Newer
Older
XinYang_IOS / Carthage / Checkouts / OpenVPNAdapter / Sources / OpenVPN3 / openvpn / ssl / proto.hpp
@zhangfeng zhangfeng on 7 Dec 2023 112 KB 1.8.0
//    OpenVPN -- An application to securely tunnel IP networks
//               over a single port, with support for SSL/TLS-based
//               session authentication and key exchange,
//               packet encryption, packet authentication, and
//               packet compression.
//
//    Copyright (C) 2012-2020 OpenVPN Inc.
//
//    This program is free software: you can redistribute it and/or modify
//    it under the terms of the GNU Affero General Public License Version 3
//    as published by the Free Software Foundation.
//
//    This program is distributed in the hope that it will be useful,
//    but WITHOUT ANY WARRANTY; without even the implied warranty of
//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
//    GNU Affero General Public License for more details.
//
//    You should have received a copy of the GNU Affero General Public License
//    along with this program in the COPYING file.
//    If not, see <http://www.gnu.org/licenses/>.

// ProtoContext, the fundamental OpenVPN protocol implementation.
// It can be used by OpenVPN clients, servers, or unit tests.

#ifndef OPENVPN_SSL_PROTO_H
#define OPENVPN_SSL_PROTO_H

#include <cstring>
#include <string>
#include <sstream>
#include <algorithm>                  // for std::min
#include <cstdint>                    // for std::uint32_t, etc.
#include <memory>

#include <openvpn/common/exception.hpp>
#include <openvpn/common/size.hpp>
#include <openvpn/common/version.hpp>
#include <openvpn/common/platform_name.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/common/hexstr.hpp>
#include <openvpn/common/options.hpp>
#include <openvpn/common/mode.hpp>
#include <openvpn/common/socktypes.hpp>
#include <openvpn/common/number.hpp>
#include <openvpn/common/likely.hpp>
#include <openvpn/common/string.hpp>
#include <openvpn/common/to_string.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/buffer/safestr.hpp>
#include <openvpn/buffer/bufcomposed.hpp>
#include <openvpn/ip/ip4.hpp>
#include <openvpn/ip/ip6.hpp>
#include <openvpn/ip/udp.hpp>
#include <openvpn/ip/tcp.hpp>
#include <openvpn/time/time.hpp>
#include <openvpn/time/durhelper.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/random/randapi.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/crypto/cryptodc.hpp>
#include <openvpn/crypto/cipher.hpp>
#include <openvpn/crypto/ovpnhmac.hpp>
#include <openvpn/crypto/tls_crypt.hpp>
#include <openvpn/crypto/tls_crypt_v2.hpp>
#include <openvpn/crypto/packet_id.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/bs64_data_limit.hpp>
#include <openvpn/log/sessionstats.hpp>
#include <openvpn/ssl/protostack.hpp>
#include <openvpn/ssl/psid.hpp>
#include <openvpn/ssl/tlsprf.hpp>
#include <openvpn/ssl/datalimit.hpp>
#include <openvpn/ssl/mssparms.hpp>
#include <openvpn/transport/mssfix.hpp>
#include <openvpn/transport/protocol.hpp>
#include <openvpn/tun/layer.hpp>
#include <openvpn/tun/tunmtu.hpp>
#include <openvpn/compress/compress.hpp>
#include <openvpn/ssl/proto_context_options.hpp>
#include <openvpn/ssl/peerinfo.hpp>
#include <openvpn/ssl/ssllog.hpp>
#include <openvpn/crypto/crypto_aead.hpp>


#if OPENVPN_DEBUG_PROTO >= 1
#define OPENVPN_LOG_PROTO(x) OPENVPN_LOG(x)
#define OPENVPN_LOG_STRING_PROTO(x) OPENVPN_LOG_STRING(x)
#else
#define OPENVPN_LOG_PROTO(x)
#define OPENVPN_LOG_STRING_PROTO(x)
#endif

#if OPENVPN_DEBUG_PROTO >= 2
#define OPENVPN_LOG_PROTO_VERBOSE(x) OPENVPN_LOG(x)
#else
#define OPENVPN_LOG_PROTO_VERBOSE(x)
#endif

/*

ProtoContext -- OpenVPN protocol implementation

Protocol negotiation states:

Client:

1. send client reset to server
2. wait for server reset from server AND ack from 1 (C_WAIT_RESET, C_WAIT_RESET_ACK)
3. start SSL handshake
4. send auth message to server
5. wait for server auth message AND ack from 4 (C_WAIT_AUTH, C_WAIT_AUTH_ACK)
6. go active (ACTIVE)

Server:

1. wait for client reset (S_WAIT_RESET)
2. send server reset to client
3. wait for ACK from 2 (S_WAIT_RESET_ACK)
4. start SSL handshake
5. wait for auth message from client (S_WAIT_AUTH)
6. send auth message to client
7. wait for ACK from 6 (S_WAIT_AUTH_ACK)
8. go active (ACTIVE)

*/

namespace openvpn {

  // utility namespace for ProtoContext
  namespace proto_context_private {
    namespace {
      const unsigned char auth_prefix[] = { 0, 0, 0, 0, 2 }; // CONST GLOBAL

      const unsigned char keepalive_message[] = {    // CONST GLOBAL
	0x2a, 0x18, 0x7b, 0xf3, 0x64, 0x1e, 0xb4, 0xcb,
	0x07, 0xed, 0x2d, 0x0a, 0x98, 0x1f, 0xc7, 0x48
      };

      enum {
	KEEPALIVE_FIRST_BYTE = 0x2a  // first byte of keepalive message
      };

      inline bool is_keepalive(const Buffer& buf)
      {
	return buf.size() >= sizeof(keepalive_message)
	  && buf[0] == KEEPALIVE_FIRST_BYTE
	  && !std::memcmp(keepalive_message, buf.c_data(), sizeof(keepalive_message));
      }

      const unsigned char explicit_exit_notify_message[] = {    // CONST GLOBAL
	0x28, 0x7f, 0x34, 0x6b, 0xd4, 0xef, 0x7a, 0x81,
	0x2d, 0x56, 0xb8, 0xd3, 0xaf, 0xc5, 0x45, 0x9c,
	6 // OCC_EXIT
      };

      enum {
	EXPLICIT_EXIT_NOTIFY_FIRST_BYTE = 0x28  // first byte of exit message
      };
    }
  }

  class ProtoContext
  {
  protected:
    static constexpr size_t APP_MSG_MAX = 65536;

    enum {
      // packet opcode (high 5 bits) and key-id (low 3 bits) are combined in one byte
      KEY_ID_MASK =             0x07,
      OPCODE_SHIFT =            3,

      // packet opcodes -- the V1 is intended to allow protocol changes in the future
      //CONTROL_HARD_RESET_CLIENT_V1 = 1,   // (obsolete) initial key from client, forget previous state
      //CONTROL_HARD_RESET_SERVER_V1 = 2,   // (obsolete) initial key from server, forget previous state
      CONTROL_SOFT_RESET_V1 =        3,   // new key, graceful transition from old to new key
      CONTROL_V1 =                   4,   // control channel packet (usually TLS ciphertext)
      ACK_V1 =                       5,   // acknowledgement for packets received
      DATA_V1 =                      6,   // data channel packet with 1-byte header
      DATA_V2 =                      9,   // data channel packet with 4-byte header

      // indicates key_method >= 2
      CONTROL_HARD_RESET_CLIENT_V2 = 7,   // initial key from client, forget previous state
      CONTROL_HARD_RESET_CLIENT_V3 = 10,  // initial key from client, forget previous state
      CONTROL_HARD_RESET_SERVER_V2 = 8,   // initial key from server, forget previous state

      // define the range of legal opcodes
      FIRST_OPCODE =                3,
      LAST_OPCODE =                 9,
      INVALID_OPCODE =              0,

      // DATA_V2 constants
      OP_SIZE_V2 = 4,                // size of initial packet opcode
      OP_PEER_ID_UNDEF = 0x00FFFFFF, // indicates that Peer ID is undefined

      // states
      // C_x : client states
      // S_x : server states

      // ACK states -- must be first before other states
      STATE_UNDEF=-1,
      C_WAIT_RESET_ACK=0,
      C_WAIT_AUTH_ACK=1,
      S_WAIT_RESET_ACK=2,
      S_WAIT_AUTH_ACK=3,
      LAST_ACK_STATE=3, // all ACK states must be <= this value

      // key negotiation states (client)
      C_INITIAL=4,
      C_WAIT_RESET=5,   // must be C_INITIAL+1
      C_WAIT_AUTH=6,

      // key negotiation states (server)
      S_INITIAL=7,
      S_WAIT_RESET=8,   // must be S_INITIAL+1
      S_WAIT_AUTH=9,

      // key negotiation states (client and server)
      ACTIVE=10,
    };

    enum iv_proto_flag: unsigned int
      {
      // See ssl.h in openvpn2 for detailed documentation of IV_PROTO
       IV_PROTO_DATA_V2=(1<<1),
       IV_PROTO_REQUEST_PUSH=(1<<2),
       IV_PROTO_TLS_KEY_EXPORT=(1<<3),
       IV_PROTO_AUTH_PENDING_KW=(1<<4)
    };
    static unsigned int opcode_extract(const unsigned int op)
    {
      return op >> OPCODE_SHIFT;
    }

    static unsigned int key_id_extract(const unsigned int op)
    {
      return op & KEY_ID_MASK;
    }

    static size_t op_head_size(const unsigned int op)
    {
      return opcode_extract(op) == DATA_V2 ? OP_SIZE_V2 : 1;
    }

    static unsigned int op_compose(const unsigned int opcode, const unsigned int key_id)
    {
      return (opcode << OPCODE_SHIFT) | key_id;
    }

    static unsigned int op32_compose(const unsigned int opcode,
				     const unsigned int key_id,
				     const int op_peer_id)
    {
      return (op_compose(opcode, key_id) << 24) | (op_peer_id & 0x00FFFFFF);
    }

  public:
    OPENVPN_EXCEPTION(proto_error);
    OPENVPN_EXCEPTION(process_server_push_error);
    OPENVPN_EXCEPTION_INHERIT(option_error, proto_option_error);

    // configuration data passed to ProtoContext constructor
    class Config : public RCCopyable<thread_unsafe_refcount>
    {
    public:
      typedef RCPtr<Config> Ptr;

      // master SSL context factory
      SSLFactoryAPI::Ptr ssl_factory;

      // data channel
      CryptoDCSettings dc;

      // TLSPRF factory
      TLSPRFFactory::Ptr tlsprf_factory;

      // master Frame object
      Frame::Ptr frame;

      // (non-smart) pointer to current time
      TimePtr now;

      // Random number generator.
      // Use-cases demand highest cryptographic strength
      // such as key generation.
      RandomAPI::Ptr rng;

      // Pseudo-random number generator.
      // Use-cases demand cryptographic strength
      // combined with high performance.  Used for
      // IV and ProtoSessionID generation.
      RandomAPI::Ptr prng;

      // If relay mode is enabled, connect to a special OpenVPN
      // server that acts as a relay/proxy to a second server.
      bool relay_mode = false;

      // defer data channel initialization until after client options pull
      bool dc_deferred = false;

      // transmit username/password creds to server (client-only)
      bool xmit_creds = true;

      // Transport protocol, i.e. UDPv4, etc.
      Protocol protocol; // set with set_protocol()

      // OSI layer
      Layer layer;

      // compressor
      CompressContext comp_ctx;

      // tls_auth/crypt parms
      OpenVPNStaticKey tls_key; // leave this undefined to disable tls_auth/crypt
      bool tls_crypt_v2 = false; // needed to distinguish between tls-crypt and tls-crypt-v2 server mode
      BufferAllocated wkc; // leave this undefined to disable tls-crypt-v2 on client

      OvpnHMACFactory::Ptr tls_auth_factory;
      OvpnHMACContext::Ptr tls_auth_context;
      int key_direction = -1;        // 0, 1, or -1 for bidirectional

      TLSCryptFactory::Ptr tls_crypt_factory;
      TLSCryptContext::Ptr tls_crypt_context;

      TLSCryptMetadataFactory::Ptr tls_crypt_metadata_factory;

      // reliability layer parms
      reliable::id_t reliable_window = 0;
      size_t max_ack_list = 0;

      // packet_id parms for both data and control channels
      int pid_mode = 0;                // PacketIDReceive::UDP_MODE or PacketIDReceive::TCP_MODE

      // timeout parameters, relative to construction of KeyContext object
      Time::Duration handshake_window; // SSL/TLS negotiation must complete by this time
      Time::Duration become_primary;   // KeyContext (that is ACTIVE) becomes primary at this time
      Time::Duration renegotiate;      // start SSL/TLS renegotiation at this time
      Time::Duration expire;           // KeyContext expires at this time
      Time::Duration tls_timeout;      // Packet retransmit timeout on TLS control channel

      // keepalive parameters
      Time::Duration keepalive_ping;
      Time::Duration keepalive_timeout;

      // extra peer info key/value pairs generated by client app
      PeerInfo::Set::Ptr extra_peer_info;

      // op header
      bool enable_op32 = false;
      int remote_peer_id = -1; // -1 to disable
      int local_peer_id = -1;  // -1 to disable

      // MTU
      unsigned int tun_mtu = 1500;
      MSSParms mss_parms;
      unsigned int mss_inter = 0;

      // Debugging
      int debug_level = 1;

      // For compatibility with openvpn2 we send initial options on rekeying,
      // instead of possible modifications caused by NCP
      std::string initial_options;

      void load(const OptionList& opt, const ProtoContextOptions& pco,
		const int default_key_direction, const bool server)
      {
	// first set defaults
	reliable_window = 4;
	max_ack_list = 4;
	handshake_window = Time::Duration::seconds(60);
	renegotiate = Time::Duration::seconds(3600);
	tls_timeout = Time::Duration::seconds(1);
	keepalive_ping = Time::Duration::seconds(8);
	keepalive_timeout = Time::Duration::seconds(40);
	comp_ctx = CompressContext(CompressContext::NONE, false);
	protocol = Protocol();
	pid_mode = PacketIDReceive::UDP_MODE;
	key_direction = default_key_direction;

	// layer
	{
	  const Option* dev = opt.get_ptr("dev-type");
	  if (!dev)
	    dev = opt.get_ptr("dev");
	  if (!dev)
	    throw proto_option_error("missing dev-type or dev option");
	  const std::string& dev_type = dev->get(1, 64);
	  if (string::starts_with(dev_type, "tun"))
	    layer = Layer(Layer::OSI_LAYER_3);
	  else if (string::starts_with(dev_type, "tap"))
	    throw proto_option_error("TAP mode is not supported");
	  else
	    throw proto_option_error("bad dev-type");
	}

	// cipher/digest/tls-auth/tls-crypt
	{
	  CryptoAlgs::Type cipher = CryptoAlgs::NONE;
	  CryptoAlgs::Type digest = CryptoAlgs::NONE;

	  // data channel cipher
	  {
	    const Option *o = opt.get_ptr("cipher");
	    if (o)
	      {
		const std::string& cipher_name = o->get(1, 128);
		if (cipher_name != "none")
		  cipher = CryptoAlgs::lookup(cipher_name);
	      }
	    else
	      cipher = CryptoAlgs::lookup("BF-CBC");
	  }

	  // data channel HMAC
	  {
	    const Option *o = opt.get_ptr("auth");
	    if (o)
	      {
		const std::string& auth_name = o->get(1, 128);
		if (auth_name != "none")
		  digest = CryptoAlgs::lookup(auth_name);
	      }
	    else
	      digest = CryptoAlgs::lookup("SHA1");
	  }
	  dc.set_cipher(cipher);
	  dc.set_digest(digest);

