summaryrefslogtreecommitdiff
path: root/src/openvpn/ssl.h
diff options
context:
space:
mode:
authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
commit3a2bbdb05ca6a6996e424c9fb225cb0d53804125 (patch)
treef29063da5bec4caf3853d49a22a09c8619eebd21 /src/openvpn/ssl.h
parentd53dba59e78da865c4fe820386ff2f4f76925f3b (diff)
New upstream version 2.4.0upstream/2.4.0
Diffstat (limited to 'src/openvpn/ssl.h')
-rw-r--r--src/openvpn/ssl.h165
1 files changed, 86 insertions, 79 deletions
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h
index c971b75..ed1344e 100644
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -87,7 +87,7 @@
*/
#define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */
#define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after
- every packet sent/received action */
+ * every packet sent/received action */
/*
* The SSL/TLS worker thread will wait at most this many seconds for the
@@ -129,25 +129,25 @@
*/
struct tls_auth_standalone
{
- struct tls_wrap_ctx tls_wrap;
- struct frame frame;
+ struct tls_wrap_ctx tls_wrap;
+ struct frame frame;
};
/*
* Prepare the SSL library for use
*/
-void init_ssl_lib (void);
+void init_ssl_lib(void);
/*
* Free any internal state that the SSL library might have
*/
-void free_ssl_lib (void);
+void free_ssl_lib(void);
/**
* Build master SSL context object that serves for the whole of OpenVPN
* instantiation
*/
-void init_ssl (const struct options *options, struct tls_root_ctx *ctx);
+void init_ssl(const struct options *options, struct tls_root_ctx *ctx);
/** @addtogroup control_processor
* @{ */
@@ -169,7 +169,7 @@ void init_ssl (const struct options *options, struct tls_root_ctx *ctx);
*
* @return A newly allocated and initialized \c tls_multi structure.
*/
-struct tls_multi *tls_multi_init (struct tls_options *tls_options);
+struct tls_multi *tls_multi_init(struct tls_options *tls_options);
/**
* Finalize initialization of a \c tls_multi structure.
@@ -186,28 +186,28 @@ struct tls_multi *tls_multi_init (struct tls_options *tls_options);
* @param frame - The data channel's \c frame structure.
*/
void tls_multi_init_finalize(struct tls_multi *multi,
- const struct frame *frame);
+ const struct frame *frame);
/*
* Initialize a standalone tls-auth verification object.
*/
-struct tls_auth_standalone *tls_auth_standalone_init (struct tls_options *tls_options,
- struct gc_arena *gc);
+struct tls_auth_standalone *tls_auth_standalone_init(struct tls_options *tls_options,
+ struct gc_arena *gc);
/*
* Finalize a standalone tls-auth verification object.
*/
-void tls_auth_standalone_finalize (struct tls_auth_standalone *tas,
- const struct frame *frame);
+void tls_auth_standalone_finalize(struct tls_auth_standalone *tas,
+ const struct frame *frame);
/*
* Set local and remote option compatibility strings.
* Used to verify compatibility of local and remote option
* sets.
*/
-void tls_multi_init_set_options(struct tls_multi* multi,
- const char *local,
- const char *remote);
+void tls_multi_init_set_options(struct tls_multi *multi,
+ const char *local,
+ const char *remote);
/**
* Cleanup a \c tls_multi structure and free associated memory
@@ -221,7 +221,7 @@ void tls_multi_init_set_options(struct tls_multi* multi,
* @param clear - Whether the memory allocated for the \a multi
* object should be overwritten with 0s.
*/
-void tls_multi_free (struct tls_multi *multi, bool clear);
+void tls_multi_free(struct tls_multi *multi, bool clear);
/** @} name Functions for initialization and cleanup of tls_multi structures */
@@ -237,11 +237,11 @@ void tls_multi_free (struct tls_multi *multi, bool clear);
* Basically decides if we should call tls_process for
* the active or untrusted sessions.
