#include "syshead.h"#include "crypto.h"#include "error.h"#include "integer.h"#include "platform.h"#include "memdbg.h"
Go to the source code of this file.
Macros | |
| #define | PARSE_INITIAL 0 |
| #define | PARSE_HEAD 1 |
| #define | PARSE_DATA 2 |
| #define | PARSE_DATA_COMPLETE 3 |
| #define | PARSE_FOOT 4 |
| #define | PARSE_FINISHED 5 |
Functions | |
| static void | openvpn_encrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| static void | openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| void | openvpn_encrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote OpenVPN peer. More... | |
| bool | crypto_check_replay (struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc) |
| Check packet ID for replay, and perform replay administration. More... | |
| static bool | openvpn_decrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets. More... | |
| static bool | openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame) |
| bool | openvpn_decrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer. More... | |
| void | crypto_adjust_frame_parameters (struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form) |
| Calculate crypto overhead and adjust frame to account for that. More... | |
| unsigned int | crypto_max_overhead (void) |
| Return the worst-case OpenVPN crypto overhead (in bytes) More... | |
| static void | warn_insecure_key_type (const char *ciphername, const cipher_kt_t *cipher) |
| void | init_key_type (struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn) |
| Initialize a key_type structure with. More... | |
| void | init_key_ctx (struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix) |
| void | init_key_ctx_bi (struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) |
| void | free_key_ctx (struct key_ctx *ctx) |
| void | free_key_ctx_bi (struct key_ctx_bi *ctx) |
| static bool | key_is_zero (struct key *key, const struct key_type *kt) |
| bool | check_key (struct key *key, const struct key_type *kt) |
| void | fixup_key (struct key *key, const struct key_type *kt) |
| void | check_replay_consistency (const struct key_type *kt, bool packet_id) |
| void | generate_key_random (struct key *key, const struct key_type *kt) |
| void | key2_print (const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) |
| void | test_crypto (struct crypto_options *co, struct frame *frame) |
| const char * | print_key_filename (const char *str, bool is_inline) |
| To be used when printing a string that may contain inline data. More... | |
| void | crypto_read_openvpn_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name) |
| void | read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
| int | write_key_file (const int nkeys, const char *filename) |
| Write nkeys 1024-bits keys to file. More... | |
| void | must_have_n_keys (const char *filename, const char *option, const struct key2 *key2, int n) |
| int | ascii2keydirection (int msglevel, const char *str) |
| const char * | keydirection2ascii (int kd, bool remote, bool humanreadable) |
| void | key_direction_state_init (struct key_direction_state *kds, int key_direction) |
| void | verify_fix_key2 (struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) |
| bool | write_key (const struct key *key, const struct key_type *kt, struct buffer *buf) |
| int | read_key (struct key *key, const struct key_type *kt, struct buffer *buf) |
| static void | prng_reset_nonce (void) |
| void | prng_init (const char *md_name, const int nonce_secret_len_parm) |
| Pseudo-random number generator initialisation. More... | |
| void | prng_uninit (void) |
| void | prng_bytes (uint8_t *output, int len) |
| long int | get_random (void) |
| void | print_cipher (const cipher_kt_t *cipher) |
| Print a cipher list entry. More... | |
| static const cipher_name_pair * | get_cipher_name_pair (const char *cipher_name) |
| const char * | translate_cipher_name_from_openvpn (const char *cipher_name) |
| Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file 'language'. More... | |
| const char * | translate_cipher_name_to_openvpn (const char *cipher_name) |
| Translate a crypto library cipher name to an OpenVPN cipher name. More... | |
| void | write_pem_key_file (const char *filename, const char *pem_name) |
| Generate a server key with enough randomness to fill a key struct and write to file. More... | |
| bool | generate_ephemeral_key (struct buffer *key, const char *key_name) |
| Generate ephermal key material into the key structure. More... | |
| bool | read_pem_key_file (struct buffer *key, const char *pem_name, const char *key_file, bool key_inline) |
| Read key material from a PEM encoded files into the key structure. More... | |
Variables | |
| static const char | static_key_head [] = "-----BEGIN OpenVPN Static key V1-----" |
| static const char | static_key_foot [] = "-----END OpenVPN Static key V1-----" |
| static const char | printable_char_fmt [] |
| static const char | unprintable_char_fmt [] |
| static uint8_t * | nonce_data = NULL |
| static const md_kt_t * | nonce_md = NULL |
| static int | nonce_secret_len = 0 |
Macro Definition Documentation
◆ PARSE_DATA
| #define PARSE_DATA 2 |
Referenced by read_key_file().