	  // tls-auth
	  {
	    const Option *o = opt.get_ptr(relay_prefix("tls-auth"));
	    if (o)
	      {
		if (tls_crypt_context)
		  throw proto_option_error("tls-auth and tls-crypt are mutually exclusive");

		tls_key.parse(o->get(1, 0));

		const Option *tad = opt.get_ptr(relay_prefix("tls-auth-digest"));
		if (tad)
		  digest = CryptoAlgs::lookup(tad->get(1, 128));
		if (digest != CryptoAlgs::NONE)
		  set_tls_auth_digest(digest);
	      }
	  }

	  // tls-crypt
	  {
	    const Option *o = opt.get_ptr(relay_prefix("tls-crypt"));
	    if (o)
	      {
		if (tls_auth_context)
		  throw proto_option_error("tls-auth and tls-crypt are mutually exclusive");
		if (tls_crypt_context)
		  throw proto_option_error("tls-crypt and tls-crypt-v2 are mutually exclusive");

		tls_key.parse(o->get(1, 0));

		digest = CryptoAlgs::lookup("SHA256");
		cipher = CryptoAlgs::lookup("AES-256-CTR");

		if ((digest == CryptoAlgs::NONE) || (cipher == CryptoAlgs::NONE))
		  throw proto_option_error("missing support for tls-crypt algorithms");

		set_tls_crypt_algs(digest, cipher);
	      }
	  }

	  // tls-crypt-v2
	  {
	    const Option *o = opt.get_ptr(relay_prefix("tls-crypt-v2"));
	    if (o)
	      {
		if (tls_auth_context)
		  throw proto_option_error("tls-auth and tls-crypt-v2 are mutually exclusive");
		if (tls_crypt_context)
		  throw proto_option_error("tls-crypt and tls-crypt-v2 are mutually exclusive");

		digest = CryptoAlgs::lookup("SHA256");
		cipher = CryptoAlgs::lookup("AES-256-CTR");

		if ((digest == CryptoAlgs::NONE) || (cipher == CryptoAlgs::NONE))
		  throw proto_option_error("missing support for tls-crypt-v2 algorithms");

		// initialize tls_crypt_context
		set_tls_crypt_algs(digest, cipher);

		std::string keyfile = o->get(1, 0);

		if (opt.exists("client"))
		  {
		    // in client mode expect the key to be a PEM encoded tls-crypt-v2 client key (key + WKc)
		    TLSCryptV2ClientKey tls_crypt_v2_key(tls_crypt_context);
		    tls_crypt_v2_key.parse(keyfile);
		    tls_crypt_v2_key.extract_key(tls_key);
		    tls_crypt_v2_key.extract_wkc(wkc);
		  }
		else
		  {
		    // in server mode this is a PEM encoded tls-crypt-v2 server key
		    TLSCryptV2ServerKey tls_crypt_v2_key;
		    tls_crypt_v2_key.parse(keyfile);
		    tls_crypt_v2_key.extract_key(tls_key);
		  }
		tls_crypt_v2 = true;
	      }
	  }
	}

	// key-direction
	{
	  if (key_direction >= -1 && key_direction <= 1)
	    {
	      const Option *o = opt.get_ptr(relay_prefix("key-direction"));
	      if (o)
		{
		  const std::string& dir = o->get(1, 16);
		  if (dir == "0")
		    key_direction = 0;
		  else if (dir == "1")
		    key_direction = 1;
		  else if (dir == "bidirectional" || dir == "bi")
		    key_direction = -1;
		  else
		    throw proto_option_error("bad key-direction parameter");
		}
	    }
	  else
	    throw proto_option_error("bad key-direction default");
	}

	// compression
	{
	  const Option *o = opt.get_ptr("compress");
	  if (o)
	    {
	      if (o->size() >= 2)
		{
		  const std::string meth_name = o->get(1, 128);
		  CompressContext::Type meth = CompressContext::parse_method(meth_name);
		  if (meth == CompressContext::NONE)
		    OPENVPN_THROW(proto_option_error, "Unknown compressor: '" << meth_name << '\'');
		  comp_ctx = CompressContext(pco.is_comp() ? meth : CompressContext::stub(meth), pco.is_comp_asym());
		}
	      else
		comp_ctx = CompressContext(pco.is_comp() ? CompressContext::ANY : CompressContext::COMP_STUB, pco.is_comp_asym());
	    }
	  else
	    {
	      o = opt.get_ptr("comp-lzo");
	      if (o)
		{
		  if (o->size() == 2 && o->ref(1) == "no")
		    {
		      // On the client, by using ANY instead of ANY_LZO, we are telling the server
		      // that it's okay to use any of our supported compression methods.
		      comp_ctx = CompressContext(pco.is_comp() ? CompressContext::ANY : CompressContext::LZO_STUB, pco.is_comp_asym());
		    }
		  else
		    {
		      comp_ctx = CompressContext(pco.is_comp() ? CompressContext::LZO : CompressContext::LZO_STUB, pco.is_comp_asym());
		    }
		}
	    }
	}

	// tun-mtu
	tun_mtu = parse_tun_mtu(opt, tun_mtu);

	// mssfix
	mss_parms.parse(opt, true);

	// load parameters that can be present in both config file or pushed options
	load_common(opt, pco, server ? LOAD_COMMON_SERVER : LOAD_COMMON_CLIENT);
      }

      // load options string pushed by server
      void process_push(const OptionList& opt, const ProtoContextOptions& pco)
      {
	// data channel
	{
	  // cipher
	  std::string new_cipher;
	  try {
	    const Option *o = opt.get_ptr("cipher");
	    if (o)
	      {
		new_cipher = o->get(1, 128);
		if (new_cipher != "none")
		  dc.set_cipher(CryptoAlgs::lookup(new_cipher));
	      }
	  }
	  catch (const std::exception& e)
	    {
	      OPENVPN_THROW(process_server_push_error, "Problem accepting server-pushed cipher '" << new_cipher << "': " << e.what());
	    }

	  // digest
	  std::string new_digest;
	  try {
	    const Option *o = opt.get_ptr("auth");
	    if (o)
	      {
		new_digest = o->get(1, 128);
		if (new_digest != "none")
		  dc.set_digest(CryptoAlgs::lookup(new_digest));
	      }
	  }
	  catch (const std::exception& e)
	    {
	      OPENVPN_THROW(process_server_push_error, "Problem accepting server-pushed digest '" << new_digest << "': " << e.what());
	    }


	  // tls key-derivation method
	  std::string key_method;
	  try {
	      const Option *o = opt.get_ptr("key-derivation");
	      if (o)
		{
		  key_method = o->get(1, 128);
		  if (key_method == "tls-ekm")
		    dc.set_key_derivation(CryptoAlgs::KeyDerivation::TLS_EKM);
		  else
		    OPENVPN_THROW(process_server_push_error, "Problem accepting key-derivation method '" << key_method << "'");
		}
	      else
		dc.set_key_derivation(CryptoAlgs::KeyDerivation::OPENVPN_PRF);
	    }
	  catch (const std::exception& e)
	    {
	      OPENVPN_THROW(process_server_push_error, "Problem accepting key-derivation method '" << key_method << "': " << e.what());
	    }
	}
	// compression
	std::string new_comp;
	try {
	  const Option *o;
	  o = opt.get_ptr("compress");
	  if (o)
	    {
	      new_comp = o->get(1, 128);
	      CompressContext::Type meth = CompressContext::parse_method(new_comp);
	      if (meth != CompressContext::NONE)
		{
		  // if compression is not availabe, CompressContext ctor throws an exception
		  if (pco.is_comp())
		    comp_ctx = CompressContext(meth, pco.is_comp_asym());
		  else
		    {
		      // server pushes compression but client has compression disabled
		      // degrade to asymmetric compression (downlink only)
		      comp_ctx = CompressContext(meth, true);
		      if (!comp_ctx.is_any_stub(meth))
		        {
			  OPENVPN_LOG("Server has pushed compressor "
				      << comp_ctx.str()
			              << ", but client has disabled compression, switching to asymmetric");
		        }
		    }
		}
	    }
	  else
	    {
	      o = opt.get_ptr("comp-lzo");
	      if (o)
		{
		  if (o->size() == 2 && o->ref(1) == "no")
		    {
		      comp_ctx = CompressContext(CompressContext::LZO_STUB, false);
		    }
		  else
		    {
		      comp_ctx = CompressContext(pco.is_comp() ? CompressContext::LZO : CompressContext::LZO_STUB, pco.is_comp_asym());
		    }
		}
	    }
	}
	catch (const std::exception& e)
	  {
	    OPENVPN_THROW(process_server_push_error, "Problem accepting server-pushed compressor '" << new_comp << "': " << e.what());
	  }

	// peer ID
	try {
	  const Option *o = opt.get_ptr("peer-id");
	  if (o)
	    {
	      bool status = parse_number_validate<int>(o->get(1, 16),
						       16,
						       -1,
						       0xFFFFFE,
						       &remote_peer_id);
	      if (!status)
		throw Exception("parse/range issue");
	      enable_op32 = true;
	    }
	}
	catch (const std::exception& e)
	  {
	    OPENVPN_THROW(process_server_push_error, "Problem accepting server-pushed peer-id: " << e.what());
	  }

	try {
	  // load parameters that can be present in both config file or pushed options
	  load_common(opt, pco, LOAD_COMMON_CLIENT_PUSHED);
	}
	catch (const std::exception& e)
	  {
	    OPENVPN_THROW(process_server_push_error, "Problem accepting server-pushed parameter: " << e.what());
	  }

	// show negotiated options
	OPENVPN_LOG_STRING_PROTO(show_options());
      }

      std::string show_options() const
      {
	std::ostringstream os;
	os << "PROTOCOL OPTIONS:" << std::endl;
	os << "  cipher: " << CryptoAlgs::name(dc.cipher()) << std::endl;
	os << "  digest: " << CryptoAlgs::name(dc.digest()) << std::endl;
	os << "  key-derivation: " << CryptoAlgs::name(dc.key_derivation()) << std::endl;
	os << "  compress: " << comp_ctx.str() << std::endl;
	os << "  peer ID: " << remote_peer_id << std::endl;
	if (tls_auth_enabled())
	  {
	    os << "  control channel: tls-auth enabled" << std::endl;
	  }
	else if (tls_crypt_v2_enabled())
	  {
	    os << "  control channel: tls-crypt v2 enabled" << std::endl;
	  }
	else if (tls_crypt_enabled())
	  {
	    os << "  control channel: tls-crypt enabled" << std::endl;
	  }
	return os.str();
      }

      void set_pid_mode(const bool tcp_linear)
      {
	if (protocol.is_udp() || !tcp_linear)
	  pid_mode = PacketIDReceive::UDP_MODE;
	else if (protocol.is_tcp())
	  pid_mode = PacketIDReceive::TCP_MODE;
	else
	  throw proto_option_error("transport protocol undefined");
      }

      void set_protocol(const Protocol& p)
      {
	// adjust options for new transport protocol
	protocol = p;
	set_pid_mode(false);
      }

      void set_tls_auth_digest(const CryptoAlgs::Type digest)
      {
	tls_auth_context = tls_auth_factory->new_obj(digest);
      }

      void set_tls_crypt_algs(const CryptoAlgs::Type digest,
			      const CryptoAlgs::Type cipher)
      {
	tls_crypt_context = tls_crypt_factory->new_obj(digest, cipher);
      }

      void set_xmit_creds(const bool xmit_creds_arg)
      {
	xmit_creds = xmit_creds_arg;
      }

      bool tls_auth_enabled() const
      {
	return tls_key.defined() && tls_auth_context;
      }

      bool tls_crypt_enabled() const
      {
	return tls_key.defined() && tls_crypt_context;
      }

      bool tls_crypt_v2_enabled() const
      {
	return tls_crypt_enabled() && tls_crypt_v2;
      }

      // generate a string summarizing options that will be
      // transmitted to peer for options consistency check
      std::string options_string()
      {
	if (!initial_options.empty())
	  return initial_options;

	std::ostringstream out;

	const bool server = ssl_factory->mode().is_server();
	const unsigned int l2extra = (layer() == Layer::OSI_LAYER_2 ? 32 : 0);

	out << "V4";

	out << ",dev-type " << layer.dev_type();
	out << ",link-mtu " << tun_mtu + link_mtu_adjust() + l2extra;
	out << ",tun-mtu " << tun_mtu + l2extra;
	out << ",proto " << protocol.str_client(true);

	{
	  const char *compstr = comp_ctx.options_string();
	  if (compstr)
	    out << ',' << compstr;
	}

	if (tls_auth_context && (key_direction >= 0))
	  out << ",keydir " << key_direction;

	out << ",cipher " << CryptoAlgs::name(dc.cipher(), "[null-cipher]");
	out << ",auth " << CryptoAlgs::name(dc.digest(), "[null-digest]");
	out << ",keysize " << (CryptoAlgs::key_length(dc.cipher()) * 8);

	if (tls_auth_context)
	  out << ",tls-auth";

	// sending tls-crypt does not make sense. If we got to this point it
	// means that tls-crypt was already there and it worked fine.
	// tls-auth has to be kept for backward compatibility as it is there
	// since a bit.

	out << ",key-method 2";

	if (server)
	  out << ",tls-server";
	else
	  out << ",tls-client";

	initial_options = out.str();

	return initial_options;
      }

      // generate a string summarizing information about the client
      // including capabilities
      std::string peer_info_string() const
      {
	std::ostringstream out;
	const char *compstr = nullptr;

	// supports op32 and P_DATA_V2 and expects a push reply

	unsigned int iv_proto = IV_PROTO_DATA_V2
	  | IV_PROTO_REQUEST_PUSH
	  | IV_PROTO_AUTH_PENDING_KW;

	if (SSLLib::SSLAPI::support_key_material_export())
	  {
	    iv_proto |= IV_PROTO_TLS_KEY_EXPORT;
	  }

	out << "IV_VER=" << OPENVPN_VERSION << '\n';
	out << "IV_PLAT=" << platform_name() << '\n';
	out << "IV_NCP=2\n"; // negotiable crypto parameters V2
	out << "IV_TCPNL=1\n"; // supports TCP non-linear packet ID
	out << "IV_PROTO=" << std::to_string(iv_proto) << '\n';
	/*
	 * OpenVPN3 allows to be pushed any cipher that it supports as it
	 * only implements secure ones and BF-CBC for backwards
	 * compatibility and generally adopts the concept of the server being
	 * responsible for sensible choices. Include the cipher here since
	 * OpenVPN 2.5 will otherwise ignore it and break on conrer cases
	 * like --cipher AES-128-CBC on client and --data-ciphers "AES-128-CBC"
	 * on server.
	 *
	 */
	out << "IV_CIPHERS=AES-256-GCM:AES-128-GCM";
	if (openvpn::AEAD::is_algorithm_supported<SSLLib::CryptoAPI>(CryptoAlgs::CHACHA20_POLY1305))
	  {
	   out << ":CHACHA20-POLY1305";
	  }

	if (openvpn::CryptoAlgs::defined(dc.cipher()) &&
		      dc.cipher() != CryptoAlgs::AES_128_GCM &&
		      dc.cipher() != CryptoAlgs::AES_256_GCM &&
		      dc.cipher() != CryptoAlgs::CHACHA20_POLY1305)
	  {
	    out << ":" << openvpn::CryptoAlgs::name(dc.cipher());
	  }
	out << "\n";

	compstr = comp_ctx.peer_info_string();

	if (compstr)
	  out << compstr;
	if (extra_peer_info)
	  out << extra_peer_info->to_string();
	if (is_bs64_cipher(dc.cipher()))
	  out << "IV_BS64DL=1\n"; // indicate support for data limits when using 64-bit block-size ciphers, version 1 (CVE-2016-6329)
	if (relay_mode)
	  out << "IV_RELAY=1\n";
	const std::string ret = out.str();
	OPENVPN_LOG_PROTO("Peer Info:" << std::endl << ret);
	return ret;
      }

