]>
Commit | Line | Data |
---|---|---|
9a160b79 AJ |
1 | /* |
2 | * OpenVPN -- An application to securely tunnel IP networks | |
3 | * over a single TCP/UDP port, with support for SSL/TLS-based | |
4 | * session authentication and key exchange, | |
5 | * packet encryption, packet authentication, and | |
6 | * packet compression. | |
7 | * | |
ccf9d572 | 8 | * Copyright (C) 2002-2023 OpenVPN Inc <sales@openvpn.net> |
ccee09d1 | 9 | * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com> |
9a160b79 AJ |
10 | * |
11 | * This program is free software; you can redistribute it and/or modify | |
12 | * it under the terms of the GNU General Public License version 2 | |
13 | * as published by the Free Software Foundation. | |
14 | * | |
15 | * This program is distributed in the hope that it will be useful, | |
16 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
17 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
18 | * GNU General Public License for more details. | |
19 | * | |
caa54ac3 DS |
20 | * You should have received a copy of the GNU General Public License along |
21 | * with this program; if not, write to the Free Software Foundation, Inc., | |
22 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. | |
9a160b79 AJ |
23 | */ |
24 | ||
25 | /** | |
26 | * @file Control Channel Common Data Structures | |
27 | */ | |
28 | ||
29 | #ifndef SSL_COMMON_H_ | |
30 | #define SSL_COMMON_H_ | |
31 | ||
32 | #include "session_id.h" | |
33 | #include "socket.h" | |
34 | #include "packet_id.h" | |
35 | #include "crypto.h" | |
36 | #include "options.h" | |
37 | ||
38 | #include "ssl_backend.h" | |
39 | ||
289a8bb8 AJ |
40 | /* passwords */ |
41 | #define UP_TYPE_AUTH "Auth" | |
42 | #define UP_TYPE_PRIVATE_KEY "Private Key" | |
43 | ||
d0811e64 AJ |
44 | /** @addtogroup control_processor |
45 | * @{ */ | |
46 | /** | |
47 | * @name Control channel negotiation states | |
48 | * | |
49 | * These states represent the different phases of control channel | |
50 | * negotiation between OpenVPN peers. OpenVPN servers and clients | |
51 | * progress through the states in a different order, because of their | |
52 | * different roles during exchange of random material. The references to | |
53 | * the \c key_source2 structure in the list below is only valid if %key | |
54 | * method 2 is being used. See the \link key_generation data channel key | |
55 | * generation\endlink related page for more information. | |
56 | * | |
57 | * Clients follow this order: | |
58 | * -# \c S_INITIAL, ready to begin three-way handshake and control | |
59 | * channel negotiation. | |
60 | * -# \c S_PRE_START, have started three-way handshake, waiting for | |
61 | * acknowledgment from remote. | |
62 | * -# \c S_START, initial three-way handshake complete. | |
63 | * -# \c S_SENT_KEY, have sent local part of \c key_source2 random | |
64 | * material. | |
65 | * -# \c S_GOT_KEY, have received remote part of \c key_source2 random | |
66 | * material. | |
34b42549 AS |
67 | * -# \c S_ACTIVE, control channel successfully established |
68 | * -# \c S_GENERATED_KEYS, the data channel keys have been generated | |
d0811e64 AJ |
69 | * |
70 | * Servers follow the same order, except for \c S_SENT_KEY and \c | |
71 | * S_GOT_KEY being reversed, because the server first receives the | |
72 | * client's \c key_source2 random material before generating and sending | |
73 | * its own. | |
74 | * | |
75 | * @{ | |
76 | */ | |
77 | #define S_ERROR -1 /**< Error state. */ | |
78 | #define S_UNDEF 0 /**< Undefined state, used after a \c | |
79 | * key_state is cleaned up. */ | |
80 | #define S_INITIAL 1 /**< Initial \c key_state state after | |
81 | * initialization by \c key_state_init() | |
82 | * before start of three-way handshake. */ | |
83 | #define S_PRE_START 2 /**< Waiting for the remote OpenVPN peer | |
84 | * to acknowledge during the initial | |
85 | * three-way handshake. */ | |
86 | #define S_START 3 /**< Three-way handshake is complete, | |
87 | * start of key exchange. */ | |
88 | #define S_SENT_KEY 4 /**< Local OpenVPN process has sent its | |
