GitList

src/openvpn/ssl.c

6fbf66fa	/* * OpenVPN -- An application to securely tunnel IP networks * over a single TCP/UDP port, with support for SSL/TLS-based * session authentication and key exchange, * packet encryption, packet authentication, and * packet compression. *
564a2109	* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
95993a1d	* Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
e3d38865	* Copyright (C) 2008-2013 David Sommerseth <dazo@users.sourceforge.net>
0c1f7ad5	*
6fbf66fa	* This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program (see the file COPYING included with this * distribution); if not, write to the Free Software Foundation, Inc., * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */
95993a1d	/** * @file Control Channel SSL/Data channel negotiation Module */
6fbf66fa	/* * The routines in this file deal with dynamically negotiating * the data channel HMAC and cipher keys through a TLS session. * * Both the TLS session and the data channel are multiplexed * over the same TCP/UDP port. */
c110b289	#ifdef HAVE_CONFIG_H #include "config.h" #elif defined(_MSC_VER) #include "config-msvc.h" #endif
1bda73a7	#include "syshead.h"
cdc65ea0	#include "win32.h"
6fbf66fa
ec828db6	#if defined(ENABLE_CRYPTO)
6fbf66fa	#include "error.h" #include "common.h" #include "socket.h" #include "misc.h" #include "fdmisc.h" #include "interval.h" #include "perf.h" #include "status.h" #include "gremlin.h"
ce98fd24	#include "pkcs11.h"
7fb0e07e	#include "route.h"
6fbf66fa
95993a1d	#include "ssl.h" #include "ssl_verify.h" #include "ssl_backend.h"
6fbf66fa	#include "memdbg.h" #ifndef ENABLE_OCC static const char ssl_default_options_string[] = "V0 UNDEF"; #endif static inline const char * local_options_string (const struct tls_session session) { #ifdef ENABLE_OCC return session->opt->local_options; #else return ssl_default_options_string; #endif } #ifdef MEASURE_TLS_HANDSHAKE_STATS static int tls_handshake_success; / GLOBAL / static int tls_handshake_error; / GLOBAL / static int tls_packets_generated; / GLOBAL / static int tls_packets_sent; / GLOBAL / #define INCR_SENT ++tls_packets_sent #define INCR_GENERATED ++tls_packets_generated #define INCR_SUCCESS ++tls_handshake_success #define INCR_ERROR ++tls_handshake_error void show_tls_performance_stats(void) { msg (D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%", (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) 100.0, tls_handshake_success, tls_handshake_error, (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0); } #else #define INCR_SENT #define INCR_GENERATED #define INCR_SUCCESS #define INCR_ERROR #endif
3b23b18d	/** * SSL/TLS Cipher suite name translation table */ static const tls_cipher_name_pair tls_cipher_name_translation_table[] = { {"ADH-SEED-SHA", "TLS-DH-anon-WITH-SEED-CBC-SHA"}, {"AES128-GCM-SHA256", "TLS-RSA-WITH-AES-128-GCM-SHA256"}, {"AES128-SHA256", "TLS-RSA-WITH-AES-128-CBC-SHA256"}, {"AES128-SHA", "TLS-RSA-WITH-AES-128-CBC-SHA"}, {"AES256-GCM-SHA384", "TLS-RSA-WITH-AES-256-GCM-SHA384"}, {"AES256-SHA256", "TLS-RSA-WITH-AES-256-CBC-SHA256"}, {"AES256-SHA", "TLS-RSA-WITH-AES-256-CBC-SHA"}, {"CAMELLIA128-SHA256", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"CAMELLIA128-SHA", "TLS-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"CAMELLIA256-SHA256", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"CAMELLIA256-SHA", "TLS-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"DES-CBC3-SHA", "TLS-RSA-WITH-3DES-EDE-CBC-SHA"}, {"DES-CBC-SHA", "TLS-RSA-WITH-DES-CBC-SHA"}, {"DH-DSS-SEED-SHA", "TLS-DH-DSS-WITH-SEED-CBC-SHA"}, {"DHE-DSS-AES128-GCM-SHA256", "TLS-DHE-DSS-WITH-AES-128-GCM-SHA256"}, {"DHE-DSS-AES128-SHA256", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA256"}, {"DHE-DSS-AES128-SHA", "TLS-DHE-DSS-WITH-AES-128-CBC-SHA"}, {"DHE-DSS-AES256-GCM-SHA384", "TLS-DHE-DSS-WITH-AES-256-GCM-SHA384"}, {"DHE-DSS-AES256-SHA256", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA256"}, {"DHE-DSS-AES256-SHA", "TLS-DHE-DSS-WITH-AES-256-CBC-SHA"}, {"DHE-DSS-CAMELLIA128-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256"}, {"DHE-DSS-CAMELLIA128-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA"}, {"DHE-DSS-CAMELLIA256-SHA256", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256"}, {"DHE-DSS-CAMELLIA256-SHA", "TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA"}, {"DHE-DSS-SEED-SHA", "TLS-DHE-DSS-WITH-SEED-CBC-SHA"}, {"DHE-RSA-AES128-GCM-SHA256", "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"}, {"DHE-RSA-AES128-SHA256", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256"}, {"DHE-RSA-AES128-SHA", "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"}, {"DHE-RSA-AES256-GCM-SHA384", "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384"}, {"DHE-RSA-AES256-SHA256", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256"}, {"DHE-RSA-AES256-SHA", "TLS-DHE-RSA-WITH-AES-256-CBC-SHA"}, {"DHE-RSA-CAMELLIA128-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"DHE-RSA-CAMELLIA128-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"DHE-RSA-CAMELLIA256-SHA256", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"DHE-RSA-CAMELLIA256-SHA", "TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
e7ec6a3a	{"DHE-RSA-CHACHA20-POLY1305", "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
3b23b18d	{"DHE-RSA-SEED-SHA", "TLS-DHE-RSA-WITH-SEED-CBC-SHA"}, {"DH-RSA-SEED-SHA", "TLS-DH-RSA-WITH-SEED-CBC-SHA"}, {"ECDH-ECDSA-AES128-GCM-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256"}, {"ECDH-ECDSA-AES128-SHA256", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256"}, {"ECDH-ECDSA-AES128-SHA", "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA"}, {"ECDH-ECDSA-AES256-GCM-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384"}, {"ECDH-ECDSA-AES256-SHA256", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA256"}, {"ECDH-ECDSA-AES256-SHA384", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384"}, {"ECDH-ECDSA-AES256-SHA", "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA"}, {"ECDH-ECDSA-CAMELLIA128-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDH-ECDSA-CAMELLIA128-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDH-ECDSA-CAMELLIA256-SHA256", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDH-ECDSA-CAMELLIA256-SHA", "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDH-ECDSA-DES-CBC3-SHA", "TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDH-ECDSA-DES-CBC-SHA", "TLS-ECDH-ECDSA-WITH-DES-CBC-SHA"}, {"ECDH-ECDSA-RC4-SHA", "TLS-ECDH-ECDSA-WITH-RC4-128-SHA"}, {"ECDHE-ECDSA-AES128-GCM-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256"}, {"ECDHE-ECDSA-AES128-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"}, {"ECDHE-ECDSA-AES128-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA384"}, {"ECDHE-ECDSA-AES128-SHA", "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA"}, {"ECDHE-ECDSA-AES256-GCM-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384"}, {"ECDHE-ECDSA-AES256-SHA256", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA256"}, {"ECDHE-ECDSA-AES256-SHA384", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384"}, {"ECDHE-ECDSA-AES256-SHA", "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA"}, {"ECDHE-ECDSA-CAMELLIA128-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDHE-ECDSA-CAMELLIA128-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-ECDSA-CAMELLIA256-SHA256", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-ECDSA-CAMELLIA256-SHA", "TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-CBC-SHA"},
e7ec6a3a	{"ECDHE-ECDSA-CHACHA20-POLY1305", "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256"},
3b23b18d	{"ECDHE-ECDSA-DES-CBC3-SHA", "TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-ECDSA-DES-CBC-SHA", "TLS-ECDHE-ECDSA-WITH-DES-CBC-SHA"}, {"ECDHE-ECDSA-RC4-SHA", "TLS-ECDHE-ECDSA-WITH-RC4-128-SHA"}, {"ECDHE-RSA-AES128-GCM-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256"}, {"ECDHE-RSA-AES128-SHA256", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256"}, {"ECDHE-RSA-AES128-SHA384", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA384"}, {"ECDHE-RSA-AES128-SHA", "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA"}, {"ECDHE-RSA-AES256-GCM-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384"}, {"ECDHE-RSA-AES256-SHA256", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA256"}, {"ECDHE-RSA-AES256-SHA384", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384"}, {"ECDHE-RSA-AES256-SHA", "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA"}, {"ECDHE-RSA-CAMELLIA128-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDHE-RSA-CAMELLIA128-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDHE-RSA-CAMELLIA256-SHA256", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDHE-RSA-CAMELLIA256-SHA", "TLS-ECDHE-RSA-WITH-CAMELLIA-256-CBC-SHA"},
e7ec6a3a	{"ECDHE-RSA-CHACHA20-POLY1305", "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"},
3b23b18d	{"ECDHE-RSA-DES-CBC3-SHA", "TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDHE-RSA-DES-CBC-SHA", "TLS-ECDHE-RSA-WITH-DES-CBC-SHA"}, {"ECDHE-RSA-RC4-SHA", "TLS-ECDHE-RSA-WITH-RC4-128-SHA"}, {"ECDH-RSA-AES128-GCM-SHA256", "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256"}, {"ECDH-RSA-AES128-SHA256", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256"}, {"ECDH-RSA-AES128-SHA384", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA384"}, {"ECDH-RSA-AES128-SHA", "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA"}, {"ECDH-RSA-AES256-GCM-SHA384", "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384"}, {"ECDH-RSA-AES256-SHA256", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA256"}, {"ECDH-RSA-AES256-SHA384", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384"}, {"ECDH-RSA-AES256-SHA", "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA"}, {"ECDH-RSA-CAMELLIA128-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256"}, {"ECDH-RSA-CAMELLIA128-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA"}, {"ECDH-RSA-CAMELLIA256-SHA256", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA256"}, {"ECDH-RSA-CAMELLIA256-SHA", "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA"}, {"ECDH-RSA-DES-CBC3-SHA", "TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA"}, {"ECDH-RSA-DES-CBC-SHA", "TLS-ECDH-RSA-WITH-DES-CBC-SHA"}, {"ECDH-RSA-RC4-SHA", "TLS-ECDH-RSA-WITH-RC4-128-SHA"}, {"EDH-DSS-DES-CBC3-SHA", "TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA"}, {"EDH-DSS-DES-CBC-SHA", "TLS-DHE-DSS-WITH-DES-CBC-SHA"}, {"EDH-RSA-DES-CBC3-SHA", "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA"}, {"EDH-RSA-DES-CBC-SHA", "TLS-DHE-RSA-WITH-DES-CBC-SHA"}, {"EXP-DES-CBC-SHA", "TLS-RSA-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-EDH-DSS-DES-CBC-SHA", "TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-EDH-RSA-DES-CBC-SHA", "TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA"}, {"EXP-RC2-CBC-MD5", "TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5"}, {"EXP-RC4-MD5", "TLS-RSA-EXPORT-WITH-RC4-40-MD5"}, {"NULL-MD5", "TLS-RSA-WITH-NULL-MD5"}, {"NULL-SHA256", "TLS-RSA-WITH-NULL-SHA256"}, {"NULL-SHA", "TLS-RSA-WITH-NULL-SHA"}, {"PSK-3DES-EDE-CBC-SHA", "TLS-PSK-WITH-3DES-EDE-CBC-SHA"}, {"PSK-AES128-CBC-SHA", "TLS-PSK-WITH-AES-128-CBC-SHA"}, {"PSK-AES256-CBC-SHA", "TLS-PSK-WITH-AES-256-CBC-SHA"}, {"PSK-RC4-SHA", "TLS-PSK-WITH-RC4-128-SHA"}, {"RC4-MD5", "TLS-RSA-WITH-RC4-128-MD5"}, {"RC4-SHA", "TLS-RSA-WITH-RC4-128-SHA"}, {"SEED-SHA", "TLS-RSA-WITH-SEED-CBC-SHA"}, {"SRP-DSS-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA"}, {"SRP-DSS-AES-128-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA"}, {"SRP-DSS-AES-256-CBC-SHA", "TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA"}, {"SRP-RSA-3DES-EDE-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA"}, {"SRP-RSA-AES-128-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA"}, {"SRP-RSA-AES-256-CBC-SHA", "TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA"},
0146fd00	#ifdef ENABLE_CRYPTO_OPENSSL
7246ccfd	/* OpenSSL-specific group names */
0146fd00	{"DEFAULT", "DEFAULT"}, {"ALL", "ALL"},
7246ccfd	{"HIGH", "HIGH"}, {"!HIGH", "!HIGH"}, {"MEDIUM", "MEDIUM"}, {"!MEDIUM", "!MEDIUM"}, {"LOW", "LOW"}, {"!LOW", "!LOW"}, {"ECDH", "ECDH"}, {"!ECDH", "!ECDH"}, {"ECDSA", "ECDSA"}, {"!ECDSA", "!ECDSA"}, {"EDH", "EDH"}, {"!EDH", "!EDH"}, {"EXP", "EXP"}, {"!EXP", "!EXP"}, {"RSA", "RSA"}, {"!RSA", "!RSA"}, {"kRSA", "kRSA"}, {"!kRSA", "!kRSA"}, {"SRP", "SRP"}, {"!SRP", "!SRP"},
0146fd00	#endif
3b23b18d	{NULL, NULL} };
66407e11	/** * Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher * used. * * Note that the implicit IV is based on the HMAC key, but only in AEAD modes * where the HMAC key is not used for an actual HMAC. * * @param ctx Encrypt/decrypt key context * @param key HMAC key, used to calculate implicit IV * @param key_len HMAC key length / static void key_ctx_update_implicit_iv(struct key_ctx ctx, uint8_t *key, size_t key_len);
3b23b18d	const tls_cipher_name_pair * tls_get_cipher_name_pair (const char * cipher_name, size_t len) { const tls_cipher_name_pair * pair = tls_cipher_name_translation_table; while (pair->openssl_name != NULL) { if ((strlen(pair->openssl_name) == len && 0 == memcmp (cipher_name, pair->openssl_name, len)) \|\| (strlen(pair->iana_name) == len && 0 == memcmp (cipher_name, pair->iana_name, len))) { return pair; } pair++; } // No entry found, return NULL return NULL; }
6fbf66fa
9e0963c1	/* * Max number of bytes we will add * for data structures common to both * data and control channel packets. * (opcode only).
