aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 05:28:27 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-09-26 05:28:27 +0000
commit6fbf66fad3367b24fd6743bcd50254902fd9c8d5 (patch)
tree9802876e3771744eead18917bb47ff6e90ac39f5 /ssl.c
downloadopenvpn-6fbf66fad3367b24fd6743bcd50254902fd9c8d5.tar.xz
This is the start of the BETA21 branch.
It includes the --topology feature, and TAP-Win32 driver changes to allow non-admin access. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@580 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'ssl.c')
-rw-r--r--ssl.c4099
1 files changed, 4099 insertions, 0 deletions
diff --git a/ssl.c b/ssl.c
new file mode 100644
index 0000000..52bf8df
--- /dev/null
+++ b/ssl.c
@@ -0,0 +1,4099 @@
+/*
+ * OpenVPN -- An application to securely tunnel IP networks
+ * over a single TCP/UDP port, with support for SSL/TLS-based
+ * session authentication and key exchange,
+ * packet encryption, packet authentication, and
+ * packet compression.
+ *
+ * Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@openvpn.net>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program (see the file COPYING included with this
+ * distribution); if not, write to the Free Software Foundation, Inc.,
+ * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * The routines in this file deal with dynamically negotiating
+ * the data channel HMAC and cipher keys through a TLS session.
+ *
+ * Both the TLS session and the data channel are multiplexed
+ * over the same TCP/UDP port.
+ */
+
+#ifdef WIN32
+#include "config-win32.h"
+#else
+#include "config.h"
+#endif
+
+#if defined(USE_CRYPTO) && defined(USE_SSL)
+
+#include "syshead.h"
+
+#include "ssl.h"
+#include "error.h"
+#include "common.h"
+#include "integer.h"
+#include "socket.h"
+#include "thread.h"
+#include "misc.h"
+#include "fdmisc.h"
+#include "interval.h"
+#include "perf.h"
+#include "status.h"
+#include "gremlin.h"
+
+#ifdef WIN32
+#include "cryptoapi.h"
+#endif
+
+#include "memdbg.h"
+
+#ifndef ENABLE_OCC
+static const char ssl_default_options_string[] = "V0 UNDEF";
+#endif
+
+static inline const char *
+local_options_string (const struct tls_session *session)
+{
+#ifdef ENABLE_OCC
+ return session->opt->local_options;
+#else
+ return ssl_default_options_string;
+#endif
+}
+
+#ifdef MEASURE_TLS_HANDSHAKE_STATS
+
+static int tls_handshake_success; /* GLOBAL */
+static int tls_handshake_error; /* GLOBAL */
+static int tls_packets_generated; /* GLOBAL */
+static int tls_packets_sent; /* GLOBAL */
+
+#define INCR_SENT ++tls_packets_sent
+#define INCR_GENERATED ++tls_packets_generated
+#define INCR_SUCCESS ++tls_handshake_success
+#define INCR_ERROR ++tls_handshake_error
+
+void
+show_tls_performance_stats(void)
+{
+ msg (D_TLS_DEBUG_LOW, "TLS Handshakes, success=%f%% (good=%d, bad=%d), retransmits=%f%%",
+ (double) tls_handshake_success / (tls_handshake_success + tls_handshake_error) * 100.0,
+ tls_handshake_success, tls_handshake_error,
+ (double) (tls_packets_sent - tls_packets_generated) / tls_packets_generated * 100.0);
+}
+#else
+
+#define INCR_SENT
+#define INCR_GENERATED
+#define INCR_SUCCESS
+#define INCR_ERROR
+
+#endif
+
+#ifdef BIO_DEBUG
+
+#warning BIO_DEBUG defined
+
+static FILE *biofp; /* GLOBAL */
+static bool biofp_toggle; /* GLOBAL */
+static time_t biofp_last_open; /* GLOBAL */
+static const int biofp_reopen_interval = 600; /* GLOBAL */
+
+static void
+close_biofp()
+{
+ if (biofp)
+ {
+ ASSERT (!fclose (biofp));
+ biofp = NULL;
+ }
+}
+
+static void
+open_biofp()
+{
+ const time_t current = time (NULL);
+ const pid_t pid = getpid ();
+
+ if (biofp_last_open + biofp_reopen_interval < current)
+ close_biofp();
+ if (!biofp)
+ {
+ char fn[256];
+ openvpn_snprintf(fn, sizeof(fn), "bio/%d-%d.log", pid, biofp_toggle);
+ biofp = fopen (fn, "w");
+ ASSERT (biofp);
+ biofp_last_open = time (NULL);
+ biofp_toggle ^= 1;
+ }
+}
+
+static void
+bio_debug_data (const char *mode, BIO *bio, const uint8_t *buf, int len, const char *desc)
+{
+ struct gc_arena gc = gc_new ();
+ if (len > 0)
+ {
+ open_biofp();
+ fprintf(biofp, "BIO_%s %s time=" time_format " bio=" ptr_format " len=%d data=%s\n",
+ mode, desc, time (NULL), (ptr_type)bio, len, format_hex (buf, len, 0, &gc));
+ fflush (biofp);
+ }
+ gc_free (&gc);
+}
+
+static void
+bio_debug_oc (const char *mode, BIO *bio)
+{
+ open_biofp();
+ fprintf(biofp, "BIO %s time=" time_format " bio=" ptr_format "\n",
+ mode, time (NULL), (ptr_type)bio);
+ fflush (biofp);
+}
+
+#endif
+
+/*
+ * Max number of bytes we will add
+ * for data structures common to both
+ * data and control channel packets.
+ * (opcode only).
+ */
+void
+tls_adjust_frame_parameters(struct frame *frame)
+{
+ frame_add_to_extra_frame (frame, 1); /* space for opcode */
+}
+
+/*
+ * Max number of bytes we will add
+ * to control channel packet.
+ */
+static void
+tls_init_control_channel_frame_parameters(const struct frame *data_channel_frame,
+ struct frame *frame)
+{
+ /*
+ * frame->extra_frame is already initialized with tls_auth buffer requirements,
+ * if --tls-auth is enabled.
+ */
+
+ /* inherit link MTU and extra_link from data channel */
+ frame->link_mtu = data_channel_frame->link_mtu;
+ frame->extra_link = data_channel_frame->extra_link;
+
+ /* set extra_frame */
+ tls_adjust_frame_parameters (frame);
+ reliable_ack_adjust_frame_parameters (frame, CONTROL_SEND_ACK_MAX);
+ frame_add_to_extra_frame (frame, SID_SIZE + sizeof (packet_id_type));
+
+ /* set dynamic link MTU to minimum value */
+ frame_set_mtu_dynamic (frame, 0, SET_MTU_TUN);
+}
+
+/*
+ * Allocate space in SSL objects
+ * in which to store a struct tls_session
+ * pointer back to parent.
+ */
+
+static int mydata_index; /* GLOBAL */
+
+static void
+ssl_set_mydata_index ()
+{
+ mydata_index = SSL_get_ex_new_index (0, "struct session *", NULL, NULL, NULL);
+ ASSERT (mydata_index >= 0);
+}
+
+void
+init_ssl_lib ()
+{
+ SSL_library_init ();
+ SSL_load_error_strings ();
+ OpenSSL_add_all_algorithms ();
+
+ init_crypto_lib();
+
+ /*
+ * If you build the OpenSSL library and OpenVPN with
+ * CRYPTO_MDEBUG, you will get a listing of OpenSSL
+ * memory leaks on program termination.
+ */
+#ifdef CRYPTO_MDEBUG
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+#endif
+
+ ssl_set_mydata_index ();
+}
+
+void
+free_ssl_lib ()
+{
+#ifdef CRYPTO_MDEBUG
+ FILE* fp = fopen ("sdlog", "w");
+ ASSERT (fp);
+ CRYPTO_mem_leaks_fp (fp);
+ fclose (fp);
+#endif
+
+ uninit_crypto_lib ();
+ EVP_cleanup ();
+ ERR_free_strings ();
+}
+
+/*
+ * OpenSSL library calls pem_password_callback if the
+ * private key is protected by a password.
+ */
+
+static struct user_pass passbuf; /* GLOBAL */
+
+void
+pem_password_setup (const char *auth_file)
+{
+ if (!strlen (passbuf.password))
+ get_user_pass (&passbuf, auth_file, true, UP_TYPE_PRIVATE_KEY, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
+}
+
+int
+pem_password_callback (char *buf, int size, int rwflag, void *u)
+{
+ if (buf)
+ {
+ /* prompt for password even if --askpass wasn't specified */
+ pem_password_setup (NULL);
+ strncpynt (buf, passbuf.password, size);
+ purge_user_pass (&passbuf, false);
+
+ return strlen (buf);
+ }
+ return 0;
+}
+
+/*
+ * Auth username/password handling
+ */
+
+static bool auth_user_pass_enabled; /* GLOBAL */
+static struct user_pass auth_user_pass; /* GLOBAL */
+
+void
+auth_user_pass_setup (const char *auth_file)
+{
+ auth_user_pass_enabled = true;
+ if (!auth_user_pass.defined)
+ get_user_pass (&auth_user_pass, auth_file, false, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT|GET_USER_PASS_SENSITIVE);
+}
+
+/*
+ * Disable password caching
+ */
+void
+ssl_set_auth_nocache (void)
+{
+ passbuf.nocache = true;
+ auth_user_pass.nocache = true;
+}
+
+/*
+ * Forget private key password AND auth-user-pass username/password.
+ */
+void
+ssl_purge_auth (void)
+{
+#if 1 /* JYFIXME -- todo: bad private key should trigger a signal, then this code can be included */
+ purge_user_pass (&passbuf, true);
+#endif
+ purge_user_pass (&auth_user_pass, true);
+}
+
+/*
+ * OpenSSL callback to get a temporary RSA key, mostly
+ * used for export ciphers.
+ */
+static RSA *
+tmp_rsa_cb (SSL * s, int is_export, int keylength)
+{
+ static RSA *rsa_tmp = NULL;
+ if (rsa_tmp == NULL)
+ {
+ msg (D_HANDSHAKE, "Generating temp (%d bit) RSA key", keylength);
+ rsa_tmp = RSA_generate_key (keylength, RSA_F4, NULL, NULL);
+ }
+ return (rsa_tmp);
+}
+
+/*
+ * Extract a field from an X509 subject name.
+ *
+ * Example:
+ *
+ * /C=US/ST=CO/L=Denver/O=ORG/CN=Test-CA/Email=jim@yonan.net
+ *
+ * The common name is 'Test-CA'
+ */
+static void
+extract_x509_field (const char *x509, const char *field_name, char *out, int size)
+{
+ char field_buf[256];
+ struct buffer x509_buf;
+
+ ASSERT (size > 0);
+ *out = '\0';
+ buf_set_read (&x509_buf, (uint8_t *)x509, strlen (x509));
+ while (buf_parse (&x509_buf, '/', field_buf, sizeof (field_buf)))
+ {
+ struct buffer component_buf;
+ char field_name_buf[64];
+ char field_value_buf[256];
+ buf_set_read (&component_buf, (const uint8_t *) field_buf, strlen (field_buf));
+ buf_parse (&component_buf, '=', field_name_buf, sizeof (field_name_buf));
+ buf_parse (&component_buf, '=', field_value_buf, sizeof (field_value_buf));
+ if (!strcmp (field_name_buf, field_name))
+ {
+ strncpynt (out, field_value_buf, size);
+ break;
+ }
+ }
+}
+
+static void
+setenv_untrusted (struct tls_session *session)
+{
+ setenv_sockaddr (session->opt->es, "untrusted", &session->untrusted_sockaddr, SA_IP_PORT);
+}
+
+static void
+set_common_name (struct tls_session *session, const char *common_name)
+{
+ if (session->common_name)
+ {
+ free (session->common_name);
+ session->common_name = NULL;
+ }
+ if (common_name)
+ {
+ session->common_name = string_alloc (common_name, NULL);
+ }
+}
+
+/*
+ * nsCertType checking
+ */
+
+#define verify_nsCertType(x, usage) (((x)->ex_flags & EXFLAG_NSCERT) && ((x)->ex_nscert & (usage)))
+
+static const char *
+print_nsCertType (int type)
+{
+ switch (type)
+ {
+ case NS_SSL_SERVER:
+ return "SERVER";
+ case NS_SSL_CLIENT:
+ return "CLIENT";
+ default:
+ return "?";
+ }
+}
+
+/*
+ * Our verify callback function -- check
+ * that an incoming peer certificate is good.
