_enabled(options))
1617 {
1618 /* dco_set_peer() must be called if either keepalive or
1619 * mssfix are set to update in-kernel config */
1620 if (options->ping_send_timeout || frame->mss_fix)
1621 {
1622 int ret = dco_set_peer(dco, multi->dco_peer_id, options->ping_send_timeout,
1623 options->ping_rec_timeout, frame->mss_fix);
1624 if (ret < 0)
1625 {
1626 msg(D_DCO, "Cannot set DCO peer parameters for peer (id=%u): %s",
1627 multi->dco_peer_id, strerror(-ret));
1628 return false;
1629 }
1630 }
1631 }
1632 return tls_session_generate_data_channel_keys(multi, session);
1633}
1634
1635bool
1636tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session,
1637 struct options *options, struct frame *frame,
1638 struct frame *frame_fragment, struct link_socket_info *lsi,
1639 dco_context_t *dco)
1640{
1641 if (!check_session_cipher(session, options))
1642 {
1643 return false;
1644 }
1645
1646 /* Import crypto settings that might be set by pull/push */
1647 session->opt->crypto_flags |= options->imported_protocol_flags;
1648
1649 return tls_session_update_crypto_params_do_work(multi, session, options, frame, frame_fragment,
1650 lsi, dco);
1651}
1652
1653
1654static bool
1655random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
1656{
1657 if (!rand_bytes(out, outlen))
1658 {
1659 msg(M_FATAL,
1660 "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
1661 }
1662 if (!buf_write(buf, out, outlen))
1663 {
1664 return false;
1665 }
1666 return true;
1667}
1668
1669static bool
1670key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
1671{
1672 struct key_source *k = &k2->client;
1673 if (server)
1674 {
1675 k = &k2->server;
1676 }
1677
1678 CLEAR(*k);
1679
1680 if (!server)
1681 {
1682 if (!random_bytes_to_buf(buf, k->pre_master, sizeof(k->pre_master)))
1683 {
1684 return false;
1685 }
1686 }
1687
1688 if (!random_bytes_to_buf(buf, k->random1, sizeof(k->random1)))
1689 {
1690 return false;
1691 }
1692 if (!random_bytes_to_buf(buf, k->random2, sizeof(k->random2)))
1693 {
1694 return false;
1695 }
1696
1697 return true;
1698}
1699
1700static int
1701key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
1702{
1703 struct key_source *k = &k2->client;
1704
1705 if (!server)
1706 {
1707 k = &k2->server;
1708 }
1709
1710 CLEAR(*k);
1711
1712 if (server)
1713 {
1714 if (!buf_read(buf, k->pre_master, sizeof(k->pre_master)))
1715 {
1716 return 0;
1717 }
1718 }
1719
1720 if (!buf_read(buf, k->random1, sizeof(k->random1)))
1721 {
1722 return 0;
1723 }
1724 if (!buf_read(buf, k->random2, sizeof(k->random2)))
1725 {
1726 return 0;
1727 }
1728
1729 return 1;
1730}
1731
1732static void
1733flush_payload_buffer(struct key_state *ks)
1734{
1735 struct buffer *b;
1736
1737 while ((b = buffer_list_peek(ks->paybuf)))
1738 {
1739 key_state_write_plaintext_const(&ks->ks_ssl, b->data, b->len);
1740 buffer_list_pop(ks->paybuf);
1741 }
1742}
1743
1744/*
1745 * Move the active key to the lame duck key and reinitialize the
1746 * active key.
1747 */
1748static void
1749key_state_soft_reset(struct tls_session *session)
1750{
1751 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
1752 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
1753
1754 ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
1755 key_state_free(ks_lame, false);
1756 *ks_lame = *ks;
1757
1758 key_state_init(session, ks);
1759 ks->session_id_remote = ks_lame->session_id_remote;
1760 ks->remote_addr = ks_lame->remote_addr;
1761}
1762
1763void
1768
1769/*
1770 * Read/write strings from/to a struct buffer with a u16 length prefix.
1771 */
1772
1773static bool
1774write_empty_string(struct buffer *buf)
1775{
1776 if (!buf_write_u16(buf, 0))
1777 {
1778 return false;
1779 }
1780 return true;
1781}
1782
1783static bool
1784write_string(struct buffer *buf, const char *str, const int maxlen)
1785{
1786 const size_t len = strlen(str) + 1;
1787 const size_t real_maxlen = (maxlen >= 0 && maxlen <= UINT16_MAX) ? (size_t)maxlen : UINT16_MAX;
1788 if (len > real_maxlen)
1789 {
1790 return false;
1791 }
1792 if (!buf_write_u16(buf, (uint16_t)len))
1793 {
1794 return false;
1795 }
1796 if (!buf_write(buf, str, len))
1797 {
1798 return false;
1799 }
1800 return true;
1801}
1802
1813static int
1814read_string(struct buffer *buf, char *str, const unsigned int capacity)
1815{
1816 const int len = buf_read_u16(buf);
1817 if (len < 1 || len > (int)capacity)
1818 {
1819 buf_advance(buf, len);
1820
1821 /* will also return 0 for a no string being present */
1822 return -len;
1823 }
1824 if (!buf_read(buf, str, len))
1825 {
1826 return -len;
1827 }
1828 str[len - 1] = '\0';
1829 return len;
1830}
1831
1832static char *
1833read_string_alloc(struct buffer *buf)
1834{
1835 const int len = buf_read_u16(buf);
1836 char *str;
1837
1838 if (len < 1)
1839 {
1840 return NULL;
1841 }
1842 str = (char *)malloc(len);
1843 check_malloc_return(str);
1844 if (!buf_read(buf, str, len))
1845 {
1846 free(str);
1847 return NULL;
1848 }
1849 str[len - 1] = '\0';
1850 return str;
1851}
1852
1868static bool
1869push_peer_info(struct buffer *buf, struct tls_session *session)
1870{
1871 struct gc_arena gc = gc_new();
1872 bool ret = false;
1873 struct buffer out = alloc_buf_gc(512 * 3, &gc);
1874
1875 if (session->opt->push_peer_info_detail > 1)
1876 {
1877 /* push version */
1878 buf_printf(&out, "IV_VER=%s\n", PACKAGE_VERSION);
1879
1880 /* push platform */
1881#if defined(TARGET_LINUX)
1882 buf_printf(&out, "IV_PLAT=linux\n");
1883#elif defined(TARGET_SOLARIS)
1884 buf_printf(&out, "IV_PLAT=solaris\n");
1885#elif defined(TARGET_OPENBSD)
1886 buf_printf(&out, "IV_PLAT=openbsd\n");
1887#elif defined(TARGET_DARWIN)
1888 buf_printf(&out, "IV_PLAT=mac\n");
1889#elif defined(TARGET_NETBSD)
1890 buf_printf(&out, "IV_PLAT=netbsd\n");
1891#elif defined(TARGET_FREEBSD)
1892 buf_printf(&out, "IV_PLAT=freebsd\n");
1893#elif defined(TARGET_ANDROID)
1894 buf_printf(&out, "IV_PLAT=android\n");
1895#elif defined(_WIN32)
1896 buf_printf(&out, "IV_PLAT=win\n");
1897#endif
1898 /* Announce that we do not require strict sequence numbers with
1899 * TCP. (TCP non-linear) */
1900 buf_printf(&out, "IV_TCPNL=1\n");
1901 }
1902
1903 /* These are the IV variable that are sent to peers in p2p mode */
1904 if (session->opt->push_peer_info_detail > 0)
1905 {
1906 /* support for P_DATA_V2 */
1907 int iv_proto = IV_PROTO_DATA_V2;
1908
1909 /* support for the latest --dns option */
1910 iv_proto |= IV_PROTO_DNS_OPTION_V2;
1911
1912 /* support for exit notify via control channel */
1913 iv_proto |= IV_PROTO_CC_EXIT_NOTIFY;
1914
1915 /* currently push-update is not supported when DCO is enabled */
1916 if (!session->opt->dco_enabled)
1917 {
1918 /* support push-updates */
1919 iv_proto |= IV_PROTO_PUSH_UPDATE;
1920 }
1921
1922 if (session->opt->pull)
1923 {
1924 /* support for receiving push_reply before sending
1925 * push request, also signal that the client wants
1926 * to get push-reply messages without requiring a round
1927 * trip for a push request message*/
1928 iv_proto |= IV_PROTO_REQUEST_PUSH;
1929
1930 /* Support keywords in the AUTH_PENDING control message */
1931 iv_proto |= IV_PROTO_AUTH_PENDING_KW;
1932
1933 /* support for AUTH_FAIL,TEMP control message */
1934 iv_proto |= IV_PROTO_AUTH_FAIL_TEMP;
1935
1936 /* support for tun-mtu as part of the push message */
1937 buf_printf(&out, "IV_MTU=%d\n", session->opt->frame.tun_max_mtu);
1938 }
1939
1940 /* support for Negotiable Crypto Parameters */
1941 if (session->opt->mode == MODE_SERVER || session->opt->pull)
1942 {
1943 if (tls_item_in_cipher_list("AES-128-GCM", session->opt->config_ncp_ciphers)
1944 && tls_item_in_cipher_list("AES-256-GCM", session->opt->config_ncp_ciphers))
1945 {
1946 buf_printf(&out, "IV_NCP=2\n");
1947 }
1948 }
1949 else
1950 {
1951 /* We are not using pull or p2mp server, instead do P2P NCP */
1952 iv_proto |= IV_PROTO_NCP_P2P;
1953 }
1954
1955 if (session->opt->data_epoch_supported)
1956 {
1957 iv_proto |= IV_PROTO_DATA_EPOCH;
1958 }
1959
1960 buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers);
1961
1962 iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
1963 iv_proto |= IV_PROTO_DYN_TLS_CRYPT;
1964
1965 buf_printf(&out, "IV_PROTO=%d\n", iv_proto);
1966
1967 if (session->opt->push_peer_info_detail > 1)
1968 {
1969 /* push compression status */
1970#ifdef USE_COMP
1971 comp_generate_peer_info_string(&session->opt->comp_options, &out);
1972#endif
1973 }
1974
1975 if (session->opt->push_peer_info_detail > 2)
1976 {
1977 /* push mac addr */
1978 struct route_gateway_info rgi;
1979 get_default_gateway(&rgi, 0, session->opt->net_ctx);
1980 if (rgi.flags & RGI_HWADDR_DEFINED)
1981 {
1982 buf_printf(&out, "IV_HWADDR=%s\n", format_hex_ex(rgi.hwaddr, 6, 0, 1, ":", &gc));
1983 }
1984 buf_printf(&out, "IV_SSL=%s\n", get_ssl_library_version());
1985#if defined(_WIN32)
1986 buf_printf(&out, "IV_PLAT_VER=%s\n", win32_version_string(&gc));
1987#else
1988 struct utsname u;
1989 uname(&u);
1990 buf_printf(&out, "IV_PLAT_VER=%s\n", u.release);
1991#endif
1992 }
1993
1994 if (session->opt->push_peer_info_detail > 1)
1995 {
1996 struct env_set *es = session->opt->es;
1997 /* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
1998 for (struct env_item *e = es->list; e != NULL; e = e->next)
1999 {
2000 if (e->string)
2001 {
2002 if ((((strncmp(e->string, "UV_", 3) == 0
2003 || strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=") - 1) == 0)
2004 && session->opt->push_peer_info_detail > 2)
2005 || (strncmp(e->string, "IV_GUI_VER=", sizeof("IV_GUI_VER=") - 1) == 0)
2006 || (strncmp(e->string, "IV_SSO=", sizeof("IV_SSO=") - 1) == 0))
2007 && buf_safe(&out, strlen(e->string) + 1))
2008 {
2009 buf_printf(&out, "%s\n", e->string);
2010 }
2011 }
2012 }
2013 }
2014
2015 if (!write_string(buf, BSTR(&out), -1))
2016 {
2017 goto error;
2018 }
2019 }
2020 else
2021 {
2022 if (!write_empty_string(buf)) /* no peer info */
2023 {
2024 goto error;
2025 }
2026 }
2027 ret = true;
2028
2029error:
2030 gc_free(&gc);
2031 return ret;
2032}
2033
2034#ifdef USE_COMP
2035static bool
2036write_compat_local_options(struct buffer *buf, const char *options)
2037{
2038 struct gc_arena gc = gc_new();
2039 const char *local_options = options_string_compat_lzo(options, &gc);
2040 bool ret = write_string(buf, local_options, TLS_OPTIONS_LEN);
2041 gc_free(&gc);
2042 return ret;
2043}
2044#endif
2045
2050static bool
2051key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2052{
2053 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2054
2055 ASSERT(buf_init(buf, 0));
2056
2057 /* write a uint32 0 */
2058 if (!buf_write_u32(buf, 0))
2059 {
2060 goto error;
2061 }
2062
2063 /* write key_method + flags */
2064 if (!buf_write_u8(buf, KEY_METHOD_2))
2065 {
2066 goto error;
2067 }
2068
2069 /* write key source material */
2070 if (!key_source2_randomize_write(ks->key_src, buf, session->opt->server))
2071 {
2072 goto error;
2073 }
2074
2075 /* write options string */
2076 {
2077#ifdef USE_COMP
2078 if (multi->remote_usescomp && session->opt->mode == MODE_SERVER
2079 && multi->opt.comp_options.flags & COMP_F_MIGRATE)
2080 {
2081 if (!write_compat_local_options(buf, session->opt->local_options))
2082 {
2083 goto error;
2084 }
2085 }
2086 else
2087#endif
2088 if (!write_string(buf, session->opt->local_options, TLS_OPTIONS_LEN))
2089 {
2090 goto error;
2091 }
2092 }
2093
2094 /* write username/password if specified or we are using a auth-token */
2095 if (auth_user_pass_enabled || (auth_token.token_defined && auth_token.defined))
2096 {
2097#ifdef ENABLE_MANAGEMENT
2098 auth_user_pass_setup(session->opt->auth_user_pass_file,
2099 session->opt->auth_user_pass_file_inline, session->opt->sci);
2100#else
2101 auth_user_pass_setup(session->opt->auth_user_pass_file,
2102 session->opt->auth_user_pass_file_inline, NULL);
2103#endif
2104 struct user_pass *up = &auth_user_pass;
2105
2106 /*
2107 * If we have a valid auth-token, send that instead of real
2108 * username/password
2109 */
2110 if (auth_token.token_defined && auth_token.defined)
2111 {
2112 up = &auth_token;
2113 }
2114 unprotect_user_pass(up);
2115
2116 if (!write_string(buf, up->username, -1))
2117 {
2118 goto error;
2119 }
2120 else if (!write_string(buf, up->password, -1))
2121 {
2122 goto error;
2123 }
2124 /* save username for auth-token which may get pushed later */
2125 if (session->opt->pull && up != &auth_token)
2126 {
2127 unprotect_user_pass(&auth_token);
2128 strncpynt(auth_token.username, up->username, USER_PASS_LEN);
2129 protect_user_pass(&auth_token);
2130 }
2131 protect_user_pass(up);
2132 /* respect auth-nocache */
2133 purge_user_pass(&auth_user_pass, false);
2134 }
2135 else
2136 {
2137 if (!write_empty_string(buf)) /* no username */
2138 {
2139 goto error;
2140 }
2141 if (!write_empty_string(buf)) /* no password */
2142 {
2143 goto error;
2144 }
2145 }
2146
2147 if (!push_peer_info(buf, session))
2148 {
2149 goto error;
2150 }
2151
2152 if (session->opt->server && session->opt->mode != MODE_SERVER && ks->key_id == 0)
2153 {
2154 /* tls-server option set and not P2MP server, so we
2155 * are a P2P client running in tls-server mode */
2156 p2p_mode_ncp(multi, session);
2157 }
2158
2159 return true;
2160
2161error:
2162 msg(D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
2163 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2164 return false;
2165}
2166
2167static void
2168export_user_keying_material(struct tls_session *session)
2169{
2170 if (session->opt->ekm_size > 0)
2171 {
2172 const size_t size = session->opt->ekm_size;
2173 struct gc_arena gc = gc_new();
2174
2175 unsigned char *ekm = gc_malloc(size, true, &gc);
2176 if (key_state_export_keying_material(session, session->opt->ekm_label,
2177 session->opt->ekm_label_size, ekm,
2178 session->opt->ekm_size))
2179 {
2180 const size_t len = (size * 2) + 2;
2181
2182 const char *key = format_hex_ex(ekm, size, len, 0, NULL, &gc);
2183 setenv_str(session->opt->es, "exported_keying_material", key);
2184
2185 dmsg(D_TLS_DEBUG_MED, "%s: exported keying material: %s", __func__, key);
2186 secure_memzero(ekm, size);
2187 }
2188 else
2189 {
2190 msg(M_WARN, "WARNING: Export keying material failed!");
2191 setenv_del(session->opt->es, "exported_keying_material");
2192 }
2193 gc_free(&gc);
2194 }
2195}
2196
2201static bool
2202key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
2203{
2204 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2205
2206 struct gc_arena gc = gc_new();
2207 char *options;
2208 struct user_pass *up = NULL;
2209
2210 /* allocate temporary objects */
2211 ALLOC_ARRAY_CLEAR_GC(options, char, TLS_OPTIONS_LEN, &gc);
2212
2213 /* discard leading uint32 */
2214 if (!buf_advance(buf, 4))
2215 {
2216 msg(D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len);
2217 goto error;
2218 }
2219
2220 /* get key method */
2221 int key_method_flags = buf_read_u8(buf);
2222 if ((key_method_flags & KEY_METHOD_MASK) != 2)
2223 {
2224 msg(D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host",
2225 key_method_flags);
2226 goto error;
2227 }
2228
2229 /* get key source material (not actual keys yet) */
2230 if (!key_source2_read(ks->key_src, buf, session->opt->server))
2231 {
2232 msg(D_TLS_ERRORS,
2233 "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
2234 goto error;
2235 }
2236
2237 /* get options */
2238 if (read_string(buf, options, TLS_OPTIONS_LEN) < 0)
2239 {
2240 msg(D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
2241 goto error;
2242 }
2243
2244 ks->authenticated = KS_AUTH_FALSE;
2245
2246 /* always extract username + password fields from buf, even if not
2247 * authenticating for it, because otherwise we can't get at the
2248 * peer_info data which follows behind
2249 */
2250 ALLOC_OBJ_CLEAR_GC(up, struct user_pass, &gc);
2251 int username_len = read_string(buf, up->username, USER_PASS_LEN);
2252 int password_len = read_string(buf, up->password, USER_PASS_LEN);
2253
2254 /* get peer info from control channel */
2255 free(multi->peer_info);
2256 multi->peer_info = read_string_alloc(buf);
2257 if (multi->peer_info)
2258 {
2259 output_peer_info_env(session->opt->es, multi->peer_info);
2260 }
2261
2262 free(multi->remote_ciphername);
2263 multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL);
2264 multi->remote_usescomp = strstr(options, ",comp-lzo,");
2265
2266 /* In OCC we send '[null-cipher]' instead 'none' */
2267 if (multi->remote_ciphername && strcmp(multi->remote_ciphername, "[null-cipher]") == 0)
2268 {
2269 free(multi->remote_ciphername);
2270 multi->remote_ciphername = string_alloc("none", NULL);
2271 }
2272
2273 if (username_len < 0 || password_len < 0)
2274 {
2275 msg(D_TLS_ERRORS, "TLS Error: Username (%d) or password (%d) too long", abs(username_len),
2276 abs(password_len));
2277 auth_set_client_reason(multi, "Username or password is too long. "
2278 "Maximum length is 128 bytes");
2279
2280 /* treat the same as failed username/password and do not error
2281 * out (goto error) to sent an AUTH_FAILED back to the client */
2282 ks->authenticated = KS_AUTH_FALSE;
2283 }
2284 else if (tls_session_user_pass_enabled(session))
2285 {
2286 /* Perform username/password authentication */
2287 if (!username_len || !password_len)
2288 {
2289 CLEAR(*up);
2290 if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL))
2291 {
2292 msg(D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
2293 goto error;
2294 }
2295 }
2296
2297 verify_user_pass(up, multi, session);
2298 }
2299 else
2300 {
2301 /* Session verification should have occurred during TLS negotiation*/
2302 if (!session->verified)
2303 {
2304 msg(D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)");
2305 goto error;
2306 }
2307 ks->authenticated = KS_AUTH_TRUE;
2308 }
2309
2310 /* clear username and password from memory */
2311 secure_memzero(up, sizeof(*up));
2312
2313 /* Perform final authentication checks */
2314 if (ks->authenticated > KS_AUTH_FALSE)
2315 {
2316 verify_final_auth_checks(multi, session);
2317 }
2318
2319 /* check options consistency */
2320 if (!options_cmp_equal(options, session->opt->remote_options))
2321 {
2322 const char *remote_options = session->opt->remote_options;
2323#ifdef USE_COMP
2324 if (multi->opt.comp_options.flags & COMP_F_MIGRATE && multi->remote_usescomp)
2325 {
2326 msg(D_PUSH, "Note: 'compress migrate' detected remote peer "
2327 "with compression enabled.");
2328 remote_options = options_string_compat_lzo(remote_options, &gc);
2329 }
2330#endif
2331
2332 options_warning(options, remote_options);
2333 }
2334
2335 buf_clear(buf);
2336
2337 /*
2338 * Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final
2339 * veto opportunity over authentication decision.
