OpenVPN
ssl.h
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2025 OpenVPN Inc <sales@openvpn.net>
9 * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License along
21 * with this program; if not, see <https://www.gnu.org/licenses/>.
22 */
23
29#ifndef OPENVPN_SSL_H
30#define OPENVPN_SSL_H
31
32#include "basic.h"
33#include "common.h"
34#include "crypto.h"
35#include "packet_id.h"
36#include "session_id.h"
37#include "reliable.h"
38#include "socket.h"
39#include "mtu.h"
40#include "options.h"
41#include "plugin.h"
42
43#include "ssl_common.h"
44#include "ssl_backend.h"
45#include "ssl_pkt.h"
46#include "tls_crypt.h"
47
48/* Used in the TLS PRF function */
49#define KEY_EXPANSION_ID "OpenVPN"
50
51/*
52 * Set the max number of acknowledgments that can "hitch a ride" on an outgoing
53 * non-P_ACK_V1 control packet.
54 */
55#define CONTROL_SEND_ACK_MAX 4
56
57/*
58 * Various timeouts
59 */
60#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */
61#define TLS_MULTI_HORIZON \
62 2 /* call tls_multi_process frequently for n seconds after \
63 * every packet sent/received action */
64
65/*
66 * Buffer sizes (also see mtu.h).
67 */
68
69/* Maximum length of OCC options string passed as part of auth handshake */
70#define TLS_OPTIONS_LEN 512
71
72/* Definitions of the bits in the IV_PROTO bitfield
73 *
74 * In older OpenVPN versions this used in a comparison
75 * IV_PROTO >= 2 to determine if DATA_V2 is supported.
76 * Therefore any client announcing any of the flags must
77 * also announce IV_PROTO_DATA_V2. We also treat bit 0
78 * as reserved for this reason */
79
81#define IV_PROTO_DATA_V2 (1 << 1)
82
85#define IV_PROTO_REQUEST_PUSH (1 << 2)
86
88#define IV_PROTO_TLS_KEY_EXPORT (1 << 3)
89
91#define IV_PROTO_AUTH_PENDING_KW (1 << 4)
92
96#define IV_PROTO_NCP_P2P (1 << 5)
97
99#define IV_PROTO_DNS_OPTION (1 << 6)
100
103#define IV_PROTO_CC_EXIT_NOTIFY (1 << 7)
104
106#define IV_PROTO_AUTH_FAIL_TEMP (1 << 8)
107
109#define IV_PROTO_DYN_TLS_CRYPT (1 << 9)
110
112#define IV_PROTO_DATA_EPOCH (1 << 10)
113
115#define IV_PROTO_DNS_OPTION_V2 (1 << 11)
116
118#define IV_PROTO_PUSH_UPDATE (1 << 12)
119
120/* Default field in X509 to be username */
121#define X509_USERNAME_FIELD_DEFAULT "CN"
123#define KEY_METHOD_2 2
124
125/* key method taken from lower 4 bits */
126#define KEY_METHOD_MASK 0x0F
127
128/*
129 * Measure success rate of TLS handshakes, for debugging only
130 */
131/* #define MEASURE_TLS_HANDSHAKE_STATS */
132
133/*
134 * Prepare the SSL library for use
135 */
136void init_ssl_lib(void);
137
138/*
139 * Free any internal state that the SSL library might have
140 */
141void free_ssl_lib(void);
142
147void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot);
148
170
185void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu);
186
187/*
188 * Initialize a standalone tls-auth verification object.
189 */
191 struct gc_arena *gc);
192
198
199/*
200 * Setups the control channel frame size parameters from the data channel
201 * parameters
202 */
203void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu);
204
205/*
206 * Set local and remote option compatibility strings.
207 * Used to verify compatibility of local and remote option
208 * sets.
209 */
210void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote);
211
224void tls_multi_free(struct tls_multi *multi, bool clear);
225
230#define TLSMP_INACTIVE 0
231#define TLSMP_ACTIVE 1
232#define TLSMP_KILL 2
233#define TLSMP_RECONNECT 3
234
235/*
236 * Called by the top-level event loop.
237 *
238 * Basically decides if we should call tls_process for
239 * the active or untrusted sessions.
