#endif
-/** @addtogroup control_processor
- * @{ */
-/** @name Index of key_state objects within a tls_session structure
- *
- * This is the index of \c tls_session.key
- *
- * @{ */
-#define KS_PRIMARY 0 /**< Primary %key state index. */
-#define KS_LAME_DUCK 1 /**< %Key state index that will retire
- * soon. */
-#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
-/** @} name Index of key_state objects within a tls_session structure */
-/** @} addtogroup control_processor */
-
-
-/**
- * Security parameter state of a single session within a VPN tunnel.
- * @ingroup control_processor
- *
- * This structure represents an OpenVPN peer-to-peer control channel
- * session.
- *
- * A \c tls_session remains over soft resets, but a new instance is
- * initialized for each hard reset.
- *
- * @see
- * - This structure should be initialized using the \c tls_session_init()
- * function.
- * - This structure should be cleaned up using the \c tls_session_free()
- * function.
- */
-struct tls_session
-{
- /* const options and config info */
- const struct tls_options *opt;
-
- /* during hard reset used to control burst retransmit */
- bool burst;
-
- /* authenticate control packets */
- struct crypto_options tls_auth;
- struct packet_id tls_auth_pid;
-
- int initial_opcode; /* our initial P_ opcode */
- struct session_id session_id; /* our random session ID */
- int key_id; /* increments with each soft reset (for key renegotiation) */
-
- int limit_next; /* used for traffic shaping on the control channel */
-
- int verify_maxlevel;
-
- char *common_name;
-
- struct cert_hash_set *cert_hash_set;
-
-#ifdef ENABLE_PF
- uint32_t common_name_hashval;
-#endif
-
- bool verified; /* true if peer certificate was verified against CA */
-
- /* not-yet-authenticated incoming client */
- struct link_socket_actual untrusted_addr;
-
- struct key_state key[KS_SIZE];
-};
-
-
-
-/** @addtogroup control_processor
- * @{ */
-/** @name Index of tls_session objects within a tls_multi structure
- *
- * This is the index of \c tls_multi.session
- *
- * Normally three tls_session objects are maintained by an active openvpn
- * session. The first is the current, TLS authenticated session, the
- * second is used to process connection requests from a new client that
- * would usurp the current session if successfully authenticated, and the
- * third is used as a repository for a "lame-duck" %key in the event that
- * the primary session resets due to error while the lame-duck %key still
- * has time left before its expiration. Lame duck keys are used to
- * maintain the continuity of the data channel connection while a new %key
- * is being negotiated.
- *
- * @{ */
-#define TM_ACTIVE 0 /**< Active \c tls_session. */
-#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session
- * being negotiated. */
-#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
-#define TM_SIZE 3 /**< Size of the \c tls_multi.session
- * array. */
-/** @} name Index of tls_session objects within a tls_multi structure */
-/** @} addtogroup control_processor */
-
-
-/*
- * The number of keys we will scan on encrypt or decrypt. The first
- * is the "active" key. The second is the lame_duck or retiring key
- * associated with the active key's session ID. The third is a detached
- * lame duck session that only occurs in situations where a key renegotiate
- * failed on the active key, but a lame duck key was still valid. By
- * preserving the lame duck session, we can be assured of having a data
- * channel key available even when network conditions are so bad that
- * we can't negotiate a new key within the time allotted.
- */
-#define KEY_SCAN_SIZE 3
-
-/** @name Functions for initialization and cleanup of tls_multi structures
- * @{ */
-
-/**
- * Security parameter state for a single VPN tunnel.
- * @ingroup control_processor
- *
- * An active VPN tunnel running with TLS enabled has one \c tls_multi
- * object, in which it stores all control channel and data channel
- * security parameter state. This structure can contain multiple,
- * possibly simultaneously active, \c tls_context objects to allow for
- * interruption-less transitions during session renegotiations. Each \c
- * tls_context represents one control channel session, which can span
- * multiple data channel security parameter sessions stored in \c
- * key_state structures.
- */
-struct tls_multi
-{
- /* const options and config info */
- struct tls_options opt;
-
- struct key_state* key_scan[KEY_SCAN_SIZE];
- /**< List of \c key_state objects in the
- * order they should be scanned by data
- * channel modules. */
-
- /*
- * used by tls_pre_encrypt to communicate the encrypt key
- * to tls_post_encrypt()
- */
- struct key_state *save_ks; /* temporary pointer used between pre/post routines */
-
- /*
- * Used to return outgoing address from
- * tls_multi_process.
- */
- struct link_socket_actual to_link_addr;
-
- int n_sessions; /**< Number of sessions negotiated thus
- * far. */
-
- /*
- * Number of errors.
- */
- int n_hard_errors; /* errors due to TLS negotiation failure */
- int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
-
- /*
- * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
- */
- char *locked_cn;
- char *locked_username;
- struct cert_hash_set *locked_cert_hash_set;
-
-#ifdef ENABLE_DEF_AUTH
- /*
- * An error message to send to client on AUTH_FAILED
- */
- char *client_reason;
-
- /*
- * A multi-line string of general-purpose info received from peer
- * over control channel.
- */
- char *peer_info;
-
- /* Time of last call to tls_authentication_status */
- time_t tas_last;
-#endif
-
- /*
- * Our session objects.
