#include "syshead.h"#include <string.h>#include "crypto.h"#include "error.h"#include "integer.h"#include "platform.h"#include "memdbg.h"
Go to the source code of this file.
Macros | |
| #define | PARSE_INITIAL 0 |
| #define | PARSE_HEAD 1 |
| #define | PARSE_DATA 2 |
| #define | PARSE_DATA_COMPLETE 3 |
| #define | PARSE_FOOT 4 |
| #define | PARSE_FINISHED 5 |
Functions | |
| static void | openvpn_encrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| static void | openvpn_encrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| void | openvpn_encrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
| Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote OpenVPN peer. More... | |
| bool | crypto_check_replay (struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc) |
| Check packet ID for replay, and perform replay administration. More... | |
| static bool | openvpn_decrypt_aead (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets. More... | |
| static bool | openvpn_decrypt_v1 (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame) |
| bool | openvpn_decrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
| HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer. More... | |
| unsigned int | calculate_crypto_overhead (const struct key_type *kt, unsigned int pkt_id_size, bool occ) |
| Calculate the maximum overhead that our encryption has on a packet. More... | |
| unsigned int | crypto_max_overhead (void) |
| Return the worst-case OpenVPN crypto overhead (in bytes) More... | |
| static void | warn_insecure_key_type (const char *ciphername) |
| void | init_key_type (struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn) |
| Initialize a key_type structure with. More... | |
| void | init_key_ctx (struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix) |
| void | init_key_ctx_bi (struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) |
| void | free_key_ctx (struct key_ctx *ctx) |
| void | free_key_ctx_bi (struct key_ctx_bi *ctx) |
| static bool | key_is_zero (struct key *key, const struct key_type *kt) |
| bool | check_key (struct key *key, const struct key_type *kt) |
| static void | generate_key_random (struct key *key) |
| static void | key_print (const struct key *key, const struct key_type *kt, const char *prefix) |
| void | key2_print (const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) |
| Prints the keys in a key2 structure. More... | |
| void | test_crypto (struct crypto_options *co, struct frame *frame) |
| const char * | print_key_filename (const char *str, bool is_inline) |
| To be used when printing a string that may contain inline data. More... | |
| void | crypto_read_openvpn_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name, struct key2 *keydata) |
| void | read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
| int | write_key_file (const int nkeys, const char *filename) |
| Write nkeys 1024-bits keys to file. More... | |
| void | must_have_n_keys (const char *filename, const char *option, const struct key2 *key2, int n) |
| int | ascii2keydirection (int msglevel, const char *str) |
| const char * | keydirection2ascii (int kd, bool remote, bool humanreadable) |
| void | key_direction_state_init (struct key_direction_state *kds, int key_direction) |
| void | verify_fix_key2 (struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) |
| bool | write_key (const struct key *key, const struct key_type *kt, struct buffer *buf) |
| int | read_key (struct key *key, const struct key_type *kt, struct buffer *buf) |
| void | prng_bytes (uint8_t *output, int len) |
| long int | get_random (void) |
| void | print_cipher (const char *ciphername) |
| Print a cipher list entry. More... | |
| static const cipher_name_pair * | get_cipher_name_pair (const char *cipher_name) |
| const char * | translate_cipher_name_from_openvpn (const char *cipher_name) |
| Translate an OpenVPN cipher name to a crypto library cipher name. More... | |
| const char * | translate_cipher_name_to_openvpn (const char *cipher_name) |
| Translate a crypto library cipher name to an OpenVPN cipher name. More... | |
| void | write_pem_key_file (const char *filename, const char *pem_name) |
| Generate a server key with enough randomness to fill a key struct and write to file. More... | |
| bool | generate_ephemeral_key (struct buffer *key, const char *key_name) |
| Generate ephermal key material into the key structure. More... | |
| bool | read_pem_key_file (struct buffer *key, const char *pem_name, const char *key_file, bool key_inline) |
| Read key material from a PEM encoded files into the key structure. More... | |
| bool | check_tls_prf_working (void) |
| Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS Keying Material Export is not available. More... | |
Variables | |
| static const char | static_key_head [] = "-----BEGIN OpenVPN Static key V1-----" |
| static const char | static_key_foot [] = "-----END OpenVPN Static key V1-----" |
| static const char | printable_char_fmt [] |
| static const char | unprintable_char_fmt [] |
Macro Definition Documentation
◆ PARSE_DATA
| #define PARSE_DATA 2 |
◆ PARSE_DATA_COMPLETE
| #define PARSE_DATA_COMPLETE 3 |
◆ PARSE_FINISHED
| #define PARSE_FINISHED 5 |
◆ PARSE_FOOT
| #define PARSE_FOOT 4 |
◆ PARSE_HEAD
| #define PARSE_HEAD 1 |
◆ PARSE_INITIAL
| #define PARSE_INITIAL 0 |
Function Documentation
◆ ascii2keydirection()
| int ascii2keydirection | ( | int | msglevel, |
| const char * | str | ||
| ) |
Definition at line 1426 of file crypto.c.
References KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, and msg.
Referenced by add_option().
◆ calculate_crypto_overhead()
| unsigned int calculate_crypto_overhead | ( | const struct key_type * | kt, |
| unsigned int | pkt_id_size, | ||
| bool | occ | ||
| ) |
Calculate the maximum overhead that our encryption has on a packet.
This does not include needed additional buffer size
This does NOT include the padding and rounding of CBC size as the users (mssfix/fragment) of this function need to adjust for this and add it themselves.
- Parameters
-
kt Struct with the crypto algorithm to use packet_id_size Size of the packet id occ if true calculates the overhead for crypto in the same incorrect way as all previous OpenVPN versions did, to end up with identical numbers for OCC compatibility
Definition at line 670 of file crypto.c.
References key_type::cipher, cipher_defined(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_tag_size(), key_type::digest, md_defined(), and md_kt_size().
Referenced by frame_calculate_protocol_header_size().
◆ check_key()
Definition at line 931 of file crypto.c.
References key_type::cipher, cipher_defined(), and key_is_zero().
Referenced by generate_key_expansion(), and verify_fix_key2().
◆ check_tls_prf_working()
| bool check_tls_prf_working | ( | void | ) |
Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1 that OpenVPN uses when TLS Keying Material Export is not available.
- Returns
- true if supported, false otherwise.
Definition at line 1795 of file crypto.c.
References ssl_tls1_PRF().
Referenced by options_process_mutate_prf().
◆ crypto_check_replay()
| bool crypto_check_replay | ( | struct crypto_options * | opt, |
| const struct packet_id_net * | pin, | ||
| const char * | error_prefix, | ||
| struct gc_arena * | gc | ||
| ) |
Check packet ID for replay, and perform replay administration.
- Parameters
-
opt Crypto options for this packet, contains replay state. pin Packet ID read from packet. error_prefix Prefix to use when printing error messages. gc Garbage collector to use.
- Returns
- true if packet ID is validated to be not a replay, false otherwise.
Definition at line 312 of file crypto.c.
References CO_MUTE_REPLAY_WARNINGS, CO_PACKET_ID_LONG_FORM, D_REPLAY_ERRORS, crypto_options::flags, msg, crypto_options::packet_id, packet_id_add(), packet_id_net_print(), packet_id_persist_save_obj(), packet_id_reap_test(), packet_id_test(), crypto_options::pid_persist, and packet_id::rec.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), and tls_crypt_unwrap().
◆ crypto_max_overhead()
| unsigned int crypto_max_overhead | ( | void | ) |
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition at line 719 of file crypto.c.
References max_int(), OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, OPENVPN_MAX_IV_LENGTH, and packet_id_size().
Referenced by frame_finalize_options().
◆ crypto_read_openvpn_key()
| void crypto_read_openvpn_key | ( | const struct key_type * | key_type, |
| struct key_ctx_bi * | ctx, | ||
| const char * | key_file, | ||
| bool | key_inline, | ||
| const int | key_direction, | ||
| const char * | key_name, | ||
| const char * | opt_name, | ||
| struct key2 * | keydata | ||
| ) |
Definition at line 1094 of file crypto.c.
References init_key_ctx_bi(), key2, key_direction_state_init(), M_ERR, msg, must_have_n_keys(), key2::n, key_direction_state::need_keys, print_key_filename(), read_key_file(), RKF_INLINE, RKF_MUST_SUCCEED, secure_memzero(), and verify_fix_key2().
Referenced by do_init_crypto_static(), do_init_tls_wrap_key(), init_tas_auth(), and tls_crypt_init_key().
◆ free_key_ctx()
| void free_key_ctx | ( | struct key_ctx * | ctx | ) |
Definition at line 889 of file crypto.c.