2340 */
2341 if ((ks->authenticated > KS_AUTH_FALSE)
2342 && plugin_defined(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL))
2343 {
2344 export_user_keying_material(session);
2345
2346 if (plugin_call(session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL,
2347 session->opt->es)
2348 != OPENVPN_PLUGIN_FUNC_SUCCESS)
2349 {
2350 ks->authenticated = KS_AUTH_FALSE;
2351 }
2352
2353 setenv_del(session->opt->es, "exported_keying_material");
2354 }
2355
2356 if (!session->opt->server && !session->opt->pull && ks->key_id == 0)
2357 {
2358 /* We are a p2p tls-client without pull, enable common
2359 * protocol options */
2360 p2p_mode_ncp(multi, session);
2361 }
2362
2363 gc_free(&gc);
2364 return true;
2365
2366error:
2367 ks->authenticated = KS_AUTH_FALSE;
2368 secure_memzero(ks->key_src, sizeof(*ks->key_src));
2369 if (up)
2370 {
2371 secure_memzero(up, sizeof(*up));
2372 }
2373 buf_clear(buf);
2374 gc_free(&gc);
2375 return false;
2376}
2377
2378static int
2379auth_deferred_expire_window(const struct tls_options *o)
2380{
2381 int ret = o->handshake_window;
2382 const int r2 = o->renegotiate_seconds / 2;
2383
2384 if (o->renegotiate_seconds && r2 < ret)
2385 {
2386 ret = r2;
2387 }
2388 return ret;
2389}
2390
2397static bool
2398session_move_pre_start(const struct tls_session *session, struct key_state *ks,
2399 bool skip_initial_send)
2400{
2401 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2402 if (!buf)
2403 {
2404 return false;
2405 }
2406
2407 ks->initial = now;
2408 ks->must_negotiate = now + session->opt->handshake_window;
2409 ks->auth_deferred_expire = now + auth_deferred_expire_window(session->opt);
2410
2411 /* null buffer */
2412 reliable_mark_active_outgoing(ks->send_reliable, buf, ks->initial_opcode);
2413
2414 /* If we want to skip sending the initial handshake packet we still generate
2415 * it to increase internal counters etc. but immediately mark it as done */
2416 if (skip_initial_send)
2417 {
2418 reliable_mark_deleted(ks->send_reliable, buf);
2419 }
2420 INCR_GENERATED;
2421
2422 ks->state = skip_initial_send ? S_PRE_START_SKIP : S_PRE_START;
2423
2424 struct gc_arena gc = gc_new();
2425 dmsg(D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
2426 session_id_print(&session->session_id, &gc));
2427 gc_free(&gc);
2428
2429#ifdef ENABLE_MANAGEMENT
2430 if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
2431 {
2432 management_set_state(management, OPENVPN_STATE_WAIT, NULL, NULL, NULL, NULL, NULL);
2433 }
2434#endif
2435 return true;
2436}
2437
2442static void
2443session_move_active(struct tls_multi *multi, struct tls_session *session,
2444 struct link_socket_info *to_link_socket_info, struct key_state *ks)
2445{
2446 dmsg(D_TLS_DEBUG_MED, "STATE S_ACTIVE");
2447
2448 ks->established = now;
2449 if (check_debug_level(D_HANDSHAKE))
2450 {
2451 print_details(&ks->ks_ssl, "Control Channel:");
2452 }
2453 ks->state = S_ACTIVE;
2454 /* Cancel negotiation timeout */
2455 ks->must_negotiate = 0;
2456 INCR_SUCCESS;
2457
2458 /* Set outgoing address for data channel packets */
2459 link_socket_set_outgoing_addr(to_link_socket_info, &ks->remote_addr, session->common_name,
2460 session->opt->es);
2461
2462 /* Check if we need to advance the tls_multi state machine */
2463 if (multi->multi_state == CAS_NOT_CONNECTED)
2464 {
2465 if (session->opt->mode == MODE_SERVER)
2466 {
2467 /* On a server we continue with running connect scripts next */
2468 multi->multi_state = CAS_WAITING_AUTH;
2469 }
2470 else
2471 {
2472 /* Skip the connect script related states */
2473 multi->multi_state = CAS_WAITING_OPTIONS_IMPORT;
2474 }
2475 }
2476
2477 /* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */
2478 flush_payload_buffer(ks);
2479
2480#ifdef MEASURE_TLS_HANDSHAKE_STATS
2481 show_tls_performance_stats();
2482#endif
2483}
2484
2485bool
2486session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state,
2487 struct link_socket_actual *from)
2488{
2489 struct key_state *ks = &session->key[KS_PRIMARY];
2490 ks->session_id_remote = state->peer_session_id;
2491 ks->remote_addr = *from;
2492 session->session_id = state->server_session_id;
2493 session->untrusted_addr = *from;
2494 session->burst = true;
2495
2496 /* The OpenVPN protocol implicitly mandates that packet id always start
2497 * from 0 in the RESET packets as OpenVPN 2.x will not allow gaps in the
2498 * ids and starts always from 0. Since we skip/ignore one (RESET) packet
2499 * in each direction, we need to set the ids to 1 */
2500 ks->rec_reliable->packet_id = 1;
2501 /* for ks->send_reliable->packet_id, session_move_pre_start moves the
2502 * counter to 1 */
2503 session->tls_wrap.opt.packet_id.send.id = 1;
2504 return session_move_pre_start(session, ks, true);
2505}
2506
2510static bool
2511parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
2512{
2513 while (buf->len > 0)
2514 {
2515 if (buf_len(buf) < 4)
2516 {
2517 goto error;
2518 }
2519 /* read type */
2520 int type = buf_read_u16(buf);
2521 int len = buf_read_u16(buf);
2522 if (type < 0 || len < 0 || buf_len(buf) < len)
2523 {
2524 goto error;
2525 }
2526
2527 switch (type)
2528 {
2529 case TLV_TYPE_EARLY_NEG_FLAGS:
2530 if (len != sizeof(uint16_t))
2531 {
2532 goto error;
2533 }
2534 int flags = buf_read_u16(buf);
2535
2536 if (flags & EARLY_NEG_FLAG_RESEND_WKC)
2537 {
2538 ks->crypto_options.flags |= CO_RESEND_WKC;
2539 }
2540 break;
2541
2542 default:
2543 /* Skip types we do not parse */
2544 buf_advance(buf, len);
2545 }
2546 }
2547 reliable_mark_deleted(ks->rec_reliable, buf);
2548
2549 return true;
2550error:
2551 msg(D_TLS_ERRORS, "TLS Error: Early negotiation malformed packet");
2552 return false;
2553}
2554
2559static bool
2560read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
2561{
2562 int status = 0;
2563 if (buf->len)
2564 {
2565 status = key_state_write_ciphertext(&ks->ks_ssl, buf);
2566 if (status == -1)
2567 {
2568 msg(D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error");
2569 return false;
2570 }
2571 }
2572 else
2573 {
2574 status = 1;
2575 }
2576 if (status == 1)
2577 {
2578 reliable_mark_deleted(ks->rec_reliable, buf);
2579 *continue_tls_process = true;
2580 dmsg(D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
2581 }
2582 return true;
2583}
2584
2585static bool
2586control_packet_needs_wkc(const struct key_state *ks)
2587{
2588 return (ks->crypto_options.flags & CO_RESEND_WKC) && (ks->send_reliable->packet_id == 1);
2589}
2590
2591
2592static bool
2593read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup,
2594 bool *continue_tls_process)
2595{
2596 ASSERT(buf_init(buf, 0));
2597
2598 int status = key_state_read_plaintext(&ks->ks_ssl, buf);
2599
2600 update_time();
2601 if (status == -1)
2602 {
2603 msg(D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
2604 return false;
2605 }
2606 if (status == 1)
2607 {
2608 *continue_tls_process = true;
2609 dmsg(D_TLS_DEBUG, "TLS -> Incoming Plaintext");
2610
2611 /* More data may be available, wake up again asap to check. */
2612 *wakeup = 0;
2613 }
2614 return true;
2615}
2616
2617static bool
2618write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
2619{
2620 struct key_state *ks = &session->key[KS_PRIMARY];
2621
2622 int rel_avail = reliable_get_num_output_sequenced_available(ks->send_reliable);
2623 if (rel_avail == 0)
2624 {
2625 return true;
2626 }
2627
2628 /* We need to determine how much space is actually available in the control
2629 * channel frame */
2630 int max_pkt_len = min_int(TLS_CHANNEL_BUF_SIZE, session->opt->frame.tun_mtu);
2631
2632 /* Subtract overhead */
2633 max_pkt_len -= (int)calc_control_channel_frame_overhead(session);
2634
2635 /* calculate total available length for outgoing tls ciphertext */
2636 int maxlen = max_pkt_len * rel_avail;
2637
2638 /* Is first packet one that will have a WKC appended? */
2639 if (control_packet_needs_wkc(ks))
2640 {
2641 maxlen -= buf_len(session->tls_wrap.tls_crypt_v2_wkc);
2642 }
2643
2644 /* If we end up with a size that leaves no room for payload, ignore the
2645 * constraints to still be to send a packet. This might have gone negative
2646 * if we have a large wrapped client key. */
2647 if (maxlen < 16)
2648 {
2649 msg(D_TLS_ERRORS,
2650 "Warning: --max-packet-size (%d) setting too low. "
2651 "Sending minimum sized packet.",
2652 session->opt->frame.tun_mtu);
2653 maxlen = 16;
2654 /* We set the maximum length here to ensure a packet with a wrapped
2655 * key can actually carry the 16 byte of payload */
2656 max_pkt_len = TLS_CHANNEL_BUF_SIZE;
2657 }
2658
2659 /* This seems a bit wasteful to allocate every time */
2660 struct gc_arena gc = gc_new();
2661 struct buffer tmp = alloc_buf_gc(maxlen, &gc);
2662
2663 int status = key_state_read_ciphertext(&ks->ks_ssl, &tmp);
2664
2665 if (status == -1)
2666 {
2667 msg(D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
2668 gc_free(&gc);
2669 return false;
2670 }
2671 if (status == 1)
2672 {
2673 /* Split the TLS ciphertext (TLS record) into multiple small packets
2674 * that respect tls_mtu */
2675 while (tmp.len > 0)
2676 {
2677 int len = max_pkt_len;
2678 int opcode = P_CONTROL_V1;
2679 if (control_packet_needs_wkc(ks))
2680 {
2681 opcode = P_CONTROL_WKC_V1;
2682 len = max_int(0, len - buf_len(session->tls_wrap.tls_crypt_v2_wkc));
2683 }
2684 /* do not send more than available */
2685 len = min_int(len, tmp.len);
2686
2687 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2688 /* we assert here since we checked for its availability before */
2689 ASSERT(buf);
2690 buf_copy_n(buf, &tmp, len);
2691
2692 reliable_mark_active_outgoing(ks->send_reliable, buf, opcode);
2693 INCR_GENERATED;
2694 *continue_tls_process = true;
2695 }
2696 dmsg(D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
2697 }
2698
2699 gc_free(&gc);
2700 return true;
2701}
2702
2703static bool
2704check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session,
2705 bool *continue_tls_process)
2706{
2707 /* Outgoing Ciphertext to reliable buffer */
2708 if (ks->state >= S_START)
2709 {
2710 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
2711 if (buf)
2712 {
2713 if (!write_outgoing_tls_ciphertext(session, continue_tls_process))
2714 {
2715 return false;
2716 }
2717 }
2718 }
2719 return true;
2720}
2721
2722static bool
2723tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
2724 struct link_socket_actual **to_link_addr,
2725 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
2726{
2727 /* This variable indicates if we should call this method
2728 * again to process more incoming/outgoing TLS state/data
2729 * We want to repeat this until we either determined that there
2730 * is nothing more to process or that further processing
2731 * should only be done after the outer loop (sending packets etc.)
2732 * has run once more */
2733 bool continue_tls_process = false;
2734 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
2735
2736 /* Initial handshake */
2737 if (ks->state == S_INITIAL)
2738 {
2739 continue_tls_process = session_move_pre_start(session, ks, false);
2740 }
2741
2742 /* Are we timed out on receive? */
2743 if (now >= ks->must_negotiate && ks->state >= S_UNDEF && ks->state < S_ACTIVE)
2744 {
2745 msg(D_TLS_ERRORS,
2746 "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
2747 session->opt->handshake_window);
2748 goto error;
2749 }
2750
2751 /* Check if the initial three-way Handshake is complete.
2752 * We consider the handshake to be complete when our own initial
2753 * packet has been successfully ACKed. */
2754 if (ks->state == S_PRE_START && reliable_empty(ks->send_reliable))
2755 {
2756 ks->state = S_START;
2757 continue_tls_process = true;
2758
2759 /* New connection, remove any old X509 env variables */
2760 tls_x509_clear_env(session->opt->es);
2761 dmsg(D_TLS_DEBUG_MED, "STATE S_START");
2762 }
2763
2764 /* Wait for ACK */
2765 if (((ks->state == S_GOT_KEY && !session->opt->server)
2766 || (ks->state == S_SENT_KEY && session->opt->server))
2767 && reliable_empty(ks->send_reliable))
2768 {
2769 session_move_active(multi, session, to_link_socket_info, ks);
2770 continue_tls_process = true;
2771 }
2772
2773 /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
2774 * for previously received packets) */
2775 if (!to_link->len && reliable_can_send(ks->send_reliable))
2776 {
2777 int opcode;
2778
2779 struct buffer *buf = reliable_send(ks->send_reliable, &opcode);
2780 ASSERT(buf);
2781 struct buffer b = *buf;
2782 INCR_SENT;
2783
2784 write_control_auth(session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true);
2785 *to_link = b;
2786 dmsg(D_TLS_DEBUG, "Reliable -> TCP/UDP");
2787
2788 /* This changed the state of the outgoing buffer. In order to avoid
2789 * running this function again/further and invalidating the key_state
2790 * buffer and accessing the buffer that is now in to_link after it being
2791 * freed for a potential error, we shortcircuit exiting of the outer
2792 * process here. */
2793 return false;
2794 }
2795
2796 if (ks->state == S_ERROR_PRE)
2797 {
2798 /* When we end up here, we had one last chance to send an outstanding
2799 * packet that contained an alert. We do not ensure that this packet
2800 * has been successfully delivered (ie wait for the ACK etc)
2801 * but rather stop processing now */
2802 ks->state = S_ERROR;
2803 return false;
2804 }
2805
2806 /* Write incoming ciphertext to TLS object */
2807 struct reliable_entry *entry = reliable_get_entry_sequenced(ks->rec_reliable);
2808 if (entry)
2809 {
2810 /* The first packet from the peer (the reset packet) is special and
2811 * contains early protocol negotiation */
2812 if (entry->packet_id == 0 && is_hard_reset_method2(entry->opcode))
2813 {
2814 if (!parse_early_negotiation_tlvs(&entry->buf, ks))
2815 {
2816 goto error;
2817 }
2818 }
2819 else
2820 {
2821 if (!read_incoming_tls_ciphertext(&entry->buf, ks, &continue_tls_process))
2822 {
2823 goto error;
2824 }
2825 }
2826 }
2827
2828 /* Read incoming plaintext from TLS object */
2829 struct buffer *buf = &ks->plaintext_read_buf;
2830 if (!buf->len)
2831 {
2832 if (!read_incoming_tls_plaintext(ks, buf, wakeup, &continue_tls_process))
2833 {
2834 goto error;
2835 }
2836 }
2837
2838 /* Send Key */
2839 buf = &ks->plaintext_write_buf;
2840 if (!buf->len
2841 && ((ks->state == S_START && !session->opt->server)
2842 || (ks->state == S_GOT_KEY && session->opt->server)))
2843 {
2844 if (!key_method_2_write(buf, multi, session))
2845 {
2846 goto error;
2847 }
2848
2849 continue_tls_process = true;
2850 dmsg(D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
2851 ks->state = S_SENT_KEY;
2852 }
2853
2854 /* Receive Key */
2855 buf = &ks->plaintext_read_buf;
2856 if (buf->len
2857 && ((ks->state == S_SENT_KEY && !session->opt->server)
2858 || (ks->state == S_START && session->opt->server)))
2859 {
2860 if (!key_method_2_read(buf, multi, session))
2861 {
2862 goto error;
2863 }
2864
2865 continue_tls_process = true;
2866 dmsg(D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
2867 ks->state = S_GOT_KEY;
2868 }
2869
2870 /* Write outgoing plaintext to TLS object */
2871 buf = &ks->plaintext_write_buf;
2872 if (buf->len)
2873 {
2874 int status = key_state_write_plaintext(&ks->ks_ssl, buf);
2875 if (status == -1)
2876 {
2877 msg(D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error");
2878 goto error;
2879 }
2880 if (status == 1)
2881 {
2882 continue_tls_process = true;
2883 dmsg(D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
2884 }
2885 }
2886 if (!check_outgoing_ciphertext(ks, session, &continue_tls_process))
2887 {
2888 goto error;
2889 }
2890
2891 return continue_tls_process;
2892error:
2893 tls_clear_error();
2894
2895 /* Shut down the TLS session but do a last read from the TLS
2896 * object to be able to read potential TLS alerts */
2897 key_state_ssl_shutdown(&ks->ks_ssl);
2898 check_outgoing_ciphertext(ks, session, &continue_tls_process);
2899
2900 /* Put ourselves in the pre error state that will only send out the
2901 * control channel packets but nothing else */
2902 ks->state = S_ERROR_PRE;
2903
2904 msg(D_TLS_ERRORS, "TLS Error: TLS handshake failed");
2905 INCR_ERROR;
2906 return true;
2907}
2908
2913static bool
2914should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
2915{
2916 /* Time limit */
2917 if (session->opt->renegotiate_seconds
2918 && now >= ks->established + session->opt->renegotiate_seconds)
2919 {
2920 return true;
2921 }
2922
2923 /* Byte limit */
2924 if (session->opt->renegotiate_bytes > 0 && ks->n_bytes >= session->opt->renegotiate_bytes)
2925 {
2926 return true;
2927 }
2928
2929 /* Packet limit */
2930 if (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
2931 {
2932 return true;
2933 }
2934
2935 /* epoch key id approaching the 16 bit limit */
2936 if (ks->crypto_options.flags & CO_EPOCH_DATA_KEY_FORMAT)
2937 {
2938 /* We only need to check the send key as we always keep send
2939 * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */
2940 if (ks->crypto_options.epoch_key_send.epoch >= 0xF000)
2941 {
2942 return true;
2943 }
2944 else
2945 {
2946 return false;
2947 }
2948 }
2949
2950
2951 /* Packet id approach the limit of the packet id */
2952 if (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send))
2953 {
2954 return true;
2955 }
2956
2957 /* Check the AEAD usage limit of cleartext blocks + packets.
