#include "syshead.h"#include "crypto.h"#include "error.h"#include "integer.h"#include "platform.h"#include "memdbg.h"
Go to the source code of this file.
Macros | |
| #define | PARSE_INITIAL 0 |
| #define | PARSE_HEAD 1 |
| #define | PARSE_DATA 2 |
| #define | PARSE_DATA_COMPLETE 3 |
| #define | PARSE_FOOT 4 |
| #define | PARSE_FINISHED 5 |
Functions | |
| static void | openvpn_encrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| static void | openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| void | openvpn_encrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote OpenVPN peer. More... | |
| bool | crypto_check_replay (struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc) |
| Check packet ID for replay, and perform replay administration. More... | |
| static bool | openvpn_decrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets. More... | |
| static bool | openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame) |
| bool | openvpn_decrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer. More... | |
| void | crypto_adjust_frame_parameters (struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form) |
| Calculate crypto overhead and adjust frame to account for that. More... | |
| unsigned int | crypto_max_overhead (void) |
| Return the worst-case OpenVPN crypto overhead (in bytes) More... | |
| void | init_key_type (struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn) |
| Initialize a key_type structure with. More... | |
| void | init_key_ctx (struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix) |
| void | init_key_ctx_bi (struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) |
| void | free_key_ctx (struct key_ctx *ctx) |
| void | free_key_ctx_bi (struct key_ctx_bi *ctx) |
| static bool | key_is_zero (struct key *key, const struct key_type *kt) |
| bool | check_key (struct key *key, const struct key_type *kt) |
| void | fixup_key (struct key *key, const struct key_type *kt) |
| void | check_replay_consistency (const struct key_type *kt, bool packet_id) |
| void | generate_key_random (struct key *key, const struct key_type *kt) |
| void | key2_print (const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) |
| void | test_crypto (struct crypto_options *co, struct frame *frame) |
| void | crypto_read_openvpn_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name) |
| void | read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
| int | write_key_file (const int nkeys, const char *filename) |
| Write nkeys 1024-bits keys to file. More... | |
| void | must_have_n_keys (const char *filename, const char *option, const struct key2 *key2, int n) |
| int | ascii2keydirection (int msglevel, const char *str) |
| const char * | keydirection2ascii (int kd, bool remote, bool humanreadable) |
| void | key_direction_state_init (struct key_direction_state *kds, int key_direction) |
| void | verify_fix_key2 (struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) |
| bool | write_key (const struct key *key, const struct key_type *kt, struct buffer *buf) |
| int | read_key (struct key *key, const struct key_type *kt, struct buffer *buf) |
| static void | prng_reset_nonce (void) |
| void | prng_init (const char *md_name, const int nonce_secret_len_parm) |
| Pseudo-random number generator initialisation. More... | |
| void | prng_uninit (void) |
| void | prng_bytes (uint8_t *output, int len) |
| long int | get_random (void) |
| void | print_cipher (const cipher_kt_t *cipher) |
| Print a cipher list entry. More... | |
| static const cipher_name_pair * | get_cipher_name_pair (const char *cipher_name) |
| const char * | translate_cipher_name_from_openvpn (const char *cipher_name) |
| Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file 'language'. More... | |
| const char * | translate_cipher_name_to_openvpn (const char *cipher_name) |
| Translate a crypto library cipher name to an OpenVPN cipher name. More... | |
| void | write_pem_key_file (const char *filename, const char *pem_name) |
| Generate a server key with enough randomness to fill a key struct and write to file. More... | |
| bool | read_pem_key_file (struct buffer *key, const char *pem_name, const char *key_file, const char *key_inline) |
| Read key material from a PEM encoded files into the key structure. More... | |
Variables | |
| static const char | static_key_head [] = "-----BEGIN OpenVPN Static key V1-----" |
| static const char | static_key_foot [] = "-----END OpenVPN Static key V1-----" |
| static const char | printable_char_fmt [] |
| static const char | unprintable_char_fmt [] |
| static uint8_t * | nonce_data = NULL |
| static const md_kt_t * | nonce_md = NULL |
| static int | nonce_secret_len = 0 |
Macro Definition Documentation
◆ PARSE_DATA
| #define PARSE_DATA 2 |
Referenced by read_key_file().
