/* true if we are a TLS server, client otherwise */ bool server; /* local and remote options strings that must match between client and server */ const char *local_options; const char *remote_options; /* from command line */ int key_method; bool replay; bool single_session; bool disable_occ; int transition_window; int handshake_window; interval_t packet_timeout; int renegotiate_bytes; int renegotiate_packets; interval_t renegotiate_seconds; /* cert verification parms */ const char *verify_command; const char *verify_x509name; const char *crl_file; /* allow openvpn config info to be passed over control channel */ bool pass_config_info; /* use 32 bit or 64 bit packet-id? */ bool packet_id_long_form; int replay_window; /* --replay-window parm */ int replay_time; /* --replay-window parm */ /* packet authentication for TLS handshake */ struct crypto_options tls_auth; struct key_ctx_bi tls_auth_key; /* frame parameters for TLS control channel */ struct frame frame;};/* index into tls_session.key */#define KS_PRIMARY 0 /* the primary key */#define KS_LAME_DUCK 1 /* the key that's going to retire soon */#define KS_SIZE 2/* * A tls_session lives through multiple key_state life-cycles. Soft resets * will reuse a tls_session object, but hard resets or errors will require * that a fresh object be built. Normally three tls_session objects are maintained * by an active openvpn session. The first is the current, TLS authenticated * session, the second is used to process connection requests from a new * client that would usurp the current session if successfully authenticated, * and the third is used as a repository for a "lame-duck" key in the event * that the primary session resets due to error while the lame-duck key still * has time left before its expiration. Lame duck keys are used to maintain * the continuity of the data channel connection while a new key is being * negotiated. 
 */
struct tls_session
{
  /* const options and config info (presumably points at the owning tls_multi's opt -- confirm in ssl.c) */
  const struct tls_options *opt;

  /* during hard reset used to control burst retransmit */
  bool burst;

  /*
   * authenticate control packets: the tls-auth HMAC context plus the
   * packet-id state used for replay detection on the control channel
   */
  struct crypto_options tls_auth;
  struct packet_id tls_auth_pid;

  int initial_opcode;           /* our initial P_ opcode */
  struct session_id session_id; /* our random session ID */
  int key_id;                   /* increments with each soft reset (for key renegotiation) */
  int limit_next;               /* used for traffic shaping on the control channel */
  int verify_maxlevel;          /* NOTE(review): looks like the deepest certificate-chain level reached by verification -- confirm in ssl.c */
  char *common_name;            /* NOTE(review): presumably the peer certificate's common name, set once verified; ownership/free path is in ssl.c */

  /* not-yet-authenticated incoming client (peer address only; nothing about it is trusted until the handshake completes) */
  struct sockaddr_in untrusted_sockaddr;

  /* KS_PRIMARY is the key in use, KS_LAME_DUCK the one about to retire */
  struct key_state key[KS_SIZE];
};

/* index into tls_multi.session */
#define TM_ACTIVE    0 /* the current, TLS-authenticated session */
#define TM_UNTRUSTED 1 /* processes connection requests from a new client that would usurp the active one */
#define TM_LAME_DUCK 2 /* repository for a lame-duck key after the primary session reset on error */
#define TM_SIZE      3

/*
 * The number of keys we will scan on encrypt or decrypt.  The first
 * is the "active" key.  The second is the lame_duck or retiring key
 * associated with the active key's session ID.  The third is a detached
 * lame duck session that only occurs in situations where a key renegotiate
 * failed on the active key, but a lame duck key was still valid.  By
 * preserving the lame duck session, we can be assured of having a data
 * channel key available even when network conditions are so bad that
 * we can't negotiate a new key within the time allotted.
 */
#define KEY_SCAN_SIZE 3

/*
 * An openvpn session running with TLS enabled has one tls_multi object.
 */
struct tls_multi
{
  /* used to coordinate access between main thread and TLS thread (currently disabled) */
  //MUTEX_PTR_DEFINE (mutex);

  /* const options and config info */
  struct tls_options opt;

  /*
   * A list of key_state objects in the order they should be
   * scanned by data channel encrypt and decrypt routines.
   */
  struct key_state *key_scan[KEY_SCAN_SIZE];

  /*
   * used by tls_pre_encrypt to communicate the encrypt key
   * to tls_post_encrypt()
   */
  struct key_state *save_ks; /* temporary pointer used between pre/post routines */

  /*
   * Number of sessions negotiated thus far.
   */
  int n_sessions;

  /*
   * Number of errors.
   *
   * Includes:
   *   (a) errors due to TLS negotiation failure
   *   (b) errors due to unrecognized or failed-to-authenticate
   *       incoming packets
   *
   * A rising count here is the cheapest signal an operator has that a
   * peer is sending bad or unauthenticated control packets.
   */
  int n_errors;

  /*
   * Our session objects, indexed by TM_ACTIVE / TM_UNTRUSTED / TM_LAME_DUCK.
   */
  struct tls_session session[TM_SIZE];
};

/*
 * Used in --mode server mode to check tls-auth signature on initial
 * packets received from new clients.  Holds only the tls-auth key,
 * its crypto options and the frame parameters -- no per-client state,
 * so a packet that fails the check can be dropped without a tls_multi
 * having been built for its sender (see tls_pre_decrypt_lite).
 */
struct tls_auth_standalone
{
  struct key_ctx_bi tls_auth_key;
  struct crypto_options tls_auth_options;
  struct frame frame;
};

