#include <inttypes.h>
#include "syshead.h"
#include <string.h>
#include "crypto.h"
#include "crypto_epoch.h"
#include "packet_id.h"
#include "error.h"
#include "integer.h"
#include "platform.h"
#include "memdbg.h"
Macros | |
#define | PARSE_INITIAL 0 |
#define | PARSE_HEAD 1 |
#define | PARSE_DATA 2 |
#define | PARSE_DATA_COMPLETE 3 |
#define | PARSE_FOOT 4 |
#define | PARSE_FINISHED 5 |
Functions | |
static void | openvpn_encrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
static void | openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
void | openvpn_encrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote OpenVPN peer. | |
uint64_t | cipher_get_aead_limits (const char *ciphername) |
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of blocks + packets. | |
bool | crypto_check_replay (struct crypto_options *opt, const struct packet_id_net *pin, uint16_t epoch, const char *error_prefix, struct gc_arena *gc) |
Check packet ID for replay, and perform replay administration. | |
static bool | openvpn_decrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets. | |
static bool | openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame) |
bool | openvpn_decrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer. | |
unsigned int | calculate_crypto_overhead (const struct key_type *kt, unsigned int pkt_id_size, bool occ) |
Calculate the maximum overhead that our encryption has on a packet. | |
unsigned int | crypto_max_overhead (void) |
Return the worst-case OpenVPN crypto overhead (in bytes) | |
static void | warn_insecure_key_type (const char *ciphername) |
void | init_key_type (struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn) |
Initialize a key_type structure with the given cipher and HMAC digest. | |
static void | key_ctx_update_implicit_iv (struct key_ctx *ctx, const struct key_parameters *key) |
Update the implicit IV for a key_ctx based on TLS session ids and cipher used. | |
void | init_key_ctx (struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix) |
void | init_key_bi_ctx_send (struct key_ctx *ctx, const struct key_parameters *key_params, const struct key_type *kt, const char *name) |
void | init_key_bi_ctx_recv (struct key_ctx *ctx, const struct key_parameters *key_params, const struct key_type *kt, const char *name) |
void | init_key_ctx_bi (struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) |
void | free_key_ctx (struct key_ctx *ctx) |
void | free_key_ctx_bi (struct key_ctx_bi *ctx) |
static bool | key_is_zero (struct key *key, const struct key_type *kt) |
bool | check_key (struct key *key, const struct key_type *kt) |
static void | generate_key_random (struct key *key) |
static void | key_print (const struct key *key, const struct key_type *kt, const char *prefix) |
void | key2_print (const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) |
Prints the keys in a key2 structure. | |
void | key_parameters_from_key (struct key_parameters *key_params, const struct key *key) |
Converts a struct key representation into a struct key_parameters representation. | |
void | test_crypto (struct crypto_options *co, struct frame *frame) |
const char * | print_key_filename (const char *str, bool is_inline) |
To be used when printing a string that may contain inline data. | |
void | crypto_read_openvpn_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata) |
void | read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
int | write_key_file (const int nkeys, const char *filename) |
Write nkeys 1024-bit keys to file. | |
void | must_have_n_keys (const char *filename, const char *option, const struct key2 *key2, int n) |
int | ascii2keydirection (int msglevel, const char *str) |
const char * | keydirection2ascii (int kd, bool remote, bool humanreadable) |
void | key_direction_state_init (struct key_direction_state *kds, int key_direction) |
void | verify_fix_key2 (struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) |
void | prng_bytes (uint8_t *output, int len) |
long int | get_random (void) |
void | print_cipher (const char *ciphername) |
Print a cipher list entry. | |
static const cipher_name_pair * | get_cipher_name_pair (const char *cipher_name) |
const char * | translate_cipher_name_from_openvpn (const char *cipher_name) |
Translate an OpenVPN cipher name to a crypto library cipher name. | |
const char * | translate_cipher_name_to_openvpn (const char *cipher_name) |
Translate a crypto library cipher name to an OpenVPN cipher name. | |
void | write_pem_key_file (const char *filename, const char *pem_name) |
Generate a server key with enough randomness to fill a key struct and write to file. | |
bool | generate_ephemeral_key (struct buffer *key, const char *key_name) |
Generate ephemeral key material into the key structure. | |
bool | read_pem_key_file (struct buffer *key, const char *pem_name, const char *key_file, bool key_inline) |
Read key material from a PEM encoded file into the key structure. | |
bool | check_tls_prf_working (void) |
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS Keying Material Export is not available. | |
Variables | |
static const char | static_key_head [] = "-----BEGIN OpenVPN Static key V1-----" |
static const char | static_key_foot [] = "-----END OpenVPN Static key V1-----" |
static const char | printable_char_fmt [] |
static const char | unprintable_char_fmt [] |
#define PARSE_DATA 2 |
#define PARSE_DATA_COMPLETE 3 |
#define PARSE_FINISHED 5 |
#define PARSE_FOOT 4 |
#define PARSE_HEAD 1 |
#define PARSE_INITIAL 0 |
int ascii2keydirection | ( | int | msglevel, |
const char * | str | ||
) |
Definition at line 1653 of file crypto.c.
References KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, and msg.
Referenced by add_option().
unsigned int calculate_crypto_overhead | ( | const struct key_type * | kt, |
unsigned int | pkt_id_size, | ||
bool | occ | ||
) |
Calculate the maximum overhead that our encryption has on a packet.
This does not include the additional buffer size that is needed.
This does NOT include the padding and rounding of CBC size as the users (mssfix/fragment) of this function need to adjust for this and add it themselves.
kt | Struct with the crypto algorithm to use |
pkt_id_size | Size of the packet id |
occ | if true calculates the overhead for crypto in the same incorrect way as all previous OpenVPN versions did, to end up with identical numbers for OCC compatibility |
Definition at line 819 of file crypto.c.
References key_type::cipher, cipher_defined(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_tag_size(), key_type::digest, buffer::len, md_defined(), and md_kt_size().
Referenced by frame_calculate_protocol_header_size().
Definition at line 1151 of file crypto.c.
References key_type::cipher, cipher_defined(), and key_is_zero().
Referenced by generate_key_expansion(), and verify_fix_key2().
bool check_tls_prf_working | ( | void | ) |
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS Keying Material Export is not available.
Definition at line 1941 of file crypto.c.
References ssl_tls1_PRF().
Referenced by options_process_mutate_prf().
uint64_t cipher_get_aead_limits | ( | const char * | ciphername | ) |
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of blocks + packets.
Returns 0 if ciphername is not an AEAD cipher, if no limit is needed (e.g. Chacha20-Poly1305), or if the limit is larger than 2^64.
For reference see the OpenVPN RFC draft and https://www.ietf.org/archive/id/draft-irtf-cfrg-aead-limits-08.html
Definition at line 353 of file crypto.c.
References cipher_kt_mode_aead(), cipher_kt_name(), and buffer::len.
Referenced by crypto_test_aead_limits(), epoch_init_key_ctx(), and tls_get_limit_aead().
bool crypto_check_replay | ( | struct crypto_options * | opt, |
const struct packet_id_net * | pin, | ||
uint16_t | epoch, | ||
const char * | error_prefix, | ||
struct gc_arena * | gc | ||
) |
Check packet ID for replay, and perform replay administration.
opt | Crypto options for this packet, contains replay state. |
pin | Packet ID read from packet. |
epoch | Epoch read from packet or 0 when epoch is not used. |
error_prefix | Prefix to use when printing error messages. |
gc | Garbage collector to use. |
Definition at line 384 of file crypto.c.