◆ PARSE_DATA_COMPLETE
| #define PARSE_DATA_COMPLETE 3 |
Referenced by read_key_file().
◆ PARSE_FINISHED
| #define PARSE_FINISHED 5 |
Referenced by read_key_file().
◆ PARSE_FOOT
| #define PARSE_FOOT 4 |
Referenced by read_key_file().
◆ PARSE_HEAD
| #define PARSE_HEAD 1 |
Referenced by read_key_file().
◆ PARSE_INITIAL
| #define PARSE_INITIAL 0 |
Referenced by read_key_file().
Function Documentation
◆ ascii2keydirection()
| int ascii2keydirection | ( | int | msglevel, |
| const char * | str | ||
| ) |
Definition at line 1497 of file crypto.c.
References KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, and msg.
Referenced by add_option().
◆ check_key()
Definition at line 937 of file crypto.c.
References key_type::cipher, key::cipher, key_type::cipher_length, key_des_check(), key_des_num_cblocks(), and key_is_zero().
Referenced by generate_key_expansion(), generate_key_random(), key_method_1_read(), key_method_1_write(), and verify_fix_key2().
◆ check_replay_consistency()
Definition at line 1007 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_mode_aead(), cipher_kt_mode_ofb_cfb(), M_FATAL, and msg.
Referenced by do_init_crypto_static(), and do_init_crypto_tls().
◆ crypto_adjust_frame_parameters()
| void crypto_adjust_frame_parameters | ( | struct frame * | frame, |
| const struct key_type * | kt, | ||
| bool | packet_id, | ||
| bool | packet_id_long_form | ||
| ) |
Calculate crypto overhead and adjust frame to account for that.
Definition at line 698 of file crypto.c.
References key_type::cipher, cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_mode_aead(), cipher_kt_tag_size(), D_MTU_DEBUG, frame_add_to_extra_frame(), key_type::hmac_length, msg, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls(), and tls_session_update_crypto_params().
◆ crypto_check_replay()
| bool crypto_check_replay | ( | struct crypto_options * | opt, |
| const struct packet_id_net * | pin, | ||
| const char * | error_prefix, | ||
| struct gc_arena * | gc | ||
| ) |
Check packet ID for replay, and perform replay administration.
- Parameters
-
opt Crypto options for this packet, contains replay state. pin Packet ID read from packet. error_prefix Prefix to use when printing error messages. gc Garbage collector to use.
- Returns
- true if packet ID is validated to be not a replay, false otherwise.
Definition at line 323 of file crypto.c.
References CO_MUTE_REPLAY_WARNINGS, CO_PACKET_ID_LONG_FORM, D_REPLAY_ERRORS, crypto_options::flags, msg, crypto_options::packet_id, packet_id_add(), packet_id_net_print(), packet_id_persist_save_obj(), packet_id_reap_test(), packet_id_test(), crypto_options::pid_persist, and packet_id::rec.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), and tls_crypt_unwrap().
◆ crypto_max_overhead()
| unsigned int crypto_max_overhead | ( | void | ) |
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition at line 732 of file crypto.c.
References max_int(), OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, OPENVPN_MAX_IV_LENGTH, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_tls(), and tls_session_update_crypto_params().
◆ crypto_read_openvpn_key()
| void crypto_read_openvpn_key | ( | const struct key_type * | key_type, |
| struct key_ctx_bi * | ctx, | ||
| const char * | key_file, | ||
| const char * | key_inline, | ||
| const int | key_direction, | ||
| const char * | key_name, | ||
| const char * | opt_name | ||
| ) |
Definition at line 1178 of file crypto.c.
References init_key_ctx_bi(), key_direction_state_init(), M_ERR, msg, must_have_n_keys(), key2::n, key_direction_state::need_keys, read_key_file(), RKF_INLINE, RKF_MUST_SUCCEED, secure_memzero(), and verify_fix_key2().
Referenced by do_init_crypto_static(), do_init_tls_wrap_key(), and tls_crypt_init_key().
◆ fixup_key()
Definition at line 976 of file crypto.c.
References check_debug_level(), key_type::cipher, key::cipher, key_type::cipher_length, D_CRYPTO_DEBUG, dmsg, format_hex(), gc_free(), gc_new(), key_des_fixup(), and key_des_num_cblocks().