6fbf66fa	/ void tls_adjust_frame_parameters(struct frame frame) {
9e0963c1	frame_add_to_extra_frame (frame, 1); /* space for opcode */
6fbf66fa	} /* * Max number of bytes we will add * to control channel packet. / static void tls_init_control_channel_frame_parameters(const struct frame data_channel_frame, struct frame frame) { / * frame->extra_frame is already initialized with tls_auth buffer requirements, * if --tls-auth is enabled. / / inherit link MTU and extra_link from data channel / frame->link_mtu = data_channel_frame->link_mtu; frame->extra_link = data_channel_frame->extra_link; / set extra_frame */ tls_adjust_frame_parameters (frame); reliable_ack_adjust_frame_parameters (frame, CONTROL_SEND_ACK_MAX); frame_add_to_extra_frame (frame, SID_SIZE + sizeof (packet_id_type));
fc91d4b0	/* set dynamic link MTU to cap control channel packets at 1250 bytes */ ASSERT (TUN_LINK_DELTA (frame) < min_int (frame->link_mtu, 1250)); frame->link_mtu_dynamic = min_int (frame->link_mtu, 1250) - TUN_LINK_DELTA (frame);
6fbf66fa	} void init_ssl_lib () {
95993a1d	tls_init_lib ();
6fbf66fa
95993a1d	crypto_init_lib ();
6fbf66fa	} void free_ssl_lib () {
b01cb9ef	crypto_uninit_lib ();
54628d1a	prng_uninit();
95993a1d	tls_free_lib();
6fbf66fa	} /* * OpenSSL library calls pem_password_callback if the * private key is protected by a password. / static struct user_pass passbuf; / GLOBAL / void pem_password_setup (const char auth_file) { if (!strlen (passbuf.password))
9ffd00e7	get_user_pass (&passbuf, auth_file, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT\|GET_USER_PASS_PASSWORD_ONLY);
6fbf66fa	} int pem_password_callback (char buf, int size, int rwflag, void u) { if (buf) { /* prompt for password even if --askpass wasn't specified / pem_password_setup (NULL); strncpynt (buf, passbuf.password, size); purge_user_pass (&passbuf, false); return strlen (buf); } return 0; } / * Auth username/password handling / static bool auth_user_pass_enabled; / GLOBAL / static struct user_pass auth_user_pass; / GLOBAL */
3cf9dd88	#ifdef ENABLE_CLIENT_CR static char auth_challenge; / GLOBAL */ #endif
6fbf66fa	void
eab3e22f	auth_user_pass_setup (const char auth_file, const struct static_challenge_info sci)
6fbf66fa	{ auth_user_pass_enabled = true; if (!auth_user_pass.defined)
5f31881e	{ #if AUTO_USERID
70f4f82a	get_user_pass_auto_userid (&auth_user_pass, auth_file);
5f31881e	#else
eab3e22f	# ifdef ENABLE_CLIENT_CR if (auth_challenge) /* dynamic challenge/response */
576dc96c	get_user_pass_cr (&auth_user_pass, auth_file, UP_TYPE_AUTH,
9ffd00e7	GET_USER_PASS_MANAGEMENT\|GET_USER_PASS_DYNAMIC_CHALLENGE,
576dc96c	auth_challenge);
eab3e22f	else if (sci) /* static challenge response */
576dc96c	{
9ffd00e7	int flags = GET_USER_PASS_MANAGEMENT\|GET_USER_PASS_STATIC_CHALLENGE;
576dc96c	if (sci->flags & SC_ECHO) flags \|= GET_USER_PASS_STATIC_CHALLENGE_ECHO; get_user_pass_cr (&auth_user_pass, auth_file, UP_TYPE_AUTH, flags, sci->challenge_text); }
eab3e22f	else # endif
9ffd00e7	get_user_pass (&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT);
5f31881e	#endif }
6fbf66fa	} /* * Disable password caching / void ssl_set_auth_nocache (void) { passbuf.nocache = true; auth_user_pass.nocache = true; } /
0db046f2	* Set an authentication token / void ssl_set_auth_token (const char token) { set_auth_token (&auth_user_pass, token); } /*
6fbf66fa	* Forget private key password AND auth-user-pass username/password. */ void
0db046f2	ssl_purge_auth (const bool auth_user_pass_only)
6fbf66fa	{
0db046f2	if (!auth_user_pass_only) {
18b5fbdf	#ifdef ENABLE_PKCS11
0db046f2	pkcs11_logout ();
718526e0	#endif
0db046f2	purge_user_pass (&passbuf, true); }
6fbf66fa	purge_user_pass (&auth_user_pass, true);
3cf9dd88	#ifdef ENABLE_CLIENT_CR ssl_purge_auth_challenge(); #endif } #ifdef ENABLE_CLIENT_CR void ssl_purge_auth_challenge (void) { free (auth_challenge); auth_challenge = NULL;
6fbf66fa	}
3cf9dd88	void ssl_put_auth_challenge (const char *cr_str) { ssl_purge_auth_challenge(); auth_challenge = string_alloc(cr_str, NULL); } #endif
6fbf66fa	/*
4b67f984	* Parse a TLS version string, returning a TLS_VER_x constant. * If version string is not recognized and extra == "or-highest", * return tls_version_max(). */ int
6cb15b90	tls_version_parse(const char vstr, const char extra)
4b67f984	{ const int max_version = tls_version_max(); if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version) return TLS_VER_1_0; else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version) return TLS_VER_1_1; else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version) return TLS_VER_1_2; else if (extra && !strcmp(extra, "or-highest")) return max_version; else return TLS_VER_BAD; } /*
6fbf66fa	* Initialize SSL context. * All files are in PEM format. */
62451786	void init_ssl (const struct options options, struct tls_root_ctx new_ctx)
6fbf66fa	{
62451786	ASSERT(NULL != new_ctx); tls_clear_error();
6fbf66fa	if (options->tls_server) {
62451786	tls_ctx_server_new(new_ctx);
bd9aa06f	if (options->dh_file) tls_ctx_load_dh_params(new_ctx, options->dh_file, options->dh_file_inline);
6fbf66fa	} else /* if client */ {
62451786	tls_ctx_client_new(new_ctx);
6fbf66fa	}
b5563f11	tls_ctx_set_options(new_ctx, options->ssl_flags);
ac3e8d62
6fbf66fa	if (options->pkcs12_file) {
289a8bb8	if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, options->pkcs12_file_inline, !options->ca_file)) goto err;
6fbf66fa	}
ce98fd24	#ifdef ENABLE_PKCS11
d1013cfe	else if (options->pkcs11_providers[0]) {
5fe5fe9e	if (!tls_ctx_use_pkcs11 (new_ctx, options->pkcs11_id_management, options->pkcs11_id)) { msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", options->pkcs11_id); goto err; }
d1013cfe	}
ce98fd24	#endif
93c22ecc	#ifdef ENABLE_CRYPTOAPI
d1013cfe	else if (options->cryptoapi_cert) {
d494c315	tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert);
d1013cfe	}
6fbf66fa	#endif
cf69617b	#ifdef MANAGMENT_EXTERNAL_KEY
39e3d336	else if ((options->management_flags & MF_EXTERNAL_KEY) && (options->cert_file \|\| options->management_flags & MF_EXTERNAL_CERT))
f4047d74	{
39e3d336	if (options->cert_file) { tls_ctx_use_external_private_key(new_ctx, options->cert_file, options->cert_file_inline); } else { char *external_certificate = management_query_cert(management, options->management_certificate); tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG, external_certificate); free(external_certificate); }
f4047d74	}
cf69617b	#endif
f4047d74	else { /* Load Certificate */ if (options->cert_file) {
c3b2d487	tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline);
f4047d74	}
cf69617b
d67c3147	/* Load Private Key */ if (options->priv_key_file) { if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline)) goto err;
6fbf66fa	}
d67c3147	}
6fbf66fa
05d11e3d	if (options->ca_file \|\| options->ca_path)
e83b8190	{
244da317	tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path, options->tls_server);
6fbf66fa	}
e83b8190
7966d75a	/* Load extra certificates that are part of our own certificate chain but shouldn't be included in the verify chain */ if (options->extra_certs_file \|\| options->extra_certs_file_inline) {
244da317	tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
7966d75a	}
091edd8e	/* Check certificate notBefore and notAfter */ tls_ctx_check_cert_time(new_ctx);
609e8131	/* Once keys and cert are loaded, load ECDH parameters */ if (options->tls_server) tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
6fbf66fa	/* Allowable ciphers */
e83313a8	tls_ctx_restrict_ciphers(new_ctx, options->cipher_list);
6fbf66fa
86d8cd68	#ifdef ENABLE_CRYPTO_MBEDTLS
4b87c868	/* Personalise the random by mixing in the certificate */
6efeaa2e	tls_ctx_personalise_random (new_ctx); #endif
62451786	tls_clear_error (); return;
6fbf66fa	err:
df904551	tls_clear_error ();
62451786	tls_ctx_free (new_ctx);
df904551	return;
6fbf66fa	} /* * Map internal constants to ascii names. / static const char state_name (int state) { switch (state) { case S_UNDEF: return "S_UNDEF"; case S_INITIAL: return "S_INITIAL"; case S_PRE_START: return "S_PRE_START"; case S_START: return "S_START"; case S_SENT_KEY: return "S_SENT_KEY"; case S_GOT_KEY: return "S_GOT_KEY"; case S_ACTIVE: return "S_ACTIVE";
6aa7fb8d	case S_NORMAL_OP: return "S_NORMAL_OP";
6fbf66fa	case S_ERROR: return "S_ERROR"; default: return "S_???"; } } static const char * packet_opcode_name (int op) { switch (op) { case P_CONTROL_HARD_RESET_CLIENT_V1: return "P_CONTROL_HARD_RESET_CLIENT_V1"; case P_CONTROL_HARD_RESET_SERVER_V1: return "P_CONTROL_HARD_RESET_SERVER_V1"; case P_CONTROL_HARD_RESET_CLIENT_V2: return "P_CONTROL_HARD_RESET_CLIENT_V2"; case P_CONTROL_HARD_RESET_SERVER_V2: return "P_CONTROL_HARD_RESET_SERVER_V2"; case P_CONTROL_SOFT_RESET_V1: return "P_CONTROL_SOFT_RESET_V1"; case P_CONTROL_V1: return "P_CONTROL_V1"; case P_ACK_V1: return "P_ACK_V1"; case P_DATA_V1: return "P_DATA_V1";
65eedc35	case P_DATA_V2: return "P_DATA_V2";
6fbf66fa	default: return "P_???"; } } static const char * session_index_name (int index) { switch (index) { case TM_ACTIVE: return "TM_ACTIVE"; case TM_UNTRUSTED: return "TM_UNTRUSTED"; case TM_LAME_DUCK: return "TM_LAME_DUCK"; default: return "TM_???"; } } /* * For debugging. / static const char print_key_id (struct tls_multi multi, struct gc_arena gc) { int i; struct buffer out = alloc_buf_gc (256, gc); for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state ks = multi->key_scan[i]; buf_printf (&out, " [key#%d state=%s id=%d sid=%s]", i, state_name (ks->state), ks->key_id, session_id_print (&ks->session_id_remote, gc)); } return BSTR (&out); } / * Given a key_method, return true if op * represents the required form of hard_reset. * * If key_method = 0, return true if any * form of hard reset is used. */ static bool is_hard_reset (int op, int key_method) { if (!key_method \|\| key_method == 1) if (op == P_CONTROL_HARD_RESET_CLIENT_V1 \|\| op == P_CONTROL_HARD_RESET_SERVER_V1) return true; if (!key_method \|\| key_method >= 2) if (op == P_CONTROL_HARD_RESET_CLIENT_V2 \|\| op == P_CONTROL_HARD_RESET_SERVER_V2) return true; return false; }
4c5c5974	/** @addtogroup control_processor * @{ / /* @name Functions for initialization and cleanup of key_state structures * @{ / /* * Initialize a \c key_state structure. * @ingroup control_processor * * This function initializes a \c key_state structure associated with a \c * tls_session. It sets up the structure's SSL-BIO, sets the object's \c * key_state.state to \c S_INITIAL, and sets the session ID and key ID two * appropriate values based on the \c tls_session's internal state. It * also initializes a new set of structures for the \link reliable * Reliability Layer\endlink. * * @param session - A pointer to the \c tls_session structure * associated with the \a ks argument. * @param ks - A pointer to the \c key_state structure to be * initialized. This structure should already have * been allocated before calling this function.