References key_ctx::cipher, cipher_ctx_free(), key_ctx::hmac, hmac_ctx_cleanup(), hmac_ctx_free(), and key_ctx::implicit_iv_len.
Referenced by auth_token_fail_invalid_key(), auth_token_test_key_load(), auth_token_test_random_keys(), do_close_free_key_schedule(), free_key_ctx_bi(), key_schedule_free(), teardown(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_write_client_key_file().
◆ free_key_ctx_bi()
| void free_key_ctx_bi | ( | struct key_ctx_bi * | ctx | ) |
Definition at line 906 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, and free_key_ctx().
Referenced by do_close_free_key_schedule(), free_tas(), free_tls_pre_decrypt_state(), key_schedule_free(), key_state_free(), test_tls_crypt_teardown(), test_tls_crypt_v2_teardown(), test_tls_decrypt_lite_auth(), test_tls_decrypt_lite_crypt(), tls_crypt_v2_wrap_unwrap_wrong_key(), tls_crypt_v2_write_client_key_file(), and tls_wrap_free().
◆ generate_ephemeral_key()
| bool generate_ephemeral_key | ( | struct buffer * | key, |
| const char * | pem_name | ||
| ) |
Generate ephermal key material into the key structure.
- Parameters
-
key the key structure that will hold the key material pem_name the name used for logging
- Returns
- true if key generation was successful
Definition at line 1738 of file crypto.c.
References BCAP, BEND, buf_inc_len(), buffer::len, M_INFO, M_WARN, msg, and rand_bytes().
Referenced by auth_token_init_secret().
◆ generate_key_random()
|
static |
Definition at line 950 of file crypto.c.
References key::cipher, CLEAR, D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, M_FATAL, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, msg, and rand_bytes().
Referenced by write_key_file().
◆ get_cipher_name_pair()
|
static |
Definition at line 1653 of file crypto.c.
References cipher_name_translation_table, cipher_name_translation_table_count, cipher_name_pair::lib_name, and cipher_name_pair::openvpn_name.
Referenced by translate_cipher_name_from_openvpn(), and translate_cipher_name_to_openvpn().
◆ get_random()
| long int get_random | ( | void | ) |
Definition at line 1611 of file crypto.c.
Referenced by check_send_occ_msg_dowork(), check_timeout_random_component_dowork(), do_init_crypto_tls(), fragment_init(), gen_nonce(), init_connection_list(), multi_init(), packet_id_add(), and platform_create_temp_file().
◆ init_key_ctx()
| void init_key_ctx | ( | struct key_ctx * | ctx, |
| const struct key * | key, | ||
| const struct key_type * | kt, | ||
| int | enc, | ||
| const char * | prefix | ||
| ) |
Definition at line 824 of file crypto.c.
References key_type::cipher, key::cipher, key_ctx::cipher, cipher_ctx_init(), cipher_ctx_new(), cipher_defined(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_key_size(), cipher_kt_name(), CLEAR, D_CIPHER_INIT, D_CRYPTO_DEBUG, D_SHOW_KEYS, key_type::digest, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_ctx::hmac, hmac_ctx_init(), hmac_ctx_new(), hmac_ctx_size(), md_defined(), md_kt_name(), md_kt_size(), msg, and warn_insecure_key_type().
Referenced by auth_token_fail_invalid_key(), auth_token_init_secret(), init_key_ctx_bi(), setup(), test_tls_crypt_setup(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_init_server_key().
◆ init_key_ctx_bi()
| void init_key_ctx_bi | ( | struct key_ctx_bi * | ctx, |
| const struct key2 * | key2, | ||
| int | key_direction, | ||
| const struct key_type * | kt, | ||
| const char * | name | ||
| ) |
Definition at line 869 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_direction_state::in_key, init_key_ctx(), key_ctx_bi::initialized, key_direction_state_init(), key2::keys, OPENVPN_OP_DECRYPT, OPENVPN_OP_ENCRYPT, openvpn_snprintf(), and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_key_contexts(), test_tls_crypt_v2_setup(), tls_crypt_v2_load_client_key(), tls_crypt_v2_wrap_unwrap_wrong_key(), and tls_session_generate_dynamic_tls_crypt_key().
