openvpn3/decrypt__chm_8hpp_source.html

//    OpenVPN -- An application to securely tunnel IP networks

//               over a single port, with support for SSL/TLS-based

//               session authentication and key exchange,

//               packet encryption, packet authentication, and

//               packet compression.

//

//    Copyright (C) 2012- OpenVPN Inc.

//

//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception

//


// General-purpose OpenVPN protocol decrypt method (CBC/HMAC) that is independent of the underlying CRYPTO_API


#ifndef OPENVPN_CRYPTO_DECRYPT_CHM_H

#define OPENVPN_CRYPTO_DECRYPT_CHM_H


#include <cstring>


#include <openvpn/common/size.hpp>

#include <openvpn/common/exception.hpp>

#include <openvpn/common/memneq.hpp>

#include <openvpn/buffer/buffer.hpp>

#include <openvpn/frame/frame.hpp>

#include <openvpn/crypto/cipher.hpp>

#include <openvpn/crypto/ovpnhmac.hpp>

#include <openvpn/crypto/static_key.hpp>

#include <openvpn/crypto/packet_id_control.hpp>

#include <openvpn/log/sessionstats.hpp>


namespace openvpn {


template <typename CRYPTO_API>


class DecryptCHM

{

  public:

    OPENVPN_SIMPLE_EXCEPTION(chm_unsupported_cipher_mode);


    Error::Type decrypt(BufferAllocated &buf, const std::time_t now)

    {

        // skip null packets

        if (!buf.size())

            return Error::SUCCESS;


        // verify the HMAC

        if (hmac.defined())

        {

            unsigned char local_hmac[CRYPTO_API::HMACContext::MAX_HMAC_SIZE];

            const size_t hmac_size = hmac.output_size();

            const unsigned char *packet_hmac = buf.read_alloc(hmac_size);

            hmac.hmac(local_hmac, hmac_size, buf.c_data(), buf.size());

            if (crypto::memneq(local_hmac, packet_hmac, hmac_size))

            {

                buf.reset_size();

                return Error::HMAC_ERROR;

            }

        }


        // decrypt packet ID + payload

        if (cipher.defined())

        {

            unsigned char iv_buf[CRYPTO_API::CipherContext::MAX_IV_LENGTH];

            const size_t iv_length = cipher.iv_length();


            // extract IV from head of packet

            buf.read(iv_buf, iv_length);


            // initialize work buffer

            frame->prepare(Frame::DECRYPT_WORK, work);


            // decrypt from buf -> work

            const size_t decrypt_bytes = cipher.decrypt(iv_buf, work.data(), work.max_size(), buf.c_data(), buf.size());

            if (!decrypt_bytes)

            {

                buf.reset_size();

                return Error::DECRYPT_ERROR;

            }

            work.set_size(decrypt_bytes);


            // handle different cipher modes

            const int cipher_mode = cipher.cipher_mode();

            if (cipher_mode == CRYPTO_API::CipherContext::CIPH_CBC_MODE)

            {

                if (!verify_packet_id(work, now))

                {

                    buf.reset_size();

                    return Error::REPLAY_ERROR;

                }

            }

            else

            {

                throw chm_unsupported_cipher_mode();

            }


            // return cleartext result in buf

            buf.swap(work);

        }

        else // no encryption

        {

            if (!verify_packet_id(buf, now))

            {

                buf.reset_size();

                return Error::REPLAY_ERROR;

            }

        }

        return Error::SUCCESS;

    }


    Frame::Ptr frame;

    CipherContext<CRYPTO_API> cipher;

    OvpnHMAC<CRYPTO_API> hmac;

    PacketIDDataReceive pid_recv;

    SessionStats::Ptr stats;


  private:


    bool verify_packet_id(BufferAllocated &buf, const std::time_t now)

    {

        const PacketIDData pid = pid_recv.read_next(buf);

        return pid_recv.test_add(pid, now, stats);

    }


    BufferAllocated work;

};