6fbf66fa	/ static void key_state_init (struct tls_session session, struct key_state *ks) { update_time ();
d7efe640	CLEAR (*ks);
6fbf66fa	/* * Build TLS object that reads/writes ciphertext * to/from memory BIOs. */
d7efe640	key_state_ssl_init(&ks->ks_ssl, &session->opt->ssl_ctx, session->opt->server, session);
6fbf66fa	/* Set control-channel initiation mode / ks->initial_opcode = session->initial_opcode; session->initial_opcode = P_CONTROL_SOFT_RESET_V1; ks->state = S_INITIAL; ks->key_id = session->key_id; / * key_id increments to KEY_ID_MASK then recycles back to 1. * This way you know that if key_id is 0, it is the first key. / ++session->key_id; session->key_id &= P_KEY_ID_MASK; if (!session->key_id) session->key_id = 1; / allocate key source material object / ALLOC_OBJ_CLEAR (ks->key_src, struct key_source2); / allocate reliability objects / ALLOC_OBJ_CLEAR (ks->send_reliable, struct reliable); ALLOC_OBJ_CLEAR (ks->rec_reliable, struct reliable); ALLOC_OBJ_CLEAR (ks->rec_ack, struct reliable_ack); / allocate buffers */
3eee126e	ks->plaintext_read_buf = alloc_buf (TLS_CHANNEL_BUF_SIZE); ks->plaintext_write_buf = alloc_buf (TLS_CHANNEL_BUF_SIZE);
6fbf66fa	ks->ack_write_buf = alloc_buf (BUF_SIZE (&session->opt->frame)); reliable_init (ks->send_reliable, BUF_SIZE (&session->opt->frame),
6add6b2f	FRAME_HEADROOM (&session->opt->frame), TLS_RELIABLE_N_SEND_BUFFERS,
ff0c034d	ks->key_id ? false : session->opt->xmit_hold);
6fbf66fa	reliable_init (ks->rec_reliable, BUF_SIZE (&session->opt->frame),
6add6b2f	FRAME_HEADROOM (&session->opt->frame), TLS_RELIABLE_N_REC_BUFFERS, false);
6fbf66fa	reliable_set_timeout (ks->send_reliable, session->opt->packet_timeout); /* init packet ID tracker */
3ebc31f9	if (session->opt->replay) { packet_id_init (&ks->crypto_options.packet_id, session->opt->tcp_mode, session->opt->replay_window, session->opt->replay_time, "SSL", ks->key_id); }
90efcacb
2d9c6d20	ks->crypto_options.pid_persist = NULL; ks->crypto_options.flags = session->opt->crypto_flags; ks->crypto_options.flags &= session->opt->crypto_flags_and; ks->crypto_options.flags \|= session->opt->crypto_flags_or;
90efcacb	#ifdef MANAGEMENT_DEF_AUTH ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++; #endif
6fbf66fa	}
4c5c5974	/** * Cleanup a \c key_state structure. * @ingroup control_processor * * This function cleans up a \c key_state structure. It frees the * associated SSL-BIO, and the structures allocated for the \link reliable * Reliability Layer\endlink. * * @param ks - A pointer to the \c key_state structure to be * cleaned up. * @param clear - Whether the memory allocated for the \a ks object * should be overwritten with 0s. */
6fbf66fa	static void key_state_free (struct key_state *ks, bool clear) { ks->state = S_UNDEF;
214fc873	key_state_ssl_free(&ks->ks_ssl);
6fbf66fa
8b1a00ca	free_key_ctx_bi (&ks->crypto_options.key_ctx_bi);
6fbf66fa	free_buf (&ks->plaintext_read_buf); free_buf (&ks->plaintext_write_buf); free_buf (&ks->ack_write_buf);
dc85dae6	buffer_list_free(ks->paybuf);
6fbf66fa	if (ks->send_reliable) { reliable_free (ks->send_reliable); free (ks->send_reliable); } if (ks->rec_reliable) { reliable_free (ks->rec_reliable); free (ks->rec_reliable); } if (ks->rec_ack) free (ks->rec_ack); if (ks->key_src) free (ks->key_src);
3ebc31f9	packet_id_free (&ks->crypto_options.packet_id);
6fbf66fa
90efcacb	#ifdef PLUGIN_DEF_AUTH
344ee918	key_state_rm_auth_control_file (ks);
47ae8457	#endif
344ee918
6fbf66fa	if (clear) CLEAR (*ks); }
4c5c5974	/** @} name Functions for initialization and cleanup of key_state structures / /* @} addtogroup control_processor */
3ba6b9ff	/** * Returns whether or not the server should check for username/password * * @param session The current TLS session * * @return true if username and password verification is enabled, * false if not. / static inline bool tls_session_user_pass_enabled(struct tls_session session) { return (session->opt->auth_user_pass_verify_script \|\| plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY) #ifdef MANAGEMENT_DEF_AUTH \|\| management_enable_def_auth (management) #endif ); }
4c5c5974	/** @addtogroup control_processor * @{ / /* @name Functions for initialization and cleanup of tls_session structures * @{ / /* * Initialize a \c tls_session structure. * @ingroup control_processor * * This function initializes a \c tls_session structure. This includes * generating a random session ID, and initializing the \c KS_PRIMARY \c * key_state in the \c tls_session.key array. * * @param multi - A pointer to the \c tls_multi structure * associated with the \a session argument. * @param session - A pointer to the \c tls_session structure to be * initialized. This structure should already have * been allocated before calling this function.
6fbf66fa	/ static void tls_session_init (struct tls_multi multi, struct tls_session session) { struct gc_arena gc = gc_new (); dmsg (D_TLS_DEBUG, "TLS: tls_session_init: entry"); CLEAR (session); /* Set options data to point to parent's option structure / session->opt = &multi->opt; / Randomize session # if it is 0 / while (!session_id_defined(&session->session_id)) session_id_random (&session->session_id); / Are we a TLS server or client? / ASSERT (session->opt->key_method >= 1); if (session->opt->key_method == 1) { session->initial_opcode = session->opt->server ? P_CONTROL_HARD_RESET_SERVER_V1 : P_CONTROL_HARD_RESET_CLIENT_V1; } else / session->opt->key_method >= 2 / { session->initial_opcode = session->opt->server ? P_CONTROL_HARD_RESET_SERVER_V2 : P_CONTROL_HARD_RESET_CLIENT_V2; } / Initialize control channel authentication parameters / session->tls_auth = session->opt->tls_auth; / initialize packet ID replay window for --tls-auth */
3ebc31f9	packet_id_init (&session->tls_auth.packet_id,
4d453a17	session->opt->tcp_mode,
6fbf66fa	session->opt->replay_window,
ac131052	session->opt->replay_time, "TLS_AUTH", session->key_id);
6fbf66fa	/* load most recent packet-id to replay protect on --tls-auth */
3ebc31f9	packet_id_persist_load_obj (session->tls_auth.pid_persist, &session->tls_auth.packet_id);
6fbf66fa	key_state_init (session, &session->key[KS_PRIMARY]); dmsg (D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s", session_id_print (&session->session_id, &gc)); gc_free (&gc); }
4c5c5974	/** * Clean up a \c tls_session structure. * @ingroup control_processor * * This function cleans up a \c tls_session structure. This includes * cleaning up all associated \c key_state structures. * * @param session - A pointer to the \c tls_session structure to be * cleaned up. * @param clear - Whether the memory allocated for the \a session * object should be overwritten with 0s. */
6fbf66fa	static void tls_session_free (struct tls_session *session, bool clear) { int i;
3ebc31f9	if (packet_id_initialized(&session->tls_auth.packet_id)) packet_id_free (&session->tls_auth.packet_id);
6fbf66fa	for (i = 0; i < KS_SIZE; ++i) key_state_free (&session->key[i], false); if (session->common_name) free (session->common_name);
ec4a500b	cert_hash_free (session->cert_hash_set);
6fbf66fa	if (clear) CLEAR (*session); }
4c5c5974	/** @} name Functions for initialization and cleanup of tls_session structures / /* @} addtogroup control_processor */
6fbf66fa	static void move_session (struct tls_multi* multi, int dest, int src, bool reinit_src) { msg (D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d", session_index_name(dest), session_index_name(src), reinit_src); ASSERT (src != dest); ASSERT (src >= 0 && src < TM_SIZE); ASSERT (dest >= 0 && dest < TM_SIZE); tls_session_free (&multi->session[dest], false); multi->session[dest] = multi->session[src]; if (reinit_src) tls_session_init (multi, &multi->session[src]); else CLEAR (multi->session[src]); dmsg (D_TLS_DEBUG, "TLS: move_session: exit"); } static void reset_session (struct tls_multi multi, struct tls_session session) { tls_session_free (session, false); tls_session_init (multi, session); } /* * Used to determine in how many seconds we should be * called again. / static inline void compute_earliest_wakeup (interval_t earliest, interval_t seconds_from_now) { if (seconds_from_now < earliest) earliest = seconds_from_now; if (earliest < 0) earliest = 0; } /* * Return true if "lame duck" or retiring key has expired and can * no longer be used. / static inline bool lame_duck_must_die (const struct tls_session session, interval_t wakeup) { const struct key_state lame = &session->key[KS_LAME_DUCK]; if (lame->state >= S_INITIAL) { const time_t local_now = now; ASSERT (lame->must_die); /* a lame duck key must always have an expiration / if (local_now < lame->must_die) { compute_earliest_wakeup (wakeup, lame->must_die - local_now); return false; } else return true; } else if (lame->state == S_ERROR) return true; else return false; } struct tls_multi tls_multi_init (struct tls_options tls_options) { struct tls_multi ret; ALLOC_OBJ_CLEAR (ret, struct tls_multi); /* get command line derived options / ret->opt = tls_options; /* set up list of keys to be scanned by data channel encrypt and decrypt routines */ ASSERT (SIZE (ret->key_scan) == 3); ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK]; ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
65eedc35	/* By default not use P_DATA_V2 */ ret->use_peer_id = false;
6fbf66fa	return ret; } void tls_multi_init_finalize (struct tls_multi* multi, const struct frame* frame) { tls_init_control_channel_frame_parameters (frame, &multi->opt.frame); /* initialize the active and untrusted sessions / tls_session_init (multi, &multi->session[TM_ACTIVE]); if (!multi->opt.single_session) tls_session_init (multi, &multi->session[TM_UNTRUSTED]); } / * Initialize and finalize a standalone tls-auth verification object. / struct tls_auth_standalone tls_auth_standalone_init (struct tls_options tls_options, struct gc_arena gc) { struct tls_auth_standalone tas; ALLOC_OBJ_CLEAR_GC (tas, struct tls_auth_standalone, gc); / set up pointer to HMAC object for TLS packet authentication */
8b1a00ca	tas->tls_auth_options.key_ctx_bi = tls_options->tls_auth.key_ctx_bi;
6fbf66fa	tas->tls_auth_options.flags \|= CO_PACKET_ID_LONG_FORM; /* get initial frame parms, still need to finalize / tas->frame = tls_options->frame; return tas; } void tls_auth_standalone_finalize (struct tls_auth_standalone tas, const struct frame frame) { tls_init_control_channel_frame_parameters (frame, &tas->frame); } / * Set local and remote option compatibility strings. * Used to verify compatibility of local and remote option * sets. / void tls_multi_init_set_options (struct tls_multi multi, const char local, const char remote) { #ifdef ENABLE_OCC /* initialize options string */ multi->opt.local_options = local; multi->opt.remote_options = remote; #endif }
897f8be4	/* * Cleanup a tls_multi structure and free associated memory allocations.