◆ init_key_type()
| void init_key_type | ( | struct key_type * | kt, |
| const char * | ciphername, | ||
| const char * | authname, | ||
| bool | tls_mode, | ||
| bool | warn | ||
| ) |
Initialize a key_type structure with.
- Parameters
-
kt The struct key_type to initialize ciphername The name of the cipher to use authname The name of the HMAC digest to use tls_mode Specifies whether we are running in TLS mode, which allows more ciphers than static key mode. warn Print warnings when null cipher / auth is used.
Definition at line 744 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_block_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), cipher_valid(), CLEAR, key_type::digest, ENABLE_OFB_CFB_MODE, M_FATAL, M_WARN, md_kt_size(), msg, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, and warn_insecure_key_type().
Referenced by calc_options_string_link_mtu(), do_init_crypto_none(), do_init_crypto_static(), do_init_crypto_tls_c1(), init_tas_auth(), options_string(), test_mssfix_mtu_calculation(), and tls_session_update_crypto_params_do_work().
◆ key2_print()
| void key2_print | ( | const struct key2 * | k, |
| const struct key_type * | kt, | ||
| const char * | prefix0, | ||
| const char * | prefix1 | ||
| ) |
Prints the keys in a key2 structure.
Definition at line 988 of file crypto.c.
References ASSERT, key_print(), key2::keys, and key2::n.
Referenced by generate_key_expansion().
◆ key_direction_state_init()
| void key_direction_state_init | ( | struct key_direction_state * | kds, |
| int | key_direction | ||
| ) |
Definition at line 1478 of file crypto.c.
References ASSERT, CLEAR, key_direction_state::in_key, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, key_direction_state::need_keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_key_ctx_bi(), and tls_session_generate_dynamic_tls_crypt_key().
◆ key_is_zero()
Definition at line 913 of file crypto.c.
References key_type::cipher, key::cipher, cipher_kt_key_size(), D_CRYPT_ERRORS, and msg.
Referenced by check_key().
◆ key_print()
|
static |
Definition at line 971 of file crypto.c.
References key_type::cipher, key::cipher, cipher_kt_key_size(), cipher_kt_name(), D_SHOW_KEY_SOURCE, key_type::digest, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, md_kt_name(), and md_kt_size().
Referenced by key2_print().
◆ keydirection2ascii()
| const char* keydirection2ascii | ( | int | kd, |
| bool | remote, | ||
| bool | humanreadable | ||
| ) |
Definition at line 1449 of file crypto.c.
References ASSERT, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, and KEY_DIRECTION_NORMAL.
Referenced by options_string(), show_connection_entry(), and show_settings().
◆ must_have_n_keys()
| void must_have_n_keys | ( | const char * | filename, |
| const char * | option, | ||
| const struct key2 * | key2, | ||
| int | n | ||
| ) |
◆ openvpn_decrypt_aead()
|
static |
Unwrap (authenticate, decrypt and check replay protection) AEAD-mode data channel packets.
Set buf->len to 0 and return false on decrypt error.
On success, buf is set to point to plaintext, true is returned.
Definition at line 349 of file crypto.c.
References ASSERT, BLEN, BPTR, frame::buf, buf_advance(), buf_inc_len(), buf_init, buf_safe(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final_check_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, buffer::data, key_ctx_bi::decrypt, dmsg, format_hex(), gc_free(), gc_init(), frame::headroom, key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_decrypt_v1()
|
static |
Definition at line 481 of file crypto.c.
References ASSERT, BLEN, BOOL_CAST, BPTR, frame::buf, buf_advance(), buf_inc_len(), buf_init, buf_safe(), buf_set_read(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_iv_length(), cipher_ctx_mode_cbc(), cipher_ctx_mode_ofb_cfb(), cipher_ctx_reset(), cipher_ctx_update(), CO_IGNORE_PACKET_ID, CO_PACKET_ID_LONG_FORM, CRYPT_ERROR, crypto_check_replay(), crypto_clear_error(), D_PACKET_CONTENT, key_ctx_bi::decrypt, dmsg, crypto_options::flags, format_hex(), gc_free(), gc_init(), frame::headroom, key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, MAX_HMAC_KEY_LENGTH, memcmp_constant_time(), OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), and packet_id_read().
Referenced by openvpn_decrypt().