References CO_MUTE_REPLAY_WARNINGS, CO_PACKET_ID_LONG_FORM, D_GENKEY, D_REPLAY_ERRORS, key_ctx_bi::decrypt, key_ctx::epoch, epoch_replace_update_recv_key(), crypto_options::epoch_retiring_data_receive_key, crypto_options::epoch_retiring_key_pid_recv, crypto_options::flags, gc, crypto_options::key_ctx_bi, msg, crypto_options::packet_id, packet_id_add(), packet_id_net_print(), packet_id_persist_save_obj(), packet_id_reap_test(), packet_id_test(), crypto_options::pid_persist, and packet_id::rec.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), and tls_crypt_unwrap().
unsigned int crypto_max_overhead | ( | void | ) |
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition at line 868 of file crypto.c.
References max_int(), OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, OPENVPN_MAX_IV_LENGTH, and packet_id_size().
Referenced by frame_finalize_options().
void crypto_read_openvpn_key | ( | const struct key_type * | key_type, |
struct key_ctx_bi * | ctx, | ||
const char * | key_file, | ||
bool | key_inline, | ||
const int | key_direction, | ||
const char * | key_name, | ||
const char * | opt_name, | ||
struct key2 * | keydata | ||
) |
Definition at line 1321 of file crypto.c.
References init_key_ctx_bi(), key2, key_direction_state_init(), M_ERR, msg, must_have_n_keys(), key2::n, key_direction_state::need_keys, print_key_filename(), read_key_file(), RKF_INLINE, RKF_MUST_SUCCEED, secure_memzero(), and verify_fix_key2().
Referenced by do_init_crypto_static(), do_init_tls_wrap_key(), init_tas_auth(), and tls_crypt_init_key().
void free_key_ctx | ( | struct key_ctx * | ctx | ) |
Definition at line 1106 of file crypto.c.
References key_ctx::cipher, cipher_ctx_free(), CLEAR, key_ctx::epoch, key_ctx::hmac, hmac_ctx_cleanup(), hmac_ctx_free(), key_ctx::implicit_iv, and key_ctx::plaintext_blocks.
Referenced by auth_token_fail_invalid_key(), auth_token_test_key_load(), auth_token_test_random_keys(), crypto_test_epoch_key_generation(), do_close_free_key_schedule(), epoch_generate_future_receive_keys(), epoch_iterate_send_key(), epoch_replace_update_recv_key(), free_epoch_key_ctx(), free_key_ctx_bi(), key_schedule_free(), teardown(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_write_client_key_file().
void free_key_ctx_bi | ( | struct key_ctx_bi * | ctx | ) |
Definition at line 1125 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, free_key_ctx(), and key_ctx_bi::initialized.
Referenced by crypto_test_epoch_teardown(), do_close_free_key_schedule(), free_tas(), free_tls_pre_decrypt_state(), key_schedule_free(), key_state_free(), test_tls_crypt_teardown(), test_tls_crypt_v2_teardown(), test_tls_decrypt_lite_auth(), test_tls_decrypt_lite_crypt(), tls_crypt_v2_wrap_unwrap_wrong_key(), tls_crypt_v2_write_client_key_file(), tls_wrap_free(), and uninit_crypto_options().
bool generate_ephemeral_key | ( | struct buffer * | key, |
const char * | pem_name | ||
) |
Generate ephemeral key material into the key structure.
key | the key structure that will hold the key material |
pem_name | the name used for logging |
Definition at line 1884 of file crypto.c.
References BCAP, BEND, buf_inc_len(), buffer::len, M_INFO, M_WARN, msg, and rand_bytes().
Referenced by auth_token_init_secret().
|
static |
Definition at line 1170 of file crypto.c.
References key::cipher, CLEAR, D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc, gc_free(), gc_new(), key::hmac, M_FATAL, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, msg, and rand_bytes().
Referenced by write_key_file().
|
static |
Definition at line 1799 of file crypto.c.
References cipher_name_translation_table, cipher_name_translation_table_count, cipher_name_pair::lib_name, and cipher_name_pair::openvpn_name.
Referenced by translate_cipher_name_from_openvpn(), and translate_cipher_name_to_openvpn().
long int get_random | ( | void | ) |
Definition at line 1757 of file crypto.c.
References prng_bytes().