89 | * part of the key material. */ | |
90 | #define S_GOT_KEY 5 /**< Local OpenVPN process has received | |
91 | * the remote's part of the key | |
92 | * material. */ | |
93 | #define S_ACTIVE 6 /**< Operational \c key_state state | |
94 | * immediately after negotiation has | |
95 | * completed while still within the | |
34b42549 AS |
96 | * handshake window. Deferred auth and |
97 | * client connect can still be pending. */ | |
d75e0736 | 98 | #define S_GENERATED_KEYS 7 /**< The data channel keys have been generated |
abe49856 DS |
99 | * The TLS session is fully authenticated |
100 | * when reaching this state. */ | |
d75e0736 | 101 | |
c13d20fa AS |
102 | /* Note that earlier versions also had a S_OP_NORMAL state that was |
103 | * virtually identical with S_ACTIVE and the code still assumes everything | |
104 | * >= S_ACTIVE to be fully operational */ | |
d0811e64 AJ |
105 | /** @} name Control channel negotiation states */ |
106 | /** @} addtogroup control_processor */ | |
107 | ||
67d8a0d4 AJ |
108 | /** |
109 | * Container for one half of random material to be used in %key method 2 | |
110 | * \ref key_generation "data channel key generation". | |
111 | * @ingroup control_processor | |
112 | */ | |
113 | struct key_source { | |
81d882d5 | 114 | uint8_t pre_master[48]; /**< Random used for master secret |
67d8a0d4 AJ |
115 | * generation, provided only by client |
116 | * OpenVPN peer. */ | |
81d882d5 | 117 | uint8_t random1[32]; /**< Seed used for master secret |
67d8a0d4 AJ |
118 | * generation, provided by both client |
119 | * and server. */ | |
81d882d5 | 120 | uint8_t random2[32]; /**< Seed used for key expansion, provided |
67d8a0d4 AJ |
121 | * by both client and server. */ |
122 | }; | |
123 | ||
124 | ||
125 | /** | |
126 | * Container for both halves of random material to be used in %key method | |
127 | * 2 \ref key_generation "data channel key generation". | |
128 | * @ingroup control_processor | |
129 | */ | |
130 | struct key_source2 { | |
81d882d5 DS |
131 | struct key_source client; /**< Random provided by client. */ |
132 | struct key_source server; /**< Random provided by server. */ | |
67d8a0d4 AJ |
133 | }; |
134 | ||
5608041c AS |
135 | |
136 | /** | |
137 | * This reflects the (server side) authentication state after the TLS | |
138 | * session has been established and key_method_2_read is called. If async auth | |
139 | * is enabled the state will first move to KS_AUTH_DEFERRED before eventually | |
140 | * being set to KS_AUTH_TRUE or KS_AUTH_FALSE | |
141 | * Only KS_AUTH_TRUE is fully authenticated | |
142 | */ | |
a5e6f2d2 | 143 | enum ks_auth_state { |
abe49856 DS |
144 | KS_AUTH_FALSE, /**< Key state is not authenticated */ |
145 | KS_AUTH_DEFERRED, /**< Key state authentication is being deferred, | |
146 | * by async auth */ | |
147 | KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass | |
148 | * succeeded. This includes AUTH_PENDING/OOB | |
149 | * authentication as those hold the | |
150 | * connection artificially in KS_AUTH_DEFERRED | |
151 | */ | |
a5e6f2d2 AS |
152 | }; |
153 | ||
c5fec838 AS |
154 | struct auth_deferred_status |
155 | { | |
156 | char *auth_control_file; | |
157 | char *auth_pending_file; | |
8893fe49 | 158 | char *auth_failed_reason_file; |
c5fec838 AS |
159 | unsigned int auth_control_status; |
160 | }; | |
161 | ||
9a430502 AS |
162 | /* key_state_test_auth_control_file return values, these specify the |
163 | * current status of a deferred authentication */ | |
164 | enum auth_deferred_result { | |
165 | ACF_PENDING, /**< deferred auth still pending */ | |
166 | ACF_SUCCEEDED, /**< deferred auth has suceeded */ | |
167 | ACF_DISABLED, /**< deferred auth is not used */ | |
168 | ACF_FAILED /**< deferred auth has failed */ | |
169 | }; | |
170 | ||
a2d851d4 AQ |
171 | enum dco_key_status { |
172 | DCO_NOT_INSTALLED, | |
173 | DCO_INSTALLED_PRIMARY, | |
174 | DCO_INSTALLED_SECONDARY | |
175 | }; | |
176 | ||
67d8a0d4 AJ |
177 | /** |
178 | * Security parameter state of one TLS and data channel %key session. | |