+ */
+
+static int
+verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
+{
+ char subject[256];
+ char envname[64];
+ char common_name[TLS_CN_LEN];
+ SSL *ssl;
+ struct tls_session *session;
+ const struct tls_options *opt;
+ const int max_depth = 8;
+
+ /* get the tls_session pointer */
+ ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ ASSERT (ssl);
+ session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
+ ASSERT (session);
+ opt = session->opt;
+ ASSERT (opt);
+
+ session->verified = false;
+
+ /* get the X509 name */
+ X509_NAME_oneline (X509_get_subject_name (ctx->current_cert), subject,
+ sizeof (subject));
+ subject[sizeof (subject) - 1] = '\0';
+
+ /* enforce character class restrictions in X509 name */
+ string_mod (subject, X509_NAME_CHAR_CLASS, 0, '_');
+
+ /* extract the common name */
+ extract_x509_field (subject, "CN", common_name, TLS_CN_LEN);
+ string_mod (common_name, COMMON_NAME_CHAR_CLASS, 0, '_');
+
+#if 0 /* print some debugging info */
+ msg (D_LOW, "LOCAL OPT: %s", opt->local_options);
+ msg (D_LOW, "X509: %s", subject);
+#endif
+
+ /* did peer present cert which was signed our root cert? */
+ if (!preverify_ok)
+ {
+ /* Remote site specified a certificate, but it's not correct */
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
+ ctx->error_depth, X509_verify_cert_error_string (ctx->error), subject);
+ goto err; /* Reject connection */
+ }
+
+ /* warn if cert chain is too deep */
+ if (ctx->error_depth >= max_depth)
+ msg (M_WARN, "TLS Warning: Convoluted certificate chain detected with depth [%d] greater than %d", ctx->error_depth, max_depth);
+
+ /* save common name in session object */
+ if (ctx->error_depth == 0)
+ set_common_name (session, common_name);
+
+ /* export subject name string as environmental variable */
+ session->verify_maxlevel = max_int (session->verify_maxlevel, ctx->error_depth);
+ openvpn_snprintf (envname, sizeof(envname), "tls_id_%d", ctx->error_depth);
+ setenv_str (opt->es, envname, subject);
+
+#if 0
+ /* export common name string as environmental variable */
+ openvpn_snprintf (envname, sizeof(envname), "tls_common_name_%d", ctx->error_depth);
+ setenv_str (opt->es, envname, common_name);
+#endif
+
+ /* export serial number as environmental variable */
+ {
+ const int serial = (int) ASN1_INTEGER_get (X509_get_serialNumber (ctx->current_cert));
+ openvpn_snprintf (envname, sizeof(envname), "tls_serial_%d", ctx->error_depth);
+ setenv_int (opt->es, envname, serial);
+ }
+
+ /* export current untrusted IP */
+ setenv_untrusted (session);
+
+ /* verify certificate nsCertType */
+ if (opt->ns_cert_type && ctx->error_depth == 0)
+ {
+ if (verify_nsCertType (ctx->current_cert, opt->ns_cert_type))
+ {
+ msg (D_HANDSHAKE, "VERIFY OK: nsCertType=%s",
+ print_nsCertType (opt->ns_cert_type));
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY nsCertType ERROR: %s, require nsCertType=%s",
+ subject, print_nsCertType (opt->ns_cert_type));
+ goto err; /* Reject connection */
+ }
+ }
+
+ /* verify X509 name or common name against --tls-remote */
+ if (opt->verify_x509name && strlen (opt->verify_x509name) > 0 && ctx->error_depth == 0)
+ {
+ if (strcmp (opt->verify_x509name, subject) == 0
+ || strncmp (opt->verify_x509name, common_name, strlen (opt->verify_x509name)) == 0)
+ msg (D_HANDSHAKE, "VERIFY X509NAME OK: %s", subject);
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY X509NAME ERROR: %s, must be %s",
+ subject, opt->verify_x509name);
+ goto err; /* Reject connection */
+ }
+ }
+
+ /* call --tls-verify plug-in(s) */
+ if (plugin_defined (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY))
+ {
+ char command[256];
+ struct buffer out;
+ int ret;
+
+ buf_set_write (&out, (uint8_t*)command, sizeof (command));
+ buf_printf (&out, "%d %s",
+ ctx->error_depth,
+ subject);
+
+ ret = plugin_call (opt->plugins, OPENVPN_PLUGIN_TLS_VERIFY, command, opt->es);
+
+ if (!ret)
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN OK: depth=%d, %s",
+ ctx->error_depth, subject);
+ }
+ else
+ {
+ msg (D_HANDSHAKE, "VERIFY PLUGIN ERROR: depth=%d, %s",
+ ctx->error_depth, subject);
+ goto err; /* Reject connection */
+ }
+ }
+
+ /* run --tls-verify script */
+ if (opt->verify_command)
+ {
+ char command[256];
+ struct buffer out;
+ int ret;
+
+ setenv_str (opt->es, "script_type", "tls-verify");
+
+ buf_set_write (&out, (uint8_t*)command, sizeof (command));
+ buf_printf (&out, "%s %d %s",
+ opt->verify_command,
+ ctx->error_depth,
+ subject);
+ dmsg (D_TLS_DEBUG, "TLS: executing verify command: %s", command);
+ ret = openvpn_system (command, opt->es, S_SCRIPT);
+
+ if (system_ok (ret))
+ {
+ msg (D_HANDSHAKE, "VERIFY SCRIPT OK: depth=%d, %s",
+ ctx->error_depth, subject);
+ }
+ else
+ {
+ if (!system_executed (ret))
+ msg (M_ERR, "Verify command failed to execute: %s", command);
+ msg (D_HANDSHAKE, "VERIFY SCRIPT ERROR: depth=%d, %s",
+ ctx->error_depth, subject);
+ goto err; /* Reject connection */
+ }
+ }
+
+ /* check peer cert against CRL */
+ if (opt->crl_file)
+ {
+ X509_CRL *crl=NULL;
+ X509_REVOKED *revoked;
+ BIO *in=NULL;
+ int n,i,retval = 0;
+
+ in=BIO_new(BIO_s_file());
+
+ if (in == NULL) {
+ msg (M_ERR, "CRL: BIO err");
+ goto end;
+ }
+ if (BIO_read_filename(in, opt->crl_file) <= 0) {
+ msg (M_ERR, "CRL: cannot read: %s", opt->crl_file);
+ goto end;
+ }
+ crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+ if (crl == NULL) {
+ msg (M_ERR, "CRL: cannot read CRL from file %s", opt->crl_file);
+ goto end;
+ }
+
+ if (X509_NAME_cmp(X509_CRL_get_issuer(crl), X509_get_issuer_name(ctx->current_cert)) != 0) {
+ msg (M_WARN, "CRL: CRL %s is from a different issuer than the issuer of certificate %s", opt->crl_file, subject);
+ retval = 1;
+ goto end;
+ }
+
+ n = sk_num(X509_CRL_get_REVOKED(crl));
+
+ for (i = 0; i < n; i++) {
+ revoked = (X509_REVOKED *)sk_value(X509_CRL_get_REVOKED(crl), i);
+ if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(ctx->current_cert)) == 0) {
+ msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
+ goto end;
+ }
+ }
+
+ retval = 1;
+ msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
+
+ end:
+
+ BIO_free(in);
+ if (crl)
+ X509_CRL_free (crl);
+ if (!retval)
+ goto err;
+ }
+
+ msg (D_HANDSHAKE, "VERIFY OK: depth=%d, %s", ctx->error_depth, subject);
+
+ session->verified = true;
+ return 1; /* Accept connection */
+
+ err:
+ ERR_clear_error ();
+ return 0; /* Reject connection */
+}
+
+void
+tls_set_common_name (struct tls_multi *multi, const char *common_name)
+{
+ if (multi)
+ set_common_name (&multi->session[TM_ACTIVE], common_name);
+}
+
+const char *
+tls_common_name (struct tls_multi *multi, bool null)
+{
+ const char *ret = NULL;
+ if (multi)
+ ret = multi->session[TM_ACTIVE].common_name;
+ if (ret && strlen (ret))
+ return ret;
+ else if (null)
+ return NULL;
+ else
+ return "UNDEF";
+}
+
+void
+tls_lock_common_name (struct tls_multi *multi)
+{
+ const char *cn = multi->session[TM_ACTIVE].common_name;
+ if (cn && !multi->locked_cn)
+ multi->locked_cn = string_alloc (cn, NULL);
+}
+
+/*
+ * Return true if at least one valid key state exists
+ * which has passed authentication. If we are using
+ * username/password authentication, and the authentication
+ * failed, we may have a live S_ACTIVE/S_NORMAL key state
+ * even though the 'authenticated' var might be false.
+ *
+ * This is so that we can return an AUTH_FAILED error
+ * message to the client over the TLS channel.
+ *
+ * If 'authenticated' is false, tunnel traffic forwarding
+ * is disabled but TLS channel data can still be sent
+ * or received.
+ */
+bool
+tls_authenticated (struct tls_multi *multi)
+{
+ if (multi)
+ {
+ int i;
+ for (i = 0; i < KEY_SCAN_SIZE; ++i)
+ {
+ const struct key_state *ks = multi->key_scan[i];
+ if (DECRYPT_KEY_ENABLED (multi, ks) && ks->authenticated)
+ return true;
+ }
+ }
+ return false;
+}
+
+void
+tls_deauthenticate (struct tls_multi *multi)
+{
+ if (multi)
+ {
+ int i, j;
+ for (i = 0; i < TM_SIZE; ++i)
+ for (j = 0; j < KS_SIZE; ++j)
+ multi->session[i].key[j].authenticated = false;
+ }
+}
+
+/*
+ * Print debugging information on SSL/TLS session negotiation.
+ */
+static void
+info_callback (INFO_CALLBACK_SSL_CONST SSL * s, int where, int ret)
+{
+ if (where & SSL_CB_LOOP)
+ {
+ dmsg (D_HANDSHAKE_VERBOSE, "SSL state (%s): %s",
+ where & SSL_ST_CONNECT ? "connect" :
+ where & SSL_ST_ACCEPT ? "accept" :
+ "undefined", SSL_state_string_long (s));
+ }
+ else if (where & SSL_CB_ALERT)
+ {
+ dmsg (D_HANDSHAKE_VERBOSE, "SSL alert (%s): %s: %s",
+ where & SSL_CB_READ ? "read" : "write",
+ SSL_alert_type_string_long (ret),
+ SSL_alert_desc_string_long (ret));
+ }
+}
+
+/*
+ * Initialize SSL context.
+ * All files are in PEM format.
+ */
+SSL_CTX *
+init_ssl (const struct options *options)
+{
+ SSL_CTX *ctx = NULL;
+ DH *dh;
+ BIO *bio;
+ bool using_cert_file = false;
+
+ ERR_clear_error ();
+
+ if (options->tls_server)
+ {
+ ctx = SSL_CTX_new (TLSv1_server_method ());
+ if (ctx == NULL)
+ msg (M_SSLERR, "SSL_CTX_new TLSv1_server_method");
+
+ SSL_CTX_set_tmp_rsa_callback (ctx, tmp_rsa_cb);
+
+ /* Get Diffie Hellman Parameters */
+ if (!(bio = BIO_new_file (options->dh_file, "r")))
+ msg (M_SSLERR, "Cannot open %s for DH parameters", options->dh_file);
+ dh = PEM_read_bio_DHparams (bio, NULL, NULL, NULL);
+ BIO_free (bio);
+ if (!dh)
+ msg (M_SSLERR, "Cannot load DH parameters from %s", options->dh_file);
+ if (!SSL_CTX_set_tmp_dh (ctx, dh))
+ msg (M_SSLERR, "SSL_CTX_set_tmp_dh");
+ msg (D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
+ 8 * DH_size (dh));
+ DH_free (dh);
+ }
+ else /* if client */
+ {
+ ctx = SSL_CTX_new (TLSv1_client_method ());
+ if (ctx == NULL)
+ msg (M_SSLERR, "SSL_CTX_new TLSv1_client_method");
+ }
+
+ /* Set SSL options */
+ SSL_CTX_set_session_cache_mode (ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_options (ctx, SSL_OP_SINGLE_DH_USE);
+
+ /* Set callback for getting password from user to decrypt private key */
+ SSL_CTX_set_default_passwd_cb (ctx, pem_password_callback);
+
+ if (options->pkcs12_file)
+ {
+ /* Use PKCS #12 file for key, cert and CA certs */
+
+ FILE *fp;
+ EVP_PKEY *pkey;
+ X509 *cert;
+ STACK_OF(X509) *ca = NULL;
+ PKCS12 *p12;
+ int i;
+ char password[256];
+
+ /* Load the PKCS #12 file */
+ if (!(fp = fopen(options->pkcs12_file, "rb")))
+ msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
+ p12 = d2i_PKCS12_fp(fp, NULL);
+ fclose (fp);
+ if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
+
+ /* Parse the PKCS #12 file */
+ if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
+ {
+ pem_password_callback (password, sizeof(password) - 1, 0, NULL);
+ /* Reparse the PKCS #12 file with password */
+ ca = NULL;
+ if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
+ {
+ PKCS12_free(p12);
+ msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);
+ goto err;
+ }
+ }
+ PKCS12_free(p12);
+
+ /* Load Certificate */
+ if (!SSL_CTX_use_certificate (ctx, cert))
+ msg (M_SSLERR, "Cannot use certificate");
+
+ /* Load Private Key */
+ if (!SSL_CTX_use_PrivateKey (ctx, pkey))
+ msg (M_SSLERR, "Cannot use private key");
+ warn_if_group_others_accessible (options->pkcs12_file);
+
+ /* Check Private Key */
+ if (!SSL_CTX_check_private_key (ctx))
+ msg (M_SSLERR, "Private key does not match the certificate");
+
+ /* Set Certificate Verification chain */
+ if (ca && sk_num(ca))
+ {
+ for (i = 0; i < sk_X509_num(ca); i++)
+ {
+ if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
+ if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
+ msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
+ }
+ }
+ }
+ else
+ {
+ /* Use seperate PEM files for key, cert and CA certs */
+
+#ifdef WIN32
+ if (options->cryptoapi_cert)
+ {
+ /* Load Certificate and Private Key */
+ if (!SSL_CTX_use_CryptoAPI_certificate (ctx, options->cryptoapi_cert))
+ msg (M_SSLERR, "Cannot load certificate \"%s\" from Microsoft Certificate Store",
+ options->cryptoapi_cert);
+ }
+ else
+#endif
+ {
+ /* Load Certificate */
+ if (options->cert_file)
+ {
+ using_cert_file = true;
+ if (!SSL_CTX_use_certificate_file (ctx, options->cert_file, SSL_FILETYPE_PEM))
+ msg (M_SSLERR, "Cannot load certificate file %s", options->cert_file);
+ }
+
+ /* Load Private Key */
+ if (options->priv_key_file)
+ {
+ if (!SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM))
+ {
+#ifdef ENABLE_MANAGEMENT
+ if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
+ management_auth_failure (management, UP_TYPE_PRIVATE_KEY);
+#endif
+ msg (M_WARN|M_SSL, "Cannot load private key file %s", options->priv_key_file);
+ goto err;
+ }
+ warn_if_group_others_accessible (options->priv_key_file);
+
+ /* Check Private Key */
+ if (!SSL_CTX_check_private_key (ctx))
+ msg (M_SSLERR, "Private key does not match the certificate");
+ }
+ }
+
+ /* Load CA file for verifying peer supplied certificate */
+ ASSERT (options->ca_file);
+ if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))
+ msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_CTX_load_verify_locations)", options->ca_file);
+
+ /* Load names of CAs from file and use it as a client CA list */
+ {
+ STACK_OF(X509_NAME) *cert_names;
+ cert_names = SSL_load_client_CA_file (options->ca_file);
+ if (!cert_names)
+ msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
+ SSL_CTX_set_client_CA_list (ctx, cert_names);
+ }
+
+ }
+
+ /* Enable the use of certificate chains */
+ if (using_cert_file)
+ {
+ if (!SSL_CTX_use_certificate_chain_file (ctx, options->cert_file))
+ msg (M_SSLERR, "Cannot load certificate chain file %s (SSL_use_certificate_chain_file)", options->cert_file);
+ }
+
+ /* Require peer certificate verification */
+#if P2MP_SERVER
+ if (options->client_cert_not_required)
+ {
+ msg (M_WARN, "WARNING: This configuration may accept clients which do not present a certificate");
+ }
+ else
+#endif
+ SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback);
+
+ /* Connection information callback */
+ SSL_CTX_set_info_callback (ctx, info_callback);
+
+ /* Allowable ciphers */
+ if (options->cipher_list)
+ {
+ if (!SSL_CTX_set_cipher_list (ctx, options->cipher_list))
+ msg (M_SSLERR, "Problem with cipher list: %s", options->cipher_list);
+ }
+
+ ERR_clear_error ();
+
+ return ctx;
+
+ err:
+ ERR_clear_error ();
+ if (ctx)
+ SSL_CTX_free (ctx);
+ return NULL;
+}
+
+/*
+ * Print a one line summary of SSL/TLS session handshake.
+ */
+static void
+print_details (SSL * c_ssl, const char *prefix)
+{
+ SSL_CIPHER *ciph;
+ X509 *cert;
+ char s1[256];
+ char s2[256];
+
+ s1[0] = s2[0] = 0;
+ ciph = SSL_get_current_cipher (c_ssl);
+ openvpn_snprintf (s1, sizeof (s1), "%s %s, cipher %s %s",
+ prefix,
+ SSL_get_version (c_ssl),
+ SSL_CIPHER_get_version (ciph),
+ SSL_CIPHER_get_name (ciph));
+ cert = SSL_get_peer_certificate (c_ssl);
+ if (cert != NULL)
+ {
+ EVP_PKEY *pkey = X509_get_pubkey (cert);
+ if (pkey != NULL)
+ {
+ if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+ && pkey->pkey.rsa->n != NULL)
+ {
+ openvpn_snprintf (s2, sizeof (s2), ", %d bit RSA",
+ BN_num_bits (pkey->pkey.rsa->n));
+ }
+ else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+ && pkey->pkey.dsa->p != NULL)
+ {
+ openvpn_snprintf (s2, sizeof (s2), ", %d bit DSA",
+ BN_num_bits (pkey->pkey.dsa->p));
+ }
+ EVP_PKEY_free (pkey);
+ }
+ X509_free (cert);
+ }
+ /* The SSL API does not allow us to look at temporary RSA/DH keys,
+ * otherwise we should print their lengths too */
+ msg (D_HANDSHAKE, "%s%s", s1, s2);
+}
+
+/*
+ * Show the TLS ciphers that are available for us to use
+ * in the OpenSSL library.