240 */
241int tls_multi_process(struct tls_multi *multi, struct buffer *to_link,
242 struct link_socket_actual **to_link_addr,
243 struct link_socket_info *to_link_socket_info, interval_t *wakeup);
244
245
246/**************************************************************************/
299bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from,
300 struct buffer *buf, struct crypto_options **opt, bool floated,
301 const uint8_t **ad_start);
302
303
304/**************************************************************************/
322void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt);
323
333struct key_state *tls_select_encryption_key(struct tls_multi *multi);
334
347void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf);
348
365void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf);
366
374void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf);
375
378/*
379 * Setup private key file password. If auth_file is given, use the
380 * credentials stored in the file.
381 */
382void pem_password_setup(const char *auth_file);
383
384/* Enables the use of user/password authentication */
385void enable_auth_user_pass(void);
386
387/*
388 * Setup authentication username and password. If auth_file is given, use the
389 * credentials stored in the file, however, if is_inline is true then auth_file
390 * contains the username/password inline.
391 */
392void auth_user_pass_setup(const char *auth_file, bool is_inline,
393 const struct static_challenge_info *sc_info);
394
395/*
396 * Ensure that no caching is performed on authentication information
397 */
398void ssl_set_auth_nocache(void);
399
400/*
401 * Getter method for retrieving the auth-nocache option.
402 */
403bool ssl_get_auth_nocache(void);
404
405/*
406 * Purge any stored authentication information, both for key files and tunnel
407 * authentication. If PCKS #11 is enabled, purge authentication for that too.
408 * Note that auth_token is not cleared.
409 */
410void ssl_purge_auth(const bool auth_user_pass_only);
411
412void ssl_set_auth_token(const char *token);
413
414void ssl_set_auth_token_user(const char *username);
415
416bool ssl_clean_auth_token(void);
417
418#ifdef ENABLE_MANAGEMENT
419
420void ssl_purge_auth_challenge(void);
421
422void ssl_put_auth_challenge(const char *cr_str);
423
424#endif
425
426/*
427 * Send a payload over the TLS control channel
428 */
429bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size);
430
431/*
432 * Receive a payload through the TLS control channel
433 */
434bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf);
435
442void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr);
443
463 struct options *options, struct frame *frame,
464 struct frame *frame_fragment, struct link_socket_info *lsi,
465 dco_context_t *dco);
466
467/*
468 * inline functions
469 */
470
472static inline void
473tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
474{
475 if (packet_id_initialized(&tls_wrap->opt.packet_id))
476 {
477 packet_id_free(&tls_wrap->opt.packet_id);
478 }
479
480 if (tls_wrap->cleanup_key_ctx)
481 {
482 free_key_ctx_bi(&tls_wrap->opt.key_ctx_bi);
483 }
484
486 free_buf(&tls_wrap->work);
487 secure_memzero(&tls_wrap->original_wrap_keydata, sizeof(tls_wrap->original_wrap_keydata));
488}
489
490static inline bool
491tls_initial_packet_received(const struct tls_multi *multi)
492{
493 return multi->n_sessions > 0;
494}
495
496static inline int
497tls_test_payload_len(const struct tls_multi *multi)
498{
499 if (multi)
500 {
501 const struct key_state *ks = get_primary_key(multi);
502 if (ks->state >= S_ACTIVE)
503 {
504 return BLEN(&ks->plaintext_read_buf);
505 }
506 }
507 return 0;
508}
509
510static inline void
512{
513 if (multi)
514 {
515 multi->opt.single_session = true;
516 }
517}
518
519/*
520 * protocol_dump() flags
521 */
522#define PD_TLS_AUTH_HMAC_SIZE_MASK 0xFF
523#define PD_SHOW_DATA (1 << 8)
524#define PD_TLS (1 << 9)
525#define PD_VERBOSE (1 << 10)
526#define PD_TLS_CRYPT (1 << 11)
527
528const char *protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc);
529
530/*
531 * debugging code
532 */
533
534#ifdef MEASURE_TLS_HANDSHAKE_STATS
535void show_tls_performance_stats(void);
536
537#endif
538
544bool is_hard_reset_method2(int op);
545
546/*
547 * Show the TLS ciphers that are available for us to use in the SSL
548 * library with headers hinting their usage and warnings about usage.
