From 1079962e4c06f88a54e50d997c1b7e84303d30b4 Mon Sep 17 00:00:00 2001 From: Bernhard Schmidt Date: Sat, 15 Aug 2020 21:29:50 +0200 Subject: New upstream version 2.5~beta1 --- src/openvpn/ssl_common.h | 111 ++++++++++++++++++++++++++++++----------------- 1 file changed, 70 insertions(+), 41 deletions(-) (limited to 'src/openvpn/ssl_common.h') diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index ac25ffa..96897e4 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -64,8 +64,7 @@ * material. * -# \c S_GOT_KEY, have received remote part of \c key_source2 random * material. - * -# \c S_ACTIVE, normal operation during remaining handshake window. - * -# \c S_NORMAL_OP, normal operation. + * -# \c S_ACTIVE, normal operation * * Servers follow the same order, except for \c S_SENT_KEY and \c * S_GOT_KEY being reversed, because the server first receives the @@ -94,9 +93,9 @@ * immediately after negotiation has * completed while still within the * handshake window. */ -/* ready to exchange data channel packets */ -#define S_NORMAL_OP 7 /**< Normal operational \c key_state - * state. */ +/* Note that earlier versions also had a S_OP_NORMAL state that was + * virtually identical with S_ACTIVE and the code still assumes everything + * >= S_ACTIVE to be fully operational */ /** @} name Control channel negotiation states */ /** @} addtogroup control_processor */ @@ -127,6 +126,25 @@ struct key_source2 { struct key_source server; /**< Random provided by server. */ }; + +/** + * This reflects the (server side) authentication state after the TLS + * session has been established and key_method_2_read is called. If async auth + * is enabled the state will first move to KS_AUTH_DEFERRED before eventually + * being set to KS_AUTH_TRUE or KS_AUTH_FALSE + * Only KS_AUTH_TRUE is fully authenticated + */ +enum ks_auth_state { + KS_AUTH_FALSE, /**< Key state is not authenticated */ + KS_AUTH_DEFERRED, /**< Key state authentication is being deferred, + * by async auth */ + KS_AUTH_TRUE /**< Key state is authenticated. TLS and user/pass + * succeeded. This includes AUTH_PENDING/OOB + * authentication as those hold the + * connection artificially in KS_AUTH_DEFERRED + */ +}; + /** * Security parameter state of one TLS and data channel %key session. * @ingroup control_processor @@ -185,12 +203,9 @@ struct key_state /* * If bad username/password, TLS connection will come up but 'authenticated' will be false. */ - bool authenticated; + enum ks_auth_state authenticated; time_t auth_deferred_expire; -#ifdef ENABLE_DEF_AUTH - /* If auth_deferred is true, authentication is being deferred */ - bool auth_deferred; #ifdef MANAGEMENT_DEF_AUTH unsigned int mda_key_id; unsigned int mda_status; @@ -200,7 +215,6 @@ struct key_state time_t acf_last_mod; char *auth_control_file; #endif -#endif }; /** Control channel wrapping (--tls-auth/--tls-crypt) context */ @@ -213,6 +227,12 @@ struct tls_wrap_ctx } mode; /**< Control channel wrapping mode */ struct crypto_options opt; /**< Crypto state */ struct buffer work; /**< Work buffer (only for --tls-crypt) */ + struct key_ctx tls_crypt_v2_server_key; /**< Decrypts client keys */ + const struct buffer *tls_crypt_v2_wkc; /**< Wrapped client key, + * sent to server */ + struct buffer tls_crypt_v2_metadata; /**< Received from client */ + bool cleanup_key_ctx; /**< opt.key_ctx_bi is owned by + * this context */ }; /* @@ -233,25 +253,18 @@ struct tls_options /* if true, don't xmit until first packet from peer is received */ bool xmit_hold; -#ifdef ENABLE_OCC /* local and remote options strings * that must match between client and server */ const char *local_options; const char *remote_options; -#endif /* from command line */ - int key_method; bool replay; bool single_session; -#ifdef ENABLE_OCC bool disable_occ; -#endif int mode; bool pull; -#ifdef ENABLE_PUSH_PEER_INFO int push_peer_info_detail; -#endif int transition_window; int handshake_window; interval_t packet_timeout; @@ -265,7 +278,7 @@ struct