+ */
+void
+show_available_tls_ciphers ()
+{
+ SSL_CTX *ctx;
+ SSL *ssl;
+ const char *cipher_name;
+ int priority = 0;
+
+ ctx = SSL_CTX_new (TLSv1_method ());
+ if (!ctx)
+ msg (M_SSLERR, "Cannot create SSL_CTX object");
+ ssl = SSL_new (ctx);
+ if (!ssl)
+ msg (M_SSLERR, "Cannot create SSL object");
+
+ printf ("Available TLS Ciphers,\n");
+ printf ("listed in order of preference:\n\n");
+ while ((cipher_name = SSL_get_cipher_list (ssl, priority++)))
+ printf ("%s\n", cipher_name);
+ printf ("\n");
+
+ SSL_free (ssl);
+ SSL_CTX_free (ctx);
+}
+
+/*
+ * The OpenSSL library has a notion of preference in TLS
+ * ciphers. Higher preference == more secure.
+ * Return the highest preference cipher.
+ */
+void
+get_highest_preference_tls_cipher (char *buf, int size)
+{
+ SSL_CTX *ctx;
+ SSL *ssl;
+ const char *cipher_name;
+
+ ctx = SSL_CTX_new (TLSv1_method ());
+ if (!ctx)
+ msg (M_SSLERR, "Cannot create SSL_CTX object");
+ ssl = SSL_new (ctx);
+ if (!ssl)
+ msg (M_SSLERR, "Cannot create SSL object");
+
+ cipher_name = SSL_get_cipher_list (ssl, 0);
+ strncpynt (buf, cipher_name, size);
+
+ SSL_free (ssl);
+ SSL_CTX_free (ctx);
+}
+
+/*
+ * Map internal constants to ascii names.
+ */
+static const char *
+state_name (int state)
+{
+ switch (state)
+ {
+ case S_UNDEF:
+ return "S_UNDEF";
+ case S_INITIAL:
+ return "S_INITIAL";
+ case S_PRE_START:
+ return "S_PRE_START";
+ case S_START:
+ return "S_START";
+ case S_SENT_KEY:
+ return "S_SENT_KEY";
+ case S_GOT_KEY:
+ return "S_GOT_KEY";
+ case S_ACTIVE:
+ return "S_ACTIVE";
+ case S_NORMAL:
+ return "S_NORMAL";
+ case S_ERROR:
+ return "S_ERROR";
+ default:
+ return "S_???";
+ }
+}
+
+static const char *
+packet_opcode_name (int op)
+{
+ switch (op)
+ {
+ case P_CONTROL_HARD_RESET_CLIENT_V1:
+ return "P_CONTROL_HARD_RESET_CLIENT_V1";
+ case P_CONTROL_HARD_RESET_SERVER_V1:
+ return "P_CONTROL_HARD_RESET_SERVER_V1";
+ case P_CONTROL_HARD_RESET_CLIENT_V2:
+ return "P_CONTROL_HARD_RESET_CLIENT_V2";
+ case P_CONTROL_HARD_RESET_SERVER_V2:
+ return "P_CONTROL_HARD_RESET_SERVER_V2";
+ case P_CONTROL_SOFT_RESET_V1:
+ return "P_CONTROL_SOFT_RESET_V1";
+ case P_CONTROL_V1:
+ return "P_CONTROL_V1";
+ case P_ACK_V1:
+ return "P_ACK_V1";
+ case P_DATA_V1:
+ return "P_DATA_V1";
+ default:
+ return "P_???";
+ }
+}
+
+static const char *
+session_index_name (int index)
+{
+ switch (index)
+ {
+ case TM_ACTIVE:
+ return "TM_ACTIVE";
+ case TM_UNTRUSTED:
+ return "TM_UNTRUSTED";
+ case TM_LAME_DUCK:
+ return "TM_LAME_DUCK";
+ default:
+ return "TM_???";
+ }
+}
+
+/*
+ * For debugging.
+ */
+static const char *
+print_key_id (struct tls_multi *multi, struct gc_arena *gc)
+{
+ int i;
+ struct buffer out = alloc_buf_gc (256, gc);
+
+ for (i = 0; i < KEY_SCAN_SIZE; ++i)
+ {
+ struct key_state *ks = multi->key_scan[i];
+ buf_printf (&out, " [key#%d state=%s id=%d sid=%s]", i,
+ state_name (ks->state), ks->key_id,
+ session_id_print (&ks->session_id_remote, gc));
+ }
+
+ return BSTR (&out);
+}
+
+/*
+ * Given a key_method, return true if op
+ * represents the required form of hard_reset.
+ *
+ * If key_method = 0, return true if any
+ * form of hard reset is used.
+ */
+static bool
+is_hard_reset (int op, int key_method)
+{
+ if (!key_method || key_method == 1)
+ if (op == P_CONTROL_HARD_RESET_CLIENT_V1 || op == P_CONTROL_HARD_RESET_SERVER_V1)
+ return true;
+
+ if (!key_method || key_method >= 2)
+ if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2)
+ return true;
+
+ return false;
+}
+
+/*
+ * OpenVPN's interface to SSL/TLS authentication,
+ * encryption, and decryption is exclusively
+ * through "memory BIOs".
+ */
+static BIO *
+getbio (BIO_METHOD * type, const char *desc)
+{
+ BIO *ret;
+ ret = BIO_new (type);
+ if (!ret)
+ msg (M_SSLERR, "Error creating %s BIO", desc);
+ return ret;
+}
+
+/*
+ * Write to an OpenSSL BIO in non-blocking mode.
+ */
+static int
+bio_write (struct tls_multi* multi, BIO *bio, const uint8_t *data, int size, const char *desc)
+{
+ int i;
+ int ret = 0;
+ ASSERT (size >= 0);
+ if (size)
+ {
+ /*
+ * Free the L_TLS lock prior to calling BIO routines
+ * so that foreground thread can still call
+ * tls_pre_decrypt or tls_pre_encrypt,
+ * allowing tunnel packet forwarding to continue.
+ */
+#ifdef BIO_DEBUG
+ bio_debug_data ("write", bio, data, size, desc);
+#endif
+ i = BIO_write (bio, data, size);
+
+ if (i < 0)
+ {
+ if (BIO_should_retry (bio))
+ {
+ ;
+ }
+ else
+ {
+ msg (D_TLS_ERRORS | M_SSL, "TLS ERROR: BIO write %s error",
+ desc);
+ ret = -1;
+ ERR_clear_error ();
+ }
+ }
+ else if (i != size)
+ {
+ msg (D_TLS_ERRORS | M_SSL,
+ "TLS ERROR: BIO write %s incomplete %d/%d", desc, i, size);
+ ret = -1;
+ ERR_clear_error ();
+ }
+ else
+ { /* successful write */
+ dmsg (D_HANDSHAKE_VERBOSE, "BIO write %s %d bytes", desc, i);
+ ret = 1;
+ }
+ }
+ return ret;
+}
+
+/*
+ * Read from an OpenSSL BIO in non-blocking mode.
+ */
+static int
+bio_read (struct tls_multi* multi, BIO *bio, struct buffer *buf, int maxlen, const char *desc)
+{
+ int i;
+ int ret = 0;
+ ASSERT (buf->len >= 0);
+ if (buf->len)
+ {
+ ;
+ }
+ else
+ {
+ int len = buf_forward_capacity (buf);
+ if (maxlen < len)
+ len = maxlen;
+
+ /*
+ * BIO_read brackets most of the serious RSA
+ * key negotiation number crunching.
+ */
+ i = BIO_read (bio, BPTR (buf), len);
+
+ VALGRIND_MAKE_READABLE ((void *) &i, sizeof (i));
+
+#ifdef BIO_DEBUG
+ bio_debug_data ("read", bio, BPTR (buf), i, desc);
+#endif
+ if (i < 0)
+ {
+ if (BIO_should_retry (bio))
+ {
+ ;
+ }
+ else
+ {
+ msg (D_TLS_ERRORS | M_SSL, "TLS_ERROR: BIO read %s error",
+ desc);
+ buf->len = 0;
+ ret = -1;
+ ERR_clear_error ();
+ }
+ }
+ else if (!i)
+ {
+ buf->len = 0;
+ }
+ else
+ { /* successful read */
+ dmsg (D_HANDSHAKE_VERBOSE, "BIO read %s %d bytes", desc, i);
+ buf->len = i;
+ ret = 1;
+ VALGRIND_MAKE_READABLE ((void *) BPTR (buf), BLEN (buf));
+ }
+ }
+ return ret;
+}
+
+/*
+ * Inline functions for reading from and writing
+ * to BIOs.
+ */
+
+static void
+bio_write_post (const int status, struct buffer *buf)
+{
+ if (status == 1) /* success status return from bio_write? */
+ {
+ memset (BPTR (buf), 0, BLEN (buf)); /* erase data just written */
+ buf->len = 0;
+ }
+}
+
+static int
+key_state_write_plaintext (struct tls_multi *multi, struct key_state *ks, struct buffer *buf)
+{
+ int ret;
+ perf_push (PERF_BIO_WRITE_PLAINTEXT);
+ ret = bio_write (multi, ks->ssl_bio, BPTR(buf), BLEN(buf), "tls_write_plaintext");
+ bio_write_post (ret, buf);
+ perf_pop ();
+ return ret;
+}
+
+static int
+key_state_write_plaintext_const (struct tls_multi *multi, struct key_state *ks, const uint8_t *data, int len)
+{
+ int ret;
+ perf_push (PERF_BIO_WRITE_PLAINTEXT);
+ ret = bio_write (multi, ks->ssl_bio, data, len, "tls_write_plaintext_const");
+ perf_pop ();
+ return ret;
+}
+
+static int
+key_state_write_ciphertext (struct tls_multi *multi, struct key_state *ks, struct buffer *buf)
+{
+ int ret;
+ perf_push (PERF_BIO_WRITE_CIPHERTEXT);
+ ret = bio_write (multi, ks->ct_in, BPTR(buf), BLEN(buf), "tls_write_ciphertext");
+ bio_write_post (ret, buf);
+ perf_pop ();
+ return ret;
+}
+
+static int
+key_state_read_plaintext (struct tls_multi *multi, struct key_state *ks, struct buffer *buf,
+ int maxlen)
+{
+ int ret;
+ perf_push (PERF_BIO_READ_PLAINTEXT);
+ ret = bio_read (multi, ks->ssl_bio, buf, maxlen, "tls_read_plaintext");
+ perf_pop ();
+ return ret;
+}
+
+static int
+key_state_read_ciphertext (struct tls_multi *multi, struct key_state *ks, struct buffer *buf,
+ int maxlen)
+{
+ int ret;
+ perf_push (PERF_BIO_READ_CIPHERTEXT);
+ ret = bio_read (multi, ks->ct_out, buf, maxlen, "tls_read_ciphertext");
+ perf_pop ();
+ return ret;
+}
+
+/*
+ * Initialize a key_state. Each key_state corresponds to
+ * a specific SSL/TLS session.
+ */
+static void
+key_state_init (struct tls_session *session, struct key_state *ks)
+{
+ update_time ();
+
+ /*
+ * Build TLS object that reads/writes ciphertext
+ * to/from memory BIOs.
+ */
+ CLEAR (*ks);
+
+ ks->ssl = SSL_new (session->opt->ssl_ctx);
+ if (!ks->ssl)
+ msg (M_SSLERR, "SSL_new failed");
+
+ /* put session * in ssl object so we can access it
+ from verify callback*/
+ SSL_set_ex_data (ks->ssl, mydata_index, session);
+
+ ks->ssl_bio = getbio (BIO_f_ssl (), "ssl_bio");
+ ks->ct_in = getbio (BIO_s_mem (), "ct_in");
+ ks->ct_out = getbio (BIO_s_mem (), "ct_out");
+
+#ifdef BIO_DEBUG
+ bio_debug_oc ("open ssl_bio", ks->ssl_bio);
+ bio_debug_oc ("open ct_in", ks->ct_in);
+ bio_debug_oc ("open ct_out", ks->ct_out);
+#endif
+
+ if (session->opt->server)
+ SSL_set_accept_state (ks->ssl);
+ else
+ SSL_set_connect_state (ks->ssl);
+
+ SSL_set_bio (ks->ssl, ks->ct_in, ks->ct_out);
+ BIO_set_ssl (ks->ssl_bio, ks->ssl, BIO_NOCLOSE);
+
+ /* Set control-channel initiation mode */
+ ks->initial_opcode = session->initial_opcode;
+ session->initial_opcode = P_CONTROL_SOFT_RESET_V1;
+ ks->state = S_INITIAL;
+ ks->key_id = session->key_id;
+
+ /*
+ * key_id increments to KEY_ID_MASK then recycles back to 1.
+ * This way you know that if key_id is 0, it is the first key.
+ */
+ ++session->key_id;
+ session->key_id &= P_KEY_ID_MASK;
+ if (!session->key_id)
+ session->key_id = 1;
+
+ /* allocate key source material object */
+ ALLOC_OBJ_CLEAR (ks->key_src, struct key_source2);
+
+ /* allocate reliability objects */
+ ALLOC_OBJ_CLEAR (ks->send_reliable, struct reliable);
+ ALLOC_OBJ_CLEAR (ks->rec_reliable, struct reliable);
+ ALLOC_OBJ_CLEAR (ks->rec_ack, struct reliable_ack);
+
+ /* allocate buffers */
+ ks->plaintext_read_buf = alloc_buf (PLAINTEXT_BUFFER_SIZE);
+ ks->plaintext_write_buf = alloc_buf (PLAINTEXT_BUFFER_SIZE);
+ ks->ack_write_buf = alloc_buf (BUF_SIZE (&session->opt->frame));
+ reliable_init (ks->send_reliable, BUF_SIZE (&session->opt->frame),
+ FRAME_HEADROOM (&session->opt->frame), TLS_RELIABLE_N_SEND_BUFFERS);
+ reliable_init (ks->rec_reliable, BUF_SIZE (&session->opt->frame),
+ FRAME_HEADROOM (&session->opt->frame), TLS_RELIABLE_N_REC_BUFFERS);
+ reliable_set_timeout (ks->send_reliable, session->opt->packet_timeout);
+
+ /* init packet ID tracker */
+ packet_id_init (&ks->packet_id,
+ session->opt->replay_window,
+ session->opt->replay_time);
+}
+
+static void
+key_state_free (struct key_state *ks, bool clear)
+{
+ ks->state = S_UNDEF;
+
+ if (ks->ssl) {
+#ifdef BIO_DEBUG
+ bio_debug_oc ("close ssl_bio", ks->ssl_bio);
+ bio_debug_oc ("close ct_in", ks->ct_in);
+ bio_debug_oc ("close ct_out", ks->ct_out);
+#endif
+ BIO_free_all(ks->ssl_bio);
+ SSL_free (ks->ssl);
+ }
+
+ free_key_ctx_bi (&ks->key);
+ free_buf (&ks->plaintext_read_buf);
+ free_buf (&ks->plaintext_write_buf);
+ free_buf (&ks->ack_write_buf);
+
+ if (ks->send_reliable)
+ {
+ reliable_free (ks->send_reliable);
+ free (ks->send_reliable);
+ }
+
+ if (ks->rec_reliable)
+ {
+ reliable_free (ks->rec_reliable);
+ free (ks->rec_reliable);
+ }
+
+ if (ks->rec_ack)
+ free (ks->rec_ack);
+
+ if (ks->key_src)
+ free (ks->key_src);
+
+ packet_id_free (&ks->packet_id);
+
+ if (clear)
+ CLEAR (*ks);
+}
+
+/*
+ * Must be called if we move a tls_session in memory.
+ */
+static inline void tls_session_set_self_referential_pointers (struct tls_session* session) {
+ session->tls_auth.packet_id = &session->tls_auth_pid;
+}
+
+/*
+ * Initialize a TLS session. A TLS session normally has 2 key_state objects,
+ * one for the current key, and one for the lame duck (i.e. retiring) key.