Referenced by generate_key_expansion(), generate_key_random(), and verify_fix_key2().
◆ free_key_ctx()
| void free_key_ctx | ( | struct key_ctx * | ctx | ) |
Definition at line 894 of file crypto.c.
References key_ctx::cipher, cipher_ctx_cleanup(), cipher_ctx_free(), key_ctx::hmac, hmac_ctx_cleanup(), hmac_ctx_free(), and key_ctx::implicit_iv_len.
Referenced by free_key_ctx_bi(), key_schedule_free(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_write_client_key_file().
◆ free_key_ctx_bi()
| void free_key_ctx_bi | ( | struct key_ctx_bi * | ctx | ) |
Definition at line 912 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, and free_key_ctx().
Referenced by do_close_free_key_schedule(), key_schedule_free(), key_state_free(), test_tls_crypt_teardown(), test_tls_crypt_v2_teardown(), tls_crypt_v2_wrap_unwrap_wrong_key(), tls_crypt_v2_write_client_key_file(), tls_pre_decrypt_lite(), and tls_wrap_free().
◆ generate_key_random()
Definition at line 1023 of file crypto.c.
References check_key(), key_type::cipher, key::cipher, key_type::cipher_length, CLEAR, D_SHOW_KEY_SOURCE, key_type::digest, dmsg, fixup_key(), format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, M_FATAL, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, msg, and rand_bytes().
Referenced by key_method_1_write(), and write_key_file().
◆ get_cipher_name_pair()
|
static |
Definition at line 1806 of file crypto.c.
References cipher_name_translation_table, cipher_name_translation_table_count, cipher_name_pair::lib_name, and cipher_name_pair::openvpn_name.
Referenced by translate_cipher_name_from_openvpn(), and translate_cipher_name_to_openvpn().
◆ get_random()
| long int get_random | ( | void | ) |
Definition at line 1767 of file crypto.c.
Referenced by check_send_occ_msg_dowork(), check_timeout_random_component_dowork(), do_init_crypto_tls(), fragment_init(), gen_nonce(), hash_iterator_delete_element(), init_connection_list(), multi_init(), packet_id_add(), platform_create_temp_file(), route_quota_exceeded(), and schedule_remove_entry().
◆ init_key_ctx()
| void init_key_ctx | ( | struct key_ctx * | ctx, |
| const struct key * | key, | ||
| const struct key_type * | kt, | ||
| int | enc, | ||
| const char * | prefix | ||
| ) |
Definition at line 821 of file crypto.c.
References key_type::cipher, key::cipher, key_ctx::cipher, cipher_ctx_init(), cipher_ctx_new(), cipher_kt_block_size(), cipher_kt_insecure(), cipher_kt_iv_size(), cipher_kt_name(), key_type::cipher_length, CLEAR, D_CRYPTO_DEBUG, D_HANDSHAKE, D_SHOW_KEYS, key_type::digest, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_ctx::hmac, hmac_ctx_init(), hmac_ctx_new(), hmac_ctx_size(), key_type::hmac_length, M_WARN, md_kt_name(), md_kt_size(), msg, and translate_cipher_name_to_openvpn().
Referenced by init_key_ctx_bi(), key_method_1_read(), key_method_1_write(), test_tls_crypt_setup(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_init_server_key().
◆ init_key_ctx_bi()
| void init_key_ctx_bi | ( | struct key_ctx_bi * | ctx, |
| const struct key2 * | key2, | ||
| int | key_direction, | ||
| const struct key_type * | kt, | ||
| const char * | name | ||
| ) |
Definition at line 874 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_direction_state::in_key, init_key_ctx(), key_ctx_bi::initialized, key_direction_state_init(), key2::keys, OPENVPN_OP_DECRYPT, OPENVPN_OP_ENCRYPT, openvpn_snprintf(), and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), generate_key_expansion(), test_tls_crypt_v2_setup(), tls_crypt_v2_load_client_key(), and tls_crypt_v2_wrap_unwrap_wrong_key().
