summaryrefslogtreecommitdiff
path: root/main/openvpn/src/openvpn/init.c
diff options
context:
space:
mode:
Diffstat (limited to 'main/openvpn/src/openvpn/init.c')
-rw-r--r--main/openvpn/src/openvpn/init.c126
1 files changed, 72 insertions, 54 deletions
diff --git a/main/openvpn/src/openvpn/init.c b/main/openvpn/src/openvpn/init.c
index 6380719f..af517ee9 100644
--- a/main/openvpn/src/openvpn/init.c
+++ b/main/openvpn/src/openvpn/init.c
@@ -1719,7 +1719,7 @@ pull_permission_mask (const struct context *c)
| OPT_P_EXPLICIT_NOTIFY
| OPT_P_ECHO
| OPT_P_PULL_MODE
- | OPT_P_SESSION_ID;
+ | OPT_P_PEER_ID;
if (!c->options.route_nopull)
flags |= (OPT_P_ROUTE | OPT_P_IPWIN32);
@@ -1797,11 +1797,11 @@ do_deferred_options (struct context *c, const unsigned int found)
if (found & OPT_P_SETENV)
msg (D_PUSH, "OPTIONS IMPORT: environment modified");
- if (found & OPT_P_SESSION_ID)
+ if (found & OPT_P_PEER_ID)
{
- msg (D_PUSH, "OPTIONS IMPORT: session-id set");
- c->c2.tls_multi->use_session_id = true;
- c->c2.tls_multi->vpn_session_id = c->options.vpn_session_id;
+ msg (D_PUSH, "OPTIONS IMPORT: peer-id set");
+ c->c2.tls_multi->use_peer_id = true;
+ c->c2.tls_multi->peer_id = c->options.peer_id;
}
}
@@ -1893,39 +1893,38 @@ do_startup_pause (struct context *c)
* Finalize MTU parameters based on command line or config file options.
*/
static void
-frame_finalize_options (struct context *c, const struct options *o)
+frame_finalize_options (struct frame *frame, const struct options *o,
+ bool cipher_enabled)
{
- if (!o)
- o = &c->options;
+ ASSERT(o);
/*
* Set adjustment factor for buffer alignment when no
* cipher is used.
*/
- if (!CIPHER_ENABLED (c))
+ if (!cipher_enabled)
{
- frame_align_to_extra_frame (&c->c2.frame);
- frame_or_align_flags (&c->c2.frame,
+ frame_align_to_extra_frame (frame);
+ frame_or_align_flags (frame,
FRAME_HEADROOM_MARKER_FRAGMENT
|FRAME_HEADROOM_MARKER_READ_LINK
|FRAME_HEADROOM_MARKER_READ_STREAM);
}
- frame_finalize (&c->c2.frame,
+ frame_finalize (frame,
o->ce.link_mtu_defined,
o->ce.link_mtu,
o->ce.tun_mtu_defined,
o->ce.tun_mtu);
}
+#ifdef ENABLE_CRYPTO
/*
* Free a key schedule, including OpenSSL components.