179 | * @ingroup control_processor | |
180 | * | |
181 | * This structure represents one security parameter session between | |
182 | * OpenVPN peers. It includes the control channel TLS state and the data | |
183 | * channel crypto state. It also contains the reliability layer | |
184 | * structures used for control channel messages. | |
185 | * | |
186 | * A new \c key_state structure is initialized for each hard or soft | |
187 | * reset. | |
188 | * | |
189 | * @see | |
190 | * - This structure should be initialized using the \c key_state_init() | |
191 | * function. | |
192 | * - This structure should be cleaned up using the \c key_state_free() | |
193 | * function. | |
194 | */ | |
195 | struct key_state | |
196 | { | |
81d882d5 | 197 | int state; |
71604992 | 198 | /** The state of the auth-token sent from the client */ |
9a516170 | 199 | unsigned int auth_token_state_flags; |
97894360 | 200 | |
81d882d5 DS |
201 | /** |
202 | * Key id for this key_state, inherited from struct tls_session. | |
203 | * @see tls_session::key_id. | |
204 | */ | |
205 | int key_id; | |
67d8a0d4 | 206 | |
a2d851d4 AQ |
207 | /** |
208 | * Key id for this key_state, inherited from struct tls_session. | |
209 | * @see tls_multi::peer_id. | |
210 | */ | |
211 | uint32_t peer_id; | |
212 | ||
81d882d5 | 213 | struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */ |
67d8a0d4 | 214 | |
53229047 | 215 | time_t initial; /* when we created this session */ |
81d882d5 DS |
216 | time_t established; /* when our state went S_ACTIVE */ |
217 | time_t must_negotiate; /* key negotiation times out if not finished before this time */ | |
218 | time_t must_die; /* this object is destroyed at this time */ | |
3f8fb2b2 | 219 | time_t peer_last_packet; /* Last time we received a packet in this control session */ |
67d8a0d4 | 220 | |
81d882d5 DS |
221 | int initial_opcode; /* our initial P_ opcode */ |
222 | struct session_id session_id_remote; /* peer's random session ID */ | |
223 | struct link_socket_actual remote_addr; /* peer's IP addr */ | |
67d8a0d4 | 224 | |
81d882d5 | 225 | struct crypto_options crypto_options;/* data channel crypto options */ |
67d8a0d4 | 226 | |
81d882d5 | 227 | struct key_source2 *key_src; /* source entropy for key expansion */ |
67d8a0d4 | 228 | |
81d882d5 DS |
229 | struct buffer plaintext_read_buf; |
230 | struct buffer plaintext_write_buf; | |
231 | struct buffer ack_write_buf; | |
67d8a0d4 | 232 | |
81d882d5 DS |
233 | struct reliable *send_reliable; /* holds a copy of outgoing packets until ACK received */ |
234 | struct reliable *rec_reliable; /* order incoming ciphertext packets before we pass to TLS */ | |
235 | struct reliable_ack *rec_ack; /* buffers all packet IDs we want to ACK back to sender */ | |
c8796095 | 236 | struct reliable_ack *lru_acks; /* keeps the most recently acked packages*/ |
67d8a0d4 | 237 | |
65a21eb1 AS |
238 | /** Holds outgoing message for the control channel until ks->state reaches |
239 | * S_ACTIVE */ | |
81d882d5 | 240 | struct buffer_list *paybuf; |
81d882d5 DS |
241 | counter_type n_bytes; /* how many bytes sent/recvd since last key exchange */ |
242 | counter_type n_packets; /* how many packets sent/recvd since last key exchange */ | |
67d8a0d4 | 243 | |
81d882d5 DS |
244 | /* |
245 | * If bad username/password, TLS connection will come up but 'authenticated' will be false. | |
246 | */ | |
a5e6f2d2 | 247 | enum ks_auth_state authenticated; |
81d882d5 | 248 | time_t auth_deferred_expire; |
67d8a0d4 | 249 | |
99d217b2 | 250 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 251 | unsigned int mda_key_id; |
9a430502 | 252 | enum auth_deferred_result mda_status; |
67d8a0d4 | 253 | #endif |
81d882d5 | 254 | time_t acf_last_mod; |
c5fec838 AS |
255 | |
256 | struct auth_deferred_status plugin_auth; | |
28e61030 | 257 | struct auth_deferred_status script_auth; |
a2d851d4 AQ |
258 | |
259 | enum dco_key_status dco_status; | |
67d8a0d4 AJ |
260 | }; |
261 | ||
c6e24fa3 SK |
262 | /** Control channel wrapping (--tls-auth/--tls-crypt) context */ |