2958 *
2959 * Contrary to when epoch data mode is active, where only the sender side
2960 * checks the limit, here we check both receive and send limit since
2961 * we assume that only one side is aware of the limit.
2962 *
2963 * Since if both sides were aware, then both sides will probably also
2964 * switch to use epoch data channel instead, so this code is not
2965 * in effect then.
2966 *
2967 * When epoch are in use the crypto layer will handle this internally
2968 * with new epochs instead of triggering a renegotiation */
2969 const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi;
2970 const uint64_t usage_limit = session->opt->aead_usage_limit;
2971
2972 if (aead_usage_limit_reached(usage_limit, &key_ctx_bi->encrypt,
2973 ks->crypto_options.packet_id.send.id)
2974 || aead_usage_limit_reached(usage_limit, &key_ctx_bi->decrypt,
2975 ks->crypto_options.packet_id.rec.id))
2976 {
2977 return true;
2978 }
2979
2980 if (cipher_decrypt_verify_fail_warn(&key_ctx_bi->decrypt))
2981 {
2982 return true;
2983 }
2984
2985 return false;
2986}
2987/*
2988 * This is the primary routine for processing TLS stuff inside the
2989 * the main event loop. When this routine exits
2990 * with non-error status, it will set *wakeup to the number of seconds
2991 * when it wants to be called again.
2992 *
2993 * Return value is true if we have placed a packet in *to_link which we
2994 * want to send to our peer.
2995 */
2996static bool
2997tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link,
2998 struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info,
2999 interval_t *wakeup)
3000{
3001 struct key_state *ks = &session->key[KS_PRIMARY]; /* primary key */
3002 struct key_state *ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
3003
3004 /* Make sure we were initialized and that we're not in an error state */
3005 ASSERT(ks->state != S_UNDEF);
3006 ASSERT(ks->state != S_ERROR);
3007 ASSERT(session_id_defined(&session->session_id));
3008
3009 /* Should we trigger a soft reset? -- new key, keeps old key for a while */
3010 if (ks->state >= S_GENERATED_KEYS && should_trigger_renegotiation(session, ks))
3011 {
3012 msg(D_TLS_DEBUG_LOW,
3013 "TLS: soft reset sec=%d/%d bytes=" counter_format "/%" PRIi64 " pkts=" counter_format
3014 "/%" PRIi64 " aead_limit_send=%" PRIu64 "/%" PRIu64 " aead_limit_recv=%" PRIu64
3015 "/%" PRIu64,
3016 (int)(now - ks->established), session->opt->renegotiate_seconds, ks->n_bytes,
3017 session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets,
3018 ks->crypto_options.key_ctx_bi.encrypt.plaintext_blocks + ks->n_packets,
3019 session->opt->aead_usage_limit,
3020 ks->crypto_options.key_ctx_bi.decrypt.plaintext_blocks + ks->n_packets,
3021 session->opt->aead_usage_limit);
3022 key_state_soft_reset(session);
3023 }
3024
3025 /* Kill lame duck key transition_window seconds after primary key negotiation */
3026 if (lame_duck_must_die(session, wakeup))
3027 {
3028 key_state_free(ks_lame, true);
3029 msg(D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
3030 }
3031
3032 bool continue_tls_process = true;
3033 while (continue_tls_process)
3034 {
3035 update_time();
3036
3037 dmsg(D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
3038 continue_tls_process, state_name(ks->state), state_name(ks_lame->state), to_link->len,
3039 *wakeup);
3040 continue_tls_process =
3041 tls_process_state(multi, session, to_link, to_link_addr, to_link_socket_info, wakeup);
3042
3043 if (ks->state == S_ERROR)
3044 {
3045 return false;
3046 }
3047 }
3048
3049 update_time();
3050
3051 /* We often send acks back to back to a following control packet. This
3052 * normally does not create a problem (apart from an extra packet).
3053 * However, with the P_CONTROL_WKC_V1 we need to ensure that the packet
3054 * gets resent if not received by remote, so instead we use an empty
3055 * control packet in this special case */
3056
3057 /* Send 1 or more ACKs (each received control packet gets one ACK) */
3058 if (!to_link->len && !reliable_ack_empty(ks->rec_ack))
3059 {
3060 if (control_packet_needs_wkc(ks))
3061 {
3062 struct buffer *buf = reliable_get_buf_output_sequenced(ks->send_reliable);
3063 if (!buf)
3064 {
3065 return false;
3066 }
3067
3068 /* We do not write anything to the buffer, this way this will be
3069 * an empty control packet that gets the ack piggybacked and
3070 * also appended the wrapped client key since it has a WCK opcode */
3071 reliable_mark_active_outgoing(ks->send_reliable, buf, P_CONTROL_WKC_V1);
3072 }
3073 else
3074 {
3075 struct buffer buf = ks->ack_write_buf;
3076 ASSERT(buf_init(&buf, multi->opt.frame.buf.headroom));
3077 write_control_auth(session, ks, &buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false);
3078 *to_link = buf;
3079 dmsg(D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
3080 }
3081 }
3082
3083 /* When should we wake up again? */
3084 if (ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3085 {
3086 compute_earliest_wakeup(wakeup, reliable_send_timeout(ks->send_reliable));
3087
3088 if (ks->must_negotiate)
3089 {
3090 compute_earliest_wakeup(wakeup, ks->must_negotiate - now);
3091 }
3092 }
3093
3094 if (ks->established && session->opt->renegotiate_seconds)
3095 {
3096 compute_earliest_wakeup(wakeup, ks->established + session->opt->renegotiate_seconds - now);
3097 }
3098
3099 dmsg(D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
3100
3101 /* prevent event-loop spinning by setting minimum wakeup of 1 second */
3102 if (*wakeup <= 0)
3103 {
3104 *wakeup = 1;
3105
3106 /* if we had something to send to remote, but to_link was busy,
3107 * let caller know we need to be called again soon */
3108 return true;
3109 }
3110
3111 /* If any of the state changes resulted in the to_link buffer being
3112 * set, we are also active */
3113 if (to_link->len)
3114 {
3115 return true;
3116 }
3117
3118 return false;
3119}
3120
3121
3129static void
3130check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
3131{
3132 uint8_t *dataptr = to_link->data;
3133 if (!dataptr)
3134 {
3135 return;
3136 }
3137
3138 /* Checks buffers in tls_wrap */
3139 if (session->tls_wrap.work.data == dataptr)
3140 {
3141 msg(M_INFO, "Warning buffer of freed TLS session is "
3142 "still in use (tls_wrap.work.data)");
3143 goto used;
3144 }
3145
3146 for (int i = 0; i < KS_SIZE; i++)
3147 {
3148 struct key_state *ks = &session->key[i];
3149 if (ks->state == S_UNDEF)
3150 {
3151 continue;
3152 }
3153
3154 /* we don't expect send_reliable to be NULL when state is
3155 * not S_UNDEF, but people have reported crashes nonetheless,
3156 * therefore we better catch this event, report and exit.
3157 */
3158 if (!ks->send_reliable)
3159 {
3160 msg(M_FATAL,
3161 "ERROR: session->key[%d]->send_reliable is NULL "
3162 "while key state is %s. Exiting.",
3163 i, state_name(ks->state));
3164 }
3165
3166 for (int j = 0; j < ks->send_reliable->size; j++)
3167 {
3168 if (ks->send_reliable->array[j].buf.data == dataptr)
3169 {
3170 msg(M_INFO,
3171 "Warning buffer of freed TLS session is still in"
3172 " use (session->key[%d].send_reliable->array[%d])",
3173 i, j);
3174
3175 goto used;
3176 }
3177 }
3178 }
3179 return;
3180
3181used:
3182 to_link->len = 0;
3183 to_link->data = 0;
3184 /* for debugging, you can add an ASSERT(0); here to trigger an abort */
3185}
3186/*
3187 * Called by the top-level event loop.
3188 *
3189 * Basically decides if we should call tls_process for
3190 * the active or untrusted sessions.
3191 */
3192
3193int
3194tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
3195 struct link_socket_actual **to_link_addr,
3196 struct link_socket_info *to_link_socket_info, interval_t *wakeup)
3197{
3198 struct gc_arena gc = gc_new();
3199 int active = TLSMP_INACTIVE;
3200 bool error = false;
3201
3202 tls_clear_error();
3203
3204 /*
3205 * Process each session object having state of S_INITIAL or greater,
3206 * and which has a defined remote IP addr.
3207 */
3208
3209 for (int i = 0; i < TM_SIZE; ++i)
3210 {
3211 struct tls_session *session = &multi->session[i];
3212 struct key_state *ks = &session->key[KS_PRIMARY];
3213 struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
3214
3215 /* set initial remote address. This triggers connecting with that
3216 * session. So we only do that if the TM_ACTIVE session is not
3217 * established */
3218 if (i == TM_INITIAL && ks->state == S_INITIAL && get_primary_key(multi)->state <= S_INITIAL
3219 && link_socket_actual_defined(&to_link_socket_info->lsa->actual))
3220 {
3221 ks->remote_addr = to_link_socket_info->lsa->actual;
3222 }
3223
3224 dmsg(D_TLS_DEBUG,
3225 "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i,
3226 state_name(ks->state), session_id_print(&session->session_id, &gc),
3227 session_id_print(&ks->session_id_remote, &gc),
3228 print_link_socket_actual(&ks->remote_addr, &gc));
3229
3230 if ((ks->state >= S_INITIAL || ks->state == S_ERROR_PRE)
3231 && link_socket_actual_defined(&ks->remote_addr))
3232 {
3233 struct link_socket_actual *tla = NULL;
3234
3235 update_time();
3236
3237 if (tls_process(multi, session, to_link, &tla, to_link_socket_info, wakeup))
3238 {
3239 active = TLSMP_ACTIVE;
3240 }
3241
3242 /*
3243 * If tls_process produced an outgoing packet,
3244 * return the link_socket_actual object (which
3245 * contains the outgoing address).
3246 */
3247 if (tla)
3248 {
3249 multi->to_link_addr = *tla;
3250 *to_link_addr = &multi->to_link_addr;
3251 }
3252
3253 /*
3254 * If tls_process hits an error:
3255 * (1) If the session has an unexpired lame duck key, preserve it.
3256 * (2) Reinitialize the session.
3257 * (3) Increment soft error count
3258 */
3259 if (ks->state == S_ERROR)
3260 {
3261 ++multi->n_soft_errors;
3262
3263 if (i == TM_ACTIVE || (i == TM_INITIAL && get_primary_key(multi)->state < S_ACTIVE))
3264 {
3265 error = true;
3266 }
3267
3268 if (i == TM_ACTIVE && ks_lame->state >= S_GENERATED_KEYS
3269 && !multi->opt.single_session)
3270 {
3271 move_session(multi, TM_LAME_DUCK, TM_ACTIVE, true);
3272 }
3273 else
3274 {
3275 check_session_buf_not_used(to_link, session);
3276 reset_session(multi, session);
3277 }
3278 }
3279 }
3280 }
3281
3282 update_time();
3283
3284 enum tls_auth_status tas = tls_authentication_status(multi);
3285
3286 /* If we have successfully authenticated and are still waiting for the authentication to finish
3287 * move the state machine for the multi context forward */
3288
3289 if (multi->multi_state >= CAS_CONNECT_DONE)
3290 {
3291 /* Only generate keys for the TM_ACTIVE session. We defer generating
3292 * keys for TM_INITIAL until we actually trust it.
3293 * For TM_LAME_DUCK it makes no sense to generate new keys. */
3294 struct tls_session *session = &multi->session[TM_ACTIVE];
3295 struct key_state *ks = &session->key[KS_PRIMARY];
3296
3297 if (ks->state == S_ACTIVE && ks->authenticated == KS_AUTH_TRUE)
3298 {
3299 /* Session is now fully authenticated.
3300 * tls_session_generate_data_channel_keys will move ks->state
3301 * from S_ACTIVE to S_GENERATED_KEYS */
3302 if (!tls_session_generate_data_channel_keys(multi, session))
3303 {
3304 msg(D_TLS_ERRORS, "TLS Error: generate_key_expansion failed");
3305 ks->authenticated = KS_AUTH_FALSE;
3306 key_state_ssl_shutdown(&ks->ks_ssl);
3307 ks->state = S_ERROR_PRE;
3308 }
3309
3310 /* Update auth token on the client if needed on renegotiation
3311 * (key id !=0) */
3312 if (session->key[KS_PRIMARY].key_id != 0)
3313 {
3314 resend_auth_token_renegotiation(multi, session);
3315 }
3316 }
3317 }
3318
3319 if (multi->multi_state == CAS_WAITING_AUTH && tas == TLS_AUTHENTICATION_SUCCEEDED)
3320 {
3321 multi->multi_state = CAS_PENDING;
3322 }
3323
3324 /*
3325 * If lame duck session expires, kill it.
3326 */
3327 if (lame_duck_must_die(&multi->session[TM_LAME_DUCK], wakeup))
3328 {
3329 tls_session_free(&multi->session[TM_LAME_DUCK], true);
3330 msg(D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
3331 }
3332
3333 /*
3334 * If untrusted session achieves TLS authentication,
3335 * move it to active session, usurping any prior session.
3336 *
3337 * A semi-trusted session is one in which the certificate authentication
3338 * succeeded (if cert verification is enabled) but the username/password
3339 * verification failed. A semi-trusted session can forward data on the
3340 * TLS control channel but not on the tunnel channel.
3341 */
3342 if (TLS_AUTHENTICATED(multi, &multi->session[TM_INITIAL].key[KS_PRIMARY]))
3343 {
3344 move_session(multi, TM_ACTIVE, TM_INITIAL, true);
3345 tas = tls_authentication_status(multi);
3346 msg(D_TLS_DEBUG_LOW,
3347 "TLS: tls_multi_process: initial untrusted "
3348 "session promoted to %strusted",
3349 tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
3350
3351 if (multi->multi_state == CAS_CONNECT_DONE)
3352 {
3353 multi->multi_state = CAS_RECONNECT_PENDING;
3354 active = TLSMP_RECONNECT;
3355 }
3356 }
3357
3358 /*
3359 * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
3360 * other key state objects are S_ACTIVE or higher.