+ */
+static void
+tls_session_init (struct tls_multi *multi, struct tls_session *session)
+{
+ struct gc_arena gc = gc_new ();
+
+ dmsg (D_TLS_DEBUG, "TLS: tls_session_init: entry");
+
+ CLEAR (*session);
+
+ /* Set options data to point to parent's option structure */
+ session->opt = &multi->opt;
+
+ /* Randomize session # if it is 0 */
+ while (!session_id_defined(&session->session_id))
+ session_id_random (&session->session_id);
+
+ /* Are we a TLS server or client? */
+ ASSERT (session->opt->key_method >= 1);
+ if (session->opt->key_method == 1)
+ {
+ session->initial_opcode = session->opt->server ?
+ P_CONTROL_HARD_RESET_SERVER_V1 : P_CONTROL_HARD_RESET_CLIENT_V1;
+ }
+ else /* session->opt->key_method >= 2 */
+ {
+ session->initial_opcode = session->opt->server ?
+ P_CONTROL_HARD_RESET_SERVER_V2 : P_CONTROL_HARD_RESET_CLIENT_V2;
+ }
+
+ /* Initialize control channel authentication parameters */
+ session->tls_auth = session->opt->tls_auth;
+
+ /* Set session internal pointers (also called if session object is moved in memory) */
+ tls_session_set_self_referential_pointers (session);
+
+ /* initialize packet ID replay window for --tls-auth */
+ packet_id_init (session->tls_auth.packet_id,
+ session->opt->replay_window,
+ session->opt->replay_time);
+
+ /* load most recent packet-id to replay protect on --tls-auth */
+ packet_id_persist_load_obj (session->tls_auth.pid_persist, session->tls_auth.packet_id);
+
+ key_state_init (session, &session->key[KS_PRIMARY]);
+
+ dmsg (D_TLS_DEBUG, "TLS: tls_session_init: new session object, sid=%s",
+ session_id_print (&session->session_id, &gc));
+
+ gc_free (&gc);
+}
+
+static void
+tls_session_free (struct tls_session *session, bool clear)
+{
+ int i;
+
+ if (session->tls_auth.packet_id)
+ packet_id_free (session->tls_auth.packet_id);
+
+ for (i = 0; i < KS_SIZE; ++i)
+ key_state_free (&session->key[i], false);
+
+ if (session->common_name)
+ free (session->common_name);
+
+ if (clear)
+ CLEAR (*session);
+}
+
+static void
+move_session (struct tls_multi* multi, int dest, int src, bool reinit_src)
+{
+ msg (D_TLS_DEBUG_LOW, "TLS: move_session: dest=%s src=%s reinit_src=%d",
+ session_index_name(dest),
+ session_index_name(src),
+ reinit_src);
+ ASSERT (src != dest);
+ ASSERT (src >= 0 && src < TM_SIZE);
+ ASSERT (dest >= 0 && dest < TM_SIZE);
+ tls_session_free (&multi->session[dest], false);
+ multi->session[dest] = multi->session[src];
+ tls_session_set_self_referential_pointers (&multi->session[dest]);
+
+ if (reinit_src)
+ tls_session_init (multi, &multi->session[src]);
+ else
+ CLEAR (multi->session[src]);
+
+ dmsg (D_TLS_DEBUG, "TLS: move_session: exit");
+}
+
+static void
+reset_session (struct tls_multi *multi, struct tls_session *session)
+{
+ tls_session_free (session, false);
+ tls_session_init (multi, session);
+}
+
+#if 0
+/*
+ * Transmit a TLS reset on our untrusted channel.
+ */
+static void
+initiate_untrusted_session (struct tls_multi *multi, struct sockaddr_in *to)
+{
+ struct tls_session *session = &multi->session[TM_UNTRUSTED];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+
+ reset_session (multi, session);
+ ks->remote_addr = *to;
+ msg (D_TLS_DEBUG_LOW, "TLS: initiate_untrusted_session: addr=%s", print_sockaddr (to));
+}
+#endif
+
+/*
+ * Used to determine in how many seconds we should be
+ * called again.
+ */
+static inline void
+compute_earliest_wakeup (interval_t *earliest, interval_t seconds_from_now) {
+ if (seconds_from_now < *earliest)
+ *earliest = seconds_from_now;
+ if (*earliest < 0)
+ *earliest = 0;
+}
+
+/*
+ * Return true if "lame duck" or retiring key has expired and can
+ * no longer be used.
+ */
+static inline bool
+lame_duck_must_die (const struct tls_session* session, interval_t *wakeup)
+{
+ const struct key_state* lame = &session->key[KS_LAME_DUCK];
+ if (lame->state >= S_INITIAL)
+ {
+ const time_t local_now = now;
+ ASSERT (lame->must_die); /* a lame duck key must always have an expiration */
+ if (local_now < lame->must_die)
+ {
+ compute_earliest_wakeup (wakeup, lame->must_die - local_now);
+ return false;
+ }
+ else
+ return true;
+ }
+ else if (lame->state == S_ERROR)
+ return true;
+ else
+ return false;
+}
+
+/*
+ * A tls_multi object fully encapsulates OpenVPN's TLS state.
+ * See ssl.h for more comments.
+ */
+struct tls_multi *
+tls_multi_init (struct tls_options *tls_options)
+{
+ struct tls_multi *ret;
+
+ ALLOC_OBJ_CLEAR (ret, struct tls_multi);
+
+ /* get command line derived options */
+ ret->opt = *tls_options;
+
+ /* set up pointer to HMAC object for TLS packet authentication */
+ ret->opt.tls_auth.key_ctx_bi = &ret->opt.tls_auth_key;
+
+ /* set up list of keys to be scanned by data channel encrypt and decrypt routines */
+ ASSERT (SIZE (ret->key_scan) == 3);
+ ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY];
+ ret->key_scan[1] = &ret->session[TM_ACTIVE].key[KS_LAME_DUCK];
+ ret->key_scan[2] = &ret->session[TM_LAME_DUCK].key[KS_LAME_DUCK];
+
+ return ret;
+}
+
+/*
+ * Finalize our computation of frame sizes.
+ */
+void
+tls_multi_init_finalize (struct tls_multi* multi, const struct frame* frame)
+{
+ tls_init_control_channel_frame_parameters (frame, &multi->opt.frame);
+
+ /* initialize the active and untrusted sessions */
+
+ tls_session_init (multi, &multi->session[TM_ACTIVE]);
+
+ if (!multi->opt.single_session)
+ tls_session_init (multi, &multi->session[TM_UNTRUSTED]);
+}
+
+/*
+ * Initialize and finalize a standalone tls-auth verification object.
+ */
+
+struct tls_auth_standalone *
+tls_auth_standalone_init (struct tls_options *tls_options,
+ struct gc_arena *gc)
+{
+ struct tls_auth_standalone *tas;
+
+ ALLOC_OBJ_CLEAR_GC (tas, struct tls_auth_standalone, gc);
+
+ /* set up pointer to HMAC object for TLS packet authentication */
+ tas->tls_auth_key = tls_options->tls_auth_key;
+ tas->tls_auth_options.key_ctx_bi = &tas->tls_auth_key;
+ tas->tls_auth_options.flags |= CO_PACKET_ID_LONG_FORM;
+
+ /* get initial frame parms, still need to finalize */
+ tas->frame = tls_options->frame;
+
+ return tas;
+}
+
+void
+tls_auth_standalone_finalize (struct tls_auth_standalone *tas,
+ const struct frame *frame)
+{
+ tls_init_control_channel_frame_parameters (frame, &tas->frame);
+}
+
+/*
+ * Set local and remote option compatibility strings.
+ * Used to verify compatibility of local and remote option
+ * sets.
+ */
+void
+tls_multi_init_set_options (struct tls_multi* multi,
+ const char *local,
+ const char *remote)
+{
+#ifdef ENABLE_OCC
+ /* initialize options string */
+ multi->opt.local_options = local;
+ multi->opt.remote_options = remote;
+#endif
+}
+
+void
+tls_multi_free (struct tls_multi *multi, bool clear)
+{
+ int i;
+
+ ASSERT (multi);
+
+ if (multi->locked_cn)
+ free (multi->locked_cn);
+
+ for (i = 0; i < TM_SIZE; ++i)
+ tls_session_free (&multi->session[i], false);
+
+ if (clear)
+ CLEAR (*multi);
+
+ free(multi);
+}
+
+/*
+ * Move a packet authentication HMAC + related fields to or from the front
+ * of the buffer so it can be processed by encrypt/decrypt.
+ */
+
+/*
+ * Dependent on hmac size, opcode size, and session_id size.
+ * Will assert if too small.
+ */
+#define SWAP_BUF_SIZE 256
+
+static bool
+swap_hmac (struct buffer *buf, const struct crypto_options *co, bool incoming)
+{
+ struct key_ctx *ctx;
+
+ ASSERT (co);
+
+ ctx = (incoming ? &co->key_ctx_bi->decrypt : &co->key_ctx_bi->encrypt);
+ ASSERT (ctx->hmac);
+
+ {
+ /* hmac + packet_id (8 bytes) */
+ const int hmac_size = HMAC_size (ctx->hmac) + packet_id_size (true);
+
+ /* opcode + session_id */
+ const int osid_size = 1 + SID_SIZE;
+
+ int e1, e2;
+ uint8_t *b = BPTR (buf);
+ uint8_t buf1[SWAP_BUF_SIZE];
+ uint8_t buf2[SWAP_BUF_SIZE];
+
+ if (incoming)
+ {
+ e1 = osid_size;
+ e2 = hmac_size;
+ }
+ else
+ {
+ e1 = hmac_size;
+ e2 = osid_size;
+ }
+
+ ASSERT (e1 <= SWAP_BUF_SIZE && e2 <= SWAP_BUF_SIZE);
+
+ if (buf->len >= e1 + e2)
+ {
+ memcpy (buf1, b, e1);
+ memcpy (buf2, b + e1, e2);
+ memcpy (b, buf2, e2);
+ memcpy (b + e2, buf1, e1);
+ return true;
+ }
+ else
+ return false;
+ }
+}
+
+#undef SWAP_BUF_SIZE
+
+/*
+ * Write a control channel authentication record.
+ */
+static void
+write_control_auth (struct tls_session *session,
+ struct key_state *ks,
+ struct buffer *buf,
+ struct sockaddr_in *to_link_addr,
+ int opcode,
+ int max_ack,
+ bool prepend_ack)
+{
+ uint8_t *header;
+ struct buffer null = clear_buf ();
+
+ ASSERT (addr_defined (&ks->remote_addr));
+ ASSERT (reliable_ack_write
+ (ks->rec_ack, buf, &ks->session_id_remote, max_ack, prepend_ack));
+ ASSERT (session_id_write_prepend (&session->session_id, buf));
+ ASSERT (header = buf_prepend (buf, 1));
+ *header = ks->key_id | (opcode << P_OPCODE_SHIFT);
+ if (session->tls_auth.key_ctx_bi->encrypt.hmac)
+ {
+ /* no encryption, only write hmac */
+ openvpn_encrypt (buf, null, &session->tls_auth, NULL);
+ ASSERT (swap_hmac (buf, &session->tls_auth, false));
+ }
+ *to_link_addr = ks->remote_addr;
+}
+
+/*
+ * Read a control channel authentication record.
+ */
+static bool
+read_control_auth (struct buffer *buf,
+ const struct crypto_options *co,
+ const struct sockaddr_in *from)
+{
+ struct gc_arena gc = gc_new ();
+
+ if (co->key_ctx_bi->decrypt.hmac)
+ {
+ struct buffer null = clear_buf ();
+
+ /* move the hmac record to the front of the packet */
+ if (!swap_hmac (buf, co, true))
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: cannot locate HMAC in incoming packet from %s",
+ print_sockaddr (from, &gc));
+ gc_free (&gc);
+ return false;
+ }
+
+ /* authenticate only (no decrypt) and remove the hmac record
+ from the head of the buffer */
+ openvpn_decrypt (buf, null, co, NULL);
+ if (!buf->len)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: incoming packet authentication failed from %s",
+ print_sockaddr (from, &gc));
+ gc_free (&gc);
+ return false;
+ }
+
+ }
+
+ /* advance buffer pointer past opcode & session_id since our caller
+ already read it */
+ buf_advance (buf, SID_SIZE + 1);
+
+ gc_free (&gc);
+ return true;
+}
+
+/*
+ * For debugging, print contents of key_source2 structure.
+ */
+
+static void
+key_source_print (const struct key_source *k,
+ const char *prefix)
+{
+ struct gc_arena gc = gc_new ();
+
+ VALGRIND_MAKE_READABLE ((void *)k->pre_master, sizeof (k->pre_master));
+ VALGRIND_MAKE_READABLE ((void *)k->random1, sizeof (k->random1));
+ VALGRIND_MAKE_READABLE ((void *)k->random2, sizeof (k->random2));
+
+ dmsg (D_SHOW_KEY_SOURCE,
+ "%s pre_master: %s",
+ prefix,
+ format_hex (k->pre_master, sizeof (k->pre_master), 0, &gc));
+ dmsg (D_SHOW_KEY_SOURCE,
+ "%s random1: %s",
+ prefix,
+ format_hex (k->random1, sizeof (k->random1), 0, &gc));
+ dmsg (D_SHOW_KEY_SOURCE,
+ "%s random2: %s",
+ prefix,
+ format_hex (k->random2, sizeof (k->random2), 0, &gc));
+
+ gc_free (&gc);
+}
+
+static void
+key_source2_print (const struct key_source2 *k)
+{
+ key_source_print (&k->client, "Client");
+ key_source_print (&k->server, "Server");
+}
+
+/*
+ * Use the TLS PRF function for generating data channel keys.
+ * This code is taken from the OpenSSL library.
+ *
+ * TLS generates keys as such:
+ *
+ * master_secret[48] = PRF(pre_master_secret[48], "master secret",
+ * ClientHello.random[32] + ServerHello.random[32])
+ *
+ * key_block[] = PRF(SecurityParameters.master_secret[48],
+ * "key expansion",
+ * SecurityParameters.server_random[32] +
+ * SecurityParameters.client_random[32]);
+ *
+ * Notes:
+ *
+ * (1) key_block contains a full set of 4 keys.
+ * (2) The pre-master secret is generated by the client.