*/
static void
key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
{
-#ifdef ENABLE_CRYPTO
- free_key_ctx_bi (&ks->static_key);
#ifdef ENABLE_SSL
if (tls_ctx_initialised(&ks->ssl_ctx) && free_ssl_ctx)
{
@@ -1933,12 +1932,9 @@ key_schedule_free (struct key_schedule *ks, bool free_ssl_ctx)
free_key_ctx_bi (&ks->tls_auth_key);
}
#endif /* ENABLE_SSL */
-#endif /* ENABLE_CRYPTO */
CLEAR (*ks);
}
-#ifdef ENABLE_CRYPTO
-
static void
init_crypto_pre (struct context *c, const unsigned int flags)
{
@@ -1952,14 +1948,6 @@ init_crypto_pre (struct context *c, const unsigned int flags)
packet_id_persist_load (&c->c1.pid_persist, c->options.packet_id_file);
}
- /* Initialize crypto options */
-
- if (c->options.use_iv)
- c->c2.crypto_options.flags |= CO_USE_IV;
-
- if (c->options.mute_replay_warnings)
- c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
-
#ifdef ENABLE_PREDICTION_RESISTANCE
if (c->options.use_prediction_resistance)
rand_ctx_enable_prediction_resistance();
@@ -1978,22 +1966,28 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
init_crypto_pre (c, flags);
+ /* Initialize flags */
+ if (c->options.use_iv)
+ c->c2.crypto_options.flags |= CO_USE_IV;
+
+ if (c->options.mute_replay_warnings)
+ c->c2.crypto_options.flags |= CO_MUTE_REPLAY_WARNINGS;
+
/* Initialize packet ID tracking */
if (options->replay)
{
- packet_id_init (&c->c2.packet_id,
+ packet_id_init (&c->c2.crypto_options.packet_id,
link_socket_proto_connection_oriented (options->ce.proto),
options->replay_window,
options->replay_time,
"STATIC", 0);
- c->c2.crypto_options.packet_id = &c->c2.packet_id;
c->c2.crypto_options.pid_persist = &c->c1.pid_persist;
c->c2.crypto_options.flags |= CO_PACKET_ID_LONG_FORM;
packet_id_persist_load_obj (&c->c1.pid_persist,
- c->c2.crypto_options.packet_id);
+ &c->c2.crypto_options.packet_id);
}
- if (!key_ctx_bi_defined (&c->c1.ks.static_key))
+ if (!key_ctx_bi_defined (&c->c2.crypto_options.key_ctx_bi))
{
struct key2 key2;
struct key_direction_state kds;
@@ -2025,10 +2019,12 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
key_direction_state_init (&kds, options->key_direction);
must_have_n_keys (options->shared_secret_file, "secret", &key2,
kds.need_keys);
- init_key_ctx (&c->c1.ks.static_key.encrypt, &key2.keys[kds.out_key],
- &c->c1.ks.key_type, OPENVPN_OP_ENCRYPT, "Static Encrypt");
- init_key_ctx (&c->c1.ks.static_key.decrypt, &key2.keys[kds.in_key],
- &c->c1.ks.key_type, OPENVPN_OP_DECRYPT, "Static Decrypt");
+ init_key_ctx (&c->c2.crypto_options.key_ctx_bi.encrypt,
+ &key2.keys[kds.out_key], &c->c1.ks.key_type,
+ OPENVPN_OP_ENCRYPT, "Static Encrypt");
+ init_key_ctx (&c->c2.crypto_options.key_ctx_bi.decrypt,
+ &key2.keys[kds.in_key], &c->c1.ks.key_type,
+ OPENVPN_OP_DECRYPT, "Static Decrypt");
/* Erase the temporary copy of key */
CLEAR (key2);
@@ -2038,9 +2034,6 @@ do_init_crypto_static (struct context *c, const unsigned int flags)
msg (M_INFO, "Re-using pre-shared static key");
}
- /* Get key schedule */
- c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key;
-
/* Compute MTU parameters */
crypto_adjust_frame_parameters (&c->c2.frame,
&c->c1.ks.key_type,
@@ -2112,11 +2105,22 @@ do_init_crypto_tls_c1 (struct context *c)
flags |= GHK_INLINE;
file = options->tls_auth_file_inline;
}
- get_tls_handshake_key (&c->c1.ks.key_type,
- &c->c1.ks.tls_auth_key,
- file,
- options->key_direction,
- flags);
+
+ /* Initialize key_type for tls-auth with auth only */
+ CLEAR (c->c1.ks.tls_auth_key_type);
+ if (options->authname && options->authname_defined)
+ {
+ c->c1.ks.tls_auth_key_type.digest = md_kt_get (options->authname);
+ c->c1.ks.tls_auth_key_type.hmac_length =
+ md_kt_size (c->c1.ks.tls_auth_key_type.digest);
+ }
+ else
+ {
+ msg (M_FATAL, "ERROR: tls-auth specified, but no valid auth");
+ }
+
+ get_tls_handshake_key (&c->c1.ks.tls_auth_key_type,
+ &c->c1.ks.tls_auth_key, file, options->key_direction, flags);
}
#if 0 /* was: #if ENABLE_INLINE_FILES -- Note that enabling this code will break restarts */
@@ -2171,6 +2175,12 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
/* Set all command-line TLS-related options */
CLEAR (to);
+ if (options->use_iv)
+ to.crypto_flags |= CO_USE_IV;
+
+ if (options->mute_replay_warnings)
+ to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
+
to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
if (packet_id_long_form)
to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
@@ -2260,11 +2270,11 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
/* TLS handshake authentication (--tls-auth) */
if (options->tls_auth_file)
{
- to.tls_auth_key = c->c1.ks.tls_auth_key;
+ to.tls_auth.key_ctx_bi = c->c1.ks.tls_auth_key;
to.tls_auth.pid_persist = &c->c1.pid_persist;
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
crypto_adjust_frame_parameters (&to.frame,
- &c->c1.ks.key_type,
+ &c->c1.ks.tls_auth_key_type,
false, false, true, true);
}
@@ -2407,7 +2417,7 @@ do_init_frame (struct context *c)
* Fill in the blanks in the frame parameters structure,
* make sure values are rational, etc.