3361 */
3362 if (error)
3363 {
3364 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3365 {
3366 if (get_key_scan(multi, i)->state >= S_ACTIVE)
3367 {
3368 goto nohard;
3369 }
3370 }
3371 ++multi->n_hard_errors;
3372 }
3373nohard:
3374
3375#ifdef ENABLE_DEBUG
3376 /* DEBUGGING -- flood peer with repeating connection attempts */
3377 {
3378 const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL(multi->opt.gremlin);
3379 if (throw_level)
3380 {
3381 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3382 {
3383 if (get_key_scan(multi, i)->state >= throw_level)
3384 {
3385 ++multi->n_hard_errors;
3386 ++multi->n_soft_errors;
3387 }
3388 }
3389 }
3390 }
3391#endif
3392
3393 gc_free(&gc);
3394
3395 return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
3396}
3397
3402static void
3403print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from,
3404 int key_id)
3405{
3406 struct gc_arena gc = gc_new();
3407 const char *source = print_link_socket_actual(from, &gc);
3408
3409
3410 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3411 {
3412 struct key_state *ks = get_key_scan(multi, i);
3413 if (ks->key_id != key_id)
3414 {
3415 continue;
3416 }
3417
3418 /* Our key state has been progressed far enough to be part of a valid
3419 * session but has not generated keys. */
3420 if (ks->state >= S_INITIAL && ks->state < S_GENERATED_KEYS)
3421 {
3422 msg(D_MULTI_DROPPED, "Key %s [%d] not initialized (yet), dropping packet.", source,
3423 key_id);
3424 gc_free(&gc);
3425 return;
3426 }
3427 if (ks->state >= S_ACTIVE && ks->authenticated != KS_AUTH_TRUE)
3428 {
3429 msg(D_MULTI_DROPPED, "Key %s [%d] not authorized%s, dropping packet.", source, key_id,
3430 (ks->authenticated == KS_AUTH_DEFERRED) ? " (deferred)" : "");
3431 gc_free(&gc);
3432 return;
3433 }
3434 }
3435
3436 msg(D_TLS_ERRORS,
3437 "TLS Error: local/remote TLS keys are out of sync: %s "
3438 "(received key id: %d, known key ids: %s)",
3439 source, key_id, print_key_id(multi, &gc));
3440 gc_free(&gc);
3441}
3442
3450static inline void
3451handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from,
3452 struct buffer *buf, struct crypto_options **opt, bool floated,
3453 const uint8_t **ad_start)
3454{
3455 struct gc_arena gc = gc_new();
3456
3457 uint8_t c = *BPTR(buf);
3458 int op = c >> P_OPCODE_SHIFT;
3459 int key_id = c & P_KEY_ID_MASK;
3460
3461 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3462 {
3463 struct key_state *ks = get_key_scan(multi, i);
3464
3465 /*
3466 * This is the basic test of TLS state compatibility between a local OpenVPN
3467 * instance and its remote peer.
3468 *
3469 * If the test fails, it tells us that we are getting a packet from a source
3470 * which claims reference to a prior negotiated TLS session, but the local
3471 * OpenVPN instance has no memory of such a negotiation.
3472 *
3473 * It almost always occurs on UDP sessions when the passive side of the
3474 * connection is restarted without the active side restarting as well (the
3475 * passive side is the server which only listens for the connections, the
3476 * active side is the client which initiates connections).
3477 */
3478 if (ks->state >= S_GENERATED_KEYS && key_id == ks->key_id
3479 && ks->authenticated == KS_AUTH_TRUE
3480 && (floated || link_socket_actual_match(from, &ks->remote_addr)))
3481 {
3482 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3483 /* return appropriate data channel decrypt key in opt */
3484 *opt = &ks->crypto_options;
3485 if (op == P_DATA_V2)
3486 {
3487 *ad_start = BPTR(buf);
3488 }
3489 ASSERT(buf_advance(buf, 1));
3490 if (op == P_DATA_V1)
3491 {
3492 *ad_start = BPTR(buf);
3493 }
3494 else if (op == P_DATA_V2)
3495 {
3496 if (buf->len < 4)
3497 {
3498 msg(D_TLS_ERRORS,
3499 "Protocol error: received P_DATA_V2 from %s but length is < 4",
3500 print_link_socket_actual(from, &gc));
3501 ++multi->n_soft_errors;
3502 goto done;
3503 }
3504 ASSERT(buf_advance(buf, 3));
3505 }
3506
3507 ++ks->n_packets;
3508 ks->n_bytes += buf->len;
3509 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s", key_id,
3510 print_link_socket_actual(from, &gc));
3511 gc_free(&gc);
3512 return;
3513 }
3514 }
3515
3516 print_key_id_not_found_reason(multi, from, key_id);
3517
3518done:
3519 gc_free(&gc);
3520 tls_clear_error();
3521 buf->len = 0;
3522 *opt = NULL;
3523}
3524
3525/*
3526 *
3527 * When we are in TLS mode, this is the first routine which sees
3528 * an incoming packet.
3529 *
3530 * If it's a data packet, we set opt so that our caller can
3531 * decrypt it. We also give our caller the appropriate decryption key.
3532 *
3533 * If it's a control packet, we authenticate it and process it,
3534 * possibly creating a new tls_session if it represents the
3535 * first packet of a new session. For control packets, we will
3536 * also zero the size of *buf so that our caller ignores the
3537 * packet on our return.
3538 *
3539 * Note that openvpn only allows one active session at a time,
3540 * so a new session (once authenticated) will always usurp
3541 * an old session.
3542 *
3543 * Return true if input was an authenticated control channel
3544 * packet.
3545 *
3546 * If we are running in TLS thread mode, all public routines
3547 * below this point must be called with the L_TLS lock held.
3548 */
3549
3550bool
3551tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf,
3552 struct crypto_options **opt, bool floated, const uint8_t **ad_start)
3553{
3554 if (buf->len <= 0)
3555 {
3556 buf->len = 0;
3557 *opt = NULL;
3558 return false;
3559 }
3560
3561 struct gc_arena gc = gc_new();
3562 bool ret = false;
3563
3564 /* get opcode */
3565 uint8_t pkt_firstbyte = *BPTR(buf);
3566 int op = pkt_firstbyte >> P_OPCODE_SHIFT;
3567
3568 if ((op == P_DATA_V1) || (op == P_DATA_V2))
3569 {
3570 handle_data_channel_packet(multi, from, buf, opt, floated, ad_start);
3571 return false;
3572 }
3573
3574 /* get key_id */
3575 int key_id = pkt_firstbyte & P_KEY_ID_MASK;
3576
3577 /* control channel packet */
3578 bool do_burst = false;
3579 bool new_link = false;
3580 struct session_id sid; /* remote session ID */
3581
3582 /* verify legal opcode */
3583 if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
3584 {
3585 if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1)
3586 {
3587 msg(D_TLS_ERRORS, "Peer tried unsupported key-method 1");
3588 }
3589 msg(D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
3590 print_link_socket_actual(from, &gc), op);
3591 goto error;
3592 }
3593
3594 /* hard reset ? */
3595 if (is_hard_reset_method2(op))
3596 {
3597 /* verify client -> server or server -> client connection */
3598 if (((op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_CLIENT_V3)
3599 && !multi->opt.server)
3600 || ((op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
3601 {
3602 msg(D_TLS_ERRORS,
3603 "TLS Error: client->client or server->server connection attempted from %s",
3604 print_link_socket_actual(from, &gc));
3605 goto error;
3606 }
3607 }
3608
3609 /*
3610 * Authenticate Packet
3611 */
3612 dmsg(D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s", packet_opcode_name(op),
3613 print_link_socket_actual(from, &gc));
3614
3615 /* get remote session-id */
3616 {
3617 struct buffer tmp = *buf;
3618 buf_advance(&tmp, 1);
3619 if (!session_id_read(&sid, &tmp) || !session_id_defined(&sid))
3620 {
3621 msg(D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
3622 print_link_socket_actual(from, &gc));
3623 goto error;
3624 }
3625 }
3626
3627 int i;
3628 /* use session ID to match up packet with appropriate tls_session object */
3629 for (i = 0; i < TM_SIZE; ++i)
3630 {
3631 struct tls_session *session = &multi->session[i];
3632 struct key_state *ks = &session->key[KS_PRIMARY];
3633
3634 dmsg(
3635 D_TLS_DEBUG,
3636 "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
3637 i, state_name(ks->state), session_id_print(&session->session_id, &gc),
3638 session_id_print(&sid, &gc), print_link_socket_actual(from, &gc),
3639 session_id_print(&ks->session_id_remote, &gc),
3640 print_link_socket_actual(&ks->remote_addr, &gc));
3641
3642 if (session_id_equal(&ks->session_id_remote, &sid))
3643 /* found a match */
3644 {
3645 if (i == TM_LAME_DUCK)
3646 {
3647 msg(D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s",
3648 session_id_print(&sid, &gc));
3649 goto error;
3650 }
3651 dmsg(D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i,
3652 session_id_print(&sid, &gc));
3653 break;
3654 }
3655 }
3656
3657 /*
3658 * Hard reset and session id does not match any session in
3659 * multi->session: Possible initial packet. New sessions always start
3660 * as TM_INITIAL
3661 */
3662 if (i == TM_SIZE && is_hard_reset_method2(op))
3663 {
3664 /*
3665 * No match with existing sessions,
3666 * probably a new session.
3667 */
3668 struct tls_session *session = &multi->session[TM_INITIAL];
3669
3670 /*
3671 * If --single-session, don't allow any hard-reset connection request
3672 * unless it is the first packet of the session.
3673 */
3674 if (multi->opt.single_session && multi->n_sessions)
3675 {
3676 msg(D_TLS_ERRORS,
3677 "TLS Error: Cannot accept new session request from %s due "
3678 "to session context expire or --single-session",
3679 print_link_socket_actual(from, &gc));
3680 goto error;
3681 }
3682
3683 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from, session->opt,
3684 true))
3685 {
3686 goto error;
3687 }
3688
3689#ifdef ENABLE_MANAGEMENT
3690 if (management)
3691 {
3692 management_set_state(management, OPENVPN_STATE_AUTH, NULL, NULL, NULL, NULL, NULL);
3693 }
3694#endif
3695
3696 /*
3697 * New session-initiating control packet is authenticated at this point,
3698 * assuming that the --tls-auth command line option was used.
3699 *
3700 * Without --tls-auth, we leave authentication entirely up to TLS.
3701 */
3702 msg(D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
3703 print_link_socket_actual(from, &gc), session_id_print(&sid, &gc));
3704
3705 do_burst = true;
3706 new_link = true;
3707 i = TM_INITIAL;
3708 session->untrusted_addr = *from;
3709 }
3710 else
3711 {
3712 /*
3713 * Packet must belong to an existing session.
3714 */
3715 if (i != TM_ACTIVE && i != TM_INITIAL)
3716 {
3717 msg(D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
3718 print_link_socket_actual(from, &gc), i, packet_opcode_name(op));
3719 goto error;
3720 }
3721
3722 struct tls_session *session = &multi->session[i];
3723 struct key_state *ks = &session->key[KS_PRIMARY];
3724 /*
3725 * Verify remote IP address
3726 */
3727 if (!new_link && !link_socket_actual_match(&ks->remote_addr, from))
3728 {
3729 msg(D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
3730 print_link_socket_actual(from, &gc));
3731 goto error;
3732 }
3733
3734 /*
3735 * Remote is requesting a key renegotiation. We only allow renegotiation
3736 * when the previous session is fully established to avoid weird corner
3737 * cases.
3738 */
3739 if (op == P_CONTROL_SOFT_RESET_V1 && ks->state >= S_GENERATED_KEYS)
3740 {
3741 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3742 session->opt, false))
3743 {
3744 goto error;
3745 }
3746
3747 key_state_soft_reset(session);
3748
3749 dmsg(D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i,
3750 session_id_print(&sid, &gc));
3751 }
3752 else
3753 {
3754 bool initial_packet = false;
3755 if (ks->state == S_PRE_START_SKIP)
3756 {
3757 /* When we are coming from the session_skip_to_pre_start
3758 * method, we allow this initial packet to setup the
3759 * tls-crypt-v2 peer specific key */
3760 initial_packet = true;
3761 ks->state = S_PRE_START;
3762 }
3763 /*
3764 * Remote responding to our key renegotiation request?
3765 */
3766 if (op == P_CONTROL_SOFT_RESET_V1)
3767 {
3768 do_burst = true;
3769 }
3770
3771 if (!read_control_auth(buf, tls_session_get_tls_wrap(session, key_id), from,
3772 session->opt, initial_packet))
3773 {
3774 /* if an initial packet in read_control_auth, we rather
3775 * error out than anything else */
3776 if (initial_packet)
3777 {
3778 multi->n_hard_errors++;
3779 }
3780 goto error;
3781 }
3782
3783 dmsg(D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i,
3784 session_id_print(&sid, &gc));
3785 }
3786 }
3787
3788 /*
3789 * We have an authenticated control channel packet (if --tls-auth/tls-crypt
3790 * or tls-crypt-v2 was set).
3791 * Now pass to our reliability layer which deals with
3792 * packet acknowledgements, retransmits, sequencing, etc.
3793 */
3794 struct tls_session *session = &multi->session[i];
3795 struct key_state *ks = &session->key[KS_PRIMARY];
3796
3797 /* Make sure we were initialized and that we're not in an error state */
3798 ASSERT(ks->state != S_UNDEF);
3799 ASSERT(ks->state != S_ERROR);
3800 ASSERT(session_id_defined(&session->session_id));
3801
3802 /* Let our caller know we processed a control channel packet */
3803 ret = true;
3804
3805 /*
3806 * Set our remote address and remote session_id
3807 */
3808 if (new_link)
3809 {
3810 ks->session_id_remote = sid;
3811 ks->remote_addr = *from;
3812 ++multi->n_sessions;
3813 }
3814 else if (!link_socket_actual_match(&ks->remote_addr, from))
3815 {
3816 msg(D_TLS_ERRORS,
3817 "TLS Error: Existing session control channel packet from unknown IP address: %s",
3818 print_link_socket_actual(from, &gc));
3819 goto error;
3820 }
3821
3822 /*
3823 * Should we do a retransmit of all unacknowledged packets in
3824 * the send buffer? This improves the start-up efficiency of the
3825 * initial key negotiation after the 2nd peer comes online.
3826 */
3827 if (do_burst && !session->burst)
3828 {
3829 reliable_schedule_now(ks->send_reliable);
3830 session->burst = true;
3831 }
3832
3833 /* Check key_id */
3834 if (ks->key_id != key_id)
3835 {
3836 msg(D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id,
3837 key_id, print_key_id(multi, &gc));
3838 goto error;
3839 }
3840
3841 /*
3842 * Process incoming ACKs for packets we can now
3843 * delete from reliable send buffer
3844 */
3845 {
3846 /* buffers all packet IDs to delete from send_reliable */
3847 struct reliable_ack send_ack;
3848
3849 if (!reliable_ack_read(&send_ack, buf, &session->session_id))
3850 {
3851 msg(D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet");
3852 goto error;
3853 }
3854 reliable_send_purge(ks->send_reliable, &send_ack);
3855 }
3856
3857 if (op != P_ACK_V1 && reliable_can_get(ks->rec_reliable))
3858 {
3859 packet_id_type id;
3860
3861 /* Extract the packet ID from the packet */
3862 if (reliable_ack_read_packet_id(buf, &id))
3863 {
3864 /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
3865 if (reliable_wont_break_sequentiality(ks->rec_reliable, id))
3866 {
3867 if (reliable_not_replay(ks->rec_reliable, id))
3868 {
3869 /* Save incoming ciphertext packet to reliable buffer */
3870 struct buffer *in = reliable_get_buf(ks->rec_reliable);
3871 ASSERT(in);
3872 if (!buf_copy(in, buf))
3873 {
3874 msg(D_MULTI_DROPPED, "Incoming control channel packet too big, dropping.");
3875 goto error;
3876 }
3877 reliable_mark_active_incoming(ks->rec_reliable, in, id, op);
3878 }
3879
3880 /* Process outgoing acknowledgment for packet just received, even if it's a replay
3881 */
3882 reliable_ack_acknowledge_packet_id(ks->rec_ack, id);
3883 }
3884 }
3885 }
3886 /* Remember that we received a valid control channel packet */
3887 ks->peer_last_packet = now;
3888
3889done:
3890 buf->len = 0;
3891 *opt = NULL;
3892 gc_free(&gc);
3893 return ret;
3894
3895error:
3896 ++multi->n_soft_errors;
3897 tls_clear_error();
3898 goto done;
3899}
3900
3901
3902struct key_state *
3903tls_select_encryption_key(struct tls_multi *multi)
3904{
3905 struct key_state *ks_select = NULL;
3906 for (int i = 0; i < KEY_SCAN_SIZE; ++i)
3907 {
3908 struct key_state *ks = get_key_scan(multi, i);
3909 if (ks->state >= S_GENERATED_KEYS && ks->authenticated == KS_AUTH_TRUE)
3910 {
3911 ASSERT(ks->crypto_options.key_ctx_bi.initialized);
3912
3913 if (!ks_select)
3914 {
3915 ks_select = ks;
3916 }
3917 if (now >= ks->auth_deferred_expire)
3918 {
3919 ks_select = ks;
3920 break;
3921 }
3922 }
3923 }
3924 return ks_select;
3925}
3926
3927
3928/* Choose the key with which to encrypt a data packet */
3929void
3930tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
3931{
3932 multi->save_ks = NULL;
3933 if (buf->len <= 0)
3934 {
3935 buf->len = 0;
3936 *opt = NULL;
3937 return;
3938 }
3939
3940 struct key_state *ks_select = tls_select_encryption_key(multi);
3941
3942 if (ks_select)
3943 {
3944 *opt = &ks_select->crypto_options;
3945 multi->save_ks = ks_select;
3946 dmsg(D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id);
3947 return;
3948 }
3949 else
3950 {
3951 struct gc_arena gc = gc_new();
3952 dmsg(D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s",
3953 print_key_id(multi, &gc));
3954 gc_free(&gc);
3955
3956 *opt = NULL;
3957 buf->len = 0;
3958 }
3959}
3960
3961void
3962tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
3963{
3964 struct key_state *ks = multi->save_ks;
3965
3966 msg(D_TLS_DEBUG, __func__);
3967
3968 ASSERT(ks);
3969 ASSERT(ks->key_id <= P_KEY_ID_MASK);
3970
3971 uint8_t op = (P_DATA_V1 << P_OPCODE_SHIFT) | (uint8_t)ks->key_id;
3972 ASSERT(buf_write_prepend(buf, &op, 1));
3973}
3974
3975void
3976tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
3977{
3978 struct key_state *ks = multi->save_ks;
3979 uint32_t peer;
3980
3981 msg(D_TLS_DEBUG, __func__);
3982
3983 ASSERT(ks);
3984
3985 peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) | ks->key_id) << 24 | (multi->peer_id & 0xFFFFFF));
3986 ASSERT(buf_write_prepend(buf, &peer, 4));
3987}
3988
3989void
3990tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
3991{
3992 struct key_state *ks = multi->save_ks;
3993 multi->save_ks = NULL;
3994
3995 if (buf->len > 0)
3996 {
3997 ASSERT(ks);
3998
3999 ++ks->n_packets;
4000 ks->n_bytes += buf->len;
4001 }
4002}
4003
4004/*
4005 * Send a payload over the TLS control channel.
4006 * Called externally.
