OpenVPN 3 Core Library
Loading...
Searching...
No Matches
cryptodc.hpp
Go to the documentation of this file.
1// OpenVPN -- An application to securely tunnel IP networks
2// over a single port, with support for SSL/TLS-based
3// session authentication and key exchange,
4// packet encryption, packet authentication, and
5// packet compression.
6//
7// Copyright (C) 2012- OpenVPN Inc.
8//
9// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
10//
11
12// Base class for OpenVPN data channel encryption/decryption
13
14#ifndef OPENVPN_CRYPTO_CRYPTODC_H
15#define OPENVPN_CRYPTO_CRYPTODC_H
16
17#include <utility> // for std::move
18#include <cstdint> // for std::uint32_t, etc.
19
20#include <openvpn/common/exception.hpp>
21#include <openvpn/buffer/buffer.hpp>
22#include <openvpn/error/error.hpp>
23#include <openvpn/common/rc.hpp>
24#include <openvpn/frame/frame.hpp>
25#include <openvpn/crypto/static_key.hpp>
26#include <openvpn/crypto/packet_id_control.hpp>
27#include <openvpn/crypto/cryptoalgs.hpp>
28#include <openvpn/compress/compress.hpp>
29
30namespace openvpn {
31
32// Base class for encryption/decryption of data channel
33class CryptoDCInstance : public RC<thread_unsafe_refcount>
34{
35 public:
36 using Ptr = RCPtr<CryptoDCInstance>;
37
38 // Encrypt/Decrypt
39
40 // returns true if packet ID is close to wrapping
41 virtual bool encrypt(BufferAllocated &buf, const unsigned char *op32) = 0;
42
43 virtual Error::Type decrypt(BufferAllocated &buf, std::time_t now, const unsigned char *op32) = 0;
44
45 // Initialization
46
47 // return value of defined()
48 enum
49 {
50 CIPHER_DEFINED = (1 << 0), // may call init_cipher method
51 HMAC_DEFINED = (1 << 1), // may call init_hmac method
52 CRYPTO_DEFINED = (1 << 2), // may call encrypt or decrypt methods
53 EXPLICIT_EXIT_NOTIFY_DEFINED = (1 << 3) // may call explicit_exit_notify method
54 };
55 virtual unsigned int defined() const = 0;
56
57
62 virtual void init_cipher(StaticKey &&encrypt_key,
63 StaticKey &&decrypt_key) = 0;
64
65 virtual void init_hmac(StaticKey &&encrypt_key,
66 StaticKey &&decrypt_key) = 0;
67
68 virtual void init_pid(const char *recv_name,
69 const int recv_unit,
70 const SessionStats::Ptr &recv_stats_arg) = 0;
71
72 virtual void init_remote_peer_id(const int remote_peer_id)
73 {
74 }
75
76 virtual bool consider_compression(const CompressContext &comp_ctx) = 0;
77
78 virtual void explicit_exit_notify()
79 {
80 }
81
82 // Rekeying
83
93
94 virtual void rekey(const RekeyType type) = 0;
95};
96
98class CryptoDCSettingsData
99{
100 public:
101 OPENVPN_SIMPLE_EXCEPTION(no_data_channel_factory);
102
107
112
113 void set_use_epoch_keys(bool use_epoch)
114 {
115 use_epoch_keys = use_epoch;
116 }
117
118 CryptoAlgs::Type cipher() const
119 {
120 return cipher_;
121 }
122
134
135 bool useEpochKeys() const
136 {
137 return use_epoch_keys;
138 }
139
140 void set_key_derivation(CryptoAlgs::KeyDerivation method)
141 {
142 key_derivation_ = method;
143 }
144
149
150
151 private:
152 CryptoAlgs::Type cipher_ = CryptoAlgs::NONE;
153 CryptoAlgs::Type digest_ = CryptoAlgs::NONE;
154 CryptoAlgs::KeyDerivation key_derivation_ = CryptoAlgs::KeyDerivation::OPENVPN_PRF;
155 bool use_epoch_keys = false;
156};
157
158// Factory for CryptoDCInstance objects
159class CryptoDCContext : public RC<thread_unsafe_refcount>
160{
161 public:
162 explicit CryptoDCContext(const CryptoAlgs::KeyDerivation method)
163 : key_derivation(method)
164 {
165 }
166
167 using Ptr = RCPtr<CryptoDCContext>;
168
169 virtual CryptoDCInstance::Ptr new_obj(const unsigned int key_id) = 0;
170
171 virtual CryptoDCSettingsData crypto_info() = 0;
172
173 // Info for ProtoContext::link_mtu_adjust
174 virtual size_t encap_overhead() const = 0;
175
176 protected:
177 CryptoAlgs::KeyDerivation key_derivation = CryptoAlgs::KeyDerivation::OPENVPN_PRF;
178};
179
180// Factory for CryptoDCContext objects
181class CryptoDCFactory : public RC<thread_unsafe_refcount>
182{
183 public:
184 using Ptr = RCPtr<CryptoDCFactory>;
185
186 virtual CryptoDCContext::Ptr new_obj(const CryptoDCSettingsData) = 0;
187};
188
189
190// Manage cipher/digest settings, DC factory, and DC context.