4c5c5974	*/
6fbf66fa	void tls_multi_free (struct tls_multi *multi, bool clear) { int i; ASSERT (multi);
5733ef66	#ifdef MANAGEMENT_DEF_AUTH man_def_auth_set_client_reason(multi, NULL);
aaf72974
a8be7379	#endif
0a48ae36	#if P2MP_SERVER
aaf72974	free (multi->peer_info);
5733ef66	#endif
6fbf66fa	if (multi->locked_cn) free (multi->locked_cn);
71b557ba	if (multi->locked_username) free (multi->locked_username);
ec4a500b	cert_hash_free (multi->locked_cert_hash_set);
6fbf66fa	for (i = 0; i < TM_SIZE; ++i) tls_session_free (&multi->session[i], false); if (clear) CLEAR (*multi); free(multi); }
4c5c5974
6fbf66fa	/* * Move a packet authentication HMAC + related fields to or from the front * of the buffer so it can be processed by encrypt/decrypt. / / * Dependent on hmac size, opcode size, and session_id size. * Will assert if too small. / #define SWAP_BUF_SIZE 256 static bool swap_hmac (struct buffer buf, const struct crypto_options *co, bool incoming) {
8b1a00ca	const struct key_ctx *ctx;
6fbf66fa	ASSERT (co);
8b1a00ca	ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt);
6fbf66fa	ASSERT (ctx->hmac); { /* hmac + packet_id (8 bytes) */
eab0cf2d	const int hmac_size = hmac_ctx_size (ctx->hmac) + packet_id_size (true);
6fbf66fa	/* opcode + session_id / const int osid_size = 1 + SID_SIZE; int e1, e2; uint8_t b = BPTR (buf); uint8_t buf1[SWAP_BUF_SIZE]; uint8_t buf2[SWAP_BUF_SIZE]; if (incoming) { e1 = osid_size; e2 = hmac_size; } else { e1 = hmac_size; e2 = osid_size; } ASSERT (e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE); if (buf->len >= e1 + e2) { memcpy (buf1, b, e1); memcpy (buf2, b + e1, e2); memcpy (b, buf2, e2); memcpy (b + e2, buf1, e1); return true; } else return false; } } #undef SWAP_BUF_SIZE /* * Write a control channel authentication record. / static void write_control_auth (struct tls_session session, struct key_state ks, struct buffer buf,
8bc93d7f	struct link_socket_actual **to_link_addr,
6fbf66fa	int opcode, int max_ack, bool prepend_ack) { uint8_t *header; struct buffer null = clear_buf ();
8bc93d7f	ASSERT (link_socket_actual_defined (&ks->remote_addr));
6fbf66fa	ASSERT (reliable_ack_write (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack)); ASSERT (session_id_write_prepend (&session->session_id, buf)); ASSERT (header = buf_prepend (buf, 1)); *header = ks->key_id \| (opcode << P_OPCODE_SHIFT);
8b1a00ca	if (session->tls_auth.key_ctx_bi.encrypt.hmac)
6fbf66fa	{ /* no encryption, only write hmac */
66407e11	openvpn_encrypt (buf, null, &session->tls_auth);
6fbf66fa	ASSERT (swap_hmac (buf, &session->tls_auth, false)); }
8bc93d7f	*to_link_addr = &ks->remote_addr;
6fbf66fa	} /* * Read a control channel authentication record. / static bool read_control_auth (struct buffer buf,
3ebc31f9	struct crypto_options *co,
8bc93d7f	const struct link_socket_actual *from)
6fbf66fa	{ struct gc_arena gc = gc_new ();
8b1a00ca	if (co->key_ctx_bi.decrypt.hmac)
6fbf66fa	{ struct buffer null = clear_buf (); /* move the hmac record to the front of the packet */ if (!swap_hmac (buf, co, true)) { msg (D_TLS_ERRORS, "TLS Error: cannot locate HMAC in incoming packet from %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	gc_free (&gc); return false; } /* authenticate only (no decrypt) and remove the hmac record from the head of the buffer */
66407e11	openvpn_decrypt (buf, null, co, NULL, BPTR (buf));
6fbf66fa	if (!buf->len) { msg (D_TLS_ERRORS, "TLS Error: incoming packet authentication failed from %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	gc_free (&gc); return false; } } /* advance buffer pointer past opcode & session_id since our caller already read it / buf_advance (buf, SID_SIZE + 1); gc_free (&gc); return true; } / * For debugging, print contents of key_source2 structure. / static void key_source_print (const struct key_source k, const char prefix) { struct gc_arena gc = gc_new (); VALGRIND_MAKE_READABLE ((void )k->pre_master, sizeof (k->pre_master)); VALGRIND_MAKE_READABLE ((void )k->random1, sizeof (k->random1)); VALGRIND_MAKE_READABLE ((void )k->random2, sizeof (k->random2)); dmsg (D_SHOW_KEY_SOURCE, "%s pre_master: %s", prefix, format_hex (k->pre_master, sizeof (k->pre_master), 0, &gc)); dmsg (D_SHOW_KEY_SOURCE, "%s random1: %s", prefix, format_hex (k->random1, sizeof (k->random1), 0, &gc)); dmsg (D_SHOW_KEY_SOURCE, "%s random2: %s", prefix, format_hex (k->random2, sizeof (k->random2), 0, &gc)); gc_free (&gc); } static void key_source2_print (const struct key_source2 k) { key_source_print (&k->client, "Client"); key_source_print (&k->server, "Server"); } /
eab0cf2d	* Generate the hash required by for the \c tls1_PRF function.
6fbf66fa	*
eab0cf2d	* @param md_kt Message digest to use * @param sec Secret to base the hash on * @param sec_len Length of the secret * @param seed Seed to hash * @param seed_len Length of the seed * @param out Output buffer * @param olen Length of the output buffer
6fbf66fa	*/
eab0cf2d	void tls1_P_hash(const md_kt_t *md_kt,
6fbf66fa	const uint8_t sec, int sec_len, const uint8_t seed, int seed_len, uint8_t *out, int olen) { struct gc_arena gc = gc_new ();
672943fb	int chunk;
eab0cf2d	hmac_ctx_t ctx; hmac_ctx_t ctx_tmp; uint8_t A1[MAX_HMAC_KEY_LENGTH];
6fbf66fa	unsigned int A1_len; #ifdef ENABLE_DEBUG const int olen_orig = olen; const uint8_t *out_orig = out; #endif
eab0cf2d	CLEAR(ctx); CLEAR(ctx_tmp);
6fbf66fa	dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex (sec, sec_len, 0, &gc)); dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex (seed, seed_len, 0, &gc));
eab0cf2d	chunk = md_kt_size(md_kt); A1_len = md_kt_size(md_kt);
6fbf66fa
62242ed2	hmac_ctx_init(&ctx, sec, sec_len, md_kt); hmac_ctx_init(&ctx_tmp, sec, sec_len, md_kt);
eab0cf2d	hmac_ctx_update(&ctx,seed,seed_len); hmac_ctx_final(&ctx, A1);
6fbf66fa	for (;;) {
eab0cf2d	hmac_ctx_reset(&ctx); hmac_ctx_reset(&ctx_tmp); hmac_ctx_update(&ctx,A1,A1_len); hmac_ctx_update(&ctx_tmp,A1,A1_len); hmac_ctx_update(&ctx,seed,seed_len);
6fbf66fa	if (olen > chunk) {
eab0cf2d	hmac_ctx_final(&ctx, out); out+=chunk; olen-=chunk; hmac_ctx_final(&ctx_tmp, A1); /* calc the next A1 value */
6fbf66fa	} else /* last one */ {
eab0cf2d	hmac_ctx_final(&ctx, A1);
6fbf66fa	memcpy(out,A1,olen); break; } }
eab0cf2d	hmac_ctx_cleanup(&ctx); hmac_ctx_cleanup(&ctx_tmp);
6fbf66fa	CLEAR (A1); dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex (out_orig, olen_orig, 0, &gc)); gc_free (&gc); }
eab0cf2d	/* * Use the TLS PRF function for generating data channel keys. * This code is based on the OpenSSL library. * * TLS generates keys as such: * * master_secret[48] = PRF(pre_master_secret[48], "master secret", * ClientHello.random[32] + ServerHello.random[32]) * * key_block[] = PRF(SecurityParameters.master_secret[48], * "key expansion", * SecurityParameters.server_random[32] + * SecurityParameters.client_random[32]); * * Notes: * * (1) key_block contains a full set of 4 keys. * (2) The pre-master secret is generated by the client. */
6fbf66fa	static void
66407e11	tls1_PRF(const uint8_t *label,
6fbf66fa	int label_len, const uint8_t sec, int slen, uint8_t out1, int olen) { struct gc_arena gc = gc_new ();
eab0cf2d	const md_kt_t md5 = md_kt_get("MD5"); const md_kt_t sha1 = md_kt_get("SHA1");
6fbf66fa	int len,i; const uint8_t S1,S2; uint8_t out2; out2 = (uint8_t ) gc_malloc (olen, false, &gc); len=slen/2; S1=sec; S2= &(sec[len]); len+=(slen&1); /* add for odd, make longer / tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen); tls1_P_hash(sha1,S2,len,label,label_len,out2,olen); for (i=0; i<olen; i++) out1[i]^=out2[i]; memset (out2, 0, olen); dmsg (D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex (out1, olen, 0, &gc)); gc_free (&gc); } static void openvpn_PRF (const uint8_t secret, int secret_len, const char label, const uint8_t client_seed, int client_seed_len, const uint8_t server_seed, int server_seed_len, const struct session_id client_sid, const struct session_id server_sid, uint8_t output, int output_len) { /* concatenate seed components / struct buffer seed = alloc_buf (strlen (label) + client_seed_len + server_seed_len + SID_SIZE 2); ASSERT (buf_write (&seed, label, strlen (label))); ASSERT (buf_write (&seed, client_seed, client_seed_len)); ASSERT (buf_write (&seed, server_seed, server_seed_len)); if (client_sid) ASSERT (buf_write (&seed, client_sid->id, SID_SIZE)); if (server_sid) ASSERT (buf_write (&seed, server_sid->id, SID_SIZE)); /* compute PRF / tls1_PRF (BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len); buf_clear (&seed); free_buf (&seed); VALGRIND_MAKE_READABLE ((void )output, output_len); } /* * Using source entropy from local and remote hosts, mix into * master key. / static bool generate_key_expansion (struct key_ctx_bi key, const struct key_type key_type, const struct key_source2 key_src, const struct session_id client_sid, const struct session_id server_sid, bool server) { uint8_t master[48]; struct key2 key2; bool ret = false; int i; CLEAR (master); CLEAR (key2); /* debugging print of source key material / key_source2_print (key_src); / compute master secret / openvpn_PRF (key_src->client.pre_master, sizeof(key_src->client.pre_master), KEY_EXPANSION_ID " master secret", key_src->client.random1, sizeof(key_src->client.random1), key_src->server.random1, sizeof(key_src->server.random1), NULL, NULL, master, sizeof(master)); / compute key expansion / openvpn_PRF (master, sizeof(master), KEY_EXPANSION_ID " key expansion", key_src->client.random2, sizeof(key_src->client.random2), key_src->server.random2, sizeof(key_src->server.random2), client_sid, server_sid, (uint8_t)key2.keys, sizeof(key2.keys)); key2.n = 2; key2_print (&key2, key_type, "Master Encrypt", "Master Decrypt"); /* check for weak keys / for (i = 0; i < 2; ++i) { fixup_key (&key2.keys[i], key_type); if (!check_key (&key2.keys[i], key_type)) { msg (D_TLS_ERRORS, "TLS Error: Bad dynamic key generated"); goto exit; } } / Initialize OpenSSL key contexts */ ASSERT (server == true \|\| server == false); init_key_ctx (&key->encrypt, &key2.keys[(int)server], key_type,
b5738e5b	OPENVPN_OP_ENCRYPT,
6fbf66fa	"Data Channel Encrypt"); init_key_ctx (&key->decrypt, &key2.keys[1-(int)server], key_type,
b5738e5b	OPENVPN_OP_DECRYPT,
6fbf66fa	"Data Channel Decrypt");
66407e11	/* Initialize implicit IVs */ key_ctx_update_implicit_iv (&key->encrypt, key2.keys[(int)server].hmac, MAX_HMAC_KEY_LENGTH); key_ctx_update_implicit_iv (&key->decrypt, key2.keys[1-(int)server].hmac, MAX_HMAC_KEY_LENGTH);
97894360	key->initialized = true;
6fbf66fa	ret = true; exit: CLEAR (master); CLEAR (key2); return ret; }
66407e11	static void key_ctx_update_implicit_iv(struct key_ctx ctx, uint8_t key, size_t key_len) { const cipher_kt_t cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher); / Only use implicit IV in AEAD cipher mode, where HMAC key is not used */ if (cipher_kt_mode_aead (cipher_kt)) { size_t impl_iv_len = 0; ASSERT (cipher_kt_iv_size (cipher_kt) >= OPENVPN_AEAD_MIN_IV_LEN); impl_iv_len = cipher_kt_iv_size (cipher_kt) - sizeof (packet_id_type); ASSERT (impl_iv_len <= OPENVPN_MAX_IV_LENGTH); ASSERT (impl_iv_len <= key_len); memcpy (ctx->implicit_iv, key, impl_iv_len); ctx->implicit_iv_len = impl_iv_len; } }
97894360	bool tls_session_update_crypto_params(struct tls_session session, const struct options options, struct frame frame) { bool ret = false; struct key_state ks = &session->key[KS_PRIMARY]; /* primary key / ASSERT (!session->opt->server); ASSERT (ks->authenticated); init_key_type (&session->opt->key_type, options->ciphername, options->ciphername_defined, options->authname, options->authname_defined, options->keysize, true, true); bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher); session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM); if (packet_id_long_form) session->opt->crypto_flags_and = CO_PACKET_ID_LONG_FORM; / Update frame parameters: undo worst-case overhead, add actual overhead / frame_add_to_extra_frame (frame, -(crypto_max_overhead())); crypto_adjust_frame_parameters (frame, &session->opt->key_type, options->ciphername_defined, options->use_iv, options->replay, packet_id_long_form); frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu, options->ce.tun_mtu_defined, options->ce.tun_mtu); frame_print (frame, D_MTU_INFO, "Data Channel MTU parms"); if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, &session->opt->key_type, ks->key_src, &session->session_id, &ks->session_id_remote, false)) { msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); goto cleanup; } ret = true; cleanup: CLEAR (ks->key_src); return ret; }
6fbf66fa	static bool random_bytes_to_buf (struct buffer buf, uint8_t out, int outlen) {
6825182b	if (!rand_bytes (out, outlen))
6fbf66fa	msg (M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]"); if (!buf_write (buf, out, outlen)) return false; return true; } static bool key_source2_randomize_write (struct key_source2 k2, struct buffer buf, bool server) { struct key_source k = &k2->client; if (server) k = &k2->server; CLEAR (k); if (!server) { if (!random_bytes_to_buf (buf, k->pre_master, sizeof (k->pre_master))) return false; } if (!random_bytes_to_buf (buf, k->random1, sizeof (k->random1))) return false; if (!random_bytes_to_buf (buf, k->random2, sizeof (k->random2))) return false; return true; } static int key_source2_read (struct key_source2 k2, struct buffer buf, bool server) { struct key_source k = &k2->client; if (!server) k = &k2->server; CLEAR (k); if (server) { if (!buf_read (buf, k->pre_master, sizeof (k->pre_master))) return 0; } if (!buf_read (buf, k->random1, sizeof (k->random1))) return 0; if (!buf_read (buf, k->random2, sizeof (k->random2))) return 0; return 1; }