549 *
550 * @param cipher_list list of allowed TLS cipher, or NULL.
551 * @param cipher_list_tls13 list of allowed TLS 1.3+ cipher, or NULL
552 * @param tls_cert_profile TLS certificate crypto profile name.
553 */
554void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13,
555 const char *tls_cert_profile);
556
557
565
566void tls_session_soft_reset(struct tls_multi *multi);
567
571void load_xkey_provider(void);
572
573/* Special method to skip the three way handshake RESET stages. This is
574 * used by the HMAC code when seeing a packet that matches the previous
575 * HMAC based stateless server state */
577 struct link_socket_actual *from);
578
579#endif /* ifndef OPENVPN_SSL_H */
void free_buf(struct buffer *buf)
Definition buffer.c:184
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition buffer.h:414
#define BLEN(buf)
Definition buffer.h:126
int interval_t
Definition common.h:35
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1094
Data Channel Cryptography Module.
void * dco_context_t
Definition dco.h:261
#define S_ACTIVE
Operational key_state state immediately after negotiation has completed while still within the handsh...
Definition ssl_common.h:100
struct tls_auth_standalone * tls_auth_standalone_init(struct tls_options *tls_options, struct gc_arena *gc)
Definition ssl.c:1184
void tls_init_control_channel_frame_parameters(struct frame *frame, int tls_mtu)
Definition ssl.c:142
void tls_multi_free(struct tls_multi *multi, bool clear)
Cleanup a tls_multi structure and free associated memory allocations.
Definition ssl.c:1236
struct tls_multi * tls_multi_init(struct tls_options *tls_options)
Allocate and initialize a tls_multi structure.
Definition ssl.c:1155
void tls_multi_init_finalize(struct tls_multi *multi, int tls_mtu)
Finalize initialization of a tls_multi structure.
Definition ssl.c:1170
void tls_auth_standalone_free(struct tls_auth_standalone *tas)
Frees a standalone tls-auth verification object.
Definition ssl.c:1209
void tls_multi_init_set_options(struct tls_multi *multi, const char *local, const char *remote)
Definition ssl.c:1225
void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf)
Perform some accounting for the key state used.
Definition ssl.c:3997
struct key_state * tls_select_encryption_key(struct tls_multi *multi)
Selects the primary encryption that should be used to encrypt data of an outgoing packet.
Definition ssl.c:3910
void tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf)
Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
Definition ssl.c:3969
void tls_pre_encrypt(struct tls_multi *multi, struct buffer *buf, struct crypto_options **opt)
Choose the appropriate security parameters with which to process an outgoing packet.
Definition ssl.c:3937
void tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf)
Prepend an OpenVPN data channel P_DATA_V2 header to the packet.
Definition ssl.c:3983
bool tls_pre_decrypt(struct tls_multi *multi, const struct link_socket_actual *from, struct buffer *buf, struct crypto_options **opt, bool floated, const uint8_t **ad_start)
Determine whether an incoming packet is a data channel or control channel packet, and process accordi...
Definition ssl.c:3557
void packet_id_free(struct packet_id *p)
Definition packet_id.c:121
static bool packet_id_initialized(const struct packet_id *pid)
Is this struct packet_id initialized?
Definition packet_id.h:271
Reliability Layer module header file.
void ssl_purge_auth(const bool auth_user_pass_only)
Definition ssl.c:382
void ssl_set_auth_token_user(const char *username)
Definition ssl.c:362
void tls_session_soft_reset(struct tls_multi *multi)
Definition ssl.c:1765
void load_xkey_provider(void)
Load ovpn.xkey provider used for external key signing.
void ssl_set_auth_nocache(void)
Definition ssl.c:337
static void tls_wrap_free(struct tls_wrap_ctx *tls_wrap)
Free the elements of a tls_wrap_ctx structure.
Definition ssl.h:472
void ssl_put_auth_challenge(const char *cr_str)
Definition ssl.c:407
void auth_user_pass_setup(const char *auth_file, bool is_inline, const struct static_challenge_info *sc_info)
Definition ssl.c:294
void tls_update_remote_addr(struct tls_multi *multi, const struct link_socket_actual *addr)
Updates remote address in TLS sessions.
