/*
 * OpenVPN -- An application to securely tunnel IP networks
 * over a single TCP/UDP port, with support for SSL/TLS-based
 * session authentication and key exchange,
 * packet encryption, packet authentication, and
 * packet compression.
 *
 * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
 * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
 * as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

/**
 * @file Control Channel SSL/Data dynamic negotiation (NCP) module.
 * This file is split from ssl.h to be able to unit test it.
 *
 * Every function below that takes a @c peer_info string operates on data
 * announced by the remote peer (its IV_* key/value string). That input is
 * untrusted: callers and implementations must not assume it is well-formed,
 * and peer-supplied values only ever select among ciphers the local side
 * already allows -- they must never widen the allowed set.
 */

#ifndef OPENVPN_SSL_NCP_H
#define OPENVPN_SSL_NCP_H

#include "buffer.h"
#include "options.h"

/**
 * Returns whether the client supports NCP, either by
 * announcing IV_NCP>=2 or by sending an IV_CIPHERS list.
 *
 * @param peer_info  the IV_* string received from the peer (untrusted input)
 *
 * @return true if the peer announced NCP support, false otherwise
 */
bool
tls_peer_supports_ncp(const char *peer_info);

/* forward declaration to break include dependency loop */
struct context;

/**
 * Checks whether the cipher negotiation is in an acceptable state,
 * i.e. whether we continue to connect or should abort.
 *
 * @param c      the client context whose negotiated cipher state is checked
 * @param found  NOTE(review): the meaning of this argument is not documented
 *               in this header -- confirm against the implementation before
 *               relying on it.
 *
 * @return Whether the client NCP process succeeded (true) or failed (false)
 */
bool
check_pull_client_ncp(struct context *c, int found);

/**
 * Iterates through the ciphers in server_list and returns the first
 * cipher that is also supported by the peer according to the IV_NCP
 * and IV_CIPHERS values in peer_info. Because the first match wins,
 * the order of server_list expresses the server's preference.
 *
 * We also accept a cipher that is the remote cipher of the client for
 * "Poor man's NCP": use the peer's cipher if it is an allowed (NCP) cipher.
 * This allows non-NCP peers to upgrade their cipher individually.
 *
 * Make sure to call tls_session_update_crypto_params() after calling this
 * function.
 *
 * @param server_list    list of ciphers the server is willing to use; the
 *                       result is always drawn from (or checked against)
 *                       this list, never taken from the peer unchecked
 * @param peer_info      the IV_* string received from the peer (untrusted)
 * @param remote_cipher  the cipher the peer reports using, considered only
 *                       for the "Poor man's NCP" case described above
 * @param gc             gc arena that is ONLY used to allocate the returned
 *                       string
 *
 * @returns NULL if no common cipher is available, otherwise the best common
 *          cipher. Callers must check for NULL before using the result.
 */
char *
ncp_get_best_cipher(const char *server_list, const char *peer_info,
                    const char *remote_cipher, struct gc_arena *gc);


/**
 * Returns the supported cipher list of the peer according to the IV_NCP
 * and IV_CIPHERS values in peer_info.
 *
 * @param peer_info  the IV_* string received from the peer (untrusted)
 * @param gc         gc arena used when the returned list has to be allocated
 *
 * @returns A string containing the peer's NCP cipher list; it is either a
 *          static string or one allocated via gc. If no information is
 *          available an empty string ("") is returned, never NULL.
 */
const char *
tls_peer_ncp_list(const char *peer_info, struct gc_arena *gc);

/**
 * Check whether the ciphers in the supplied list are supported.
 *
 * @param list  Colon-separated list of ciphers
 * @param gc    gc_arena to allocate the returned string
 *
 * @returns colon separated, zero terminated string of normalised (via
 *          translate_cipher_name_from_openvpn) cipher names iff all ciphers
 *          in list are supported and the total length is shorter than
 *          MAX_NCP_CIPHERS_LENGTH. NULL otherwise, so callers must treat
 *          NULL as a rejected list rather than an empty one.
 */
char *
mutate_ncp_cipher_list(const char *list, struct gc_arena *gc);

/**
 * Return true iff item is present in the colon-separated zero-terminated
 * cipher list.
 *
 * @param item  the cipher name to look for
 * @param list  colon-separated, zero-terminated list of cipher names
 */
bool tls_item_in_cipher_list(const char *item, const char *list);

/**
 * The maximum length of an ncp-cipher string that is accepted.
 *
 * Since this list needs to be pushed as IV_CIPHERS, we are conservative
 * about its length. This bound also caps how much peer-supplied cipher
 * list data the negotiation functions above have to process.
 */
#define MAX_NCP_CIPHERS_LENGTH 127

#endif /* ifndef OPENVPN_SSL_NCP_H */