+ */
+
+static void
+tls1_P_hash(const EVP_MD *md,
+ const uint8_t *sec,
+ int sec_len,
+ const uint8_t *seed,
+ int seed_len,
+ uint8_t *out,
+ int olen)
+{
+ struct gc_arena gc = gc_new ();
+ int chunk,n;
+ unsigned int j;
+ HMAC_CTX ctx;
+ HMAC_CTX ctx_tmp;
+ uint8_t A1[EVP_MAX_MD_SIZE];
+ unsigned int A1_len;
+
+#ifdef ENABLE_DEBUG
+ const int olen_orig = olen;
+ const uint8_t *out_orig = out;
+#endif
+
+ dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash sec: %s", format_hex (sec, sec_len, 0, &gc));
+ dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash seed: %s", format_hex (seed, seed_len, 0, &gc));
+
+ chunk=EVP_MD_size(md);
+
+ HMAC_CTX_init(&ctx);
+ HMAC_CTX_init(&ctx_tmp);
+ HMAC_Init_ex(&ctx,sec,sec_len,md, NULL);
+ HMAC_Init_ex(&ctx_tmp,sec,sec_len,md, NULL);
+ HMAC_Update(&ctx,seed,seed_len);
+ HMAC_Final(&ctx,A1,&A1_len);
+
+ n=0;
+ for (;;)
+ {
+ HMAC_Init_ex(&ctx,NULL,0,NULL,NULL); /* re-init */
+ HMAC_Init_ex(&ctx_tmp,NULL,0,NULL,NULL); /* re-init */
+ HMAC_Update(&ctx,A1,A1_len);
+ HMAC_Update(&ctx_tmp,A1,A1_len);
+ HMAC_Update(&ctx,seed,seed_len);
+
+ if (olen > chunk)
+ {
+ HMAC_Final(&ctx,out,&j);
+ out+=j;
+ olen-=j;
+ HMAC_Final(&ctx_tmp,A1,&A1_len); /* calc the next A1 value */
+ }
+ else /* last one */
+ {
+ HMAC_Final(&ctx,A1,&A1_len);
+ memcpy(out,A1,olen);
+ break;
+ }
+ }
+ HMAC_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&ctx_tmp);
+ CLEAR (A1);
+
+ dmsg (D_SHOW_KEY_SOURCE, "tls1_P_hash out: %s", format_hex (out_orig, olen_orig, 0, &gc));
+ gc_free (&gc);
+}
+
+static void
+tls1_PRF(uint8_t *label,
+ int label_len,
+ const uint8_t *sec,
+ int slen,
+ uint8_t *out1,
+ int olen)
+{
+ struct gc_arena gc = gc_new ();
+ const EVP_MD *md5 = EVP_md5();
+ const EVP_MD *sha1 = EVP_sha1();
+ int len,i;
+ const uint8_t *S1,*S2;
+ uint8_t *out2;
+
+ out2 = (uint8_t *) gc_malloc (olen, false, &gc);
+
+ len=slen/2;
+ S1=sec;
+ S2= &(sec[len]);
+ len+=(slen&1); /* add for odd, make longer */
+
+
+ tls1_P_hash(md5 ,S1,len,label,label_len,out1,olen);
+ tls1_P_hash(sha1,S2,len,label,label_len,out2,olen);
+
+ for (i=0; i<olen; i++)
+ out1[i]^=out2[i];
+
+ memset (out2, 0, olen);
+
+ dmsg (D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex (out1, olen, 0, &gc));
+
+ gc_free (&gc);
+}
+
+static void
+openvpn_PRF (const uint8_t *secret,
+ int secret_len,
+ const char *label,
+ const uint8_t *client_seed,
+ int client_seed_len,
+ const uint8_t *server_seed,
+ int server_seed_len,
+ const struct session_id *client_sid,
+ const struct session_id *server_sid,
+ uint8_t *output,
+ int output_len)
+{
+ /* concatenate seed components */
+
+ struct buffer seed = alloc_buf (strlen (label)
+ + client_seed_len
+ + server_seed_len
+ + SID_SIZE * 2);
+
+ ASSERT (buf_write (&seed, label, strlen (label)));
+ ASSERT (buf_write (&seed, client_seed, client_seed_len));
+ ASSERT (buf_write (&seed, server_seed, server_seed_len));
+
+ if (client_sid)
+ ASSERT (buf_write (&seed, client_sid->id, SID_SIZE));
+ if (server_sid)
+ ASSERT (buf_write (&seed, server_sid->id, SID_SIZE));
+
+ /* compute PRF */
+ tls1_PRF (BPTR(&seed), BLEN(&seed), secret, secret_len, output, output_len);
+
+ buf_clear (&seed);
+ free_buf (&seed);
+
+ VALGRIND_MAKE_READABLE ((void *)output, output_len);
+}
+
+/*
+ * Using source entropy from local and remote hosts, mix into
+ * master key.
+ */
+static bool
+generate_key_expansion (struct key_ctx_bi *key,
+ const struct key_type *key_type,
+ const struct key_source2 *key_src,
+ const struct session_id *client_sid,
+ const struct session_id *server_sid,
+ bool server)
+{
+ uint8_t master[48];
+ struct key2 key2;
+ bool ret = false;
+ int i;
+
+ CLEAR (master);
+ CLEAR (key2);
+
+ /* debugging print of source key material */
+ key_source2_print (key_src);
+
+ /* compute master secret */
+ openvpn_PRF (key_src->client.pre_master,
+ sizeof(key_src->client.pre_master),
+ KEY_EXPANSION_ID " master secret",
+ key_src->client.random1,
+ sizeof(key_src->client.random1),
+ key_src->server.random1,
+ sizeof(key_src->server.random1),
+ NULL,
+ NULL,
+ master,
+ sizeof(master));
+
+ /* compute key expansion */
+ openvpn_PRF (master,
+ sizeof(master),
+ KEY_EXPANSION_ID " key expansion",
+ key_src->client.random2,
+ sizeof(key_src->client.random2),
+ key_src->server.random2,
+ sizeof(key_src->server.random2),
+ client_sid,
+ server_sid,
+ (uint8_t*)key2.keys,
+ sizeof(key2.keys));
+
+ key2.n = 2;
+
+ key2_print (&key2, key_type, "Master Encrypt", "Master Decrypt");
+
+ /* check for weak keys */
+ for (i = 0; i < 2; ++i)
+ {
+ fixup_key (&key2.keys[i], key_type);
+ if (!check_key (&key2.keys[i], key_type))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Bad dynamic key generated");
+ goto exit;
+ }
+ }
+
+ /* Initialize OpenSSL key contexts */
+
+ ASSERT (server == true || server == false);
+
+ init_key_ctx (&key->encrypt,
+ &key2.keys[(int)server],
+ key_type,
+ DO_ENCRYPT,
+ "Data Channel Encrypt");
+
+ init_key_ctx (&key->decrypt,
+ &key2.keys[1-(int)server],
+ key_type,
+ DO_DECRYPT,
+ "Data Channel Decrypt");
+
+ ret = true;
+
+ exit:
+ CLEAR (master);
+ CLEAR (key2);
+
+ return ret;
+}
+
+static bool
+random_bytes_to_buf (struct buffer *buf,
+ uint8_t *out,
+ int outlen)
+{
+ if (!RAND_bytes (out, outlen))
+ msg (M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation [SSL]");
+ if (!buf_write (buf, out, outlen))
+ return false;
+ return true;
+}
+
+static bool
+key_source2_randomize_write (struct key_source2 *k2,
+ struct buffer *buf,
+ bool server)
+{
+ struct key_source *k = &k2->client;
+ if (server)
+ k = &k2->server;
+
+ CLEAR (*k);
+
+ if (!server)
+ {
+ if (!random_bytes_to_buf (buf, k->pre_master, sizeof (k->pre_master)))
+ return false;
+ }
+
+ if (!random_bytes_to_buf (buf, k->random1, sizeof (k->random1)))
+ return false;
+ if (!random_bytes_to_buf (buf, k->random2, sizeof (k->random2)))
+ return false;
+
+ return true;
+}
+
+static int
+key_source2_read (struct key_source2 *k2,
+ struct buffer *buf,
+ bool server)
+{
+ struct key_source *k = &k2->client;
+
+ if (!server)
+ k = &k2->server;
+
+ CLEAR (*k);
+
+ if (server)
+ {
+ if (!buf_read (buf, k->pre_master, sizeof (k->pre_master)))
+ return 0;
+ }
+
+ if (!buf_read (buf, k->random1, sizeof (k->random1)))
+ return 0;
+ if (!buf_read (buf, k->random2, sizeof (k->random2)))
+ return 0;
+
+ return 1;
+}
+
+/*
+ * Macros for key_state_soft_reset & tls_process
+ */
+#define ks (&session->key[KS_PRIMARY]) /* primary key */
+#define ks_lame (&session->key[KS_LAME_DUCK]) /* retiring key */
+
+/* true if no in/out acknowledgements pending */
+#define FULL_SYNC \
+ (reliable_empty(ks->send_reliable) && reliable_ack_empty (ks->rec_ack))
+
+/*
+ * Move the active key to the lame duck key and reinitialize the
+ * active key.
+ */
+static void
+key_state_soft_reset (struct tls_session *session)
+{
+ ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */
+ key_state_free (ks_lame, false);
+ *ks_lame = *ks;
+
+ key_state_init (session, ks);
+ ks->session_id_remote = ks_lame->session_id_remote;
+ ks->remote_addr = ks_lame->remote_addr;
+}
+
+/*
+ * Read/write strings from/to a struct buffer with a u16 length prefix.
+ */
+
+static bool
+write_string (struct buffer *buf, const char *str, const int maxlen)
+{
+ const int len = strlen (str) + 1;
+ if (len < 1 || (maxlen >= 0 && len > maxlen))
+ return false;
+ if (!buf_write_u16 (buf, len))
+ return false;
+ if (!buf_write (buf, str, len))
+ return false;
+ return true;
+}
+
+static bool
+read_string (struct buffer *buf, char *str, const unsigned int capacity)
+{
+ const int len = buf_read_u16 (buf);
+ if (len < 1 || len > (int)capacity)
+ return false;
+ if (!buf_read (buf, str, len))
+ return false;
+ str[len-1] = '\0';
+ return true;
+}
+
+/*
+ * Authenticate a client using username/password.
+ * Runs on server.
+ *
+ * If you want to add new authentication methods,
+ * this is the place to start.
+ */
+
+static bool
+verify_user_pass_script (struct tls_session *session, const struct user_pass *up)
+{
+ struct gc_arena gc = gc_new ();
+ struct buffer cmd = alloc_buf_gc (256, &gc);
+ const char *tmp_file = "";
+ int retval;
+ bool ret = false;
+
+ /* Is username defined? */
+ if (strlen (up->username))
+ {
+ /* Set environmental variables prior to calling script */
+ setenv_str (session->opt->es, "script_type", "user-pass-verify");
+
+ if (session->opt->auth_user_pass_verify_script_via_file)
+ {
+ struct status_output *so;
+
+ tmp_file = create_temp_filename (session->opt->tmp_dir, &gc);
+ so = status_open (tmp_file, 0, -1, NULL, STATUS_OUTPUT_WRITE);
+ status_printf (so, "%s", up->username);
+ status_printf (so, "%s", up->password);
+ if (!status_close (so))
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: could not write username/password to file: %s",
+ tmp_file);
+ goto done;
+ }
+ }
+ else
+ {
+ setenv_str (session->opt->es, "username", up->username);
+ setenv_str (session->opt->es, "password", up->password);
+ }
+
+ /* setenv incoming cert common name for script */
+ setenv_str (session->opt->es, "common_name", session->common_name);
+
+ /* setenv client real IP address */
+ setenv_untrusted (session);
+
+ /* format command line */
+ buf_printf (&cmd, "%s %s", session->opt->auth_user_pass_verify_script, tmp_file);
+
+ /* call command */
+ retval = openvpn_system (BSTR (&cmd), session->opt->es, S_SCRIPT);
+
+ /* test return status of command */
+ if (system_ok (retval))
+ ret = true;
+ else if (!system_executed (retval))
+ msg (D_TLS_ERRORS, "TLS Auth Error: user-pass-verify script failed to execute: %s", BSTR (&cmd));
+
+ if (!session->opt->auth_user_pass_verify_script_via_file)
+ setenv_del (session->opt->es, "password");
+ }
+ else
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: peer provided a blank username");
+ }
+
+ done:
+ if (strlen (tmp_file) > 0)
+ delete_file (tmp_file);
+
+ gc_free (&gc);
+ return ret;
+}
+
+static bool
+verify_user_pass_plugin (struct tls_session *session, const struct user_pass *up, const char *raw_username)
+{
+ int retval;
+ bool ret = false;
+
+ /* Is username defined? */
+ if (strlen (up->username))
+ {
+ /* set username/password in private env space */
+ setenv_str (session->opt->es, "username", raw_username);
+ setenv_str (session->opt->es, "password", up->password);
+
+ /* setenv incoming cert common name for script */
+ setenv_str (session->opt->es, "common_name", session->common_name);
+
+ /* setenv client real IP address */
+ setenv_untrusted (session);
+
+ /* call command */
+ retval = plugin_call (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY, NULL, session->opt->es);
+
+ if (!retval)
+ ret = true;
+
+ setenv_del (session->opt->es, "password");
+ setenv_str (session->opt->es, "username", up->username);
+ }
+ else
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: peer provided a blank username");
+ }
+
+ return ret;
+}
+
+/*
+ * Handle the reading and writing of key data to and from
+ * the TLS control channel (cleartext).
