OpenVPN
test_crypto.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#ifdef HAVE_CONFIG_H
24#include "config.h"
25#endif
26
27#include "syshead.h"
28
29#include <stdio.h>
30#include <stdlib.h>
31#include <stdarg.h>
32#include <string.h>
33#include <setjmp.h>
34#include <cmocka.h>
35
36#include "crypto.h"
37#include "crypto_epoch.h"
38#include "options.h"
39#include "ssl_backend.h"
40
41#include "mss.h"
42#include "test_common.h"
43
44
45#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
46#include <openssl/core_names.h>
47#include <openssl/kdf.h>
48#endif
49
50static const char testtext[] = "Dummy text to test PEM encoding";
51
52static void
53crypto_pem_encode_decode_loopback(void **state)
54{
55 struct gc_arena gc = gc_new();
56 struct buffer src_buf;
57 buf_set_read(&src_buf, (void *)testtext, sizeof(testtext));
58
59 uint8_t dec[sizeof(testtext)];
60 struct buffer dec_buf;
61 buf_set_write(&dec_buf, dec, sizeof(dec));
62
63 struct buffer pem_buf;
64
65 assert_true(crypto_pem_encode("TESTKEYNAME", &pem_buf, &src_buf, &gc));
66 assert_true(BLEN(&src_buf) < BLEN(&pem_buf));
67
68 /* Wrong key name */
69 assert_false(crypto_pem_decode("WRONGNAME", &dec_buf, &pem_buf));
70
71 assert_true(crypto_pem_decode("TESTKEYNAME", &dec_buf, &pem_buf));
72 assert_int_equal(BLEN(&src_buf), BLEN(&dec_buf));
73 assert_memory_equal(BPTR(&src_buf), BPTR(&dec_buf), BLEN(&src_buf));
74
75 gc_free(&gc);
76}
77
78static void
79test_translate_cipher(const char *ciphername, const char *openvpn_name)
80{
81 bool cipher = cipher_valid(ciphername);
82
83 /* Empty cipher is fine */
84 if (!cipher)
85 {
86 return;
87 }
88
89 const char *kt_name = cipher_kt_name(ciphername);
90
91 assert_string_equal(kt_name, openvpn_name);
92}
93
94static void
95test_cipher_names(const char *ciphername, const char *openvpn_name)
96{
97 struct gc_arena gc = gc_new();
98 /* Go through some variants, if the cipher library accepts these, they
99 * should be normalised to the openvpn name */
100 char *upper = string_alloc(ciphername, &gc);
101 char *lower = string_alloc(ciphername, &gc);
102 char *random_case = string_alloc(ciphername, &gc);
103
104 for (int i = 0; i < strlen(ciphername); i++)
105 {
106 upper[i] = (char)toupper((unsigned char)ciphername[i]);
107 lower[i] = (char)tolower((unsigned char)ciphername[i]);
108 if (rand() & 0x1)
109 {
110 random_case[i] = upper[i];
111 }
112 else
113 {
114 random_case[i] = lower[i];
115 }
116 }
117
118 if (!openvpn_name)
119 {
120 openvpn_name = upper;
121 }
122
123 test_translate_cipher(upper, openvpn_name);
124 test_translate_cipher(lower, openvpn_name);
125 test_translate_cipher(random_case, openvpn_name);
126 test_translate_cipher(ciphername, openvpn_name);
127
128
129 gc_free(&gc);
130}
131
132static void
133crypto_translate_cipher_names(void **state)
134{
135 /* Test that a number of ciphers to see that they turn out correctly */
136 test_cipher_names("BF-CBC", NULL);
137 test_cipher_names("BLOWFISH-CBC", "BF-CBC");
138 test_cipher_names("Chacha20-Poly1305", NULL);
139 test_cipher_names("AES-128-GCM", NULL);
140 test_cipher_names("AES-128-CBC", NULL);
141 test_cipher_names("CAMELLIA-128-CFB128", "CAMELLIA-128-CFB");
142 test_cipher_names("id-aes256-GCM", "AES-256-GCM");
143}
144
145
146static const char *ipsumlorem = "Lorem ipsum dolor sit amet, consectetur "
147 "adipisici elit, sed eiusmod tempor incidunt "
148 "ut labore et dolore magna aliqua.";
149
150static void
151crypto_test_tls_prf(void **state)
152{
153 const char *seedstr = "Quis aute iure reprehenderit in voluptate "
154 "velit esse cillum dolore";
155 const unsigned char *seed = (const unsigned char *)seedstr;
156 const size_t seed_len = strlen(seedstr);
157
158
159 const unsigned char *secret = (const unsigned char *)ipsumlorem;
160 size_t secret_len = strlen((const char *)secret);
161
162
163 uint8_t out[32];
164 bool ret = ssl_tls1_PRF(seed, seed_len, secret, secret_len, out, sizeof(out));
165
166#if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL)
167 /* No TLS1 PRF support in these libraries */
168 assert_false(ret);
169#else
170 assert_true(ret);
171 uint8_t good_prf[32] = { 0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, 0x27, 0x91, 0x6a,
172 0xcf, 0xc2, 0xd5, 0x92, 0xfb, 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14,
173 0x59, 0xe6, 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67 };
174 assert_memory_equal(good_prf, out, sizeof(out));
175#endif
176}
177
178static uint8_t testkey[20] = { 0x0b, 0x00 };
179static uint8_t goodhash[20] = { 0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17, 0xed, 0x84,
180 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae, 0x8b, 0xa7, 0x7e, 0xb8 };
181
182static void
183crypto_test_hmac(void **state)
184{
185 hmac_ctx_t *hmac = hmac_ctx_new();
186
187 assert_int_equal(md_kt_size("SHA1"), 20);
188
189 uint8_t key[20];
190 memcpy(key, testkey, sizeof(key));
191
192 hmac_ctx_init(hmac, key, "SHA1");
193 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
194 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
195
196 uint8_t hash[20];
197 hmac_ctx_final(hmac, hash);
198