dc85dae6	static void
57513aac	flush_payload_buffer (struct key_state *ks)
dc85dae6	{ struct buffer *b;
57513aac
dc85dae6	while ((b = buffer_list_peek (ks->paybuf))) {
bf707bd2	key_state_write_plaintext_const (&ks->ks_ssl, b->data, b->len);
dc85dae6	buffer_list_pop (ks->paybuf); } }
6fbf66fa	/* true if no in/out acknowledgements pending / #define FULL_SYNC \ (reliable_empty(ks->send_reliable) && reliable_ack_empty (ks->rec_ack)) / * Move the active key to the lame duck key and reinitialize the * active key. / static void key_state_soft_reset (struct tls_session session) {
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key / struct key_state ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
6fbf66fa	ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key / key_state_free (ks_lame, false); ks_lame = ks; key_state_init (session, ks); ks->session_id_remote = ks_lame->session_id_remote; ks->remote_addr = ks_lame->remote_addr; } / * Read/write strings from/to a struct buffer with a u16 length prefix. */ static bool
fef565a3	write_empty_string (struct buffer *buf) { if (!buf_write_u16 (buf, 0)) return false; return true; } static bool
6fbf66fa	write_string (struct buffer buf, const char str, const int maxlen) { const int len = strlen (str) + 1; if (len < 1 \|\| (maxlen >= 0 && len > maxlen)) return false; if (!buf_write_u16 (buf, len)) return false; if (!buf_write (buf, str, len)) return false; return true; } static bool read_string (struct buffer buf, char str, const unsigned int capacity) { const int len = buf_read_u16 (buf); if (len < 1 \|\| len > (int)capacity) return false; if (!buf_read (buf, str, len)) return false; str[len-1] = '\0'; return true; }
aaf72974	static char * read_string_alloc (struct buffer buf) { const int len = buf_read_u16 (buf); char str; if (len < 1) return NULL; str = (char ) malloc(len); check_malloc_return(str); if (!buf_read (buf, str, len)) { free (str); return NULL; } str[len-1] = '\0'; return str; } void read_string_discard (struct buffer buf) { char *data = read_string_alloc(buf); if (data) free (data); }
6fbf66fa	/* * Handle the reading and writing of key data to and from * the TLS control channel (cleartext). / static bool key_method_1_write (struct buffer buf, struct tls_session *session) { struct key key;
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key */
6fbf66fa	ASSERT (session->opt->key_method == 1); ASSERT (buf_init (buf, 0)); generate_key_random (&key, &session->opt->key_type); if (!check_key (&key, &session->opt->key_type)) { msg (D_TLS_ERRORS, "TLS Error: Bad encrypting key generated"); return false; } if (!write_key (&key, &session->opt->key_type, buf)) { msg (D_TLS_ERRORS, "TLS Error: write_key failed"); return false; }
8b1a00ca	init_key_ctx (&ks->crypto_options.key_ctx_bi.encrypt, &key, &session->opt->key_type, OPENVPN_OP_ENCRYPT, "Data Channel Encrypt");
6fbf66fa	CLEAR (key); /* send local options string / { const char local_options = local_options_string (session); const int optlen = strlen (local_options) + 1; if (!buf_write (buf, local_options, optlen)) { msg (D_TLS_ERRORS, "TLS Error: KM1 write options failed"); return false; } } return true; } static bool
aaf72974	push_peer_info(struct buffer buf, struct tls_session session) { struct gc_arena gc = gc_new (); bool ret = false; #ifdef ENABLE_PUSH_PEER_INFO
598e03f0	if (session->opt->push_peer_info_detail > 0)
aaf72974	{ struct env_set es = session->opt->es; struct env_item e; struct buffer out = alloc_buf_gc (5123, &gc); / push version / buf_printf (&out, "IV_VER=%s\n", PACKAGE_VERSION); / push platform */ #if defined(TARGET_LINUX) buf_printf (&out, "IV_PLAT=linux\n"); #elif defined(TARGET_SOLARIS) buf_printf (&out, "IV_PLAT=solaris\n"); #elif defined(TARGET_OPENBSD) buf_printf (&out, "IV_PLAT=openbsd\n"); #elif defined(TARGET_DARWIN) buf_printf (&out, "IV_PLAT=mac\n"); #elif defined(TARGET_NETBSD) buf_printf (&out, "IV_PLAT=netbsd\n"); #elif defined(TARGET_FREEBSD) buf_printf (&out, "IV_PLAT=freebsd\n");
a55b3cdb	#elif defined(TARGET_ANDROID) buf_printf (&out, "IV_PLAT=android\n");
aaf72974	#elif defined(WIN32) buf_printf (&out, "IV_PLAT=win\n"); #endif
65eedc35	/* support for P_DATA_V2 */ buf_printf(&out, "IV_PROTO=2\n");
97894360	/* support for Negotiable Crypto Paramters */ if (session->opt->pull) buf_printf(&out, "IV_NCP=2\n");
38d96bd7	/* push compression status */ #ifdef USE_COMP comp_generate_peer_info_string(&session->opt->comp_options, &out);
6c34e74f	#endif
3ddb5643	/* support for redirecting IPv6 gateway */ buf_printf(&out, "IV_RGI6=1\n");
598e03f0	if (session->opt->push_peer_info_detail >= 2) { /* push mac addr */ struct route_gateway_info rgi; get_default_gateway (&rgi); if (rgi.flags & RGI_HWADDR_DEFINED) buf_printf (&out, "IV_HWADDR=%s\n", format_hex_ex (rgi.hwaddr, 6, 0, 1, ":", &gc));
1ec984b1	buf_printf (&out, "IV_SSL=%s\n", get_ssl_library_version() );
cdc65ea0	#if defined(WIN32) buf_printf (&out, "IV_PLAT_VER=%s\n", win32_version_string (&gc, false)); #endif
f3a2cd25	}
598e03f0
960524a9	/* push env vars that begin with UV_, IV_PLAT_VER and IV_GUI_VER */
f3a2cd25	for (e=es->list; e != NULL; e=e->next) { if (e->string)
aaf72974	{
960524a9	if ((((strncmp(e->string, "UV_", 3)==0 \|\| strncmp(e->string, "IV_PLAT_VER=", sizeof("IV_PLAT_VER=")-1)==0) && session->opt->push_peer_info_detail >= 2)
7efaca73	\|\| (strncmp(e->string,"IV_GUI_VER=",sizeof("IV_GUI_VER=")-1)==0))
f3a2cd25	&& buf_safe(&out, strlen(e->string)+1)) buf_printf (&out, "%s\n", e->string);
aaf72974	} } if (!write_string(buf, BSTR(&out), -1)) goto error; } else #endif { if (!write_empty_string (buf)) /* no peer info */ goto error; } ret = true; error: gc_free (&gc); return ret; } static bool
6fbf66fa	key_method_2_write (struct buffer buf, struct tls_session session) {
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key */
6fbf66fa	ASSERT (session->opt->key_method == 2); ASSERT (buf_init (buf, 0)); /* write a uint32 0 / if (!buf_write_u32 (buf, 0)) goto error; / write key_method + flags / if (!buf_write_u8 (buf, (session->opt->key_method & KEY_METHOD_MASK))) goto error; / write key source material / if (!key_source2_randomize_write (ks->key_src, buf, session->opt->server)) goto error; / write options string / { if (!write_string (buf, local_options_string (session), TLS_OPTIONS_LEN)) goto error; } / write username/password if specified */ if (auth_user_pass_enabled) {
eab3e22f	#ifdef ENABLE_CLIENT_CR
ac1cb5bf	auth_user_pass_setup (session->opt->auth_user_pass_file, session->opt->sci);
eab3e22f	#else
ac1cb5bf	auth_user_pass_setup (session->opt->auth_user_pass_file, NULL);
eab3e22f	#endif
6fbf66fa	if (!write_string (buf, auth_user_pass.username, -1)) goto error; if (!write_string (buf, auth_user_pass.password, -1)) goto error; purge_user_pass (&auth_user_pass, false); }
aaf72974	else { if (!write_empty_string (buf)) /* no username / goto error; if (!write_empty_string (buf)) / no password */ goto error; } if (!push_peer_info (buf, session)) goto error;
6fbf66fa	/* * generate tunnel keys if server */ if (session->opt->server) { if (ks->authenticated) {
8b1a00ca	if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi,
6fbf66fa	&session->opt->key_type, ks->key_src, &ks->session_id_remote, &session->session_id, true)) { msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed"); goto error; } } CLEAR (ks->key_src); } return true; error: msg (D_TLS_ERRORS, "TLS Error: Key Method #2 write failed"); CLEAR (ks->key_src); return false; } static bool key_method_1_read (struct buffer buf, struct tls_session session) { int status; struct key key;
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key */
6fbf66fa	ASSERT (session->opt->key_method == 1); if (!session->verified) { msg (D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 1)"); goto error; } status = read_key (&key, &session->opt->key_type, buf); if (status != 1) { msg (D_TLS_ERRORS, "TLS Error: Error reading data channel key from plaintext buffer"); goto error; } if (!check_key (&key, &session->opt->key_type)) { msg (D_TLS_ERRORS, "TLS Error: Bad decrypting key received from peer"); goto error; } if (buf->len < 1) { msg (D_TLS_ERRORS, "TLS Error: Missing options string"); goto error; } #ifdef ENABLE_OCC /* compare received remote options string with our locally computed options string / if (!session->opt->disable_occ && !options_cmp_equal_safe ((char ) BPTR (buf), session->opt->remote_options, buf->len)) { options_warning_safe ((char *) BPTR (buf), session->opt->remote_options, buf->len); } #endif buf_clear (buf);
8b1a00ca	init_key_ctx (&ks->crypto_options.key_ctx_bi.decrypt, &key, &session->opt->key_type, OPENVPN_OP_DECRYPT, "Data Channel Decrypt");
6fbf66fa	CLEAR (key); ks->authenticated = true; return true; error: buf_clear (buf); CLEAR (key); return false; } static bool key_method_2_read (struct buffer buf, struct tls_multi multi, struct tls_session *session) {
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key */
d0811e64
6fbf66fa	int key_method_flags;
d0811e64	bool username_status, password_status;
6fbf66fa
d0811e64	struct gc_arena gc = gc_new (); char *options;
a8be7379	struct user_pass *up;
90efcacb
d0811e64	/* allocate temporary objects */ ALLOC_ARRAY_CLEAR_GC (options, char, TLS_OPTIONS_LEN, &gc);
90efcacb
6fbf66fa	ASSERT (session->opt->key_method == 2); /* discard leading uint32 */
c5590a68	if (!buf_advance (buf, 4)) { msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", buf->len); goto error; }
6fbf66fa	/* get key method / key_method_flags = buf_read_u8 (buf); if ((key_method_flags & KEY_METHOD_MASK) != 2) { msg (D_TLS_ERRORS, "TLS ERROR: Unknown key_method/flags=%d received from remote host", key_method_flags); goto error; } / get key source material (not actual keys yet) / if (!key_source2_read (ks->key_src, buf, session->opt->server)) { msg (D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer"); goto error; } / get options */ if (!read_string (buf, options, TLS_OPTIONS_LEN)) { msg (D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string"); goto error; } ks->authenticated = false;
d0811e64
a8be7379	/* always extract username + password fields from buf, even if not * authenticating for it, because otherwise we can't get at the * peer_info data which follows behind */ ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc); username_status = read_string (buf, up->username, USER_PASS_LEN); password_status = read_string (buf, up->password, USER_PASS_LEN);
1eb9a127	#if P2MP_SERVER
a8be7379	/* get peer info from control channel */ free (multi->peer_info); multi->peer_info = read_string_alloc (buf); if ( multi->peer_info )
46e02127	output_peer_info_env (session->opt->es, multi->peer_info);
a8be7379	#endif
3ba6b9ff	if (tls_session_user_pass_enabled(session))
6fbf66fa	{
d0811e64	/* Perform username/password authentication */
aaf72974	if (!username_status \|\| !password_status)
6fbf66fa	{ CLEAR (*up);
24ce3b27	if (!(session->opt->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL)) { msg (D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer"); goto error; }
6fbf66fa	}
d0811e64	verify_user_pass(up, multi, session);
6fbf66fa	} else {
d0811e64	/* Session verification should have occurred during TLS negotiation*/
6fbf66fa	if (!session->verified) { msg (D_TLS_ERRORS, "TLS Error: Certificate verification failed (key-method 2)"); goto error; } ks->authenticated = true; }
a8be7379	/* clear username and password from memory / CLEAR (up);
88aaf1ae	/* Perform final authentication checks */ if (ks->authenticated)
6fbf66fa	{
88aaf1ae	verify_final_auth_checks(multi, session);
6fbf66fa	} #ifdef ENABLE_OCC /* check options consistency */ if (!session->opt->disable_occ && !options_cmp_equal (options, session->opt->remote_options)) { options_warning (options, session->opt->remote_options);
09cc9c81	if (session->opt->ssl_flags & SSLF_OPT_VERIFY) { msg (D_TLS_ERRORS, "Option inconsistency warnings triggering disconnect due to --opt-verify"); ks->authenticated = false; }
6fbf66fa	} #endif buf_clear (buf); /*
d92819fa	* Call OPENVPN_PLUGIN_TLS_FINAL plugin if defined, for final * veto opportunity over authentication decision. */ if (ks->authenticated && plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL)) {
685e486e	key_state_export_keying_material(&ks->ks_ssl, session);
1876ccd0	if (plugin_call (session->opt->plugins, OPENVPN_PLUGIN_TLS_FINAL, NULL, NULL, session->opt->es) != OPENVPN_PLUGIN_FUNC_SUCCESS)
d92819fa	ks->authenticated = false;
685e486e	setenv_del (session->opt->es, "exported_keying_material");
d92819fa	} /*
97894360	* Generate tunnel keys if we're a client. * If --pull is enabled, the first key generation is postponed until after the * pull/push, so we can process pushed cipher directives.