◆ PARSE_DATA_COMPLETE
| #define PARSE_DATA_COMPLETE 3 |
Referenced by read_key_file().
◆ PARSE_FINISHED
| #define PARSE_FINISHED 5 |
Referenced by read_key_file().
◆ PARSE_FOOT
| #define PARSE_FOOT 4 |
Referenced by read_key_file().
◆ PARSE_HEAD
| #define PARSE_HEAD 1 |
Referenced by read_key_file().
◆ PARSE_INITIAL
| #define PARSE_INITIAL 0 |
Referenced by read_key_file().
Function Documentation
◆ ascii2keydirection()
| int ascii2keydirection | ( | int | msglevel, |
| const char * | str | ||
| ) |
Definition at line 1505 of file crypto.c.
References KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, and msg.
Referenced by add_option().
◆ check_key()
Definition at line 929 of file crypto.c.
References key_type::cipher, key::cipher, key_type::cipher_length, key_des_check(), key_des_num_cblocks(), and key_is_zero().
Referenced by generate_key_expansion(), generate_key_random(), and verify_fix_key2().
◆ check_replay_consistency()
| void check_replay_consistency | ( | const struct key_type * | kt, |
| bool | packet_id | ||
| ) |
Definition at line 999 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_mode_aead(), cipher_kt_mode_ofb_cfb(), M_FATAL, and msg.
Referenced by do_init_crypto_static(), and do_init_crypto_tls().
◆ crypto_adjust_frame_parameters()
| void crypto_adjust_frame_parameters | ( | struct frame * | frame, |
| const struct key_type * | kt, | ||
| bool | packet_id, | ||
| bool | packet_id_long_form | ||
| ) |
Calculate crypto overhead and adjust frame to account for that.
Definition at line 682 of file crypto.c.
References key_type::cipher, cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_mode_aead(), cipher_kt_tag_size(), D_MTU_DEBUG, frame_add_to_extra_frame(), key_type::hmac_length, msg, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls(), and tls_session_update_crypto_params().
◆ crypto_check_replay()
| bool crypto_check_replay | ( | struct crypto_options * | opt, |
| const struct packet_id_net * | pin, | ||
| const char * | error_prefix, | ||
| struct gc_arena * | gc | ||
| ) |
Check packet ID for replay, and perform replay administration.
- Parameters
-
opt Crypto options for this packet, contains replay state. pin Packet ID read from packet. error_prefix Prefix to use when printing error messages. gc Garbage collector to use.
- Returns
- true if packet ID is validated to be not a replay, false otherwise.
Definition at line 319 of file crypto.c.
References CO_MUTE_REPLAY_WARNINGS, CO_PACKET_ID_LONG_FORM, D_REPLAY_ERRORS, crypto_options::flags, msg, crypto_options::packet_id, packet_id_add(), packet_id_net_print(), packet_id_persist_save_obj(), packet_id_reap_test(), packet_id_test(), crypto_options::pid_persist, and packet_id::rec.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), and tls_crypt_unwrap().
◆ crypto_max_overhead()
| unsigned int crypto_max_overhead | ( | void | ) |
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition at line 716 of file crypto.c.
References max_int(), OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, OPENVPN_MAX_IV_LENGTH, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_tls(), and tls_session_update_crypto_params().
◆ crypto_read_openvpn_key()
| void crypto_read_openvpn_key | ( | const struct key_type * | key_type, |
| struct key_ctx_bi * | ctx, | ||
| const char * | key_file, | ||
| bool | key_inline, | ||
| const int | key_direction, | ||
| const char * | key_name, | ||
| const char * | opt_name | ||
| ) |
Definition at line 1179 of file crypto.c.
References flags, init_key_ctx_bi(), key_direction_state_init(), M_ERR, msg, must_have_n_keys(), key2::n, key_direction_state::need_keys, print_key_filename(), read_key_file(), RKF_INLINE, RKF_MUST_SUCCEED, secure_memzero(), and verify_fix_key2().
Referenced by do_init_crypto_static(), do_init_tls_wrap_key(), and tls_crypt_init_key().
◆ fixup_key()
Definition at line 968 of file crypto.c.
References check_debug_level(), key_type::cipher, key::cipher, key_type::cipher_length, D_CRYPTO_DEBUG, dmsg, format_hex(), gc_free(), gc_new(), key_des_fixup(), and key_des_num_cblocks().