Definition ssl.c:4074
bool tls_send_payload(struct key_state *ks, const uint8_t *data, int size)
Definition ssl.c:4017
bool tls_rec_payload(struct tls_multi *multi, struct buffer *buf)
Definition ssl.c:4049
bool tls_session_generate_data_channel_keys(struct tls_multi *multi, struct tls_session *session)
Generate data channel keys for the supplied TLS session.
Definition ssl.c:1536
static bool tls_initial_packet_received(const struct tls_multi *multi)
Definition ssl.h:490
bool is_hard_reset_method2(int op)
Given a key_method, return true if opcode represents the one of the hard_reset op codes for key-metho...
Definition ssl.c:780
bool session_skip_to_pre_start(struct tls_session *session, struct tls_pre_decrypt_state *state, struct link_socket_actual *from)
Definition ssl.c:2489
void ssl_set_auth_token(const char *token)
Definition ssl.c:356
int tls_multi_process(struct tls_multi *multi, struct buffer *to_link, struct link_socket_actual **to_link_addr, struct link_socket_info *to_link_socket_info, interval_t *wakeup)
Definition ssl.c:3197
static void tls_set_single_session(struct tls_multi *multi)
Definition ssl.h:510
bool ssl_get_auth_nocache(void)
Definition ssl.c:347
void pem_password_setup(const char *auth_file)
Definition ssl.c:249
void init_ssl_lib(void)
Definition ssl.c:226
bool tls_session_update_crypto_params(struct tls_multi *multi, struct tls_session *session, struct options *options, struct frame *frame, struct frame *frame_fragment, struct link_socket_info *lsi, dco_context_t *dco)
Update TLS session crypto parameters (cipher and auth) and derive data channel keys based on the supp...
Definition ssl.c:1637
void free_ssl_lib(void)
Definition ssl.c:234
void init_ssl(const struct options *options, struct tls_root_ctx *ctx, bool in_chroot)
Build master SSL context object that serves for the whole of OpenVPN instantiation.
Definition ssl.c:512
static int tls_test_payload_len(const struct tls_multi *multi)
Definition ssl.h:496
bool ssl_clean_auth_token(void)
Definition ssl.c:371
void enable_auth_user_pass(void)
Definition ssl.c:288
void ssl_purge_auth_challenge(void)
Definition ssl.c:400
void show_available_tls_ciphers(const char *cipher_list, const char *cipher_list_tls13, const char *tls_cert_profile)
Definition ssl.c:4102
const char * protocol_dump(struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
Definition ssl.c:4127
Control Channel SSL library backend module.
Control Channel Common Data Structures.
static const struct key_state * get_primary_key(const struct tls_multi *multi)
gets an item of key_state objects in the order they should be scanned by data channel modules.
Definition ssl_common.h:756
SSL control channel wrap/unwrap and decode functions.
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
Security parameter state for processing data channel packets.
Definition crypto.h:293
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition crypto.h:331
Packet geometry parameters.
Definition mtu.h:103
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
Security parameter state of one TLS and data channel key session.
Definition ssl_common.h:208
struct buffer plaintext_read_buf
Definition ssl_common.h:241
Security parameter state for a single VPN tunnel.
Definition ssl_common.h:612
struct tls_options opt
Definition ssl_common.h:617
int n_sessions
Number of sessions negotiated thus far.
Definition ssl_common.h:631
bool single_session
Definition ssl_common.h:326
struct that stores the temporary data for the tls lite decrypt functions
Definition ssl_pkt.h:106
Structure that wraps the TLS context.
Security parameter state of a single session within a VPN tunnel.
Definition ssl_common.h:490
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition ssl_common.h:276
struct buffer tls_crypt_v2_metadata
Received from client.
Definition ssl_common.h:288
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition ssl_common.h:289
struct crypto_options opt
Crypto state.
Definition ssl_common.h:283
struct buffer work
Work buffer (only for –tls-crypt)
Definition ssl_common.h:284
struct key2 original_wrap_keydata
original key data to be xored in to the key for dynamic tls-crypt.
Definition ssl_common.h:299
struct gc_arena gc
Definition test_ssl.c:154