      // Used to generate link_mtu option sent to peer.
      // Not const because dc.context() caches the DC context.
      unsigned int link_mtu_adjust()
      {
	const size_t adj = protocol.extra_transport_bytes() + // extra 2 bytes for TCP-streamed packet length
          (enable_op32 ? 4 : 1) +                        // leading op
	  comp_ctx.extra_payload_bytes() +               // compression header
	  PacketID::size(PacketID::SHORT_FORM) +         // sequence number
	  dc.context().encap_overhead();                 // data channel crypto layer overhead
	return (unsigned int)adj;
      }

    private:
      enum LoadCommonType {
	LOAD_COMMON_SERVER,
	LOAD_COMMON_CLIENT,
	LOAD_COMMON_CLIENT_PUSHED,
      };

      // load parameters that can be present in both config file or pushed options
      void load_common(const OptionList& opt, const ProtoContextOptions& pco,
		       const LoadCommonType type)
      {
	// duration parms
	load_duration_parm(renegotiate, "reneg-sec", opt, 10, false, false);
	expire = renegotiate;
	load_duration_parm(expire, "tran-window", opt, 10, false, false);
	expire += renegotiate;
	load_duration_parm(handshake_window, "hand-window", opt, 10, false, false);
	if (is_bs64_cipher(dc.cipher())) // special data limits for 64-bit block-size ciphers (CVE-2016-6329)
	  {
	    become_primary = Time::Duration::seconds(5);
	    tls_timeout = Time::Duration::milliseconds(1000);
	  }
	else
	  become_primary = Time::Duration::seconds(std::min(handshake_window.to_seconds(),
							    renegotiate.to_seconds() / 2));
	load_duration_parm(become_primary, "become-primary", opt, 0, false, false);
	load_duration_parm(tls_timeout, "tls-timeout", opt, 100, false, true);

	if (type == LOAD_COMMON_SERVER)
	  renegotiate += handshake_window; // avoid renegotiation collision with client

	// keepalive, ping, ping-restart
	{
	  const Option *o = opt.get_ptr("keepalive");
	  if (o)
	    {
	      set_duration_parm(keepalive_ping, "keepalive ping", o->get(1, 16), 1, false, false);
	      set_duration_parm(keepalive_timeout, "keepalive timeout", o->get(2, 16), 1, type == LOAD_COMMON_SERVER, false);
	    }
	  else
	    {
	      load_duration_parm(keepalive_ping, "ping", opt, 1, false, false);
	      load_duration_parm(keepalive_timeout, "ping-restart", opt, 1, false, false);
	    }
	}
      }

      std::string relay_prefix(const char *optname) const
      {
	std::string ret;
	if (relay_mode)
	  ret = "relay-";
	ret += optname;
	return ret;
      }
    };

    // Used to describe an incoming network packet
    class PacketType
    {
      friend class ProtoContext;

      enum {
	DEFINED=1<<0,     // packet is valid (otherwise invalid)
	CONTROL=1<<1,     // packet for control channel (otherwise for data channel)
	SECONDARY=1<<2,   // packet is associated with secondary KeyContext (otherwise primary)
	SOFT_RESET=1<<3,  // packet is a CONTROL_SOFT_RESET_V1 msg indicating a request for SSL/TLS renegotiate
      };

    public:
      bool is_defined() const { return flags & DEFINED; }
      bool is_control() const { return (flags & (CONTROL|DEFINED)) == (CONTROL|DEFINED); }
      bool is_data()    const { return (flags & (CONTROL|DEFINED)) == DEFINED; }
      bool is_soft_reset() const { return (flags & (CONTROL|DEFINED|SECONDARY|SOFT_RESET))
	                                        == (CONTROL|DEFINED|SECONDARY|SOFT_RESET); }
      int peer_id() const { return peer_id_; }

    private:
      PacketType(const Buffer& buf, class ProtoContext& proto)
	: flags(0), opcode(INVALID_OPCODE), peer_id_(-1)
      {
	if (likely(buf.size()))
	  {
	    // get packet header byte
	    const unsigned int op = buf[0];

	    // examine opcode
	    {
	      const unsigned int opc = opcode_extract(op);
	      switch (opc)
		{
		case CONTROL_SOFT_RESET_V1:
		case CONTROL_V1:
		case ACK_V1:
		  {
		    flags |= CONTROL;
		    opcode = opc;
		    break;
		  }
		case DATA_V2:
		  {
		    if (unlikely(buf.size() < 4))
		      return;
		    const int opi = ntohl(*(const std::uint32_t *)buf.c_data()) & 0x00FFFFFF;
		    if (opi != OP_PEER_ID_UNDEF)
		      peer_id_ = opi;
		    opcode = opc;
		    break;
		  }
		case DATA_V1:
		  {
		    opcode = opc;
		    break;
		  }
		case CONTROL_HARD_RESET_CLIENT_V2:
		case CONTROL_HARD_RESET_CLIENT_V3:
		  {
		    if (!proto.is_server())
		      return;
		    flags |= CONTROL;
		    opcode = opc;
		    break;
		  }
		case CONTROL_HARD_RESET_SERVER_V2:
		  {
		    if (proto.is_server())
		      return;
		    flags |= CONTROL;
		    opcode = opc;
		    break;
		  }
		default:
		  return;
		}
	    }

	    // examine key ID
	    {
	      const unsigned int kid = key_id_extract(op);
	      if (proto.primary && kid == proto.primary->key_id())
		flags |= DEFINED;
	      else if (proto.secondary && kid == proto.secondary->key_id())
		flags |= (DEFINED | SECONDARY);
	      else if (opcode == CONTROL_SOFT_RESET_V1 && kid == proto.upcoming_key_id)
		flags |= (DEFINED | SECONDARY | SOFT_RESET);
	    }
	  }
      }

      unsigned int flags;
      unsigned int opcode;
      int peer_id_;
    };

    static const char *opcode_name(const unsigned int opcode)
    {
      switch (opcode)
	{
	case CONTROL_SOFT_RESET_V1:
	  return "CONTROL_SOFT_RESET_V1";
	case CONTROL_V1:
	  return "CONTROL_V1";
	case ACK_V1:
	  return "ACK_V1";
	case DATA_V1:
	  return "DATA_V1";
	case DATA_V2:
	  return "DATA_V2";
	case CONTROL_HARD_RESET_CLIENT_V2:
	  return "CONTROL_HARD_RESET_CLIENT_V2";
	case CONTROL_HARD_RESET_CLIENT_V3:
	  return "CONTROL_HARD_RESET_CLIENT_V3";
	case CONTROL_HARD_RESET_SERVER_V2:
	  return "CONTROL_HARD_RESET_SERVER_V2";
	}
      return nullptr;
    }

    std::string dump_packet(const Buffer& buf)
    {
      std::ostringstream out;
      try {
	Buffer b(buf);
	const size_t orig_size = b.size();
	const unsigned int op = b.pop_front();

	const unsigned int opcode = opcode_extract(op);
	const char *op_name = opcode_name(opcode);
	if (op_name)
	  out << op_name << '/' << key_id_extract(op);
	else
	  return "BAD_PACKET";

	if (opcode == DATA_V1 || opcode == DATA_V2)
	  {
	    if (opcode == DATA_V2)
	      {
		const unsigned int p1 = b.pop_front();
		const unsigned int p2 = b.pop_front();
		const unsigned int p3 = b.pop_front();
		const unsigned int peer_id = (p1<<16) + (p2<<8) + p3;
		if (peer_id != 0xFFFFFF)
		  out << " PEER_ID=" << peer_id;
	      }
	    out << " SIZE=" << b.size() << '/' << orig_size;
	  }
	else
	  {
	    {
	      ProtoSessionID src_psid(b);
	      out << " SRC_PSID=" << src_psid.str();
	    }

	    if (tls_wrap_mode == TLS_CRYPT)
	      {
		PacketID pid;
		pid.read(b, PacketID::LONG_FORM);
		out << " PID=" << pid.str();

		const unsigned char *hmac = b.read_alloc(hmac_size);
		out << " HMAC=" << render_hex(hmac, hmac_size);

		// nothing else to print as the content is encrypted beyond this point
		out << " TLS-CRYPT ENCRYPTED";
	      }
	    else
	      {
		if (tls_wrap_mode == TLS_AUTH)
	          {
		    const unsigned char *hmac = b.read_alloc(hmac_size);
		    out << " HMAC=" << render_hex(hmac, hmac_size);

		    PacketID pid;
		    pid.read(b, PacketID::LONG_FORM);
		    out << " PID=" << pid.str();
	          }

	        ReliableAck ack(0);
	        ack.read(b);
	        const bool dest_psid_defined = !ack.empty();
	        out << " ACK=[";
	        while (!ack.empty())
	          {
		    out << " " << ack.front();
		    ack.pop_front();
	          }
	        out << " ]";

	        if (dest_psid_defined)
	          {
		    ProtoSessionID dest_psid(b);
		    out << " DEST_PSID=" << dest_psid.str();
	          }

	        if (opcode != ACK_V1)
	          out << " MSG_ID=" << ReliableAck::read_id(b);
	      }
	    if (opcode != ACK_V1)
	      out << " SIZE=" << b.size() << '/' << orig_size;
	  }
#ifdef OPENVPN_DEBUG_PROTO_DUMP
	out << '\n' << string::trim_crlf_copy(dump_hex(buf));
#endif
      }
      catch (const std::exception& e)
	{
	  out << " EXCEPTION: " << e.what();
	}
      return out.str();
    }

  protected:

    // used for reading/writing authentication strings (username, password, etc.)

    static void write_string_length(const size_t size, Buffer& buf)
    {
      if (size > 0xFFFF)
	throw proto_error("auth_string_overflow");
      const std::uint16_t net_size = htons(size);
      buf.write((const unsigned char *)&net_size, sizeof(net_size));
    }

    static size_t read_string_length(Buffer& buf)
    {
      if (buf.size())
	{
	  std::uint16_t net_size;
	  buf.read((unsigned char *)&net_size, sizeof(net_size));
	  return ntohs(net_size);
	}
      else
	return 0;
    }

    template <typename S>
    static void write_auth_string(const S& str, Buffer& buf)
    {
      const size_t len = str.length();
      if (len)
	{
	  write_string_length(len+1, buf);
	  buf.write((const unsigned char *)str.c_str(), len);
	  buf.null_terminate();
	}
      else
	write_string_length(0, buf);
    }

    template <typename S>
    static S read_auth_string(Buffer& buf)
    {
      const size_t len = read_string_length(buf);
      if (len)
	{
	  const char *data = (const char *) buf.read_alloc(len);
	  if (len > 1)
	    return S(data, len-1);
	}
      return S();
    }

    template <typename S>
    static void write_control_string(const S& str, Buffer& buf)
    {
      const size_t len = str.length();
      buf.write((const unsigned char *)str.c_str(), len);
      buf.null_terminate();
    }

    template <typename S>
    static S read_control_string(const Buffer& buf)
    {
      size_t size = buf.size();
      if (size)
	{
	  if (buf[size-1] == 0)
	    --size;
	  if (size)
	    return S((const char *)buf.c_data(), size);
	}
      return S();
    }

    template <typename S>
    void write_control_string(const S& str)
    {
      const size_t len = str.length();
      BufferPtr bp = new BufferAllocated(len+1, 0);
      write_control_string(str, *bp);
      control_send(std::move(bp));
    }

    static unsigned char *skip_string(Buffer& buf)
    {
      const size_t len = read_string_length(buf);
      return buf.read_alloc(len);
    }

    static void write_empty_string(Buffer& buf)
    {
      write_string_length(0, buf);
    }

    // Packet structure for managing network packets, passed as a template
    // parameter to ProtoStackBase
    class Packet
    {
      friend class ProtoContext;

    public:
      Packet()
      {
	reset_non_buf();
      }

      Packet(BufferPtr&& buf_arg, const unsigned int opcode_arg = CONTROL_V1)
	: opcode(opcode_arg), buf(std::move(buf_arg))
      {
      }

      void reset()
      {
	reset_non_buf();
	buf.reset();
      }

      void frame_prepare(const Frame& frame, const unsigned int context)
      {
	if (!buf)
	  buf.reset(new BufferAllocated());
	frame.prepare(context, *buf);
      }

      bool is_raw() const { return opcode != CONTROL_V1; }
      operator bool() const { return bool(buf); }
      const BufferPtr& buffer_ptr() { return buf; }
      const Buffer& buffer() const { return *buf; }

    private:
      void reset_non_buf()
      {
	opcode = INVALID_OPCODE;
      }

      unsigned int opcode;
      BufferPtr buf;
    };

    // KeyContext encapsulates a single SSL/TLS session.
    // ProtoStackBase uses CRTP-based static polymorphism for method callbacks.
    class KeyContext : ProtoStackBase<Packet, KeyContext>, public RC<thread_unsafe_refcount>
    {
      typedef ProtoStackBase<Packet, KeyContext> Base;
      friend Base;
      typedef Base::ReliableSend ReliableSend;
      typedef Base::ReliableRecv ReliableRecv;

      // ProtoStackBase protected vars
      using Base::now;
      using Base::rel_recv;
      using Base::rel_send;
      using Base::xmit_acks;

      // ProtoStackBase member functions
      using Base::start_handshake;
      using Base::raw_send;
      using Base::send_pending_acks;

      // Helper for handling deferred data channel setup,
      // for example if cipher/digest are pushed.
      struct DataChannelKey
      {
	DataChannelKey() : rekey_defined(false) {}

	OpenVPNStaticKey key;
	bool rekey_defined;
	CryptoDCInstance::RekeyType rekey_type;
      };

    public:
      typedef RCPtr<KeyContext> Ptr;

      OPENVPN_SIMPLE_EXCEPTION(tls_crypt_unwrap_wkc_error);

      // KeyContext events occur on two basic key types:
      //   Primary Key -- the key we transmit/encrypt on.
      //   Secondary Key -- new keys and retiring keys.
      //
      // The very first key created (key_id == 0) is a
      // primary key.  Subsequently created keys are always,
      // at least initially, secondary keys.  Secondary keys
      // promote to primary via the KEV_BECOME_PRIMARY event
      // (actually KEV_BECOME_PRIMARY swaps the primary and
      // secondary keys, so the old primary is demoted
      // to secondary and marked for expiration).
      //
      // Secondary keys are created by:
      // 1. locally-generated soft renegotiation requests, and
      // 2. peer-requested soft renegotiation requests.
      // In each case, any previous secondary key will be
      // wiped (including a secondary key that exists due to
      // demotion of a previous primary key that has been marked
      // for expiration).
      enum EventType {
	KEV_NONE,

	// KeyContext has reached the ACTIVE state, occurs on both
	// primary and secondary.
	KEV_ACTIVE,

	// SSL/TLS negotiation must complete by this time.  If this
	// event is hit on the first primary (i.e. first KeyContext
	// with key_id == 0), it is fatal to the session and will
	// trigger a disconnect/reconnect.  If it's hit on the
	// secondary, it will trigger a soft renegotiation.
	KEV_NEGOTIATE,

	// When a KeyContext (normally the secondary) is scheduled
	// to transition to the primary state.
	KEV_BECOME_PRIMARY,

	// Waiting for condition on secondary (usually
	// dataflow-based) to trigger KEV_BECOME_PRIMARY.
	KEV_PRIMARY_PENDING,

	// Start renegotiating a new KeyContext on secondary
	// (ignored unless originating on primary).
	KEV_RENEGOTIATE,

	// Trigger a renegotiation originating from either
	// primary or secondary.
	KEV_RENEGOTIATE_FORCE,

	// Queue delayed renegotiation request from secondary
	// to take effect after KEV_BECOME_PRIMARY.
	KEV_RENEGOTIATE_QUEUE,

	// Expiration of KeyContext.
	KEV_EXPIRE,
      };