+ */
+
+static bool
+key_method_1_write (struct buffer *buf, struct tls_session *session)
+{
+ struct key key;
+
+ ASSERT (session->opt->key_method == 1);
+ ASSERT (buf_init (buf, 0));
+
+ generate_key_random (&key, &session->opt->key_type);
+ if (!check_key (&key, &session->opt->key_type))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Bad encrypting key generated");
+ return false;
+ }
+
+ if (!write_key (&key, &session->opt->key_type, buf))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: write_key failed");
+ return false;
+ }
+
+ init_key_ctx (&ks->key.encrypt, &key, &session->opt->key_type,
+ DO_ENCRYPT, "Data Channel Encrypt");
+ CLEAR (key);
+
+ /* send local options string */
+ {
+ const char *local_options = local_options_string (session);
+ const int optlen = strlen (local_options) + 1;
+ if (!buf_write (buf, local_options, optlen))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: KM1 write options failed");
+ return false;
+ }
+ }
+
+ return true;
+}
+
+static bool
+key_method_2_write (struct buffer *buf, struct tls_session *session)
+{
+ ASSERT (session->opt->key_method == 2);
+ ASSERT (buf_init (buf, 0));
+
+ /* write a uint32 0 */
+ if (!buf_write_u32 (buf, 0))
+ goto error;
+
+ /* write key_method + flags */
+ if (!buf_write_u8 (buf, (session->opt->key_method & KEY_METHOD_MASK)))
+ goto error;
+
+ /* write key source material */
+ if (!key_source2_randomize_write (ks->key_src, buf, session->opt->server))
+ goto error;
+
+ /* write options string */
+ {
+ if (!write_string (buf, local_options_string (session), TLS_OPTIONS_LEN))
+ goto error;
+ }
+
+ /* write username/password if specified */
+ if (auth_user_pass_enabled)
+ {
+ auth_user_pass_setup (NULL);
+ if (!write_string (buf, auth_user_pass.username, -1))
+ goto error;
+ if (!write_string (buf, auth_user_pass.password, -1))
+ goto error;
+ purge_user_pass (&auth_user_pass, false);
+ }
+
+ /*
+ * generate tunnel keys if server
+ */
+ if (session->opt->server)
+ {
+ if (ks->authenticated)
+ {
+ if (!generate_key_expansion (&ks->key,
+ &session->opt->key_type,
+ ks->key_src,
+ &ks->session_id_remote,
+ &session->session_id,
+ true))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: server generate_key_expansion failed");
+ goto error;
+ }
+ }
+
+ CLEAR (*ks->key_src);
+ }
+
+ return true;
+
+ error:
+ msg (D_TLS_ERRORS, "TLS Error: Key Method #2 write failed");
+ CLEAR (*ks->key_src);
+ return false;
+}
+
+static bool
+key_method_1_read (struct buffer *buf, struct tls_session *session)
+{
+ int status;
+ struct key key;
+
+ ASSERT (session->opt->key_method == 1);
+
+ if (!session->verified)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Certificate verification failed (key-method 1)");
+ goto error;
+ }
+
+ status = read_key (&key, &session->opt->key_type, buf);
+ if (status != 1)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Error reading data channel key from plaintext buffer");
+ goto error;
+ }
+
+ if (!check_key (&key, &session->opt->key_type))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Bad decrypting key received from peer");
+ goto error;
+ }
+
+ if (buf->len < 1)
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Missing options string");
+ goto error;
+ }
+
+#ifdef ENABLE_OCC
+ /* compare received remote options string
+ with our locally computed options string */
+ if (!session->opt->disable_occ &&
+ !options_cmp_equal_safe ((char *) BPTR (buf), session->opt->remote_options, buf->len))
+ {
+ options_warning_safe ((char *) BPTR (buf), session->opt->remote_options, buf->len);
+ }
+#endif
+
+ buf_clear (buf);
+
+ init_key_ctx (&ks->key.decrypt, &key, &session->opt->key_type,
+ DO_DECRYPT, "Data Channel Decrypt");
+ CLEAR (key);
+ ks->authenticated = true;
+ return true;
+
+ error:
+ buf_clear (buf);
+ CLEAR (key);
+ return false;
+}
+
+static bool
+key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_session *session)
+{
+ struct gc_arena gc = gc_new ();
+ int key_method_flags;
+ char *options;
+ struct user_pass *up;
+
+ ASSERT (session->opt->key_method == 2);
+
+ /* allocate temporary objects */
+ ALLOC_ARRAY_CLEAR_GC (options, char, TLS_OPTIONS_LEN, &gc);
+
+ /* discard leading uint32 */
+ ASSERT (buf_advance (buf, 4));
+
+ /* get key method */
+ key_method_flags = buf_read_u8 (buf);
+ if ((key_method_flags & KEY_METHOD_MASK) != 2)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS ERROR: Unknown key_method/flags=%d received from remote host",
+ key_method_flags);
+ goto error;
+ }
+
+ /* get key source material (not actual keys yet) */
+ if (!key_source2_read (ks->key_src, buf, session->opt->server))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Error reading remote data channel key source entropy from plaintext buffer");
+ goto error;
+ }
+
+ /* get options */
+ if (!read_string (buf, options, TLS_OPTIONS_LEN))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Failed to read required OCC options string");
+ goto error;
+ }
+
+ /* should we check username/password? */
+ ks->authenticated = false;
+ if (session->opt->auth_user_pass_verify_script
+ || plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
+ {
+ bool s1 = true;
+ bool s2 = true;
+ char *raw_username;
+
+ /* get username/password from plaintext buffer */
+ ALLOC_OBJ_CLEAR_GC (up, struct user_pass, &gc);
+ if (!read_string (buf, up->username, USER_PASS_LEN)
+ || !read_string (buf, up->password, USER_PASS_LEN))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Auth Username/Password was not provided by peer");
+ CLEAR (*up);
+ goto error;
+ }
+
+ /* preserve raw username before string_mod remapping, for plugins */
+ ALLOC_ARRAY_CLEAR_GC (raw_username, char, USER_PASS_LEN, &gc);
+ strcpy (raw_username, up->username);
+ string_mod (raw_username, CC_PRINT, CC_CRLF, '_');
+
+ /* enforce character class restrictions in username/password */
+ string_mod (up->username, COMMON_NAME_CHAR_CLASS, 0, '_');
+ string_mod (up->password, CC_PRINT, CC_CRLF, '_');
+
+ /* call plugin(s) and/or script */
+ if (plugin_defined (session->opt->plugins, OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY))
+ s1 = verify_user_pass_plugin (session, up, raw_username);
+ if (session->opt->auth_user_pass_verify_script)
+ s2 = verify_user_pass_script (session, up);
+
+ /* auth succeeded? */
+ if (s1 && s2)
+ {
+ ks->authenticated = true;
+ if (session->opt->username_as_common_name)
+ set_common_name (session, up->username);
+ msg (D_HANDSHAKE, "TLS: Username/Password authentication succeeded for username '%s' %s",
+ up->username,
+ session->opt->username_as_common_name ? "[CN SET]" : "");
+ }
+ else
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: Auth Username/Password verification failed for peer");
+ }
+
+ CLEAR (*up);
+ }
+ else
+ {
+ if (!session->verified)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Certificate verification failed (key-method 2)");
+ goto error;
+ }
+ ks->authenticated = true;
+ }
+
+ /* While it shouldn't really happen, don't allow the common name to be NULL */
+ if (!session->common_name)
+ set_common_name (session, "");
+
+ /* Don't allow the CN to change once it's been locked */
+ if (ks->authenticated && multi->locked_cn)
+ {
+ const char *cn = session->common_name;
+ if (cn && strcmp (cn, multi->locked_cn))
+ {
+ msg (D_TLS_ERRORS, "TLS Auth Error: TLS object CN attempted to change from '%s' to '%s' -- tunnel disabled",
+ multi->locked_cn,
+ cn);
+
+ /* change the common name back to its original value and disable the tunnel */
+ set_common_name (session, multi->locked_cn);
+ tls_deauthenticate (multi);
+ }
+ }
+
+ /* verify --client-config-dir based authentication */
+ if (ks->authenticated && session->opt->client_config_dir_exclusive)
+ {
+ const char *cn = session->common_name;
+ const char *path = gen_path (session->opt->client_config_dir_exclusive, cn, &gc);
+ if (!cn || !strcmp (cn, CCD_DEFAULT) || !test_file (path))
+ {
+ ks->authenticated = false;
+ msg (D_TLS_ERRORS, "TLS Auth Error: --client-config-dir authentication failed for common name '%s' file='%s'",
+ session->common_name,
+ path ? path : "UNDEF");
+ }
+ }
+
+#ifdef ENABLE_OCC
+ /* check options consistency */
+ if (!session->opt->disable_occ &&
+ !options_cmp_equal (options, session->opt->remote_options))
+ {
+ options_warning (options, session->opt->remote_options);
+ }
+#endif
+
+ buf_clear (buf);
+
+ /*
+ * generate tunnel keys if client
+ */
+ if (!session->opt->server)
+ {
+ if (!generate_key_expansion (&ks->key,
+ &session->opt->key_type,
+ ks->key_src,
+ &session->session_id,
+ &ks->session_id_remote,
+ false))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: client generate_key_expansion failed");
+ goto error;
+ }
+
+ CLEAR (*ks->key_src);
+ }
+
+ gc_free (&gc);
+ return true;
+
+ error:
+ CLEAR (*ks->key_src);
+ buf_clear (buf);
+ gc_free (&gc);
+ return false;
+}
+
+/*
+ * This is the primary routine for processing TLS stuff inside the
+ * the main event loop. When this routine exits
+ * with non-error status, it will set *wakeup to the number of seconds
+ * when it wants to be called again.
+ *
+ * Return value is true if we have placed a packet in *to_link which we
+ * want to send to our peer.
+ */
+static bool
+tls_process (struct tls_multi *multi,
+ struct tls_session *session,
+ struct buffer *to_link,
+ struct sockaddr_in *to_link_addr,
+ struct link_socket_info *to_link_socket_info,
+ interval_t *wakeup)
+{
+ struct gc_arena gc = gc_new ();
+ struct buffer *buf;
+ bool state_change = false;
+ bool active = false;
+
+ /* Make sure we were initialized and that we're not in an error state */
+ ASSERT (ks->state != S_UNDEF);
+ ASSERT (ks->state != S_ERROR);
+ ASSERT (session_id_defined (&session->session_id));
+
+ /* Should we trigger a soft reset? -- new key, keeps old key for a while */
+ if (ks->state >= S_ACTIVE &&
+ ((session->opt->renegotiate_seconds
+ && now >= ks->established + session->opt->renegotiate_seconds)
+ || (session->opt->renegotiate_bytes
+ && ks->n_bytes >= session->opt->renegotiate_bytes)
+ || (session->opt->renegotiate_packets
+ && ks->n_packets >= session->opt->renegotiate_packets)
+ || (packet_id_close_to_wrapping (&ks->packet_id.send))))
+ {
+ msg (D_TLS_DEBUG_LOW, "TLS: soft reset sec=%d bytes=%d/%d pkts=%d/%d",
+ (int)(ks->established + session->opt->renegotiate_seconds - now),
+ ks->n_bytes, session->opt->renegotiate_bytes,
+ ks->n_packets, session->opt->renegotiate_packets);
+ key_state_soft_reset (session);
+ }
+
+ /* Kill lame duck key transition_window seconds after primary key negotiation */
+ if (lame_duck_must_die (session, wakeup)) {
+ key_state_free (ks_lame, true);
+ msg (D_TLS_DEBUG_LOW, "TLS: tls_process: killed expiring key");
+ }
+
+ /*mutex_cycle (multi->mutex);*/
+
+ do
+ {
+ update_time ();
+
+ dmsg (D_TLS_DEBUG, "TLS: tls_process: chg=%d ks=%s lame=%s to_link->len=%d wakeup=%d",
+ state_change,
+ state_name (ks->state),
+ state_name (ks_lame->state),
+ to_link->len,
+ *wakeup);
+
+ state_change = false;
+
+ /*
+ * TLS activity is finished once we get to S_ACTIVE,
+ * though we will still process acknowledgements.
+ *
+ * CHANGED with 2.0 -> now we may send tunnel configuration
+ * info over the control channel.
+ */
+ if (true)
+ {
+ /* Initial handshake */
+ if (ks->state == S_INITIAL)
+ {
+ buf = reliable_get_buf_output_sequenced (ks->send_reliable);
+ if (buf)
+ {
+ ks->must_negotiate = now + session->opt->handshake_window;
+
+ /* null buffer */
+ reliable_mark_active_outgoing (ks->send_reliable, buf, ks->initial_opcode);
+ INCR_GENERATED;
+
+ ks->state = S_PRE_START;
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "TLS: Initial Handshake, sid=%s",
+ session_id_print (&session->session_id, &gc));
+
+#ifdef ENABLE_MANAGEMENT
+ if (management && ks->initial_opcode != P_CONTROL_SOFT_RESET_V1)
+ {
+ management_set_state (management,
+ OPENVPN_STATE_WAIT,
+ NULL,
+ 0);
+ }
+#endif
+ }
+ }
+
+ /* Are we timed out on receive? */
+ if (now >= ks->must_negotiate)
+ {
+ if (ks->state < S_ACTIVE)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: TLS key negotiation failed to occur within %d seconds (check your network connectivity)",
+ session->opt->handshake_window);
+ goto error;
+ }
+ else /* assume that ks->state == S_ACTIVE */
+ {
+ dmsg (D_TLS_DEBUG_MED, "STATE S_NORMAL");
+ ks->state = S_NORMAL;
+ ks->must_negotiate = 0;
+ }
+ }
+
+ /* Wait for Initial Handshake ACK */
+ if (ks->state == S_PRE_START && FULL_SYNC)
+ {
+ ks->state = S_START;
+ state_change = true;
+ dmsg (D_TLS_DEBUG_MED, "STATE S_START");
+ }
+
+ /* Wait for ACK */
+ if (((ks->state == S_GOT_KEY && !session->opt->server) ||
+ (ks->state == S_SENT_KEY && session->opt->server)))
+ {
+ if (FULL_SYNC)
+ {
+ ks->established = now;
+ dmsg (D_TLS_DEBUG_MED, "STATE S_ACTIVE");
+ if (check_debug_level (D_HANDSHAKE))
+ print_details (ks->ssl, "Control Channel:");
+ state_change = true;
+ ks->state = S_ACTIVE;
+ INCR_SUCCESS;
+
+ /* Set outgoing address for data channel packets */
+ link_socket_set_outgoing_addr (NULL, to_link_socket_info, &ks->remote_addr, session->common_name, session->opt->es);
+
+#ifdef MEASURE_TLS_HANDSHAKE_STATS
+ show_tls_performance_stats();
+#endif
+ }
+ }
+
+ /* Reliable buffer to outgoing TCP/UDP (send up to CONTROL_SEND_ACK_MAX ACKs
+ for previously received packets) */
+ if (!to_link->len && reliable_can_send (ks->send_reliable))
+ {
+ int opcode;
+ struct buffer b;
+
+ buf = reliable_send (ks->send_reliable, &opcode);
+ ASSERT (buf);
+ b = *buf;
+ INCR_SENT;
+
+ write_control_auth (session, ks, &b, to_link_addr, opcode,
+ CONTROL_SEND_ACK_MAX, true);
+ *to_link = b;
+ active = true;
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Reliable -> TCP/UDP");
+ break;
+ }
+
+#ifndef TLS_AGGREGATE_ACK
+ /* Send 1 or more ACKs (each received control packet gets one ACK) */
+ if (!to_link->len && !reliable_ack_empty (ks->rec_ack))
+ {
+ buf = &ks->ack_write_buf;
+ ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame)));
+ write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1,
+ RELIABLE_ACK_SIZE, false);
+ *to_link = *buf;
+ active = true;
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
+ break;
+ }
+#endif
+
+ /* Write incoming ciphertext to TLS object */
+ buf = reliable_get_buf_sequenced (ks->rec_reliable);
+ if (buf)
+ {
+ int status = 0;
+ if (buf->len)
+ {
+ status = key_state_write_ciphertext (multi, ks, buf);
+ if (status == -1)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Incoming Ciphertext -> TLS object write error");
+ goto error;
+ }
+ }
+ else
+ {
+ status = 1;
+ }
+ if (status == 1)
+ {
+ reliable_mark_deleted (ks->rec_reliable, buf, true);
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Incoming Ciphertext -> TLS");
+ }
+ }
+
+ /* Read incoming plaintext from TLS object */
+ buf = &ks->plaintext_read_buf;
+ if (!buf->len)
+ {
+ int status;
+
+ ASSERT (buf_init (buf, 0));
+ status = key_state_read_plaintext (multi, ks, buf, PLAINTEXT_BUFFER_SIZE);
+ update_time ();
+ if (status == -1)
+ {
+ msg (D_TLS_ERRORS, "TLS Error: TLS object -> incoming plaintext read error");
+ goto error;
+ }
+ if (status == 1)
+ {
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "TLS -> Incoming Plaintext");
+ }
+#if 0 /* show null plaintext reads */
+ if (!status)
+ msg (M_INFO, "TLS plaintext read -> NULL return");
+#endif
+ }
+
+ /* Send Key */
+ buf = &ks->plaintext_write_buf;
+ if (!buf->len && ((ks->state == S_START && !session->opt->server) ||
+ (ks->state == S_GOT_KEY && session->opt->server)))
+ {
+ if (session->opt->key_method == 1)
+ {
+ if (!key_method_1_write (buf, session))
+ goto error;
+ }
+ else if (session->opt->key_method == 2)
+ {
+ if (!key_method_2_write (buf, session))
+ goto error;
+ }
+ else
+ {
+ ASSERT (0);
+ }
+
+ state_change = true;
+ dmsg (D_TLS_DEBUG_MED, "STATE S_SENT_KEY");
+ ks->state = S_SENT_KEY;
+ }
+
+ /* Receive Key */
+ buf = &ks->plaintext_read_buf;
+ if (buf->len
+ && ((ks->state == S_SENT_KEY && !session->opt->server)
+ || (ks->state == S_START && session->opt->server)))
+ {
+ if (session->opt->key_method == 1)
+ {
+ if (!key_method_1_read (buf, session))
+ goto error;
+ }
+ else if (session->opt->key_method == 2)
+ {
+ if (!key_method_2_read (buf, multi, session))
+ goto error;
+ }
+ else
+ {
+ ASSERT (0);
+ }
+
+ state_change = true;
+ dmsg (D_TLS_DEBUG_MED, "STATE S_GOT_KEY");
+ ks->state = S_GOT_KEY;
+ }
+
+ /* Write outgoing plaintext to TLS object */
+ buf = &ks->plaintext_write_buf;
+ if (buf->len)
+ {
+ int status = key_state_write_plaintext (multi, ks, buf);
+ if (status == -1)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS ERROR: Outgoing Plaintext -> TLS object write error");
+ goto error;
+ }
+ if (status == 1)
+ {
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Outgoing Plaintext -> TLS");
+ }
+ }
+
+ /* Outgoing Ciphertext to reliable buffer */
+ if (ks->state >= S_START)
+ {
+ buf = reliable_get_buf_output_sequenced (ks->send_reliable);
+ if (buf)
+ {
+ int status = key_state_read_ciphertext (multi, ks, buf, PAYLOAD_SIZE_DYNAMIC (&multi->opt.frame));
+ if (status == -1)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Ciphertext -> reliable TCP/UDP transport read error");
+ goto error;
+ }
+ if (status == 1)
+ {
+ reliable_mark_active_outgoing (ks->send_reliable, buf, P_CONTROL_V1);
+ INCR_GENERATED;
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Outgoing Ciphertext -> Reliable");
+ }
+ }
+ }
+ }
+ /*mutex_cycle (multi->mutex);*/
+ }
+ while (state_change);
+
+ update_time ();
+
+#ifdef TLS_AGGREGATE_ACK
+ /* Send 1 or more ACKs (each received control packet gets one ACK) */
+ if (!to_link->len && !reliable_ack_empty (ks->rec_ack))
+ {
+ buf = &ks->ack_write_buf;
+ ASSERT (buf_init (buf, FRAME_HEADROOM (&multi->opt.frame)));
+ write_control_auth (session, ks, buf, to_link_addr, P_ACK_V1,
+ RELIABLE_ACK_SIZE, false);
+ *to_link = *buf;
+ active = true;
+ state_change = true;
+ dmsg (D_TLS_DEBUG, "Dedicated ACK -> TCP/UDP");
+ }
+#endif
+
+ /* When should we wake up again? */
+ {
+ if (ks->state >= S_INITIAL)
+ {
+ compute_earliest_wakeup (wakeup,
+ reliable_send_timeout (ks->send_reliable));
+
+ if (ks->must_negotiate)
+ compute_earliest_wakeup (wakeup, ks->must_negotiate - now);
+ }
+
+ if (ks->established && session->opt->renegotiate_seconds)
+ compute_earliest_wakeup (wakeup,
+ ks->established + session->opt->renegotiate_seconds - now);
+
+ /* prevent event-loop spinning by setting minimum wakeup of 1 second */
+ if (*wakeup <= 0)
+ {
+ *wakeup = 1;
+
+ /* if we had something to send to remote, but to_link was busy,
+ let caller know we need to be called again soon */
+ active = true;
+ }
+
+ dmsg (D_TLS_DEBUG, "TLS: tls_process: timeout set to %d", *wakeup);
+
+ gc_free (&gc);
+ return active;
+ }
+
+error:
+ ERR_clear_error ();
+ ks->state = S_ERROR;
+ msg (D_TLS_ERRORS, "TLS Error: TLS handshake failed");
+ INCR_ERROR;
+ gc_free (&gc);
+ return false;
+}
+
+#undef ks
+#undef ks_lame
+
+/*
+ * Called by the top-level event loop.
