OpenVPN 3 Core Library
Loading...
Searching...
No Matches
kocrypto.hpp
Go to the documentation of this file.
1// OpenVPN -- An application to securely tunnel IP networks
2// over a single port, with support for SSL/TLS-based
3// session authentication and key exchange,
4// packet encryption, packet authentication, and
5// packet compression.
6//
7// Copyright (C) 2012- OpenVPN Inc.
8//
9// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
10//
11
12// kovpn crypto wrappers
13
14#pragma once
15
16#include <cstring> // for std::memset, std::memcpy
17#include <utility> // for std::move
18
19#include <openvpn/common/size.hpp>
20#include <openvpn/common/exception.hpp>
21#include <openvpn/common/rc.hpp>
22#include <openvpn/frame/frame.hpp>
23#include <openvpn/crypto/cryptodc.hpp>
24#include <openvpn/crypto/bs64_data_limit.hpp>
25
26namespace openvpn::KoRekey {
27
28OPENVPN_EXCEPTION(korekey_error);
29
30struct Info
31{
32 Info() = default;
33
34 Info(const CryptoDCContext::Ptr &dc_context_delegate_arg,
35 const unsigned int key_id_arg,
36 const Frame::Ptr &frame_arg)
37 : dc_context_delegate(dc_context_delegate_arg),
38 key_id(key_id_arg),
39 frame(frame_arg)
40 {
41 }
42
43 CryptoDCContext::Ptr dc_context_delegate;
44 CompressContext comp_ctx;
45 unsigned int key_id = 0;
46 int remote_peer_id = -1;
47 StaticKey encrypt_cipher;
48 StaticKey encrypt_hmac;
49 StaticKey decrypt_cipher;
50 StaticKey decrypt_hmac;
51 Frame::Ptr frame;
52};
53
54class Key
55{
56 // noncopyable because of "opk.primary = &key" below
57 Key(const Key &) = delete;
58 Key &operator=(const Key &) = delete;
59
60 public:
61 static void validate(const CryptoAlgs::Type cipher,
62 const CryptoAlgs::Type digest)
63 {
64 const CryptoAlgs::Alg &calg = CryptoAlgs::get(cipher);
65 const CryptoAlgs::Alg &halg = CryptoAlgs::get(digest);
66
67 switch (cipher)
68 {
69 case CryptoAlgs::AES_128_GCM:
70 case CryptoAlgs::AES_192_GCM:
71 case CryptoAlgs::AES_256_GCM:
72 case CryptoAlgs::AES_128_CBC:
73 case CryptoAlgs::AES_192_CBC:
74 case CryptoAlgs::AES_256_CBC:
75 case CryptoAlgs::BF_CBC:
76 case CryptoAlgs::CHACHA20_POLY1305:
77#ifdef ENABLE_OVPNDCO
78 case CryptoAlgs::NONE:
79#endif
80 break;
81 default:
82 OPENVPN_THROW(korekey_error, "cipher alg " << calg.name() << " is not currently supported by kovpn");
83 }
84
85 if (calg.mode() == CryptoAlgs::CBC_HMAC)
86 {
87 switch (digest)
88 {
89 case CryptoAlgs::SHA1:
90 case CryptoAlgs::SHA256:
91#ifdef ENABLE_OVPNDCO
92 case CryptoAlgs::NONE:
93#endif
94 break;
95 default:
96 OPENVPN_THROW(korekey_error, "HMAC alg " << halg.name() << " is not currently supported by kovpn");
97 }
98 }
99 }
100
101 Key() = default;
102
103 protected:
104 const unsigned char *verify_key(const char *title, const StaticKey &sk, const size_t size_required)
105 {
106 if (sk.size() < size_required)
107 OPENVPN_THROW(korekey_error, title << ": insufficient key material, provided=" << sk.size() << " required=" << size_required);
108 return sk.data();
109 }
110
111 void set_nonce_tail(const char *title, unsigned char *dest, const size_t dest_size, const StaticKey &src)
112 {
113 const int NONCE_TAIL_SIZE = CryptoAlgs::AEAD_NONCE_TAIL_SIZE;
114
115 const unsigned char *k = verify_key(title, src, NONCE_TAIL_SIZE);
116 if (dest_size < NONCE_TAIL_SIZE)
117 OPENVPN_THROW(korekey_error, title << ": cannot set");
118 std::memcpy(dest, k, NONCE_TAIL_SIZE);
119
120 // if dest is larger than NONCE_TAIL_SIZE, zero remaining bytes
121 if (dest_size > NONCE_TAIL_SIZE)
122 std::memset(dest + NONCE_TAIL_SIZE, 0, dest_size - NONCE_TAIL_SIZE);
123 }
124};
125} // namespace openvpn::KoRekey
126
127#ifdef ENABLE_KOVPN
128#include <openvpn/kovpn/kovpnkocrypto.hpp>
129#elif defined(ENABLE_OVPNDCO) || defined(ENABLE_OVPNDCOWIN)
130#include <openvpn/dco/ovpndcokocrypto.hpp>
131#else
132#error either ENABLE_KOVPN, ENABLE_OVPNDCO or ENABLE_OVPNDCOWIN must be defined
133#endif
bs64_data_limit.hpp
openvpn::CryptoAlgs::Alg::name
const char * name() const
Definition cryptoalgs.hpp:130
openvpn::KoRekey::Key::verify_key
const unsigned char * verify_key(const char *title, const StaticKey &sk, const size_t size_required)
Definition kocrypto.hpp:104
openvpn::KoRekey::Key::validate
static void validate(const CryptoAlgs::Type cipher, const CryptoAlgs::Type digest)
Definition kocrypto.hpp:61
openvpn::KoRekey::Key::set_nonce_tail
void set_nonce_tail(const char *title, unsigned char *dest, const size_t dest_size, const StaticKey &src)
Definition kocrypto.hpp:111
openvpn::KoRekey::Key::operator=
Key & operator=(const Key &)=delete
openvpn::KoRekey::Key::Key
Key(const Key &)=delete
openvpn::StaticKey::data
const unsigned char * data() const
Definition static_key.hpp:54
openvpn::StaticKey::size
size_t size() const
Definition static_key.hpp:50
OPENVPN_EXCEPTION
#define OPENVPN_EXCEPTION(C)
Definition exception.hpp:99
OPENVPN_THROW
#define OPENVPN_THROW(exc, stuff)
Definition exception.hpp:174
openvpn::CryptoAlgs::get
const Alg & get(const Type type)
Definition cryptoalgs.hpp:237
openvpn::KoRekey::Info::key_id
unsigned int key_id
Definition kocrypto.hpp:45
openvpn::KoRekey::Info::comp_ctx
CompressContext comp_ctx
Definition kocrypto.hpp:44
openvpn::KoRekey::Info::dc_context_delegate
CryptoDCContext::Ptr dc_context_delegate
Definition kocrypto.hpp:43
openvpn::KoRekey::Info::Info
Info(const CryptoDCContext::Ptr &dc_context_delegate_arg, const unsigned int key_id_arg, const Frame::Ptr &frame_arg)
Definition kocrypto.hpp:34