◆ init_key_type()
| void init_key_type | ( | struct key_type * | kt, |
| const char * | ciphername, | ||
| const char * | authname, | ||
| int | keysize, | ||
| bool | tls_mode, | ||
| bool | warn | ||
| ) |
Initialize a key_type structure with.
- Parameters
-
kt The struct key_type to initialize ciphername The name of the cipher to use authname The name of the HMAC digest to use keysize The length of the cipher key to use, in bytes. Only valid for ciphers that support variable length keys. tls_mode Specifies whether we are running in TLS mode, which allows more ciphers than static key mode. warn Print warnings when null cipher / auth is used.
Definition at line 743 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_block_size(), cipher_kt_get(), cipher_kt_key_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), key_type::cipher_length, CLEAR, key_type::digest, ENABLE_OFB_CFB_MODE, key_type::hmac_length, M_FATAL, M_WARN, MAX_CIPHER_KEY_LENGTH, md_kt_get(), md_kt_size(), msg, OPENVPN_MAX_CIPHER_BLOCK_SIZE, and translate_cipher_name_from_openvpn().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls_c1(), options_string(), and tls_session_update_crypto_params().
◆ key2_print()
| void key2_print | ( | const struct key2 * | k, |
| const struct key_type * | kt, | ||
| const char * | prefix0, | ||
| const char * | prefix1 | ||
| ) |
Definition at line 1067 of file crypto.c.
References ASSERT, key::cipher, key_type::cipher_length, D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, key2::keys, and key2::n.
Referenced by generate_key_expansion().
◆ key_direction_state_init()
| void key_direction_state_init | ( | struct key_direction_state * | kds, |
| int | key_direction | ||
| ) |
Definition at line 1549 of file crypto.c.
References ASSERT, CLEAR, key_direction_state::in_key, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, key_direction_state::need_keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), and init_key_ctx_bi().
◆ key_is_zero()
Definition at line 919 of file crypto.c.
References key::cipher, key_type::cipher_length, D_CRYPT_ERRORS, and msg.
Referenced by check_key().
◆ keydirection2ascii()
Definition at line 1520 of file crypto.c.
References ASSERT, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, and KEY_DIRECTION_NORMAL.
Referenced by options_string(), show_connection_entry(), and show_settings().
◆ must_have_n_keys()
| void must_have_n_keys | ( | const char * | filename, |
| const char * | option, | ||
| const struct key2 * | key2, | ||
| int | n | ||
| ) |
◆ openvpn_decrypt_aead()
|
static |
Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets.
Set buf->len to 0 and return false on decrypt error.
On success, buf is set to point to plaintext, true is returned.
Definition at line 360 of file crypto.c.
References ASSERT, BLEN, BPTR, buf_advance(), buf_inc_len(), buf_init, buf_safe(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final_check_tag(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), cipher_kt_mode_aead(), cipher_kt_tag_size(), CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, buffer::data, key_ctx_bi::decrypt, dmsg, format_hex(), FRAME_HEADROOM_ADJ, FRAME_HEADROOM_MARKER_DECRYPT, gc_free(), gc_init(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_decrypt_v1()
|
static |
Definition at line 507 of file crypto.c.
References ASSERT, BLEN, BOOL_CAST, BPTR, buf_advance(), buf_inc_len(), buf_init, buf_safe(), buf_set_read(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), CO_IGNORE_PACKET_ID, CO_PACKET_ID_LONG_FORM, CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, key_ctx_bi::decrypt, dmsg, crypto_options::flags, format_hex(), FRAME_HEADROOM_ADJ, FRAME_HEADROOM_MARKER_DECRYPT, gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, MAX_HMAC_KEY_LENGTH, memcmp_constant_time(), OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_encrypt_aead()
|
static |
Definition at line 64 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_get_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), cipher_kt_mode_aead(), cipher_kt_tag_size(), crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, format_hex(), gc_free(), gc_init(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_AEAD_MIN_IV_LEN, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ openvpn_encrypt_v1()
|
static |
Definition at line 161 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_prepend(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buf_write_prepend(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_cipher_kt(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_kt_mode(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), CO_PACKET_ID_LONG_FORM, crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, crypto_options::flags, format_hex(), gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_MAX_IV_LENGTH, OPENVPN_MODE_CBC, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), prng_bytes(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ print_cipher()
| void print_cipher | ( | const cipher_kt_t * | cipher | ) |
Print a cipher list entry.