6fbf66fa	*/
97894360	if (!session->opt->server && (!session->opt->pull \|\| ks->key_id > 0))
6fbf66fa	{
8b1a00ca	if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi,
6fbf66fa	&session->opt->key_type, ks->key_src, &session->session_id, &ks->session_id_remote, false)) { msg (D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed"); goto error; }
97894360
6fbf66fa	CLEAR (ks->key_src); } gc_free (&gc); return true; error: CLEAR (ks->key_src); buf_clear (buf); gc_free (&gc); return false; }
1c4af9ea	static int auth_deferred_expire_window (const struct tls_options *o) {
112e6704	int ret = o->handshake_window;
1c4af9ea	const int r2 = o->renegotiate_seconds / 2;
112e6704	if (o->renegotiate_seconds && r2 < ret) ret = r2; return ret;
1c4af9ea	}
6fbf66fa	/* * This is the primary routine for processing TLS stuff inside the * the main event loop. When this routine exits * with non-error status, it will set wakeup to the number of seconds when it wants to be called again. * * Return value is true if we have placed a packet in to_link which we want to send to our peer. / static bool tls_process (struct tls_multi multi, struct tls_session session, struct buffer to_link,
8bc93d7f	struct link_socket_actual **to_link_addr,
6fbf66fa	struct link_socket_info to_link_socket_info, interval_t wakeup) { struct gc_arena gc = gc_new (); struct buffer *buf; bool state_change = false; bool active = false;
57513aac	struct key_state ks = &session->key[KS_PRIMARY]; / primary key / struct key_state ks_lame = &session->key[KS_LAME_DUCK]; /* retiring key */
6fbf66fa	/* Make sure we were initialized and that we're not in an error state / ASSERT (ks->state != S_UNDEF); ASSERT (ks->state != S_ERROR); ASSERT (session_id_defined (&session->session_id)); / Should we trigger a soft reset? -- new key, keeps old key for a while */ if (ks->state >= S_ACTIVE && ((session->opt->renegotiate_seconds && now >= ks->established + session->opt->renegotiate_seconds) \|\| (session->opt->renegotiate_bytes && ks->n_bytes >= session->opt->renegotiate_bytes) \|\| (session->opt->renegotiate_packets && ks->n_packets >= session->opt->renegotiate_packets)
3ebc31f9	\|\| (packet_id_close_to_wrapping (&ks->crypto_options.packet_id.send))))
6fbf66fa	{
41104b4e	msg (D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d bytes=" counter_format "/%d pkts=" counter_format "/%d",
6fbf66fa	(int)(ks->established + session->opt->renegotiate_seconds - now), ks->n_bytes, session->opt->renegotiate_bytes, ks->n_packets, session->opt->renegotiate_packets); key_state_soft_reset (session); } /* Kill lame duck key transition_window seconds after primary key negotiation / if (lame_duck_must_die (session, wakeup)) { key_state_free (ks_lame, true); msg (D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key"); } do { update_time (); dmsg (D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d", state_change, state_name (ks->state), state_name (ks_lame->state), to_link->len, wakeup); state_change = false; /* * TLS activity is finished once we get to S_ACTIVE, * though we will still process acknowledgements. * * CHANGED with 2.0 -> now we may send tunnel configuration * info over the control channel. / if (true) { / Initial handshake */ if (ks->state == S_INITIAL) { buf = reliable_get_buf_output_sequenced (ks->send_reliable); if (buf) {
1c4af9ea	ks->must_negotiate = now + session->opt->handshake_window; ks->auth_deferred_expire = now + auth_deferred_expire_window (session->opt);
6fbf66fa	/* null buffer */ reliable_mark_active_outgoing (ks->send_reliable, buf, ks->initial_opcode); INCR_GENERATED; ks->state = S_PRE_START; state_change = true; dmsg (D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s", session_id_print (&session->session_id, &gc)); #ifdef ENABLE_MANAGEMENT if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1) { management_set_state (management, OPENVPN_STATE_WAIT, NULL,
2191c471	NULL, NULL, NULL, NULL);
6fbf66fa	} #endif } } /* Are we timed out on receive? / if (now >= ks->must_negotiate) { if (ks->state < S_ACTIVE) { msg (D_TLS_ERRORS, "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)", session->opt->handshake_window); goto error; } else / assume that ks->state == S_ACTIVE */ {
6aa7fb8d	dmsg (D_TLS_DEBUG_MED, "STATE S_NORMAL_OP"); ks->state = S_NORMAL_OP;
6fbf66fa	ks->must_negotiate = 0; } } /* Wait for Initial Handshake ACK / if (ks->state == S_PRE_START && FULL_SYNC) { ks->state = S_START; state_change = true; dmsg (D_TLS_DEBUG_MED, "STATE S_START"); } / Wait for ACK */ if (((ks->state == S_GOT_KEY && !session->opt->server) \|\| (ks->state == S_SENT_KEY && session->opt->server))) { if (FULL_SYNC) { ks->established = now; dmsg (D_TLS_DEBUG_MED, "STATE S_ACTIVE"); if (check_debug_level (D_HANDSHAKE))
963ad54e	print_details (&ks->ks_ssl, "Control Channel:");
6fbf66fa	state_change = true; ks->state = S_ACTIVE; INCR_SUCCESS; /* Set outgoing address for data channel packets */ link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
57513aac	/* Flush any payload packets that were buffered before our state transitioned to S_ACTIVE */ flush_payload_buffer (ks);
dc85dae6
6fbf66fa	#ifdef MEASURE_TLS_HANDSHAKE_STATS show_tls_performance_stats(); #endif } } /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs for previously received packets) / if (!to_link->len && reliable_can_send (ks->send_reliable)) { int opcode; struct buffer b; buf = reliable_send (ks->send_reliable, &opcode); ASSERT (buf); b = buf; INCR_SENT; write_control_auth (session, ks, &b, to_link_addr, opcode, CONTROL_SEND_ACK_MAX, true); to_link = b; active = true; state_change = true; dmsg (D_TLS_DEBUG, "Reliable -> TCP/UDP"); break; } #ifndef TLS_AGGREGATE_ACK / Send 1 or more ACKs (each received control packet gets one ACK) / if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) { buf = &ks->ack_write_buf; ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false); to_link = buf; active = true; state_change = true; dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); break; } #endif / Write incoming ciphertext to TLS object */ buf = reliable_get_buf_sequenced (ks->rec_reliable); if (buf) { int status = 0; if (buf->len) {
bf707bd2	status = key_state_write_ciphertext (&ks->ks_ssl, buf);
6fbf66fa	if (status == -1) { msg (D_TLS_ERRORS, "TLS Error: Incoming Ciphertext -> TLS object write error"); goto error; } } else { status = 1; } if (status == 1) { reliable_mark_deleted (ks->rec_reliable, buf, true); state_change = true; dmsg (D_TLS_DEBUG, "Incoming Ciphertext -> TLS"); } } /* Read incoming plaintext from TLS object */ buf = &ks->plaintext_read_buf; if (!buf->len) { int status; ASSERT (buf_init (buf, 0));
dd5e1102	status = key_state_read_plaintext (&ks->ks_ssl, buf, TLS_CHANNEL_BUF_SIZE);
6fbf66fa	update_time (); if (status == -1) { msg (D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error"); goto error; } if (status == 1) { state_change = true; dmsg (D_TLS_DEBUG, "TLS -> Incoming Plaintext"); } #if 0 /* show null plaintext reads / if (!status) msg (M_INFO, "TLS plaintext read -> NULL return"); #endif } / Send Key / buf = &ks->plaintext_write_buf; if (!buf->len && ((ks->state == S_START && !session->opt->server) \|\| (ks->state == S_GOT_KEY && session->opt->server))) { if (session->opt->key_method == 1) { if (!key_method_1_write (buf, session)) goto error; } else if (session->opt->key_method == 2) { if (!key_method_2_write (buf, session)) goto error; } else { ASSERT (0); } state_change = true; dmsg (D_TLS_DEBUG_MED, "STATE S_SENT_KEY"); ks->state = S_SENT_KEY; } / Receive Key / buf = &ks->plaintext_read_buf; if (buf->len && ((ks->state == S_SENT_KEY && !session->opt->server) \|\| (ks->state == S_START && session->opt->server))) { if (session->opt->key_method == 1) { if (!key_method_1_read (buf, session)) goto error; } else if (session->opt->key_method == 2) { if (!key_method_2_read (buf, multi, session)) goto error; } else { ASSERT (0); } state_change = true; dmsg (D_TLS_DEBUG_MED, "STATE S_GOT_KEY"); ks->state = S_GOT_KEY; } / Write outgoing plaintext to TLS object */ buf = &ks->plaintext_write_buf; if (buf->len) {
bf707bd2	int status = key_state_write_plaintext (&ks->ks_ssl, buf);
6fbf66fa	if (status == -1) { msg (D_TLS_ERRORS, "TLS ERROR: Outgoing Plaintext -> TLS object write error"); goto error; } if (status == 1) { state_change = true; dmsg (D_TLS_DEBUG, "Outgoing Plaintext -> TLS"); } } /* Outgoing Ciphertext to reliable buffer */ if (ks->state >= S_START) { buf = reliable_get_buf_output_sequenced (ks->send_reliable); if (buf) {
dd5e1102	int status = key_state_read_ciphertext (&ks->ks_ssl, buf, PAYLOAD_SIZE_DYNAMIC (&multi->opt.frame));
6fbf66fa	if (status == -1) { msg (D_TLS_ERRORS, "TLS Error: Ciphertext -> reliable TCP/UDP transport read error"); goto error; } if (status == 1) { reliable_mark_active_outgoing (ks->send_reliable, buf, P_CONTROL_V1); INCR_GENERATED; state_change = true; dmsg (D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable"); } } } } } while (state_change); update_time (); #ifdef TLS_AGGREGATE_ACK /* Send 1 or more ACKs (each received control packet gets one ACK) / if (!to_link->len && !reliable_ack_empty (ks->rec_ack)) { buf = &ks->ack_write_buf; ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame))); write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1, RELIABLE_ACK_SIZE, false); to_link = buf; active = true; state_change = true; dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP"); } #endif / When should we wake up again? / { if (ks->state >= S_INITIAL) { compute_earliest_wakeup (wakeup, reliable_send_timeout (ks->send_reliable)); if (ks->must_negotiate) compute_earliest_wakeup (wakeup, ks->must_negotiate - now); } if (ks->established && session->opt->renegotiate_seconds) compute_earliest_wakeup (wakeup, ks->established + session->opt->renegotiate_seconds - now); / prevent event-loop spinning by setting minimum wakeup of 1 second / if (wakeup <= 0) { wakeup = 1; / if we had something to send to remote, but to_link was busy, let caller know we need to be called again soon / active = true; } dmsg (D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", wakeup); gc_free (&gc); return active; } error:
95993a1d	tls_clear_error();
6fbf66fa	ks->state = S_ERROR; msg (D_TLS_ERRORS, "TLS Error: TLS handshake failed"); INCR_ERROR; gc_free (&gc); return false; } /* * Called by the top-level event loop. * * Basically decides if we should call tls_process for * the active or untrusted sessions. */
344ee918	int
6fbf66fa	tls_multi_process (struct tls_multi multi, struct buffer to_link,
8bc93d7f	struct link_socket_actual **to_link_addr,
6fbf66fa	struct link_socket_info to_link_socket_info, interval_t wakeup) { struct gc_arena gc = gc_new (); int i;
344ee918	int active = TLSMP_INACTIVE;
6fbf66fa	bool error = false;
344ee918	int tas;
6fbf66fa	perf_push (PERF_TLS_MULTI_PROCESS);
95993a1d	tls_clear_error ();
6fbf66fa	/* * Process each session object having state of S_INITIAL or greater, * and which has a defined remote IP addr. / for (i = 0; i < TM_SIZE; ++i) { struct tls_session session = &multi->session[i]; struct key_state ks = &session->key[KS_PRIMARY]; struct key_state ks_lame = &session->key[KS_LAME_DUCK]; /* set initial remote address */ if (i == TM_ACTIVE && ks->state == S_INITIAL &&
8bc93d7f	link_socket_actual_defined (&to_link_socket_info->lsa->actual))
6fbf66fa	ks->remote_addr = to_link_socket_info->lsa->actual; dmsg (D_TLS_DEBUG, "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s", i, state_name (ks->state), session_id_print (&session->session_id, &gc), session_id_print (&ks->session_id_remote, &gc),
8bc93d7f	print_link_socket_actual (&ks->remote_addr, &gc));
6fbf66fa
8bc93d7f	if (ks->state >= S_INITIAL && link_socket_actual_defined (&ks->remote_addr))
