OpenVPN 3 Core Library
Loading...
Searching...
No Matches
kocrypto.hpp
Go to the documentation of this file.
1// OpenVPN -- An application to securely tunnel IP networks
2// over a single port, with support for SSL/TLS-based
3// session authentication and key exchange,
4// packet encryption, packet authentication, and
5// packet compression.
6//
7// Copyright (C) 2012- OpenVPN Inc.
8//
9// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
10//
11
12// kovpn crypto wrappers
13
14#pragma once
15
16#include <cstring> // for std::memset, std::memcpy
17#include <utility> // for std::move
18
19#include <openvpn/common/size.hpp>
20#include <openvpn/common/exception.hpp>
21#include <openvpn/common/rc.hpp>
22#include <openvpn/frame/frame.hpp>
23#include <openvpn/crypto/cryptodc.hpp>
24#include <openvpn/crypto/bs64_data_limit.hpp>
25
26namespace openvpn::KoRekey {
27
28OPENVPN_EXCEPTION(korekey_error);
29
30struct Info
31{
32 Info()
33 {
34 }
35
36 Info(const CryptoDCContext::Ptr &dc_context_delegate_arg,
37 const unsigned int key_id_arg,
38 const Frame::Ptr &frame_arg)
39 : dc_context_delegate(dc_context_delegate_arg),
40 key_id(key_id_arg),
41 frame(frame_arg)
42 {
43 }
44
45 CryptoDCContext::Ptr dc_context_delegate;
46 CompressContext comp_ctx;
47 unsigned int key_id = 0;
48 int remote_peer_id = -1;
49 StaticKey encrypt_cipher;
50 StaticKey encrypt_hmac;
51 StaticKey decrypt_cipher;
52 StaticKey decrypt_hmac;
53 Frame::Ptr frame;
54};
55
56class Key
57{
58 // noncopyable because of "opk.primary = &key" below
59 Key(const Key &) = delete;
60 Key &operator=(const Key &) = delete;
61
62 public:
63 static void validate(const CryptoAlgs::Type cipher,
64 const CryptoAlgs::Type digest)
65 {
66 const CryptoAlgs::Alg &calg = CryptoAlgs::get(cipher);
67 const CryptoAlgs::Alg &halg = CryptoAlgs::get(digest);
68
69 switch (cipher)
70 {
71 case CryptoAlgs::AES_128_GCM:
72 case CryptoAlgs::AES_192_GCM:
73 case CryptoAlgs::AES_256_GCM:
74 case CryptoAlgs::AES_128_CBC:
75 case CryptoAlgs::AES_192_CBC:
76 case CryptoAlgs::AES_256_CBC:
77 case CryptoAlgs::BF_CBC:
78 case CryptoAlgs::CHACHA20_POLY1305:
79#ifdef ENABLE_OVPNDCO
80 case CryptoAlgs::NONE:
81#endif
82 break;
83 default:
84 OPENVPN_THROW(korekey_error, "cipher alg " << calg.name() << " is not currently supported by kovpn");
85 }
86
87 if (calg.mode() == CryptoAlgs::CBC_HMAC)
88 {
89 switch (digest)
90 {
91 case CryptoAlgs::SHA1:
92 case CryptoAlgs::SHA256:
93#ifdef ENABLE_OVPNDCO
94 case CryptoAlgs::NONE:
95#endif
96 break;
97 default:
98 OPENVPN_THROW(korekey_error, "HMAC alg " << halg.name() << " is not currently supported by kovpn");
99 }
100 }
101 }
102
103 Key()
104 {
105 }
106
107 protected:
108 const unsigned char *verify_key(const char *title, const StaticKey &sk, const size_t size_required)
109 {
110 if (sk.size() < size_required)
111 OPENVPN_THROW(korekey_error, title << ": insufficient key material, provided=" << sk.size() << " required=" << size_required);
112 return sk.data();
113 }
114
115 void set_nonce_tail(const char *title, unsigned char *dest, const size_t dest_size, const StaticKey &src)
116 {
117 const int NONCE_TAIL_SIZE = CryptoAlgs::AEAD_NONCE_TAIL_SIZE;
118
119 const unsigned char *k = verify_key(title, src, NONCE_TAIL_SIZE);
120 if (dest_size < NONCE_TAIL_SIZE)
121 OPENVPN_THROW(korekey_error, title << ": cannot set");
122 std::memcpy(dest, k, NONCE_TAIL_SIZE);
123
124 // if dest is larger than NONCE_TAIL_SIZE, zero remaining bytes
125 if (dest_size > NONCE_TAIL_SIZE)
126 std::memset(dest + NONCE_TAIL_SIZE, 0, dest_size - NONCE_TAIL_SIZE);
127 }
128};
129} // namespace openvpn::KoRekey
130
131#ifdef ENABLE_KOVPN
132#include <openvpn/kovpn/kovpnkocrypto.hpp>
133#elif defined(ENABLE_OVPNDCO) || defined(ENABLE_OVPNDCOWIN)
134#include <openvpn/dco/ovpndcokocrypto.hpp>
135#else
136#error either ENABLE_KOVPN, ENABLE_OVPNDCO or ENABLE_OVPNDCOWIN must be defined
137#endif
bs64_data_limit.hpp
openvpn::CryptoAlgs::Alg::name
const char * name() const
Definition cryptoalgs.hpp:130
openvpn::KoRekey::Key::verify_key
const unsigned char * verify_key(const char *title, const StaticKey &sk, const size_t size_required)
Definition kocrypto.hpp:108
openvpn::KoRekey::Key::validate
static void validate(const CryptoAlgs::Type cipher, const CryptoAlgs::Type digest)
Definition kocrypto.hpp:63
openvpn::KoRekey::Key::set_nonce_tail
void set_nonce_tail(const char *title, unsigned char *dest, const size_t dest_size, const StaticKey &src)
Definition kocrypto.hpp:115
openvpn::KoRekey::Key::operator=
Key & operator=(const Key &)=delete
openvpn::KoRekey::Key::Key
Key(const Key &)=delete
openvpn::StaticKey::data
const unsigned char * data() const
Definition static_key.hpp:54
openvpn::StaticKey::size
size_t size() const
Definition static_key.hpp:50
OPENVPN_EXCEPTION
#define OPENVPN_EXCEPTION(C)
Definition exception.hpp:100
OPENVPN_THROW
#define OPENVPN_THROW(exc, stuff)
Definition exception.hpp:175
openvpn::CryptoAlgs::get
const Alg & get(const Type type)
Definition cryptoalgs.hpp:237
openvpn::KoRekey::Info::key_id
unsigned int key_id
Definition kocrypto.hpp:47
openvpn::KoRekey::Info::comp_ctx
CompressContext comp_ctx
Definition kocrypto.hpp:46
openvpn::KoRekey::Info::dc_context_delegate
CryptoDCContext::Ptr dc_context_delegate
Definition kocrypto.hpp:45
openvpn::KoRekey::Info::Info
Info(const CryptoDCContext::Ptr &dc_context_delegate_arg, const unsigned int key_id_arg, const Frame::Ptr &frame_arg)
Definition kocrypto.hpp:36