199 assert_memory_equal(hash, goodhash, sizeof(hash));
200 memset(hash, 0x00, sizeof(hash));
201
202 /* try again */
203 hmac_ctx_reset(hmac);
204 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
205 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
206 hmac_ctx_final(hmac, hash);
207
208 assert_memory_equal(hash, goodhash, sizeof(hash));
209
210 /* Fill our key with random data to ensure it is not used by hmac anymore */
211 memset(key, 0x55, sizeof(key));
212
213 hmac_ctx_reset(hmac);
214 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
215 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int)strlen(ipsumlorem));
216 hmac_ctx_final(hmac, hash);
217
218 assert_memory_equal(hash, goodhash, sizeof(hash));
219 hmac_ctx_cleanup(hmac);
220 hmac_ctx_free(hmac);
221}
222
223/* This test is in test_crypto as it calls into the functions that calculate
224 * the crypto overhead */
225static void
226test_occ_mtu_calculation(void **state)
227{
228 struct gc_arena gc = gc_new();
229
230 struct frame f = { 0 };
231 struct options o = { 0 };
232 size_t linkmtu;
233
234 /* common defaults */
235 o.ce.tun_mtu = 1400;
236 o.ce.proto = PROTO_UDP;
237
238 /* No crypto at all */
239 o.ciphername = "none";
240 o.authname = "none";
241 linkmtu = calc_options_string_link_mtu(&o, &f);
242 assert_int_equal(linkmtu, 1400);
243
244 /* Static key OCC examples */
245 o.shared_secret_file = "not null";
246
247 /* secret, auth none, cipher none */
248 o.ciphername = "none";
249 o.authname = "none";
250 linkmtu = calc_options_string_link_mtu(&o, &f);
251 assert_int_equal(linkmtu, 1408);
252
253 /* secret, cipher AES-128-CBC, auth none */
254 o.ciphername = "AES-128-CBC";
255 o.authname = "none";
256 linkmtu = calc_options_string_link_mtu(&o, &f);
257 assert_int_equal(linkmtu, 1440);
258
259 /* secret, cipher none, auth SHA256 */
260 o.ciphername = "none";
261 o.authname = "SHA256";
262 linkmtu = calc_options_string_link_mtu(&o, &f);
263 assert_int_equal(linkmtu, 1440);
264
265 /* secret, cipher BF-CBC, auth SHA1 */
266 o.ciphername = "BF-CBC";
267 o.authname = "SHA1";
268 linkmtu = calc_options_string_link_mtu(&o, &f);
269 assert_int_equal(linkmtu, 1444);
270
271 /* secret, cipher BF-CBC, auth SHA1, tcp-client */
272 o.ce.proto = PROTO_TCP_CLIENT;
273 linkmtu = calc_options_string_link_mtu(&o, &f);
274 assert_int_equal(linkmtu, 1446);
275
276 o.ce.proto = PROTO_UDP;
277
278#if defined(USE_COMP)
279 o.comp.alg = COMP_ALG_LZO;
280
281 /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1 */
282 linkmtu = calc_options_string_link_mtu(&o, &f);
283 assert_int_equal(linkmtu, 1445);
284
285#if defined(ENABLE_FRAGMENT)
286 /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1, fragment 1200 */
287 o.ce.fragment = 1200;
288 linkmtu = calc_options_string_link_mtu(&o, &f);
289 assert_int_equal(linkmtu, 1449);
290 o.ce.fragment = 0;
291#endif
292
293 o.comp.alg = COMP_ALG_UNDEF;
294#endif
295
296 /* TLS mode */
297 o.shared_secret_file = NULL;
298 o.tls_client = true;
299 o.pull = true;
300
301 /* tls client, cipher AES-128-CBC, auth SHA1, tls-auth */
302 o.authname = "SHA1";
303 o.ciphername = "AES-128-CBC";
304 o.tls_auth_file = "dummy";
305
306 linkmtu = calc_options_string_link_mtu(&o, &f);
307 assert_int_equal(linkmtu, 1457);
308
309 /* tls client, cipher AES-128-CBC, auth SHA1 */
310 o.tls_auth_file = NULL;
311
312 linkmtu = calc_options_string_link_mtu(&o, &f);
313 assert_int_equal(linkmtu, 1457);
314
315 /* tls client, cipher none, auth none */
316 o.authname = "none";
317 o.ciphername = "none";
318
319 linkmtu = calc_options_string_link_mtu(&o, &f);
320 assert_int_equal(linkmtu, 1405);
321
322 /* tls client, auth SHA1, cipher AES-256-GCM */
323 o.authname = "SHA1";
324 o.ciphername = "AES-256-GCM";
325 linkmtu = calc_options_string_link_mtu(&o, &f);
326 assert_int_equal(linkmtu, 1449);
327
328
329#if defined(USE_COMP) && defined(ENABLE_FRAGMENT)
330 o.comp.alg = COMP_ALG_LZO;
331
332 /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes */
333 o.ce.fragment = 1200;
334 linkmtu = calc_options_string_link_mtu(&o, &f);
335 assert_int_equal(linkmtu, 1454);
336
337 /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes, socks */
338 o.ce.socks_proxy_server = "socks.example.com";
339 linkmtu = calc_options_string_link_mtu(&o, &f);
340 assert_int_equal(linkmtu, 1464);
341#endif
342
343 gc_free(&gc);
344}
345
346static void
347test_mssfix_mtu_calculation(void **state)
348{
349 struct gc_arena gc = gc_new();
350
351 struct frame f = { 0 };
352 struct options o = { 0 };
353
354 /* common defaults */
355 o.ce.tun_mtu = 1400;
356 o.ce.mssfix = 1000;
357 o.ce.proto = PROTO_UDP;
358
359 /* No crypto at all */
360 o.ciphername = "none";
361 o.authname = "none";
362 struct key_type kt;
363 init_key_type(&kt, o.ciphername, o.authname, false, false);
364
365 /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */
366 frame_calculate_dynamic(&f, &kt, &o, NULL);
367 assert_int_equal(f.mss_fix, 952);
368
369 /* Static key OCC examples */
370 o.shared_secret_file = "not null";
371
372 /* secret, auth none, cipher none */
373 o.ciphername = "none";