◆ openvpn_encrypt_aead()
|
static |
Definition at line 63 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_get_tag(), cipher_ctx_iv_length(), cipher_ctx_reset(), cipher_ctx_update(), cipher_ctx_update_ad(), crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, format_hex(), gc_free(), gc_init(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_AEAD_MIN_IV_LEN, OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_IV_LENGTH, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ openvpn_encrypt_v1()
|
static |
Definition at line 154 of file crypto.c.
References ASSERT, BEND, BLEN, BPTR, buf_inc_len(), buf_prepend(), buf_safe(), buf_set_write(), buf_write(), buf_write_alloc(), buf_write_prepend(), buffer::capacity, key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_iv_length(), cipher_ctx_mode(), cipher_ctx_mode_cbc(), cipher_ctx_mode_ofb_cfb(), cipher_ctx_reset(), cipher_ctx_update(), CO_PACKET_ID_LONG_FORM, crypto_clear_error(), D_CRYPT_ERRORS, D_PACKET_CONTENT, dmsg, key_ctx_bi::encrypt, crypto_options::flags, format_hex(), gc_free(), gc_init(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_size(), hmac_ctx_update(), crypto_options::key_ctx_bi, buffer::len, msg, buffer::offset, OPENVPN_MAX_IV_LENGTH, OPENVPN_MODE_CBC, crypto_options::packet_id, packet_id_initialized(), packet_id_write(), prng_bytes(), and packet_id::send.
Referenced by openvpn_encrypt().
◆ print_cipher()
| void print_cipher | ( | const char * | ciphername | ) |
Print a cipher list entry.
Definition at line 1623 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_key_size(), cipher_kt_mode_cbc(), cipher_kt_name(), and cipher_valid_reason().
Referenced by show_available_ciphers().
◆ print_key_filename()
| const char* print_key_filename | ( | const char * | str, |
| bool | is_inline | ||
| ) |
To be used when printing a string that may contain inline data.
If "is_inline" is true, return the inline tag. If "is_inline" is false and "str" is not NULL, return "str". Return the constant string "[NULL]" otherwise.
- Parameters
-
str the original string to return when is_inline is false is_inline true when str contains an inline data of some sort
Definition at line 1083 of file crypto.c.
References np().
Referenced by backend_tls_ctx_reload_crl(), crypto_read_openvpn_key(), read_key_file(), tls_ctx_load_ca(), tls_ctx_load_dh_params(), tls_ctx_load_extra_certs(), and tls_ctx_load_priv_file().
◆ prng_bytes()
| void prng_bytes | ( | uint8_t * | output, |
| int | len | ||
| ) |
Definition at line 1604 of file crypto.c.
Referenced by get_random(), hostname_randomize(), openvpn_encrypt_v1(), and session_id_random().
◆ read_key()
Definition at line 1561 of file crypto.c.
References buf_read(), key_type::cipher, key::cipher, cipher_kt_key_size(), CLEAR, D_TLS_ERRORS, key_type::digest, key::hmac, md_kt_size(), and msg.
◆ read_key_file()
| void read_key_file | ( | struct key2 * | key2, |
| const char * | file, | ||
| const unsigned int | flags | ||
| ) |
Definition at line 1146 of file crypto.c.
References ASSERT, buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), CLEAR, buffer::data, format_hex_ex(), gc_free(), gc_new(), key2::keys, buffer::len, M_FATAL, M_INFO, msg, key2::n, PARSE_DATA, PARSE_DATA_COMPLETE, PARSE_FINISHED, PARSE_FOOT, PARSE_HEAD, PARSE_INITIAL, print_key_filename(), printable_char_fmt, RKF_INLINE, RKF_MUST_SUCCEED, SIZE, static_key_foot, static_key_head, and unprintable_char_fmt.
Referenced by crypto_read_openvpn_key().
◆ read_pem_key_file()
| bool read_pem_key_file | ( | struct buffer * | key, |
| const char * | pem_name, | ||
| const char * | key_file, | ||
| bool | key_inline | ||
| ) |
Read key material from a PEM encoded files into the key structure.
- Parameters
-
key the key structure that will hold the key material pem_name the name used in the pem encoding start/end lines key_file name of the file to read or the key itself if key_inline is true key_inline True if key_file contains an inline key, False otherwise.
- Returns
- true if reading into key was successful
Definition at line 1756 of file crypto.c.
References buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), cleanup(), crypto_pem_decode(), gc_free(), gc_new(), M_WARN, and msg.