+ *
+ * Basically decides if we should call tls_process for
+ * the active or untrusted sessions.
+ */
+
+bool
+tls_multi_process (struct tls_multi *multi,
+ struct buffer *to_link,
+ struct sockaddr_in *to_link_addr,
+ struct link_socket_info *to_link_socket_info,
+ interval_t *wakeup)
+{
+ struct gc_arena gc = gc_new ();
+ int i;
+ bool active = false;
+ bool error = false;
+
+ perf_push (PERF_TLS_MULTI_PROCESS);
+
+ ERR_clear_error ();
+
+ /*
+ * Process each session object having state of S_INITIAL or greater,
+ * and which has a defined remote IP addr.
+ */
+
+ for (i = 0; i < TM_SIZE; ++i)
+ {
+ struct tls_session *session = &multi->session[i];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+ struct key_state *ks_lame = &session->key[KS_LAME_DUCK];
+
+ /* set initial remote address */
+ if (i == TM_ACTIVE && ks->state == S_INITIAL &&
+ addr_defined (&to_link_socket_info->lsa->actual))
+ ks->remote_addr = to_link_socket_info->lsa->actual;
+
+ dmsg (D_TLS_DEBUG,
+ "TLS: tls_multi_process: i=%d state=%s, mysid=%s, stored-sid=%s, stored-ip=%s",
+ i,
+ state_name (ks->state),
+ session_id_print (&session->session_id, &gc),
+ session_id_print (&ks->session_id_remote, &gc),
+ print_sockaddr (&ks->remote_addr, &gc));
+
+ if (ks->state >= S_INITIAL && addr_defined (&ks->remote_addr))
+ {
+ update_time ();
+
+ if (tls_process (multi, session, to_link, to_link_addr,
+ to_link_socket_info, wakeup))
+ active = true;
+
+ /*
+ * If tls_process hits an error:
+ * (1) If the session has an unexpired lame duck key, preserve it.
+ * (2) Reinitialize the session.
+ * (3) Increment soft error count
+ */
+ if (ks->state == S_ERROR)
+ {
+ ++multi->n_soft_errors;
+
+ if (i == TM_ACTIVE)
+ error = true;
+
+ if (i == TM_ACTIVE
+ && ks_lame->state >= S_ACTIVE
+ && !multi->opt.single_session)
+ move_session (multi, TM_LAME_DUCK, TM_ACTIVE, true);
+ else
+ reset_session (multi, session);
+ }
+ }
+ /*mutex_cycle (multi->mutex);*/
+ }
+
+ update_time ();
+
+ /*
+ * If lame duck session expires, kill it.
+ */
+ if (lame_duck_must_die (&multi->session[TM_LAME_DUCK], wakeup)) {
+ tls_session_free (&multi->session[TM_LAME_DUCK], true);
+ msg (D_TLS_DEBUG_LOW, "TLS: tls_multi_process: killed expiring key");
+ }
+
+ /*
+ * If untrusted session achieves TLS authentication,
+ * move it to active session, usurping any prior session.
+ *
+ * A semi-trusted session is one in which the certificate authentication
+ * succeeded (if cert verification is enabled) but the username/password
+ * verification failed. A semi-trusted session can forward data on the
+ * TLS control channel but not on the tunnel channel.
+ */
+ if (DECRYPT_KEY_ENABLED (multi, &multi->session[TM_UNTRUSTED].key[KS_PRIMARY])) {
+ move_session (multi, TM_ACTIVE, TM_UNTRUSTED, true);
+ msg (D_TLS_DEBUG_LOW, "TLS: tls_multi_process: untrusted session promoted to %strusted",
+ tls_authenticated (multi) ? "" : "semi-");
+ }
+
+ /*
+ * A hard error means that TM_ACTIVE hit an S_ERROR state and that no
+ * other key state objects are S_ACTIVE or higher.
+ */
+ if (error)
+ {
+ for (i = 0; i < (int) SIZE (multi->key_scan); ++i)
+ {
+ if (multi->key_scan[i]->state >= S_ACTIVE)
+ goto nohard;
+ }
+ ++multi->n_hard_errors;
+ }
+ nohard:
+
+#ifdef ENABLE_DEBUG
+ /* DEBUGGING -- flood peer with repeating connection attempts */
+ {
+ const int throw_level = GREMLIN_CONNECTION_FLOOD_LEVEL (multi->opt.gremlin);
+ if (throw_level)
+ {
+ for (i = 0; i < (int) SIZE (multi->key_scan); ++i)
+ {
+ if (multi->key_scan[i]->state >= throw_level)
+ {
+ ++multi->n_hard_errors;
+ ++multi->n_soft_errors;
+ }
+ }
+ }
+ }
+#endif
+
+ perf_pop ();
+ gc_free (&gc);
+ return active;
+}
+
+/*
+ * Pre and post-process the encryption & decryption buffers in order
+ * to implement a multiplexed TLS channel over the TCP/UDP port.
+ */
+
+/*
+ *
+ * When we are in TLS mode, this is the first routine which sees
+ * an incoming packet.
+ *
+ * If it's a data packet, we set opt so that our caller can
+ * decrypt it. We also give our caller the appropriate decryption key.
+ *
+ * If it's a control packet, we authenticate it and process it,
+ * possibly creating a new tls_session if it represents the
+ * first packet of a new session. For control packets, we will
+ * also zero the size of *buf so that our caller ignores the
+ * packet on our return.
+ *
+ * Note that openvpn only allows one active session at a time,
+ * so a new session (once authenticated) will always usurp
+ * an old session.
+ *
+ * Return true if input was an authenticated control channel
+ * packet.
+ *
+ * If we are running in TLS thread mode, all public routines
+ * below this point must be called with the L_TLS lock held.
+ */
+
+bool
+tls_pre_decrypt (struct tls_multi *multi,
+ struct sockaddr_in *from,
+ struct buffer *buf,
+ struct crypto_options *opt)
+{
+ struct gc_arena gc = gc_new ();
+ bool ret = false;
+
+ if (buf->len > 0)
+ {
+ int i;
+ int op;
+ int key_id;
+
+ /* get opcode and key ID */
+ {
+ uint8_t c = *BPTR (buf);
+ op = c >> P_OPCODE_SHIFT;
+ key_id = c & P_KEY_ID_MASK;
+ }
+
+ if (op == P_DATA_V1)
+ { /* data channel packet */
+ for (i = 0; i < KEY_SCAN_SIZE; ++i)
+ {
+ struct key_state *ks = multi->key_scan[i];
+
+ /*
+ * This is the basic test of TLS state compatibility between a local OpenVPN
+ * instance and its remote peer.
+ *
+ * If the test fails, it tells us that we are getting a packet from a source
+ * which claims reference to a prior negotiated TLS session, but the local
+ * OpenVPN instance has no memory of such a negotiation.
+ *
+ * It almost always occurs on UDP sessions when the passive side of the
+ * connection is restarted without the active side restarting as well (the
+ * passive side is the server which only listens for the connections, the
+ * active side is the client which initiates connections).
+ */
+ if (DECRYPT_KEY_ENABLED (multi, ks)
+ && key_id == ks->key_id
+ && ks->authenticated
+ && addr_port_match(from, &ks->remote_addr))
+ {
+ /* return appropriate data channel decrypt key in opt */
+ opt->key_ctx_bi = &ks->key;
+ opt->packet_id = multi->opt.replay ? &ks->packet_id : NULL;
+ opt->pid_persist = NULL;
+ opt->flags &= multi->opt.crypto_flags_and;
+ opt->flags |= multi->opt.crypto_flags_or;
+ ASSERT (buf_advance (buf, 1));
+ ++ks->n_packets;
+ ks->n_bytes += buf->len;
+ dmsg (D_TLS_DEBUG,
+ "TLS: data channel, key_id=%d, IP=%s",
+ key_id, print_sockaddr (from, &gc));
+ gc_free (&gc);
+ return ret;
+ }
+#if 0 /* keys out of sync? */
+ else
+ {
+ dmsg (D_TLS_DEBUG, "TLS_PRE_DECRYPT: [%d] dken=%d rkid=%d lkid=%d auth=%d match=%d",
+ i,
+ DECRYPT_KEY_ENABLED (multi, ks),
+ key_id,
+ ks->key_id,
+ ks->authenticated,
+ addr_port_match (from, &ks->remote_addr));
+ }
+#endif
+ }
+
+ msg (D_TLS_ERRORS,
+ "TLS Error: local/remote TLS keys are out of sync: %s [%d]",
+ print_sockaddr (from, &gc), key_id);
+ goto error;
+ }
+ else /* control channel packet */
+ {
+ bool do_burst = false;
+ bool new_link = false;
+ struct session_id sid; /* remote session ID */
+
+ /* verify legal opcode */
+ if (op < P_FIRST_OPCODE || op > P_LAST_OPCODE)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: unknown opcode received from %s op=%d",
+ print_sockaddr (from, &gc), op);
+ goto error;
+ }
+
+ /* hard reset ? */
+ if (is_hard_reset (op, 0))
+ {
+ /* verify client -> server or server -> client connection */
+ if (((op == P_CONTROL_HARD_RESET_CLIENT_V1
+ || op == P_CONTROL_HARD_RESET_CLIENT_V2) && !multi->opt.server)
+ || ((op == P_CONTROL_HARD_RESET_SERVER_V1
+ || op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server))
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: client->client or server->server connection attempted from %s",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+ }
+
+ /*
+ * Authenticate Packet
+ */
+ dmsg (D_TLS_DEBUG, "TLS: control channel, op=%s, IP=%s",
+ packet_opcode_name (op), print_sockaddr (from, &gc));
+
+ /* get remote session-id */
+ {
+ struct buffer tmp = *buf;
+ buf_advance (&tmp, 1);
+ if (!session_id_read (&sid, &tmp) || !session_id_defined (&sid))
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: session-id not found in packet from %s",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+ }
+
+ /* use session ID to match up packet with appropriate tls_session object */
+ for (i = 0; i < TM_SIZE; ++i)
+ {
+ struct tls_session *session = &multi->session[i];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+
+ dmsg (D_TLS_DEBUG,
+ "TLS: initial packet test, i=%d state=%s, mysid=%s, rec-sid=%s, rec-ip=%s, stored-sid=%s, stored-ip=%s",
+ i,
+ state_name (ks->state),
+ session_id_print (&session->session_id, &gc),
+ session_id_print (&sid, &gc),
+ print_sockaddr (from, &gc),
+ session_id_print (&ks->session_id_remote, &gc),
+ print_sockaddr (&ks->remote_addr, &gc));
+
+ if (session_id_equal (&ks->session_id_remote, &sid))
+ /* found a match */
+ {
+ if (i == TM_LAME_DUCK) {
+ msg (D_TLS_ERRORS,
+ "TLS ERROR: received control packet with stale session-id=%s",
+ session_id_print (&sid, &gc));
+ goto error;
+ }
+ dmsg (D_TLS_DEBUG,
+ "TLS: found match, session[%d], sid=%s",
+ i, session_id_print (&sid, &gc));
+ break;
+ }
+ }
+
+ /*
+ * Initial packet received.
+ */
+
+ if (i == TM_SIZE && is_hard_reset (op, 0))
+ {
+ struct tls_session *session = &multi->session[TM_ACTIVE];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+
+ if (!is_hard_reset (op, multi->opt.key_method))
+ {
+ msg (D_TLS_ERRORS, "TLS ERROR: initial packet local/remote key_method mismatch, local key_method=%d, op=%s",
+ multi->opt.key_method,
+ packet_opcode_name (op));
+ goto error;
+ }
+
+ /*
+ * If we have no session currently in progress, the initial packet will
+ * open a new session in TM_ACTIVE rather than TM_UNTRUSTED.
+ */
+ if (!session_id_defined (&ks->session_id_remote))
+ {
+ if (multi->opt.single_session && multi->n_sessions)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Cannot accept new session request from %s due to --single-session [1]",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+
+#ifdef ENABLE_MANAGEMENT
+ if (management)
+ {
+ management_set_state (management,
+ OPENVPN_STATE_AUTH,
+ NULL,
+ 0);
+ }
+#endif
+
+ msg (D_TLS_DEBUG_LOW,
+ "TLS: Initial packet from %s, sid=%s",
+ print_sockaddr (from, &gc),
+ session_id_print (&sid, &gc));
+
+ do_burst = true;
+ new_link = true;
+ i = TM_ACTIVE;
+ session->untrusted_sockaddr = *from;
+ }
+ }
+
+ if (i == TM_SIZE && is_hard_reset (op, 0))
+ {
+ /*
+ * No match with existing sessions,
+ * probably a new session.
+ */
+ struct tls_session *session = &multi->session[TM_UNTRUSTED];
+
+ /*
+ * If --single-session, don't allow any hard-reset connection request
+ * unless it the the first packet of the session.
+ */
+ if (multi->opt.single_session)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Cannot accept new session request from %s due to --single-session [2]",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+
+ if (!is_hard_reset (op, multi->opt.key_method))
+ {
+ msg (D_TLS_ERRORS, "TLS ERROR: new session local/remote key_method mismatch, local key_method=%d, op=%s",
+ multi->opt.key_method,
+ packet_opcode_name (op));
+ goto error;
+ }
+
+ if (!read_control_auth (buf, &session->tls_auth, from))
+ goto error;
+
+ /*
+ * New session-initiating control packet is authenticated at this point,
+ * assuming that the --tls-auth command line option was used.
+ *
+ * Without --tls-auth, we leave authentication entirely up to TLS.