374 o.authname = "none";
375 init_key_type(&kt, o.ciphername, o.authname, false, false);
376 frame_calculate_dynamic(&f, &kt, &o, NULL);
377 assert_int_equal(f.mss_fix, 952);
378
379 /* secret, cipher AES-128-CBC, auth none */
380 o.ciphername = "AES-128-CBC";
381 o.authname = "none";
382 init_key_type(&kt, o.ciphername, o.authname, false, false);
383
384 for (int i = 990; i <= 1010; i++)
385 {
386 /* 992 - 1008 should end up with the same mssfix value all they
387 * all result in the same CBC block size/padding and <= 991 and >=1008
388 * should be one block less and more respectively */
389 o.ce.mssfix = i;
390 frame_calculate_dynamic(&f, &kt, &o, NULL);
391 if (i <= 991)
392 {
393 assert_int_equal(f.mss_fix, 911);
394 }
395 else if (i >= 1008)
396 {
397 assert_int_equal(f.mss_fix, 943);
398 }
399 else
400 {
401 assert_int_equal(f.mss_fix, 927);
402 }
403 }
404#ifdef USE_COMP
405 o.comp.alg = COMP_ALG_LZO;
406
407 /* Same but with compression added. Compression adds one byte extra to the
408 * payload so the payload should be reduced by compared to the no
409 * compression calculation before */
410 for (int i = 990; i <= 1010; i++)
411 {
412 /* 992 - 1008 should end up with the same mssfix value all they
413 * all result in the same CBC block size/padding and <= 991 and >=1008
414 * should be one block less and more respectively */
415 o.ce.mssfix = i;
416 frame_calculate_dynamic(&f, &kt, &o, NULL);
417 if (i <= 991)
418 {
419 assert_int_equal(f.mss_fix, 910);
420 }
421 else if (i >= 1008)
422 {
423 assert_int_equal(f.mss_fix, 942);
424 }
425 else
426 {
427 assert_int_equal(f.mss_fix, 926);
428 }
429 }
430 o.comp.alg = COMP_ALG_UNDEF;
431#endif /* ifdef USE_COMP */
432
433 /* tls client, auth SHA1, cipher AES-256-GCM */
434 o.authname = "SHA1";
435 o.ciphername = "AES-256-GCM";
436 o.tls_client = true;
437 o.peer_id = 77;
438 o.use_peer_id = true;
439 init_key_type(&kt, o.ciphername, o.authname, true, false);
440
441 for (int i = 900; i <= 1200; i++)
442 {
443 /* For stream ciphers, the value should not be influenced by block
444 * sizes or similar but always have the same difference */
445 o.ce.mssfix = i;
446 frame_calculate_dynamic(&f, &kt, &o, NULL);
447
448 /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */
449 assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
450 }
451
452 gc_free(&gc);
453}
454
455void
456crypto_test_aead_limits(void **state)
457{
458 /* if ChaCha20-Poly1305 is not supported by the crypto library or in the
459 * current mode (FIPS), this will still return -1 */
460 assert_int_equal(cipher_get_aead_limits("CHACHA20-POLY1305"), 0);
461
462 int64_t aeslimit = cipher_get_aead_limits("AES-128-GCM");
463
464 assert_int_equal(aeslimit, (1ull << 36) - 1);
465
466 /* Check if this matches our exception for 1600 size packets assuming
467 * AEAD_LIMIT_BLOCKSIZE (128 bits/ 16 bytes). Gives us 100 blocks
468 * + 1 for the packet */
469 int64_t L = 101;
470 /* 2 ^ 29.34, using the result here to avoid linking to libm */
471 assert_int_equal(aeslimit / L, 680390858);
472
473 /* and for 9000, 2^26.86 */
474 L = 563;
475 assert_int_equal(aeslimit / L, 122059461);
476}
477
478void
479crypto_test_hkdf_expand_testa1(void **state)
480{
481 /* RFC 5889 A.1 Test Case 1 */
482 uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
483 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
484 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
485
486 uint8_t info[10] = { 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9 };
487
488 uint8_t okm[42] = { 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
489 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
490 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
491 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65 };
492
493 uint8_t out[42];
494 ovpn_hkdf_expand(prk, info, sizeof(info), out, sizeof(out));
495
496 assert_memory_equal(out, okm, sizeof(out));
497}
498
499void
500crypto_test_hkdf_expand_testa2(void **state)
501{
502 /* RFC 5889 A.2 Test Case 2 */
503 uint8_t prk[32] = { 0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10, 0x4c,
504 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14, 0x90, 0x46,
505 0x71, 0x01, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44 };
506
507 uint8_t info[80] = { 0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb,
508 0xbc, 0xbd, 0xbe, 0xbf, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
509 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3,
510 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
511 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb,
512 0xec, 0xed, 0xee, 0xef, 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
513 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff };
514
515 const int L = 82;
516 uint8_t okm[82] = { 0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1, 0xc8, 0xe7, 0xf7, 0x8c,
517 0x59, 0x6a, 0x49, 0x34, 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
518 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c, 0x59, 0x04, 0x5a, 0x99,
519 0xca, 0xc7, 0x82, 0x72, 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
