Diffstat (limited to 'src/openvpn/ssl.h')
-rw-r--r-- | src/openvpn/ssl.h | 165 |
1 files changed, 86 insertions, 79 deletions
diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index c971b75..ed1344e 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -5,8 +5,8 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> + * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net> + * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -87,7 +87,7 @@ */ #define TLS_MULTI_REFRESH 15 /* call tls_multi_process once every n seconds */ #define TLS_MULTI_HORIZON 2 /* call tls_multi_process frequently for n seconds after - every packet sent/received action */ + * every packet sent/received action */ /* * The SSL/TLS worker thread will wait at most this many seconds for the @@ -129,25 +129,25 @@ */ struct tls_auth_standalone { - struct tls_wrap_ctx tls_wrap; - struct frame frame; + struct tls_wrap_ctx tls_wrap; + struct frame frame; }; /* * Prepare the SSL library for use */ -void init_ssl_lib (void); +void init_ssl_lib(void); /* * Free any internal state that the SSL library might have */ -void free_ssl_lib (void); +void free_ssl_lib(void); /** * Build master SSL context object that serves for the whole of OpenVPN * instantiation */ -void init_ssl (const struct options *options, struct tls_root_ctx *ctx); +void init_ssl(const struct options *options, struct tls_root_ctx *ctx); /** @addtogroup control_processor * @{ */ @@ -169,7 +169,7 @@ void init_ssl (const struct options *options, struct tls_root_ctx *ctx); * * @return A newly allocated and initialized \c tls_multi structure. */ -struct tls_multi *tls_multi_init (struct tls_options *tls_options); +struct tls_multi *tls_multi_init(struct tls_options *tls_options); /** * Finalize initialization of a \c tls_multi structure. 
@@ -186,28 +186,28 @@ struct tls_multi *tls_multi_init (struct tls_options *tls_options); * @param frame - The data channel's \c frame structure. */ void tls_multi_init_finalize(struct tls_multi *multi, - const struct frame *frame); + const struct frame *frame); /* * Initialize a standalone tls-auth verification object. */ -struct tls_auth_standalone *tls_auth_standalone_init (struct tls_options *tls_options, - struct gc_arena *gc); +struct tls_auth_standalone *tls_auth_standalone_init(struct tls_options *tls_options, + struct gc_arena *gc); /* * Finalize a standalone tls-auth verification object. */ -void tls_auth_standalone_finalize (struct tls_auth_standalone *tas, - const struct frame *frame); +void tls_auth_standalone_finalize(struct tls_auth_standalone *tas, + const struct frame *frame); /* * Set local and remote option compatibility strings. * Used to verify compatibility of local and remote option * sets. */ -void tls_multi_init_set_options(struct tls_multi* multi, - const char *local, - const char *remote); +void tls_multi_init_set_options(struct tls_multi *multi, + const char *local, + const char *remote); /** * Cleanup a \c tls_multi structure and free associated memory @@ -221,7 +221,7 @@ void tls_multi_init_set_options(struct tls_multi* multi, * @param clear - Whether the memory allocated for the \a multi * object should be overwritten with 0s. */ -void tls_multi_free (struct tls_multi *multi, bool clear); +void tls_multi_free(struct tls_multi *multi, bool clear); /** @} name Functions for initialization and cleanup of tls_multi structures */ 
@@ -237,11 +237,11 @@ void tls_multi_free (struct tls_multi *multi, bool clear); * Basically decides if we should call tls_process for * the active or untrusted sessions. */ -int tls_multi_process (struct tls_multi *multi, - struct buffer *to_link, - struct link_socket_actual **to_link_addr, - struct link_socket_info *to_link_socket_info, - interval_t *wakeup); +int tls_multi_process(struct tls_multi *multi, + struct buffer *to_link, + struct link_socket_actual **to_link_addr, + struct link_socket_info *to_link_socket_info, + interval_t *wakeup); /**************************************************************************/ @@ -296,12 +296,12 @@ int tls_multi_process (struct tls_multi *multi, * @li False if the packet is a data channel packet, or