+ */
+ msg (D_TLS_DEBUG_LOW,
+ "TLS: new session incoming connection from %s",
+ print_sockaddr (from, &gc));
+
+ new_link = true;
+ i = TM_UNTRUSTED;
+ session->untrusted_sockaddr = *from;
+ }
+ else
+ {
+ struct tls_session *session = &multi->session[i];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+
+ /*
+ * Packet must belong to an existing session.
+ */
+ if (i != TM_ACTIVE && i != TM_UNTRUSTED)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Unroutable control packet received from %s (si=%d op=%s)",
+ print_sockaddr (from, &gc),
+ i,
+ packet_opcode_name (op));
+ goto error;
+ }
+
+ /*
+ * Verify remote IP address
+ */
+ if (!new_link && !addr_port_match (&ks->remote_addr, from))
+ {
+ msg (D_TLS_ERRORS, "TLS Error: Received control packet from unexpected IP addr: %s",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+
+ /*
+ * Remote is requesting a key renegotiation
+ */
+ if (op == P_CONTROL_SOFT_RESET_V1
+ && DECRYPT_KEY_ENABLED (multi, ks))
+ {
+ if (!read_control_auth (buf, &session->tls_auth, from))
+ goto error;
+
+ key_state_soft_reset (session);
+
+ dmsg (D_TLS_DEBUG,
+ "TLS: received P_CONTROL_SOFT_RESET_V1 s=%d sid=%s",
+ i, session_id_print (&sid, &gc));
+ }
+ else
+ {
+ /*
+ * Remote responding to our key renegotiation request?
+ */
+ if (op == P_CONTROL_SOFT_RESET_V1)
+ do_burst = true;
+
+ if (!read_control_auth (buf, &session->tls_auth, from))
+ goto error;
+
+ dmsg (D_TLS_DEBUG,
+ "TLS: received control channel packet s#=%d sid=%s",
+ i, session_id_print (&sid, &gc));
+ }
+ }
+
+ /*
+ * We have an authenticated packet (if --tls-auth was set).
+ * Now pass to our reliability level which deals with
+ * packet acknowledgements, retransmits, sequencing, etc.
+ */
+ {
+ struct tls_session *session = &multi->session[i];
+ struct key_state *ks = &session->key[KS_PRIMARY];
+
+ /* Make sure we were initialized and that we're not in an error state */
+ ASSERT (ks->state != S_UNDEF);
+ ASSERT (ks->state != S_ERROR);
+ ASSERT (session_id_defined (&session->session_id));
+
+ /* Let our caller know we processed a control channel packet */
+ ret = true;
+
+ /*
+ * Set our remote address and remote session_id
+ */
+ if (new_link)
+ {
+ ks->session_id_remote = sid;
+ ks->remote_addr = *from;
+ ++multi->n_sessions;
+ }
+ else if (!addr_port_match (&ks->remote_addr, from))
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: Existing session control channel packet from unknown IP address: %s",
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+
+ /*
+ * Should we do a retransmit of all unacknowledged packets in
+ * the send buffer? This improves the start-up efficiency of the
+ * initial key negotiation after the 2nd peer comes online.
+ */
+ if (do_burst && !session->burst)
+ {
+ reliable_schedule_now (ks->send_reliable);
+ session->burst = true;
+ }
+
+ /* Check key_id */
+ if (ks->key_id != key_id)
+ {
+ msg (D_TLS_ERRORS,
+ "TLS ERROR: local/remote key IDs out of sync (%d/%d) ID: %s",
+ ks->key_id, key_id, print_key_id (multi, &gc));
+ goto error;
+ }
+
+ /*
+ * Process incoming ACKs for packets we can now
+ * delete from reliable send buffer
+ */
+ {
+ /* buffers all packet IDs to delete from send_reliable */
+ struct reliable_ack send_ack;
+
+ send_ack.len = 0;
+ if (!reliable_ack_read (&send_ack, buf, &session->session_id))
+ {
+ msg (D_TLS_ERRORS,
+ "TLS Error: reading acknowledgement record from packet");
+ goto error;
+ }
+ reliable_send_purge (ks->send_reliable, &send_ack);
+ }
+
+ if (op != P_ACK_V1 && reliable_can_get (ks->rec_reliable))
+ {
+ packet_id_type id;
+
+ /* Extract the packet ID from the packet */
+ if (reliable_ack_read_packet_id (buf, &id))
+ {
+ /* Avoid deadlock by rejecting packet that would de-sequentialize receive buffer */
+ if (reliable_wont_break_sequentiality (ks->rec_reliable, id))
+ {
+ if (reliable_not_replay (ks->rec_reliable, id))
+ {
+ /* Save incoming ciphertext packet to reliable buffer */
+ struct buffer *in = reliable_get_buf (ks->rec_reliable);
+ ASSERT (in);
+ ASSERT (buf_copy (in, buf));
+ reliable_mark_active_incoming (ks->rec_reliable, in, id, op);
+ }
+
+ /* Process outgoing acknowledgment for packet just received, even if it's a replay */
+ reliable_ack_acknowledge_packet_id (ks->rec_ack, id);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ done:
+ buf->len = 0;
+ opt->key_ctx_bi = NULL;
+ opt->packet_id = NULL;
+ opt->pid_persist = NULL;
+ opt->flags &= multi->opt.crypto_flags_and;
+ gc_free (&gc);
+ return ret;
+
+ error:
+ ERR_clear_error ();
+ ++multi->n_soft_errors;
+ goto done;
+}
+
+/*
+ * This function is similar to tls_pre_decrypt, except it is called
+ * when we are in server mode and receive an initial incoming
+ * packet. Note that we don't modify
+ * any state in our parameter objects. The purpose is solely to
+ * determine whether we should generate a client instance
+ * object, in which case true is returned.
+ *
+ * This function is essentially the first-line HMAC firewall
+ * on the UDP port listener in --mode server mode.
+ */
+bool
+tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
+ const struct sockaddr_in *from,
+ const struct buffer *buf)
+{
+ struct gc_arena gc = gc_new ();
+ bool ret = false;
+
+ if (buf->len > 0)
+ {
+ int op;
+ int key_id;
+
+ /* get opcode and key ID */
+ {
+ uint8_t c = *BPTR (buf);
+ op = c >> P_OPCODE_SHIFT;
+ key_id = c & P_KEY_ID_MASK;
+ }
+
+ /* this packet is from an as-yet untrusted source, so
+ scrutinize carefully */
+
+ if (op != P_CONTROL_HARD_RESET_CLIENT_V2)
+ {
+ /*
+ * This can occur due to bogus data or DoS packets.
+ */
+ dmsg (D_TLS_STATE_ERRORS,
+ "TLS State Error: No TLS state for client %s, opcode=%d",
+ print_sockaddr (from, &gc),
+ op);
+ goto error;
+ }
+
+ if (key_id != 0)
+ {
+ dmsg (D_TLS_STATE_ERRORS,
+ "TLS State Error: Unknown key ID (%d) received from %s -- 0 was expected",
+ key_id,
+ print_sockaddr (from, &gc));
+ goto error;
+ }
+
+ if (buf->len > EXPANDED_SIZE_DYNAMIC (&tas->frame))
+ {
+ dmsg (D_TLS_STATE_ERRORS,
+ "TLS State Error: Large packet (size %d) received from %s -- a packet no larger than %d bytes was expected",
+ buf->len,
+ print_sockaddr (from, &gc),
+ EXPANDED_SIZE_DYNAMIC (&tas->frame));
+ goto error;
+ }
+
+ {
+ struct buffer newbuf = clone_buf (buf);
+ struct crypto_options co = tas->tls_auth_options;
+ bool status;
+
+ /*
+ * We are in read-only mode at this point with respect to TLS
+ * control channel state. After we build a new client instance
+ * object, we will process this session-initiating packet for real.
+ */
+ co.flags |= CO_IGNORE_PACKET_ID;
+
+ /* HMAC test, if --tls-auth was specified */
+ status = read_control_auth (&newbuf, &co, from);
+ free_buf (&newbuf);
+ if (!status)
+ goto error;
+
+ /*
+ * At this point, if --tls-auth is being used, we know that
+ * the packet has passed the HMAC test, but we don't know if
+ * it is a replay yet. We will attempt to defeat replays
+ * by not advancing to the S_START state until we
+ * receive an ACK from our first reply to the client
+ * that includes an HMAC of our randomly generated 64 bit
+ * session ID.
+ *
+ * On the other hand if --tls-auth is not being used, we
+ * will proceed to begin the TLS authentication
+ * handshake with only cursory integrity checks having
+ * been performed, since we will be leaving the task
+ * of authentication solely up to TLS.
+ */
+
+ ret = true;
+ }
+ }
+ gc_free (&gc);
+ return ret;
+
+ error:
+ ERR_clear_error ();
+ gc_free (&gc);
+ return ret;
+}
+
+/* Choose the key with which to encrypt a data packet */
+void
+tls_pre_encrypt (struct tls_multi *multi,
+ struct buffer *buf, struct crypto_options *opt)
+{
+ multi->save_ks = NULL;
+ if (buf->len > 0)
+ {
+ int i;
+ for (i = 0; i < KEY_SCAN_SIZE; ++i)
+ {
+ struct key_state *ks = multi->key_scan[i];
+ if (ks->state >= S_ACTIVE && ks->authenticated)
+ {
+ opt->key_ctx_bi = &ks->key;
+ opt->packet_id = multi->opt.replay ? &ks->packet_id : NULL;
+ opt->pid_persist = NULL;
+ opt->flags &= multi->opt.crypto_flags_and;
+ opt->flags |= multi->opt.crypto_flags_or;
+ multi->save_ks = ks;
+ dmsg (D_TLS_DEBUG, "TLS: tls_pre_encrypt: key_id=%d", ks->key_id);
+ return;
+ }
+ }
+
+ {
+ struct gc_arena gc = gc_new ();
+ dmsg (D_TLS_NO_SEND_KEY, "TLS Warning: no data channel send key available: %s",
+ print_key_id (multi, &gc));
+ gc_free (&gc);
+ }
+ }
+
+ buf->len = 0;
+ opt->key_ctx_bi = NULL;
+ opt->packet_id = NULL;
+ opt->pid_persist = NULL;
+ opt->flags &= multi->opt.crypto_flags_and;
+}
+
+/* Prepend the appropriate opcode to encrypted buffer prior to TCP/UDP send */
+void
+tls_post_encrypt (struct tls_multi *multi, struct buffer *buf)
+{
+ struct key_state *ks;
+ uint8_t *op;
+
+ ks = multi->save_ks;
+ multi->save_ks = NULL;
+ if (buf->len > 0)
+ {
+ ASSERT (ks);
+ ASSERT (op = buf_prepend (buf, 1));
+ *op = (P_DATA_V1 << P_OPCODE_SHIFT) | ks->key_id;
+ ++ks->n_packets;
+ ks->n_bytes += buf->len;
+ }
+}
+
+/*
+ * Send a payload over the TLS control channel.
+ * Called externally.
+ */
+
+bool
+tls_send_payload (struct tls_multi *multi,
+ const uint8_t *data,
+ int size)
+{
+ struct tls_session *session;
+ struct key_state *ks;
+ bool ret = false;
+
+ ERR_clear_error ();
+
+ ASSERT (multi);
+
+ session = &multi->session[TM_ACTIVE];
+ ks = &session->key[KS_PRIMARY];
+
+ if (ks->state >= S_ACTIVE)
+ {
+ if (key_state_write_plaintext_const (multi, ks, data, size) == 1)
+ ret = true;
+ }
+
+ ERR_clear_error ();
+
+ return ret;
+}
+
+bool
+tls_rec_payload (struct tls_multi *multi,
+ struct buffer *buf)
+{
+ struct tls_session *session;
+ struct key_state *ks;
+ bool ret = false;
+
+ ERR_clear_error ();
+
+ ASSERT (multi);
+
+ session = &multi->session[TM_ACTIVE];
+ ks = &session->key[KS_PRIMARY];
+
+ if (ks->state >= S_ACTIVE && BLEN (&ks->plaintext_read_buf))
+ {
+ if (buf_copy (buf, &ks->plaintext_read_buf))
+ ret = true;
+ ks->plaintext_read_buf.len = 0;
+ }
+
+ ERR_clear_error ();
+
+ return ret;
+}
+
+/*
+ * Dump a human-readable rendition of an openvpn packet
+ * into a garbage collectable string which is returned.
+ */
+const char *
+protocol_dump (struct buffer *buffer, unsigned int flags, struct gc_arena *gc)
+{
+ struct buffer out = alloc_buf_gc (256, gc);
+ struct buffer buf = *buffer;
+
+ uint8_t c;
+ int op;
+ int key_id;
+
+ int tls_auth_hmac_size = (flags & PD_TLS_AUTH_HMAC_SIZE_MASK);
+
+ if (buf.len <= 0)
+ {
+ buf_printf (&out, "DATA UNDEF len=%d", buf.len);
+ goto done;
+ }
+
+ if (!(flags & PD_TLS))
+ goto print_data;
+
+ /*
+ * Initial byte (opcode)
+ */
+ if (!buf_read (&buf, &c, sizeof (c)))
+ goto done;
+ op = (c >> P_OPCODE_SHIFT);
+ key_id = c & P_KEY_ID_MASK;
+ buf_printf (&out, "%s kid=%d", packet_opcode_name (op), key_id);
+
+ if (op == P_DATA_V1)
+ goto print_data;
+
+ /*
+ * Session ID
+ */
+ {
+ struct session_id sid;
+
+ if (!session_id_read (&sid, &buf))
+ goto done;
+ if (flags & PD_VERBOSE)
+ buf_printf (&out, " sid=%s", session_id_print (&sid, gc));
+ }
+
+ /*
+ * tls-auth hmac + packet_id
+ */
+ if (tls_auth_hmac_size)
+ {
+ struct packet_id_net pin;
+ uint8_t tls_auth_hmac[MAX_HMAC_KEY_LENGTH];
+
+ ASSERT (tls_auth_hmac_size <= MAX_HMAC_KEY_LENGTH);
+
+ if (!buf_read (&buf, tls_auth_hmac, tls_auth_hmac_size))
+ goto done;
+ if (flags & PD_VERBOSE)
+ buf_printf (&out, " tls_hmac=%s", format_hex (tls_auth_hmac, tls_auth_hmac_size, 0, gc));
+
+ if (!packet_id_read (&pin, &buf, true))
+ goto done;
+ buf_printf(&out, " pid=%s", packet_id_net_print (&pin, (flags & PD_VERBOSE), gc));
+ }
+
+ /*
+ * ACK list
+ */
+ buf_printf (&out, " %s", reliable_ack_print(&buf, (flags & PD_VERBOSE), gc));
+
+ if (op == P_ACK_V1)
+ goto done;
+
+ /*
+ * Packet ID
+ */
+ {
+ packet_id_type l;
+ if (!buf_read (&buf, &l, sizeof (l)))
+ goto done;
+ l = ntohpid (l);
+ buf_printf (&out, " pid=" packet_id_format, (packet_id_print_type)l);
+ }
+
+print_data:
+ if (flags & PD_SHOW_DATA)
+ buf_printf (&out, " DATA %s", format_hex (BPTR (&buf), BLEN (&buf), 80, gc));
+ else
+ buf_printf (&out, " DATA len=%d", buf.len);
+
+done:
+ return BSTR (&out);
+}
+
+#ifdef EXTRACT_X509_FIELD_TEST
+
+void
+extract_x509_field_test (void)
+{
+ char line[8];
+ char field[4];
+ static const char field_name[] = "CN";
+
+ while (fgets (line, sizeof (line), stdin))
+ {
+ chomp (line);
+ extract_x509_field (line, field_name, field, sizeof (field));
+ printf ("CN: '%s'\n", field);
+ }
+}
+
+#endif
+
+#else
+static void dummy(void) {}
+#endif /* USE_CRYPTO && USE_SSL*/