520 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8, 0x36, 0x77, 0x93, 0xa9,
521 0xac, 0xa3, 0xdb, 0x71, 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
522 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f, 0x1d, 0x87 };
523
524 uint8_t out[82] = { 0xaa };
525 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
526
527 assert_memory_equal(out, okm, L);
528}
529
530void
531crypto_test_hkdf_expand_testa3(void **state)
532{
533 /* RFC 5889 A.3 Test Case 3 */
534 uint8_t prk[32] = { 0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33, 0xa9,
535 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb,
536 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04 };
537
538 uint8_t info[] = {};
539
540 int L = 42;
541 uint8_t okm[42] = { 0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f, 0x71, 0x5f, 0x80,
542 0x2a, 0x06, 0x3c, 0x5a, 0x31, 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1,
543 0x87, 0x9e, 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d, 0x9d,
544 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a, 0x96, 0xc8 };
545
546 uint8_t out[42];
547 ovpn_hkdf_expand(prk, info, 0, out, L);
548
549 assert_memory_equal(out, okm, L);
550}
551
552void
553crypto_test_hkdf_expand_test_ovpn(void **state)
554{
555 /* tests the HDKF with a label/okm that OpenVPN itself uses in OpenSSL 3
556 * HDKF unit test*/
557
558 uint8_t prk[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
559 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
560 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
561
562 uint8_t info[18] = { 0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20, 0x75,
563 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73, 0x74, 0x00 };
564
565 int L = 27;
566 uint8_t okm[27] = { 0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80, 0xb8,
567 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8, 0xe8, 0xec,
568 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0, 0x6a, 0x83, 0xac };
569
570 uint8_t out[27];
571 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
572
573 assert_memory_equal(out, okm, L);
574}
575
576void
577crypto_test_ovpn_label_expand(void **state)
578{
579 uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
580 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
581 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
582
583 const uint8_t *label = (const uint8_t *)("unit test");
584 uint8_t out[16];
585 ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out, sizeof(out));
586
587 uint8_t out_expected[16] = { 0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
588 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46 };
589
590 assert_memory_equal(out, out_expected, 16);
591}
592
593#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
594/* We have OpenSSL 3.0+, we test if their implementation matches our
595 * implementation. We currently do not use this code from the crypto library
596 * in the main code yet as we don't want to repeat the mess that the current
597 * openvpn_PRF ifdef maze */
598
599bool
600ossl_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len,
601 const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
602{
603 OSSL_LIB_CTX *libctx = NULL;
604 const char *properties = NULL;
605
606 const uint8_t *label_prefix = (const uint8_t *)("ovpn ");
607 const size_t label_prefix_len = 5;
608
609 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, properties);
610 assert_non_null(kdf);
611
612 const char *mdname = "SHA-256";
613
614 size_t hashlen = SHA256_DIGEST_LENGTH;
615
616 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
617 assert_non_null(kctx);
618
619 OSSL_PARAM params[7];
620 OSSL_PARAM *p = params;
621
622 int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
623
624 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
625 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, (char *)mdname, 0);
626 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY, (unsigned char *)secret, hashlen);
627 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX, (unsigned char *)label_prefix,
628 label_prefix_len);
629 *p++ =
630 OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL, (unsigned char *)label, label_len);
631
632 *p++ = OSSL_PARAM_construct_end();
633
634 int ret = EVP_KDF_derive(kctx, out, out_len, params);
635 EVP_KDF_CTX_free(kctx);
636 EVP_KDF_free(kdf);
637
638 assert_int_equal(ret, 1);
639 return true;
640}
641
642void
643crypto_test_ovpn_expand_openssl3(void **state)
644{
645 uint8_t secret[32] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc, 0x3f,
646 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f,
647 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };
648
649 const uint8_t *label = (const uint8_t *)("unit test");
650 const size_t labellen = 9;
651 uint8_t out[27];
652
653 ossl_expand_label(secret, sizeof(secret), label, labellen, NULL, 0, out, sizeof(out));
654
655 /* Do the same derivation with our own function */
656 uint8_t out_ovpn[27];
657
658 ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out_ovpn, sizeof(out_ovpn));