      // for debugging
      static const char *event_type_string(const EventType et)
      {
	switch (et)
	  {
	  case KEV_NONE:
	    return "KEV_NONE";
	  case KEV_ACTIVE:
	    return "KEV_ACTIVE";
	  case KEV_NEGOTIATE:
	    return "KEV_NEGOTIATE";
	  case KEV_BECOME_PRIMARY:
	    return "KEV_BECOME_PRIMARY";
	  case KEV_PRIMARY_PENDING:
	    return "KEV_PRIMARY_PENDING";
	  case KEV_RENEGOTIATE:
	    return "KEV_RENEGOTIATE";
	  case KEV_RENEGOTIATE_FORCE:
	    return "KEV_RENEGOTIATE_FORCE";
	  case KEV_RENEGOTIATE_QUEUE:
	    return "KEV_RENEGOTIATE_QUEUE";
	  case KEV_EXPIRE:
	    return "KEV_EXPIRE";
	  default:
	    return "KEV_?";
	  }
      }

      KeyContext(ProtoContext& p, const bool initiator)
	: Base(*p.config->ssl_factory,
	       p.config->now, p.config->tls_timeout,
	       p.config->frame, p.stats,
	       p.config->reliable_window, p.config->max_ack_list),
	  proto(p),
	  state(STATE_UNDEF),
	  crypto_flags(0),
	  dirty(0),
	  key_limit_renegotiation_fired(false),
	  tlsprf(p.config->tlsprf_factory->new_obj(p.is_server()))
      {
	// reliable protocol?
	set_protocol(proto.config->protocol);

	// get key_id from parent
	key_id_ = proto.next_key_id();

	// set initial state
	set_state((proto.is_server() ? S_INITIAL : C_INITIAL) + (initiator ? 0 : 1));

	// cache stuff that we need to access in hot path
	cache_op32();

	// remember when we were constructed
	construct_time = *now;

	// set must-negotiate-by time
	set_event(KEV_NONE, KEV_NEGOTIATE, construct_time + proto.config->handshake_window);
      }

      void set_protocol(const Protocol& p)
      {
	is_reliable = p.is_reliable(); // cache is_reliable state locally
      }

      uint32_t get_tls_warnings() const
      {
	return Base::get_tls_warnings();
      }

      // need to call only on the initiator side of the connection
      void start()
      {
	if (state == C_INITIAL || state == S_INITIAL)
	  {
	    send_reset();
	    set_state(state+1);
	    dirty = true;
	  }
      }

      // control channel flush
      void flush()
      {
	if (dirty)
	  {
	    post_ack_action();
	    Base::flush();
	    send_pending_acks();
	    dirty = false;
	  }
      }

      void invalidate(const Error::Type reason)
      {
	Base::invalidate(reason);
      }

      // retransmit packets as part of reliability layer
      void retransmit()
      {
	// note that we don't set dirty here
	Base::retransmit();
      }

      // when should we next call retransmit method
      Time next_retransmit() const
      {
	const Time t = Base::next_retransmit();
	if (t <= next_event_time)
	  return t;
	else
	  return next_event_time;
      }

      void app_send_validate(BufferPtr&& bp)
      {
	if (bp->size() > APP_MSG_MAX)
	  throw proto_error("app_send: sent control message is too large");
	Base::app_send(std::move(bp));
      }

      // send app-level cleartext data to peer via SSL
      void app_send(BufferPtr&& bp)
      {
	if (state >= ACTIVE)
	  {
	    app_send_validate(std::move(bp));
	    dirty = true;
	  }
	else
	  app_pre_write_queue.push_back(bp);
      }

      // pass received ciphertext packets on network to SSL/reliability layers
      bool net_recv(Packet&& pkt)
      {
	const bool ret = Base::net_recv(std::move(pkt));
	dirty = true;
	return ret;
      }

      // data channel encrypt
      void encrypt(BufferAllocated& buf)
      {
	if (state >= ACTIVE
	    && (crypto_flags & CryptoDCInstance::CRYPTO_DEFINED)
	    && !invalidated())
	  {
	    // compress and encrypt packet and prepend op header
	    const bool pid_wrap = do_encrypt(buf, true);

	    // Trigger a new SSL/TLS negotiation if packet ID (a 32-bit unsigned int)
	    // is getting close to wrapping around.  If it wraps back to 0 without
	    // a renegotiation, it would cause the replay protection logic to wrongly
	    // think that all further packets are replays.
	    if (pid_wrap)
	      schedule_key_limit_renegotiation();
	  }
	else
	  buf.reset_size(); // no crypto context available
      }

      // data channel decrypt
      void decrypt(BufferAllocated& buf)
      {
	try {
	  if (state >= ACTIVE
	      && (crypto_flags & CryptoDCInstance::CRYPTO_DEFINED)
	      && !invalidated())
	    {
	      // Knock off leading op from buffer, but pass the 32-bit version to
	      // decrypt so it can be used as Additional Data for packet authentication.
	      const size_t head_size = op_head_size(buf[0]);
	      const unsigned char *op32 = (head_size == OP_SIZE_V2) ? buf.c_data() : nullptr;
	      buf.advance(head_size);

	      // decrypt packet
	      const Error::Type err = crypto->decrypt(buf, now->seconds_since_epoch(), op32);
	      if (err)
		{
		  proto.stats->error(err);
		  if (proto.is_tcp() && (err == Error::DECRYPT_ERROR || err == Error::HMAC_ERROR))
		    invalidate(err);
		}

	      // trigger renegotiation if we hit decrypt data limit
	      if (data_limit)
		data_limit_add(DataLimit::Decrypt, buf.size());

	      // decompress packet
	      if (compress)
		compress->decompress(buf);

	      // set MSS for segments server can receive
	      if (proto.config->mss_inter > 0)
		MSSFix::mssfix(buf, proto.config->mss_inter);
	    }
	  else
	    buf.reset_size(); // no crypto context available
	}
	catch (BufferException&)
	  {
	    proto.stats->error(Error::BUFFER_ERROR);
	    buf.reset_size();
	    if (proto.is_tcp())
	      invalidate(Error::BUFFER_ERROR);
	  }
      }

      // usually called by parent ProtoContext object when this KeyContext
      // has been retired.
      void prepare_expire(const EventType current_ev = KeyContext::KEV_NONE)
      {
	set_event(current_ev,
		  KEV_EXPIRE,
		  key_limit_renegotiation_fired ? data_limit_expire() : construct_time + proto.config->expire);
      }

      // set a default next event, if unspecified
      void set_next_event_if_unspecified()
      {
	if (next_event == KEV_NONE && !invalidated())
	  prepare_expire();
      }

      // set a key limit renegotiation event at time t
      void key_limit_reneg(const EventType ev, const Time& t)
      {
	if (t.defined())
	  set_event(KEV_NONE, ev, t + Time::Duration::seconds(proto.is_server() ? 2 : 1));
      }

      // return time of upcoming KEV_BECOME_PRIMARY event
      Time become_primary_time()
      {
	if (next_event == KEV_BECOME_PRIMARY)
	  return next_event_time;
	else
	  return Time();
      }

      // is an KEV_x event pending?
      bool event_pending()
      {
	if (current_event == KEV_NONE && *now >= next_event_time)
	  process_next_event();
	return current_event != KEV_NONE;
      }

      // get KEV_x event
      EventType get_event() const { return current_event; }

      // clear KEV_x event
      void reset_event() { current_event = KEV_NONE; }

      // was session invalidated by an exception?
      bool invalidated() const { return Base::invalidated(); }

      // Reason for invalidation
      Error::Type invalidation_reason() const { return Base::invalidation_reason(); }

      // our Key ID in the OpenVPN protocol
      unsigned int key_id() const { return key_id_; }

      // indicates that data channel is keyed and ready to encrypt/decrypt packets
      bool data_channel_ready() const { return state >= ACTIVE; }

      bool is_dirty() const { return dirty; }

      // notification from parent of rekey operation
      void rekey(const CryptoDCInstance::RekeyType type)
      {
	if (crypto)
	  crypto->rekey(type);
	else if (data_channel_key)
	  {
	    // save for deferred processing
	    data_channel_key->rekey_type = type;
	    data_channel_key->rekey_defined = true;
	  }
      }

      // time that our state transitioned to ACTIVE
      Time reached_active() const { return reached_active_time_; }

      // transmit a keepalive message to peer
      void send_keepalive()
      {
	send_data_channel_message(proto_context_private::keepalive_message,
				  sizeof(proto_context_private::keepalive_message));
      }

      // send explicit-exit-notify message to peer
      void send_explicit_exit_notify()
      {
#ifndef OPENVPN_DISABLE_EXPLICIT_EXIT // explicit exit should always be enabled in production
	if (crypto_flags & CryptoDCInstance::EXPLICIT_EXIT_NOTIFY_DEFINED)
	  crypto->explicit_exit_notify();
	else
	  send_data_channel_message(proto_context_private::explicit_exit_notify_message,
				    sizeof(proto_context_private::explicit_exit_notify_message));
#endif
      }

      // general purpose method for sending constant string messages
      // to peer via data channel
      void send_data_channel_message(const unsigned char *data, const size_t size)
      {
	if (state >= ACTIVE
	    && (crypto_flags & CryptoDCInstance::CRYPTO_DEFINED)
	    && !invalidated())
	  {
	    // allocate packet
	    Packet pkt;
	    pkt.frame_prepare(*proto.config->frame, Frame::WRITE_DC_MSG);

	    // write keepalive message
	    pkt.buf->write(data, size);

	    // process packet for transmission
	    do_encrypt(*pkt.buf, false); // set compress hint to "no"

	    // send it
	    proto.net_send(key_id_, pkt);
	  }
      }

      // validate the integrity of a packet
      static bool validate(const Buffer& net_buf, ProtoContext& proto, TimePtr now)
      {
	try {
	  Buffer recv(net_buf);

	  switch (proto.tls_wrap_mode)
	  {
	    case TLS_AUTH:
	      return validate_tls_auth(recv, proto, now);
	    case TLS_CRYPT_V2:
	      if (opcode_extract(recv[0]) == CONTROL_HARD_RESET_CLIENT_V3)
		{
		  // skip validation of HARD_RESET_V3 because the tls-crypt
		  // engine has not been initialized yet
		  OPENVPN_LOG_PROTO_VERBOSE("SKIPPING VALIDATION OF HARD_RESET_V3");
		  return true;
		}
	      /* no break */
	    case TLS_CRYPT:
	      return validate_tls_crypt(recv, proto, now);
	    case TLS_PLAIN:
	      return validate_tls_plain(recv, proto, now);
	    }
	}
	catch (BufferException& e)
	  {
	    OPENVPN_LOG_PROTO_VERBOSE("validate() exception: " << e.what());
	  }
	return false;
      }

      void generate_datachannel_keys()
      {
	std::unique_ptr<DataChannelKey> dck(new DataChannelKey());


	if(proto.config->dc.key_derivation() == CryptoAlgs::KeyDerivation::TLS_EKM)
	  {
	    // USE RFC 5705 key material export
	    export_key_material(dck->key);
	  }
	else
	  {
	    // use the TLS PRF construction to exchange session keys for building
	    // the data channel crypto context
	    tlsprf->generate_key_expansion(dck->key, proto.psid_self, proto.psid_peer);
	  }
	tlsprf->erase();
	OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " KEY " << CryptoAlgs::name(proto.config->dc.key_derivation())
					<< " " << proto.mode().str() << ' ' << dck->key.render());

	if (data_channel_key)
	  {
	    dck->rekey_defined = data_channel_key->rekey_defined;
	    dck->rekey_type = data_channel_key->rekey_type;
	  }
	dck.swap(data_channel_key);
      }

      // Initialize the components of the OpenVPN data channel protocol
      void init_data_channel()
      {
	// set up crypto for data channel
	if (!data_channel_key || !data_channel_key->key.defined())
	  {
	    generate_datachannel_keys();
	  }
	bool enable_compress = true;
	Config& c = *proto.config;
	const unsigned int key_dir = proto.is_server() ? OpenVPNStaticKey::INVERSE : OpenVPNStaticKey::NORMAL;
	const OpenVPNStaticKey& key = data_channel_key->key;

	// special data limits for 64-bit block-size ciphers (CVE-2016-6329)
	if (is_bs64_cipher(c.dc.cipher()))
	  {
	    DataLimit::Parameters dp;
	    dp.encrypt_red_limit = OPENVPN_BS64_DATA_LIMIT;
	    dp.decrypt_red_limit = OPENVPN_BS64_DATA_LIMIT;
	    OPENVPN_LOG_PROTO("Per-Key Data Limit: " << dp.encrypt_red_limit << '/' << dp.decrypt_red_limit);
	    data_limit.reset(new DataLimit(dp));
	  }

	// build crypto context for data channel encryption/decryption
	crypto = c.dc.context().new_obj(key_id_);
	crypto_flags = crypto->defined();

	if (crypto_flags & CryptoDCInstance::CIPHER_DEFINED)
	  crypto->init_cipher(key.slice(OpenVPNStaticKey::CIPHER | OpenVPNStaticKey::ENCRYPT | key_dir),
			      key.slice(OpenVPNStaticKey::CIPHER | OpenVPNStaticKey::DECRYPT | key_dir));

	if (crypto_flags & CryptoDCInstance::HMAC_DEFINED)
	  crypto->init_hmac(key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::ENCRYPT | key_dir),
			    key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::DECRYPT | key_dir));

	crypto->init_pid(PacketID::SHORT_FORM,
			 c.pid_mode,
			 PacketID::SHORT_FORM,
			 "DATA", int(key_id_),
			 proto.stats);

	crypto->init_remote_peer_id(c.remote_peer_id);

	enable_compress = crypto->consider_compression(proto.config->comp_ctx);

	if (data_channel_key->rekey_defined)
	  crypto->rekey(data_channel_key->rekey_type);
	data_channel_key.reset();

	// set up compression for data channel
	if (enable_compress)
	  compress = proto.config->comp_ctx.new_compressor(proto.config->frame, proto.stats);
	else
	  compress.reset();

	// cache op32 for hot path in do_encrypt
	cache_op32();

	int crypto_encap = (enable_op32 ? OP_SIZE_V2 : 1) +
			   c.comp_ctx.extra_payload_bytes() +
			   PacketID::size(PacketID::SHORT_FORM) +
			   c.dc.context().encap_overhead();

	int transport_encap = 0;
	if (c.mss_parms.mtu)
	  {
	    if (proto.is_tcp())
	      transport_encap += sizeof(struct TCPHeader);
	    else
	      transport_encap += sizeof(struct UDPHeader);

	    if (c.protocol.is_ipv6())
	      transport_encap += sizeof(struct IPv6Header);
	    else
	      transport_encap += sizeof(struct IPv4Header);

	    transport_encap += c.protocol.extra_transport_bytes();
	  }

	if (c.mss_parms.mssfix != 0)
	  {
	    OPENVPN_LOG_PROTO("MTU mssfix=" << c.mss_parms.mssfix <<
			      " crypto_encap=" << crypto_encap <<
			      " transport_encap=" << transport_encap);
	    c.mss_inter = c.mss_parms.mssfix - (crypto_encap + transport_encap);
	  }
      }

      void data_limit_notify(const DataLimit::Mode cdl_mode,
			     const DataLimit::State cdl_status)
      {
	if (data_limit)
	  data_limit_event(cdl_mode, data_limit->update_state(cdl_mode, cdl_status));
      }

    private:
      static bool validate_tls_auth(Buffer &recv, ProtoContext& proto, TimePtr now)
      {
	const unsigned char *orig_data = recv.data();
	const size_t orig_size = recv.size();

	// advance buffer past initial op byte
	recv.advance(1);

	// get source PSID
	ProtoSessionID src_psid(recv);

	// verify HMAC
	{
	  recv.advance(proto.hmac_size);
	  if (!proto.ta_hmac_recv->ovpn_hmac_cmp(orig_data, orig_size,
						 1 + ProtoSessionID::SIZE,
						 proto.hmac_size,
						 PacketID::size(PacketID::LONG_FORM)))
	    return false;
	}

	// verify source PSID
	if (!proto.psid_peer.match(src_psid))
	  return false;