Referenced by generate_key_expansion_openvpn_prf(), generate_key_random(), and verify_fix_key2().
◆ free_key_ctx()
| void free_key_ctx | ( | struct key_ctx * | ctx | ) |
Definition at line 887 of file crypto.c.
References key_ctx::cipher, cipher_ctx_free(), key_ctx::hmac, hmac_ctx_cleanup(), hmac_ctx_free(), and key_ctx::implicit_iv_len.
Referenced by auth_token_fail_invalid_key(), auth_token_test_key_load(), auth_token_test_random_keys(), do_close_free_key_schedule(), free_key_ctx_bi(), teardown(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_write_client_key_file().
◆ free_key_ctx_bi()
| void free_key_ctx_bi | ( | struct key_ctx_bi * | ctx | ) |
Definition at line 904 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, and free_key_ctx().
Referenced by do_close_free_key_schedule(), key_schedule_free(), key_state_free(), test_tls_crypt_teardown(), test_tls_crypt_v2_teardown(), tls_crypt_v2_wrap_unwrap_wrong_key(), tls_crypt_v2_write_client_key_file(), tls_pre_decrypt_lite(), and tls_wrap_free().
◆ generate_ephemeral_key()
| bool generate_ephemeral_key | ( | struct buffer * | key, |
| const char * | pem_name | ||
| ) |
Generate ephermal key material into the key structure.
- Parameters
-
key the key structure that will hold the key material pem_name the name used for logging
- Returns
- true if key generation was successful
Definition at line 1899 of file crypto.c.
References BCAP, BEND, buf_inc_len(), buffer::len, M_INFO, M_WARN, msg, and rand_bytes().
Referenced by auth_token_init_secret().
◆ generate_key_random()
Definition at line 1015 of file crypto.c.
References check_key(), key_type::cipher, key::cipher, key_type::cipher_length, CLEAR, D_SHOW_KEY_SOURCE, key_type::digest, dmsg, fixup_key(), format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, M_FATAL, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, msg, and rand_bytes().
Referenced by write_key_file().
◆ get_cipher_name_pair()
|
static |
Definition at line 1814 of file crypto.c.
References cipher_name_translation_table, cipher_name_translation_table_count, cipher_name_pair::lib_name, and cipher_name_pair::openvpn_name.
Referenced by translate_cipher_name_from_openvpn(), and translate_cipher_name_to_openvpn().
◆ get_random()
| long int get_random | ( | void | ) |
Definition at line 1775 of file crypto.c.
Referenced by check_send_occ_msg_dowork(), check_timeout_random_component_dowork(), do_init_crypto_tls(), fragment_init(), gen_nonce(), hash_iterator_delete_element(), init_connection_list(), multi_init(), packet_id_add(), platform_create_temp_file(), route_quota_exceeded(), and schedule_remove_entry().
◆ init_key_ctx()
| void init_key_ctx | ( | struct key_ctx * | ctx, |
| const struct key * | key, | ||
| const struct key_type * | kt, | ||
| int | enc, | ||
| const char * | prefix | ||
| ) |
Definition at line 819 of file crypto.c.
References key_type::cipher, key::cipher, key_ctx::cipher, cipher_ctx_init(), cipher_ctx_new(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_name(), key_type::cipher_length, CLEAR, D_CRYPTO_DEBUG, D_HANDSHAKE, D_SHOW_KEYS, key_type::digest, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_ctx::hmac, hmac_ctx_init(), hmac_ctx_new(), hmac_ctx_size(), key_type::hmac_length, md_kt_name(), md_kt_size(), msg, and warn_insecure_key_type().
Referenced by auth_token_fail_invalid_key(), auth_token_init_secret(), init_key_ctx_bi(), setup(), test_tls_crypt_setup(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_init_server_key().
◆ init_key_ctx_bi()
| void init_key_ctx_bi | ( | struct key_ctx_bi * | ctx, |
| const struct key2 * | key2, | ||
| int | key_direction, | ||
| const struct key_type * | kt, | ||
| const char * | name | ||
| ) |
Definition at line 867 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_direction_state::in_key, init_key_ctx(), key_ctx_bi::initialized, key_direction_state_init(), key2::keys, OPENVPN_OP_DECRYPT, OPENVPN_OP_ENCRYPT, openvpn_snprintf(), and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_key_contexts(), test_tls_crypt_v2_setup(), tls_crypt_v2_load_client_key(), and tls_crypt_v2_wrap_unwrap_wrong_key().