4007 */
4008
4009bool
4010tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
4011{
4012 bool ret = false;
4013
4014 tls_clear_error();
4015
4016 ASSERT(ks);
4017
4018 if (ks->state >= S_ACTIVE)
4019 {
4020 ASSERT(size <= INT_MAX);
4021 if (key_state_write_plaintext_const(&ks->ks_ssl, data, (int)size) == 1)
4022 {
4023 ret = true;
4024 }
4025 }
4026 else
4027 {
4028 if (!ks->paybuf)
4029 {
4030 ks->paybuf = buffer_list_new();
4031 }
4032 buffer_list_push_data(ks->paybuf, data, size);
4033 ret = true;
4034 }
4035
4036
4037 tls_clear_error();
4038
4039 return ret;
4040}
4041
4042bool
4043tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
4044{
4045 bool ret = false;
4046
4047 tls_clear_error();
4048
4049 ASSERT(multi);
4050
4051 struct key_state *ks = get_key_scan(multi, 0);
4052
4053 if (ks->state >= S_ACTIVE && BLEN(&ks->plaintext_read_buf))
4054 {
4055 if (buf_copy(buf, &ks->plaintext_read_buf))
4056 {
4057 ret = true;
4058 }
4059 ks->plaintext_read_buf.len = 0;
4060 }
4061
4062 tls_clear_error();
4063
4064 return ret;
4065}
4066
4067void
4068tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
4069{
4070 struct gc_arena gc = gc_new();
4071 for (int i = 0; i < TM_SIZE; ++i)
4072 {
4073 struct tls_session *session = &multi->session[i];
4074
4075 for (int j = 0; j < KS_SIZE; ++j)
4076 {
4077 struct key_state *ks = &session->key[j];
4078
4079 if (!link_socket_actual_defined(&ks->remote_addr)
4080 || link_socket_actual_match(addr, &ks->remote_addr))
4081 {
4082 continue;
4083 }
4084
4085 dmsg(D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s",
4086 print_link_socket_actual(&ks->remote_addr, &gc),
4087 print_link_socket_actual(addr, &gc));
4088
4089 ks->remote_addr = *addr;
4090 }
4091 }
4092 gc_free(&gc);
4093}
4094
4095void
4096show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
4097 const char *tls_cert_profile)
4098{
4099 printf("Available TLS Ciphers, listed in order of preference:\n");
4100
4101 if (tls_version_max() >= TLS_VER_1_3)
4102 {
4103 printf("\nFor TLS 1.3 and newer (--tls-ciphersuites):\n\n");
4104 show_available_tls_ciphers_list(cipher_list_tls13, tls_cert_profile, true);
4105 }
4106
4107 printf("\nFor TLS 1.2 and older (--tls-cipher):\n\n");
4108 show_available_tls_ciphers_list(cipher_list, tls_cert_profile, false);
4109
4110 printf("\n"
4111 "Note: Whether a cipher suite in this list can actually work depends\n"
4112 "on the specific setup of both peers. See the man page entries of\n"
4113 "--tls-cipher and --show-tls for more details.\n\n");
4114}
4115
4116/*
4117 * Dump a human-readable rendition of an openvpn packet
4118 * into a garbage collectable string which is returned.
4119 */
4120const char *
4121protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
4122{
4123 struct buffer out = alloc_buf_gc(256, gc);
4124 struct buffer buf = *buffer;
4125
4126 uint8_t c;
4127 int op;
4128 int key_id;
4129
4130 int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
4131
4132 if (buf.len <= 0)
4133 {
4134 buf_printf(&out, "DATA UNDEF len=%d", buf.len);
4135 goto done;
4136 }
4137
4138 if (!(flags & PD_TLS))
4139 {
4140 goto print_data;
4141 }
4142
4143 /*
4144 * Initial byte (opcode)
4145 */
4146 if (!buf_read(&buf, &c, sizeof(c)))
4147 {
4148 goto done;
4149 }
4150 op = (c >> P_OPCODE_SHIFT);
4151 key_id = c & P_KEY_ID_MASK;
4152 buf_printf(&out, "%s kid=%d", packet_opcode_name(op), key_id);
4153
4154 if ((op == P_DATA_V1) || (op == P_DATA_V2))
4155 {
4156 goto print_data;
4157 }
4158
4159 /*
4160 * Session ID
4161 */
4162 {
4163 struct session_id sid;
4164
4165 if (!session_id_read(&sid, &buf))
4166 {
4167 goto done;
4168 }
4169 if (flags & PD_VERBOSE)
4170 {
4171 buf_printf(&out, " sid=%s", session_id_print(&sid, gc));
4172 }
4173 }
4174
4175 /*
4176 * tls-auth hmac + packet_id
4177 */
4178 if (tls_auth_hmac_size)
4179 {
4180 struct packet_id_net pin;
4181 uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
4182
4183 ASSERT(tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
4184
4185 if (!buf_read(&buf, tls_auth_hmac, tls_auth_hmac_size))
4186 {
4187 goto done;
4188 }
4189 if (flags & PD_VERBOSE)
4190 {
4191 buf_printf(&out, " tls_hmac=%s", format_hex(tls_auth_hmac, tls_auth_hmac_size, 0, gc));
4192 }
4193
4194 if (!packet_id_read(&pin, &buf, true))
4195 {
4196 goto done;
4197 }
4198 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4199 }
4200 /*
4201 * packet_id + tls-crypt hmac
4202 */
4203 if (flags & PD_TLS_CRYPT)
4204 {
4205 struct packet_id_net pin;
4206 uint8_t tls_crypt_hmac[TLS_CRYPT_TAG_SIZE];
4207
4208 if (!packet_id_read(&pin, &buf, true))
4209 {
4210 goto done;
4211 }
4212 buf_printf(&out, " pid=%s", packet_id_net_print(&pin, (flags & PD_VERBOSE), gc));
4213 if (!buf_read(&buf, tls_crypt_hmac, TLS_CRYPT_TAG_SIZE))
4214 {
4215 goto done;
4216 }
4217 if (flags & PD_VERBOSE)
4218 {
4219 buf_printf(&out, " tls_crypt_hmac=%s",
4220 format_hex(tls_crypt_hmac, TLS_CRYPT_TAG_SIZE, 0, gc));
4221 }
4222 /*
4223 * Remainder is encrypted and optional wKc
4224 */
4225 goto done;
4226 }
4227
4228 /*
4229 * ACK list
4230 */
4231 buf_printf(&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
4232
4233 if (op == P_ACK_V1)
4234 {
4235 goto print_data;
4236 }
4237
4238 /*
4239 * Packet ID
4240 */
4241 {
4242 packet_id_type l;
4243 if (!buf_read(&buf, &l, sizeof(l)))
4244 {
4245 goto done;
4246 }
4247 l = ntohpid(l);
4248 buf_printf(&out, " pid=" packet_id_format, (packet_id_print_type)l);
4249 }
4250
4251print_data:
4252 if (flags & PD_SHOW_DATA)
4253 {
4254 buf_printf(&out, " DATA %s", format_hex(BPTR(&buf), BLEN(&buf), 80, gc));
4255 }
4256 else
4257 {
4258 buf_printf(&out, " DATA len=%d", buf.len);
4259 }
4260
4261done:
4262 return BSTR(&out);
4263}
wipe_auth_token
void wipe_auth_token(struct tls_multi *multi)
Wipes the authentication token out of the memory, frees and cleans up related buffers and flags.
Definition auth_token.c:395
resend_auth_token_renegotiation
void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
Checks if a client should be sent a new auth token to update its current auth-token.
Definition auth_token.c:454
auth_token.h
buffer_list_push_data
struct buffer_entry * buffer_list_push_data(struct buffer_list *ol, const void *data, size_t size)
Allocates and appends a new buffer containing data of length size.
Definition buffer.c:1207
free_buf
void free_buf(struct buffer *buf)
Definition buffer.c:184
buf_clear
void buf_clear(struct buffer *buf)
Definition buffer.c:163
buffer_list_pop
void buffer_list_pop(struct buffer_list *ol)
Definition buffer.c:1298
buf_printf
bool buf_printf(struct buffer *buf, const char *format,...)
Definition buffer.c:241
buffer_list_new
struct buffer_list * buffer_list_new(void)
Allocate an empty buffer list of capacity max_size.
Definition buffer.c:1153
buffer_list_peek
struct buffer * buffer_list_peek(struct buffer_list *ol)
Retrieve the head buffer.
Definition buffer.c:1234
buffer_list_free
void buffer_list_free(struct buffer_list *ol)
Frees a buffer list and all the buffers in it.
Definition buffer.c:1162
gc_malloc
void * gc_malloc(size_t size, bool clear, struct gc_arena *a)
Definition buffer.c:336
alloc_buf_gc
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition buffer.c:89
format_hex_ex
char * format_hex_ex(const uint8_t *data, size_t size, size_t maxoutput, unsigned int space_break_flags, const char *separator, struct gc_arena *gc)
Definition buffer.c:483
alloc_buf
struct buffer alloc_buf(size_t size)
Definition buffer.c:63
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:648
buf_write_u16
static bool buf_write_u16(struct buffer *dest, uint16_t data)
Definition buffer.h:690
BSTR
#define BSTR(buf)
Definition buffer.h:128
buf_copy
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition buffer.h:704
BPTR
#define BPTR(buf)
Definition buffer.h:123
buf_write_u32
static bool buf_write_u32(struct buffer *dest, uint32_t data)
Definition buffer.h:697
buf_write_prepend
static bool buf_write_prepend(struct buffer *dest, const void *src, int size)
Definition buffer.h:672
buf_read_u16
static int buf_read_u16(struct buffer *buf)
Definition buffer.h:797
buf_copy_n
static bool buf_copy_n(struct buffer *dest, struct buffer *src, int n)
Definition buffer.h:710
ALLOC_ARRAY_CLEAR_GC
#define ALLOC_ARRAY_CLEAR_GC(dptr, type, n, gc)
Definition buffer.h:1086
buf_safe
static bool buf_safe(const struct buffer *buf, size_t len)
Definition buffer.h:518
buf_read
static bool buf_read(struct buffer *src, void *dest, int size)
Definition buffer.h:762
buf_advance
static bool buf_advance(struct buffer *buf, int size)
Definition buffer.h:616
buf_len
static int buf_len(const struct buffer *buf)
Definition buffer.h:253
secure_memzero
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
buf_write
static bool buf_write(struct buffer *dest, const void *src, size_t size)
Definition buffer.h:660
buf_write_u8
static bool buf_write_u8(struct buffer *dest, uint8_t data)
Definition buffer.h:684
ALLOC_OBJ_CLEAR_GC
#define ALLOC_OBJ_CLEAR_GC(dptr, type, gc)
Definition buffer.h:1101
buf_read_u8
static int buf_read_u8(struct buffer *buf)
Definition buffer.h:786
BLEN
#define BLEN(buf)
Definition buffer.h:126
format_hex
static char * format_hex(const uint8_t *data, size_t size, size_t maxoutput, struct gc_arena *gc)
Definition buffer.h:503
strncpynt
static void strncpynt(char *dest, const char *src, size_t maxlen)
Definition buffer.h:361
check_malloc_return
static void check_malloc_return(void *p)
Definition buffer.h:1107
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1025
ALLOC_OBJ_CLEAR
#define ALLOC_OBJ_CLEAR(dptr, type)
Definition buffer.h:1064
buf_init
#define buf_init(buf, offset)
Definition buffer.h:209
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1017
interval_t
int interval_t
Definition common.h:37
TLS_CHANNEL_BUF_SIZE
#define TLS_CHANNEL_BUF_SIZE
Definition common.h:70
counter_format
#define counter_format
Definition common.h:32
TLS_CHANNEL_MTU_MIN
#define TLS_CHANNEL_MTU_MIN
Definition common.h:83
COMP_F_MIGRATE
#define COMP_F_MIGRATE
push stub-v2 or comp-lzo no when we see a client with comp-lzo in occ
Definition comp.h:47
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1100
key2_print
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Prints the keys in a key2 structure.
Definition crypto.c:1180
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:875
check_key
bool check_key(struct key *key, const struct key_type *kt)
Definition crypto.c:1126
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:345
init_key_ctx_bi
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition crypto.c:1062
key_direction_state_init
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition crypto.c:1672
KEY_DIRECTION_NORMAL
#define KEY_DIRECTION_NORMAL
Definition crypto.h:232
CO_PACKET_ID_LONG_FORM
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition crypto.h:347
CO_USE_TLS_KEY_MATERIAL_EXPORT
#define CO_USE_TLS_KEY_MATERIAL_EXPORT
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC570...
Definition crypto.h:359
CO_USE_DYNAMIC_TLS_CRYPT
#define CO_USE_DYNAMIC_TLS_CRYPT
Bit-flag indicating that renegotiations are using tls-crypt with a TLS-EKM derived key.
Definition crypto.h:375
CO_IGNORE_PACKET_ID
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition crypto.h:350
CO_RESEND_WKC
#define CO_RESEND_WKC
Bit-flag indicating that the client is expected to resend the wrapped client key with the 2nd packet ...
Definition crypto.h:363
CO_EPOCH_DATA_KEY_FORMAT
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch the data format.
Definition crypto.h:379
cipher_decrypt_verify_fail_warn
static bool cipher_decrypt_verify_fail_warn(const struct key_ctx *ctx)
Check if the number of failed decryption is approaching the limit and we should try to move to a new ...
Definition crypto.h:724
KEY_DIRECTION_INVERSE
#define KEY_DIRECTION_INVERSE
Definition crypto.h:233
aead_usage_limit_reached
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
Definition crypto.h:753
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, uint8_t *output, size_t output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1424
crypto_uninit_lib
void crypto_uninit_lib(void)
Definition crypto_openssl.c:204
cipher_kt_mode_aead
bool cipher_kt_mode_aead(const char *ciphername)
Check if the supplied cipher is a supported AEAD mode cipher.
Definition crypto_openssl.c:812
crypto_init_lib
void crypto_init_lib(void)
Definition crypto_openssl.c:189
cipher_kt_mode_ofb_cfb
bool cipher_kt_mode_ofb_cfb(const char *ciphername)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Definition crypto_openssl.c:799
hmac_ctx_size
int hmac_ctx_size(hmac_ctx_t *ctx)
cipher_kt_insecure
bool cipher_kt_insecure(const char *ciphername)
Returns true if we consider this cipher to be insecure.
Definition crypto_openssl.c:753
rand_bytes
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
Definition crypto_openssl.c:583
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
MAX_HMAC_KEY_LENGTH
#define MAX_HMAC_KEY_LENGTH
Definition crypto_backend.h:495
OPENVPN_MAX_HMAC_SIZE
#define OPENVPN_MAX_HMAC_SIZE
Definition crypto_backend.h:48
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:326
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:341
crypto_epoch.h
dco_set_peer
static int dco_set_peer(dco_context_t *dco, unsigned int peerid, int keepalive_interval, int keepalive_timeout, int mss)
Definition dco.h:341
dco_context_t
void * dco_context_t
Definition dco.h:259
init_key_dco_bi
static int init_key_dco_bi(struct tls_multi *multi, struct key_state *ks, const struct key2 *key2, int key_direction, const char *ciphername, bool server)
Definition dco.h:321
setenv_str
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition env_set.c:307
setenv_del
void setenv_del(struct env_set *es, const char *name)
Definition env_set.c:352
D_TLS_DEBUG_LOW
#define D_TLS_DEBUG_LOW
Definition errlevel.h:76
D_PUSH
#define D_PUSH
Definition errlevel.h:82
D_TLS_DEBUG_MED
#define D_TLS_DEBUG_MED
Definition errlevel.h:156
D_DCO
#define D_DCO
Definition errlevel.h:93
D_SHOW_KEYS
#define D_SHOW_KEYS
Definition errlevel.h:120
D_MULTI_DROPPED
#define D_MULTI_DROPPED
Definition errlevel.h:100
D_HANDSHAKE
#define D_HANDSHAKE
Definition errlevel.h:71
D_SHOW_KEY_SOURCE
#define D_SHOW_KEY_SOURCE
Definition errlevel.h:121
D_TLS_KEYSELECT
#define D_TLS_KEYSELECT
Definition errlevel.h:145
D_MTU_INFO
#define D_MTU_INFO
Definition errlevel.h:104
D_TLS_ERRORS
#define D_TLS_ERRORS
Definition errlevel.h:58
M_INFO
#define M_INFO
Definition errlevel.h:54
D_TLS_DEBUG
#define D_TLS_DEBUG
Definition errlevel.h:164
S_ACTIVE
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:100
tls_auth_standalone_init
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1183
TM_INITIAL
#define TM_INITIAL
As yet un-trusted tls_session \ being negotiated.
Definition ssl_common.h:547
KS_SIZE
#define KS_SIZE
Size of the tls_session.key array.
Definition ssl_common.h:470
key_state_free
static void key_state_free(struct key_state *ks, bool clear)
Cleanup a key_state structure.
Definition ssl.c:899
tls_session_free
static void tls_session_free(struct tls_session *session, bool clear)
Clean up a tls_session structure.
Definition ssl.c:1047
tls_init_control_channel_frame_parameters
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:141
tls_multi_free
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1235
S_ERROR_PRE
#define S_ERROR_PRE
Error state but try to send out alerts before killing the keystore and moving it to S_ERROR.
Definition ssl_common.h:79
KS_PRIMARY
#define KS_PRIMARY
Primary key state index.
Definition ssl_common.h:466
S_PRE_START_SKIP
#define S_PRE_START_SKIP
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:87
S_UNDEF
#define S_UNDEF
Undefined state, used after a key_state is cleaned up.
Definition ssl_common.h:82
S_START
#define S_START
Three-way handshake is complete, start of key exchange.
Definition ssl_common.h:93
S_GOT_KEY
#define S_GOT_KEY
Local OpenVPN process has received the remote's part of the key material.
Definition ssl_common.h:97
S_PRE_START
#define S_PRE_START
Waiting for the remote OpenVPN peer to acknowledge during the initial three-way handshake.
Definition ssl_common.h:90
tls_multi_init
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1154
tls_multi_init_finalize
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1169
TM_LAME_DUCK
#define TM_LAME_DUCK
Old tls_session.
Definition ssl_common.h:550
tls_session_init
static void tls_session_init(struct tls_multi *multi, struct tls_session *session)
Initialize a tls_session structure.
Definition ssl.c:976
TM_SIZE
#define TM_SIZE
Size of the tls_multi.session \ array.
Definition ssl_common.h:551
tls_auth_standalone_free
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1208
TM_ACTIVE
#define TM_ACTIVE
Active tls_session.
Definition ssl_common.h:546
S_GENERATED_KEYS
#define S_GENERATED_KEYS
The data channel keys have been generated The TLS session is fully authenticated when reaching this s...