*/
-int tls_multi_process (struct tls_multi *multi,
- struct buffer *to_link,
- struct link_socket_actual **to_link_addr,
- struct link_socket_info *to_link_socket_info,
- interval_t *wakeup);
+int tls_multi_process(struct tls_multi *multi,
+ struct buffer *to_link,
+ struct link_socket_actual **to_link_addr,
+ struct link_socket_info *to_link_socket_info,
+ interval_t *wakeup);
/**************************************************************************/
@@ -296,12 +296,12 @@ int tls_multi_process (struct tls_multi *multi,
* @li False if the packet is a data channel packet, or if an error
* occurred during processing of a control channel packet.
*/
-bool tls_pre_decrypt (struct tls_multi *multi,
- const struct link_socket_actual *from,
- struct buffer *buf,
- struct crypto_options **opt,
- bool floated,
- const uint8_t **ad_start);
+bool tls_pre_decrypt(struct tls_multi *multi,
+ const struct link_socket_actual *from,
+ struct buffer *buf,
+ struct crypto_options **opt,
+ bool floated,
+ const uint8_t **ad_start);
/**************************************************************************/
@@ -339,9 +339,9 @@ bool tls_pre_decrypt (struct tls_multi *multi,
* @li False if the packet is not valid, did not pass the HMAC firewall
* test, or some other error occurred.
*/
-bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
- const struct link_socket_actual *from,
- const struct buffer *buf);
+bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
+ const struct link_socket_actual *from,
+ const struct buffer *buf);
/**
@@ -357,8 +357,8 @@ bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
* @param buf - The buffer containing the outgoing packet.
* @param opt - Returns a crypto options structure with the security parameters.
*/
-void tls_pre_encrypt (struct tls_multi *multi,
- struct buffer *buf, struct crypto_options **opt);
+void tls_pre_encrypt(struct tls_multi *multi,
+ struct buffer *buf, struct crypto_options **opt);
/**
@@ -374,7 +374,7 @@ void tls_pre_encrypt (struct tls_multi *multi,
* @ingroup data_crypto
*/
void
-tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf);
+tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf);
/**
* Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The
@@ -393,7 +393,7 @@ tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf);
* @ingroup data_crypto
*/
void
-tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf);
+tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf);
/**
* Perform some accounting for the key state used.
@@ -402,7 +402,7 @@ tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf);
* @param multi - The TLS state for this packet's destination VPN tunnel.
* @param buf - The buffer containing the outgoing packet.
*/
-void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf);
+void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf);
/** @} name Functions for managing security parameter state for data channel packets */
@@ -410,26 +410,26 @@ void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf);
* Setup private key file password. If auth_file is given, use the
* credentials stored in the file.
*/
-void pem_password_setup (const char *auth_file);
+void pem_password_setup(const char *auth_file);
/*
* Setup authentication username and password. If auth_file is given, use the
* credentials stored in the file.
*/
-void auth_user_pass_setup (const char *auth_file, const struct static_challenge_info *sc_info);
+void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info);
/*
* Ensure that no caching is performed on authentication information
*/
-void ssl_set_auth_nocache (void);
+void ssl_set_auth_nocache(void);
/*
* Purge any stored authentication information, both for key files and tunnel
* authentication. If PCKS #11 is enabled, purge authentication for that too.
*/
-void ssl_purge_auth (const bool auth_user_pass_only);
+void ssl_purge_auth(const bool auth_user_pass_only);
-void ssl_set_auth_token (const char *token);
+void ssl_set_auth_token(const char *token);
#ifdef ENABLE_CLIENT_CR
/*
@@ -437,8 +437,10 @@ void ssl_set_auth_token (const char *token);
* reason string and return a dynamically allocated
* auth_challenge_info struct.
*/
-void ssl_purge_auth_challenge (void);
-void ssl_put_auth_challenge (const char *cr_str);
+void ssl_purge_auth_challenge(void);
+
+void ssl_put_auth_challenge(const char *cr_str);
+
#endif
/*
@@ -449,15 +451,15 @@ void tls_adjust_frame_parameters(struct frame *frame);
/*
* Send a payload over the TLS control channel
*/
-bool tls_send_payload (struct tls_multi *multi,
- const uint8_t *data,
- int size);
+bool tls_send_payload(struct tls_multi *multi,
+ const uint8_t *data,
+ int size);
/*
* Receive a payload through the TLS control channel
*/
-bool tls_rec_payload (struct tls_multi *multi,
- struct buffer *buf);
+bool tls_rec_payload(struct tls_multi *multi,
+ struct buffer *buf);
/**
* Updates remote address in TLS sessions.