191class CryptoDCSettings : public CryptoDCSettingsData
192{
193 public:
194 OPENVPN_SIMPLE_EXCEPTION(no_data_channel_factory);
195
196 void set_factory(const CryptoDCFactory::Ptr &factory)
197 {
198 factory_ = factory;
199 context_.reset();
200 dirty = false;
201 }
202
203 void set_cipher(const CryptoAlgs::Type new_cipher)
204 {
205 if (new_cipher != cipher())
206 {
207 CryptoDCSettingsData::set_cipher(new_cipher);
208 dirty = true;
209 }
210 }
211
212 void set_digest(const CryptoAlgs::Type new_digest)
213 {
214 if (new_digest != digest())
215 {
216 CryptoDCSettingsData::set_digest(new_digest);
217 dirty = true;
218 }
219 }
220
221 void set_use_epoch_keys(bool at_the_end)
222 {
223 if (at_the_end != useEpochKeys())
224 {
225 CryptoDCSettingsData::set_use_epoch_keys(at_the_end);
226 dirty = true;
227 }
228 }
229
230 CryptoDCContext &context()
231 {
232 if (!context_ || dirty)
233 {
234 if (!factory_)
235 throw no_data_channel_factory();
236 context_ = factory_->new_obj(*this);
237 dirty = false;
238 }
239 return *context_;
240 }
241
242 void reset()
243 {
244 factory_.reset();
245 context_.reset();
246 dirty = false;
247 }
248
249 [[nodiscard]] CryptoDCFactory::Ptr factory() const
250 {
251 return factory_;
252 }
253
254 private:
255 bool dirty = false;
256 CryptoDCFactory::Ptr factory_;
257 CryptoDCContext::Ptr context_;
258};
259} // namespace openvpn
260
261#endif
openvpn::CryptoDCContext::crypto_info
virtual CryptoDCSettingsData crypto_info()=0
openvpn::CryptoDCContext::new_obj
virtual CryptoDCInstance::Ptr new_obj(const unsigned int key_id)=0
openvpn::CryptoDCContext::CryptoDCContext
CryptoDCContext(const CryptoAlgs::KeyDerivation method)
Definition cryptodc.hpp:162
openvpn::CryptoDCContext::key_derivation
CryptoAlgs::KeyDerivation key_derivation
Definition cryptodc.hpp:177
openvpn::CryptoDCContext::encap_overhead
virtual size_t encap_overhead() const =0
openvpn::CryptoDCFactory::new_obj
virtual CryptoDCContext::Ptr new_obj(const CryptoDCSettingsData)=0
openvpn::CryptoDCInstance::explicit_exit_notify
virtual void explicit_exit_notify()
Definition cryptodc.hpp:78
openvpn::CryptoDCInstance::init_pid
virtual void init_pid(const char *recv_name, const int recv_unit, const SessionStats::Ptr &recv_stats_arg)=0
openvpn::CryptoDCInstance::defined
virtual unsigned int defined() const =0
openvpn::CryptoDCInstance::init_remote_peer_id
virtual void init_remote_peer_id(const int remote_peer_id)
Definition cryptodc.hpp:72
openvpn::CryptoDCInstance::init_hmac
virtual void init_hmac(StaticKey &&encrypt_key, StaticKey &&decrypt_key)=0
openvpn::CryptoDCInstance::rekey
virtual void rekey(const RekeyType type)=0
openvpn::CryptoDCInstance::encrypt
virtual bool encrypt(BufferAllocated &buf, const unsigned char *op32)=0