Definition at line 1779 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_key_size(), cipher_kt_mode_cbc(), cipher_kt_name(), cipher_kt_var_key_size(), and translate_cipher_name_to_openvpn().
Referenced by show_available_ciphers().
◆ prng_bytes()
| void prng_bytes | ( | uint8_t * | output, |
| int | len | ||
| ) |
Definition at line 1735 of file crypto.c.
References ASSERT, md_full(), md_kt_size(), min_int(), nonce_data, nonce_md, nonce_secret_len, PRNG_NONCE_RESET_BYTES, prng_reset_nonce(), and rand_bytes().
Referenced by get_random(), hostname_randomize(), init_static(), openvpn_encrypt_v1(), schedule_remove_entry(), and session_id_random().
◆ prng_init()
| void prng_init | ( | const char * | md_name, |
| const int | nonce_secret_len_parm | ||
| ) |
Pseudo-random number generator initialisation.
(see prng_rand_bytes())
- Parameters
-
md_name Name of the message digest to use nonce_secret_len_param Length of the nonce to use
Definition at line 1707 of file crypto.c.
References ASSERT, check_malloc_return(), D_CRYPTO_DEBUG, dmsg, malloc, md_kt_get(), md_kt_name(), md_kt_size(), nonce_data, nonce_md, nonce_secret_len, NONCE_SECRET_LEN_MAX, NONCE_SECRET_LEN_MIN, prng_reset_nonce(), and prng_uninit().
Referenced by do_init_crypto_tls_c1(), and init_static().
◆ prng_reset_nonce()
|
static |
Definition at line 1686 of file crypto.c.
References M_FATAL, md_kt_size(), msg, nonce_data, nonce_md, nonce_secret_len, and rand_bytes().
Referenced by prng_bytes(), and prng_init().
◆ prng_uninit()
| void prng_uninit | ( | void | ) |
Definition at line 1726 of file crypto.c.
References free, nonce_data, nonce_md, and nonce_secret_len.
Referenced by free_ssl_lib(), init_static(), and prng_init().
◆ read_key()
Definition at line 1631 of file crypto.c.
References buf_read(), key::cipher, key_type::cipher_length, CLEAR, D_TLS_ERRORS, key::hmac, key_type::hmac_length, and msg.
Referenced by key_method_1_read().
◆ read_key_file()
| void read_key_file | ( | struct key2 * | key2, |
| const char * | file, | ||
| const unsigned int | flags | ||
| ) |
Definition at line 1225 of file crypto.c.
References ASSERT, buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), CLEAR, buffer::data, format_hex_ex(), gc_free(), gc_new(), INLINE_FILE_TAG, key2::keys, buffer::len, M_FATAL, M_INFO, match(), msg, key2::n, PARSE_DATA, PARSE_DATA_COMPLETE, PARSE_FINISHED, PARSE_FOOT, PARSE_HEAD, PARSE_INITIAL, printable_char_fmt, RKF_INLINE, RKF_MUST_SUCCEED, SIZE, static_key_foot, static_key_head, and unprintable_char_fmt.
Referenced by crypto_read_openvpn_key().
◆ read_pem_key_file()
| bool read_pem_key_file | ( | struct buffer * | key, |
| const char * | pem_name, | ||
| const char * | key_file, | ||
| const char * | key_inline | ||
| ) |
Read key material from a PEM encoded files into the key structure.
- Parameters
-
key the key structure that will hold the key material pem_name the name used in the pem encoding start/end lines key_file name of the file to read key_inline a string holding the data in case of an inline key
- Returns
- true if reading into key was successful
Definition at line 1887 of file crypto.c.
References buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), crypto_pem_decode(), gc_free(), gc_new(), INLINE_FILE_TAG, M_WARN, and msg.
Referenced by tls_crypt_v2_init_client_key(), and tls_crypt_v2_init_server_key().
◆ test_crypto()
| void test_crypto | ( | struct crypto_options * | co, |
| struct frame * | frame | ||
| ) |
Definition at line 1090 of file crypto.c.