◆ init_key_type()
| void init_key_type | ( | struct key_type * | kt, |
| const char * | ciphername, | ||
| const char * | authname, | ||
| bool | tls_mode, | ||
| bool | warn | ||
| ) |
Initialize a key_type structure with.
- Parameters
-
kt The struct key_type to initialize ciphername The name of the cipher to use authname The name of the HMAC digest to use tls_mode Specifies whether we are running in TLS mode, which allows more ciphers than static key mode. warn Print warnings when null cipher / auth is used.
Definition at line 741 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_block_size(), cipher_kt_get(), cipher_kt_key_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), key_type::cipher_length, CLEAR, key_type::digest, ENABLE_OFB_CFB_MODE, key_type::hmac_length, M_FATAL, M_WARN, md_kt_get(), md_kt_size(), msg, OPENVPN_MAX_CIPHER_BLOCK_SIZE, and warn_insecure_key_type().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls_c1(), options_string(), and tls_session_update_crypto_params().
◆ key2_print()
| void key2_print | ( | const struct key2 * | k, |
| const struct key_type * | kt, | ||
| const char * | prefix0, | ||
| const char * | prefix1 | ||
| ) |
Definition at line 1059 of file crypto.c.
References ASSERT, key::cipher, key_type::cipher_length, D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, key2::keys, and key2::n.
Referenced by generate_key_expansion().
◆ key_direction_state_init()
| void key_direction_state_init | ( | struct key_direction_state * | kds, |
| int | key_direction | ||
| ) |
Definition at line 1557 of file crypto.c.
References ASSERT, CLEAR, key_direction_state::in_key, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, key_direction_state::need_keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), and init_key_ctx_bi().
◆ key_is_zero()
Definition at line 911 of file crypto.c.
References key::cipher, key_type::cipher_length, D_CRYPT_ERRORS, and msg.
Referenced by check_key().
◆ keydirection2ascii()
| const char* keydirection2ascii | ( | int | kd, |
| bool | remote, | ||
| bool | humanreadable | ||
| ) |
Definition at line 1528 of file crypto.c.
References ASSERT, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, and KEY_DIRECTION_NORMAL.
Referenced by options_string(), show_connection_entry(), and show_settings().
◆ must_have_n_keys()
| void must_have_n_keys | ( | const char * | filename, |
| const char * | option, | ||
| const struct key2 * | key2, | ||
| int | n | ||
| ) |
◆ openvpn_decrypt_aead()
|
static |
Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets.
Set buf->len to 0 and return false on decrypt error.
On success, buf is set to point to plaintext, true is returned.
Definition at line 356 of file crypto.c.
References ASSERT, BLEN, BPTR, buf_advance(), buf_inc_len(), buf_init, buf_safe(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final_check_tag(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), cipher_kt_mode_aead(), cipher_kt_tag_size(), CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, buffer::data, key_ctx_bi::decrypt, dmsg, format_hex(), FRAME_HEADROOM_ADJ, FRAME_HEADROOM_MARKER_DECRYPT, gc_free(), gc_init(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_decrypt_v1()
|
static |
Definition at line 491 of file crypto.c.
References ASSERT, BLEN, BOOL_CAST, BPTR, buf_advance(), buf_inc_len(), buf_init, buf_safe(), buf_set_read(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), CO_IGNORE_PACKET_ID, CO_PACKET_ID_LONG_FORM, CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, key_ctx_bi::decrypt, dmsg, crypto_options::flags, format_hex(), FRAME_HEADROOM_ADJ, FRAME_HEADROOM_MARKER_DECRYPT, gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, MAX_HMAC_KEY_LENGTH, memcmp_constant_time(), OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_encrypt_aead()
|
static |
Definition at line 64 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_get_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), cipher_kt_mode_aead(), cipher_kt_tag_size(), crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, format_hex(), gc_free(), gc_init(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_AEAD_MIN_IV_LEN, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ openvpn_encrypt_v1()
|
static |
Definition at line 157 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_prepend(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buf_write_prepend(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_kt_mode(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), CO_PACKET_ID_LONG_FORM, crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, crypto_options::flags, format_hex(), gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_MAX_IV_LENGTH, OPENVPN_MODE_CBC, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), prng_bytes(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ print_cipher()
| void print_cipher | ( | const cipher_kt_t * | cipher | ) |
Print a cipher list entry.
Definition at line 1787 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_key_size(), cipher_kt_mode_cbc(), cipher_kt_name(), and cipher_kt_var_key_size().
