From patchwork Mon Oct 22 00:45:13 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 569 X-Patchwork-Delegate: davids@openvpn.net Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id qPJ/Dba4zVvEfQAAIUCqbw for ; Mon, 22 Oct 2018 07:47:02 -0400 Received: from proxy2.mail.ord1c.rsapps.net ([172.28.255.1]) by director10.mail.ord1d.rsapps.net with LMTP id WKlBDba4zVtRFwAApN4f7A ; Mon, 22 Oct 2018 07:47:02 -0400 Received: from smtp33.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy2.mail.ord1c.rsapps.net with LMTP id yNQUDba4zVvzLwAA311kuQ ; Mon, 22 Oct 2018 07:47:02 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp33.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=fox-it.com X-Suspicious-Flag: YES X-Classification-ID: 302a75a2-d5f0-11e8-bd8b-54520067fec4-1-1 Received: from [216.105.38.7] ([216.105.38.7:4139] helo=lists.sourceforge.net) by smtp33.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F6/99-28206-5B8BDCB5; Mon, 22 Oct 2018 07:47:01 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1gEYeq-00034a-JE; Mon, 22 Oct 2018 11:46:04 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1gEYeo-00034E-JO for openvpn-devel@lists.sourceforge.net; Mon, 22 Oct 2018 11:46:02 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=9Ia2NnbuOXwvBvqXMpLUUPfQJv1WQGoNXVXatIyFT1A=; b=JvPaskOMhEX7GLnyFNgtN1OyEo ybH57sePvrQOc6tmdi621QQ3AuqRHB9tifstVnEVn+OEBGOHLwkKcGeR0fOSTH7QA8PrZPaCVtsrC rgSOGqCCpwvDY5Y5zafYrLZeJXxu3LuC8HgQxwOS9JuwbpGKgfZODAcnX99QMmox4+O4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject: CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=9Ia2NnbuOXwvBvqXMpLUUPfQJv1WQGoNXVXatIyFT1A=; b=RGvLx/PYb0X8rlRtsnY4cqtVUB F+Cw8efGhia2Hg6fMPvr9iZ8aMNshF/MYcB9A6tXvUkeoUUJLg4mhYRnB46GNSexi+AGlMFI4+Nb0 QfIWuUTw4lnvPDgayVpWut4qGQrsnQa7wTIh3vJjrWTxTxTNIK7W85k/l/ErVfYyyl2g=; Received: from ns2.fox-it.com ([178.250.144.131]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.90_1) id 1gEYej-007cjT-Ro for openvpn-devel@lists.sourceforge.net; Mon, 22 Oct 2018 11:46:02 +0000 Received: from FOXDFT52.FOX.local (unknown [10.0.0.129]) by ns2.fox-it.com (Postfix) with ESMTPS id 6F10C1AF8A9 for ; Mon, 22 Oct 2018 13:45:51 +0200 (CEST) Received: from steffan-fox.fox.local (10.0.3.178) by FOXDFT52.FOX.local (10.0.0.129) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 22 Oct 2018 13:45:51 +0200 From: Steffan Karger To: Date: Mon, 22 Oct 2018 13:45:13 +0200 Message-ID: <1540208715-14044-4-git-send-email-steffan.karger@fox-it.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1512734870-17133-1-git-send-email-steffan.karger@fox-it.com> References: <1512734870-17133-1-git-send-email-steffan.karger@fox-it.com> MIME-Version: 1.0 X-ClientProxiedBy: FOXDFT52.FOX.local (10.0.0.129) To FOXDFT52.FOX.local (10.0.0.129) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1gEYej-007cjT-Ro Subject: [Openvpn-devel] [PATCH v7 5/7] tls-crypt-v2: add P_CONTROL_HARD_RESET_CLIENT_V3 opcode X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Not used yet, but prepare for sending and receiving tls-crypt-v2 handshake messages. Signed-off-by: Steffan Karger Acked-by: Antonio Quartulli --- v3: rebase on curent master / v3 patch set v4: rebase on v4 patch set v5: rebase on v5 patch set v6: rebase on v6 patch set v7: rebase on v7 patch set src/openvpn/ps.c | 3 ++- src/openvpn/ssl.c | 23 ++++++++++++++++++----- src/openvpn/ssl.h | 5 ++++- src/openvpn/ssl_common.h | 2 ++ 4 files changed, 26 insertions(+), 7 deletions(-) diff --git a/src/openvpn/ps.c b/src/openvpn/ps.c index 25ab374..2089e6b 100644 --- a/src/openvpn/ps.c +++ b/src/openvpn/ps.c @@ -985,7 +985,8 @@ is_openvpn_protocol(const struct buffer *buf) { return p[0] == 0 && p[1] >= 14 - && p[2] == (P_CONTROL_HARD_RESET_CLIENT_V2<= 2) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 52ed2ad..cdabaeb 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -785,6 +785,9 @@ packet_opcode_name(int op) case P_CONTROL_HARD_RESET_SERVER_V2: return "P_CONTROL_HARD_RESET_SERVER_V2"; + case P_CONTROL_HARD_RESET_CLIENT_V3: + return "P_CONTROL_HARD_RESET_CLIENT_V3"; + case P_CONTROL_SOFT_RESET_V1: return "P_CONTROL_SOFT_RESET_V1"; @@ -857,7 +860,8 @@ is_hard_reset(int op, int key_method) if (!key_method || key_method >= 2) { - if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2) + if (op == P_CONTROL_HARD_RESET_CLIENT_V2 || op == P_CONTROL_HARD_RESET_SERVER_V2 + || op == P_CONTROL_HARD_RESET_CLIENT_V3) { return true; } @@ -1088,8 +1092,15 @@ tls_session_init(struct tls_multi *multi, struct tls_session *session) } else /* session->opt->key_method >= 2 */ { - session->initial_opcode = session->opt->server ? - P_CONTROL_HARD_RESET_SERVER_V2 : P_CONTROL_HARD_RESET_CLIENT_V2; + if (session->opt->server) + { + session->initial_opcode = P_CONTROL_HARD_RESET_SERVER_V2; + } + else + { + session->initial_opcode = session->opt->tls_crypt_v2 ? + P_CONTROL_HARD_RESET_CLIENT_V3 : P_CONTROL_HARD_RESET_CLIENT_V2; + } } /* Initialize control channel authentication parameters */ @@ -3420,7 +3431,8 @@ tls_pre_decrypt(struct tls_multi *multi, { /* verify client -> server or server -> client connection */ if (((op == P_CONTROL_HARD_RESET_CLIENT_V1 - || op == P_CONTROL_HARD_RESET_CLIENT_V2) && !multi->opt.server) + || op == P_CONTROL_HARD_RESET_CLIENT_V2 + || op == P_CONTROL_HARD_RESET_CLIENT_V3) && !multi->opt.server) || ((op == P_CONTROL_HARD_RESET_SERVER_V1 || op == P_CONTROL_HARD_RESET_SERVER_V2) && multi->opt.server)) { @@ -3805,7 +3817,8 @@ tls_pre_decrypt_lite(const struct tls_auth_standalone *tas, /* this packet is from an as-yet untrusted source, so * scrutinize carefully */ - if (op != P_CONTROL_HARD_RESET_CLIENT_V2) + if (op != P_CONTROL_HARD_RESET_CLIENT_V2 + && op != P_CONTROL_HARD_RESET_CLIENT_V3) { /* * This can occur due to bogus data or DoS packets. diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index d412dc0..023330c 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -63,9 +63,12 @@ #define P_CONTROL_HARD_RESET_CLIENT_V2 7 /* initial key from client, forget previous state */ #define P_CONTROL_HARD_RESET_SERVER_V2 8 /* initial key from server, forget previous state */ +/* indicates key_method >= 2 and client-specific tls-crypt key */ +#define P_CONTROL_HARD_RESET_CLIENT_V3 10 /* initial key from client, forget previous state */ + /* define the range of legal opcodes */ #define P_FIRST_OPCODE 1 -#define P_LAST_OPCODE 9 +#define P_LAST_OPCODE 10 /* * Set the max number of acknowledgments that can "hitch a ride" on an outgoing diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index e5c2850..ffc8ded 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -286,6 +286,8 @@ struct tls_options const char *config_authname; bool ncp_enabled; + bool tls_crypt_v2; + /** TLS handshake wrapping state */ struct tls_wrap_ctx tls_wrap;