263 | struct tls_wrap_ctx | |
264 | { | |
81d882d5 DS |
265 | enum { |
266 | TLS_WRAP_NONE = 0, /**< No control channel wrapping */ | |
267 | TLS_WRAP_AUTH, /**< Control channel authentication */ | |
268 | TLS_WRAP_CRYPT, /**< Control channel encryption and authentication */ | |
269 | } mode; /**< Control channel wrapping mode */ | |
270 | struct crypto_options opt; /**< Crypto state */ | |
271 | struct buffer work; /**< Work buffer (only for --tls-crypt) */ | |
19dffdbd SK |
272 | struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */ |
273 | const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key, | |
f57431cd | 274 | * sent to server */ |
19dffdbd SK |
275 | struct buffer tls_crypt_v2_metadata; /**< Received from client */ |
276 | bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by | |
f57431cd | 277 | * this context */ |
6a05768a AS |
278 | /** original key data to be xored in to the key for dynamic tls-crypt. |
279 | * | |
280 | * We keep the original key data to ensure that the newly generated key | |
281 | * for the dynamic tls-crypt has the same level of quality by using | |
282 | * xor with the original key. This gives us the same same entropy/randomness | |
283 | * as the original tls-crypt key to ensure the post-quantum use case of | |
284 | * tls-crypt still holds true | |
285 | * */ | |
286 | struct key2 original_wrap_keydata; | |
c6e24fa3 SK |
287 | }; |
288 | ||
67d8a0d4 AJ |
289 | /* |
290 | * Our const options, obtained directly or derived from | |
291 | * command line options. | |
292 | */ | |
293 | struct tls_options | |
294 | { | |
81d882d5 DS |
295 | /* our master TLS context from which all SSL objects derived */ |
296 | struct tls_root_ctx ssl_ctx; | |
67d8a0d4 | 297 | |
81d882d5 DS |
298 | /* data channel cipher, hmac, and key lengths */ |
299 | struct key_type key_type; | |
67d8a0d4 | 300 | |
81d882d5 DS |
301 | /* true if we are a TLS server, client otherwise */ |
302 | bool server; | |
67d8a0d4 | 303 | |
81d882d5 DS |
304 | /* if true, don't xmit until first packet from peer is received */ |
305 | bool xmit_hold; | |
67d8a0d4 | 306 | |
81d882d5 DS |
307 | /* local and remote options strings |
308 | * that must match between client and server */ | |
309 | const char *local_options; | |
310 | const char *remote_options; | |
67d8a0d4 | 311 | |
81d882d5 | 312 | /* from command line */ |
81d882d5 | 313 | bool single_session; |
81d882d5 | 314 | bool disable_occ; |
81d882d5 DS |
315 | int mode; |
316 | bool pull; | |
8c72d798 AS |
317 | /** |
318 | * The detail of info we push in peer info | |
319 | * | |
320 | * 0 - nothing at all, P2MP server only | |
321 | * 1 - only the most basic information to negotiate cipher and features | |
322 | * for P2P NCP | |
323 | * 2 - normal setting for clients | |
324 | * 3 - full information including "sensitive data" like IV_HWADDR | |
325 | * enabled by --push-peer-info | |
326 | */ | |
81d882d5 | 327 | int push_peer_info_detail; |
81d882d5 DS |
328 | int transition_window; |
329 | int handshake_window; | |
330 | interval_t packet_timeout; | |
331 | int renegotiate_bytes; | |
332 | int renegotiate_packets; | |
333 | interval_t renegotiate_seconds; | |
334 | ||
335 | /* cert verification parms */ | |
336 | const char *verify_command; | |
81d882d5 DS |
337 | int verify_x509_type; |
338 | const char *verify_x509_name; | |
339 | const char *crl_file; | |
cb2e9218 | 340 | bool crl_file_inline; |
81d882d5 DS |
341 | int ns_cert_type; |
342 | unsigned remote_cert_ku[MAX_PARMS]; | |
343 | const char *remote_cert_eku; | |
d1fe6d52 | 344 | struct verify_hash_list *verify_hash; |
c3a7065d | 345 | int verify_hash_depth; |
c3746da7 | 346 | bool verify_hash_no_ca; |
2193d7c0 | 347 | hash_algo_type verify_hash_algo; |
3b04c34d VG |
348 | #ifdef ENABLE_X509ALTUSERNAME |
349 | char *x509_username_field[MAX_PARMS]; | |
350 | #else | |
351 | char *x509_username_field[2]; | |
352 | #endif | |
81d882d5 | 353 | |
81d882d5 DS |
354 | /* struct crypto_option flags */ |
355 | unsigned int crypto_flags; | |
356 | ||
