tls_crypt.h

Go to the documentation of this file.

/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */
 
#ifndef TLSCRYPT_H
#define TLSCRYPT_H
 
#include "base64.h"
#include "buffer.h"
#include "crypto.h"
#include "session_id.h"
#include "ssl_common.h"
 
#define TLS_CRYPT_TAG_SIZE (256/8)
#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
#define TLS_CRYPT_BLOCK_SIZE (128/8)
 
#define TLS_CRYPT_OFF_PID (1 + SID_SIZE)
#define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE)
#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
 
#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
#define TLS_CRYPT_V2_CLIENT_KEY_LEN (2048 / 8)
#define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
#define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
                                                 - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
                                                    + sizeof(uint16_t)))
 
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
                        const char *key_file, bool key_inline, bool tls_server);
 
bool
tls_session_generate_dynamic_tls_crypt_key(struct tls_session *session);
 
int tls_crypt_buf_overhead(void);
 
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
                    struct crypto_options *opt);
 
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
                      struct crypto_options *opt);
 
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
                                  const char *key_file, bool key_inline);
 
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key,
                                  struct key2 *original_key,
                                  struct buffer *wrapped_key_buf,
                                  const char *key_file, bool key_inline);
 
bool tls_crypt_v2_extract_client_key(struct buffer *buf,
                                     struct tls_wrap_ctx *ctx,
                                     const struct tls_options *opt);
 
void tls_crypt_v2_write_server_key_file(const char *filename);
 
void tls_crypt_v2_write_client_key_file(const char *filename,
                                        const char *b64_metadata,
                                        const char *key_file, bool key_inline);
 
#endif /* TLSCRYPT_H */