659 assert_memory_equal(out_ovpn, out, sizeof(out_ovpn));
660}
661
662#else /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
663void
664crypto_test_ovpn_expand_openssl3(void **state)
665{
666 skip();
667}
668#endif /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
669
670struct epoch_test_state
671{
672 struct key_type kt;
673 struct gc_arena gc;
674 struct crypto_options co;
675};
676
677static int
678crypto_test_epoch_setup(void **state)
679{
680 int *num_future_keys = (int *)*state;
681 struct epoch_test_state *data = calloc(1, sizeof(struct epoch_test_state));
682
683 data->gc = gc_new();
684
685 init_key_type(&data->kt, "AES-128-GCM", "none", true, false);
686
687 /* have an epoch key that uses 0x23 for the key for all bytes */
688 struct epoch_key epoch1send = { .epoch = 1, .epoch_key = { 0x23 } };
689 struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = { 0x27 } };
690
691 epoch_init_key_ctx(&data->co, &data->kt, &epoch1send, &epoch1recv, *num_future_keys);
692
693 *state = data;
694 return 0;
695}
696
697static int
698crypto_test_epoch_teardown(void **state)
699{
700 struct epoch_test_state *data = *state;
701 free_epoch_key_ctx(&data->co);
702 free_key_ctx_bi(&data->co.key_ctx_bi);
703 gc_free(&data->gc);
704 free(*state);
705 return 0;
706}
707
708void
709crypto_test_epoch_key_generation(void **state)
710{
711 struct epoch_test_state *data = *state;
712 struct crypto_options *co = &data->co;
713
714 /* check the keys look like expect */
715 assert_int_equal(co->epoch_data_keys_future[0].epoch, 2);
716 assert_int_equal(co->epoch_data_keys_future[15].epoch, 17);
717 assert_int_equal(co->epoch_key_send.epoch, 1);
718 assert_int_equal(co->epoch_key_recv.epoch, 17);
719
720 /* Now replace the recv key with the 6th future key (epoch = 8) */
721 free_key_ctx(&co->key_ctx_bi.decrypt);
722 assert_int_equal(co->epoch_data_keys_future[6].epoch, 8);
723 co->key_ctx_bi.decrypt = co->epoch_data_keys_future[6];
724 CLEAR(co->epoch_data_keys_future[6]);
725
726 epoch_generate_future_receive_keys(co);
727 assert_int_equal(co->epoch_data_keys_future[0].epoch, 9);
728 assert_int_equal(co->epoch_data_keys_future[15].epoch, 24);
729}
730
731
732void
733crypto_test_epoch_key_rotation(void **state)
734{
735 struct epoch_test_state *data = *state;
736 struct crypto_options *co = &data->co;
737
738 /* should replace send + key recv */
739 epoch_replace_update_recv_key(co, 9);
740
741 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 9);
742 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 9);
743 assert_int_equal(co->epoch_key_send.epoch, 9);
744 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 1);
745
746 /* Iterate the data send key four times to get it to 13 */
747 for (int i = 0; i < 4; i++)
748 {
749 epoch_iterate_send_key(co);
750 }
751 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
752
753 epoch_replace_update_recv_key(co, 10);
754 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 10);
755 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
756 assert_int_equal(co->epoch_key_send.epoch, 13);
757 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 9);
758
759 epoch_replace_update_recv_key(co, 12);
760 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 12);
761 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
762 assert_int_equal(co->epoch_key_send.epoch, 13);
763 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 10);
764
765 epoch_iterate_send_key(co);
766 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 14);
767}
768
769void
770crypto_test_epoch_key_receive_lookup(void **state)
771{
772 struct epoch_test_state *data = *state;
773 struct crypto_options *co = &data->co;
774
775 /* lookup some wacky things that should fail */
776 assert_null(epoch_lookup_decrypt_key(co, 2000));
777 assert_null(epoch_lookup_decrypt_key(co, -1));
778 assert_null(epoch_lookup_decrypt_key(co, 0xefff));
779
780 /* Lookup the edges of the current window */
781 assert_null(epoch_lookup_decrypt_key(co, 0));
782 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 0);
783 assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
784 assert_int_equal(epoch_lookup_decrypt_key(co, 2)->epoch, 2);
785 assert_int_equal(epoch_lookup_decrypt_key(co, 13)->epoch, 13);
786 assert_int_equal(epoch_lookup_decrypt_key(co, 14)->epoch, 14);
787 assert_null(epoch_lookup_decrypt_key(co, 15));
788
789 /* Should move 1 to retiring key but leave 2-6 undefined, 7 as
790 * active and 8-20 as future keys*/
791 epoch_replace_update_recv_key(co, 7);
792
793 assert_null(epoch_lookup_decrypt_key(co, 0));
794 assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
795 assert_ptr_equal(epoch_lookup_decrypt_key(co, 1), &co->epoch_retiring_data_receive_key);
796
797 assert_null(epoch_lookup_decrypt_key(co, 2));
798 assert_null(epoch_lookup_decrypt_key(co, 3));
799 assert_null(epoch_lookup_decrypt_key(co, 4));
800 assert_null(epoch_lookup_decrypt_key(co, 5));
801 assert_null(epoch_lookup_decrypt_key(co, 6));
802 assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
803 assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