357 | int replay_window; /* --replay-window parm */ | |
358 | int replay_time; /* --replay-window parm */ | |
359 | bool tcp_mode; | |
360 | ||
361 | const char *config_ciphername; | |
868b200c | 362 | const char *config_ncp_ciphers; |
81d882d5 | 363 | |
283290bf | 364 | bool tls_crypt_v2; |
ff931c5e | 365 | const char *tls_crypt_v2_verify_script; |
283290bf | 366 | |
81d882d5 DS |
367 | /** TLS handshake wrapping state */ |
368 | struct tls_wrap_ctx tls_wrap; | |
369 | ||
81d882d5 DS |
370 | struct frame frame; |
371 | ||
372 | /* used for username/password authentication */ | |
373 | const char *auth_user_pass_verify_script; | |
23eec2d2 | 374 | const char *client_crresponse_script; |
81d882d5 DS |
375 | bool auth_user_pass_verify_script_via_file; |
376 | const char *tmp_dir; | |
377 | const char *auth_user_pass_file; | |
7d48d31b | 378 | bool auth_user_pass_file_inline; |
1b9a88a2 | 379 | |
1b9a88a2 AS |
380 | bool auth_token_generate; /**< Generate auth-tokens on successful |
381 | * user/pass auth,seet via | |
382 | * options->auth_token_generate. */ | |
c8723aa7 | 383 | bool auth_token_call_auth; /**< always call normal authentication */ |
81d882d5 | 384 | unsigned int auth_token_lifetime; |
9a516170 | 385 | unsigned int auth_token_renewal; |
67d8a0d4 | 386 | |
1b9a88a2 | 387 | struct key_ctx auth_token_key; |
1b9a88a2 | 388 | |
81d882d5 DS |
389 | /* use the client-config-dir as a positive authenticator */ |
390 | const char *client_config_dir_exclusive; | |
67d8a0d4 | 391 | |
81d882d5 DS |
392 | /* instance-wide environment variable set */ |
393 | struct env_set *es; | |
aec4a3d1 | 394 | openvpn_net_ctx_t *net_ctx; |
81d882d5 | 395 | const struct plugin_list *plugins; |
67d8a0d4 | 396 | |
81d882d5 | 397 | /* compression parms */ |
38d96bd7 | 398 | #ifdef USE_COMP |
81d882d5 | 399 | struct compress_options comp_options; |
38d96bd7 JY |
400 | #endif |
401 | ||
81d882d5 DS |
402 | /* configuration file SSL-related boolean and low-permutation options */ |
403 | #define SSLF_CLIENT_CERT_NOT_REQUIRED (1<<0) | |
404 | #define SSLF_CLIENT_CERT_OPTIONAL (1<<1) | |
405 | #define SSLF_USERNAME_AS_COMMON_NAME (1<<2) | |
406 | #define SSLF_AUTH_USER_PASS_OPTIONAL (1<<3) | |
407 | #define SSLF_OPT_VERIFY (1<<4) | |
408 | #define SSLF_CRL_VERIFY_DIR (1<<5) | |
409 | #define SSLF_TLS_VERSION_MIN_SHIFT 6 | |
410 | #define SSLF_TLS_VERSION_MIN_MASK 0xF /* (uses bit positions 6 to 9) */ | |
411 | #define SSLF_TLS_VERSION_MAX_SHIFT 10 | |
412 | #define SSLF_TLS_VERSION_MAX_MASK 0xF /* (uses bit positions 10 to 13) */ | |
4524feb2 | 413 | #define SSLF_TLS_DEBUG_ENABLED (1<<14) |
81d882d5 | 414 | unsigned int ssl_flags; |
67d8a0d4 | 415 | |
99d217b2 | 416 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 417 | struct man_def_auth_context *mda_context; |
67d8a0d4 AJ |
418 | #endif |
419 | ||
81d882d5 | 420 | const struct x509_track *x509_track; |
67d8a0d4 | 421 | |
66b9409b | 422 | #ifdef ENABLE_MANAGEMENT |
81d882d5 | 423 | const struct static_challenge_info *sci; |
67d8a0d4 AJ |
424 | #endif |
425 | ||
81d882d5 DS |
426 | /* --gremlin bits */ |
427 | int gremlin; | |
685e486e | 428 | |
81d882d5 DS |
429 | /* Keying Material Exporter [RFC 5705] parameters */ |
430 | const char *ekm_label; | |
431 | size_t ekm_label_size; | |
432 | size_t ekm_size; | |
a2d851d4 AQ |
433 | |
434 | bool dco_enabled; /**< Whether keys have to be installed in DCO or not */ | |
67d8a0d4 AJ |
435 | }; |
436 | ||
49620510 AJ |
437 | /** @addtogroup control_processor |
438 | * @{ */ | |
439 | /** @name Index of key_state objects within a tls_session structure | |
440 | * | |
441 | * This is the index of \c tls_session.key | |
442 | * | |
443 | * @{ */ | |
444 | #define KS_PRIMARY 0 /**< Primary %key state index. */ | |
445 | #define KS_LAME_DUCK 1 /**< %Key state index that will retire | |
446 | * soon. */ | |
447 | #define KS_SIZE 2 /**< Size of the \c tls_session.key array. */ | |
448 | /** @} name Index of key_state objects within a tls_session structure */ | |
449 | /** @} addtogroup control_processor */ | |