tls_options int verify_x509_type; const char *verify_x509_name; const char *crl_file; - const char *crl_file_inline; + bool crl_file_inline; int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; @@ -285,13 +298,15 @@ struct tls_options bool tcp_mode; const char *config_ciphername; - const char *config_authname; + const char *config_ncp_ciphers; bool ncp_enabled; + bool tls_crypt_v2; + const char *tls_crypt_v2_verify_script; + /** TLS handshake wrapping state */ struct tls_wrap_ctx tls_wrap; - /* frame parameters for TLS control channel */ struct frame frame; /* used for username/password authentication */ @@ -299,15 +314,21 @@ struct tls_options bool auth_user_pass_verify_script_via_file; const char *tmp_dir; const char *auth_user_pass_file; - bool auth_token_generate; /**< Generate auth-tokens on successful user/pass auth, - * set via options->auth_token_generate. */ + + bool auth_token_generate; /**< Generate auth-tokens on successful + * user/pass auth,seet via + * options->auth_token_generate. */ + bool auth_token_call_auth; /**< always call normal authentication */ unsigned int auth_token_lifetime; + struct key_ctx auth_token_key; + /* use the client-config-dir as a positive authenticator */ const char *client_config_dir_exclusive; /* instance-wide environment variable set */ struct env_set *es; + openvpn_net_ctx_t *net_ctx; const struct plugin_list *plugins; /* compression parms */ @@ -334,7 +355,7 @@ struct tls_options const struct x509_track *x509_track; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT const struct static_challenge_info *sci; #endif @@ -361,10 +382,6 @@ struct tls_options /** @} name Index of key_state objects within a tls_session structure */ /** @} addtogroup control_processor */ -#define AUTH_TOKEN_SIZE 32 /**< Size of server side generated auth tokens. - * 32 bytes == 256 bits - */ - /** * Security parameter state of a single session within a VPN tunnel. * @ingroup control_processor @@ -461,7 +478,6 @@ struct tls_session */ #define KEY_SCAN_SIZE 3 - /** * Security parameter state for a single VPN tunnel. * @ingroup control_processor @@ -517,22 +533,42 @@ struct tls_multi struct cert_hash_set *locked_cert_hash_set; #ifdef ENABLE_DEF_AUTH + /* Time of last call to tls_authentication_status */ + time_t tas_last; +#endif + /* * An error message to send to client on AUTH_FAILED */ char *client_reason; - /* Time of last call to tls_authentication_status */ - time_t tas_last; -#endif - -#if P2MP_SERVER /* * A multi-line string of general-purpose info received from peer * over control channel. */ char *peer_info; -#endif + char *auth_token; /**< If server sends a generated auth-token, + * this is the token to use for future + * user/pass authentications in this session. + */ + char *auth_token_initial; + /**< The first auth-token we sent to a client, for clients that do + * not update their auth-token (older OpenVPN3 core versions) + */ +#define AUTH_TOKEN_HMAC_OK (1<<0) + /**< Auth-token sent from client has valid hmac */ +#define AUTH_TOKEN_EXPIRED (1<<1) + /**< Auth-token sent from client has expired */ +#define AUTH_TOKEN_VALID_EMPTYUSER (1<<2) + /**< + * Auth-token is only valid for an empty username + * and not the username actually supplied from the client + * + * OpenVPN 3 clients sometimes wipes or replaces the username with a + * username hint from their config. + */ + int auth_token_state_flags; + /**< The state of the auth-token sent from the client last time */ /* For P_DATA_V2 */ uint32_t peer_id; @@ -540,13 +576,6 @@ struct tls_multi char *remote_ciphername; /**< cipher specified in peer's config file */ - char *auth_token; /**< If server sends a generated auth-token, - * this is the token to use for future - * user/pass authentications in this session. - */ - time_t auth_token_tstamp; /**< timestamp of the generated token */ - bool auth_token_sent; /**< If server uses --auth-gen-token and - * token has been sent to client */ /* * Our session objects. */ -- cgit v1.2.3