OpenVPN
struct crypto_options
Security parameter state for processing data channel packets.
#include <crypto.h>
Data Fields
struct key_ctx_bi key_ctx_bi: OpenSSL cipher and HMAC contexts for both sending and receiving directions.
struct epoch_key epoch_key_send: Last epoch_key used for generation of the current send data keys.
struct epoch_key epoch_key_recv: epoch_key used for the highest receive epoch keys.
struct key_type epoch_key_type: The key_type that is used to generate the epoch keys.
uint64_t aead_usage_limit: The limit for the AEAD cipher; this is the sum of packets + blocks that are allowed to be used.
struct key_ctx *epoch_data_keys_future: Keeps the future epoch data keys for decryption.
uint16_t epoch_data_keys_future_count: Number of keys stored in epoch_data_keys_future.
struct key_ctx epoch_retiring_data_receive_key: The old key before the sender switched to a new epoch data key.
struct packet_id_rec epoch_retiring_key_pid_recv
struct packet_id packet_id: Current packet ID state for both sending and receiving directions.
struct packet_id_persist *pid_persist: Persistent packet ID state for keeping state between successive OpenVPN process startups.
unsigned int flags: Bit-flags determining behavior of security operation functions.
uint64_t crypto_options::aead_usage_limit
The usage limit for the AEAD cipher: the sum of packets and blocks that may be processed under the current key.
A new epoch is started when this limit is reached.
Definition at line 312 of file crypto.h.
Referenced by epoch_check_send_iterate(), and epoch_init_key_ctx().
struct key_ctx* crypto_options::epoch_data_keys_future
Keeps the future epoch data keys for decryption.
The current key that is expected to be used is stored in key_ctx_bi.
For encryption keys this is not needed: only the current key is required, the sender moves to the next key by iteration, and it never needs to go back to an older key.
Definition at line 321 of file crypto.h.
Referenced by crypto_test_epoch_key_generation(), crypto_test_epoch_key_overflow(), epoch_generate_future_receive_keys(), epoch_init_key_ctx(), epoch_lookup_decrypt_key(), epoch_replace_update_recv_key(), and free_epoch_key_ctx().
uint16_t crypto_options::epoch_data_keys_future_count
Number of keys stored in epoch_data_keys_future.
Definition at line 324 of file crypto.h.
Referenced by crypto_test_epoch_key_overflow(), epoch_generate_future_receive_keys(), epoch_init_key_ctx(), epoch_lookup_decrypt_key(), epoch_replace_update_recv_key(), and free_epoch_key_ctx().
struct epoch_key crypto_options::epoch_key_recv
epoch_key used for the highest receive epoch keys.
Definition at line 304 of file crypto.h.
Referenced by crypto_test_epoch_key_generation(), crypto_test_epoch_key_overflow(), epoch_generate_future_receive_keys(), epoch_init_key_ctx(), epoch_init_recv_key(), and free_epoch_key_ctx().
struct epoch_key crypto_options::epoch_key_send
Last epoch_key used for generation of the current send data keys.
As an invariant, the epoch of epoch_key_send is always kept >= the epoch of epoch_key_recv.
Definition at line 301 of file crypto.h.
Referenced by crypto_test_epoch_key_generation(), crypto_test_epoch_key_overflow(), crypto_test_epoch_key_rotation(), epoch_check_send_iterate(), epoch_init_key_ctx(), epoch_init_send_key_ctx(), epoch_iterate_send_key(), epoch_replace_update_recv_key(), free_epoch_key_ctx(), and should_trigger_renegotiation().
struct key_type crypto_options::epoch_key_type
The key_type that is used to generate the epoch keys.
Definition at line 307 of file crypto.h.
Referenced by epoch_init_key_ctx(), epoch_init_recv_key(), and epoch_init_send_key_ctx().
struct key_ctx crypto_options::epoch_retiring_data_receive_key
The old key before the sender switched to a new epoch data key.
Definition at line 327 of file crypto.h.
Referenced by crypto_check_replay(), crypto_test_epoch_key_receive_lookup(), crypto_test_epoch_key_rotation(), epoch_lookup_decrypt_key(), epoch_replace_update_recv_key(), and free_epoch_key_ctx().
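The receive-side bookkeeping that epoch_data_keys_future, key_ctx_bi and epoch_retiring_data_receive_key describe (a current decrypt key, pre-generated future epoch keys, and the previous key kept for packets still in flight), as an added, simplified model written for this page; it is not OpenVPN's code, and the fixed window of four future epochs, the epoch-number-only "keys" and the recv_lookup_key() API are assumptions.

```c
/* Illustrative model of epoch receive-key state (not OpenVPN's implementation). */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define FUTURE_KEYS 4   /* assumption: number of future epochs pre-generated */

/* A "key" is reduced to its epoch number; real keys would hold cipher contexts. */
struct model_key { uint16_t epoch; bool valid; };

struct recv_state {
    struct model_key current;              /* stands in for the decrypt side of key_ctx_bi */
    struct model_key retiring;             /* stands in for epoch_retiring_data_receive_key */
    struct model_key future[FUTURE_KEYS];  /* stands in for epoch_data_keys_future */
    uint16_t future_count;                 /* stands in for epoch_data_keys_future_count */
    uint16_t highest_epoch;                /* epoch of the last future key, cf. epoch_key_recv */
};

/* Regenerate future keys so they cover current.epoch+1 .. current.epoch+FUTURE_KEYS. */
static void generate_future_keys(struct recv_state *s)
{
    for (uint16_t i = 0; i < FUTURE_KEYS; i++) {
        s->future[i].epoch = s->current.epoch + 1 + i;
        s->future[i].valid = true;
    }
    s->future_count = FUTURE_KEYS;
    s->highest_epoch = s->current.epoch + FUTURE_KEYS;
}

void recv_state_init(struct recv_state *s, uint16_t epoch)
{
    memset(s, 0, sizeof(*s));
    s->current.epoch = epoch;
    s->current.valid = true;
    generate_future_keys(s);
}

/* Returns the epoch of the key that decrypts a packet tagged with `epoch`,
 * rotating state when the sender has moved to a newer pre-generated epoch.
 * Returns -1 when no key exists: older than the retiring key, a skipped
 * epoch, or further ahead than the pre-generated window. */
int recv_lookup_key(struct recv_state *s, uint16_t epoch)
{
    if (epoch == s->current.epoch) return epoch;
    if (s->retiring.valid && epoch == s->retiring.epoch) return epoch;
    if (epoch > s->current.epoch && epoch <= s->highest_epoch) {
        s->retiring = s->current;   /* old key kept for in-flight packets */
        s->current.epoch = epoch;   /* promote the future key to current */
        generate_future_keys(s);    /* refill the window beyond the new epoch */
        return epoch;
    }
    return -1;
}
```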
struct packet_id_rec crypto_options::epoch_retiring_key_pid_recv
Definition at line 328 of file crypto.h.
Referenced by crypto_check_replay(), epoch_replace_update_recv_key(), and free_epoch_key_ctx().
unsigned int crypto_options::flags
Bit-flags determining behavior of security operation functions.
Definition at line 383 of file crypto.h.
Referenced by cc_exit_notify_enabled(), check_aead_limits(), control_packet_needs_wkc(), crypto_check_replay(), do_init_crypto_static(), do_init_crypto_tls(), do_pre_decrypt_check(), init_crypto_options(), init_tas_auth(), init_tas_crypt(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), parse_early_negotiation_tlvs(), should_trigger_renegotiation(), tls_auth_standalone_init(), tls_crypt_ignore_replay(), tls_crypt_unwrap(), tls_crypt_v2_extract_client_key(), and tls_session_generate_data_channel_keys().
struct key_ctx_bi crypto_options::key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition at line 293 of file crypto.h.
Referenced by check_aead_limits(), crypto_check_replay(), crypto_test_epoch_key_generation(), crypto_test_epoch_key_overflow(), crypto_test_epoch_key_rotation(), crypto_test_epoch_teardown(), do_init_crypto_static(), do_init_crypto_tls(), epoch_check_send_iterate(), epoch_generate_future_receive_keys(), epoch_init_key_ctx(), epoch_init_send_key_ctx(), epoch_iterate_send_key(), epoch_lookup_decrypt_key(), epoch_replace_update_recv_key(), free_tas(), free_tls_pre_decrypt_state(), generate_key_expansion(), handle_data_channel_packet(), init_crypto_options(), init_key_contexts(), init_tas_auth(), init_tas_crypt(), key_state_free(), multi_client_set_protocol_options(), openvpn_decrypt(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), should_trigger_renegotiation(), swap_hmac(), test_crypto(), test_tls_crypt_setup(), test_tls_crypt_teardown(), tls_crypt_fail_invalid_key(), tls_crypt_unwrap(), tls_crypt_v2_extract_client_key(), tls_crypt_wrap(), tls_process(), tls_select_encryption_key(), tls_wrap_free(), and uninit_crypto_options().
struct packet_id crypto_options::packet_id
Current packet ID state for both sending and receiving directions.
This contains the packet ID that is used for replay protection.
The packet ID is also used as the IV for AEAD/OFB/CFB ciphers.
Definition at line 330 of file crypto.h.
Referenced by check_aead_limits(), crypto_check_replay(), do_close_packet_id(), do_init_crypto_static(), epoch_check_send_iterate(), epoch_init_send_key_ctx(), epoch_replace_update_recv_key(), init_crypto_options(), key_state_free(), key_state_init(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), send_hmac_reset_packet(), should_trigger_renegotiation(), test_crypto_thread(), test_generate_reset_packet_tls_auth(), test_tls_crypt_setup(), tls_auth_standalone_free(), tls_auth_standalone_init(), tls_crypt_unwrap(), tls_crypt_wrap(), tls_wrap_free(), and uninit_crypto_options().
struct packet_id_persist* crypto_options::pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition at line 339 of file crypto.h.
Referenced by crypto_check_replay(), do_init_crypto_static(), do_init_crypto_tls(), and key_state_init().