OpenVPN
crypto.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
122 #ifndef CRYPTO_H
123 #define CRYPTO_H
124 
125 #include "crypto_backend.h"
126 #include "basic.h"
127 #include "buffer.h"
128 #include "packet_id.h"
129 #include "mtu.h"
130 
134 };
135 
136 /*
137  * Defines a key type and key length for both cipher and HMAC.
138  */
139 struct key_type
140 {
144  const md_kt_t *digest;
145 };
146 
151 struct key
152 {
157 };
158 
159 
164 struct key_ctx
165 {
171 };
172 
173 #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */
174 #define KEY_DIRECTION_NORMAL 1 /* encrypt with keys[0], decrypt with keys[1] */
175 #define KEY_DIRECTION_INVERSE 2 /* encrypt with keys[1], decrypt with keys[0] */
176 
181 struct key2
182 {
183  int n;
185  struct key keys[2];
187 };
188 
199 {
200  int out_key;
202  int in_key;
204  int need_keys;
212 };
213 
220 {
221  struct key_ctx encrypt;
223  struct key_ctx decrypt;
226 };
227 
233 {
245 #define CO_PACKET_ID_LONG_FORM (1<<0)
246 
248 #define CO_IGNORE_PACKET_ID (1<<1)
249 
254 #define CO_MUTE_REPLAY_WARNINGS (1<<2)
255 
257  unsigned int flags;
259 };
260 
261 #define CRYPT_ERROR(format) \
262  do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
263 
268 #define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8)
269 
270 #define RKF_MUST_SUCCEED (1<<0)
271 #define RKF_INLINE (1<<1)
272 void read_key_file(struct key2 *key2, const char *file, const unsigned int flags);
273 
279 int write_key_file(const int nkeys, const char *filename);
280 
281 int read_passphrase_hash(const char *passphrase_file,
282  const md_kt_t *digest,
283  uint8_t *output,
284  int len);
285 
286 void generate_key_random(struct key *key, const struct key_type *kt);
287 
288 void check_replay_consistency(const struct key_type *kt, bool packet_id);
289 
290 bool check_key(struct key *key, const struct key_type *kt);
291 
292 void fixup_key(struct key *key, const struct key_type *kt);
293 
294 bool write_key(const struct key *key, const struct key_type *kt,
295  struct buffer *buf);
296 
297 int read_key(struct key *key, const struct key_type *kt, struct buffer *buf);
298 
311 void init_key_type(struct key_type *kt, const char *ciphername,
312  const char *authname, int keysize, bool tls_mode, bool warn);
313 
314 /*
315  * Key context functions
316  */
317 
318 void init_key_ctx(struct key_ctx *ctx, const struct key *key,
319  const struct key_type *kt, int enc,
320  const char *prefix);
321 
322 void free_key_ctx(struct key_ctx *ctx);
323 
324 void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
325  int key_direction, const struct key_type *kt,
326  const char *name);
327 
328 void free_key_ctx_bi(struct key_ctx_bi *ctx);
329 
330 
331 /**************************************************************************/
361 void openvpn_encrypt(struct buffer *buf, struct buffer work,
362  struct crypto_options *opt);
363 
364 
398 bool openvpn_decrypt(struct buffer *buf, struct buffer work,
399  struct crypto_options *opt, const struct frame *frame,
400  const uint8_t *ad_start);
401 
414 bool crypto_check_replay(struct crypto_options *opt,
415  const struct packet_id_net *pin, const char *error_prefix,
416  struct gc_arena *gc);
417 
418 
421  const struct key_type *kt,
422  bool packet_id,
423  bool packet_id_long_form);
424 
426 size_t crypto_max_overhead(void);
427 
428 /* Minimum length of the nonce used by the PRNG */
429 #define NONCE_SECRET_LEN_MIN 16
430 
431 /* Maximum length of the nonce used by the PRNG */
432 #define NONCE_SECRET_LEN_MAX 64
433 
435 #define PRNG_NONCE_RESET_BYTES 1024
436 
444 void prng_init(const char *md_name, const int nonce_secret_len_parm);
445 
446 /*
447  * Message digest-based pseudo random number generator.
