1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
* Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
* @file Control Channel SSL/Data dynamic negotion Module
* This file is split from ssl.h to be able to unit test it.
*/
#ifndef OPENVPN_SSL_NCP_H
#define OPENVPN_SSL_NCP_H
#include "buffer.h"
#include "options.h"
/**
* Returns whether the client supports NCP either by
* announcing IV_NCP>=2 or the IV_CIPHERS list
*/
bool
tls_peer_supports_ncp(const char *peer_info);
/* forward declaration to break include dependency loop */
struct context;
/**
* Checks whether the cipher negotiation is in an acceptable state
* and we continue to connect or should abort.
*
* @return Wether the client NCP process suceeded or failed
*/
bool
check_pull_client_ncp(struct context *c, int found);
/**
* Iterates through the ciphers in server_list and return the first
* cipher that is also supported by the peer according to the IV_NCP
* and IV_CIPHER values in peer_info.
*
* We also accept a cipher that is the remote cipher of the client for
* "Poor man's NCP": Use peer cipher if it is an allowed (NCP) cipher.
* Allows non-NCP peers to upgrade their cipher individually.
*
* Make sure to call tls_session_update_crypto_params() after calling this
* function.
*
* @param gc gc arena that is ONLY used to allocate the returned string
*
* @returns NULL if no common cipher is available, otherwise the best common
* cipher
*/
char *
ncp_get_best_cipher(const char *server_list, const char *peer_info,
const char *remote_cipher, struct gc_arena *gc);
/**
* Returns the support cipher list from the peer according to the IV_NCP
* and IV_CIPHER values in peer_info.
*
* @returns Either a string containing the ncp list that is either static
* or allocated via gc. If no information is available an empty string
* ("") is returned.
*/
const char *
tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);
/**
* Check whether the ciphers in the supplied list are supported.
*
* @param list Colon-separated list of ciphers
* @parms gc gc_arena to allocate the returned string
*
* @returns colon separated string of normalised (via
* translate_cipher_name_from_openvpn) and
* zero terminated string iff all ciphers
* in list are supported and the total length
* is short than MAX_NCP_CIPHERS_LENGTH. NULL
* otherwise.
*/
char *
mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);
/**
* Return true iff item is present in the colon-separated zero-terminated
* cipher list.
*/
bool tls_item_in_cipher_list(const char *item, const char *list);
/**
* The maximum length of a ncp-cipher string that is accepted.
*
* Since this list needs to be pushed as IV_CIPHERS, we are conservative
* about its length.
*/
#define MAX_NCP_CIPHERS_LENGTH 127
#endif /* ifndef OPENVPN_SSL_NCP_H */
|