-rw-r--r-- | ssl.h | 187 | ||||
-rw-r--r-- | ssl_common.h | 187 |
2 files changed, 187 insertions, 187 deletions
@@ -248,193 +248,6 @@ void x509_track_add (const struct x509_track **ll_head, const char *name, int ms
 #endif
-/** @addtogroup control_processor
- * @{ */
-/** @name Index of key_state objects within a tls_session structure
- *
- * This is the index of \c tls_session.key
- *
- * @{ */
-#define KS_PRIMARY 0 /**< Primary %key state index. */
-#define KS_LAME_DUCK 1 /**< %Key state index that will retire
- * soon. */
-#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
-/** @} name Index of key_state objects within a tls_session structure */
-/** @} addtogroup control_processor */
-
-
-/**
- * Security parameter state of a single session within a VPN tunnel.
- * @ingroup control_processor
- *
- * This structure represents an OpenVPN peer-to-peer control channel
- * session.
- *
- * A \c tls_session remains over soft resets, but a new instance is
- * initialized for each hard reset.
- *
- * @see
- * - This structure should be initialized using the \c tls_session_init()
- * function.
- * - This structure should be cleaned up using the \c tls_session_free()
- * function.
- */
-struct tls_session
-{
- /* const options and config info */
- const struct tls_options *opt;
-
- /* during hard reset used to control burst retransmit */
- bool burst;
-
- /* authenticate control packets */
- struct crypto_options tls_auth;
- struct packet_id tls_auth_pid;
-
- int initial_opcode; /* our initial P_ opcode */
- struct session_id session_id; /* our random session ID */
- int key_id; /* increments with each soft reset (for key renegotiation) */
-
- int limit_next; /* used for traffic shaping on the control channel */
-
- int verify_maxlevel;
-
- char *common_name;
-
- struct cert_hash_set *cert_hash_set;
-
-#ifdef ENABLE_PF
- uint32_t common_name_hashval;
-#endif
-
- bool verified; /* true if peer certificate was verified against CA */
-
- /* not-yet-authenticated incoming client */
- struct link_socket_actual untrusted_addr;
-
- struct key_state key[KS_SIZE];
-};
-
-
-
-/** @addtogroup control_processor
- * @{ */
-/** @name Index of tls_session objects within a tls_multi structure
- *
- * This is the index of \c tls_multi.session
- *
- * Normally three tls_session objects are maintained by an active openvpn
- * session. The first is the current, TLS authenticated session, the
- * second is used to process connection requests from a new client that
- * would usurp the current session if successfully authenticated, and the
- * third is used as a repository for a "lame-duck" %key in the event that
- * the primary session resets due to error while the lame-duck %key still
- * has time left before its expiration. Lame duck keys are used to
- * maintain the continuity of the data channel connection while a new %key
- * is being negotiated.
- *
- * @{ */
-#define TM_ACTIVE 0 /**< Active \c tls_session. */
-#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session
- * being negotiated. */
-#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
-#define TM_SIZE 3 /**< Size of the \c tls_multi.session
- * array. */
-/** @} name Index of tls_session objects within a tls_multi structure */
-/** @} addtogroup control_processor */
-
-
-/*
- * The number of keys we will scan on encrypt or decrypt. The first
- * is the "active" key. The second is the lame_duck or retiring key
- * associated with the active key's session ID. The third is a detached
- * lame duck session that only occurs in situations where a key renegotiate
- * failed on the active key, but a lame duck key was still valid. By
- * preserving the lame duck session, we can be assured of having a data
- * channel key available even when network conditions are so bad that
- * we can't negotiate a new key within the time allotted.
- */
-#define KEY_SCAN_SIZE 3
-
-/** @name Functions for initialization and cleanup of tls_multi structures
- * @{ */
-
-/**
- * Security parameter state for a single VPN tunnel.
- * @ingroup control_processor
- *
- * An active VPN tunnel running with TLS enabled has one \c tls_multi
- * object, in which it stores all control channel and data channel
- * security parameter state. This structure can contain multiple,
- * possibly simultaneously active, \c tls_context objects to allow for
- * interruption-less transitions during session renegotiations. Each \c
- * tls_context represents one control channel session, which can span
- * multiple data channel security parameter sessions stored in \c
- * key_state structures.
- */
-struct tls_multi
-{
- /* const options and config info */
- struct tls_options opt;
-
- struct key_state* key_scan[KEY_SCAN_SIZE];
- /**< List of \c key_state objects in the
- * order they should be scanned by data
- * channel modules. */
-
- /*
- * used by tls_pre_encrypt to communicate the encrypt key
- * to tls_post_encrypt()
- */
- struct key_state *save_ks; /* temporary pointer used between pre/post routines */
-
- /*
- * Used to return outgoing address from
- * tls_multi_process.
- */
- struct link_socket_actual to_link_addr;
-
- int n_sessions; /**< Number of sessions negotiated thus
- * far. */
-
- /*
- * Number of errors.
- */
- int n_hard_errors; /* errors due to TLS negotiation failure */
- int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
-
- /*
- * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
- */
- char *locked_cn;
- char *locked_username;
- struct cert_hash_set *locked_cert_hash_set;
-
-#ifdef ENABLE_DEF_AUTH
- /*
- * An error message to send to client on AUTH_FAILED
- */
- char *client_reason;
-
- /*
- * A multi-line string of general-purpose info received from peer
- * over control channel.
- */
- char *peer_info;
-
- /* Time of last call to tls_authentication_status */
- time_t tas_last;
-#endif
-
- /*
- * Our session objects.
- */
- struct tls_session session[TM_SIZE];
- /**< Array of \c tls_session objects
- * representing control channel
- * sessions with the remote peer. */
-};
-
 /*
 * Used in --mode server mode to check tls-auth signature on initial
 * packets received from new clients.
diff --git a/ssl_common.h b/ssl_common.h
index 02193bd..408744c 100644
--- a/ssl_common.h
+++ b/ssl_common.h
@@ -249,4 +249,191 @@ struct tls_options
 int gremlin;
 };
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of key_state objects within a tls_session structure
+ *
+ * This is the index of \c tls_session.key
+ *
+ * @{ */
+#define KS_PRIMARY 0 /**< Primary %key state index. */
+#define KS_LAME_DUCK 1 /**< %Key state index that will retire
+ * soon. */
+#define KS_SIZE 2 /**< Size of the \c tls_session.key array. */
+/** @} name Index of key_state objects within a tls_session structure */
+/** @} addtogroup control_processor */
+
+
+/**
+ * Security parameter state of a single session within a VPN tunnel.
+ * @ingroup control_processor
+ *
+ * This structure represents an OpenVPN peer-to-peer control channel
+ * session.
+ *
+ * A \c tls_session remains over soft resets, but a new instance is
+ * initialized for each hard reset.
+ *
+ * @see
+ * - This structure should be initialized using the \c tls_session_init()
+ * function.
+ * - This structure should be cleaned up using the \c tls_session_free()
+ * function.
+ */
+struct tls_session
+{
+ /* const options and config info */
+ struct tls_options *opt;
+
+ /* during hard reset used to control burst retransmit */
+ bool burst;
+
+ /* authenticate control packets */
+ struct crypto_options tls_auth;
+ struct packet_id tls_auth_pid;
+
+ int initial_opcode; /* our initial P_ opcode */
+ struct session_id session_id; /* our random session ID */
+ int key_id; /* increments with each soft reset (for key renegotiation) */
+
+ int limit_next; /* used for traffic shaping on the control channel */
+
+ int verify_maxlevel;
+
+ char *common_name;
+
+ struct cert_hash_set *cert_hash_set;
+
+#ifdef ENABLE_PF
+ uint32_t common_name_hashval;
+#endif
+
+ bool verified; /* true if peer certificate was verified against CA */
+
+ /* not-yet-authenticated incoming client */
+ struct link_socket_actual untrusted_addr;
+
+ struct key_state key[KS_SIZE];
+};
+
+/** @addtogroup control_processor
+ * @{ */
+/** @name Index of tls_session objects within a tls_multi structure
+ *
+ * This is the index of \c tls_multi.session
+ *
+ * Normally three tls_session objects are maintained by an active openvpn
+ * session. The first is the current, TLS authenticated session, the
+ * second is used to process connection requests from a new client that
+ * would usurp the current session if successfully authenticated, and the
+ * third is used as a repository for a "lame-duck" %key in the event that
+ * the primary session resets due to error while the lame-duck %key still
+ * has time left before its expiration. Lame duck keys are used to
+ * maintain the continuity of the data channel connection while a new %key
+ * is being negotiated.
+ *
+ * @{ */
+#define TM_ACTIVE 0 /**< Active \c tls_session. */
+#define TM_UNTRUSTED 1 /**< As yet un-trusted \c tls_session
+ * being negotiated. */
+#define TM_LAME_DUCK 2 /**< Old \c tls_session. */
+#define TM_SIZE 3 /**< Size of the \c tls_multi.session
+ * array. */
+/** @} name Index of tls_session objects within a tls_multi structure */
+/** @} addtogroup control_processor */
+
+
+/*
+ * The number of keys we will scan on encrypt or decrypt. The first
+ * is the "active" key. The second is the lame_duck or retiring key
+ * associated with the active key's session ID. The third is a detached
+ * lame duck session that only occurs in situations where a key renegotiate
+ * failed on the active key, but a lame duck key was still valid. By
+ * preserving the lame duck session, we can be assured of having a data
+ * channel key available even when network conditions are so bad that
+ * we can't negotiate a new key within the time allotted.
+ */
+#define KEY_SCAN_SIZE 3
+
+
+/**
+ * Security parameter state for a single VPN tunnel.
+ * @ingroup control_processor
+ *
+ * An active VPN tunnel running with TLS enabled has one \c tls_multi
+ * object, in which it stores all control channel and data channel
+ * security parameter state. This structure can contain multiple,
+ * possibly simultaneously active, \c tls_context objects to allow for
+ * interruption-less transitions during session renegotiations. Each \c
+ * tls_context represents one control channel session, which can span
+ * multiple data channel security parameter sessions stored in \c
+ * key_state structures.
+ */
+struct tls_multi
+{
+ /* used to coordinate access between main thread and TLS thread */
+ /*MUTEX_PTR_DEFINE (mutex);*/
+
+ /* const options and config info */
+ struct tls_options opt;
+
+ struct key_state* key_scan[KEY_SCAN_SIZE];
+ /**< List of \c key_state objects in the
+ * order they should be scanned by data
+ * channel modules. */
+
+ /*
+ * used by tls_pre_encrypt to communicate the encrypt key
+ * to tls_post_encrypt()
+ */
+ struct key_state *save_ks; /* temporary pointer used between pre/post routines */
+
+ /*
+ * Used to return outgoing address from
+ * tls_multi_process.
+ */
+ struct link_socket_actual to_link_addr;
+
+ int n_sessions; /**< Number of sessions negotiated thus
+ * far. */
+
+ /*
+ * Number of errors.
+ */
+ int n_hard_errors; /* errors due to TLS negotiation failure */
+ int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
+
+ /*
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
+ */
+ char *locked_cn;
+ char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
+
+#ifdef ENABLE_DEF_AUTH
+ /*
+ * An error message to send to client on AUTH_FAILED
+ */
+ char *client_reason;
+
+ /*
+ * A multi-line string of general-purpose info received from peer
+ * over control channel.
+ */
+ char *peer_info;
+
+ /* Time of last call to tls_authentication_status */
+ time_t tas_last;
+#endif
+
+ /*
+ * Our session objects.
+ */
+ struct tls_session session[TM_SIZE];
+ /**< Array of \c tls_session objects
+ * representing control channel
+ * sessions with the remote peer. */
+};
+
+
 #endif /* SSL_COMMON_H_ */ |
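Review bot: The moved `opt` member of `struct tls_session` loses its `const` qualifier: the removed ssl.h line reads `const struct tls_options *opt;` while the added ssl_common.h line is `struct tls_options *opt;`, although the field comment directly above it still says "const options and config info". If the drop is not intentional, restore `const struct tls_options *opt;` so that code holding a session cannot write through it into the shared option state; if it is intentional, the comment should say why the pointer is now mutable. The new `struct tls_multi` also gains a commented-out `/*MUTEX_PTR_DEFINE (mutex);*/` line that the old definition did not have; either delete it or keep only the prose comment that explains the thread-coordination intent. The `@name Functions for initialization and cleanup of tls_multi structures` group opener present in the removed block is not carried over, so check that its matching `@}` in ssl.h was removed as well, otherwise the Doxygen grouping is unbalanced.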