if an error * occurred during processing of a control channel packet. */ -bool tls_pre_decrypt (struct tls_multi *multi, - const struct link_socket_actual *from, - struct buffer *buf, - struct crypto_options **opt, - bool floated, - const uint8_t **ad_start); +bool tls_pre_decrypt(struct tls_multi *multi, + const struct link_socket_actual *from, + struct buffer *buf, + struct crypto_options **opt, + bool floated, + const uint8_t **ad_start); /**************************************************************************/ @@ -339,9 +339,9 @@ bool tls_pre_decrypt (struct tls_multi *multi, * @li False if the packet is not valid, did not pass the HMAC firewall * test, or some other error occurred. */ -bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, - const struct link_socket_actual *from, - const struct buffer *buf); +bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, + const struct link_socket_actual *from, + const struct buffer *buf); /** 
@@ -357,8 +357,8 @@ bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas, * @param buf - The buffer containing the outgoing packet. * @param opt - Returns a crypto options structure with the security parameters. */ -void tls_pre_encrypt (struct tls_multi *multi, - struct buffer *buf, struct crypto_options **opt); +void tls_pre_encrypt(struct tls_multi *multi, + struct buffer *buf, struct crypto_options **opt); /** @@ -374,7 +374,7 @@ void tls_pre_encrypt (struct tls_multi *multi, * @ingroup data_crypto */ void -tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf); +tls_prepend_opcode_v1(const struct tls_multi *multi, struct buffer *buf); /** * Prepend an OpenVPN data channel P_DATA_V2 header to the packet. The @@ -393,7 +393,7 @@ tls_prepend_opcode_v1 (const struct tls_multi *multi, struct buffer *buf); * @ingroup data_crypto */ void -tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf); +tls_prepend_opcode_v2(const struct tls_multi *multi, struct buffer *buf); /** * Perform some accounting for the key state used. @@ -402,7 +402,7 @@ tls_prepend_opcode_v2 (const struct tls_multi *multi, struct buffer *buf); * @param multi - The TLS state for this packet's destination VPN tunnel. * @param buf - The buffer containing the outgoing packet. */ -void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf); +void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf); /** @} name Functions for managing security parameter state for data channel packets */ 
@@ -410,26 +410,26 @@ void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf); * Setup private key file password. If auth_file is given, use the * credentials stored in the file. */ -void pem_password_setup (const char *auth_file); +void pem_password_setup(const char *auth_file); /* * Setup authentication username and password. If auth_file is given, use the * credentials stored in the file. */ -void auth_user_pass_setup (const char *auth_file, const struct static_challenge_info *sc_info); +void auth_user_pass_setup(const char *auth_file, const struct static_challenge_info *sc_info); /* * Ensure that no caching is performed on authentication information */ -void ssl_set_auth_nocache (void); +void ssl_set_auth_nocache(void); /* * Purge any stored authentication information, both for key files and tunnel * authentication. If PCKS #11 is enabled, purge authentication for that too. */ -void ssl_purge_auth (const bool auth_user_pass_only); +void ssl_purge_auth(const bool auth_user_pass_only); -void ssl_set_auth_token (const char *token); +void ssl_set_auth_token(const char *token); #ifdef ENABLE_CLIENT_CR /* @@ -437,8 +437,10 @@ void ssl_set_auth_token (const char *token); * reason string and return a dynamically allocated * auth_challenge_info struct. */ -void ssl_purge_auth_challenge (void); -void ssl_put_auth_challenge (const char *cr_str); +void ssl_purge_auth_challenge(void); + +void ssl_put_auth_challenge(const char *cr_str); + #endif /* 