	// read tls_auth packet ID
	const PacketID pid = proto.ta_pid_recv.read_next(recv);

	// get current time_t
	const PacketID::time_t t = now->seconds_since_epoch();

	// verify tls_auth packet ID
	const bool pid_ok = proto.ta_pid_recv.test_add(pid, t, false);

	// make sure that our own PSID is contained in packet received from peer
	if (ReliableAck::ack_skip(recv))
	  {
	    ProtoSessionID dest_psid(recv);
	    if (!proto.psid_self.match(dest_psid))
	      return false;
	  }

	return pid_ok;
      }

      static bool validate_tls_crypt(Buffer& recv, ProtoContext& proto, TimePtr now)
       {
	const unsigned char *orig_data = recv.data();
	const size_t orig_size = recv.size();

	// advance buffer past initial op byte
	recv.advance(1);
	// get source PSID
	ProtoSessionID src_psid(recv);
	// read tls_auth packet ID
	const PacketID pid = proto.ta_pid_recv.read_next(recv);

	recv.advance(proto.hmac_size);

	const size_t head_size = 1 + ProtoSessionID::SIZE + PacketID::size(PacketID::LONG_FORM);
	const size_t data_offset = head_size + proto.hmac_size;
	if (orig_size < data_offset)
	  return false;

	// we need a buffer to perform the payload decryption and being this a static
	// function we can't use the instance member like in decapsulate_tls_crypt()
	BufferAllocated work;
	proto.config->frame->prepare(Frame::DECRYPT_WORK, work);

	// decrypt payload from 'recv' into 'work'
	const size_t decrypt_bytes = proto.tls_crypt_recv->decrypt(orig_data + head_size,
								   work.data(), work.max_size(),
								   recv.c_data(), recv.size());
	if (!decrypt_bytes)
	  return false;

	work.inc_size(decrypt_bytes);

	// verify HMAC
	if (!proto.tls_crypt_recv->hmac_cmp(orig_data,
					    TLSCryptContext::hmac_offset,
					    work.c_data(), work.size()))
	  return false;

	// verify source PSID
	if (proto.psid_peer.defined())
	  {
	    if (!proto.psid_peer.match(src_psid))
	      return false;
	  }
	else
	  {
	    proto.psid_peer = src_psid;
	  }

	// get current time_t
	const PacketID::time_t t = now->seconds_since_epoch();

	// verify tls_auth packet ID
	const bool pid_ok = proto.ta_pid_recv.test_add(pid, t, false);
	// make sure that our own PSID is contained in packet received from peer
	if (ReliableAck::ack_skip(work))
	  {
	    ProtoSessionID dest_psid(work);
	    if (!proto.psid_self.match(dest_psid))
	      return false;
	  }

	return pid_ok;
       }

      static bool validate_tls_plain(Buffer& recv, ProtoContext& proto, TimePtr now)
      {
	// advance buffer past initial op byte
	recv.advance(1);

	// verify source PSID
	ProtoSessionID src_psid(recv);
	if (!proto.psid_peer.match(src_psid))
	  return false;

	// make sure that our own PSID is contained in packet received from peer
	if (ReliableAck::ack_skip(recv))
	  {
	    ProtoSessionID dest_psid(recv);
	    if (!proto.psid_self.match(dest_psid))
	      return false;
	  }
	return true;
      }

      bool do_encrypt(BufferAllocated& buf, const bool compress_hint)
      {
	bool pid_wrap;

	// set MSS for segments client can receive
	if (proto.config->mss_inter > 0)
	  MSSFix::mssfix(buf, proto.config->mss_inter);

	// compress packet
	if (compress)
	  compress->compress(buf, compress_hint);

	// trigger renegotiation if we hit encrypt data limit
	if (data_limit)
	  data_limit_add(DataLimit::Encrypt, buf.size());

	if (enable_op32)
	  {
	    const std::uint32_t op32 = htonl(op32_compose(DATA_V2, key_id_, remote_peer_id));

	    static_assert(sizeof(op32) == OP_SIZE_V2, "OP_SIZE_V2 inconsistency");

	    // encrypt packet
	    pid_wrap = crypto->encrypt(buf, now->seconds_since_epoch(), (const unsigned char *)&op32);

	    // prepend op
	    buf.prepend((const unsigned char *)&op32, sizeof(op32));
	  }
	else
	  {
	    // encrypt packet
	    pid_wrap = crypto->encrypt(buf, now->seconds_since_epoch(), nullptr);

	    // prepend op
	    buf.push_front(op_compose(DATA_V1, key_id_));
	  }
	return pid_wrap;
      }

      // cache op32 and remote_peer_id
      void cache_op32()
      {
	enable_op32 = proto.config->enable_op32;
	remote_peer_id = proto.config->remote_peer_id;
      }

      void set_state(const int newstate)
      {
	OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " KeyContext[" << key_id_ << "] " << state_string(state) << " -> " << state_string(newstate));
	state = newstate;
      }

      void set_event(const EventType current)
      {
	OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " KeyContext[" << key_id_ << "] " << event_type_string(current));
	current_event = current;
      }

      void set_event(const EventType current, const EventType next, const Time& next_time)
      {
	OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " KeyContext[" << key_id_ << "] " << event_type_string(current) << " -> " << event_type_string(next) << '(' << seconds_until(next_time) << ')');
	current_event = current;
	next_event = next;
	next_event_time = next_time;
      }

      void invalidate_callback() // called by ProtoStackBase when session is invalidated
      {
	reached_active_time_ = Time();
	next_event = KEV_NONE;
	next_event_time = Time::infinite();
      }

      // Trigger a renegotiation based on data flow condition such
      // as per-key data limit or packet ID approaching wraparound.
      void schedule_key_limit_renegotiation()
      {
	if (!key_limit_renegotiation_fired && state >= ACTIVE && !invalidated())
	  {
	    OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " SCHEDULE KEY LIMIT RENEGOTIATION");

	    key_limit_renegotiation_fired = true;
	    proto.stats->error(Error::N_KEY_LIMIT_RENEG);

	    // If primary, renegotiate now (within a second or two).
	    // If secondary, queue the renegotiation request until
	    // key reaches primary.
	    if (next_event == KEV_BECOME_PRIMARY) // secondary key before transition to primary?
	      set_event(KEV_RENEGOTIATE_QUEUE);   // reneg request crosses over to primary, doesn't wipe next_event (KEV_BECOME_PRIMARY)
	    else
	      key_limit_reneg(KEV_RENEGOTIATE, *now);
	  }
      }

      // Handle data-limited keys such as Blowfish and other 64-bit block-size ciphers.
      void data_limit_add(const DataLimit::Mode mode, const size_t size)
      {
	const DataLimit::State state = data_limit->add(mode, size);
	if (state > DataLimit::None)
	  data_limit_event(mode, state);
      }

      // Handle a DataLimit event.
      void data_limit_event(const DataLimit::Mode mode, const DataLimit::State state)
      {
	OPENVPN_LOG_PROTO_VERBOSE(proto.debug_prefix() << " DATA LIMIT " << DataLimit::mode_str(mode) << ' ' << DataLimit::state_str(state) << " key_id=" << key_id_);

	// State values:
	//   DataLimit::Green -- first packet received and decrypted.
	//   DataLimit::Red -- data limit has been exceeded, so trigger a renegotiation.
	if (state == DataLimit::Red)
	  schedule_key_limit_renegotiation();

	// When we are in KEV_PRIMARY_PENDING state, we must receive at least
	// one packet from the peer on this key before we transition to
	// KEV_BECOME_PRIMARY so we can transmit on it.
	if (next_event == KEV_PRIMARY_PENDING && data_limit->is_decrypt_green())
	  set_event(KEV_NONE, KEV_BECOME_PRIMARY, *now + Time::Duration::seconds(1));
      }

      // Should we enter KEV_PRIMARY_PENDING state?  Do it if:
      // 1. we are a client,
      // 2. data limit is enabled,
      // 3. this is a renegotiated key in secondary context, i.e. not the first key, and
      // 4. no data received yet from peer on this key.
      bool data_limit_defer() const
      {
	return !proto.is_server() && data_limit && key_id_ && !data_limit->is_decrypt_green();
      }

      // General expiration set when key hits data limit threshold.
      Time data_limit_expire() const
      {
	return *now + (proto.config->handshake_window * 2);
      }

      void active_event()
      {
	set_event(KEV_ACTIVE, KEV_BECOME_PRIMARY, reached_active() + proto.config->become_primary);
      }

      void process_next_event()
      {
	if (*now >= next_event_time)
	  {
	    switch (next_event)
	      {
	      case KEV_BECOME_PRIMARY:
		if (data_limit_defer())
		  set_event(KEV_NONE, KEV_PRIMARY_PENDING, data_limit_expire());
		else
		  set_event(KEV_BECOME_PRIMARY, KEV_RENEGOTIATE, construct_time + proto.config->renegotiate);
		break;
	      case KEV_RENEGOTIATE:
	      case KEV_RENEGOTIATE_FORCE:
		prepare_expire(next_event);
		break;
	      case KEV_NEGOTIATE:
		kev_error(KEV_NEGOTIATE, Error::KEV_NEGOTIATE_ERROR);
		break;
	      case KEV_PRIMARY_PENDING:
		kev_error(KEV_PRIMARY_PENDING, Error::KEV_PENDING_ERROR);
		break;
	      case KEV_EXPIRE:
		kev_error(KEV_EXPIRE, Error::N_KEV_EXPIRE);
		break;
	      default:
		break;
	      }
	  }
      }

      void kev_error(const EventType ev, const Error::Type reason)
      {
	proto.stats->error(reason);
	invalidate(reason);
	set_event(ev);
      }

      unsigned int initial_op(const bool sender, const bool tls_crypt_v2) const
      {
	if (key_id_)
	  {
	    return CONTROL_SOFT_RESET_V1;
	  }
	else
	  {
	    if (proto.is_server() == sender)
	      return CONTROL_HARD_RESET_SERVER_V2;

	    if (!tls_crypt_v2)
	      return CONTROL_HARD_RESET_CLIENT_V2;
	    else
	      return CONTROL_HARD_RESET_CLIENT_V3;
	  }
      }

      void send_reset()
      {
	Packet pkt;
	pkt.opcode = initial_op(true, proto.tls_wrap_mode == TLS_CRYPT_V2);
	pkt.frame_prepare(*proto.config->frame, Frame::WRITE_SSL_INIT);
	raw_send(std::move(pkt));
      }

      void raw_recv(Packet&& raw_pkt)  // called by ProtoStackBase
      {
	if (raw_pkt.buf->empty() &&
	    raw_pkt.opcode == initial_op(false, proto.tls_wrap_mode == TLS_CRYPT_V2))
	  {
	    switch (state)
	      {
	      case C_WAIT_RESET:
		//send_reset(); // fixme -- possibly not needed
		set_state(C_WAIT_RESET_ACK);
		break;
	      case S_WAIT_RESET:
		send_reset();
		set_state(S_WAIT_RESET_ACK);
		break;
	      }
	  }
      }

      void app_recv(BufferPtr&& to_app_buf) // called by ProtoStackBase
      {
	app_recv_buf.put(std::move(to_app_buf));
	if (app_recv_buf.size() > APP_MSG_MAX)
	  throw proto_error("app_recv: received control message is too large");
	BufferComposed::Complete bcc = app_recv_buf.complete();
	switch (state)
	  {
	  case C_WAIT_AUTH:
	    if (recv_auth_complete(bcc))
	      {
		recv_auth(bcc.get());
		set_state(C_WAIT_AUTH_ACK);
	      }
	    break;
	  case S_WAIT_AUTH:
	    if (recv_auth_complete(bcc))
	      {
		recv_auth(bcc.get());
		send_auth();
		set_state(S_WAIT_AUTH_ACK);
	      }
	    break;
	  case S_WAIT_AUTH_ACK: // rare case where client receives auth, goes ACTIVE, but the ACK response is dropped
	  case ACTIVE:
	    if (bcc.advance_to_null()) // does composed buffer contain terminating null char?
	      proto.app_recv(key_id_, bcc.get());
	    break;
	  }
      }

      void net_send(const Packet& net_pkt, const Base::NetSendType nstype)  // called by ProtoStackBase
      {
	if (!is_reliable || nstype != Base::NET_SEND_RETRANSMIT) // retransmit packets on UDP only, not TCP
	  proto.net_send(key_id_, net_pkt);
      }

      void post_ack_action()
      {
	if (state <= LAST_ACK_STATE && !rel_send.n_unacked())
	  {
	    switch (state)
	      {
	      case C_WAIT_RESET_ACK:
		start_handshake();
		send_auth();
		set_state(C_WAIT_AUTH);
		break;
	      case S_WAIT_RESET_ACK:
		start_handshake();
		set_state(S_WAIT_AUTH);
		break;
	      case C_WAIT_AUTH_ACK:
		active();
		set_state(ACTIVE);
		break;
	      case S_WAIT_AUTH_ACK:
		active();
		set_state(ACTIVE);
		break;
	      }
	  }
      }

      void send_auth()
      {
	BufferPtr buf = new BufferAllocated();
	proto.config->frame->prepare(Frame::WRITE_SSL_CLEARTEXT, *buf);
	buf->write(proto_context_private::auth_prefix, sizeof(proto_context_private::auth_prefix));
	tlsprf->self_randomize(*proto.config->rng);
	tlsprf->self_write(*buf);
	const std::string options = proto.config->options_string();
	write_auth_string(options, *buf);
	if (!proto.is_server())
	  {
	    OPENVPN_LOG_PROTO("Tunnel Options:" << options);
	    buf->or_flags(BufferAllocated::DESTRUCT_ZERO);
	    if (proto.config->xmit_creds)
	      proto.client_auth(*buf);
	    else
	      {
		write_empty_string(*buf); // username
		write_empty_string(*buf); // password
	      }
	    const std::string peer_info = proto.config->peer_info_string();
	    write_auth_string(peer_info, *buf);
	  }
	app_send_validate(std::move(buf));
	dirty = true;
      }

      void recv_auth(BufferPtr buf)
      {
	const unsigned char *buf_pre = buf->read_alloc(sizeof(proto_context_private::auth_prefix));
	if (std::memcmp(buf_pre, proto_context_private::auth_prefix, sizeof(proto_context_private::auth_prefix)))
	  throw proto_error("bad_auth_prefix");
	tlsprf->peer_read(*buf);
	const std::string options = read_auth_string<std::string>(*buf);
	if (proto.is_server())
	  {
	    const std::string username = read_auth_string<std::string>(*buf);
	    const SafeString password = read_auth_string<SafeString>(*buf);
	    const std::string peer_info = read_auth_string<std::string>(*buf);
	    proto.server_auth(username, password, peer_info, Base::auth_cert());
	  }
      }

      // return true if complete recv_auth message is contained in buffer
      bool recv_auth_complete(BufferComplete& bc) const
      {
	if (!bc.advance(sizeof(proto_context_private::auth_prefix)))
	  return false;
	if (!tlsprf->peer_read_complete(bc))
	  return false;
	if (!bc.advance_string()) // options
	  return false;
	if (proto.is_server())
	  {
	    if (!bc.advance_string()) // username
	      return false;
	    if (!bc.advance_string()) // password
	      return false;
	    if (!bc.advance_string()) // peer_info
	      return false;
	  }
	return true;
      }

      void active()
      {
	if (proto.config->debug_level >= 1)
	  OPENVPN_LOG_SSL("SSL Handshake: " << Base::ssl_handshake_details());
	/*  Our internal state machine only decides after push request what protocol
	 * options we want to use. Therefore we also have to postpone data key
	 * generation until this happens, create a empty DataChannelKey as
	 * placeholder */
	data_channel_key.reset(new DataChannelKey());

	if (!proto.dc_deferred)
	  {
	    init_data_channel();
	  }

	while (!app_pre_write_queue.empty())
	  {
	    app_send_validate(std::move(app_pre_write_queue.front()));
	    app_pre_write_queue.pop_front();
	    dirty = true;
	  }
	reached_active_time_ = *now;
	proto.slowest_handshake_.max(reached_active_time_ - construct_time);
	active_event();
      }

      void prepend_dest_psid_and_acks(Buffer& buf)
      {
	// if sending ACKs, prepend dest PSID
	if (!xmit_acks.empty())
	  {
	    if (proto.psid_peer.defined())
	      proto.psid_peer.prepend(buf);
	    else
	      {
		proto.stats->error(Error::CC_ERROR);
		throw proto_error("peer_psid_undef");
	      }
	  }