} // namespace openvpn


#endif // OPENVPN_CRYPTO_DECRYPT_H

buffer.hpp

openvpn::BufferAllocatedType< unsigned char >

openvpn::BufferAllocatedType::swap
void swap(BufferAllocatedType< T_ > &other)
Swaps the contents of this BufferAllocatedType object with another BufferAllocatedType object.
Definition buffer.hpp:1799

openvpn::CipherContext
Definition cipher.hpp:28

openvpn::ConstBufferType::c_data
const T * c_data() const
Returns a const pointer to the start of the buffer.
Definition buffer.hpp:1194

openvpn::ConstBufferType::max_size
size_t max_size() const
Return the maximum allowable size value in T objects given the current offset (without considering re...
Definition buffer.hpp:1377

openvpn::ConstBufferType::size
size_t size() const
Returns the size of the buffer in T objects.
Definition buffer.hpp:1242

openvpn::ConstBufferType::data
T * data()
Get a mutable pointer to the start of the array.
Definition buffer.hpp:1450

openvpn::ConstBufferType::read_alloc
auto * read_alloc(const size_t size)
Allocate memory and read data from the buffer into the allocated memory.
Definition buffer.hpp:1343

openvpn::ConstBufferType::set_size
void set_size(const size_t size)
After an external method, operating on the array as a mutable unsigned char buffer,...
Definition buffer.hpp:1384

openvpn::ConstBufferType::reset_size
void reset_size()
Resets the size of the buffer to zero.
Definition buffer.hpp:1170

openvpn::ConstBufferType::read
void read(NCT *data, const size_t size)
Read data from the buffer into the specified memory location.
Definition buffer.hpp:1331

openvpn::DecryptCHM
Definition decrypt_chm.hpp:34

openvpn::DecryptCHM::stats
SessionStats::Ptr stats
Definition decrypt_chm.hpp:112

openvpn::DecryptCHM::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(chm_unsupported_cipher_mode)

openvpn::DecryptCHM::verify_packet_id
bool verify_packet_id(BufferAllocated &buf, const std::time_t now)
Definition decrypt_chm.hpp:115

openvpn::DecryptCHM::hmac
OvpnHMAC< CRYPTO_API > hmac
Definition decrypt_chm.hpp:110

openvpn::DecryptCHM::decrypt
Error::Type decrypt(BufferAllocated &buf, const std::time_t now)
Definition decrypt_chm.hpp:38

openvpn::DecryptCHM::cipher
CipherContext< CRYPTO_API > cipher
Definition decrypt_chm.hpp:109

openvpn::DecryptCHM::frame
Frame::Ptr frame
Definition decrypt_chm.hpp:108

openvpn::DecryptCHM::pid_recv
PacketIDDataReceive pid_recv
Definition decrypt_chm.hpp:111

openvpn::DecryptCHM::work
BufferAllocated work
Definition decrypt_chm.hpp:121

openvpn::Frame::DECRYPT_WORK
@ DECRYPT_WORK
Definition frame.hpp:34

openvpn::Frame::prepare
size_t prepare(const unsigned int context, Buffer &buf) const
Definition frame.hpp:266

openvpn::OvpnHMAC
Definition ovpnhmac.hpp:32

openvpn::PacketIDDataReceiveType< 8, 30 >

openvpn::PacketIDDataReceiveType::read_next
PacketIDData read_next(Buffer &buf) const
Definition packet_id_data.hpp:456

openvpn::PacketIDDataReceiveType::test_add
bool test_add(const PacketIDData &pin, const Time::base_type now, const SessionStats::Ptr &stats)
Definition packet_id_data.hpp:359

openvpn::RCPtr< Frame >

cipher.hpp

exception.hpp

frame.hpp

memneq.hpp

openvpn::Error::Type
Type
Definition error.hpp:22

openvpn::Error::HMAC_ERROR
@ HMAC_ERROR
Definition error.hpp:29

openvpn::Error::REPLAY_ERROR
@ REPLAY_ERROR
Definition error.hpp:30

openvpn::Error::SUCCESS
@ SUCCESS
Definition error.hpp:23

openvpn::Error::DECRYPT_ERROR
@ DECRYPT_ERROR
Definition error.hpp:28

openvpn::crypto::memneq
bool memneq(const void *a, const void *b, size_t size)
Definition memneq.hpp:79

openvpn
Definition ovpncli.cpp:97

ovpnhmac.hpp

packet_id_control.hpp

sessionstats.hpp

size.hpp

static_key.hpp

openvpn::PacketIDData
Definition packet_id_data.hpp:51