Definition ssl_common.h:105
KS_LAME_DUCK
#define KS_LAME_DUCK
Key state index that will retire \ soon.
Definition ssl_common.h:467
S_SENT_KEY
#define S_SENT_KEY
Local OpenVPN process has sent its part of the key material.
Definition ssl_common.h:95
S_ERROR
#define S_ERROR
Error state.
Definition ssl_common.h:78
S_INITIAL
#define S_INITIAL
Initial key_state state after initialization by key_state_init() before start of three-way handshake.
Definition ssl_common.h:84
key_state_init
static void key_state_init(struct tls_session *session, struct key_state *ks)
Initialize a key_state structure.
Definition ssl.c:814
tls_multi_init_set_options
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1224
key_state_read_plaintext
int key_state_read_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract plaintext data from the TLS module.
Definition ssl_openssl.c:2258
key_state_write_ciphertext
int key_state_write_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a ciphertext buffer into the TLS module.
Definition ssl_openssl.c:2245
key_state_read_ciphertext
int key_state_read_ciphertext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Extract ciphertext data from the TLS module.
Definition ssl_openssl.c:2233
key_state_write_plaintext_const
int key_state_write_plaintext_const(struct key_state_ssl *ks_ssl, const uint8_t *data, int len)
Insert plaintext data into the TLS module.
Definition ssl_openssl.c:2221
key_state_write_plaintext
int key_state_write_plaintext(struct key_state_ssl *ks_ssl, struct buffer *buf)
Insert a plaintext buffer into the TLS module.
Definition ssl_openssl.c:2208
tls_post_encrypt
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:3990
tls_select_encryption_key
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3903
TLS_AUTHENTICATED
#define TLS_AUTHENTICATED(multi, ks)
Check whether the ks key_state has finished the key exchange part of the OpenVPN hand shake.
Definition ssl_verify.h:113
tls_prepend_opcode_v1
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3962
tls_pre_encrypt
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3930
tls_prepend_opcode_v2
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:3976
tls_pre_decrypt
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3551
reliable_free
void reliable_free(struct reliable *rel)
Free allocated memory associated with a reliable structure and the pointer itself.
Definition reliable.c:364
reliable_ack_read
bool reliable_ack_read(struct reliable_ack *ack, struct buffer *buf, const struct session_id *sid)
Read an acknowledgment record from a received packet.
Definition reliable.c:144
reliable_get_buf_output_sequenced
struct buffer * reliable_get_buf_output_sequenced(struct reliable *rel)
Get the buffer of free reliable entry and check whether the outgoing acknowledgment sequence is still...
Definition reliable.c:562
reliable_schedule_now
void reliable_schedule_now(struct reliable *rel)
Reschedule all entries of a reliable structure to be ready for (re)sending immediately.
Definition reliable.c:675
reliable_ack_read_packet_id
bool reliable_ack_read_packet_id(struct buffer *buf, packet_id_type *pid)
Read the packet ID of a received packet.
Definition reliable.c:109
reliable_ack_outstanding
static int reliable_ack_outstanding(struct reliable_ack *ack)
Returns the number of packets that need to be acked.
Definition reliable.h:189
reliable_mark_active_incoming
void reliable_mark_active_incoming(struct reliable *rel, struct buffer *buf, packet_id_type pid, int opcode)
Mark the reliable entry associated with the given buffer as active incoming.
Definition reliable.c:736
reliable_mark_active_outgoing
void reliable_mark_active_outgoing(struct reliable *rel, struct buffer *buf, int opcode)
Mark the reliable entry associated with the given buffer as active outgoing.
Definition reliable.c:769
reliable_ack_print
const char * reliable_ack_print(struct buffer *buf, bool verbose, struct gc_arena *gc)
Definition reliable.c:305
reliable_ack_acknowledge_packet_id
bool reliable_ack_acknowledge_packet_id(struct reliable_ack *ack, packet_id_type pid)
Record a packet ID for later acknowledgment.
Definition reliable.c:127
reliable_set_timeout
static void reliable_set_timeout(struct reliable *rel, interval_t timeout)
Definition reliable.h:526
reliable_can_get
bool reliable_can_get(const struct reliable *rel)
Check whether a reliable structure has any free buffers available for use.
Definition reliable.c:454
reliable_send_purge
void reliable_send_purge(struct reliable *rel, const struct reliable_ack *ack)
Remove acknowledged packets from a reliable structure.
Definition reliable.c:395
reliable_get_buf
struct buffer * reliable_get_buf(struct reliable *rel)
Get the buffer of a free reliable entry in which to store a packet.
Definition reliable.c:518
reliable_send
struct buffer * reliable_send(struct reliable *rel, int *opcode)
Get the next packet to send to the remote peer.
Definition reliable.c:638
reliable_can_send
bool reliable_can_send(const struct reliable *rel)
Check whether a reliable structure has any active entries ready to be (re)sent.
Definition reliable.c:612
reliable_empty
bool reliable_empty(const struct reliable *rel)
Check whether a reliable structure is empty.
Definition reliable.c:380
reliable_not_replay
bool reliable_not_replay(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID is not a replay.
Definition reliable.c:472
RELIABLE_ACK_SIZE
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs \ waiting to be acknowledged which can \ be stored in one reliable_a...
Definition reliable.h:43
reliable_send_timeout
interval_t reliable_send_timeout(const struct reliable *rel)
Determined how many seconds until the earliest resend should be attempted.
Definition reliable.c:698
reliable_get_entry_sequenced
struct reliable_entry * reliable_get_entry_sequenced(struct reliable *rel)
Get the buffer of the next sequential and active entry.
Definition reliable.c:597
reliable_init
void reliable_init(struct reliable *rel, int buf_size, int offset, int array_size, bool hold)
Initialize a reliable structure.
Definition reliable.c:348
reliable_mark_deleted
void reliable_mark_deleted(struct reliable *rel, struct buffer *buf)
Remove an entry from a reliable structure.
Definition reliable.c:796
reliable_get_num_output_sequenced_available
int reliable_get_num_output_sequenced_available(struct reliable *rel)
Counts the number of free buffers in output that can be potentially used for sending.
Definition reliable.c:533
reliable_wont_break_sequentiality
bool reliable_wont_break_sequentiality(const struct reliable *rel, packet_id_type id)
Check that a received packet's ID can safely be stored in the reliable structure's processing window.
Definition reliable.c:499
ACK_SIZE
#define ACK_SIZE(n)
Definition reliable.h:70
reliable_ack_empty
static bool reliable_ack_empty(struct reliable_ack *ack)
Check whether an acknowledgment structure contains any packet IDs to be acknowledged.
Definition reliable.h:176
TLS_CRYPT_TAG_SIZE
#define TLS_CRYPT_TAG_SIZE
Definition tls_crypt.h:88
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition tls_crypt.c:96
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition tls_crypt.c:55
min_int
static int min_int(int x, int y)
Definition integer.h:105
max_int
static int max_int(int x, int y)
Definition integer.h:92
status
static SERVICE_STATUS status
Definition interactive.c:51
management_query_cert
char * management_query_cert(struct management *man, const char *cert_name)
Definition manage.c:3805
management_set_state
void management_set_state(struct management *man, const int state, const char *detail, const in_addr_t *tun_local_ip, const struct in6_addr *tun_local_ip6, const struct openvpn_sockaddr *local, const struct openvpn_sockaddr *remote)
Definition manage.c:2789
MF_EXTERNAL_KEY
#define MF_EXTERNAL_KEY
Definition manage.h:36
OPENVPN_STATE_AUTH
#define OPENVPN_STATE_AUTH
Definition manage.h:458
OPENVPN_STATE_WAIT
#define OPENVPN_STATE_WAIT
Definition manage.h:457
MF_EXTERNAL_CERT
#define MF_EXTERNAL_CERT
Definition manage.h:42
management_enable_def_auth
static bool management_enable_def_auth(const struct management *man)
Definition manage.h:438
VALGRIND_MAKE_READABLE
#define VALGRIND_MAKE_READABLE(addr, len)
Definition memdbg.h:53
unprotect_user_pass
void unprotect_user_pass(struct user_pass *up)
Decrypt username and password buffers in user_pass.
Definition misc.c:808
get_user_pass_cr
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.c:201
purge_user_pass
void purge_user_pass(struct user_pass *up, const bool force)
Definition misc.c:470
set_auth_token_user
void set_auth_token_user(struct user_pass *tk, const char *username)
Sets the auth-token username by base64 decoding the passed username.
Definition misc.c:516
output_peer_info_env
void output_peer_info_env(struct env_set *es, const char *peer_info)
Definition misc.c:755
prepend_dir
struct buffer prepend_dir(const char *dir, const char *path, struct gc_arena *gc)
Prepend a directory to a path.
Definition misc.c:777
protect_user_pass
void protect_user_pass(struct user_pass *up)
Encrypt username and password buffers in user_pass.
Definition misc.c:788
set_auth_token
void set_auth_token(struct user_pass *tk, const char *token)
Sets the auth-token to token.
Definition misc.c:496
USER_PASS_LEN
#define USER_PASS_LEN
Definition misc.h:64
GET_USER_PASS_STATIC_CHALLENGE_CONCAT
#define GET_USER_PASS_STATIC_CHALLENGE_CONCAT
indicates password and response should be concatenated
Definition misc.h:125
GET_USER_PASS_MANAGEMENT
#define GET_USER_PASS_MANAGEMENT
Definition misc.h:110
GET_USER_PASS_PASSWORD_ONLY
#define GET_USER_PASS_PASSWORD_ONLY
Definition misc.h:112
GET_USER_PASS_STATIC_CHALLENGE_ECHO
#define GET_USER_PASS_STATIC_CHALLENGE_ECHO
SCRV1 protocol – echo response.
Definition misc.h:120
GET_USER_PASS_INLINE_CREDS
#define GET_USER_PASS_INLINE_CREDS
indicates that auth_file is actually inline creds
Definition misc.h:123
GET_USER_PASS_STATIC_CHALLENGE
#define GET_USER_PASS_STATIC_CHALLENGE
SCRV1 protocol – static challenge.
Definition misc.h:119
SC_CONCAT
#define SC_CONCAT
Definition misc.h:92
SC_ECHO
#define SC_ECHO
Definition misc.h:91
get_user_pass
static bool get_user_pass(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags)
Retrieves the user credentials from various sources depending on the flags.
Definition misc.h:150
GET_USER_PASS_DYNAMIC_CHALLENGE
#define GET_USER_PASS_DYNAMIC_CHALLENGE
CRV1 protocol – dynamic challenge.
Definition misc.h:118
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:317
frame_print
void frame_print(const struct frame *frame, msglvl_t msglevel, const char *prefix)
Definition mtu.c:190
BUF_SIZE
#define BUF_SIZE(f)
Definition mtu.h:178
CLEAR
#define CLEAR(x)
Definition basic.h:32
check_debug_level
static bool check_debug_level(msglvl_t level)
Definition error.h:259
M_FATAL
#define M_FATAL
Definition error.h:90
dmsg
#define dmsg(flags,...)
Definition error.h:172
msg
#define msg(flags,...)
Definition error.h:152
ASSERT
#define ASSERT(x)
Definition error.h:219
M_WARN
#define M_WARN
Definition error.h:92
MAX_PEER_ID
#define MAX_PEER_ID
Definition openvpn.h:550
options_cmp_equal
bool options_cmp_equal(char *actual, const char *expected)
Definition options.c:4559
key_is_external
bool key_is_external(const struct options *options)
Definition options.c:5569
options_string_extract_option
char * options_string_extract_option(const char *options_string, const char *opt_name, struct gc_arena *gc)
Given an OpenVPN options string, extract the value of an option.
Definition options.c:4716
options_warning
void options_warning(char *actual, const char *expected)
Definition options.c:4565
MODE_SERVER
#define MODE_SERVER
Definition options.h:264
dco_enabled
static bool dco_enabled(const struct options *o)
Returns whether the current configuration has dco enabled.
Definition options.h:992
now
time_t now
Definition otime.c:33
update_time
static void update_time(void)
Definition otime.h:84
packet_id_persist_load_obj
void packet_id_persist_load_obj(const struct packet_id_persist *p, struct packet_id *pid)
Definition packet_id.c:549
packet_id_init
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
Definition packet_id.c:96
packet_id_free
void packet_id_free(struct packet_id *p)
Definition packet_id.c:126
packet_id_read
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition packet_id.c:319
packet_id_net_print
const char * packet_id_net_print(const struct packet_id_net *pin, bool print_timestamp, struct gc_arena *gc)
Definition packet_id.c:423
packet_id_format
#define packet_id_format
Definition packet_id.h:76
packet_id_print_type
uint64_t packet_id_print_type
Definition packet_id.h:77
packet_id_type
uint32_t packet_id_type
Definition packet_id.h:45
packet_id_close_to_wrapping
static bool packet_id_close_to_wrapping(const struct packet_id_send *p)
Definition packet_id.h:328
ntohpid
#define ntohpid(x)
Definition packet_id.h:64
packet_id_size
static int packet_id_size(bool long_form)
Definition packet_id.h:322
platform_stat
int platform_stat(const char *path, platform_stat_t *buf)
Definition platform.c:526
platform_stat_t
struct _stat platform_stat_t
Definition platform.h:118
plugin_defined
bool plugin_defined(const struct plugin_list *pl, const int type)
Definition plugin.c:904
plugin_call
static int plugin_call(const struct plugin_list *pl, const int type, const struct argv *av, struct plugin_return *pr, struct env_set *es)
Definition plugin.h:195
get_default_gateway
void get_default_gateway(struct route_gateway_info *rgi, in_addr_t dest, openvpn_net_ctx_t *ctx)
Retrieves the best gateway for a given destination based on the routing table.
Definition route.c:2570
RGI_HWADDR_DEFINED
#define RGI_HWADDR_DEFINED
Definition route.h:161
session_id_random
void session_id_random(struct session_id *sid)
Definition session_id.c:48
session_id_print
const char * session_id_print(const struct session_id *sid, struct gc_arena *gc)
Definition session_id.c:54
session_id_equal
static bool session_id_equal(const struct session_id *sid1, const struct session_id *sid2)
Definition session_id.h:47
session_id_defined
static bool session_id_defined(const struct session_id *sid1)
Definition session_id.h:53
session_id_read
static bool session_id_read(struct session_id *sid, struct buffer *buf)
Definition session_id.h:59
SID_SIZE
#define SID_SIZE
Definition session_id.h:44
link_socket_set_outgoing_addr
static void link_socket_set_outgoing_addr(struct link_socket_info *info, const struct link_socket_actual *act, const char *common_name, struct env_set *es)
Definition socket.h:514
print_link_socket_actual
const char * print_link_socket_actual(const struct link_socket_actual *act, struct gc_arena *gc)
Definition socket_util.c:117
link_socket_actual_defined
static bool link_socket_actual_defined(const struct link_socket_actual *act)
Definition socket_util.h:328
datagram_overhead
static int datagram_overhead(sa_family_t af, int proto)
Definition socket_util.h:309
link_socket_actual_match
static bool link_socket_actual_match(const struct link_socket_actual *a1, const struct link_socket_actual *a2)
Definition socket_util.h:486
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
ssl_purge_auth
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:381
ssl_set_auth_token_user
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:361
generate_key_expansion
static bool generate_key_expansion(struct tls_multi *multi, struct key_state *ks, struct tls_session *session)
Definition ssl.c:1471
tls_process
static bool tls_process(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2997
tls_session_user_pass_enabled
static bool tls_session_user_pass_enabled(struct tls_session *session)
Returns whether or not the server should check for username/password.
Definition ssl.c:944
auth_deferred_expire_window
static int auth_deferred_expire_window(const struct tls_options *o)
Definition ssl.c:2379
passbuf
static struct user_pass passbuf
Definition ssl.c:245
print_key_id
static const char * print_key_id(struct tls_multi *multi, struct gc_arena *gc)
Definition ssl.c:763
INCR_GENERATED
#define INCR_GENERATED
Definition ssl.c:92
auth_token
static struct user_pass auth_token
Definition ssl.c:280
init_epoch_keys
static void init_epoch_keys(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2)
Definition ssl.c:1330
compute_earliest_wakeup
static void compute_earliest_wakeup(interval_t *earliest, time_t seconds_from_now)
Definition ssl.c:1110
lame_duck_must_die
static bool lame_duck_must_die(const struct tls_session *session, interval_t *wakeup)
Definition ssl.c:1127
ssl_set_auth_nocache
void ssl_set_auth_nocache(void)
Definition ssl.c:336
ks_auth_name
static const char * ks_auth_name(enum ks_auth_state auth)
Definition ssl.c:722
key_source2_read
static int key_source2_read(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1701
move_session
static void move_session(struct tls_multi *multi, int dest, int src, bool reinit_src)
Definition ssl.c:1076
handle_data_channel_packet
static void handle_data_channel_packet(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Check the keyid of the an incoming data channel packet and return the matching crypto parameters in o...
Definition ssl.c:3451
tls_send_payload
bool tls_send_payload(struct key_state *ks, const uint8_t *data, size_t size)
Definition ssl.c:4010
export_user_keying_material
static void export_user_keying_material(struct tls_session *session)
Definition ssl.c:2168
ssl_put_auth_challenge
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:406
INCR_SUCCESS
#define INCR_SUCCESS
Definition ssl.c:93
pem_password_callback
int pem_password_callback(char *buf, int size, int rwflag, void *u)
Callback to retrieve the user's password.
Definition ssl.c:259
control_packet_needs_wkc
static bool control_packet_needs_wkc(const struct key_state *ks)
Definition ssl.c:2586
tls_update_remote_addr
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4068
read_incoming_tls_ciphertext
static bool read_incoming_tls_ciphertext(struct buffer *buf, struct key_state *ks, bool *continue_tls_process)
Read incoming ciphertext and passes it to the buffer of the SSL library.
Definition ssl.c:2560
key_source2_print
static void key_source2_print(const struct key_source2 *k)
Definition ssl.c:1289
auth_user_pass
static struct user_pass auth_user_pass
Definition ssl.c:279
tls_rec_payload
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4043
write_outgoing_tls_ciphertext
static bool write_outgoing_tls_ciphertext(struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2618
check_outgoing_ciphertext
static bool check_outgoing_ciphertext(struct key_state *ks, struct tls_session *session, bool *continue_tls_process)
Definition ssl.c:2704
check_session_buf_not_used
static void check_session_buf_not_used(struct buffer *to_link, struct tls_session *session)
This is a safe guard function to double check that a buffer from a session is not used in a session t...