*/
- frame_finalize_options (c, NULL);
+ frame_finalize_options (&c->c2.frame, &c->options, CIPHER_ENABLED (c));
#ifdef USE_COMP
/*
@@ -2843,8 +2853,13 @@ do_close_tls (struct context *c)
static void
do_close_free_key_schedule (struct context *c, bool free_ssl_ctx)
{
+#ifdef ENABLE_CRYPTO
if (!(c->sig->signal_received == SIGUSR1 && c->options.persist_key))
- key_schedule_free (&c->c1.ks, free_ssl_ctx);
+ {
+ key_schedule_free (&c->c1.ks, free_ssl_ctx);
+ free_key_ctx_bi (&c->c2.crypto_options.key_ctx_bi);
+ }
+#endif /* ENABLE_CRYPTO */
}
/*
@@ -2893,7 +2908,7 @@ static void
do_close_packet_id (struct context *c)
{
#ifdef ENABLE_CRYPTO
- packet_id_free (&c->c2.packet_id);
+ packet_id_free (&c->c2.crypto_options.packet_id);
packet_id_persist_save (&c->c1.pid_persist);
if (!(c->sig->signal_received == SIGUSR1))
packet_id_persist_close (&c->c1.pid_persist);
@@ -3187,7 +3202,7 @@ managmenet_callback_network_change (void *arg)
reestablishing the connection is required */
socketfd = c->c2.link_socket->sd;
- if (!c->options.pull || c->c2.tls_multi->use_session_id)
+ if (!c->options.pull || c->c2.tls_multi->use_peer_id)
return socketfd;
else
return -2;
@@ -3780,7 +3795,6 @@ close_context (struct context *c, int sig, unsigned int flags)
}
#ifdef ENABLE_CRYPTO
-
/*
* Do a loopback test
* on the crypto subsystem.
@@ -3797,23 +3811,21 @@ test_crypto_thread (void *arg)
next_connection_entry(c);
do_init_crypto_static (c, 0);
- frame_finalize_options (c, options);
+ frame_finalize_options (&c->c2.frame, options, CIPHER_ENABLED (c));
test_crypto (&c->c2.crypto_options, &c->c2.frame);
key_schedule_free (&c->c1.ks, true);
- packet_id_free (&c->c2.packet_id);
+ free_key_ctx_bi (&c->c2.crypto_options.key_ctx_bi);
+ packet_id_free (&c->c2.crypto_options.packet_id);
context_gc_free (c);
return NULL;
}
-#endif
-
bool
do_test_crypto (const struct options *o)
{
-#ifdef ENABLE_CRYPTO
if (o->test_crypto)
{
struct context c;
@@ -3828,6 +3840,12 @@ do_test_crypto (const struct options *o)
test_crypto_thread ((void *) &c);
return true;
}
-#endif
return false;
}
+#else
+bool
+do_test_crypto (const struct options *o)
+{
+ return false;
+}
+#endif /* ENABLE_CRYPTO */
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-15 21:44:18 +0000