authorSteffan Karger2016-06-28 23:33:55 +0200
committerGert Doering2016-07-11 20:29:17 +0200
commit97894360fa537945e07fd6a85d0659e094b693a5 (patch)
tree3ef2bb0b0b8c802a279ce1113f6740c1dca2070e /src/openvpn/ssl_common.h
parent6dd307c8640d851c6241a27f434c53a6aee0cace (diff)
Add client-side support for cipher negotiation
Based on the 'IV_NCP=2' mechanism described in http://permalink.gmane.org/gmane.network.openvpn.devel/9385. This is the first patch of a set that adds support for cipher negotiation. Follow-up patches will add ways to restrict or disable the mechanism, and add server-side support. v2: * Account for crypto overhead through struct frame. This is less transparent, but the code has been built to work this way. The previous approach didn't work with TCP mode (or --port-share). * Calculate the link-mtu sent in the options string based on the crypto parameters specified in the config file (prevents link-mtu warnings in older peers when connecting). v3: * Use existing max_int() function, instead of new MAX() macro. * Fix typo in comment. * Do not regenerate keys if the server sends a second push msg * Only push IV_NCP if we're pull-client (and thus can do NCP) v4: * Fix rebase errors (OPT_P_NCP sneaked in, but is not introduced till 4/5, and tls_peer_info_ncp_ver() is not needed until 5/5). * Don't remove comment about key_id increment behaviour in init.c (but still add the extra comments in the .h files). Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1467149635-9726-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/12007 Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_common.h')
-rw-r--r--src/openvpn/ssl_common.h16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index a0df0ff..9183dab 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -149,7 +149,12 @@ struct key_source2 {
struct key_state
{
int state;
- int key_id; /* inherited from struct tls_session below */
+
+ /**
+ * Key id for this key_state, inherited from struct tls_session.
+ * @see tls_session::key_id.
+ */
+ int key_id;
struct key_state_ssl ks_ssl; /* contains SSL object and BIOs for the control channel */
@@ -231,6 +236,7 @@ struct tls_options
#ifdef ENABLE_OCC
bool disable_occ;
#endif
+ bool pull;
#ifdef ENABLE_PUSH_PEER_INFO
int push_peer_info_detail;
#endif
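Review bot: The new `bool pull;` field in struct tls_options is added without a comment, and nothing in the hunk says what it controls; the commit message indicates it is the flag that decides whether the client advertises IV_NCP, so a reader of this header cannot tell that it gates cipher negotiation. A one-line comment would do: `bool pull;  /* set when we accept pushed options; cipher negotiation (IV_NCP) is only offered when this is true */`. Whether the flag is copied straight from the --pull/--client option is not visible here and should be confirmed against the code that fills the struct. The definition of struct tls_options starts and ends outside the hunk.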
@@ -367,7 +373,13 @@ struct tls_session
int initial_opcode; /* our initial P_ opcode */
struct session_id session_id; /* our random session ID */
- int key_id; /* increments with each soft reset (for key renegotiation) */
+
+ /**
+ * The current active key id, used to keep track of renegotiations.
+ * key_id increments with each soft reset to KEY_ID_MASK then recycles back
+ * to 1. This way you know that if key_id is 0, it is the first key.
+ */
+ int key_id;
int limit_next; /* used for traffic shaping on the control channel */
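Review bot: The new doc comment on tls_session::key_id states an invariant (increment up to KEY_ID_MASK, recycle to 1, so 0 is only ever the first key) that nothing in this header enforces; the commit message says the increment is done in init.c, so the comment should point at the code that maintains it so the two do not drift, e.g. append ` * The increment and wrap-around are performed at the soft-reset site; keep this comment in sync with it.`. A related caveat worth stating is that, because the id wraps at KEY_ID_MASK, it only distinguishes key states that are alive at the same time, not every renegotiation over the session's lifetime, so "used to keep track of renegotiations" should not be read as a monotonic counter. As a wording point, `This way you know that if key_id is 0, it is the first key.` reads more clearly as `A key_id of 0 therefore always identifies the initial key.`. The definition of struct tls_session starts and ends outside the hunk.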