authorAdriaan de Jong <dejong@fox-it.com>2011-06-30 10:04:56 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-21 11:55:14 +0200
commit49620510205af8623efad434b471a4089851da19 (patch)
treeaa727e41faec2aa911699144d295e9583e0717a1 /ssl_common.h
parent897f8be4efa2d4b7cae100fe89838eb62e26f3b3 (diff)
Migrated data structures needed by verification functions to ssl_common.h
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl_common.h')
-rw-r--r--ssl_common.h187
1 files changed, 187 insertions, 0 deletions
diff --git a/ssl_common.h b/ssl_common.h
index 02193bd..408744c 100644
--- a/ssl_common.h
+++ b/ssl_common.h
@@ -249,4 +249,191 @@ struct tls_options
int gremlin;
};
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of key_state objects within a tls_session structure
+ *
+ * This is the index of \c tls_session.key
+ *
+ * @{ */
+#define KS_PRIMARY 0 /**< Primary %key state index. */
+#define KS_LAME_DUCK 1 /**< %Key state index that will retire
+ * soon. */
+#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
+/** @} name Index of key_state objects within a tls_session structure */
+/** @} addtogroup control_processor */
+
+
+/**
+ * Security parameter state of a single session within a VPN tunnel.
+ * @ingroup control_processor
+ *
+ * This structure represents an OpenVPN peer-to-peer control channel
+ * session.
+ *
+ * A \c tls_session remains over soft resets, but a new instance is
+ * initialized for each hard reset.
+ *
+ * @see
+ * - This structure should be initialized using the \c tls_session_init()
+ * function.
+ * - This structure should be cleaned up using the \c tls_session_free()
+ * function.
+ */
+struct tls_session
+{
+ /* const options and config info */
+ struct tls_options *opt;
+
+ /* during hard reset used to control burst retransmit */
+ bool burst;
+
+ /* authenticate control packets */
+ struct crypto_options tls_auth;
+ struct packet_id tls_auth_pid;
+
+ int initial_opcode; /* our initial P_ opcode */
+ struct session_id session_id; /* our random session ID */
+ int key_id; /* increments with each soft reset (for key renegotiation) */
+
+ int limit_next; /* used for traffic shaping on the control channel */
+
+ int verify_maxlevel;
+
+ char *common_name;
+
+ struct cert_hash_set *cert_hash_set;
+
+#ifdef ENABLE_PF
+ uint32_t common_name_hashval;
+#endif
+
+ bool verified; /* true if peer certificate was verified against CA */
+
+ /* not-yet-authenticated incoming client */
+ struct link_socket_actual untrusted_addr;
+
+ struct key_state key[KS_SIZE];
+};
+
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of tls_session objects within a tls_multi structure
+ *
+ * This is the index of \c tls_multi.session
+ *
+ * Normally three tls_session objects are maintained by an active openvpn
+ * session. The first is the current, TLS authenticated session, the
+ * second is used to process connection requests from a new client that
+ * would usurp the current session if successfully authenticated, and the
+ * third is used as a repository for a "lame-duck" %key in the event that
+ * the primary session resets due to error while the lame-duck %key still
+ * has time left before its expiration. Lame duck keys are used to
+ * maintain the continuity of the data channel connection while a new %key
+ * is being negotiated.
+ *
+ * @{ */
+#define TM_ACTIVE 0 /**< Active \c tls_session. */
+#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session
+ * being negotiated. */
+#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
+#define TM_SIZE 3 /**< Size of the \c tls_multi.session
+ * array. */
+/** @} name Index of tls_session objects within a tls_multi structure */
+/** @} addtogroup control_processor */
+
+
+/*
+ * The number of keys we will scan on encrypt or decrypt. The first
+ * is the "active" key. The second is the lame_duck or retiring key
+ * associated with the active key's session ID. The third is a detached
+ * lame duck session that only occurs in situations where a key renegotiate
+ * failed on the active key, but a lame duck key was still valid. By
+ * preserving the lame duck session, we can be assured of having a data
+ * channel key available even when network conditions are so bad that
+ * we can't negotiate a new key within the time allotted.
+ */
+#define KEY_SCAN_SIZE 3
+
+
+/**
+ * Security parameter state for a single VPN tunnel.
+ * @ingroup control_processor
+ *
+ * An active VPN tunnel running with TLS enabled has one \c tls_multi
+ * object, in which it stores all control channel and data channel
+ * security parameter state. This structure can contain multiple,
+ * possibly simultaneously active, \c tls_context objects to allow for
+ * interruption-less transitions during session renegotiations. Each \c
+ * tls_context represents one control channel session, which can span
+ * multiple data channel security parameter sessions stored in \c
+ * key_state structures.
+ */
+struct tls_multi
+{
+ /* used to coordinate access between main thread and TLS thread */
+ /*MUTEX_PTR_DEFINE (mutex);*/
+
+ /* const options and config info */
+ struct tls_options opt;
+
+ struct key_state* key_scan[KEY_SCAN_SIZE];
+ /**< List of \c key_state objects in the
+ * order they should be scanned by data
+ * channel modules. */
+
+ /*
+ * used by tls_pre_encrypt to communicate the encrypt key
+ * to tls_post_encrypt()
+ */
+ struct key_state *save_ks; /* temporary pointer used between pre/post routines */
+
+ /*
+ * Used to return outgoing address from
+ * tls_multi_process.
+ */
+ struct link_socket_actual to_link_addr;
+
+ int n_sessions; /**< Number of sessions negotiated thus
+ * far. */
+
+ /*
+ * Number of errors.
+ */
+ int n_hard_errors; /* errors due to TLS negotiation failure */
+ int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
+
+ /*
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
+ */
+ char *locked_cn;
+ char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
+
+#ifdef ENABLE_DEF_AUTH
+ /*
+ * An error message to send to client on AUTH_FAILED
+ */
+ char *client_reason;
+
+ /*
+ * A multi-line string of general-purpose info received from peer
+ * over control channel.
+ */
+ char *peer_info;
+
+ /* Time of last call to tls_authentication_status */
+ time_t tas_last;
+#endif
+
+ /*
+ * Our session objects.
+ */
+ struct tls_session session[TM_SIZE];
+ /**< Array of \c tls_session objects
+ * representing control channel
+ * sessions with the remote peer. */
+};
+
+
#endif /* SSL_COMMON_H_ */
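Review bot: The Doxygen comment on `struct tls_multi` says the object holds multiple `\c tls_context` objects, but the member it introduces is `session[TM_SIZE]`, an array of `struct tls_session`, and no `tls_context` type appears anywhere in this header; replacing both mentions with `\c tls_session` makes the cross-reference resolve and the comment match the code. The `char *` members `common_name`, `locked_cn`, `locked_username`, `client_reason` and `peer_info` carry no ownership note, and since `tls_session_init()`/`tls_session_free()` are named as the lifecycle functions, a per-member comment such as `/* heap-allocated, owned by this struct; presumably released by the matching *_free() -- confirm against ssl.c */` would save the next reader a trip through the allocator and make any future double-free or leak easier to spot. The commented-out `MUTEX_PTR_DEFINE (mutex);` is dead code carried over by the move and could be dropped rather than migrated, since a reader may otherwise assume the structure is lock-protected. `struct tls_options`, whose closing lines open this hunk, begins outside it.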