804 assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
805 assert_null(epoch_lookup_decrypt_key(co, 21));
806 assert_null(epoch_lookup_decrypt_key(co, 22));
807
808
809 /* Should move 7 to retiring key and have 8 as active key and
810 * 9-21 as future keys */
811 epoch_replace_update_recv_key(co, 8);
812 assert_null(epoch_lookup_decrypt_key(co, 0));
813 assert_null(epoch_lookup_decrypt_key(co, 1));
814 assert_null(epoch_lookup_decrypt_key(co, 2));
815 assert_null(epoch_lookup_decrypt_key(co, 3));
816 assert_null(epoch_lookup_decrypt_key(co, 4));
817 assert_null(epoch_lookup_decrypt_key(co, 5));
818 assert_null(epoch_lookup_decrypt_key(co, 6));
819 assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
820 assert_ptr_equal(epoch_lookup_decrypt_key(co, 7), &co->epoch_retiring_data_receive_key);
821 assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
822 assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
823 assert_int_equal(epoch_lookup_decrypt_key(co, 21)->epoch, 21);
824 assert_null(epoch_lookup_decrypt_key(co, 22));
825 assert_null(epoch_lookup_decrypt_key(co, 23));
826}
827
828void
829crypto_test_epoch_key_overflow(void **state)
830{
831 struct epoch_test_state *data = *state;
832 struct crypto_options *co = &data->co;
833
834 /* Modify the receive epoch and keys to have a very high epoch to test
835 * the end of array. Iterating through all 65k keys takes a 2-3s, so we
836 * avoid this for the unit test */
837 co->key_ctx_bi.decrypt.epoch = 65500;
838 co->key_ctx_bi.encrypt.epoch = 65500;
839
840 co->epoch_key_send.epoch = 65500;
841 co->epoch_key_recv.epoch = 65500 + co->epoch_data_keys_future_count;
842
843 for (uint16_t i = 0; i < co->epoch_data_keys_future_count; i++)
844 {
845 co->epoch_data_keys_future[i].epoch = 65501 + i;
846 }
847
848 /* Move the last few keys until we are close to the limit */
849 while (co->key_ctx_bi.decrypt.epoch < (UINT16_MAX - 40))
850 {
851 epoch_replace_update_recv_key(co, co->key_ctx_bi.decrypt.epoch + 10);
852 }
853
854 /* Looking up this key should still work as it will not break the limit
855 * when generating keys */
856 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 34)->epoch, UINT16_MAX - 34);
857 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
858
859 /* This key is no longer eligible for decrypting as the 32 future keys
860 * would be larger than uint16_t maximum */
861 assert_int_equal(co->epoch_data_keys_future_count, 32);
862 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - co->epoch_data_keys_future_count));
863 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
864
865 /* Check that moving to the last possible epoch works */
866 epoch_replace_update_recv_key(co, UINT16_MAX - 33);
867 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
868 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - 32));
869 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
870}
871
872void
873epoch_test_derive_data_key(void **state)
874{
875 struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 } };
876 struct key_type kt = { 0 };
877 struct key_parameters key_parameters = { 0 };
878 init_key_type(&kt, "AES-192-GCM", "none", true, false);
879
880
881 epoch_data_key_derive(&key_parameters, &e17, &kt);
882
883 assert_int_equal(key_parameters.cipher_size, 24);
884 assert_int_equal(key_parameters.hmac_size, 12);
885
886 uint8_t exp_cipherkey[24] = { 0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
887 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
888 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a };
889
890 uint8_t exp_impl_iv[12] = { 0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32,
891 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e };
892
893 assert_memory_equal(key_parameters.cipher, exp_cipherkey, sizeof(exp_cipherkey));
894 assert_memory_equal(key_parameters.hmac, exp_impl_iv, sizeof(exp_impl_iv));
895}
896
897int
898main(void)
899{
900 int prestate_num13 = 13;
901 int prestate_num16 = 16;
902 int prestate_num32 = 32;
903
904 openvpn_unit_test_setup();
905 const struct CMUnitTest tests[] = {
906 cmocka_unit_test(crypto_pem_encode_decode_loopback),
907 cmocka_unit_test(crypto_translate_cipher_names),
908 cmocka_unit_test(crypto_test_tls_prf),
909 cmocka_unit_test(crypto_test_hmac),
910 cmocka_unit_test(test_occ_mtu_calculation),
911 cmocka_unit_test(test_mssfix_mtu_calculation),
912 cmocka_unit_test(crypto_test_aead_limits),
913 cmocka_unit_test(crypto_test_hkdf_expand_testa1),
914 cmocka_unit_test(crypto_test_hkdf_expand_testa2),
915 cmocka_unit_test(crypto_test_hkdf_expand_testa3),
916 cmocka_unit_test(crypto_test_hkdf_expand_test_ovpn),
917 cmocka_unit_test(crypto_test_ovpn_label_expand),
918 cmocka_unit_test(crypto_test_ovpn_expand_openssl3),
919 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_generation,
920 crypto_test_epoch_setup,
921 crypto_test_epoch_teardown, &prestate_num16),
922 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_rotation,
923 crypto_test_epoch_setup,
924 crypto_test_epoch_teardown, &prestate_num13),
925 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_receive_lookup,