Referenced by check_send_occ_msg_dowork(), check_timeout_random_component_dowork(), do_init_crypto_tls(), fragment_init(), gen_nonce(), init_connection_list(), multi_init(), packet_id_add(), and platform_create_temp_file().
void init_key_bi_ctx_recv | ( | struct key_ctx * | ctx, |
const struct key_parameters * | key_params, | ||
const struct key_type * | kt, | ||
const char * | name | ||
) |
Definition at line 1075 of file crypto.c.
References key_parameters::epoch, key_ctx::epoch, init_key_ctx(), key_ctx_update_implicit_iv(), and OPENVPN_OP_DECRYPT.
Referenced by epoch_init_recv_key(), and init_key_ctx_bi().
void init_key_bi_ctx_send | ( | struct key_ctx * | ctx, |
const struct key_parameters * | key_params, | ||
const struct key_type * | kt, | ||
const char * | name | ||
) |
Definition at line 1063 of file crypto.c.
References key_parameters::epoch, key_ctx::epoch, init_key_ctx(), key_ctx_update_implicit_iv(), and OPENVPN_OP_ENCRYPT.
Referenced by epoch_init_send_key_ctx(), and init_key_ctx_bi().
void init_key_ctx | ( | struct key_ctx * | ctx, |
const struct key_parameters * | key, | ||
const struct key_type * | kt, | ||
int | enc, | ||
const char * | prefix | ||
) |
Definition at line 1015 of file crypto.c.
References ASSERT, key_type::cipher, key::cipher, key_ctx::cipher, cipher_ctx_init(), cipher_ctx_new(), cipher_defined(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_key_size(), cipher_kt_name(), CLEAR, D_CIPHER_INIT, D_CRYPTO_DEBUG, D_SHOW_KEYS, key_type::digest, dmsg, key_ctx::epoch, format_hex(), gc, gc_free(), gc_new(), key::hmac, key_ctx::hmac, hmac_ctx_init(), hmac_ctx_new(), hmac_ctx_size(), md_defined(), md_kt_name(), md_kt_size(), msg, and warn_insecure_key_type().
Referenced by auth_token_fail_invalid_key(), auth_token_init_secret(), init_key_bi_ctx_recv(), init_key_bi_ctx_send(), setup(), test_tls_crypt_setup(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_init_server_key().
void init_key_ctx_bi | ( | struct key_ctx_bi * | ctx, |
const struct key2 * | key2, | ||
int | key_direction, | ||
const struct key_type * | kt, | ||
const char * | name | ||
) |
Definition at line 1087 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_direction_state::in_key, init_key_bi_ctx_recv(), init_key_bi_ctx_send(), key_ctx_bi::initialized, key_direction_state_init(), key_parameters_from_key(), key2::keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_crypto_options(), init_key_contexts(), test_tls_crypt_v2_setup(), tls_crypt_v2_load_client_key(), tls_crypt_v2_wrap_unwrap_wrong_key(), and tls_session_generate_dynamic_tls_crypt_key().
void init_key_type | ( | struct key_type * | kt, |
const char * | ciphername, | ||
const char * | authname, | ||
bool | tls_mode, | ||
bool | warn | ||
) |
Initialize a key_type structure with the given cipher and HMAC digest.
kt | The struct key_type to initialize |
ciphername | The name of the cipher to use |
authname | The name of the HMAC digest to use |
tls_mode | Specifies whether we are running in TLS mode, which allows more ciphers than static key mode. |
warn | Print warnings when null cipher / auth is used. |
Definition at line 893 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_block_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), cipher_valid(), CLEAR, key_type::digest, buffer::len, M_FATAL, M_WARN, md_kt_size(), msg, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, and warn_insecure_key_type().
Referenced by calc_options_string_link_mtu(), crypto_test_epoch_setup(), do_init_crypto_none(), do_init_crypto_static(), do_init_crypto_tls_c1(), epoch_test_derive_data_key(), init_tas_auth(), options_string(), test_mssfix_mtu_calculation(), and tls_session_update_crypto_params_do_work().
void key2_print | ( | const struct key2 * | k, |
const struct key_type * | kt, | ||
const char * | prefix0, | ||
const char * | prefix1 | ||
) |
Prints the keys in a key2 structure.