@@ -465,22 +467,22 @@ bool tls_rec_payload (struct tls_multi *multi,
* @param multi - Tunnel to update
* @param addr - new address
*/
-void tls_update_remote_addr (struct tls_multi *multi,
- const struct link_socket_actual *addr);
+void tls_update_remote_addr(struct tls_multi *multi,
+ const struct link_socket_actual *addr);
/**
* Update TLS session crypto parameters (cipher and auth) and derive data
* channel keys based on the supplied options.
*
- * @param session The TLS session to update.
- * @param options The options to use when updating session.
- * @param frame The frame options for this session (frame overhead is
- * adjusted based on the selected cipher/auth).
+ * @param session The TLS session to update.
+ * @param options The options to use when updating session.
+ * @param frame The frame options for this session (frame overhead is
+ * adjusted based on the selected cipher/auth).
*
* @return true if updating succeeded, false otherwise.
*/
bool tls_session_update_crypto_params(struct tls_session *session,
- const struct options *options, struct frame *frame);
+ const struct options *options, struct frame *frame);
/**
* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
@@ -495,7 +497,7 @@ void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername);
static inline char *
tls_get_peer_info(const struct tls_multi *multi)
{
- return multi->peer_info;
+ return multi->peer_info;
}
#endif
@@ -508,7 +510,7 @@ int tls_peer_info_ncp_ver(const char *peer_info);
/**
* Check whether the ciphers in the supplied list are supported.
*
- * @param list Colon-separated list of ciphers
+ * @param list Colon-separated list of ciphers
*
* @returns true iff all ciphers in list are supported.
*/
@@ -526,39 +528,43 @@ bool tls_item_in_cipher_list(const char *item, const char *list);
*/
static inline bool
-tls_initial_packet_received (const struct tls_multi *multi)
+tls_initial_packet_received(const struct tls_multi *multi)
{
- return multi->n_sessions > 0;
+ return multi->n_sessions > 0;
}
static inline bool
-tls_test_auth_deferred_interval (const struct tls_multi *multi)
+tls_test_auth_deferred_interval(const struct tls_multi *multi)
{
- if (multi)
+ if (multi)
{
- const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
- return now < ks->auth_deferred_expire;
+ const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ return now < ks->auth_deferred_expire;
}
- return false;
+ return false;
}
static inline int
-tls_test_payload_len (const struct tls_multi *multi)
+tls_test_payload_len(const struct tls_multi *multi)
{
- if (multi)
+ if (multi)
{
- const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
- if (ks->state >= S_ACTIVE)
- return BLEN (&ks->plaintext_read_buf);
+ const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
+ if (ks->state >= S_ACTIVE)
+ {
+ return BLEN(&ks->plaintext_read_buf);
+ }
}
- return 0;
+ return 0;
}
static inline void
-tls_set_single_session (struct tls_multi *multi)
+tls_set_single_session(struct tls_multi *multi)
{
- if (multi)
- multi->opt.single_session = true;
+ if (multi)
+ {
+ multi->opt.single_session = true;
+ }
}
/*
@@ -569,9 +575,9 @@ tls_set_single_session (struct tls_multi *multi)
#define PD_TLS (1<<9)
#define PD_VERBOSE (1<<10)
-const char *protocol_dump (struct buffer *buffer,
- unsigned int flags,
- struct gc_arena *gc);
+const char *protocol_dump(struct buffer *buffer,
+ unsigned int flags,
+ struct gc_arena *gc);
/*
* debugging code
@@ -579,11 +585,12 @@ const char *protocol_dump (struct buffer *buffer,
#ifdef MEASURE_TLS_HANDSHAKE_STATS
void show_tls_performance_stats(void);
+
#endif
/*#define EXTRACT_X509_FIELD_TEST*/
-void extract_x509_field_test (void);
+void extract_x509_field_test(void);
#endif /* ENABLE_CRYPTO */
-#endif
+#endif /* ifndef OPENVPN_SSL_H */