926 crypto_test_epoch_setup,
927 crypto_test_epoch_teardown, &prestate_num13),
928 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_overflow,
929 crypto_test_epoch_setup,
930 crypto_test_epoch_teardown, &prestate_num32),
931 cmocka_unit_test(epoch_test_derive_data_key)
932 };
933
934#if defined(ENABLE_CRYPTO_OPENSSL)
935 OpenSSL_add_all_algorithms();
936#endif
937
938 int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL);
939
940#if defined(ENABLE_CRYPTO_OPENSSL)
941 EVP_cleanup();
942#endif
943
944 return ret;
945}
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
BPTR
#define BPTR(buf)
Definition buffer.h:123
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
BLEN
#define BLEN(buf)
Definition buffer.h:126
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1015
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1007
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1094
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:869
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:338
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1075
crypto.h
Data Channel Cryptography Module.
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, size_t seed_len, const uint8_t *secret, size_t secret_len, uint8_t *output, size_t output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1402
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition crypto_openssl.c:1181
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
crypto_pem_decode
bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
Decode a PEM buffer to binary data.
Definition crypto_openssl.c:524
cipher_valid
static bool cipher_valid(const char *ciphername)
Returns if the cipher is valid, based on the given cipher name.
Definition crypto_backend.h:205
hmac_ctx_free
void hmac_ctx_free(hmac_ctx_t *ctx)
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:653
hmac_ctx_cleanup
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
md_kt_size
unsigned char md_kt_size(const char *mdname)
Returns the size of the message digest, in bytes.
Definition crypto_openssl.c:1089
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition crypto_openssl.c:496
ovpn_expand_label
bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the following differences/restriction...
Definition crypto_epoch.c:76
epoch_generate_future_receive_keys
void epoch_generate_future_receive_keys(struct crypto_options *co)
Generates and fills the epoch_data_keys_future with next valid future keys in crypto_options using th...
Definition crypto_epoch.c:201
epoch_replace_update_recv_key
void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
This is called when the peer uses a new send key that is not the default key.
Definition crypto_epoch.c:272
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:325
epoch_lookup_decrypt_key
struct key_ctx * epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch)
Using an epoch, this function will try to retrieve a decryption key context that matches that epoch f...
Definition crypto_epoch.c:361
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:340
epoch_data_key_derive
void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt)
Generate a data channel key pair from the epoch key.
Definition crypto_epoch.c:138
ovpn_hkdf_expand
void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, int out_len)
Implementation of the RFC5869 HKDF-Expand function with the following restrictions.
Definition crypto_epoch.c:42
epoch_iterate_send_key
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to use the next epoch.
Definition crypto_epoch.c:263
crypto_epoch.h
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition crypto_mbedtls.h:47
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:78
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:322
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:147
OSSL_LIB_CTX
void OSSL_LIB_CTX
Definition openssl_compat.h:127
CLEAR
#define CLEAR(x)
Definition basic.h:32
PROTO_UDP
@ PROTO_UDP
Definition socket_util.h:177
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket_util.h:180
ssl_backend.h
Control Channel SSL library backend module.
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:60
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:65
compress_options::alg
int alg
Definition comp.h:76
connection_entry::mssfix
int mssfix
Definition options.h:141
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:120
connection_entry::fragment
int fragment
Definition options.h:138
connection_entry::proto
int proto
Definition options.h:106
connection_entry::tun_mtu
int tun_mtu
Definition options.h:124
context
Contains all state information for one tunnel.
Definition openvpn.h:474
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:293
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:302
crypto_options::epoch_retiring_data_receive_key
struct key_ctx epoch_retiring_data_receive_key
The old key before the sender switched to a new epoch data key.
Definition crypto.h:328
crypto_options::epoch_data_keys_future
struct key_ctx * epoch_data_keys_future
Keeps the future epoch data keys for decryption.