	// prepend ACKs for messages received from peer
	xmit_acks.prepend(buf);
      }

      bool verify_src_psid(const ProtoSessionID& src_psid)
      {
	if (proto.psid_peer.defined())
	  {
	    if (!proto.psid_peer.match(src_psid))
	      {
		proto.stats->error(Error::CC_ERROR);
		if (proto.is_tcp())
		  invalidate(Error::CC_ERROR);
		return false;
	      }
	  }
	else
	  {
	    proto.psid_peer = src_psid;
	  }
	return true;
      }

      bool verify_dest_psid(Buffer& buf)
      {
	ProtoSessionID dest_psid(buf);
	if (!proto.psid_self.match(dest_psid))
	  {
	    proto.stats->error(Error::CC_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::CC_ERROR);
	    return false;
	  }
	return true;
      }

      void gen_head_tls_auth(const unsigned int opcode, Buffer& buf)
      {
	// write tls-auth packet ID
	proto.ta_pid_send.write_next(buf, true, now->seconds_since_epoch());

	// make space for tls-auth HMAC
	buf.prepend_alloc(proto.hmac_size);

	// write source PSID
	proto.psid_self.prepend(buf);

	// write opcode
	buf.push_front(op_compose(opcode, key_id_));

	// write hmac
	proto.ta_hmac_send->ovpn_hmac_gen(buf.data(), buf.size(),
					  1 + ProtoSessionID::SIZE,
					  proto.hmac_size,
					  PacketID::size(PacketID::LONG_FORM));
      }

      void gen_head_tls_crypt(const unsigned int opcode, BufferAllocated& buf)
      {
	// in 'work' we store all the fields that are not supposed to be encrypted
	proto.config->frame->prepare(Frame::ENCRYPT_WORK, work);
	// make space for HMAC
	work.prepend_alloc(proto.hmac_size);
	// write tls-crypt packet ID
	proto.ta_pid_send.write_next(work, true, now->seconds_since_epoch());
	// write source PSID
	proto.psid_self.prepend(work);
	// write opcode
	work.push_front(op_compose(opcode, key_id_));

	// compute HMAC using header fields (from 'work') and plaintext
	// payload (from 'buf')
	proto.tls_crypt_send->hmac_gen(work.data(), TLSCryptContext::hmac_offset,
				       buf.c_data(), buf.size());

	const size_t data_offset = TLSCryptContext::hmac_offset + proto.hmac_size;

	// encrypt the content of 'buf' (packet payload) into 'work'
	const size_t decrypt_bytes = proto.tls_crypt_send->encrypt(work.c_data() + TLSCryptContext::hmac_offset,
								   work.data() + data_offset,
								   work.max_size() - data_offset,
								   buf.c_data(), buf.size());
	if (!decrypt_bytes)
	  {
	    buf.reset_size();
	    return;
	  }
	work.inc_size(decrypt_bytes);

	// append WKc to wrapped packet for tls-crypt-v2
	if ((opcode == CONTROL_HARD_RESET_CLIENT_V3)
	    && (proto.tls_wrap_mode == TLS_CRYPT_V2))
	  proto.tls_crypt_append_wkc(work);

	// 'work' now contains the complete packet ready to go. swap it with 'buf'
	buf.swap(work);
      }

      void gen_head_tls_plain(const unsigned int opcode, Buffer& buf)
      {
	// write source PSID
        proto.psid_self.prepend(buf);
	// write opcode
	buf.push_front(op_compose(opcode, key_id_));
      }

      void gen_head(const unsigned int opcode, BufferAllocated& buf)
      {
	switch (proto.tls_wrap_mode)
	  {
	    case TLS_AUTH:
	      gen_head_tls_auth(opcode, buf);
	      break;
	    case TLS_CRYPT:
	    case TLS_CRYPT_V2:
	      gen_head_tls_crypt(opcode, buf);
	      break;
	    case TLS_PLAIN:
	      gen_head_tls_plain(opcode, buf);
	      break;
	  }
      }

      void encapsulate(id_t id, Packet& pkt) // called by ProtoStackBase
      {
	BufferAllocated& buf = *pkt.buf;

	// prepend message sequence number
	ReliableAck::prepend_id(buf, id);

	// prepend dest PSID and ACKs to reply to peer
	prepend_dest_psid_and_acks(buf);

	// generate message head
	gen_head(pkt.opcode, buf);
      }

      void generate_ack(Packet& pkt) // called by ProtoStackBase
      {
	BufferAllocated& buf = *pkt.buf;

	// prepend dest PSID and ACKs to reply to peer
	prepend_dest_psid_and_acks(buf);

	gen_head(ACK_V1, buf);
      }

      bool decapsulate_post_process(Packet& pkt, ProtoSessionID& src_psid, const PacketID pid)
      {
	Buffer& recv = *pkt.buf;

	// update our last-packet-received time
	proto.update_last_received();

	// verify source PSID
	if (!verify_src_psid(src_psid))
	  return false;

	// get current time_t
	const PacketID::time_t t = now->seconds_since_epoch();
	// verify tls_auth/crypt packet ID
	const bool pid_ok = proto.ta_pid_recv.test_add(pid, t, false);

	// process ACKs sent by peer (if packet ID check failed,
	// read the ACK IDs, but don't modify the rel_send object).
	if (ReliableAck::ack(rel_send, recv, pid_ok))
	  {
	    // make sure that our own PSID is contained in packet received from peer
	    if (!verify_dest_psid (recv))
	      return false;
	  }

	// for CONTROL packets only, not ACK
	if (pkt.opcode != ACK_V1)
	  {
	    // get message sequence number
	    const id_t id = ReliableAck::read_id (recv);

	    if (pid_ok)
	      {
		// try to push message into reliable receive object
		const unsigned int rflags = rel_recv.receive (pkt, id);

		// should we ACK packet back to sender?
		if (rflags & ReliableRecv::ACK_TO_SENDER)
		  xmit_acks.push_back (id); // ACK packet to sender

		// was packet accepted by reliable receive object?
		if (rflags & ReliableRecv::IN_WINDOW)
		  {
		    proto.ta_pid_recv.test_add (pid, t, true); // remember tls_auth packet ID so that it can't be replayed
		    return true;
		  }
	      }
	    else // treat as replay
	      {
		proto.stats->error (Error::REPLAY_ERROR);
		if (pid.is_valid ())
		  xmit_acks.push_back (id); // even replayed packets must be ACKed or protocol could deadlock
	      }
	  }
	else
	  {
	    if (pid_ok)
	      proto.ta_pid_recv.test_add (pid, t, true); // remember tls_auth packet ID of ACK packet to prevent replay
	    else
	      proto.stats->error (Error::REPLAY_ERROR);
	  }
	return false;

      }

      bool decapsulate_tls_auth(Packet &pkt)
      {
	Buffer& recv = *pkt.buf;
	const unsigned char *orig_data = recv.data ();
	const size_t orig_size = recv.size ();

	// advance buffer past initial op byte
	recv.advance (1);

	// get source PSID
	ProtoSessionID src_psid (recv);

	// verify HMAC
	{
	  recv.advance (proto.hmac_size);
	  if (!proto.ta_hmac_recv->ovpn_hmac_cmp(orig_data, orig_size,
						 1 + ProtoSessionID::SIZE,
						 proto.hmac_size,
						 PacketID::size (PacketID::LONG_FORM)))
	    {
	      proto.stats->error(Error::HMAC_ERROR);
	      if (proto.is_tcp())
		invalidate(Error::HMAC_ERROR);
	      return false;
	    }
	}

	// read tls_auth packet ID
	const PacketID pid = proto.ta_pid_recv.read_next(recv);

	return decapsulate_post_process(pkt, src_psid, pid);
      }

      bool decapsulate_tls_crypt(Packet &pkt)
      {
	BufferAllocated& recv = *pkt.buf;
	const unsigned char *orig_data = recv.data();
	const size_t orig_size = recv.size();

	// advance buffer past initial op byte
	recv.advance(1);
	// get source PSID
	ProtoSessionID src_psid(recv);
	// get tls-crypt packet ID
	const PacketID pid = proto.ta_pid_recv.read_next(recv);
	// skip the hmac
	recv.advance(proto.hmac_size);

	const size_t data_offset = TLSCryptContext::hmac_offset + proto.hmac_size;
	if (orig_size < data_offset)
	  return false;

	// decrypt payload
	proto.config->frame->prepare(Frame::DECRYPT_WORK, work);

	const size_t decrypt_bytes = proto.tls_crypt_recv->decrypt(orig_data + TLSCryptContext::hmac_offset,
								   work.data(), work.max_size(),
								   recv.c_data(), recv.size());
	if (!decrypt_bytes)
	  {
	    proto.stats->error(Error::DECRYPT_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::DECRYPT_ERROR);
	    return false;
	  }

	work.inc_size(decrypt_bytes);

	// verify HMAC
	if (!proto.tls_crypt_recv->hmac_cmp(orig_data, TLSCryptContext::hmac_offset,
					    work.c_data(), work.size()))
	  {
	    proto.stats->error(Error::HMAC_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::HMAC_ERROR);
	    return false;
	  }

	// move the decrypted payload to 'recv', so that the processing of the
	// packet can continue
	recv.swap(work);

	return decapsulate_post_process(pkt, src_psid, pid);
      }

      bool decapsulate_tls_plain(Packet &pkt)
      {
	Buffer& recv = *pkt.buf;

	// update our last-packet-received time
	proto.update_last_received();

	// advance buffer past initial op byte
	recv.advance(1);

	// verify source PSID
	ProtoSessionID src_psid(recv);
	if (!verify_src_psid(src_psid))
	  return false;

	// process ACKs sent by peer
	if (ReliableAck::ack(rel_send, recv, true))
	  {
	    // make sure that our own PSID is in packet received from peer
	    if (!verify_dest_psid(recv))
	      return false;
	  }

	// for CONTROL packets only, not ACK
	if (pkt.opcode != ACK_V1)
	  {
	    // get message sequence number
	    const id_t id = ReliableAck::read_id(recv);

	    // try to push message into reliable receive object
	    const unsigned int rflags = rel_recv.receive(pkt, id);

	    // should we ACK packet back to sender?
	    if (rflags & ReliableRecv::ACK_TO_SENDER)
	      xmit_acks.push_back(id); // ACK packet to sender

	    // was packet accepted by reliable receive object?
	    if (rflags & ReliableRecv::IN_WINDOW)
	      return true;
	  }
	return false;
      }

      bool unwrap_tls_crypt_wkc(Buffer &recv)
      {
	// the ``WKc`` is located at the end of the packet, after the tls-crypt
	// payload.
	// Format is as follows (as documented by Steffan Krager):
	//
	// ``len = len(WKc)`` (16 bit, network byte order)
	// ``T = HMAC-SHA256(Ka, len || Kc || metadata)``
	// ``IV = 128 most significant bits of T``
	// ``WKc = T || AES-256-CTR(Ke, IV, Kc || metadata) || len``

	const unsigned char *orig_data = recv.data();
	const size_t orig_size = recv.size();
	const size_t hmac_size = proto.config->tls_crypt_context->digest_size();
	const size_t tls_frame_size = 1 + ProtoSessionID::SIZE +
				      PacketID::size(PacketID::LONG_FORM) +
				      hmac_size +
				      // the following is the tls-crypt payload
				      sizeof(char) +  // length of ACK array
				      sizeof(id_t); // reliable ID

	// check that at least the authentication tag ``T`` is present
	if (orig_size < (tls_frame_size + hmac_size))
	  return false;

	// the ``WKc`` is just appended after the standard tls-crypt frame
	const unsigned char *wkc_raw = orig_data + tls_frame_size;
	const size_t wkc_raw_size = orig_size - tls_frame_size - sizeof(uint16_t);
	// retrieve the ``WKc`` len from the bottom of the packet and convert it to Host Order
	uint16_t wkc_len = ntohs(*(uint16_t *)(wkc_raw + wkc_raw_size));
	// length sanity check (the size of the ``len`` field is included in the value)
	if ((wkc_len - sizeof(uint16_t)) != wkc_raw_size)
	  return false;

	BufferAllocated plaintext(wkc_len, BufferAllocated::CONSTRUCT_ZERO);
	// plaintext will be used to compute the Auth Tag, therefore start by prepnding
	// the WKc length in network order
	wkc_len = htons(wkc_len);
	plaintext.write(&wkc_len, sizeof(wkc_len));
	const size_t decrypt_bytes = proto.tls_crypt_server->decrypt(wkc_raw,
								     plaintext.data() + 2,
								     plaintext.max_size() - 2,
								     wkc_raw + hmac_size,
								     wkc_raw_size - hmac_size);
	plaintext.inc_size(decrypt_bytes);
	// decrypted data must at least contain a full 2048bits client key
	// (metadata is optional)
	if (plaintext.size() < OpenVPNStaticKey::KEY_SIZE)
	  {
	    proto.stats->error(Error::DECRYPT_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::DECRYPT_ERROR);
	    return false;
	  }

	if (!proto.tls_crypt_server->hmac_cmp(wkc_raw, 0,
					      plaintext.c_data(),
					      plaintext.size()))
	  {
	    proto.stats->error(Error::HMAC_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::HMAC_ERROR);
	    return false;
	  }

	// we can now remove the WKc length from the plaintext, as it is not
	// really part of the key material
	plaintext.advance(sizeof(wkc_len));

	// WKc has been authenticated: it contains the client key followed
	// by the optional metadata. Let's initialize the tls-crypt context
	// with the client key

	OpenVPNStaticKey client_key;
	plaintext.read(client_key.raw_alloc(), OpenVPNStaticKey::KEY_SIZE);
	proto.reset_tls_crypt(*proto.config, client_key);

	// verify metadata
	int metadata_type = -1;
	if (!plaintext.empty())
	  metadata_type = plaintext.pop_front();

	if (!proto.tls_crypt_metadata->verify(metadata_type, plaintext))
	  {
	    proto.stats->error(Error::TLS_CRYPT_META_FAIL);
	    return false;
	  }

	// virtually remove the WKc from the packet
	recv.set_size(tls_frame_size);

	return true;
      }

      bool decapsulate(Packet& pkt) // called by ProtoStackBase
      {
	try {
	  switch (proto.tls_wrap_mode)
	  {
	    case TLS_AUTH:
	      return decapsulate_tls_auth(pkt);
	    case TLS_CRYPT_V2:
	      if (pkt.opcode == CONTROL_HARD_RESET_CLIENT_V3)
		{
		  // unwrap WKc and extract Kc (client key) from packet.
		  // This way we can initialize the tls-crypt per-client contexts
		  // (this happens on the server side only)
		  if (!unwrap_tls_crypt_wkc(*pkt.buf))
		  {
		    return false;
		  }
		}
	      // now that the tls-crypt contexts have been initialized it is
	      // possible to proceed with the standard tls-crypt decapsulation
	      /* no break */
	    case TLS_CRYPT:
	      return decapsulate_tls_crypt(pkt);
	    case TLS_PLAIN:
	      return decapsulate_tls_plain(pkt);
	    }
	}
	catch (BufferException&)
	  {
	    proto.stats->error(Error::BUFFER_ERROR);
	    if (proto.is_tcp())
	      invalidate(Error::BUFFER_ERROR);
	  }
	return false;
      }