- */
- struct tls_session session[TM_SIZE];
- /**< Array of \c tls_session objects
- * representing control channel
- * sessions with the remote peer. */
-};
-
/*
* Used in --mode server mode to check tls-auth signature on initial
* packets received from new clients.
int gremlin;
};
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of key_state objects within a tls_session structure
+ *
+ * This is the index of \c tls_session.key
+ *
+ * @{ */
+#define KS_PRIMARY 0 /**< Primary %key state index. */
+#define KS_LAME_DUCK 1 /**< %Key state index that will retire
+ * soon. */
+#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
+/** @} name Index of key_state objects within a tls_session structure */
+/** @} addtogroup control_processor */
+
+
+/**
+ * Security parameter state of a single session within a VPN tunnel.
+ * @ingroup control_processor
+ *
+ * This structure represents an OpenVPN peer-to-peer control channel
+ * session.
+ *
+ * A \c tls_session remains over soft resets, but a new instance is
+ * initialized for each hard reset.
+ *
+ * @see
+ * - This structure should be initialized using the \c tls_session_init()
+ * function.
+ * - This structure should be cleaned up using the \c tls_session_free()
+ * function.
+ */
+struct tls_session
+{
+ /* const options and config info */
+ struct tls_options *opt;
+
+ /* during hard reset used to control burst retransmit */
+ bool burst;
+
+ /* authenticate control packets */
+ struct crypto_options tls_auth;
+ struct packet_id tls_auth_pid;
+
+ int initial_opcode; /* our initial P_ opcode */
+ struct session_id session_id; /* our random session ID */
+ int key_id; /* increments with each soft reset (for key renegotiation) */
+
+ int limit_next; /* used for traffic shaping on the control channel */
+
+ int verify_maxlevel;
+
+ char *common_name;
+
+ struct cert_hash_set *cert_hash_set;
+
+#ifdef ENABLE_PF
+ uint32_t common_name_hashval;
+#endif
+
+ bool verified; /* true if peer certificate was verified against CA */
+
+ /* not-yet-authenticated incoming client */
+ struct link_socket_actual untrusted_addr;
+
+ struct key_state key[KS_SIZE];
+};
+
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of tls_session objects within a tls_multi structure
+ *
+ * This is the index of \c tls_multi.session
+ *
+ * Normally three tls_session objects are maintained by an active openvpn
+ * session. The first is the current, TLS authenticated session, the
+ * second is used to process connection requests from a new client that
+ * would usurp the current session if successfully authenticated, and the
+ * third is used as a repository for a "lame-duck" %key in the event that
+ * the primary session resets due to error while the lame-duck %key still
+ * has time left before its expiration. Lame duck keys are used to
+ * maintain the continuity of the data channel connection while a new %key
+ * is being negotiated.
+ *
+ * @{ */
+#define TM_ACTIVE 0 /**< Active \c tls_session. */
+#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session
+ * being negotiated. */
+#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
+#define TM_SIZE 3 /**< Size of the \c tls_multi.session
+ * array. */
+/** @} name Index of tls_session objects within a tls_multi structure */
+/** @} addtogroup control_processor */
+
+
+/*
+ * The number of keys we will scan on encrypt or decrypt. The first
+ * is the "active" key. The second is the lame_duck or retiring key
+ * associated with the active key's session ID. The third is a detached
+ * lame duck session that only occurs in situations where a key renegotiate
+ * failed on the active key, but a lame duck key was still valid. By
+ * preserving the lame duck session, we can be assured of having a data
+ * channel key available even when network conditions are so bad that
+ * we can't negotiate a new key within the time allotted.
+ */
+#define KEY_SCAN_SIZE 3
+
+
+/**
+ * Security parameter state for a single VPN tunnel.
+ * @ingroup control_processor
+ *
+ * An active VPN tunnel running with TLS enabled has one \c tls_multi
+ * object, in which it stores all control channel and data channel
+ * security parameter state. This structure can contain multiple,
+ * possibly simultaneously active, \c tls_context objects to allow for
+ * interruption-less transitions during session renegotiations. Each \c
+ * tls_context represents one control channel session, which can span
+ * multiple data channel security parameter sessions stored in \c
+ * key_state structures.
+ */
+struct tls_multi
+{
+ /* used to coordinate access between main thread and TLS thread */
+ /*MUTEX_PTR_DEFINE (mutex);*/
+
+ /* const options and config info */
+ struct tls_options opt;
+
+ struct key_state* key_scan[KEY_SCAN_SIZE];
+ /**< List of \c key_state objects in the
+ * order they should be scanned by data
+ * channel modules. */
+
+ /*
+ * used by tls_pre_encrypt to communicate the encrypt key
+ * to tls_post_encrypt()
+ */
+ struct key_state *save_ks; /* temporary pointer used between pre/post routines */
+
+ /*
+ * Used to return outgoing address from
+ * tls_multi_process.
+ */
+ struct link_socket_actual to_link_addr;
+
+ int n_sessions; /**< Number of sessions negotiated thus
+ * far. */
+
+ /*
+ * Number of errors.
+ */
+ int n_hard_errors; /* errors due to TLS negotiation failure */
+ int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
+
+ /*
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
+ */
+ char *locked_cn;
+ char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
+
+#ifdef ENABLE_DEF_AUTH
+ /*
+ * An error message to send to client on AUTH_FAILED
+ */
+ char *client_reason;
+
+ /*
+ * A multi-line string of general-purpose info received from peer
+ * over control channel.
+ */
+ char *peer_info;
+
+ /* Time of last call to tls_authentication_status */
+ time_t tas_last;
+#endif
+
+ /*
+ * Our session objects.
+ */
+ struct tls_session session[TM_SIZE];
+ /**< Array of \c tls_session objects
+ * representing control channel
+ * sessions with the remote peer. */
+};
+
+
#endif /* SSL_COMMON_H_ */
projects / thirdparty / openvpn.git / commitdiff