Definition at line 1208 of file crypto.c.
References ASSERT, key_print(), key2::keys, and key2::n.
Referenced by generate_key_expansion().
|
static |
Update the implicit IV for a key_ctx based on TLS session ids and cipher used.
Note that the implicit IV is based on the HMAC key of the key
parameter, but only in AEAD modes where the HMAC key is not used for an actual HMAC.
ctx | Encrypt/decrypt key context |
key | key parameters holding the key and hmac/ implicit iv used to calculate implicit IV |
Definition at line 983 of file crypto.c.
References ASSERT, key_ctx::cipher, cipher_ctx_iv_length(), cipher_ctx_mode_aead(), CLEAR, key::hmac, key_ctx::implicit_iv, buffer::len, MAX_HMAC_KEY_LENGTH, OPENVPN_AEAD_MIN_IV_LEN, and OPENVPN_MAX_IV_LENGTH.
Referenced by init_key_bi_ctx_recv(), and init_key_bi_ctx_send().
void key_direction_state_init | ( | struct key_direction_state * | kds, |
int | key_direction | ||
) |
Definition at line 1705 of file crypto.c.
References ASSERT, CLEAR, key_direction_state::in_key, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, key_direction_state::need_keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_epoch_keys(), init_key_ctx_bi(), and tls_session_generate_dynamic_tls_crypt_key().
Definition at line 1133 of file crypto.c.
References key_type::cipher, key::cipher, cipher_kt_key_size(), D_CRYPT_ERRORS, and msg.
Referenced by check_key().
void key_parameters_from_key | ( | struct key_parameters * | key_params, |
const struct key * | key | ||
) |
Converts a struct key representation into a struct key_parameters representation.
key_params | destination for the converted struct |
key | source of the conversion |
Definition at line 1219 of file crypto.c.
References key::cipher, key_parameters::cipher, key_parameters::cipher_size, CLEAR, key::hmac, key_parameters::hmac, key_parameters::hmac_size, MAX_CIPHER_KEY_LENGTH, and MAX_HMAC_KEY_LENGTH.
Referenced by auth_token_init_secret(), init_key_ctx_bi(), and tls_crypt_v2_init_server_key().
|
static |
Definition at line 1191 of file crypto.c.
References key_type::cipher, key::cipher, cipher_kt_key_size(), cipher_kt_name(), D_SHOW_KEY_SOURCE, key_type::digest, dmsg, format_hex(), gc, gc_free(), gc_new(), key::hmac, md_kt_name(), and md_kt_size().
Referenced by key2_print().
const char * keydirection2ascii | ( | int | kd, |
bool | remote, | ||
bool | humanreadable | ||
) |
Definition at line 1676 of file crypto.c.
References ASSERT, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, and KEY_DIRECTION_NORMAL.
Referenced by options_string(), show_connection_entry(), and show_settings().
void must_have_n_keys | ( | const char * | filename, |
const char * | option, | ||
const struct key2 * | key2, | ||
int | n | ||
) |
|
static |
Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets.
Set buf->len to 0 and return false on decrypt error.
On success, buf is set to point to plaintext, true is returned.
Definition at line 442 of file crypto.c.
References AEAD_LIMIT_BLOCKSIZE, ASSERT, BLEN, BPTR, frame::buf, buf_advance(), buf_inc_len(), buf_init, buf_safe(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final_check_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), cipher_decrypt_verify_fail_exceeded(), CO_EPOCH_DATA_KEY_FORMAT, CRYPT_DROP, CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, buffer::data, key_ctx_bi::decrypt, dmsg, key_ctx::epoch, epoch_lookup_decrypt_key(), key_ctx::failed_verifications, crypto_options::flags, format_hex(), gc, gc_free(), gc_init(), frame::headroom, key_ctx::implicit_iv, crypto_options::key_ctx_bi, buffer::len, OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), packet_id_read(), packet_id_read_epoch(), packet_id_size(), and key_ctx::plaintext_blocks.