6fbf66fa	{
8bc93d7f	struct link_socket_actual *tla = NULL;
6fbf66fa	update_time ();
8bc93d7f	if (tls_process (multi, session, to_link, &tla,
6fbf66fa	to_link_socket_info, wakeup))
344ee918	active = TLSMP_ACTIVE;
6fbf66fa	/*
8bc93d7f	* If tls_process produced an outgoing packet, * return the link_socket_actual object (which * contains the outgoing address). / if (tla) { multi->to_link_addr = tla; to_link_addr = &multi->to_link_addr; } /
6fbf66fa	* If tls_process hits an error: * (1) If the session has an unexpired lame duck key, preserve it. * (2) Reinitialize the session. * (3) Increment soft error count */ if (ks->state == S_ERROR) { ++multi->n_soft_errors; if (i == TM_ACTIVE) error = true; if (i == TM_ACTIVE && ks_lame->state >= S_ACTIVE && !multi->opt.single_session) move_session (multi, TM_LAME_DUCK, TM_ACTIVE, true); else reset_session (multi, session); } } } update_time ();
344ee918	tas = tls_authentication_status (multi, TLS_MULTI_AUTH_STATUS_INTERVAL);
6fbf66fa	/* * If lame duck session expires, kill it. / if (lame_duck_must_die (&multi->session[TM_LAME_DUCK], wakeup)) { tls_session_free (&multi->session[TM_LAME_DUCK], true); msg (D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key"); } / * If untrusted session achieves TLS authentication, * move it to active session, usurping any prior session. * * A semi-trusted session is one in which the certificate authentication * succeeded (if cert verification is enabled) but the username/password * verification failed. A semi-trusted session can forward data on the * TLS control channel but not on the tunnel channel. */ if (DECRYPT_KEY_ENABLED (multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) { move_session (multi, TM_ACTIVE, TM_UNTRUSTED, true); msg (D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
344ee918	tas == TLS_AUTHENTICATION_SUCCEEDED ? "" : "semi-");
6fbf66fa	} /* * A hard error means that TM_ACTIVE hit an S_ERROR state and that no * other key state objects are S_ACTIVE or higher. / if (error) { for (i = 0; i < (int) SIZE (multi->key_scan); ++i) { if (multi->key_scan[i]->state >= S_ACTIVE) goto nohard; } ++multi->n_hard_errors; } nohard: #ifdef ENABLE_DEBUG / DEBUGGING -- flood peer with repeating connection attempts */ { const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL (multi->opt.gremlin); if (throw_level) { for (i = 0; i < (int) SIZE (multi->key_scan); ++i) { if (multi->key_scan[i]->state >= throw_level) { ++multi->n_hard_errors; ++multi->n_soft_errors; } } } } #endif perf_pop (); gc_free (&gc);
344ee918	return (tas == TLS_AUTHENTICATION_FAILED) ? TLSMP_KILL : active;
6fbf66fa	} /* * Pre and post-process the encryption & decryption buffers in order * to implement a multiplexed TLS channel over the TCP/UDP port. / / * * When we are in TLS mode, this is the first routine which sees * an incoming packet. * * If it's a data packet, we set opt so that our caller can * decrypt it. We also give our caller the appropriate decryption key. * * If it's a control packet, we authenticate it and process it, * possibly creating a new tls_session if it represents the * first packet of a new session. For control packets, we will * also zero the size of buf so that our caller ignores the packet on our return. * * Note that openvpn only allows one active session at a time, * so a new session (once authenticated) will always usurp * an old session. * * Return true if input was an authenticated control channel * packet. * * If we are running in TLS thread mode, all public routines * below this point must be called with the L_TLS lock held. / bool tls_pre_decrypt (struct tls_multi multi,
8bc93d7f	const struct link_socket_actual *from,
6fbf66fa	struct buffer *buf,
2d9c6d20	struct crypto_options **opt,
66407e11	bool floated, const uint8_t **ad_start)
6fbf66fa	{ struct gc_arena gc = gc_new (); bool ret = false; if (buf->len > 0) { int i; int op; int key_id; /* get opcode and key ID / { uint8_t c = BPTR (buf); op = c >> P_OPCODE_SHIFT; key_id = c & P_KEY_ID_MASK; }
65eedc35	if ((op == P_DATA_V1) \|\| (op == P_DATA_V2)) { /* data channel packet */
6fbf66fa	for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state ks = multi->key_scan[i]; / * This is the basic test of TLS state compatibility between a local OpenVPN * instance and its remote peer. * * If the test fails, it tells us that we are getting a packet from a source * which claims reference to a prior negotiated TLS session, but the local * OpenVPN instance has no memory of such a negotiation. * * It almost always occurs on UDP sessions when the passive side of the * connection is restarted without the active side restarting as well (the * passive side is the server which only listens for the connections, the * active side is the client which initiates connections). */ if (DECRYPT_KEY_ENABLED (multi, ks) && key_id == ks->key_id && ks->authenticated
47ae8457	#ifdef ENABLE_DEF_AUTH
344ee918	&& !ks->auth_deferred
47ae8457	#endif
65eedc35	&& (floated \|\| link_socket_actual_match (from, &ks->remote_addr)))
6fbf66fa	{
97894360	if (!ks->crypto_options.key_ctx_bi.initialized) { msg (D_TLS_DEBUG_LOW, "Key %s [%d] not initialized (yet), dropping packet.", print_link_socket_actual (from, &gc), key_id); goto error_lite; }
6fbf66fa	/* return appropriate data channel decrypt key in opt */
2d9c6d20	*opt = &ks->crypto_options;
65eedc35	if (op == P_DATA_V2) {
66407e11	ad_start = BPTR(buf); } ASSERT (buf_advance (buf, 1)); if (op == P_DATA_V1) { ad_start = BPTR(buf); } else if (op == P_DATA_V2) {
65eedc35	if (buf->len < 4) { msg (D_TLS_ERRORS, "Protocol error: received P_DATA_V2 from %s but length is < 4", print_link_socket_actual (from, &gc)); goto error; } ASSERT (buf_advance (buf, 3)); }
6fbf66fa	++ks->n_packets; ks->n_bytes += buf->len;
1c4af9ea	dmsg (D_TLS_KEYSELECT, "TLS: tls_pre_decrypt, key_id=%d, IP=%s",
8bc93d7f	key_id, print_link_socket_actual (from, &gc));
6fbf66fa	gc_free (&gc); return ret; } #if 0 /* keys out of sync? */ else {
344ee918	dmsg (D_TLS_ERRORS, "TLS_PRE_DECRYPT: [%d] dken=%d rkid=%d lkid=%d auth=%d def=%d match=%d", i, DECRYPT_KEY_ENABLED (multi, ks), key_id, ks->key_id, ks->authenticated,
47ae8457	#ifdef ENABLE_DEF_AUTH
344ee918	ks->auth_deferred,
47ae8457	#else -1, #endif
344ee918	link_socket_actual_match (from, &ks->remote_addr));
6fbf66fa	} #endif } msg (D_TLS_ERRORS, "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
8bc93d7f	print_link_socket_actual (from, &gc), key_id);
47ae8457	goto error_lite;
6fbf66fa	} else /* control channel packet / { bool do_burst = false; bool new_link = false; struct session_id sid; / remote session ID / / verify legal opcode */ if (op < P_FIRST_OPCODE \|\| op > P_LAST_OPCODE) { msg (D_TLS_ERRORS, "TLS Error: unknown opcode received from %s op=%d",
8bc93d7f	print_link_socket_actual (from, &gc), op);
6fbf66fa	goto error; } /* hard reset ? / if (is_hard_reset (op, 0)) { / verify client -> server or server -> client connection */ if (((op == P_CONTROL_HARD_RESET_CLIENT_V1 \|\| op == P_CONTROL_HARD_RESET_CLIENT_V2) && !multi->opt.server) \|\| ((op == P_CONTROL_HARD_RESET_SERVER_V1 \|\| op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) { msg (D_TLS_ERRORS, "TLS Error: client->client or server->server connection attempted from %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } } /* * Authenticate Packet */ dmsg (D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
8bc93d7f	packet_opcode_name (op), print_link_socket_actual (from, &gc));
6fbf66fa	/* get remote session-id / { struct buffer tmp = buf; buf_advance (&tmp, 1); if (!session_id_read (&sid, &tmp) \|\| !session_id_defined (&sid)) { msg (D_TLS_ERRORS, "TLS Error: session-id not found in packet from %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } } /* use session ID to match up packet with appropriate tls_session object / for (i = 0; i < TM_SIZE; ++i) { struct tls_session session = &multi->session[i]; struct key_state *ks = &session->key[KS_PRIMARY]; dmsg (D_TLS_DEBUG, "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s", i, state_name (ks->state), session_id_print (&session->session_id, &gc), session_id_print (&sid, &gc),
8bc93d7f	print_link_socket_actual (from, &gc),
6fbf66fa	session_id_print (&ks->session_id_remote, &gc),
8bc93d7f	print_link_socket_actual (&ks->remote_addr, &gc));
6fbf66fa	if (session_id_equal (&ks->session_id_remote, &sid)) /* found a match / { if (i == TM_LAME_DUCK) { msg (D_TLS_ERRORS, "TLS ERROR: received control packet with stale session-id=%s", session_id_print (&sid, &gc)); goto error; } dmsg (D_TLS_DEBUG, "TLS: found match, session[%d], sid=%s", i, session_id_print (&sid, &gc)); break; } } / * Initial packet received. / if (i == TM_SIZE && is_hard_reset (op, 0)) { struct tls_session session = &multi->session[TM_ACTIVE]; struct key_state ks = &session->key[KS_PRIMARY]; if (!is_hard_reset (op, multi->opt.key_method)) { msg (D_TLS_ERRORS, "TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s", multi->opt.key_method, packet_opcode_name (op)); goto error; } / * If we have no session currently in progress, the initial packet will * open a new session in TM_ACTIVE rather than TM_UNTRUSTED. */ if (!session_id_defined (&ks->session_id_remote)) { if (multi->opt.single_session && multi->n_sessions) { msg (D_TLS_ERRORS,
92bbb061	"TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [1]",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } #ifdef ENABLE_MANAGEMENT if (management) { management_set_state (management, OPENVPN_STATE_AUTH, NULL,
2191c471	NULL, NULL, NULL, NULL);
6fbf66fa	} #endif msg (D_TLS_DEBUG_LOW, "TLS: Initial packet from %s, sid=%s",
8bc93d7f	print_link_socket_actual (from, &gc),
6fbf66fa	session_id_print (&sid, &gc)); do_burst = true; new_link = true; i = TM_ACTIVE;
8bc93d7f	session->untrusted_addr = *from;
6fbf66fa	} } if (i == TM_SIZE && is_hard_reset (op, 0)) { /* * No match with existing sessions, * probably a new session. / struct tls_session session = &multi->session[TM_UNTRUSTED]; /* * If --single-session, don't allow any hard-reset connection request * unless it the the first packet of the session. */ if (multi->opt.single_session) { msg (D_TLS_ERRORS,
92bbb061	"TLS Error: Cannot accept new session request from %s due to session context expire or --single-session [2]",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } if (!is_hard_reset (op, multi->opt.key_method)) { msg (D_TLS_ERRORS, "TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s", multi->opt.key_method, packet_opcode_name (op)); goto error; } if (!read_control_auth (buf, &session->tls_auth, from)) goto error; /* * New session-initiating control packet is authenticated at this point, * assuming that the --tls-auth command line option was used. * * Without --tls-auth, we leave authentication entirely up to TLS. */ msg (D_TLS_DEBUG_LOW, "TLS: new session incoming connection from %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	new_link = true; i = TM_UNTRUSTED;
8bc93d7f	session->untrusted_addr = *from;
6fbf66fa	} else { struct tls_session session = &multi->session[i]; struct key_state ks = &session->key[KS_PRIMARY]; /* * Packet must belong to an existing session. */ if (i != TM_ACTIVE && i != TM_UNTRUSTED) { msg (D_TLS_ERRORS, "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
8bc93d7f	print_link_socket_actual (from, &gc),
6fbf66fa	i, packet_opcode_name (op)); goto error; } /* * Verify remote IP address */
8bc93d7f	if (!new_link && !link_socket_actual_match (&ks->remote_addr, from))