450 | ||
49620510 AJ |
451 | /** |
452 | * Security parameter state of a single session within a VPN tunnel. | |
453 | * @ingroup control_processor | |
454 | * | |
455 | * This structure represents an OpenVPN peer-to-peer control channel | |
456 | * session. | |
457 | * | |
458 | * A \c tls_session remains over soft resets, but a new instance is | |
459 | * initialized for each hard reset. | |
460 | * | |
461 | * @see | |
462 | * - This structure should be initialized using the \c tls_session_init() | |
463 | * function. | |
464 | * - This structure should be cleaned up using the \c tls_session_free() | |
465 | * function. | |
466 | */ | |
467 | struct tls_session | |
468 | { | |
81d882d5 DS |
469 | /* const options and config info */ |
470 | struct tls_options *opt; | |
49620510 | 471 | |
81d882d5 DS |
472 | /* during hard reset used to control burst retransmit */ |
473 | bool burst; | |
49620510 | 474 | |
81d882d5 DS |
475 | /* authenticate control packets */ |
476 | struct tls_wrap_ctx tls_wrap; | |
49620510 | 477 | |
6a05768a AS |
478 | /* Specific tls-crypt for renegotiations, if this is valid, |
479 | * tls_wrap_reneg.mode is TLS_WRAP_CRYPT, otherwise ignore it */ | |
480 | struct tls_wrap_ctx tls_wrap_reneg; | |
481 | ||
81d882d5 DS |
482 | int initial_opcode; /* our initial P_ opcode */ |
483 | struct session_id session_id; /* our random session ID */ | |
97894360 | 484 | |
81d882d5 DS |
485 | /** |
486 | * The current active key id, used to keep track of renegotiations. | |
487 | * key_id increments with each soft reset to KEY_ID_MASK then recycles back | |
488 | * to 1. This way you know that if key_id is 0, it is the first key. | |
489 | */ | |
490 | int key_id; | |
49620510 | 491 | |
81d882d5 | 492 | int limit_next; /* used for traffic shaping on the control channel */ |
49620510 | 493 | |
81d882d5 | 494 | int verify_maxlevel; |
49620510 | 495 | |
81d882d5 | 496 | char *common_name; |
49620510 | 497 | |
81d882d5 | 498 | struct cert_hash_set *cert_hash_set; |
49620510 | 499 | |
81d882d5 | 500 | bool verified; /* true if peer certificate was verified against CA */ |
49620510 | 501 | |
81d882d5 DS |
502 | /* not-yet-authenticated incoming client */ |
503 | struct link_socket_actual untrusted_addr; | |
49620510 | 504 | |
81d882d5 | 505 | struct key_state key[KS_SIZE]; |
49620510 AJ |
506 | }; |
507 | ||
508 | /** @addtogroup control_processor | |
509 | * @{ */ | |
510 | /** @name Index of tls_session objects within a tls_multi structure | |
511 | * | |
512 | * This is the index of \c tls_multi.session | |
513 | * | |
514 | * Normally three tls_session objects are maintained by an active openvpn | |
515 | * session. The first is the current, TLS authenticated session, the | |
516 | * second is used to process connection requests from a new client that | |
517 | * would usurp the current session if successfully authenticated, and the | |
518 | * third is used as a repository for a "lame-duck" %key in the event that | |
519 | * the primary session resets due to error while the lame-duck %key still | |
520 | * has time left before its expiration. Lame duck keys are used to | |
521 | * maintain the continuity of the data channel connection while a new %key | |
522 | * is being negotiated. | |
523 | * | |
524 | * @{ */ | |
525 | #define TM_ACTIVE 0 /**< Active \c tls_session. */ | |
7dcde87b | 526 | #define TM_INITIAL 1 /**< As yet un-trusted \c tls_session |
49620510 AJ |
527 | * being negotiated. */ |
528 | #define TM_LAME_DUCK 2 /**< Old \c tls_session. */ | |
529 | #define TM_SIZE 3 /**< Size of the \c tls_multi.session | |
530 | * array. */ | |
531 | /** @} name Index of tls_session objects within a tls_multi structure */ | |
532 | /** @} addtogroup control_processor */ | |
533 | ||
534 | ||
535 | /* | |
536 | * The number of keys we will scan on encrypt or decrypt. The first | |
537 | * is the "active" key. The second is the lame_duck or retiring key | |
538 | * associated with the active key's session ID. The third is a detached | |
539 | * lame duck session that only occurs in situations where a key renegotiate | |