Referenced by show_available_ciphers().
◆ print_key_filename()
| const char* print_key_filename | ( | const char * | str, |
| bool | is_inline | ||
| ) |
To be used when printing a string that may contain inline data.
If "is_inline" is true, return the inline tag. If "is_inline" is false and "str" is not NULL, return "str". Return the constant string "[NULL]" otherwise.
- Parameters
-
str the original string to return when is_inline is false is_inline true when str contains an inline data of some sort
Definition at line 1168 of file crypto.c.
References np().
Referenced by backend_tls_ctx_reload_crl(), crypto_read_openvpn_key(), key_ctx_bi_defined(), read_key_file(), tls_ctx_load_ca(), tls_ctx_load_dh_params(), tls_ctx_load_extra_certs(), and tls_ctx_load_priv_file().
◆ prng_bytes()
| void prng_bytes | ( | uint8_t * | output, |
| int | len | ||
| ) |
Definition at line 1743 of file crypto.c.
References ASSERT, md_full(), md_kt_size(), min_int(), nonce_data, nonce_md, nonce_secret_len, PRNG_NONCE_RESET_BYTES, prng_reset_nonce(), and rand_bytes().
Referenced by get_random(), hostname_randomize(), init_static(), openvpn_encrypt_v1(), schedule_remove_entry(), and session_id_random().
◆ prng_init()
| void prng_init | ( | const char * | md_name, |
| const int | nonce_secret_len_parm | ||
| ) |
Pseudo-random number generator initialisation.
(see prng_rand_bytes())
- Parameters
-
md_name Name of the message digest to use nonce_secret_len_param Length of the nonce to use
Definition at line 1715 of file crypto.c.
References ASSERT, check_malloc_return(), D_CRYPTO_DEBUG, dmsg, malloc, md_kt_get(), md_kt_name(), md_kt_size(), nonce_data, nonce_md, nonce_secret_len, NONCE_SECRET_LEN_MAX, NONCE_SECRET_LEN_MIN, prng_reset_nonce(), and prng_uninit().
Referenced by do_init_crypto_tls_c1(), and init_static().
◆ prng_reset_nonce()
|
static |
Definition at line 1694 of file crypto.c.
References M_FATAL, md_kt_size(), msg, nonce_data, nonce_md, nonce_secret_len, and rand_bytes().
Referenced by prng_bytes(), and prng_init().
◆ prng_uninit()
| void prng_uninit | ( | void | ) |
Definition at line 1734 of file crypto.c.
References free, nonce_data, nonce_md, and nonce_secret_len.
Referenced by free_ssl_lib(), init_static(), and prng_init().
◆ read_key()
Definition at line 1639 of file crypto.c.
References buf_read(), key::cipher, key_type::cipher_length, CLEAR, D_TLS_ERRORS, key::hmac, key_type::hmac_length, and msg.
◆ read_key_file()
| void read_key_file | ( | struct key2 * | key2, |
| const char * | file, | ||
| const unsigned int | flags | ||
| ) |
Definition at line 1226 of file crypto.c.
References ASSERT, buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), CLEAR, buffer::data, format_hex_ex(), gc_free(), gc_new(), key2::keys, buffer::len, M_FATAL, M_INFO, msg, key2::n, PARSE_DATA, PARSE_DATA_COMPLETE, PARSE_FINISHED, PARSE_FOOT, PARSE_HEAD, PARSE_INITIAL, print_key_filename(), printable_char_fmt, RKF_INLINE, RKF_MUST_SUCCEED, SIZE, static_key_foot, static_key_head, and unprintable_char_fmt.
Referenced by crypto_read_openvpn_key().
◆ read_pem_key_file()
| bool read_pem_key_file | ( | struct buffer * | key, |
| const char * | pem_name, | ||
| const char * | key_file, | ||
| bool | key_inline | ||
| ) |
Read key material from a PEM encoded files into the key structure.
- Parameters
-
key the key structure that will hold the key material pem_name the name used in the pem encoding start/end lines key_file name of the file to read or the key itself if key_inline is true key_inline True if key_file contains an inline key, False otherwise.
- Returns
- true if reading into key was successful
Definition at line 1917 of file crypto.c.
References buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), crypto_pem_decode(), gc_free(), gc_new(), M_WARN, and msg.
Referenced by auth_token_init_secret(), tls_crypt_v2_init_client_key(), and tls_crypt_v2_init_server_key().