References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_init, BUF_SIZE, buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_get_cipher_kt(), cipher_kt_iv_size(), cipher_kt_mode_aead(), clear_buf(), key_ctx_bi::decrypt, key_ctx_bi::encrypt, FRAME_HEADROOM, gc_free(), gc_new(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, M_FATAL, M_INFO, msg, OPENVPN_AEAD_MIN_IV_LEN, openvpn_decrypt(), openvpn_encrypt(), OPENVPN_MAX_IV_LENGTH, PACKAGE_NAME, rand_bytes(), TUN_MTU_SIZE, and update_time().
Referenced by show_settings(), and test_crypto_thread().
◆ translate_cipher_name_from_openvpn()
| const char * translate_cipher_name_from_openvpn | ( | const char * | cipher_name | ) |
Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file 'language'.
Translate a data channel cipher name from the OpenVPN config file 'language' to the crypto library specific name.
Translate an OpenVPN cipher name to a crypto library cipher name.
- Parameters
-
cipher_name An OpenVPN cipher name
- Returns
- The corresponding crypto library cipher name, or NULL if no matching cipher name was found.
Definition at line 1827 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::lib_name.
Referenced by cipher_kt_block_size(), init_key_type(), and tls_check_ncp_cipher_list().
◆ translate_cipher_name_to_openvpn()
| const char* translate_cipher_name_to_openvpn | ( | const char * | cipher_name | ) |
Translate a crypto library cipher name to an OpenVPN cipher name.
- Parameters
-
cipher_name A crypto library cipher name
- Returns
- The corresponding OpenVPN cipher name, or NULL if no matching cipher name was found.
Definition at line 1840 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.
Referenced by cipher_kt_block_size(), cipher_name_cmp(), init_key_ctx(), multi_print_status(), options_string(), and print_cipher().
◆ verify_fix_key2()
| void verify_fix_key2 | ( | struct key2 * | key2, |
| const struct key_type * | kt, | ||
| const char * | shared_secret_file | ||
| ) |
Definition at line 1578 of file crypto.c.
References check_key(), fixup_key(), key2::keys, M_FATAL, msg, and key2::n.
Referenced by crypto_read_openvpn_key().
◆ write_key()
Definition at line 1598 of file crypto.c.
References ASSERT, buf_write(), key::cipher, key_type::cipher_length, key::hmac, key_type::hmac_length, MAX_CIPHER_KEY_LENGTH, and MAX_HMAC_KEY_LENGTH.
Referenced by key_method_1_write().
◆ write_key_file()
| int write_key_file | ( | const int | nkeys, |
| const char * | filename | ||
| ) |
Write nkeys 1024-bits keys to file.
- Returns
- number of random bits written, or -1 on failure.
Definition at line 1426 of file crypto.c.
References alloc_buf_gc(), buf_clear(), buf_printf(), buffer_write_file(), format_hex_ex(), gc_free(), gc_new(), generate_key_random(), secure_memzero(), static_key_foot, and static_key_head.
Referenced by do_genkey().
◆ write_pem_key_file()
| void write_pem_key_file | ( | const char * | filename, |
| const char * | pem_name | ||
| ) |
Generate a server key with enough randomness to fill a key struct and write to file.
- Parameters
-
filename Filename of the server key file to create. pem_name The name to use in the PEM header/footer.
Definition at line 1853 of file crypto.c.
References buf_clear(), buf_set_read(), buffer_write_file(), clear_buf(), crypto_pem_encode(), gc_free(), gc_new(), M_ERR, M_NONFATAL, M_WARN, msg, rand_bytes(), and secure_memzero().
Referenced by tls_crypt_v2_write_server_key_file().
Variable Documentation
◆ nonce_data
|
static |
Definition at line 1680 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ nonce_md
|
static |
Definition at line 1681 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ nonce_secret_len
|
static |
Definition at line 1682 of file crypto.c.
Referenced by prng_bytes(), prng_init(), prng_reset_nonce(), and prng_uninit().
◆ printable_char_fmt
|
static |
Definition at line 1216 of file crypto.c.
Referenced by read_key_file().
◆ static_key_foot
|
static |
Definition at line 1214 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ static_key_head
|
static |
Definition at line 1213 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ unprintable_char_fmt
|
static |
Definition at line 1219 of file crypto.c.
Referenced by read_key_file().