6fbf66fa	{ msg (D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } /* * Remote is requesting a key renegotiation / if (op == P_CONTROL_SOFT_RESET_V1 && DECRYPT_KEY_ENABLED (multi, ks)) { if (!read_control_auth (buf, &session->tls_auth, from)) goto error; key_state_soft_reset (session); dmsg (D_TLS_DEBUG, "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s", i, session_id_print (&sid, &gc)); } else { / * Remote responding to our key renegotiation request? / if (op == P_CONTROL_SOFT_RESET_V1) do_burst = true; if (!read_control_auth (buf, &session->tls_auth, from)) goto error; dmsg (D_TLS_DEBUG, "TLS: received control channel packet s#=%d sid=%s", i, session_id_print (&sid, &gc)); } } / * We have an authenticated packet (if --tls-auth was set). * Now pass to our reliability level which deals with * packet acknowledgements, retransmits, sequencing, etc. / { struct tls_session session = &multi->session[i]; struct key_state ks = &session->key[KS_PRIMARY]; / Make sure we were initialized and that we're not in an error state / ASSERT (ks->state != S_UNDEF); ASSERT (ks->state != S_ERROR); ASSERT (session_id_defined (&session->session_id)); / Let our caller know we processed a control channel packet / ret = true; / * Set our remote address and remote session_id / if (new_link) { ks->session_id_remote = sid; ks->remote_addr = from; ++multi->n_sessions; }
8bc93d7f	else if (!link_socket_actual_match (&ks->remote_addr, from))
6fbf66fa	{ msg (D_TLS_ERRORS, "TLS Error: Existing session control channel packet from unknown IP address: %s",
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } /* * Should we do a retransmit of all unacknowledged packets in * the send buffer? This improves the start-up efficiency of the * initial key negotiation after the 2nd peer comes online. / if (do_burst && !session->burst) { reliable_schedule_now (ks->send_reliable); session->burst = true; } / Check key_id / if (ks->key_id != key_id) { msg (D_TLS_ERRORS, "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s", ks->key_id, key_id, print_key_id (multi, &gc)); goto error; } / * Process incoming ACKs for packets we can now * delete from reliable send buffer / { / buffers all packet IDs to delete from send_reliable / struct reliable_ack send_ack; send_ack.len = 0; if (!reliable_ack_read (&send_ack, buf, &session->session_id)) { msg (D_TLS_ERRORS, "TLS Error: reading acknowledgement record from packet"); goto error; } reliable_send_purge (ks->send_reliable, &send_ack); } if (op != P_ACK_V1 && reliable_can_get (ks->rec_reliable)) { packet_id_type id; / Extract the packet ID from the packet / if (reliable_ack_read_packet_id (buf, &id)) { / Avoid deadlock by rejecting packet that would de-sequentialize receive buffer / if (reliable_wont_break_sequentiality (ks->rec_reliable, id)) { if (reliable_not_replay (ks->rec_reliable, id)) { / Save incoming ciphertext packet to reliable buffer / struct buffer in = reliable_get_buf (ks->rec_reliable); ASSERT (in); ASSERT (buf_copy (in, buf)); reliable_mark_active_incoming (ks->rec_reliable, in, id, op); } /* Process outgoing acknowledgment for packet just received, even if it's a replay */ reliable_ack_acknowledge_packet_id (ks->rec_ack, id); } } } } } } done: buf->len = 0;
2d9c6d20	*opt = NULL;
6fbf66fa	gc_free (&gc); return ret; error: ++multi->n_soft_errors;
47ae8457	error_lite:
95993a1d	tls_clear_error();
6fbf66fa	goto done; } /* * This function is similar to tls_pre_decrypt, except it is called * when we are in server mode and receive an initial incoming * packet. Note that we don't modify * any state in our parameter objects. The purpose is solely to * determine whether we should generate a client instance * object, in which case true is returned. * * This function is essentially the first-line HMAC firewall * on the UDP port listener in --mode server mode. / bool tls_pre_decrypt_lite (const struct tls_auth_standalone tas,
8bc93d7f	const struct link_socket_actual *from,
6fbf66fa	const struct buffer *buf)
8bc93d7f
6fbf66fa	{ struct gc_arena gc = gc_new (); bool ret = false; if (buf->len > 0) { int op; int key_id; /* get opcode and key ID / { uint8_t c = BPTR (buf); op = c >> P_OPCODE_SHIFT; key_id = c & P_KEY_ID_MASK; } /* this packet is from an as-yet untrusted source, so scrutinize carefully / if (op != P_CONTROL_HARD_RESET_CLIENT_V2) { / * This can occur due to bogus data or DoS packets. */ dmsg (D_TLS_STATE_ERRORS, "TLS State Error: No TLS state for client %s, opcode=%d",
8bc93d7f	print_link_socket_actual (from, &gc),
6fbf66fa	op); goto error; } if (key_id != 0) { dmsg (D_TLS_STATE_ERRORS, "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected", key_id,
8bc93d7f	print_link_socket_actual (from, &gc));
6fbf66fa	goto error; } if (buf->len > EXPANDED_SIZE_DYNAMIC (&tas->frame)) { dmsg (D_TLS_STATE_ERRORS, "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected", buf->len,
8bc93d7f	print_link_socket_actual (from, &gc),
6fbf66fa	EXPANDED_SIZE_DYNAMIC (&tas->frame)); goto error; } { struct buffer newbuf = clone_buf (buf); struct crypto_options co = tas->tls_auth_options; bool status; /* * We are in read-only mode at this point with respect to TLS * control channel state. After we build a new client instance * object, we will process this session-initiating packet for real. / co.flags \|= CO_IGNORE_PACKET_ID; / HMAC test, if --tls-auth was specified / status = read_control_auth (&newbuf, &co, from); free_buf (&newbuf); if (!status) goto error; / * At this point, if --tls-auth is being used, we know that * the packet has passed the HMAC test, but we don't know if * it is a replay yet. We will attempt to defeat replays * by not advancing to the S_START state until we * receive an ACK from our first reply to the client * that includes an HMAC of our randomly generated 64 bit * session ID. * * On the other hand if --tls-auth is not being used, we * will proceed to begin the TLS authentication * handshake with only cursory integrity checks having * been performed, since we will be leaving the task * of authentication solely up to TLS. */ ret = true; } } gc_free (&gc); return ret; error:
95993a1d	tls_clear_error();
6fbf66fa	gc_free (&gc); return ret; } /* Choose the key with which to encrypt a data packet / void tls_pre_encrypt (struct tls_multi multi,
2d9c6d20	struct buffer buf, struct crypto_options *opt)
6fbf66fa	{ multi->save_ks = NULL; if (buf->len > 0) { int i;
1c4af9ea	struct key_state *ks_select = NULL;
6fbf66fa	for (i = 0; i < KEY_SCAN_SIZE; ++i) { struct key_state *ks = multi->key_scan[i];
344ee918	if (ks->state >= S_ACTIVE && ks->authenticated
97894360	&& ks->crypto_options.key_ctx_bi.initialized
47ae8457	#ifdef ENABLE_DEF_AUTH
344ee918	&& !ks->auth_deferred
47ae8457	#endif
1c4af9ea	)
6fbf66fa	{
1c4af9ea	if (!ks_select) ks_select = ks; if (now >= ks->auth_deferred_expire) { ks_select = ks; break; }
6fbf66fa	} }
1c4af9ea	if (ks_select) {
2d9c6d20	*opt = &ks_select->crypto_options;
1c4af9ea	multi->save_ks = ks_select; dmsg (D_TLS_KEYSELECT, "TLS: tls_pre_encrypt: key_id=%d", ks_select->key_id); return; } else { struct gc_arena gc = gc_new (); dmsg (D_TLS_KEYSELECT, "TLS Warning: no data channel send key available: %s", print_key_id (multi, &gc)); gc_free (&gc); }
6fbf66fa	} buf->len = 0;
2d9c6d20	*opt = NULL;
6fbf66fa	} void
66407e11	tls_prepend_opcode_v1 (const struct tls_multi multi, struct buffer buf)
6fbf66fa	{
66407e11	struct key_state ks = multi->save_ks; uint8_t op; msg (D_TLS_DEBUG, __func__); ASSERT (ks); op = (P_DATA_V1 << P_OPCODE_SHIFT) \| ks->key_id; ASSERT (buf_write_prepend (buf, &op, 1)); } void tls_prepend_opcode_v2 (const struct tls_multi multi, struct buffer buf) { struct key_state ks = multi->save_ks;
65eedc35	uint32_t peer;
6fbf66fa
66407e11	msg (D_TLS_DEBUG, __func__); ASSERT (ks); peer = htonl(((P_DATA_V2 << P_OPCODE_SHIFT) \| ks->key_id) << 24 \| (multi->peer_id & 0xFFFFFF)); ASSERT (buf_write_prepend (buf, &peer, 4)); } void tls_post_encrypt (struct tls_multi multi, struct buffer buf) { struct key_state *ks = multi->save_ks;
6fbf66fa	multi->save_ks = NULL;
66407e11
6fbf66fa	if (buf->len > 0) { ASSERT (ks);
65eedc35
6fbf66fa	++ks->n_packets; ks->n_bytes += buf->len; } } /* * Send a payload over the TLS control channel. * Called externally. / bool tls_send_payload (struct tls_multi multi, const uint8_t data, int size) { struct tls_session session; struct key_state *ks; bool ret = false;
95993a1d	tls_clear_error();
6fbf66fa	ASSERT (multi); session = &multi->session[TM_ACTIVE]; ks = &session->key[KS_PRIMARY]; if (ks->state >= S_ACTIVE) {
bf707bd2	if (key_state_write_plaintext_const (&ks->ks_ssl, data, size) == 1)
6fbf66fa	ret = true; }
dc85dae6	else { if (!ks->paybuf) ks->paybuf = buffer_list_new (0); buffer_list_push_data (ks->paybuf, data, (size_t)size); ret = true; }
6fbf66fa
95993a1d	tls_clear_error();
6fbf66fa	return ret; } bool tls_rec_payload (struct tls_multi multi, struct buffer buf) { struct tls_session session; struct key_state ks; bool ret = false;
95993a1d	tls_clear_error();
6fbf66fa	ASSERT (multi); session = &multi->session[TM_ACTIVE]; ks = &session->key[KS_PRIMARY]; if (ks->state >= S_ACTIVE && BLEN (&ks->plaintext_read_buf)) { if (buf_copy (buf, &ks->plaintext_read_buf)) ret = true; ks->plaintext_read_buf.len = 0; }
95993a1d	tls_clear_error();
6fbf66fa	return ret; }
65eedc35	void tls_update_remote_addr (struct tls_multi multi, const struct link_socket_actual addr) { struct gc_arena gc = gc_new (); int i, j; for (i = 0; i < TM_SIZE; ++i) { struct tls_session session = &multi->session[i]; for (j = 0; j < KS_SIZE; ++j) { struct key_state ks = &session->key[j]; if (!link_socket_actual_defined(&ks->remote_addr) \|\| link_socket_actual_match (addr, &ks->remote_addr)) continue; dmsg (D_TLS_KEYSELECT, "TLS: tls_update_remote_addr from IP=%s to IP=%s", print_link_socket_actual (&ks->remote_addr, &gc), print_link_socket_actual (addr, &gc)); ks->remote_addr = *addr; } } gc_free (&gc); }
6fbf66fa	/* * Dump a human-readable rendition of an openvpn packet * into a garbage collectable string which is returned. / const char protocol_dump (struct buffer buffer, unsigned int flags, struct gc_arena gc) { struct buffer out = alloc_buf_gc (256, gc); struct buffer buf = buffer; uint8_t c; int op; int key_id; int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK); if (buf.len <= 0) { buf_printf (&out, "DATA UNDEF len=%d", buf.len); goto done; } if (!(flags & PD_TLS)) goto print_data; / * Initial byte (opcode) */ if (!buf_read (&buf, &c, sizeof (c))) goto done; op = (c >> P_OPCODE_SHIFT); key_id = c & P_KEY_ID_MASK; buf_printf (&out, "%s kid=%d", packet_opcode_name (op), key_id);
65eedc35	if ((op == P_DATA_V1) \|\| (op == P_DATA_V2))
6fbf66fa	goto print_data; /* * Session ID / { struct session_id sid; if (!session_id_read (&sid, &buf)) goto done; if (flags & PD_VERBOSE) buf_printf (&out, " sid=%s", session_id_print (&sid, gc)); } / * tls-auth hmac + packet_id / if (tls_auth_hmac_size) { struct packet_id_net pin; uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH]; ASSERT (tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH); if (!buf_read (&buf, tls_auth_hmac, tls_auth_hmac_size)) goto done; if (flags & PD_VERBOSE) buf_printf (&out, " tls_hmac=%s", format_hex (tls_auth_hmac, tls_auth_hmac_size, 0, gc)); if (!packet_id_read (&pin, &buf, true)) goto done; buf_printf(&out, " pid=%s", packet_id_net_print (&pin, (flags & PD_VERBOSE), gc)); } / * ACK list / buf_printf (&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc)); if (op == P_ACK_V1) goto done; / * Packet ID */ { packet_id_type l; if (!buf_read (&buf, &l, sizeof (l))) goto done; l = ntohpid (l); buf_printf (&out, " pid=" packet_id_format, (packet_id_print_type)l); } print_data: if (flags & PD_SHOW_DATA) buf_printf (&out, " DATA %s", format_hex (BPTR (&buf), BLEN (&buf), 80, gc)); else buf_printf (&out, " DATA len=%d", buf.len); done: return BSTR (&out); } #else static void dummy(void) {}
ec828db6	#endif /* ENABLE_CRYPTO */