540 | * failed on the active key, but a lame duck key was still valid. By | |
541 | * preserving the lame duck session, we can be assured of having a data | |
542 | * channel key available even when network conditions are so bad that | |
543 | * we can't negotiate a new key within the time allotted. | |
544 | */ | |
545 | #define KEY_SCAN_SIZE 3 | |
546 | ||
0767d5b4 | 547 | |
b9451bef AS |
548 | /* multi state (originally client authentication state (=CAS)) |
549 | * CAS_NOT_CONNECTED must be 0 since non multi code paths still check | |
550 | * this variable but do not explicitly initialise it and depend | |
551 | * on zero initialisation */ | |
d0127760 AS |
552 | |
553 | /* CAS_NOT_CONNECTED is the initial state for every context. When the *first* | |
554 | * tls_session reaches S_ACTIVE, this state machine moves to CAS_PENDING (server) | |
555 | * or CAS_CONNECT_DONE (client/p2p) as clients skip the stages associated with | |
556 | * connect scripts/plugins */ | |
557 | enum multi_status { | |
558 | CAS_NOT_CONNECTED, | |
b9451bef AS |
559 | CAS_WAITING_AUTH, /**< Initial TLS connection established but deferred auth is not yet finished */ |
560 | CAS_PENDING, /**< Options import (Connect script/plugin, ccd,...) */ | |
561 | CAS_PENDING_DEFERRED, /**< Waiting on an async option import handler */ | |
562 | CAS_PENDING_DEFERRED_PARTIAL, /**< at least handler succeeded but another is still pending */ | |
563 | CAS_FAILED, /**< Option import failed or explicitly denied the client */ | |
34b42549 | 564 | CAS_WAITING_OPTIONS_IMPORT, /**< client with pull or p2p waiting for first time options import */ |
cde3edb1 AS |
565 | CAS_RECONNECT_PENDING, /**< session has already successful established (CAS_CONNECT_DONE) |
566 | * but has a reconnect and needs to redo some initialisation, this state is | |
567 | * similar CAS_WAITING_OPTIONS_IMPORT but skips a few things. The normal connection | |
568 | * skips this step. */ | |
d0127760 | 569 | CAS_CONNECT_DONE, |
0767d5b4 AS |
570 | }; |
571 | ||
572 | ||
49620510 AJ |
573 | /** |
574 | * Security parameter state for a single VPN tunnel. | |
575 | * @ingroup control_processor | |
576 | * | |
577 | * An active VPN tunnel running with TLS enabled has one \c tls_multi | |
578 | * object, in which it stores all control channel and data channel | |
579 | * security parameter state. This structure can contain multiple, | |
580 | * possibly simultaneously active, \c tls_context objects to allow for | |
581 | * interruption-less transitions during session renegotiations. Each \c | |
582 | * tls_context represents one control channel session, which can span | |
583 | * multiple data channel security parameter sessions stored in \c | |
584 | * key_state structures. | |
585 | */ | |
586 | struct tls_multi | |
587 | { | |
81d882d5 DS |
588 | /* used to coordinate access between main thread and TLS thread */ |
589 | /*MUTEX_PTR_DEFINE (mutex);*/ | |
590 | ||
591 | /* const options and config info */ | |
592 | struct tls_options opt; | |
593 | ||
81d882d5 DS |
594 | /* |
595 | * used by tls_pre_encrypt to communicate the encrypt key | |
596 | * to tls_post_encrypt() | |
597 | */ | |
598 | struct key_state *save_ks; /* temporary pointer used between pre/post routines */ | |
599 | ||
600 | /* | |
601 | * Used to return outgoing address from | |
602 | * tls_multi_process. | |
603 | */ | |
604 | struct link_socket_actual to_link_addr; | |
605 | ||
606 | int n_sessions; /**< Number of sessions negotiated thus | |
49620510 | 607 | * far. */ |
d0127760 | 608 | enum multi_status multi_state; |
49620510 | 609 | |
81d882d5 DS |
610 | /* |
611 | * Number of errors. | |
612 | */ | |
613 | int n_hard_errors; /* errors due to TLS negotiation failure */ | |
614 | int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */ | |
49620510 | 615 | |
81d882d5 DS |
616 | /* |
617 | * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object) | |
618 | */ | |
619 | char *locked_cn; | |
620 | char *locked_username; | |
