openvpn/crypto__epoch_8h_source.html

/*

 *  OpenVPN -- An application to securely tunnel IP networks

 *             over a single TCP/UDP port, with support for SSL/TLS-based

 *             session authentication and key exchange,

 *             packet encryption, packet authentication, and

 *             packet compression.

 *

 *  Copyright (C) 2024 OpenVPN Inc <sales@openvpn.net>

 *  Copyright (C) 2024 Arne Schwabe <arne@rfc2549.org>

 *

 *

 *  This program is free software; you can redistribute it and/or modify

 *  it under the terms of the GNU General Public License version 2

 *  as published by the Free Software Foundation.

 *

 *  This program is distributed in the hope that it will be useful,

 *  but WITHOUT ANY WARRANTY; without even the implied warranty of

 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 *  GNU General Public License for more details.

 *

 *  You should have received a copy of the GNU General Public License along

 *  with this program; if not, write to the Free Software Foundation, Inc.,

 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

 */


#ifndef CRYPTO_EPOCH_H

#define CRYPTO_EPOCH_H


void

ovpn_hkdf_expand(const uint8_t *secret,

                 const uint8_t *info, int info_len,

                 uint8_t *out, int out_len);


bool

ovpn_expand_label(const uint8_t *secret, size_t secret_len,

                  const uint8_t *label, size_t label_len,

                  const uint8_t *context, size_t context_len,

                  uint8_t *out, uint16_t out_len);


void

epoch_data_key_derive(struct key_parameters *key,

                      const struct epoch_key *epoch_key,

                      const struct key_type *kt);


void

epoch_generate_future_receive_keys(struct crypto_options *co);


void

epoch_replace_update_recv_key(struct crypto_options *co,

                              uint16_t new_epoch);


void

epoch_iterate_send_key(struct crypto_options *co);


void

free_epoch_key_ctx(struct crypto_options *co);


void

epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type,

                   const struct epoch_key *e1_send, const struct epoch_key *e1_recv,

                   uint16_t future_key_count);


struct key_ctx *

epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch);


void

epoch_check_send_iterate(struct crypto_options *opt);


#endif /* ifndef CRYPTO_EPOCH_H */

ovpn_expand_label
bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the following differences/restriction...
Definition crypto_epoch.c:78

epoch_generate_future_receive_keys
void epoch_generate_future_receive_keys(struct crypto_options *co)
Generates and fills the epoch_data_keys_future with next valid future keys in crypto_options using th...
Definition crypto_epoch.c:213

epoch_replace_update_recv_key
void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
This is called when the peer uses a new send key that is not the default key.
Definition crypto_epoch.c:284

free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:338

epoch_check_send_iterate
void epoch_check_send_iterate(struct crypto_options *opt)
Checks if we need to iterate the send epoch key.
Definition crypto_epoch.c:414

epoch_lookup_decrypt_key
struct key_ctx * epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch)
Using an epoch, this function will try to retrieve a decryption key context that matches that epoch f...
Definition crypto_epoch.c:375

epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:353

epoch_data_key_derive
void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt)
Generate a data channel key pair from the epoch key.
Definition crypto_epoch.c:145

ovpn_hkdf_expand
void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, int out_len)
Implementation of the RFC5869 HKDF-Expand function with the following restrictions.
Definition crypto_epoch.c:43

epoch_iterate_send_key
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to use the next epoch.
Definition crypto_epoch.c:275

context
Contains all state information for one tunnel.
Definition openvpn.h:474

crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292

epoch_key
Definition crypto.h:191

key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition crypto.h:201

key_ctx::epoch
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
Definition crypto.h:227

key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:162

key_type
Definition crypto.h:141

key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152