openvpn::CryptoDCInstance::decrypt
virtual Error::Type decrypt(BufferAllocated &buf, std::time_t now, const unsigned char *op32)=0
openvpn::CryptoDCInstance::consider_compression
virtual bool consider_compression(const CompressContext &comp_ctx)=0
openvpn::CryptoDCInstance::init_cipher
virtual void init_cipher(StaticKey &&encrypt_key, StaticKey &&decrypt_key)=0
openvpn::CryptoDCSettingsData::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(no_data_channel_factory)
openvpn::CryptoDCSettingsData::set_digest
void set_digest(CryptoAlgs::Type digest)
Definition cryptodc.hpp:108
openvpn::CryptoDCSettingsData::cipher
CryptoAlgs::Type cipher() const
Definition cryptodc.hpp:118
openvpn::CryptoDCSettingsData::set_cipher
void set_cipher(CryptoAlgs::Type cipher)
Definition cryptodc.hpp:103
openvpn::CryptoDCSettingsData::key_derivation
CryptoAlgs::KeyDerivation key_derivation() const
Definition cryptodc.hpp:145
openvpn::CryptoDCSettingsData::digest
CryptoAlgs::Type digest() const
Definition cryptodc.hpp:130
openvpn::CryptoDCSettingsData::key_derivation_
CryptoAlgs::KeyDerivation key_derivation_
Definition cryptodc.hpp:154
openvpn::CryptoDCSettingsData::set_key_derivation
void set_key_derivation(CryptoAlgs::KeyDerivation method)
Definition cryptodc.hpp:140
openvpn::CryptoDCSettingsData::set_use_epoch_keys
void set_use_epoch_keys(bool use_epoch)
Definition cryptodc.hpp:113
openvpn::CryptoDCSettings::context
CryptoDCContext & context()
Definition cryptodc.hpp:230
openvpn::CryptoDCSettings::set_use_epoch_keys
void set_use_epoch_keys(bool at_the_end)
Definition cryptodc.hpp:221
openvpn::CryptoDCSettings::factory_
CryptoDCFactory::Ptr factory_
Definition cryptodc.hpp:256
openvpn::CryptoDCSettings::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(no_data_channel_factory)
openvpn::CryptoDCSettings::context_
CryptoDCContext::Ptr context_
Definition cryptodc.hpp:257
openvpn::CryptoDCSettings::set_digest
void set_digest(const CryptoAlgs::Type new_digest)
Definition cryptodc.hpp:212
openvpn::CryptoDCSettings::set_factory
void set_factory(const CryptoDCFactory::Ptr &factory)
Definition cryptodc.hpp:196
openvpn::CryptoDCSettings::factory
CryptoDCFactory::Ptr factory() const
Definition cryptodc.hpp:249
openvpn::CryptoDCSettings::set_cipher
void set_cipher(const CryptoAlgs::Type new_cipher)
Definition cryptodc.hpp:203
openvpn::RCPtr::reset
void reset() noexcept
Points this RCPtr<T> to nullptr safely.
Definition rc.hpp:290
openvpn::RC
Reference count base class for objects tracked by RCPtr. Disallows copying and assignment.
Definition rc.hpp:912
openvpn::CryptoAlgs::use_cipher_digest
bool use_cipher_digest(const Type type)
Definition cryptoalgs.hpp:398
packet_id_control.hpp
static_key.hpp