621 | struct cert_hash_set *locked_cert_hash_set; | |
49620510 | 622 | |
d49df6bd | 623 | /** Time of last when we updated the cached state of |
9a430502 AS |
624 | * tls_authentication_status deferred files */ |
625 | time_t tas_cache_last_update; | |
a8be7379 | 626 | |
d49df6bd AS |
627 | /** The number of times we updated the cache */ |
628 | unsigned int tas_cache_num_updates; | |
629 | ||
fba0e8b8 AS |
630 | /* |
631 | * An error message to send to client on AUTH_FAILED | |
632 | */ | |
633 | char *client_reason; | |
634 | ||
81d882d5 DS |
635 | /* |
636 | * A multi-line string of general-purpose info received from peer | |
637 | * over control channel. | |
638 | */ | |
639 | char *peer_info; | |
1b9a88a2 AS |
640 | char *auth_token; /**< If server sends a generated auth-token, |
641 | * this is the token to use for future | |
642 | * user/pass authentications in this session. | |
643 | */ | |
644 | char *auth_token_initial; | |
d75e0736 AS |
645 | /**< The first auth-token we sent to a client. We use this to remember |
646 | * the session ID and initial timestamp when generating new auth-token. | |
1b9a88a2 AS |
647 | */ |
648 | #define AUTH_TOKEN_HMAC_OK (1<<0) | |
649 | /**< Auth-token sent from client has valid hmac */ | |
650 | #define AUTH_TOKEN_EXPIRED (1<<1) | |
651 | /**< Auth-token sent from client has expired */ | |
c8723aa7 AS |
652 | #define AUTH_TOKEN_VALID_EMPTYUSER (1<<2) |
653 | /**< | |
654 | * Auth-token is only valid for an empty username | |
655 | * and not the username actually supplied from the client | |
656 | * | |
48a4c81b | 657 | * OpenVPN 3 clients sometimes wipes or replaces the username with a |
c8723aa7 AS |
658 | * username hint from their config. |
659 | */ | |
49620510 | 660 | |
81d882d5 DS |
661 | /* For P_DATA_V2 */ |
662 | uint32_t peer_id; | |
663 | bool use_peer_id; | |
65eedc35 | 664 | |
81d882d5 | 665 | char *remote_ciphername; /**< cipher specified in peer's config file */ |
8fa8a175 | 666 | bool remote_usescomp; /**< remote announced comp-lzo in OCC string */ |
6e5ad2fa | 667 | |
81d882d5 DS |
668 | /* |
669 | * Our session objects. | |
670 | */ | |
671 | struct tls_session session[TM_SIZE]; | |
672 | /**< Array of \c tls_session objects | |
673 | * representing control channel | |
674 | * sessions with the remote peer. */ | |
a2d851d4 AQ |
675 | |
676 | /* Only used when DCO is used to remember how many keys we installed | |
677 | * for this session */ | |
678 | int dco_keys_installed; | |
8d4dbb56 AS |
679 | /** |
680 | * This is the handle that DCO uses to identify this session with the | |
681 | * kernel. | |
682 | * | |
683 | * We keep this separate as the normal peer_id can change during | |
684 | * p2p NCP and we need to track the id that is really used. | |
685 | */ | |
686 | int dco_peer_id; | |
a2d851d4 AQ |
687 | |
688 | dco_context_t *dco; | |
49620510 AJ |
689 | }; |
690 | ||
cc5a7163 AS |
691 | /** gets an item of \c key_state objects in the |
692 | * order they should be scanned by data | |
693 | * channel modules. */ | |
694 | static inline struct key_state * | |
695 | get_key_scan(struct tls_multi *multi, int index) | |
696 | { | |
697 | switch (index) | |
698 | { | |
699 | case 0: | |
700 | return &multi->session[TM_ACTIVE].key[KS_PRIMARY]; | |
abe49856 | 701 | |
cc5a7163 AS |
702 | case 1: |
703 | return &multi->session[TM_ACTIVE].key[KS_LAME_DUCK]; | |
abe49856 | 704 | |
cc5a7163 AS |
705 | case 2: |
706 | return &multi->session[TM_LAME_DUCK].key[KS_LAME_DUCK]; | |
abe49856 | 707 | |
cc5a7163 AS |
708 | default: |
709 | ASSERT(false); | |
86d7e990 | 710 | return NULL; /* NOTREACHED */ |
cc5a7163 AS |
711 | } |
712 | } | |
713 | ||
a80bec33 AS |
714 | /** gets an item of \c key_state objects in the |
715 | * order they should be scanned by data | |
716 | * channel modules. */ | |
717 | static inline const struct key_state * | |
718 | get_primary_key(const struct tls_multi *multi) | |
719 | { | |
abe49856 | 720 | return &multi->session[TM_ACTIVE].key[KS_PRIMARY]; |
a80bec33 AS |
721 | } |
722 | ||
9a160b79 | 723 | #endif /* SSL_COMMON_H_ */ |