448  *
449  * If the PRNG was initialised with a certain message digest, uses the digest
450  * to calculate the next random number, and prevent depletion of the entropy
451  * pool.
452  *
453  * This PRNG is aimed at IV generation and similar miscellaneous tasks. Use
454  * \c rand_bytes() for higher-assurance functionality.
455  *
456  * Retrieves len bytes of pseudo random data, and places it in output.
457  *
458  * @param output Output buffer
459  * @param len Length of the output buffer
460  */
461 void prng_bytes(uint8_t *output, int len);
462 
463 void prng_uninit(void);
464 
465 void test_crypto(struct crypto_options *co, struct frame *f);
466 
467 
468 /* key direction functions */
469 
470 void key_direction_state_init(struct key_direction_state *kds, int key_direction);
471 
472 void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file);
473 
474 void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n);
475 
476 int ascii2keydirection(int msglevel, const char *str);
477 
478 const char *keydirection2ascii(int kd, bool remote, bool humanreadable);
479 
480 /* print keys */
481 void key2_print(const struct key2 *k,
482  const struct key_type *kt,
483  const char *prefix0,
484  const char *prefix1);
485 
486 void crypto_read_openvpn_key(const struct key_type *key_type,
487  struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
488  const int key_direction, const char *key_name, const char *opt_name);
489 
490 /*
491  * Inline functions
492  */
493 
498 static inline int
499 memcmp_constant_time(const void *a, const void *b, size_t size)
500 {
501  const uint8_t *a1 = a;
502  const uint8_t *b1 = b;
503  int ret = 0;
504  size_t i;
505 
506  for (i = 0; i < size; i++) {
507  ret |= *a1++ ^ *b1++;
508  }
509 
510  return ret;
511 }
512 
513 static inline bool
515 {
516  return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac;
517 }
518 
519 #endif /* CRYPTO_H */
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:912
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition: crypto.c:1545
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition: crypto.c:323
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:170
Security parameter state for processing data channel packets.
Definition: crypto.h:232
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:821
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file)
Definition: crypto.c:1574
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
Key ordering of the key2.keys array.
Definition: crypto.h:198
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:240
Packet geometry parameters.
Definition: mtu.h:93
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:183
bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1594
int out_key
Index into the key2.keys array for the sending direction.
Definition: crypto.h:200
void prng_uninit(void)
Definition: crypto.c:1720
#define MAX_CIPHER_KEY_LENGTH
void generate_key_random(struct key *key, const struct key_type *kt)
Definition: crypto.c:1021
int read_passphrase_hash(const char *passphrase_file, const md_kt_t *digest, uint8_t *output, int len)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
bool initialized
Definition: crypto.h:225
list flags
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1176
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:514
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1005
string f
Definition: http-client.py:6
uint8_t cipher_length
Cipher length, in bytes.
Definition: crypto.h:141
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:874
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:133
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:935
int in_key
Index into the key2.keys array for the receiving direction.
Definition: crypto.h:202
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
const char * filename
Definition: packet_id.h:152
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:698
void read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
Definition: crypto.c:1223
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
int write_key_file(const int nkeys, const char *filename)
Write nkeys 1024-bits keys to file.
Definition: crypto.c:1422
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:303
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
int need_keys
The number of key objects necessary to support both sending and receiving.
Definition: crypto.h:204
const char * keydirection2ascii(int kd, bool remote, bool humanreadable)
Definition: crypto.c:1516
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:672
unsigned __int8 uint8_t
Definition: config-msvc.h:122
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:974
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1065
const md_kt_t * digest
Message digest static parameters.
Definition: crypto.h:144
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
int ascii2keydirection(int msglevel, const char *str)
Definition: crypto.c:1493
static int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto.h:499
#define SHA256_DIGEST_LENGTH
void test_crypto(struct crypto_options *co, struct frame *f)
Definition: crypto.c:1088
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:743
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1701
void prng_bytes(uint8_t *output, int len)
Definition: crypto.c:1729
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
Wrapper struct to pass around SHA256 digests.
Definition: crypto.h:132
size_t crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:732
void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n)
Definition: crypto.c:1480
int read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1627
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151