◆ test_crypto()
| void test_crypto | ( | struct crypto_options * | co, |
| struct frame * | frame | ||
| ) |
Definition at line 1082 of file crypto.c.
References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_init, BUF_SIZE, buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_get_cipher_kt(), cipher_kt_iv_size(), cipher_kt_mode_aead(), clear_buf(), key_ctx_bi::decrypt, key_ctx_bi::encrypt, FRAME_HEADROOM, gc_free(), gc_new(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, M_FATAL, M_INFO, msg, OPENVPN_AEAD_MIN_IV_LEN, openvpn_decrypt(), openvpn_encrypt(), OPENVPN_MAX_IV_LENGTH, PACKAGE_NAME, rand_bytes(), TUN_MTU_SIZE, and update_time().
Referenced by show_settings(), and test_crypto_thread().
◆ translate_cipher_name_from_openvpn()
| const char * translate_cipher_name_from_openvpn | ( | const char * | cipher_name | ) |
Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file 'language'.
Translate a data channel cipher name from the OpenVPN config file 'language' to the crypto library specific name.
Translate an OpenVPN cipher name to a crypto library cipher name.
- Parameters
-
cipher_name An OpenVPN cipher name
- Returns
- The corresponding crypto library cipher name, or NULL if no matching cipher name was found.
Definition at line 1835 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::lib_name.
Referenced by cipher_kt_block_size(), and cipher_kt_get().
◆ translate_cipher_name_to_openvpn()
| const char* translate_cipher_name_to_openvpn | ( | const char * | cipher_name | ) |
Translate a crypto library cipher name to an OpenVPN cipher name.
- Parameters
-
cipher_name A crypto library cipher name
- Returns
- The corresponding OpenVPN cipher name, or NULL if no matching cipher name was found.
Definition at line 1848 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.
Referenced by cipher_kt_block_size(), cipher_kt_name(), and multi_print_status().
◆ verify_fix_key2()
| void verify_fix_key2 | ( | struct key2 * | key2, |
| const struct key_type * | kt, | ||
| const char * | shared_secret_file | ||
| ) |
Definition at line 1586 of file crypto.c.
References check_key(), fixup_key(), key2::keys, M_FATAL, msg, and key2::n.
Referenced by crypto_read_openvpn_key().
◆ warn_insecure_key_type()
|
static |
Definition at line 724 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_insecure(), M_WARN, and msg.
Referenced by init_key_ctx(), and init_key_type().
◆ write_key()
Definition at line 1606 of file crypto.c.
References ASSERT, buf_write(), key::cipher, key_type::cipher_length, key::hmac, key_type::hmac_length, MAX_CIPHER_KEY_LENGTH, and MAX_HMAC_KEY_LENGTH.
◆ write_key_file()
| int write_key_file | ( | const int | nkeys, |
| const char * | filename | ||
| ) |
Write nkeys 1024-bits keys to file.
- Returns
- number of random bits written, or -1 on failure.
Definition at line 1429 of file crypto.c.
References alloc_buf_gc(), BLEN, BPTR, buf_clear(), buf_printf(), buffer_write_file(), format_hex_ex(), gc_free(), gc_new(), generate_key_random(), secure_memzero(), static_key_foot, and static_key_head.
Referenced by do_genkey().
◆ write_pem_key_file()
| void write_pem_key_file | ( | const char * | filename, |
| const char * | key_name | ||
| ) |
Generate a server key with enough randomness to fill a key struct and write to file.
- Parameters
-
filename Filename of the server key file to create. pem_name The name to use in the PEM header/footer.
Definition at line 1861 of file crypto.c.
References BLEN, BPTR, buf_clear(), buf_set_read(), buffer_write_file(), clear_buf(), crypto_pem_encode(), gc_free(), gc_new(), M_ERR, M_NONFATAL, M_WARN, msg, rand_bytes(), and secure_memzero().
Referenced by auth_token_write_server_key_file(), and tls_crypt_v2_write_server_key_file().
Variable Documentation
◆ nonce_data
|
static |
Definition at line 1688 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ nonce_md
|
static |
Definition at line 1689 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ nonce_secret_len
|
static |
Definition at line 1690 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ printable_char_fmt
|
static |
Definition at line 1217 of file crypto.c.
Referenced by read_key_file().
◆ static_key_foot
|
static |
Definition at line 1215 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ static_key_head
|
static |
Definition at line 1214 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ unprintable_char_fmt
|
static |
Definition at line 1220 of file crypto.c.
Referenced by read_key_file().