      // for debugging
      static const char *state_string(const int s)
      {
	switch (s)
	  {
	  case C_WAIT_RESET_ACK:
	    return "C_WAIT_RESET_ACK";
	  case C_WAIT_AUTH_ACK:
	    return "C_WAIT_AUTH_ACK";
	  case S_WAIT_RESET_ACK:
	    return "S_WAIT_RESET_ACK";
	  case S_WAIT_AUTH_ACK:
	    return "S_WAIT_AUTH_ACK";
	  case C_INITIAL:
	    return "C_INITIAL";
	  case C_WAIT_RESET:
	    return "C_WAIT_RESET";
	  case C_WAIT_AUTH:
	    return "C_WAIT_AUTH";
	  case S_INITIAL:
	    return "S_INITIAL";
	  case S_WAIT_RESET:
	    return "S_WAIT_RESET";
	  case S_WAIT_AUTH:
	    return "S_WAIT_AUTH";
	  case ACTIVE:
	    return "ACTIVE";
	  default:
	    return "STATE_UNDEF";
	  }
      }

      // for debugging
      int seconds_until(const Time& next_time)
      {
	Time::Duration d = next_time - *now;
	if (d.is_infinite())
	  return -1;
	else
	  return d.to_seconds();
      }

      // BEGIN KeyContext data members

      ProtoContext& proto; // parent
      int state;
      unsigned int key_id_;
      unsigned int crypto_flags;
      int remote_peer_id; // -1 to disable
      bool enable_op32;
      bool dirty;
      bool key_limit_renegotiation_fired;
      bool is_reliable;
      Compress::Ptr compress;
      CryptoDCInstance::Ptr crypto;
      TLSPRFInstance::Ptr tlsprf;
      Time construct_time;
      Time reached_active_time_;
      Time next_event_time;
      EventType current_event;
      EventType next_event;
      std::deque<BufferPtr> app_pre_write_queue;
      std::unique_ptr<DataChannelKey> data_channel_key;
      BufferComposed app_recv_buf;
      std::unique_ptr<DataLimit> data_limit;
      BufferAllocated work;

      // static member used by validate_tls_crypt()
      static BufferAllocated static_work;
    };

  public:
    class TLSWrapPreValidate : public RC<thread_unsafe_refcount>
    {
    public:
      typedef RCPtr<TLSWrapPreValidate> Ptr;

      virtual bool validate(const BufferAllocated& net_buf) = 0;
    };

    // Validate the integrity of a packet, only considering tls-auth HMAC.
    class TLSAuthPreValidate : public TLSWrapPreValidate
    {
    public:
      OPENVPN_SIMPLE_EXCEPTION(tls_auth_pre_validate);

      TLSAuthPreValidate(const Config& c, const bool server)
      {
	if (!c.tls_auth_enabled())
	  throw tls_auth_pre_validate();

	// save hard reset op we expect to receive from peer
	reset_op = server ? CONTROL_HARD_RESET_CLIENT_V2 : CONTROL_HARD_RESET_SERVER_V2;

	// init OvpnHMACInstance
	ta_hmac_recv = c.tls_auth_context->new_obj();

	// init tls_auth hmac
	if (c.key_direction >= 0)
	  {
	    // key-direction is 0 or 1
	    const unsigned int key_dir = c.key_direction ? OpenVPNStaticKey::INVERSE : OpenVPNStaticKey::NORMAL;
	    ta_hmac_recv->init(c.tls_key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::DECRYPT | key_dir));
	  }
	else
	  {
	    // key-direction bidirectional mode
	    ta_hmac_recv->init(c.tls_key.slice(OpenVPNStaticKey::HMAC));
	  }
      }

      bool validate(const BufferAllocated& net_buf)
      {
	try
	{
	    if (!net_buf.size())
	      return false;

	    const unsigned int op = net_buf[0];
	    if (opcode_extract(op) != reset_op || key_id_extract(op) != 0)
	      return false;

	    return ta_hmac_recv->ovpn_hmac_cmp(net_buf.c_data(), net_buf.size(),
					       1 + ProtoSessionID::SIZE,
					       ta_hmac_recv->output_size(),
					       PacketID::size(PacketID::LONG_FORM));
	}
	catch (BufferException&)
	{
	}

	return false;
      }

    private:
      OvpnHMACInstance::Ptr ta_hmac_recv;
      unsigned int reset_op;
    };

    class TLSCryptPreValidate : public TLSWrapPreValidate
    {
    public:
      OPENVPN_SIMPLE_EXCEPTION(tls_crypt_pre_validate);

      TLSCryptPreValidate(const Config& c, const bool server)
      {
	if (!c.tls_crypt_enabled())
	  throw tls_crypt_pre_validate();

	// save hard reset op we expect to receive from peer
	reset_op = server ? CONTROL_HARD_RESET_CLIENT_V2 : CONTROL_HARD_RESET_SERVER_V2;

	tls_crypt_recv = c.tls_crypt_context->new_obj_recv();

	// static direction assignment - not user configurable
	const unsigned int key_dir = server ? OpenVPNStaticKey::NORMAL : OpenVPNStaticKey::INVERSE;
	tls_crypt_recv->init(c.tls_key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::DECRYPT | key_dir),
			     c.tls_key.slice(OpenVPNStaticKey::CIPHER | OpenVPNStaticKey::DECRYPT | key_dir));

	// needed to create the decrypt buffer during validation
	frame = c.frame;
      }

      bool validate(const BufferAllocated& net_buf)
      {
	try
	{
	    if (!net_buf.size())
	      return false;

	    const unsigned int op = net_buf[0];
	    if (opcode_extract(op) != reset_op || key_id_extract(op) != 0)
	      return false;

	    const size_t data_offset = TLSCryptContext::hmac_offset + tls_crypt_recv->output_hmac_size();
	    if (net_buf.size() < data_offset)
	      return false;

	    frame->prepare(Frame::DECRYPT_WORK, work);

	    // decrypt payload from 'net_buf' into 'work'
	    const size_t decrypt_bytes = tls_crypt_recv->decrypt(net_buf.c_data() + TLSCryptContext::hmac_offset,
								 work.data(), work.max_size(),
								 net_buf.c_data() + data_offset,
								 net_buf.size() - data_offset);
	    if (!decrypt_bytes)
	      return false;

	    work.inc_size(decrypt_bytes);

	    // verify HMAC
	    return tls_crypt_recv->hmac_cmp(net_buf.c_data(),
					    TLSCryptContext::hmac_offset,
					    work.data(), work.size());
	}
	catch (BufferException&)
	{
	}
	return false;
      }

    protected:
      unsigned int reset_op;

    private:
      TLSCryptInstance::Ptr tls_crypt_recv;
      Frame::Ptr frame;
      BufferAllocated work;
    };

    class TLSCryptV2PreValidate : public TLSCryptPreValidate
    {
        public:
          OPENVPN_SIMPLE_EXCEPTION(tls_crypt_v2_pre_validate);

          TLSCryptV2PreValidate(const Config& c, const bool server)
	    : TLSCryptPreValidate(c, server)
          {
            if (!c.tls_crypt_v2_enabled())
              throw tls_crypt_v2_pre_validate();

            // in case of server peer, we expect the new v3 packet type
            if (server)
              reset_op = CONTROL_HARD_RESET_CLIENT_V3;
          }
    };

    OPENVPN_SIMPLE_EXCEPTION(select_key_context_error);

    ProtoContext(const Config::Ptr& config_arg,             // configuration
		 const SessionStats::Ptr& stats_arg)        // error stats
      : config(config_arg),
	stats(stats_arg),
	mode_(config_arg->ssl_factory->mode()),
	n_key_ids(0),
	now_(config_arg->now)
    {
      const Config& c = *config;

      // tls-auth setup
      if (c.tls_crypt_v2_enabled())
	{
	  tls_wrap_mode = TLS_CRYPT_V2;

	  // get HMAC size from Digest object
	  hmac_size = c.tls_crypt_context->digest_size();
	}
      else if (c.tls_crypt_enabled())
	{
	  tls_wrap_mode = TLS_CRYPT;

	  // get HMAC size from Digest object
	  hmac_size = c.tls_crypt_context->digest_size();
	}
      else if (c.tls_auth_enabled())
	{
	  tls_wrap_mode = TLS_AUTH;

	  // get HMAC size from Digest object
	  hmac_size = c.tls_auth_context->size();
	}
      else
	{
	  tls_wrap_mode = TLS_PLAIN;
	  hmac_size = 0;
	}
    }

    uint32_t get_tls_warnings() const
    {
      if (primary)
	return primary->get_tls_warnings();

      OPENVPN_LOG("TLS: primary key context uninitialized. Can't retrieve TLS warnings");
      return 0;
    }

    bool uses_bs64_cipher() const
    {
      return is_bs64_cipher(conf().dc.cipher());
    }

    void reset_tls_crypt(const Config& c, const OpenVPNStaticKey& key)
    {
      tls_crypt_send = c.tls_crypt_context->new_obj_send();
      tls_crypt_recv = c.tls_crypt_context->new_obj_recv();

      // static direction assignment - not user configurable
      unsigned int key_dir = is_server() ?
			     OpenVPNStaticKey::NORMAL :
			     OpenVPNStaticKey::INVERSE;

      tls_crypt_send->init(key.slice(OpenVPNStaticKey::HMAC |
				     OpenVPNStaticKey::ENCRYPT | key_dir),
			   key.slice(OpenVPNStaticKey::CIPHER |
				     OpenVPNStaticKey::ENCRYPT | key_dir));
      tls_crypt_recv->init(key.slice(OpenVPNStaticKey::HMAC |
				     OpenVPNStaticKey::DECRYPT | key_dir),
			   key.slice(OpenVPNStaticKey::CIPHER |
				     OpenVPNStaticKey::DECRYPT | key_dir));
    }

    void reset_tls_crypt_server(const Config& c)
    {
      //tls-crypt session key is derived later from WKc received from the client
      tls_crypt_send.reset();
      tls_crypt_recv.reset();

      //server context is used only to process incoming WKc's
      tls_crypt_server = c.tls_crypt_context->new_obj_recv();

      //the server key is composed by one key set only, therefore direction and
      //mode should not be specified when slicing
      tls_crypt_server->init(c.tls_key.slice(OpenVPNStaticKey::HMAC),
			     c.tls_key.slice(OpenVPNStaticKey::CIPHER));

      tls_crypt_metadata = c.tls_crypt_metadata_factory->new_obj();
    }

    void reset()
    {
      const Config& c = *config;

      // defer data channel initialization until after client options pull?
      dc_deferred = c.dc_deferred;

      // clear key contexts
      reset_all();

      // start with key ID 0
      upcoming_key_id = 0;

      unsigned int key_dir;

      // tls-auth initialization
      switch (tls_wrap_mode)
	{
	  case TLS_CRYPT:
	    reset_tls_crypt(c, c.tls_key);
	    // init tls_crypt packet ID
	    ta_pid_send.init(PacketID::LONG_FORM);
	    ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
	    break;
	  case TLS_CRYPT_V2:
	    if (is_server())
	      // setup key to be used to unwrap WKc upon client connection.
	      // tls-crypt session key setup is postponed to reception of WKc
	      // from client
	      reset_tls_crypt_server(c);
	    else
	      reset_tls_crypt(c, c.tls_key);
	    // init tls_crypt packet ID
	    ta_pid_send.init(PacketID::LONG_FORM);
	    ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
	    break;
	  case TLS_AUTH:
	    // init OvpnHMACInstance
	    ta_hmac_send = c.tls_auth_context->new_obj();
	    ta_hmac_recv = c.tls_auth_context->new_obj();

	    // init tls_auth hmac
	    if (c.key_direction >= 0)
	      {
	        // key-direction is 0 or 1
	        key_dir = c.key_direction ? OpenVPNStaticKey::INVERSE : OpenVPNStaticKey::NORMAL;
	        ta_hmac_send->init(c.tls_key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::ENCRYPT | key_dir));
	        ta_hmac_recv->init(c.tls_key.slice(OpenVPNStaticKey::HMAC | OpenVPNStaticKey::DECRYPT | key_dir));
	      }
	    else
	      {
	        // key-direction bidirectional mode
	        ta_hmac_send->init(c.tls_key.slice(OpenVPNStaticKey::HMAC));
	        ta_hmac_recv->init(c.tls_key.slice(OpenVPNStaticKey::HMAC));
	      }

	    // init tls_auth packet ID
	    ta_pid_send.init(PacketID::LONG_FORM);
	    ta_pid_recv.init(c.pid_mode, PacketID::LONG_FORM, "SSL-CC", 0, stats);
	    break;
	  case TLS_PLAIN:
	    break;
      }

      // initialize proto session ID
      psid_self.randomize(*c.prng);
      psid_peer.reset();

      // initialize key contexts
      primary.reset(new KeyContext(*this, is_client()));
      OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " New KeyContext PRIMARY id=" << primary->key_id());

      // initialize keepalive timers
      keepalive_expire = Time::infinite();   // initially disabled
      update_last_sent();                    // set timer for initial keepalive send
    }

    void set_protocol(const Protocol& p)
    {
      config->set_protocol(p);
      if (primary)
	primary->set_protocol(p);
      if (secondary)
	secondary->set_protocol(p);
    }

    // Free up space when parent object has been halted but
    // object destruction is not immediately scheduled.
    void pre_destroy()
    {
      reset_all();
    }

    // Is primary key defined
    bool primary_defined()
    {
      return bool(primary);
    }

    virtual ~ProtoContext() {}

    // return the PacketType of an incoming network packet
    PacketType packet_type(const Buffer& buf)
    {
      return PacketType(buf, *this);
    }

    // start protocol negotiation
    void start()
    {
      if (!primary)
	throw proto_error("start: no primary key");
      primary->start();
      update_last_received(); // set an upper bound on when we expect a response
    }

    // trigger a protocol renegotiation
    void renegotiate()
    {
      // initialize secondary key context
      new_secondary_key(true);
      secondary->start();
    }

    // Should be called at the end of sequence of send/recv
    // operations on underlying protocol object.
    // If control_channel is true, do a full flush.
    // If control_channel is false, optimize flush for data
    // channel only.
    void flush(const bool control_channel)
    {
      if (control_channel || process_events())
	{
	  do {
	    if (primary)
	      primary->flush();
	    if (secondary)
	      secondary->flush();
	  } while (process_events());
	}
    }

    // Perform various time-based housekeeping tasks such as retransmiting
    // unacknowleged packets as part of the reliability layer and testing
    // for keepalive timouts.
    // Should be called at the time returned by next_housekeeping.
    void housekeeping()
    {
      // handle control channel retransmissions on primary
      if (primary)
	primary->retransmit();

      // handle control channel retransmissions on secondary
      if (secondary)
	secondary->retransmit();

      // handle possible events
      flush(false);

      // handle keepalive/expiration
      keepalive_housekeeping();
    }

    // When should we next call housekeeping?
    // Will return a time value for immediate execution
    // if session has been invalidated.
    Time next_housekeeping() const
    {
      if (!invalidated())
	{
	  Time ret = Time::infinite();
	  if (primary)
	    ret.min(primary->next_retransmit());
	  if (secondary)
	    ret.min(secondary->next_retransmit());
	  ret.min(keepalive_xmit);
	  ret.min(keepalive_expire);
	  return ret;
	}
      else
	return Time();
    }

    // send app-level cleartext to remote peer

    void control_send(BufferPtr&& app_bp)
    {
      select_control_send_context().app_send(std::move(app_bp));
    }

    void control_send(BufferAllocated&& app_buf)
    {
      control_send(app_buf.move_to_ptr());
    }

    // validate a control channel network packet
    bool control_net_validate(const PacketType& type, const Buffer& net_buf)
    {
      return type.is_defined() && KeyContext::validate(net_buf, *this, now_);
    }