Referenced by auth_token_init_secret(), tls_crypt_v2_init_client_key(), and tls_crypt_v2_init_server_key().
◆ test_crypto()
| void test_crypto | ( | struct crypto_options * | co, |
| struct frame * | frame | ||
| ) |
Definition at line 999 of file crypto.c.
References alloc_buf_gc(), ASSERT, BLEN, BPTR, frame::buf, buf_init, BUF_SIZE, buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_iv_length(), cipher_ctx_mode_aead(), clear_buf(), key_ctx_bi::decrypt, key_ctx_bi::encrypt, gc_free(), gc_new(), frame::headroom, key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, M_FATAL, M_INFO, msg, OPENVPN_AEAD_MIN_IV_LEN, openvpn_decrypt(), openvpn_encrypt(), OPENVPN_MAX_IV_LENGTH, PACKAGE_NAME, frame::payload_size, rand_bytes(), and update_time().
Referenced by show_settings(), and test_crypto_thread().
◆ translate_cipher_name_from_openvpn()
| const char* translate_cipher_name_from_openvpn | ( | const char * | cipher_name | ) |
Translate an OpenVPN cipher name to a crypto library cipher name.
- Parameters
-
cipher_name An OpenVPN cipher name
- Returns
- The corresponding crypto library cipher name, or NULL if no matching cipher name was found.
Definition at line 1674 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::lib_name.
Referenced by cipher_get(), and cipher_kt_block_size().
◆ translate_cipher_name_to_openvpn()
| const char* translate_cipher_name_to_openvpn | ( | const char * | cipher_name | ) |
Translate a crypto library cipher name to an OpenVPN cipher name.
- Parameters
-
cipher_name A crypto library cipher name
- Returns
- The corresponding OpenVPN cipher name, or NULL if no matching cipher name was found.
Definition at line 1687 of file crypto.c.
References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.
Referenced by cipher_kt_block_size(), cipher_kt_name(), and multi_print_status().
◆ verify_fix_key2()
| void verify_fix_key2 | ( | struct key2 * | key2, |
| const struct key_type * | kt, | ||
| const char * | shared_secret_file | ||
| ) |
Definition at line 1507 of file crypto.c.
References check_key(), key2::keys, M_FATAL, msg, and key2::n.
Referenced by crypto_read_openvpn_key().
◆ warn_insecure_key_type()
|
static |
Definition at line 727 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_insecure(), M_WARN, and msg.
Referenced by init_key_ctx(), and init_key_type().
◆ write_key()
Definition at line 1524 of file crypto.c.
References ASSERT, buf_write(), key_type::cipher, key::cipher, cipher_kt_key_size(), key_type::digest, key::hmac, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, and md_kt_size().
◆ write_key_file()
| int write_key_file | ( | const int | nkeys, |
| const char * | filename | ||
| ) |
Write nkeys 1024-bits keys to file.
- Returns
- number of random bits written, or -1 on failure.
Definition at line 1350 of file crypto.c.
References alloc_buf_gc(), BLEN, BPTR, buf_clear(), buf_printf(), buffer_write_file(), format_hex_ex(), gc_free(), gc_new(), generate_key_random(), secure_memzero(), static_key_foot, and static_key_head.
Referenced by do_genkey().
◆ write_pem_key_file()
| void write_pem_key_file | ( | const char * | filename, |
| const char * | key_name | ||
| ) |
Generate a server key with enough randomness to fill a key struct and write to file.
- Parameters
-
filename Filename of the server key file to create. pem_name The name to use in the PEM header/footer.
Definition at line 1700 of file crypto.c.
References BLEN, BPTR, buf_clear(), buf_set_read(), buffer_write_file(), cleanup(), clear_buf(), crypto_pem_encode(), gc_free(), gc_new(), M_ERR, M_NONFATAL, M_WARN, msg, rand_bytes(), and secure_memzero().
Referenced by auth_token_write_server_key_file(), and tls_crypt_v2_write_server_key_file().
Variable Documentation
◆ printable_char_fmt
|
static |
Definition at line 1137 of file crypto.c.
Referenced by read_key_file().
◆ static_key_foot
|
static |
Definition at line 1135 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ static_key_head
|
static |
Definition at line 1134 of file crypto.c.
Referenced by read_key_file(), and write_key_file().
◆ unprintable_char_fmt
|
static |
Definition at line 1140 of file crypto.c.
Referenced by read_key_file().