Referenced by openvpn_decrypt().
|
static |
Definition at line 630 of file crypto.c.
References ASSERT, BLEN, BOOL_CAST, BPTR, frame::buf, buf_advance(), buf_inc_len(), buf_init, buf_safe(), buf_set_read(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_iv_length(), cipher_ctx_mode_cbc(), cipher_ctx_mode_ofb_cfb(), cipher_ctx_reset(), cipher_ctx_update(), CO_IGNORE_PACKET_ID, CO_PACKET_ID_LONG_FORM, CRYPT_DROP, CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, key_ctx_bi::decrypt, dmsg, crypto_options::flags, format_hex(), gc, gc_free(), gc_init(), frame::headroom, key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, MAX_HMAC_KEY_LENGTH, memcmp_constant_time(), OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
|
static |
Definition at line 67 of file crypto.c.
References AEAD_LIMIT_BLOCKSIZE, ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_len(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), CO_EPOCH_DATA_KEY_FORMAT, crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, key_ctx::epoch, epoch_check_send_iterate(), crypto_options::flags, format_hex(), gc, gc_free(), gc_init(), key_ctx::implicit_iv, crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_AEAD_MIN_IV_LEN, OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), packet_id_write_epoch(), key_ctx::plaintext_blocks, and packet_id::send.
Referenced by openvpn_encrypt().
|
static |
Definition at line 195 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_prepend(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buf_write_prepend(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_iv_length(), cipher_ctx_mode(), cipher_ctx_mode_cbc(), cipher_ctx_mode_ofb_cfb(), cipher_ctx_reset(), cipher_ctx_update(), CO_PACKET_ID_LONG_FORM, crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, crypto_options::flags, format_hex(), gc, gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_MAX_IV_LENGTH, OPENVPN_MODE_CBC, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), prng_bytes(), and packet_id::send.
Referenced by openvpn_encrypt().
void print_cipher | ( | const char * | ciphername | ) |
Print a cipher list entry.
Definition at line 1769 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_key_size(), cipher_kt_mode_cbc(), cipher_kt_name(), and cipher_valid_reason().
Referenced by show_available_ciphers().
const char * print_key_filename | ( | const char * | str, |
bool | is_inline | ||
) |
To be used when printing a string that may contain inline data.
If "is_inline" is true, return the inline tag. If "is_inline" is false and "str" is not NULL, return "str". Return the constant string "[NULL]" otherwise.
str | the original string to return when is_inline is false |
is_inline | true when str contains an inline data of some sort |
Definition at line 1310 of file crypto.c.
References buffer::len, and np().
Referenced by backend_tls_ctx_reload_crl(), crypto_read_openvpn_key(), read_key_file(), tls_ctx_load_ca(), tls_ctx_load_dh_params(), tls_ctx_load_extra_certs(), and tls_ctx_load_priv_file().
void prng_bytes | ( | uint8_t * | output, |
int | len | ||
) |
Definition at line 1750 of file crypto.c.
References ASSERT, and rand_bytes().
Referenced by get_random(), hostname_randomize(), openvpn_encrypt_v1(), and session_id_random().
void read_key_file | ( | struct key2 * | key2, |
const char * | file, | ||
const unsigned int | flags | ||
) |
Definition at line 1373 of file crypto.c.
References ASSERT, buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), CLEAR, buffer::data, format_hex_ex(), gc, gc_free(), gc_new(), key2::keys, buffer::len, M_FATAL, M_INFO, msg, key2::n, PARSE_DATA, PARSE_DATA_COMPLETE, PARSE_FINISHED, PARSE_FOOT, PARSE_HEAD, PARSE_INITIAL, print_key_filename(), printable_char_fmt, RKF_INLINE, RKF_MUST_SUCCEED, SIZE, static_key_foot, static_key_head, and unprintable_char_fmt.