    // pass received control channel network packets (ciphertext) into protocol object

    bool control_net_recv(const PacketType& type, BufferAllocated&& net_buf)
    {
      Packet pkt(net_buf.move_to_ptr(), type.opcode);
      if (type.is_soft_reset() && !renegotiate_request(pkt))
	return false;
      return select_key_context(type, true).net_recv(std::move(pkt));
    }

    bool control_net_recv(const PacketType& type, BufferPtr&& net_bp)
    {
      Packet pkt(std::move(net_bp), type.opcode);
      if (type.is_soft_reset() && !renegotiate_request(pkt))
	return false;
      return select_key_context(type, true).net_recv(std::move(pkt));
    }

    // encrypt a data channel packet using primary KeyContext
    void data_encrypt(BufferAllocated& in_out)
    {
      //OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " DATA ENCRYPT size=" << in_out.size());
      if (!primary)
	throw proto_error("data_encrypt: no primary key");
      primary->encrypt(in_out);
    }

    // decrypt a data channel packet (automatically select primary
    // or secondary KeyContext based on packet content)
    bool data_decrypt(const PacketType& type, BufferAllocated& in_out)
    {
      bool ret = false;

      //OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " DATA DECRYPT key_id=" << select_key_context(type, false).key_id() << " size=" << in_out.size());

      select_key_context(type, false).decrypt(in_out);

      // update time of most recent packet received
      if (in_out.size())
	{
	  update_last_received();
	  ret = true;
	}

      // discard keepalive packets
      if (proto_context_private::is_keepalive(in_out))
	{
	  in_out.reset_size();
	}

      return ret;
    }

    // enter disconnected state
    void disconnect(const Error::Type reason)
    {
      if (primary)
	primary->invalidate(reason);
      if (secondary)
	secondary->invalidate(reason);
    }

    // normally used by UDP clients to tell the server that
    // they are disconnecting
    void send_explicit_exit_notify()
    {
      if (is_client() && is_udp() && primary)
	primary->send_explicit_exit_notify();
    }

    // should be called after a successful network packet transmit
    void update_last_sent()
    {
      keepalive_xmit = *now_ + config->keepalive_ping;
    }

    // can we call data_encrypt or data_decrypt yet?
    bool data_channel_ready() const { return primary && primary->data_channel_ready(); }

    // total number of SSL/TLS negotiations during lifetime of ProtoContext object
    unsigned int negotiations() const { return n_key_ids; }

    // worst-case handshake time
    const Time::Duration& slowest_handshake() { return slowest_handshake_; }

    // was primary context invalidated by an exception?
    bool invalidated() const { return primary && primary->invalidated(); }

    // reason for invalidation if invalidated() above returns true
    Error::Type invalidation_reason() const { return primary->invalidation_reason(); }

    // Do late initialization of data channel, for example
    // on client after server push, or on server after client
    // capabilities are known.
    void init_data_channel()
    {
      dc_deferred = false;

      // initialize data channel (crypto & compression)
      if (primary)
	primary->init_data_channel();
      if (secondary)
	secondary->init_data_channel();
    }

    // Call on client with server-pushed options
    void process_push(const OptionList& opt, const ProtoContextOptions& pco)
    {
      // modify config with pushed options
      config->process_push(opt, pco);

      // in case keepalive parms were modified by push
      keepalive_parms_modified();
    }

    // Return the current transport alignment adjustment
    size_t align_adjust_hint() const
    {
      return config->enable_op32 ? 0 : 1;
    }

    // Return true if keepalive parameter(s) are enabled
    bool is_keepalive_enabled() const
    {
      return config->keepalive_ping.enabled()
	  || config->keepalive_timeout.enabled();
    }

    // Disable keepalive for rest of session,
    // but return the previous keepalive parameters.
    void disable_keepalive(unsigned int& keepalive_ping,
			   unsigned int& keepalive_timeout)
    {
      keepalive_ping = config->keepalive_ping.enabled() ? config->keepalive_ping.to_seconds() : 0;
      keepalive_timeout = config->keepalive_timeout.enabled() ? config->keepalive_timeout.to_seconds() : 0;
      config->keepalive_ping = Time::Duration::infinite();
      config->keepalive_timeout = Time::Duration::infinite();
      keepalive_parms_modified();
    }

    // Notify our component KeyContext when per-key Data Limits have been reached
    void data_limit_notify(const unsigned int key_id,
			   const DataLimit::Mode cdl_mode,
			   const DataLimit::State cdl_status)
    {
      if (primary && key_id == primary->key_id())
	primary->data_limit_notify(cdl_mode, cdl_status);
      else if (secondary && key_id == secondary->key_id())
	secondary->data_limit_notify(cdl_mode, cdl_status);
    }

    // access the data channel settings
    CryptoDCSettings& dc_settings()
    {
      return config->dc;
    }

    // reset the data channel factory
    void reset_dc_factory()
    {
      config->dc.reset();
    }

    // set the local peer ID (or -1 to disable)
    void set_local_peer_id(const int local_peer_id)
    {
      config->local_peer_id = local_peer_id;
    }

    // current time
    const Time& now() const { return *now_; }
    void update_now() { now_->update(); }

    // frame
    const Frame& frame() const { return *config->frame; }
    const Frame::Ptr& frameptr() const { return config->frame; }

    // client or server?
    const Mode& mode() const { return mode_; }
    bool is_server() const { return mode_.is_server(); }
    bool is_client() const { return mode_.is_client(); }

    // tcp/udp mode
    bool is_tcp() { return config->protocol.is_tcp(); }
    bool is_udp() { return config->protocol.is_udp(); }

    // configuration
    const Config& conf() const { return *config; }
    Config& conf() { return *config; }
    Config::Ptr conf_ptr() const { return config; }

    // stats
    SessionStats& stat() const { return *stats; }

  private:

    // TLS wrapping mode for the control channel
    enum TLSWrapMode {
      TLS_PLAIN,
      TLS_AUTH,
      TLS_CRYPT,
      TLS_CRYPT_V2
    };

    void reset_all()
    {
      if (primary)
	primary->rekey(CryptoDCInstance::DEACTIVATE_ALL);
      primary.reset();
      secondary.reset();
    }

    virtual void control_net_send(const Buffer& net_buf) = 0;

    // app may take ownership of app_bp via std::move
    virtual void control_recv(BufferPtr&& app_bp) = 0;

    // Called on client to request username/password credentials.
    // Should be overriden by derived class if credentials are required.
    // username and password should be written into buf with write_auth_string().
    virtual void client_auth(Buffer& buf)
    {
      write_empty_string(buf); // username
      write_empty_string(buf); // password
    }

    // Called on server with credentials and peer info provided by client.
    // Should be overriden by derived class if credentials are required.
    virtual void server_auth(const std::string& username,
			     const SafeString& password,
			     const std::string& peer_info,
			     const AuthCert::Ptr& auth_cert)
    {
    }

    // Called when initial KeyContext transitions to ACTIVE state
    virtual void active()
    {
    }

    void update_last_received()
    {
      keepalive_expire = *now_ + config->keepalive_timeout;
    }

    void net_send(const unsigned int key_id, const Packet& net_pkt)
    {
      control_net_send(net_pkt.buffer());
    }

    void app_recv(const unsigned int key_id, BufferPtr&& to_app_buf)
    {
      control_recv(std::move(to_app_buf));
    }

    // we're getting a request from peer to renegotiate.
    bool renegotiate_request(Packet& pkt)
    {
      if (KeyContext::validate(pkt.buffer(), *this, now_))
	{
	  new_secondary_key(false);
	  return true;
	}
      else
	return false;
    }

    // select a KeyContext (primary or secondary) for received network packets
    KeyContext& select_key_context(const PacketType& type, const bool control)
    {
      const unsigned int flags = type.flags & (PacketType::DEFINED|PacketType::SECONDARY|PacketType::CONTROL);
      if (!control)
	{
	  if (flags == (PacketType::DEFINED) && primary)
	    return *primary;
	  else if (flags == (PacketType::DEFINED|PacketType::SECONDARY) && secondary)
	    return *secondary;
	}
      else
	{
	  if (flags == (PacketType::DEFINED|PacketType::CONTROL) && primary)
	    return *primary;
	  else if (flags == (PacketType::DEFINED|PacketType::SECONDARY|PacketType::CONTROL) && secondary)
	    return *secondary;
	}
      throw select_key_context_error();
    }

    // Select a KeyContext (primary or secondary) for control channel sends.
    // Even after new key context goes active, we still wait for
    // KEV_BECOME_PRIMARY event (controlled by the become_primary duration
    // in Config) before we use it for app-level control-channel
    // transmissions.  Simulations have found this method to be more reliable
    // than the immediate rollover practiced by OpenVPN 2.x.
    KeyContext& select_control_send_context()
    {
      OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " CONTROL SEND");
      if (!primary)
	throw proto_error("select_control_send_context: no primary key");
      return *primary;
    }

    // Possibly send a keepalive message, and check for expiration
    // of session due to lack of received packets from peer.
    void keepalive_housekeeping()
    {
      const Time now = *now_;

      // check for keepalive timeouts
      if (now >= keepalive_xmit && primary)
	{
	  primary->send_keepalive();
	  update_last_sent();
	}
      if (now >= keepalive_expire)
	{
	  // no contact with peer, disconnect
	  stats->error(Error::KEEPALIVE_TIMEOUT);
	  disconnect(Error::KEEPALIVE_TIMEOUT);
	}
    }

    // Process KEV_x events
    // Return true if any events were processed.
    bool process_events()
    {
      bool did_work = false;

      // primary
      if (primary && primary->event_pending())
	{
	  process_primary_event();
	  did_work = true;
	}

      // secondary
      if (secondary && secondary->event_pending())
	{
	  process_secondary_event();
	  did_work = true;
	}

      return did_work;
    }

    // Create a new secondary key.
    // initiator --
    //   false : remote renegotiation request
    //   true  : local renegotiation request
    void new_secondary_key(const bool initiator)
    {
      // Create the secondary
      secondary.reset(new KeyContext(*this, initiator));
      OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " New KeyContext SECONDARY id=" << secondary->key_id() << (initiator ? " local-triggered" : " remote-triggered"));
    }

    // Promote a newly renegotiated KeyContext to primary status.
    // This is usually triggered by become_primary variable (Time::Duration)
    // in Config.
    void promote_secondary_to_primary()
    {
      primary.swap(secondary);
      if (primary)
	primary->rekey(CryptoDCInstance::PRIMARY_SECONDARY_SWAP);
      if (secondary)
	secondary->prepare_expire();
      OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " PRIMARY_SECONDARY_SWAP");
    }

    void process_primary_event()
    {
      const KeyContext::EventType ev = primary->get_event();
      if (ev != KeyContext::KEV_NONE)
	{
	  primary->reset_event();
	  switch (ev)
	    {
	    case KeyContext::KEV_ACTIVE:
	      OPENVPN_LOG_PROTO_VERBOSE(debug_prefix() << " SESSION_ACTIVE");
	      primary->rekey(CryptoDCInstance::ACTIVATE_PRIMARY);
	      active();
	      break;
	    case KeyContext::KEV_RENEGOTIATE:
	    case KeyContext::KEV_RENEGOTIATE_FORCE:
	      renegotiate();
	      break;
	    case KeyContext::KEV_EXPIRE:
	      if (secondary && !secondary->invalidated())
		promote_secondary_to_primary();
	      else
		{
		  stats->error(Error::PRIMARY_EXPIRE);
		  disconnect(Error::PRIMARY_EXPIRE); // primary context expired and no secondary context available
		}
	      break;
	    case KeyContext::KEV_NEGOTIATE:
	      stats->error(Error::HANDSHAKE_TIMEOUT);
	      disconnect(Error::HANDSHAKE_TIMEOUT);   // primary negotiation failed
	      break;
	    default:
	      break;
	    }
	}
      primary->set_next_event_if_unspecified();
    }

    void process_secondary_event()
    {
      const KeyContext::EventType ev = secondary->get_event();
      if (ev != KeyContext::KEV_NONE)
	{
	  secondary->reset_event();
	  switch (ev)
	    {
	    case KeyContext::KEV_ACTIVE:
	      secondary->rekey(CryptoDCInstance::NEW_SECONDARY);
	      if (primary)
		primary->prepare_expire();
	      break;
	    case KeyContext::KEV_BECOME_PRIMARY:
	      if (!secondary->invalidated())
		promote_secondary_to_primary();
	      break;
	    case KeyContext::KEV_EXPIRE:
	      secondary->rekey(CryptoDCInstance::DEACTIVATE_SECONDARY);
	      secondary.reset();
	      break;
	    case KeyContext::KEV_RENEGOTIATE_QUEUE:
	      if (primary)
		primary->key_limit_reneg(KeyContext::KEV_RENEGOTIATE_FORCE, secondary->become_primary_time());
	      break;
	    case KeyContext::KEV_NEGOTIATE:
	      stats->error(Error::HANDSHAKE_TIMEOUT);
	    case KeyContext::KEV_PRIMARY_PENDING:
	    case KeyContext::KEV_RENEGOTIATE_FORCE:
	      renegotiate();
	      break;
	    default:
	      break;
	    }
	}
      if (secondary)
	secondary->set_next_event_if_unspecified();
    }

    std::string debug_prefix()
    {
      std::string ret = openvpn::to_string(now_->raw());
      ret += is_server() ? " SERVER[" : " CLIENT[";
      if (primary)
	ret += openvpn::to_string(primary->key_id());
      if (secondary)
	{
	  ret += '/';
	  ret += openvpn::to_string(secondary->key_id());
	}
      ret += ']';
      return ret;
    }

    // key_id starts at 0, increments to KEY_ID_MASK, then recycles back to 1.
    // Therefore, if key_id is 0, it is the first key.
    unsigned int next_key_id()
    {
      ++n_key_ids;
      unsigned int ret = upcoming_key_id;
      if ((upcoming_key_id = (upcoming_key_id + 1) & KEY_ID_MASK) == 0)
	upcoming_key_id = 1;
      return ret;
    }

    // call whenever keepalive parms are modified,
    // to reset timers
    void keepalive_parms_modified()
    {
      update_last_received();

      // For keepalive_xmit timer, don't reschedule current cycle
      // unless it would fire earlier.  Subsequent cycles will
      // time according to new keepalive_ping value.
      const Time kx = *now_ + config->keepalive_ping;
      if (kx < keepalive_xmit)
	keepalive_xmit = kx;
    }

    void tls_crypt_append_wkc(BufferAllocated& dst)
    {
      if (!config->wkc.defined())
	throw proto_error("Client Key Wrapper undefined");
      dst.append(config->wkc);
    }

    // BEGIN ProtoContext data members

    Config::Ptr config;
    SessionStats::Ptr stats;

    size_t hmac_size;
    TLSWrapMode tls_wrap_mode;
    Mode mode_;                        // client or server
    unsigned int upcoming_key_id;
    unsigned int n_key_ids;

    TimePtr now_;                      // pointer to current time (a clone of config->now)
    Time keepalive_xmit;               // time in future when we will transmit a keepalive (subject to continuous change)
    Time keepalive_expire;             // time in future when we must have received a packet from peer or we will timeout session

    Time::Duration slowest_handshake_; // longest time to reach a successful handshake

    OvpnHMACInstance::Ptr ta_hmac_send;
    OvpnHMACInstance::Ptr ta_hmac_recv;

    TLSCryptInstance::Ptr tls_crypt_send;
    TLSCryptInstance::Ptr tls_crypt_recv;

    TLSCryptInstance::Ptr tls_crypt_server;
    TLSCryptMetadata::Ptr tls_crypt_metadata;

    PacketIDSend ta_pid_send;
    PacketIDReceive ta_pid_recv;

    ProtoSessionID psid_self;
    ProtoSessionID psid_peer;

    KeyContext::Ptr primary;
    KeyContext::Ptr secondary;
    bool dc_deferred;

    // END ProtoContext data members
  };

} // namespace openvpn

#endif //OPENVPN_SSL_PROTO_H