Definition ssl.c:3130
tls_session_generate_data_channel_keys
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1535
flush_payload_buffer
static void flush_payload_buffer(struct key_state *ks)
Definition ssl.c:1733
init_key_contexts
static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, bool server, struct key2 *key2, bool dco_enabled)
Definition ssl.c:1369
print_key_id_not_found_reason
static void print_key_id_not_found_reason(struct tls_multi *multi, const struct link_socket_actual *from, int key_id)
We have not found a matching key to decrypt data channel packet, try to generate a sensible error mes...
Definition ssl.c:3403
tls_session_update_crypto_params_do_work
bool tls_session_update_crypto_params_do_work(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Definition ssl.c:1567
tls_session_soft_reset
void tls_session_soft_reset(struct tls_multi *tls_multi)
Definition ssl.c:1764
init_ssl
void init_ssl(const struct options *options, struct tls_root_ctx *new_ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:511
is_hard_reset_method2
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:779
read_string_alloc
static char * read_string_alloc(struct buffer *buf)
Definition ssl.c:1833
should_trigger_renegotiation
static bool should_trigger_renegotiation(const struct tls_session *session, const struct key_state *ks)
Determines if a renegotiation should be triggerred based on the various factors that can trigger one.
Definition ssl.c:2914
tls_version_parse
int tls_version_parse(const char *vstr, const char *extra)
Definition ssl.c:420
read_string
static int read_string(struct buffer *buf, char *str, const unsigned int capacity)
Read a string that is encoded as a 2 byte header with the length from the buffer buf.
Definition ssl.c:1814
session_skip_to_pre_start
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2486
session_index_name
static const char * session_index_name(int index)
Definition ssl.c:741
session_move_active
static void session_move_active(struct tls_multi *multi, struct tls_session *session, struct link_socket_info *to_link_socket_info, struct key_state *ks)
Moves the key to state to S_ACTIVE and also advances the multi_state state machine if this is the ini...
Definition ssl.c:2443
tls_get_limit_aead
static uint64_t tls_get_limit_aead(const char *ciphername)
Definition ssl.c:120
random_bytes_to_buf
static bool random_bytes_to_buf(struct buffer *buf, uint8_t *out, int outlen)
Definition ssl.c:1655
ssl_set_auth_token
void ssl_set_auth_token(const char *token)
Definition ssl.c:355
openvpn_PRF
static bool openvpn_PRF(const uint8_t *secret, size_t secret_len, const char *label, const uint8_t *client_seed, size_t client_seed_len, const uint8_t *server_seed, size_t server_seed_len, const struct session_id *client_sid, const struct session_id *server_sid, uint8_t *output, size_t output_len)
Definition ssl.c:1296
INCR_SENT
#define INCR_SENT
Definition ssl.c:91
tls_multi_process
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3194
tls_process_state
static bool tls_process_state(struct tls_multi *multi, struct tls_session *session, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:2723
ssl_get_auth_nocache
bool ssl_get_auth_nocache(void)
Definition ssl.c:346
key_method_2_write
static bool key_method_2_write(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle the writing of key data, peer-info, username/password, OCC to the TLS control channel (clearte...
Definition ssl.c:2051
pem_password_setup
void pem_password_setup(const char *auth_file)
Definition ssl.c:248
init_ssl_lib
void init_ssl_lib(void)
Definition ssl.c:225
key_source_print
static void key_source_print(const struct key_source *k, const char *prefix)
Definition ssl.c:1270
tls_session_update_crypto_params
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1636
write_empty_string
static bool write_empty_string(struct buffer *buf)
Definition ssl.c:1774
tls_limit_reneg_bytes
static void tls_limit_reneg_bytes(const char *ciphername, int64_t *reneg_bytes)
Limit the reneg_bytes value when using a small-block (<128 bytes) cipher.
Definition ssl.c:106
free_ssl_lib
void free_ssl_lib(void)
Definition ssl.c:233
key_state_soft_reset
static void key_state_soft_reset(struct tls_session *session)
Definition ssl.c:1749
parse_early_negotiation_tlvs
static bool parse_early_negotiation_tlvs(struct buffer *buf, struct key_state *ks)
Parses the TLVs (type, length, value) in the early negotiation.
Definition ssl.c:2511
auth_user_pass_enabled
static bool auth_user_pass_enabled
Definition ssl.c:278
auth_challenge
static char * auth_challenge
Definition ssl.c:283
key_source2_randomize_write
static bool key_source2_randomize_write(struct key_source2 *k2, struct buffer *buf, bool server)
Definition ssl.c:1670
state_name
static const char * state_name(int state)
Definition ssl.c:679
generate_key_expansion_openvpn_prf
static bool generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key2 *key2)
Definition ssl.c:1427
reset_session
static void reset_session(struct tls_multi *multi, struct tls_session *session)
Definition ssl.c:1099
INCR_ERROR
#define INCR_ERROR
Definition ssl.c:94
tls_ctx_reload_crl
static void tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_file_inline)
Load (or possibly reload) the CRL file into the SSL context.
Definition ssl.c:461
calc_control_channel_frame_overhead
static size_t calc_control_channel_frame_overhead(const struct tls_session *session)
calculate the maximum overhead that control channel frames have This includes header,...
Definition ssl.c:188
auth_user_pass_setup
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sci)
Definition ssl.c:293
generate_key_expansion_tls_export
static bool generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
Definition ssl.c:1413
ssl_clean_auth_token
bool ssl_clean_auth_token(void)
Definition ssl.c:370
push_peer_info
static bool push_peer_info(struct buffer *buf, struct tls_session *session)
Prepares the IV_ and UV_ variables that are part of the exchange to signal the peer's capabilities.
Definition ssl.c:1869
write_string
static bool write_string(struct buffer *buf, const char *str, const int maxlen)
Definition ssl.c:1784
enable_auth_user_pass
void enable_auth_user_pass(void)
Definition ssl.c:287
ssl_purge_auth_challenge
void ssl_purge_auth_challenge(void)
Definition ssl.c:399
show_available_tls_ciphers
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4096
read_incoming_tls_plaintext
static bool read_incoming_tls_plaintext(struct key_state *ks, struct buffer *buf, interval_t *wakeup, bool *continue_tls_process)
Definition ssl.c:2593
key_method_2_read
static bool key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
Handle reading key data, peer-info, username/password, OCC from the TLS control channel (cleartext).
Definition ssl.c:2202
session_move_pre_start
static bool session_move_pre_start(const struct tls_session *session, struct key_state *ks, bool skip_initial_send)
Move the session from S_INITIAL to S_PRE_START.
Definition ssl.c:2398
protocol_dump
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4121
ssl.h
Control Channel SSL/Data channel negotiation module.
IV_PROTO_CC_EXIT_NOTIFY
#define IV_PROTO_CC_EXIT_NOTIFY
Support for explicit exit notify via control channel This also includes support for the protocol-flag...
Definition ssl.h:102
TLSMP_RECONNECT
#define TLSMP_RECONNECT
Definition ssl.h:232
IV_PROTO_DATA_EPOCH
#define IV_PROTO_DATA_EPOCH
Support the extended packet id and epoch format for data channel packets.
Definition ssl.h:111
load_xkey_provider
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
Definition ssl_openssl.c:2661
tls_wrap_free
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:472
IV_PROTO_AUTH_FAIL_TEMP
#define IV_PROTO_AUTH_FAIL_TEMP
Support for AUTH_FAIL,TEMP messages.
Definition ssl.h:105
IV_PROTO_DATA_V2
#define IV_PROTO_DATA_V2
Support P_DATA_V2.
Definition ssl.h:80
KEY_METHOD_2
#define KEY_METHOD_2
Definition ssl.h:122
CONTROL_SEND_ACK_MAX
#define CONTROL_SEND_ACK_MAX
Definition ssl.h:55
TLSMP_ACTIVE
#define TLSMP_ACTIVE
Definition ssl.h:230
KEY_EXPANSION_ID
#define KEY_EXPANSION_ID
Definition ssl.h:49
IV_PROTO_TLS_KEY_EXPORT
#define IV_PROTO_TLS_KEY_EXPORT
Supports key derivation via TLS key material exporter [RFC5705].
Definition ssl.h:87
PD_TLS_CRYPT
#define PD_TLS_CRYPT
Definition ssl.h:525
PD_TLS
#define PD_TLS
Definition ssl.h:523
IV_PROTO_PUSH_UPDATE
#define IV_PROTO_PUSH_UPDATE
Supports push-update.
Definition ssl.h:117
IV_PROTO_AUTH_PENDING_KW
#define IV_PROTO_AUTH_PENDING_KW
Supports signaling keywords with AUTH_PENDING, e.g.
Definition ssl.h:90
PD_VERBOSE
#define PD_VERBOSE
Definition ssl.h:524
IV_PROTO_DYN_TLS_CRYPT
#define IV_PROTO_DYN_TLS_CRYPT
Support to dynamic tls-crypt (renegotiation with TLS-EKM derived tls-crypt key)
Definition ssl.h:108
TLSMP_KILL
#define TLSMP_KILL
Definition ssl.h:231
PD_SHOW_DATA
#define PD_SHOW_DATA
Definition ssl.h:522
IV_PROTO_REQUEST_PUSH
#define IV_PROTO_REQUEST_PUSH
Assume client will send a push request and server does not need to wait for a push-request to send a ...
Definition ssl.h:84
KEY_METHOD_MASK
#define KEY_METHOD_MASK
Definition ssl.h:125
IV_PROTO_DNS_OPTION_V2
#define IV_PROTO_DNS_OPTION_V2
Supports the –dns option after all the incompatible changes.
Definition ssl.h:114
PD_TLS_AUTH_HMAC_SIZE_MASK
#define PD_TLS_AUTH_HMAC_SIZE_MASK
Definition ssl.h:521
IV_PROTO_NCP_P2P
#define IV_PROTO_NCP_P2P
Support doing NCP in P2P mode.
Definition ssl.h:95
TLSMP_INACTIVE
#define TLSMP_INACTIVE
Definition ssl.h:229
TLS_OPTIONS_LEN
#define TLS_OPTIONS_LEN
Definition ssl.h:69
ssl_backend.h
Control Channel SSL library backend module.
tls_ctx_set_tls_groups
void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
Set the (elliptic curve) group allowed for signatures and key exchange.
Definition ssl_openssl.c:558
tls_ctx_free
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
Definition ssl_openssl.c:139
get_ssl_library_version
const char * get_ssl_library_version(void)
return a pointer to a static memory area containing the name and version number of the SSL library in...
Definition ssl_openssl.c:2628
tls_clear_error
void tls_clear_error(void)
Clear the underlying SSL library's error state.
key_state_export_keying_material
bool key_state_export_keying_material(struct tls_session *session, const char *label, size_t label_size, void *ekm, size_t ekm_size)
Keying Material Exporters [RFC 5705] allows additional keying material to be derived from existing TL...
Definition ssl_openssl.c:155
TLS_VER_BAD
#define TLS_VER_BAD
Parse a TLS version specifier.
Definition ssl_backend.h:103
show_available_tls_ciphers_list
void show_available_tls_ciphers_list(const char *cipher_list, const char *tls_cert_profile, bool tls13)
Show the TLS ciphers that are available for us to use in the library depending on the TLS version.
Definition ssl_openssl.c:2517
TLS_VER_1_0
#define TLS_VER_1_0
Definition ssl_backend.h:105
tls_ctx_server_new
void tls_ctx_server_new(struct tls_root_ctx *ctx)
Initialise a library-specific TLS context for a server.
Definition ssl_openssl.c:103
EXPORT_KEY_DATA_LABEL
#define EXPORT_KEY_DATA_LABEL
Definition ssl_backend.h:390
key_state_ssl_free
void key_state_ssl_free(struct key_state_ssl *ks_ssl)
Free the SSL channel part of the given key state.
Definition ssl_openssl.c:2193
TLS_VER_1_2
#define TLS_VER_1_2
Definition ssl_backend.h:107
tls_ctx_load_priv_file
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
Definition ssl_openssl.c:1264
key_state_ssl_shutdown
void key_state_ssl_shutdown(struct key_state_ssl *ks_ssl)
Sets a TLS session to be shutdown state, so the TLS library will generate a shutdown alert.
Definition ssl_openssl.c:2187
tls_ctx_load_extra_certs
void tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, bool extra_certs_file_inline)
Load extra certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1930
tls_ctx_check_cert_time
void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx)
Check our certificate notBefore and notAfter fields, and warn if the cert is either not yet valid or ...
Definition ssl_openssl.c:616
tls_ctx_restrict_ciphers_tls13
void tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.3 and higher.
Definition ssl_openssl.c:489
tls_ctx_load_pkcs12
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file)
Load PKCS #12 file for key, cert and (optionally) CA certs, and add to library-specific TLS context.
Definition ssl_openssl.c:899
key_state_ssl_init
void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session)
Initialise the SSL channel part of the given key state.
Definition ssl_openssl.c:2146
tls_free_lib
void tls_free_lib(void)
Free any global SSL library-specific data structures.
Definition ssl_openssl.c:98
tls_ctx_load_ecdh_params
void tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
Load Elliptic Curve Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:710
TLS_VER_1_3
#define TLS_VER_1_3
Definition ssl_backend.h:108
TLS_VER_1_1
#define TLS_VER_1_1
Definition ssl_backend.h:106
tls_init_lib
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
Definition ssl_openssl.c:91
print_details
void print_details(struct key_state_ssl *ks_ssl, const char *prefix)
Print a one line summary of SSL/TLS session handshake.
Definition ssl_openssl.c:2487
tls_version_max
int tls_version_max(void)
Return the maximum TLS version (as a TLS_VER_x constant) supported by current SSL implementation.
Definition ssl_openssl.c:203
backend_tls_ctx_reload_crl
void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, bool crl_inline)
Reload the Certificate Revocation List for the SSL channel.
Definition ssl_openssl.c:1318
tls_ctx_restrict_ciphers
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
Restrict the list of ciphers that can be used within the TLS context for TLS 1.2 and below.
Definition ssl_openssl.c:428
tls_ctx_load_ca
void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, bool ca_file_inline, const char *ca_path, bool tls_server)
Load certificate authority certificates from the given file or path.
Definition ssl_openssl.c:1783
tls_ctx_set_cert_profile
void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile)
Set the TLS certificate profile.
Definition ssl_openssl.c:517
tls_ctx_use_management_external_key
int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx)
Tell the management interface to load the given certificate and the external private key matching the...
Definition ssl_openssl.c:1704
tls_ctx_load_cryptoapi
void tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert)
Use Windows cryptoapi for key and cert, and add to library-specific TLS context.
Definition ssl_openssl.c:1032
tls_ctx_set_options
bool tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags)
Set any library specific options.
Definition ssl_openssl.c:306
tls_ctx_load_dh_params
void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
Load Diffie Hellman Parameters, and load them into the library-specific TLS context.
Definition ssl_openssl.c:652
tls_ctx_client_new
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
Definition ssl_openssl.c:121
tls_ctx_load_cert_file
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
Definition ssl_openssl.c:1251
KEY_SCAN_SIZE
#define KEY_SCAN_SIZE
Definition ssl_common.h:568
get_key_scan
static struct key_state * get_key_scan(struct tls_multi *multi, int index)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:734
UP_TYPE_PRIVATE_KEY
#define UP_TYPE_PRIVATE_KEY
Definition ssl_common.h:42
SSLF_AUTH_USER_PASS_OPTIONAL
#define SSLF_AUTH_USER_PASS_OPTIONAL
Definition ssl_common.h:428
CAS_CONNECT_DONE
@ CAS_CONNECT_DONE
Definition ssl_common.h:595
CAS_WAITING_AUTH
@ CAS_WAITING_AUTH
Initial TLS connection established but deferred auth is not yet finished.
Definition ssl_common.h:583
CAS_PENDING
@ CAS_PENDING
Options import (Connect script/plugin, ccd,...)
Definition ssl_common.h:584
CAS_WAITING_OPTIONS_IMPORT
@ CAS_WAITING_OPTIONS_IMPORT
client with pull or p2p waiting for first time options import
Definition ssl_common.h:588
CAS_NOT_CONNECTED
@ CAS_NOT_CONNECTED
Definition ssl_common.h:582
CAS_RECONNECT_PENDING
@ CAS_RECONNECT_PENDING
session has already successful established (CAS_CONNECT_DONE) but has a reconnect and needs to redo s...
Definition ssl_common.h:594
ks_auth_state
ks_auth_state
This reflects the (server side) authentication state after the TLS session has been established and k...
Definition ssl_common.h:153
KS_AUTH_TRUE
@ KS_AUTH_TRUE
Key state is authenticated.
Definition ssl_common.h:157
KS_AUTH_FALSE
@ KS_AUTH_FALSE
Key state is not authenticated
Definition ssl_common.h:154
KS_AUTH_DEFERRED
@ KS_AUTH_DEFERRED
Key state authentication is being deferred, by async auth.
Definition ssl_common.h:155
SSLF_CRL_VERIFY_DIR
#define SSLF_CRL_VERIFY_DIR
Definition ssl_common.h:430
UP_TYPE_AUTH
#define UP_TYPE_AUTH
Definition ssl_common.h:41
get_primary_key
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:757
check_session_cipher
bool check_session_cipher(struct tls_session *session, struct options *options)
Checks if the cipher is allowed, otherwise returns false and reset the cipher to the config cipher.
Definition ssl_ncp.c:515
p2p_mode_ncp
void p2p_mode_ncp(struct tls_multi *multi, struct tls_session *session)
Determines if there is common cipher of both peer by looking at the IV_CIPHER peer info.
Definition ssl_ncp.c:472
tls_item_in_cipher_list
bool tls_item_in_cipher_list(const char *item, const char *list)
Return true iff item is present in the colon-separated zero-terminated cipher list.
Definition ssl_ncp.c:206
ssl_ncp.h
Control Channel SSL/Data dynamic negotiation Module This file is split from ssl.h to be able to unit ...
write_control_auth
void write_control_auth(struct tls_session *session, struct key_state *ks, struct buffer *buf, struct link_socket_actual **to_link_addr, int opcode, int max_ack, bool prepend_ack)
Definition ssl_pkt.c:164
read_control_auth
bool read_control_auth(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct link_socket_actual *from, const struct tls_options *opt, bool initial_packet)
Read a control channel authentication record.
