Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake
messages.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <1540208715-14044-4-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17790.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
... | ... |
@@ -985,7 +985,8 @@ is_openvpn_protocol(const struct buffer *buf) |
985 | 985 |
{ |
986 | 986 |
return p[0] == 0 |
987 | 987 |
&& p[1] >= 14 |
988 |
- && p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2<<P_OPCODE_SHIFT); |
|
988 |
+ && (p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2 << P_OPCODE_SHIFT) |
|
989 |
+ || p[2] == (P_CONTROL_HARD_RESET_CLIENT_V3 << P_OPCODE_SHIFT)); |
|
989 | 990 |
} |
990 | 991 |
else if (len >= 2) |
991 | 992 |
{ |
... | ... |
@@ -785,6 +785,9 @@ packet_opcode_name(int op) |
785 | 785 |
case P_CONTROL_HARD_RESET_SERVER_V2: |
786 | 786 |
return "P_CONTROL_HARD_RESET_SERVER_V2"; |
787 | 787 |
|
788 |
+ case P_CONTROL_HARD_RESET_CLIENT_V3: |
|
789 |
+ return "P_CONTROL_HARD_RESET_CLIENT_V3"; |
|
790 |
+ |
|
788 | 791 |
case P_CONTROL_SOFT_RESET_V1: |
789 | 792 |
return "P_CONTROL_SOFT_RESET_V1"; |
790 | 793 |
|
... | ... |
@@ -857,7 +860,8 @@ is_hard_reset(int op, int key_method) |
857 | 857 |
|
858 | 858 |
if (!key_method || key_method >= 2) |
859 | 859 |
{ |
860 |
- if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2) |
|
860 |
+ if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2 |
|
861 |
+ || op == P_CONTROL_HARD_RESET_CLIENT_V3) |
|
861 | 862 |
{ |
862 | 863 |
return true; |
863 | 864 |
} |
... | ... |
@@ -1088,8 +1092,15 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session) |
1088 | 1088 |
} |
1089 | 1089 |
else /* session->opt->key_method >= 2 */ |
1090 | 1090 |
{ |
1091 |
- session->initial_opcode = session->opt->server ? |
|
1092 |
- P_CONTROL_HARD_RESET_SERVER_V2 : P_CONTROL_HARD_RESET_CLIENT_V2; |
|
1091 |
+ if (session->opt->server) |
|
1092 |
+ { |
|
1093 |
+ session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2; |
|
1094 |
+ } |
|
1095 |
+ else |
|
1096 |
+ { |
|
1097 |
+ session->initial_opcode = session->opt->tls_crypt_v2 ? |
|
1098 |
+ P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2; |
|
1099 |
+ } |
|
1093 | 1100 |
} |
1094 | 1101 |
|
1095 | 1102 |
/* Initialize control channel authentication parameters */ |
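Review bot: The server branch at new line 1093 keeps P_CONTROL_HARD_RESET_SERVER_V2 even when session->opt->tls_crypt_v2 is set, and nothing in the hunk says that this asymmetry is deliberate, so a reader will go looking for a SERVER_V3 opcode that does not exist. A one-line comment on that branch would settle it, e.g. `/* no SERVER_V3: only the client's reset carries the tls-crypt-v2 client key, so the server always answers with a V2 reset */`. I am inferring the rationale from the client branch and the commit message, so confirm it before adopting the wording. tls_session_init begins and ends outside this hunk.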
... | ... |
@@ -3420,7 +3431,8 @@ tls_pre_decrypt(struct tls_multi *multi, |
3420 | 3420 |
{ |
3421 | 3421 |
/* verify client -> server or server -> client connection */ |
3422 | 3422 |
if (((op == P_CONTROL_HARD_RESET_CLIENT_V1 |
3423 |
- || op == P_CONTROL_HARD_RESET_CLIENT_V2) && !multi->opt.server) |
|
3423 |
+ || op == P_CONTROL_HARD_RESET_CLIENT_V2 |
|
3424 |
+ || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) |
|
3424 | 3425 |
|| ((op == P_CONTROL_HARD_RESET_SERVER_V1 |
3425 | 3426 |
|| op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) |
3426 | 3427 |
{ |
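Review bot: The direction check at new lines 3422-3426 now admits a P_CONTROL_HARD_RESET_CLIENT_V3 on any server, whether or not that server is configured for tls-crypt-v2, and a tls-crypt-v2 server still admits a plain V2 client reset here; the hunk only decides client-versus-server direction. Whatever code later unwraps the client key (not part of this commit, per the message) must also reject the opcode the server is not configured for, otherwise a peer could choose the handshake form that skips the per-client key. If that gate is meant to live in this function, a `/* TODO: reject V3 unless multi->opt.tls_crypt_v2, and V2 when it is set */` next to the check would keep it from being forgotten. The enclosing function starts and ends outside the hunk.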
... | ... |
@@ -3805,7 +3817,8 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, |
3805 | 3805 |
/* this packet is from an as-yet untrusted source, so |
3806 | 3806 |
* scrutinize carefully */ |
3807 | 3807 |
|
3808 |
- if (op != P_CONTROL_HARD_RESET_CLIENT_V2) |
|
3808 |
+ if (op != P_CONTROL_HARD_RESET_CLIENT_V2 |
|
3809 |
+ && op != P_CONTROL_HARD_RESET_CLIENT_V3) |
|
3809 | 3810 |
{ |
3810 | 3811 |
/* |
3811 | 3812 |
* This can occur due to bogus data or DoS packets. |
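Review bot: The opcode gate at new lines 3808-3809 now lets a V3 reset through, but the packet is presumably still authenticated further down (outside the hunk) with whatever key `tas` holds, which for tls-crypt-v2 is not the client-specific key the V3 packet was wrapped with. Until the unwrap step lands, a V3 reset from an untrusted source either fails that check or, if `tas` happens to hold a matching key, is accepted without the client-key handling it is meant to get; the code should say which, e.g. `/* V3 (tls-crypt-v2) resets pass this gate but the wrapped client key is not unwrapped yet; verification below uses the tas key only */`. tls_pre_decrypt_lite continues outside the hunk.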
... | ... |
@@ -63,9 +63,12 @@ |
63 | 63 |
#define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */ |
64 | 64 |
#define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */ |
65 | 65 |
|
66 |
+/* indicates key_method >= 2 and client-specific tls-crypt key */ |
|
67 |
+#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */ |
|
68 |
+ |
|
66 | 69 |
/* define the range of legal opcodes */ |
67 | 70 |
#define P_FIRST_OPCODE 1 |
68 |
-#define P_LAST_OPCODE 9 |
|
71 |
+#define P_LAST_OPCODE 10 |
|
69 | 72 |
|
70 | 73 |
/* |
71 | 74 |
* Set the max number of acknowledgments that can "hitch a ride" on an outgoing |
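Review bot: The trailing comment on P_CONTROL_HARD_RESET_CLIENT_V3 at new line 67 repeats the V2 text word for word, so the header never states what distinguishes the two opcodes; the line above it carries the meaning but reads like a continuation of the V2 entry. Suggest `/* initial key from client, forget previous state; also carries the client-specific (tls-crypt-v2) wrapped key */`, plus a note that there is no SERVER_V3 and a tls-crypt-v2 server replies with P_CONTROL_HARD_RESET_SERVER_V2, which is what tls_session_init in this commit does. The P_LAST_OPCODE bump to 10 also widens the range accepted wherever that constant is range-checked, which is worth a word in the commit description since the new opcode is not handled anywhere yet.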