Definition crypto.h:322
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:294
crypto_options::epoch_data_keys_future_count
uint16_t epoch_data_keys_future_count
number of keys stored in epoch_data_keys_future
Definition crypto.h:325
crypto_options::epoch_key_recv
struct epoch_key epoch_key_recv
epoch_key used for the highest receive epoch keys
Definition crypto.h:305
epoch_key
Definition crypto.h:192
epoch_key::epoch
uint16_t epoch
Definition crypto.h:194
epoch_test_state
Definition test_crypto.c:671
epoch_test_state::co
struct crypto_options co
Definition test_crypto.c:674
epoch_test_state::kt
struct key_type kt
Definition test_crypto.c:672
epoch_test_state::gc
struct gc_arena gc
Definition test_crypto.c:673
frame
Packet geometry parameters.
Definition mtu.h:103
frame::mss_fix
uint16_t mss_fix
The actual MSS value that should be written to the payload packets.
Definition mtu.h:124
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:116
hash
Definition list.h:56
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:283
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:281
key_ctx::epoch
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
Definition crypto.h:228
key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:163
key_parameters::hmac_size
int hmac_size
Number of bytes set in the HMac key material.
Definition crypto.h:174
key_parameters::cipher_size
int cipher_size
Number of bytes set in the cipher key material.
Definition crypto.h:168
key_parameters::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:171
key_parameters::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:165
key_type
Definition crypto.h:141
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
options::comp
struct compress_options comp
Definition options.h:413
options::tls_auth_file
const char * tls_auth_file
Definition options.h:666
options::use_peer_id
bool use_peer_id
Definition options.h:704
options::authname
const char * authname
Definition options.h:582
options::peer_id
uint32_t peer_id
Definition options.h:705
options::ce
struct connection_entry ce
Definition options.h:290
options::ciphername
const char * ciphername
Definition options.h:576
options::pull
bool pull
Definition options.h:559
options::tls_client
bool tls_client
Definition options.h:596
options::shared_secret_file
const char * shared_secret_file
Definition options.h:572
test_common.h
openvpn_unit_test_setup
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
Definition test_common.h:35
crypto_test_ovpn_label_expand
void crypto_test_ovpn_label_expand(void **state)
Definition test_crypto.c:577
crypto_test_hkdf_expand_testa2
void crypto_test_hkdf_expand_testa2(void **state)
Definition test_crypto.c:500
test_mssfix_mtu_calculation
static void test_mssfix_mtu_calculation(void **state)
Definition test_crypto.c:347
crypto_test_hkdf_expand_testa1
void crypto_test_hkdf_expand_testa1(void **state)
Definition test_crypto.c:479
testkey
static uint8_t testkey[20]
Definition test_crypto.c:178
test_cipher_names
static void test_cipher_names(const char *ciphername, const char *openvpn_name)
Definition test_crypto.c:95
crypto_test_hkdf_expand_testa3
void crypto_test_hkdf_expand_testa3(void **state)
Definition test_crypto.c:531
crypto_test_ovpn_expand_openssl3
void crypto_test_ovpn_expand_openssl3(void **state)
Definition test_crypto.c:664
test_translate_cipher
static void test_translate_cipher(const char *ciphername, const char *openvpn_name)
Definition test_crypto.c:79
crypto_translate_cipher_names
static void crypto_translate_cipher_names(void **state)
Definition test_crypto.c:133
crypto_test_epoch_key_receive_lookup
void crypto_test_epoch_key_receive_lookup(void **state)
Definition test_crypto.c:770
crypto_test_epoch_key_rotation
void crypto_test_epoch_key_rotation(void **state)
Definition test_crypto.c:733
goodhash
static uint8_t goodhash[20]
Definition test_crypto.c:179
testtext
static const char testtext[]
Definition test_crypto.c:50
crypto_test_epoch_teardown
static int crypto_test_epoch_teardown(void **state)
Definition test_crypto.c:698
crypto_test_hmac
static void crypto_test_hmac(void **state)
Definition test_crypto.c:183
crypto_test_aead_limits
void crypto_test_aead_limits(void **state)
Definition test_crypto.c:456
main
int main(void)
Definition test_crypto.c:898
crypto_pem_encode_decode_loopback
static void crypto_pem_encode_decode_loopback(void **state)
Definition test_crypto.c:53
crypto_test_epoch_key_generation
void crypto_test_epoch_key_generation(void **state)
Definition test_crypto.c:709
ipsumlorem
static const char * ipsumlorem
Definition test_crypto.c:146
crypto_test_epoch_setup
static int crypto_test_epoch_setup(void **state)
Definition test_crypto.c:678
epoch_test_derive_data_key
void epoch_test_derive_data_key(void **state)
Definition test_crypto.c:873
crypto_test_epoch_key_overflow
void crypto_test_epoch_key_overflow(void **state)
Definition test_crypto.c:829
crypto_test_tls_prf
static void crypto_test_tls_prf(void **state)
Definition test_crypto.c:151
test_occ_mtu_calculation
static void test_occ_mtu_calculation(void **state)
Definition test_crypto.c:226
crypto_test_hkdf_expand_test_ovpn
void crypto_test_hkdf_expand_test_ovpn(void **state)
Definition test_crypto.c:553
i
int i
Definition test_push_update_msg.c:120
gc
struct gc_arena gc
Definition test_ssl.c:154
Generated by doxygen 1.9.8