dual mode

Author: Jon Chiappetta

src/openvpn/auth_token.c

@@ -35,15 +35,15 @@ auth_token_kt(void)
 }
 
 void
-add_session_token_env(struct tls_session *session, struct tls_multi *multi,
-                      const struct user_pass *up)
+add_session_token_env(struct tls_session *session, struct tls_multi *multi, const struct user_pass *up)
 {
     if (!multi->opt.auth_token_generate)
     {
         return;
     }
 
-    int auth_token_state_flags = session->key[KS_PRIMARY].auth_token_state_flags;
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    int auth_token_state_flags = ks->auth_token_state_flags;
 
     const char *state;
 
@@ -81,7 +81,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
         state = "Invalid";
     }
 
-    setenv_str(session->opt->es, "session_state", state);
+    setenv_str(multi->opt.es, "session_state", state);
 
     /* We had a valid session id before */
     const char *session_id_source;
@@ -111,7 +111,7 @@ add_session_token_env(struct tls_session *session, struct tls_multi *multi,
     memcpy(session_id, session_id_source + strlen(SESSION_ID_PREFIX),
            AUTH_TOKEN_SESSION_ID_LEN * 8 / 6);
 
-    setenv_str(session->opt->es, "session_id", session_id);
+    setenv_str(multi->opt.es, "session_id", session_id);
 }
 
 void
@@ -217,8 +217,8 @@ generate_auth_token(const struct user_pass *up, struct tls_multi *multi)
      * a new token with the empty username since we do not want to loose
      * the information that the username cannot be trusted
      */
-    struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
-    if (ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+    if (ks && ks->auth_token_state_flags & AUTH_TOKEN_VALID_EMPTYUSER)
     {
         hmac_ctx_update(ctx, (const uint8_t *)"", 0);
     }
@@ -415,10 +415,15 @@ void
 check_send_auth_token(struct context *c)
 {
     struct tls_multi *multi = c->c2.tls_multi;
-    struct tls_session *session = &multi->session[TM_ACTIVE];
 
-    if (get_primary_key(multi)->state < S_GENERATED_KEYS
-        || get_primary_key(multi)->authenticated != KS_AUTH_TRUE)
+    if (!multi)
+    {
+        return;
+    }
+
+    struct key_state *ks = tls_select_encryption_key_init(multi);
+
+    if (ks->state < S_GENERATED_KEYS || ks->authenticated != KS_AUTH_TRUE)
     {
         /* the currently active session is still in renegotiation or another
          * not fully authorized state. We are either very close to a
@@ -447,11 +452,11 @@ check_send_auth_token(struct context *c)
 
     generate_auth_token(&up, multi);
 
-    resend_auth_token_renegotiation(multi, session);
+    resend_auth_token_renegotiation(multi);
 }
 
 void
-resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session)
+resend_auth_token_renegotiation(struct tls_multi *multi)
 {
     /*
      * Auth token already sent to client, update auth-token on client.

src/openvpn/auth_token.h

@@ -128,7 +128,7 @@ is_auth_token(const char *password)
  * @param multi     Pointer the multi object of the TLS session
  * @param session   Pointer to the TLS session itself
  */
-void resend_auth_token_renegotiation(struct tls_multi *multi, struct tls_session *session);
+void resend_auth_token_renegotiation(struct tls_multi *multi);
 
 
 /**

src/openvpn/buffer.h

@@ -413,9 +413,7 @@ has_digit(const char *src)
 static inline void
 secure_memzero(void *data, size_t len)
 {
-#if defined(_WIN32)
-    SecureZeroMemory(data, len);
-#elif defined(__GNUC__) || defined(__clang__)
+#if defined(__GNUC__) || defined(__clang__)
     memset(data, 0, len);
     __asm__ __volatile__("" : : "r"(data) : "memory");
 #else

src/openvpn/common.h

@@ -35,11 +35,7 @@ typedef uint64_t counter_type;
  * Time intervals
  */
 typedef int interval_t;
-
-/*
- * Used as an upper bound for timeouts.
- */
-#define BIG_TIMEOUT (60 * 60 * 24 * 7) /* one week (in seconds) */
+#define LOOP_WAIT 7
 