/* one-time init / teardown of the underlying SSL library */
void init_ssl_lib (void);
void free_ssl_lib (void);

/*
 * Build master SSL_CTX object that serves for the whole of openvpn instantiation.
 * server selects the server or client role; ca_file, dh_file, cert_file and
 * priv_key_file are file paths, cipher_list the cipher preference string.
 */
SSL_CTX *init_ssl (bool server,
		   const char *ca_file,
		   const char *dh_file,
		   const char *cert_file,
		   const char *priv_key_file,
		   const char *cipher_list);

/* allocate a tls_multi for the given options; finalize with tls_multi_init_finalize() */
struct tls_multi *tls_multi_init (struct tls_options *tls_options);

/* allocate a tls_auth_standalone (from the arena gc); finalize with tls_auth_standalone_finalize() */
struct tls_auth_standalone *tls_auth_standalone_init (struct tls_options *tls_options,
						      struct gc_arena *gc);

void tls_auth_standalone_finalize (struct tls_auth_standalone *tas,
				   const struct frame *frame);

void tls_multi_init_finalize (struct tls_multi *multi,
			      const struct frame *frame);

/* set the local/remote options strings that must match between client and server */
void tls_multi_init_set_options (struct tls_multi *multi,
				 const char *local,
				 const char *remote);

/*
 * Drive the TLS state machine.  Any control-channel output to send is
 * placed in to_link / to_link_addr; wakeup is an out-parameter the
 * caller presumably uses to schedule the next call -- confirm in ssl.c.
 */
bool tls_multi_process (struct tls_multi *multi,
			struct buffer *to_link,
			struct sockaddr_in *to_link_addr,
			struct link_socket_info *to_link_socket_info,
			interval_t *wakeup);

/* clear: NOTE(review): presumably whether to wipe key material before freeing -- confirm in ssl.c */
void tls_multi_free (struct tls_multi *multi, bool clear);

/*
 * Called on an incoming packet before data-channel decryption; the
 * return value tells the caller whether the packet still needs
 * data-channel processing (exact semantics in ssl.c).
 */
bool tls_pre_decrypt (struct tls_multi *multi,
		      struct sockaddr_in *from,
		      struct buffer *buf,
		      struct crypto_options *opt);

/*
 * Server-mode check of the tls-auth signature on an initial packet from
 * an unknown peer, using only the standalone context (no per-client state).
 */
bool tls_pre_decrypt_lite (const struct tls_auth_standalone *tas,
			   const struct sockaddr_in *from,
			   const struct buffer *buf);

/* select the data-channel key for an outgoing packet; the chosen key is kept in multi->save_ks for tls_post_encrypt */
void tls_pre_encrypt (struct tls_multi *multi,
		      struct buffer *buf, struct crypto_options *opt);

void tls_post_encrypt (struct tls_multi *multi, struct buffer *buf);

void show_available_tls_ciphers (void);
void get_highest_preference_tls_cipher (char *buf, int size);

/* OpenSSL pem_password_cb-compatible callback for passphrase-protected private keys */
int pem_password_callback (char *buf, int size, int rwflag, void *u);

/* cert verification parms (see tls_options): external verify command, CRL file and expected X509 name */
void tls_set_verify_command (const char *cmd);
void tls_set_crl_verify (const char *crl);
void tls_set_verify_x509name (const char *x509name);

int get_max_tls_verify_id (struct tls_multi *multi);

/* null: NOTE(review): presumably whether to return NULL rather than a placeholder when no name is known -- confirm in ssl.c */
const char *tls_common_name (struct tls_multi *multi, bool null);

void tls_adjust_frame_parameters (struct frame *frame);

/* send / receive application payload over the TLS control channel */
bool tls_send_payload (struct tls_multi *multi,
		       const struct buffer *buf);

bool tls_rec_payload (struct tls_multi *multi,
		      struct buffer *buf);

/*
 * inline functions
 */

/*
 * Number of plaintext bytes waiting in the active session's primary
 * key state (its plaintext_read_buf), or 0 if multi is NULL or that key
 * state has not reached S_ACTIVE.
 */
static inline int
tls_test_payload_len (const struct tls_multi *multi)
{
  if (multi)
    {
      const struct key_state *ks = &multi->session[TM_ACTIVE].key[KS_PRIMARY];
      if (ks->state >= S_ACTIVE)
	return BLEN (&ks->plaintext_read_buf);
    }
  return 0;
}

/*
 * protocol_dump() flags: the low 8 bits carry the tls-auth HMAC size,
 * the remaining bits are independent flags.
 */
#define PD_TLS_AUTH_HMAC_SIZE_MASK 0xFF
#define PD_SHOW_DATA               (1<<8)
#define PD_TLS                     (1<<9)
#define PD_VERBOSE                 (1<<10)

const char *protocol_dump (struct buffer *buffer,
			   unsigned int flags,
			   struct gc_arena *gc);

/*
 * debugging code
 */
#ifdef MEASURE_TLS_HANDSHAKE_STATS
void show_tls_performance_stats (void);
#endif

#endif /* USE_CRYPTO && USE_SSL */
#endif /* presumably the include guard; its #ifndef is outside this view */