Referenced by crypto_read_openvpn_key().
bool read_pem_key_file | ( | struct buffer * | key, |
const char * | pem_name, | ||
const char * | key_file, | ||
bool | key_inline | ||
) |
Read key material from a PEM encoded file into the key structure.
key | the key structure that will hold the key material |
pem_name | the name used in the pem encoding start/end lines |
key_file | name of the file to read or the key itself if key_inline is true |
key_inline | True if key_file contains an inline key, False otherwise. |
Definition at line 1902 of file crypto.c.
References buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), cleanup(), crypto_pem_decode(), gc, gc_free(), gc_new(), buffer::len, M_WARN, and msg.
Referenced by auth_token_init_secret(), tls_crypt_v2_init_client_key(), and tls_crypt_v2_init_server_key().
void test_crypto | ( | struct crypto_options * | co, |
struct frame * | frame | ||
) |
Definition at line 1229 of file crypto.c.
References alloc_buf_gc(), ASSERT, BLEN, BPTR, frame::buf, buf_init, BUF_SIZE, buf_write_alloc(), key_ctx::cipher, cipher_ctx_iv_length(), cipher_ctx_mode_aead(), clear_buf(), key_ctx_bi::decrypt, key_ctx_bi::encrypt, gc, gc_free(), gc_new(), frame::headroom, key_ctx::implicit_iv, crypto_options::key_ctx_bi, buffer::len, M_FATAL, M_INFO, msg, OPENVPN_AEAD_MIN_IV_LEN, openvpn_decrypt(), openvpn_encrypt(), OPENVPN_MAX_IV_LENGTH, frame::payload_size, rand_bytes(), and update_time().
Referenced by show_settings(), and test_crypto_thread().
const char * translate_cipher_name_from_openvpn | ( | const char * | cipher_name | ) |
Translate an OpenVPN cipher name to a crypto library cipher name.
cipher_name | An OpenVPN cipher name |
Definition at line 1820 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::lib_name.
Referenced by cipher_get(), and cipher_kt_block_size().
const char * translate_cipher_name_to_openvpn | ( | const char * | cipher_name | ) |
Translate a crypto library cipher name to an OpenVPN cipher name.
cipher_name | A crypto library cipher name |
Definition at line 1833 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.
Referenced by cipher_kt_block_size(), cipher_kt_name(), and multi_print_status().
void verify_fix_key2 | ( | struct key2 * | key2, |
const struct key_type * | kt, | ||
const char * | shared_secret_file | ||
) |
Definition at line 1734 of file crypto.c.
References check_key(), key2::keys, M_FATAL, msg, and key2::n.
Referenced by crypto_read_openvpn_key().
|
static |
Definition at line 876 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_insecure(), M_WARN, and msg.
Referenced by init_key_ctx(), and init_key_type().
int write_key_file | ( | const int | nkeys, |
const char * | filename | ||
) |
Write nkeys 1024-bit keys to file.
Definition at line 1577 of file crypto.c.
References alloc_buf_gc(), BLEN, BPTR, buf_clear(), buf_printf(), buffer_write_file(), format_hex_ex(), gc, gc_free(), gc_new(), generate_key_random(), buffer::len, secure_memzero(), static_key_foot, and static_key_head.
Referenced by do_genkey().
void write_pem_key_file | ( | const char * | filename, |
const char * | key_name | ||
) |
Generate a server key with enough randomness to fill a key struct and write to file.
filename | Filename of the server key file to create. |
key_name | The name to use in the PEM header/footer. |
Definition at line 1846 of file crypto.c.
References BLEN, BPTR, buf_clear(), buf_set_read(), buffer_write_file(), cleanup(), clear_buf(), crypto_pem_encode(), gc, gc_free(), gc_new(), buffer::len, M_ERR, M_NONFATAL, M_WARN, msg, rand_bytes(), and secure_memzero().
Referenced by auth_token_write_server_key_file(), and tls_crypt_v2_write_server_key_file().
|
static |
Definition at line 1364 of file crypto.c.
Referenced by read_key_file().
|
static |
Definition at line 1362 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
|
static |
Definition at line 1361 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
|
static |
Definition at line 1367 of file crypto.c.
Referenced by read_key_file().