 /*
  * Printf formats for special types

src/openvpn/console_builtin.c

@@ -41,101 +41,6 @@
 #include <termios.h>
 #endif
 
-#ifdef _WIN32
-
-#include "win32.h"
-
-/**
- * Get input from a Windows console.
- *
- * @param prompt    Prompt to display to the user
- * @param echo      Should the user input be displayed in the console
- * @param input     Pointer to the buffer the user input will be saved
- * @param capacity  Size of the buffer for the user input
- *
- * @return Return false on input error, or if service
- *         exit event is signaled.
- */
-static bool
-get_console_input_win32(const char *prompt, const bool echo, char *input, const int capacity)
-{
-    ASSERT(prompt);
-    ASSERT(input);
-    ASSERT(capacity > 0);
-
-    input[0] = '\0';
-
-    HANDLE in = GetStdHandle(STD_INPUT_HANDLE);
-    int orig_stderr = get_orig_stderr(); /* guaranteed to be always valid */
-    if ((in == INVALID_HANDLE_VALUE) || win32_service_interrupt(&win32_signal)
-        || (_write(orig_stderr, prompt, (unsigned int)strlen(prompt)) == -1))
-    {
-        msg(M_WARN | M_ERRNO, "get_console_input_win32(): unexpected error");
-        return false;
-    }
-
-    bool is_console = (GetFileType(in) == FILE_TYPE_CHAR);
-    DWORD flags_save = 0;
-    int status = 0;
-    WCHAR *winput;
-
-    if (is_console)
-    {
-        if (GetConsoleMode(in, &flags_save))
-        {
-            DWORD flags = ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT;
-            if (echo)
-            {
-                flags |= ENABLE_ECHO_INPUT;
-            }
-            SetConsoleMode(in, flags);
-        }
-        else
-        {
-            is_console = 0;
-        }
-    }
-
-    DWORD len = 0;
-
-    if (is_console)
-    {
-        winput = malloc(capacity * sizeof(WCHAR));
-        if (winput == NULL)
-        {
-            return false;
-        }
-
-        status = ReadConsoleW(in, winput, capacity, &len, NULL);
-        WideCharToMultiByte(CP_UTF8, 0, winput, len, input, capacity, NULL, NULL);
-        free(winput);
-    }
-    else
-    {
-        status = ReadFile(in, input, capacity, &len, NULL);
-    }
-
-    string_null_terminate(input, (int)len, capacity);
-    chomp(input);
-
-    if (!echo)
-    {
-        _write(orig_stderr, "\r\n", 2);
-    }
-    if (is_console)
-    {
-        SetConsoleMode(in, flags_save);
-    }
-    if (status && !win32_service_interrupt(&win32_signal))
-    {
-        return true;
-    }
-
-    return false;
-}
-
-#endif /* _WIN32 */
-
 
 #ifdef HAVE_TERMIOS_H
 
@@ -198,9 +103,7 @@ get_console_input(const char *prompt, const bool echo, char *input, const int ca
     ASSERT(capacity > 0);
     input[0] = '\0';
 
-#if defined(_WIN32)
-    return get_console_input_win32(prompt, echo, input, capacity);
-#elif defined(HAVE_TERMIOS_H)
+#if defined(HAVE_TERMIOS_H)
     bool restore_tty = false;
     struct termios tty_tmp, tty_save;
 
@@ -258,9 +161,9 @@ get_console_input(const char *prompt, const bool echo, char *input, const int ca
     }
 
     close_tty(fp);
-#else  /* if defined(_WIN32) */
+#else
     msg(M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt);
-#endif /* if defined(_WIN32) */
+#endif
     return ret;
 }
 

src/openvpn/crypto_backend.h

@@ -32,9 +32,6 @@
 #ifdef ENABLE_CRYPTO_OPENSSL
 #include "crypto_openssl.h"
 #endif
-#ifdef ENABLE_CRYPTO_MBEDTLS
-#include "crypto_mbedtls.h"
-#endif
 #include "basic.h"
 #include "buffer.h"
 

src/openvpn/crypto_epoch.c

@@ -304,6 +304,9 @@ epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
         {
             epoch_key_iterate(&co->epoch_key_send);
         }
+
+        msg(M_INFO, "INFO epoch_replace_update_recv_key: epoch < new_epoch");
+
         epoch_init_send_key_ctx(co);
     }
 
@@ -402,14 +405,15 @@ epoch_check_send_iterate(struct crypto_options *opt)
 {
     if (opt->epoch_key_send.epoch == UINT16_MAX)
     {
+        msg(M_INFO, "INFO epoch_check_send_iterate: epoch == UINT16_MAX");
         /* limit of epoch keys reached, cannot move to a newer key anymore */
         return;
     }
     if (opt->aead_usage_limit)
     {
-        if (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.encrypt,
-                                     opt->packet_id.send.id))
+        if (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.encrypt, opt->packet_id.send.id))
         {
+            msg(M_INFO, "INFO epoch_check_send_iterate: aead_usage_limit_reached");
             /* Send key limit reached */
             epoch_iterate_send_key(opt);
         }
@@ -429,10 +433,10 @@ epoch_check_send_iterate(struct crypto_options *opt)
          * decryption fail warn limit.
          * */
         else if (opt->key_ctx_bi.encrypt.epoch == opt->key_ctx_bi.decrypt.epoch
-                 && (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.decrypt,
-                                              opt->packet_id.rec.id)
+                 && (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.decrypt, opt->packet_id.rec.id)
                      || cipher_decrypt_verify_fail_warn(&opt->key_ctx_bi.decrypt)))
         {
+            msg(M_INFO, "INFO epoch_check_send_iterate: cipher_decrypt_verify_fail_warn");
             /* Receive key limit reached. Increase our own send key to signal
              * that we want to use a new epoch. Peer should then also move its
              * key but is not required to do this */
@@ -442,6 +446,7 @@ epoch_check_send_iterate(struct crypto_options *opt)
 
     if (opt->packet_id.send.id == PACKET_ID_EPOCH_MAX)
     {
+        msg(M_INFO, "INFO epoch_check_send_iterate: send.id == PACKET_ID_EPOCH_MAX");
         epoch_iterate_send_key(opt);
     }
 }