Definition ssl_pkt.c:194
EARLY_NEG_FLAG_RESEND_WKC
#define EARLY_NEG_FLAG_RESEND_WKC
Definition ssl_pkt.h:323
P_DATA_V1
#define P_DATA_V1
Definition ssl_pkt.h:47
P_DATA_V2
#define P_DATA_V2
Definition ssl_pkt.h:48
P_OPCODE_SHIFT
#define P_OPCODE_SHIFT
Definition ssl_pkt.h:39
TLV_TYPE_EARLY_NEG_FLAGS
#define TLV_TYPE_EARLY_NEG_FLAGS
Definition ssl_pkt.h:322
P_ACK_V1
#define P_ACK_V1
Definition ssl_pkt.h:46
P_CONTROL_WKC_V1
#define P_CONTROL_WKC_V1
Definition ssl_pkt.h:59
P_CONTROL_HARD_RESET_CLIENT_V1
#define P_CONTROL_HARD_RESET_CLIENT_V1
Definition ssl_pkt.h:42
P_KEY_ID_MASK
#define P_KEY_ID_MASK
Definition ssl_pkt.h:38
TLS_RELIABLE_N_REC_BUFFERS
#define TLS_RELIABLE_N_REC_BUFFERS
Definition ssl_pkt.h:71
packet_opcode_name
static const char * packet_opcode_name(int op)
Definition ssl_pkt.h:241
P_CONTROL_HARD_RESET_SERVER_V2
#define P_CONTROL_HARD_RESET_SERVER_V2
Definition ssl_pkt.h:52
P_CONTROL_SOFT_RESET_V1
#define P_CONTROL_SOFT_RESET_V1
Definition ssl_pkt.h:44
P_CONTROL_V1
#define P_CONTROL_V1
Definition ssl_pkt.h:45
P_LAST_OPCODE
#define P_LAST_OPCODE
Definition ssl_pkt.h:65
EARLY_NEG_START
#define EARLY_NEG_START
Definition ssl_pkt.h:315
P_CONTROL_HARD_RESET_CLIENT_V2
#define P_CONTROL_HARD_RESET_CLIENT_V2
Definition ssl_pkt.h:51
P_CONTROL_HARD_RESET_SERVER_V1
#define P_CONTROL_HARD_RESET_SERVER_V1
Definition ssl_pkt.h:43
tls_session_get_tls_wrap
static struct tls_wrap_ctx * tls_session_get_tls_wrap(struct tls_session *session, int key_id)
Determines if the current session should use the renegotiation tls wrap struct instead the normal one...
Definition ssl_pkt.h:292
P_CONTROL_HARD_RESET_CLIENT_V3
#define P_CONTROL_HARD_RESET_CLIENT_V3
Definition ssl_pkt.h:55
TLS_RELIABLE_N_SEND_BUFFERS
#define TLS_RELIABLE_N_SEND_BUFFERS
Definition ssl_pkt.h:70
options_string_compat_lzo
const char * options_string_compat_lzo(const char *options, struct gc_arena *gc)
Takes a locally produced OCC string for TLS server mode and modifies as if the option comp-lzo was en...
Definition ssl_util.c:76
ssl_util.h
SSL utility functions.
key_state_rm_auth_control_files
void key_state_rm_auth_control_files(struct auth_deferred_status *ads)
Removes auth_pending and auth_control files from file system and key_state structure.
Definition ssl_verify.c:962
tls_x509_clear_env
void tls_x509_clear_env(struct env_set *es)
Remove any X509_ env variables from env_set es.
Definition ssl_verify.c:1858
verify_final_auth_checks
void verify_final_auth_checks(struct tls_multi *multi, struct tls_session *session)
Perform final authentication checks, including locking of the cn, the allowed certificate hashes,...
Definition ssl_verify.c:1796
auth_set_client_reason
void auth_set_client_reason(struct tls_multi *multi, const char *client_reason)
Sets the reason why authentication of a client failed.
Definition ssl_verify.c:803
tls_authentication_status
enum tls_auth_status tls_authentication_status(struct tls_multi *multi)
Return current session authentication state of the tls_multi structure This will return TLS_AUTHENTIC...
Definition ssl_verify.c:1145
verify_user_pass
void verify_user_pass(struct user_pass *up, struct tls_multi *multi, struct tls_session *session)
Main username/password verification entry point.
Definition ssl_verify.c:1603
cert_hash_free
void cert_hash_free(struct cert_hash_set *chs)
Frees the given set of certificate hashes.
Definition ssl_verify.c:215
ssl_verify.h
Control Channel Verification Module.
tls_auth_status
tls_auth_status
Definition ssl_verify.h:74
TLS_AUTHENTICATION_SUCCEEDED
@ TLS_AUTHENTICATION_SUCCEEDED
Definition ssl_verify.h:75
TLS_AUTHENTICATION_FAILED
@ TLS_AUTHENTICATION_FAILED
Definition ssl_verify.h:76
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::data
uint8_t * data
Pointer to the allocated memory.
Definition buffer.h:67
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:303
crypto_options::flags
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition crypto.h:386
crypto_options::pid_persist
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition crypto.h:342
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::packet_id
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:333
env_item
Definition env_set.h:37
env_set
Definition env_set.h:43
env_set::list
struct env_item * list
Definition env_set.h:45
epoch_key
Definition crypto.h:192
epoch_key::epoch_key
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
Definition crypto.h:193
epoch_key::epoch
uint16_t epoch
Definition crypto.h:194
frame
Packet geometry parameters.
Definition mtu.h:103
frame::tun_mtu
int tun_mtu
the (user) configured tun-mtu.
Definition mtu.h:137
frame::payload_size
int payload_size
the maximum size that a payload that our buffers can hold from either tun device or network link.
Definition mtu.h:108
frame::headroom
int headroom
the headroom in the buffer, this is choosen to allow all potential header to be added before the pack...
Definition mtu.h:114
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:124
frame::buf
struct frame::@8 buf
frame::tailroom
int tailroom
the tailroom in the buffer.
Definition mtu.h:118
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
key2
Container for bidirectional cipher and HMAC key material.
Definition crypto.h:240
key2::n
int n
The number of key objects stored in the key2.keys array.
Definition crypto.h:241
key2::keys
struct key keys[2]
Two unidirectional sets of key material.
Definition crypto.h:243
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition crypto.h:280
key_ctx_bi::initialized
bool initialized
Definition crypto.h:285
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
key_ctx::plaintext_blocks
uint64_t plaintext_blocks
Counter for the number of plaintext block encrypted using this cipher with the current key in number ...
Definition crypto.h:222
key_direction_state
Key ordering of the key2.keys array.
Definition crypto.h:259
key_direction_state::in_key
int in_key
Index into the key2.keys array for the receiving direction.
Definition crypto.h:262
key_direction_state::out_key
int out_key
Index into the key2.keys array for the sending direction.
Definition crypto.h:260
key_source2
Container for both halves of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:139
key_source2::client
struct key_source client
Random provided by client.
Definition ssl_common.h:140
key_source2::server
struct key_source server
Random provided by server.
Definition ssl_common.h:141
key_source
Container for one half of random material to be used in key method 2 data channel key generation.
Definition ssl_common.h:121
key_source::random1
uint8_t random1[32]
Seed used for master secret generation, provided by both client and server.
Definition ssl_common.h:125
key_source::pre_master
uint8_t pre_master[48]
Random used for master secret generation, provided only by client OpenVPN peer.
Definition ssl_common.h:122
key_source::random2
uint8_t random2[32]
Seed used for key expansion, provided by both client and server.
Definition ssl_common.h:128
key_state
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
key_state::paybuf
struct buffer_list * paybuf
Holds outgoing message for the control channel until ks->state reaches S_ACTIVE.
Definition ssl_common.h:252
key_state::crypto_options
struct crypto_options crypto_options
Definition ssl_common.h:237
key_state::ack_write_buf
struct buffer ack_write_buf
Definition ssl_common.h:243
key_state::plaintext_read_buf
struct buffer plaintext_read_buf
Definition ssl_common.h:241
key_state::state
int state
Definition ssl_common.h:209
key_state::plugin_auth
struct auth_deferred_status plugin_auth
Definition ssl_common.h:268
key_state::must_die
time_t must_die
Definition ssl_common.h:230
key_state::plaintext_write_buf
struct buffer plaintext_write_buf
Definition ssl_common.h:242
key_state::remote_addr
struct link_socket_actual remote_addr
Definition ssl_common.h:235
key_state::established
time_t established
Definition ssl_common.h:228
key_state::ks_ssl
struct key_state_ssl ks_ssl
Definition ssl_common.h:225
key_state::must_negotiate
time_t must_negotiate
Definition ssl_common.h:229
key_state::rec_ack
struct reliable_ack * rec_ack
Definition ssl_common.h:247
key_state::rec_reliable
struct reliable * rec_reliable
Definition ssl_common.h:246
key_state::session_id_remote
struct session_id session_id_remote
Definition ssl_common.h:234
key_state::mda_key_id
unsigned int mda_key_id
Definition ssl_common.h:263
key_state::script_auth
struct auth_deferred_status script_auth
Definition ssl_common.h:269
key_state::initial
time_t initial
Definition ssl_common.h:227
key_state::authenticated
enum ks_auth_state authenticated
Definition ssl_common.h:259
key_state::key_id
int key_id
Key id for this key_state, inherited from struct tls_session.
Definition ssl_common.h:217
key_state::peer_last_packet
time_t peer_last_packet
Definition ssl_common.h:231
key_state::send_reliable
struct reliable * send_reliable
Definition ssl_common.h:245
key_state::auth_deferred_expire
time_t auth_deferred_expire
Definition ssl_common.h:260
key_state::initial_opcode
int initial_opcode
Definition ssl_common.h:233
key_state::lru_acks
struct reliable_ack * lru_acks
Definition ssl_common.h:248
key_state::key_src
struct key_source2 * key_src
Definition ssl_common.h:239
key_state::n_bytes
counter_type n_bytes
Definition ssl_common.h:253
key_state::n_packets
counter_type n_packets
Definition ssl_common.h:254
key_type
Definition crypto.h:141
key_type::cipher
const char * cipher
const name of the cipher
Definition crypto.h:142
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
key::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:153
key::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:155
link_socket_actual
Definition socket_util.h:50
link_socket_addr::actual
struct link_socket_actual actual
Definition socket.h:82
link_socket_info
Definition socket.h:86
link_socket_info::lsa
struct link_socket_addr * lsa
Definition socket.h:87
options::imported_protocol_flags
unsigned int imported_protocol_flags
Definition options.h:723
options::crl_file_inline
bool crl_file_inline
Definition options.h:617
options::cryptoapi_cert
const char * cryptoapi_cert
Definition options.h:639
options::pkcs12_file_inline
bool pkcs12_file_inline
Definition options.h:606
options::ca_file
const char * ca_file
Definition options.h:594
options::ssl_flags
unsigned int ssl_flags
Definition options.h:626
options::authname
const char * authname
Definition options.h:579
options::dh_file_inline
bool dh_file_inline
Definition options.h:598
options::pkcs12_file
const char * pkcs12_file
Definition options.h:605
options::tls_groups
const char * tls_groups
Definition options.h:609
options::tls_cert_profile
const char * tls_cert_profile
Definition options.h:610
options::management_flags
unsigned int management_flags
Definition options.h:458
options::ciphername
const char * ciphername
Definition options.h:573
options::tls_server
bool tls_server
Definition options.h:592
options::extra_certs_file
const char * extra_certs_file
Definition options.h:601
options::priv_key_file_inline
bool priv_key_file_inline
Definition options.h:604
options::crl_file
const char * crl_file
Definition options.h:616
options::dh_file
const char * dh_file
Definition options.h:597
options::ca_file_inline
bool ca_file_inline
Definition options.h:595
options::extra_certs_file_inline
bool extra_certs_file_inline
Definition options.h:602
options::cipher_list_tls13
const char * cipher_list_tls13
Definition options.h:608
options::ecdh_curve
const char * ecdh_curve
Definition options.h:611
options::cipher_list
const char * cipher_list
Definition options.h:607
options::management_certificate
const char * management_certificate
Definition options.h:455
options::chroot_dir
const char * chroot_dir
Definition options.h:378
options::ca_path
const char * ca_path
Definition options.h:596
options::ping_rec_timeout
int ping_rec_timeout
Definition options.h:350
options::ping_send_timeout
int ping_send_timeout
Definition options.h:349
options::priv_key_file
const char * priv_key_file
Definition options.h:603
options::cert_file
const char * cert_file
Definition options.h:599
options::cert_file_inline
bool cert_file_inline
Definition options.h:600
packet_id_net
Data structure for describing the packet id that is received/send to the network.
Definition packet_id.h:191
packet_id_rec::id
uint64_t id
Definition packet_id.h:117
packet_id_send::id
uint64_t id
Definition packet_id.h:153
packet_id::send
struct packet_id_send send
Definition packet_id.h:200
packet_id::rec
struct packet_id_rec rec
Definition packet_id.h:201
reliable_ack
The acknowledgment structure in which packet IDs are stored for later acknowledgment.
Definition reliable.h:64
reliable_ack::len
int len
Definition reliable.h:65
reliable_entry
The structure in which the reliability layer stores a single incoming or outgoing packet.
Definition reliable.h:77
reliable_entry::buf
struct buffer buf
Definition reliable.h:86
reliable_entry::opcode
int opcode
Definition reliable.h:85
reliable_entry::packet_id
packet_id_type packet_id
Definition reliable.h:81
reliable
The reliability layer storage structure for one VPN tunnel's control channel in one direction.
Definition reliable.h:94
reliable::array
struct reliable_entry array[RELIABLE_CAPACITY]
Definition reliable.h:100
reliable::size
int size
Definition reliable.h:95
reliable::packet_id
packet_id_type packet_id
Definition reliable.h:97
route_gateway_info
Definition route.h:158
route_gateway_info::hwaddr
uint8_t hwaddr[6]
Definition route.h:177
route_gateway_info::flags
unsigned int flags
Definition route.h:165
session_id
Definition session_id.h:38
static_challenge_info
Definition misc.h:90
static_challenge_info::flags
unsigned int flags
Definition misc.h:93
static_challenge_info::challenge_text
const char * challenge_text
Definition misc.h:95
tls_auth_standalone
Definition ssl_pkt.h:78
tls_auth_standalone::frame
struct frame frame
Definition ssl_pkt.h:81
tls_auth_standalone::tls_wrap
struct tls_wrap_ctx tls_wrap
Definition ssl_pkt.h:79
tls_multi
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:613
tls_multi::n_hard_errors
int n_hard_errors
Definition ssl_common.h:639
tls_multi::remote_usescomp
bool remote_usescomp
remote announced comp-lzo in OCC string
Definition ssl_common.h:705
tls_multi::to_link_addr
struct link_socket_actual to_link_addr
Definition ssl_common.h:630
tls_multi::peer_info
char * peer_info
A multi-line string of general-purpose info received from peer over control channel.
Definition ssl_common.h:674
tls_multi::save_ks
struct key_state * save_ks
Definition ssl_common.h:624
tls_multi::remote_ciphername
char * remote_ciphername
cipher specified in peer's config file
Definition ssl_common.h:704
tls_multi::locked_username
char * locked_username
The locked username is the username we assume the client is using.
Definition ssl_common.h:651
tls_multi::multi_state
enum multi_status multi_state
Definition ssl_common.h:634
tls_multi::opt
struct tls_options opt
Definition ssl_common.h:618
tls_multi::session
struct tls_session session[TM_SIZE]
Array of tls_session objects representing control channel sessions with the remote peer.
Definition ssl_common.h:713
tls_multi::locked_cert_hash_set
struct cert_hash_set * locked_cert_hash_set
Definition ssl_common.h:657
tls_multi::locked_cn
char * locked_cn
Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi ob...
Definition ssl_common.h:646
tls_multi::peer_id
uint32_t peer_id
Definition ssl_common.h:701
tls_multi::locked_original_username
char * locked_original_username
The username that client initially used before being overridden by –override-user.
Definition ssl_common.h:655
tls_multi::n_sessions
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:632
tls_multi::dco_peer_id
int dco_peer_id
This is the handle that DCO uses to identify this session with the kernel.
Definition ssl_common.h:725
tls_multi::n_soft_errors
int n_soft_errors
Definition ssl_common.h:640
tls_options
Definition ssl_common.h:307
tls_options::gremlin
int gremlin
Definition ssl_common.h:449
tls_options::server
bool server
Definition ssl_common.h:315
tls_options::tls_wrap
struct tls_wrap_ctx tls_wrap
TLS handshake wrapping state.
Definition ssl_common.h:389
tls_options::crypto_flags
unsigned int crypto_flags
Definition ssl_common.h:370
tls_options::replay_time
int replay_time
Definition ssl_common.h:373
tls_options::renegotiate_seconds
interval_t renegotiate_seconds
Definition ssl_common.h:348
tls_options::frame
struct frame frame
Definition ssl_common.h:391
tls_options::remote_options
const char * remote_options
Definition ssl_common.h:323
tls_options::single_session
bool single_session
Definition ssl_common.h:326
tls_options::local_options
const char * local_options
Definition ssl_common.h:322
tls_options::handshake_window
int handshake_window
Definition ssl_common.h:341
tls_options::replay_window
int replay_window
Definition ssl_common.h:372
tls_pre_decrypt_state
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
tls_root_ctx
Structure that wraps the TLS context.
Definition ssl_mbedtls.h:114
tls_root_ctx::crl_last_size
off_t crl_last_size
size of last loaded CRL
Definition ssl_mbedtls.h:125
tls_root_ctx::crl_last_mtime
time_t crl_last_mtime
CRL last modification time.
Definition ssl_mbedtls.h:124
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:491
tls_session::key_id
int key_id
The current active key id, used to keep track of renegotiations.
Definition ssl_common.h:513
tls_session::key
struct key_state key[KS_SIZE]
Definition ssl_common.h:526
tls_wrap_ctx::opt
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
user_pass
Definition misc.h:52
user_pass::token_defined
bool token_defined
Definition misc.h:56
user_pass::protected
bool protected
Definition misc.h:58
user_pass::defined
bool defined
Definition misc.h:53
user_pass::password
char password[USER_PASS_LEN]
Definition misc.h:68
user_pass::nocache
bool nocache
Definition misc.h:57
user_pass::username
char username[USER_PASS_LEN]
Definition misc.h:67
es
struct env_set * es
Definition test_pkcs11.c:138
cleanup
static int cleanup(void **state)
Definition test_pkcs11.c:289
gc
struct gc_arena gc
Definition test_ssl.c:131
tls_crypt.h
win32_version_string
const char * win32_version_string(struct gc_arena *gc)
Get Windows version string with architecture info.
Definition win32.c:1381
Generated by doxygen 1.9.8