@@ -449,15 +451,15 @@ void tls_adjust_frame_parameters(struct frame *frame); /* * Send a payload over the TLS control channel */ -bool tls_send_payload (struct tls_multi *multi, - const uint8_t *data, - int size); +bool tls_send_payload(struct tls_multi *multi, + const uint8_t *data, + int size); /* * Receive a payload through the TLS control channel */ -bool tls_rec_payload (struct tls_multi *multi, - struct buffer *buf); +bool tls_rec_payload(struct tls_multi *multi, + struct buffer *buf); /** * Updates remote address in TLS sessions. @@ -465,22 +467,22 @@ bool tls_rec_payload (struct tls_multi *multi, * @param multi - Tunnel to update * @param addr - new address */ -void tls_update_remote_addr (struct tls_multi *multi, - const struct link_socket_actual *addr); +void tls_update_remote_addr(struct tls_multi *multi, + const struct link_socket_actual *addr); /** * Update TLS session crypto parameters (cipher and auth) and derive data * channel keys based on the supplied options. * - * @param session The TLS session to update. - * @param options The options to use when updating session. - * @param frame The frame options for this session (frame overhead is - * adjusted based on the selected cipher/auth). + * @param session The TLS session to update. + * @param options The options to use when updating session. + * @param frame The frame options for this session (frame overhead is + * adjusted based on the selected cipher/auth). * * @return true if updating succeeded, false otherwise. */ bool tls_session_update_crypto_params(struct tls_session *session, - const struct options *options, struct frame *frame); + const struct options *options, struct frame *frame); /** * "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher. @@ -495,7 +497,7 @@ void tls_poor_mans_ncp(struct options *o, const char *remote_ciphername); static inline char * tls_get_peer_info(const struct tls_multi *multi) { - return multi->peer_info; + return multi->peer_info; } #endif 
@@ -508,7 +510,7 @@ int tls_peer_info_ncp_ver(const char *peer_info); /** * Check whether the ciphers in the supplied list are supported. * - * @param list Colon-separated list of ciphers + * @param list Colon-separated list of ciphers * * @returns true iff all ciphers in list are supported. */ @@ -526,39 +528,43 @@ bool tls_item_in_cipher_list(const char *item, const char *list); */ static inline bool -tls_initial_packet_received (const struct tls_multi *multi) +tls_initial_packet_received(const struct tls_multi *multi) { - return multi->n_sessions > 0; + return multi->n_sessions > 0; } static inline bool -tls_test_auth_deferred_interval (const struct tls_multi *multi) +tls_test_auth_deferred_interval(const struct tls_multi *multi) { - if (multi) + if (multi) { - const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; - return now < ks->auth_deferred_expire; + const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; + return now < ks->auth_deferred_expire; } - return false; + return false; } static inline int -tls_test_payload_len (const struct tls_multi *multi) +tls_test_payload_len(const struct tls_multi *multi) { - if (multi) + if (multi) { - const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; - if (ks->state >= S_ACTIVE) - return BLEN (&ks->plaintext_read_buf); + const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY]; + if (ks->state >= S_ACTIVE) + { + return BLEN(&ks->plaintext_read_buf); + } } - return 0; + return 0; } static inline void -tls_set_single_session (struct tls_multi *multi) +tls_set_single_session(struct tls_multi *multi) { - if (multi) - multi->opt.single_session = true; + if (multi) + { + multi->opt.single_session = true; + } } /* 
@@ -569,9 +575,9 @@ tls_set_single_session (struct tls_multi *multi) #define PD_TLS (1<<9) #define PD_VERBOSE (1<<10) -const char *protocol_dump (struct buffer *buffer, - unsigned int flags, - struct gc_arena *gc); +const char *protocol_dump(struct buffer *buffer, + unsigned int flags, + struct gc_arena *gc); /* * debugging code @@ -579,11 +585,12 @@ const char *protocol_dump (struct buffer *buffer, #ifdef MEASURE_TLS_HANDSHAKE_STATS void show_tls_performance_stats(void); + #endif /*#define EXTRACT_X509_FIELD_TEST*/ -void extract_x509_field_test (void); +void extract_x509_field_test(void); #endif /* ENABLE_CRYPTO */ -#endif +#endif /* ifndef OPENVPN_SSL_H */ |