OpenVPN
Data Structures | Macros | Enumerations | Functions | Variables
crypto_backend.h File Reference
#include "crypto_openssl.h"
#include "basic.h"
#include "buffer.h"
Include dependency graph for crypto_backend.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures

struct  cipher_name_pair
 Struct used in cipher name translation table. More...
 

Macros

#define OPENVPN_AEAD_TAG_LENGTH   16
 
#define OPENVPN_MAX_CIPHER_BLOCK_SIZE   32
 
#define OPENVPN_MAX_HMAC_SIZE   64
 
#define MAX_CIPHER_KEY_LENGTH   64
 
#define MAX_HMAC_KEY_LENGTH   64
 

Enumerations

enum  hash_algo_type { MD_SHA1, MD_SHA256 }
 Types referencing specific message digest hashing algorithms. More...
 

Functions

void crypto_init_lib (void)
 
void crypto_uninit_lib (void)
 
void crypto_clear_error (void)
 
void crypto_init_lib_engine (const char *engine_name)
 
provider_tcrypto_load_provider (const char *provider)
 Load the given (OpenSSL) providers. More...
 
void crypto_unload_provider (const char *provname, provider_t *provider)
 Unloads the given (OpenSSL) provider. More...
 
void show_available_ciphers (void)
 
void show_available_digests (void)
 
void show_available_engines (void)
 
bool crypto_pem_encode (const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
 Encode binary data as PEM. More...
 
bool crypto_pem_decode (const char *name, struct buffer *dst, const struct buffer *src)
 Decode a PEM buffer to binary data. More...
 
int rand_bytes (uint8_t *output, int len)
 Wrapper for secure random number generator. More...
 
bool cipher_valid_reason (const char *ciphername, const char **reason)
 Returns if the cipher is valid, based on the given cipher name and provides a reason if invalid. More...
 
static bool cipher_valid (const char *ciphername)
 Returns if the cipher is valid, based on the given cipher name. More...
 
static bool cipher_defined (const char *ciphername)
 Checks if the cipher is defined and is not the null (none) cipher. More...
 
const char * cipher_kt_name (const char *ciphername)
 Retrieve a normalised string describing the cipher (e.g. More...
 
int cipher_kt_key_size (const char *ciphername)
 Returns the size of keys used by the cipher, in bytes. More...
 
int cipher_kt_iv_size (const char *ciphername)
 Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used. More...
 
int cipher_kt_block_size (const char *ciphername)
 Returns the block size of the cipher, in bytes. More...
 
int cipher_kt_tag_size (const char *ciphername)
 Returns the MAC tag size of the cipher, in bytes. More...
 
bool cipher_kt_insecure (const char *ciphername)
 Returns true if we consider this cipher to be insecure. More...
 
bool cipher_kt_mode_cbc (const char *ciphername)
 Check if the supplied cipher is a supported CBC mode cipher. More...
 
bool cipher_kt_mode_ofb_cfb (const char *ciphername)
 Check if the supplied cipher is a supported OFB or CFB mode cipher. More...
 
bool cipher_kt_mode_aead (const char *ciphername)
 Check if the supplied cipher is a supported AEAD mode cipher. More...
 
cipher_ctx_tcipher_ctx_new (void)
 Generic cipher functions. More...
 
void cipher_ctx_free (cipher_ctx_t *ctx)
 Cleanup and free a cipher context. More...
 
void cipher_ctx_init (cipher_ctx_t *ctx, const uint8_t *key, const char *cipername, int enc)
 Initialise a cipher context, based on the given key and key type. More...
 
int cipher_ctx_iv_length (const cipher_ctx_t *ctx)
 Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used. More...
 
int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t *tag, int tag_len)
 Gets the computed message authenticated code (MAC) tag for this cipher. More...
 
int cipher_ctx_block_size (const cipher_ctx_t *ctx)
 Returns the block size of the cipher, in bytes. More...
 
int cipher_ctx_mode (const cipher_ctx_t *ctx)
 Returns the mode that the cipher runs in. More...
 
bool cipher_ctx_mode_cbc (const cipher_ctx_t *ctx)
 Check if the supplied cipher is a supported CBC mode cipher. More...
 
bool cipher_ctx_mode_ofb_cfb (const cipher_ctx_t *ctx)
 Check if the supplied cipher is a supported OFB or CFB mode cipher. More...
 
bool cipher_ctx_mode_aead (const cipher_ctx_t *ctx)
 Check if the supplied cipher is a supported AEAD mode cipher. More...
 
int cipher_ctx_reset (cipher_ctx_t *ctx, const uint8_t *iv_buf)
 Resets the given cipher context, setting the IV to the specified value. More...
 
int cipher_ctx_update_ad (cipher_ctx_t *ctx, const uint8_t *src, int src_len)
 Updates the given cipher context, providing additional data (AD) for authenticated encryption with additional data (AEAD) cipher modes. More...
 
int cipher_ctx_update (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
 Updates the given cipher context, encrypting data in the source buffer, and placing any complete blocks in the destination buffer. More...
 
int cipher_ctx_final (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len)
 Pads the final cipher block using PKCS padding, and output to the destination buffer. More...
 
int cipher_ctx_final_check_tag (cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len)
 Like cipher_ctx_final, but check the computed authentication tag against the supplied (expected) tag. More...
 
static bool md_defined (const char *mdname)
 Checks if the cipher is defined and is not the null (none) cipher. More...
 
bool md_valid (const char *digest)
 Return if a message digest parameters is valid given the name of the digest. More...
 
const char * md_kt_name (const char *mdname)
 Retrieve a string describing the digest digest (e.g. More...
 
unsigned char md_kt_size (const char *mdname)
 Returns the size of the message digest, in bytes. More...
 
int md_full (const char *mdname, const uint8_t *src, int src_len, uint8_t *dst)
 Calculates the message digest for the given buffer. More...
 
md_ctx_tmd_ctx_new (void)
 
void md_ctx_free (md_ctx_t *ctx)
 
void md_ctx_init (md_ctx_t *ctx, const char *mdname)
 Initialises the given message digest context. More...
 
void md_ctx_cleanup (md_ctx_t *ctx)
 
int md_ctx_size (const md_ctx_t *ctx)
 
void md_ctx_update (md_ctx_t *ctx, const uint8_t *src, int src_len)
 
void md_ctx_final (md_ctx_t *ctx, uint8_t *dst)
 
hmac_ctx_thmac_ctx_new (void)
 
void hmac_ctx_free (hmac_ctx_t *ctx)
 
void hmac_ctx_init (hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
 
void hmac_ctx_cleanup (hmac_ctx_t *ctx)
 
int hmac_ctx_size (hmac_ctx_t *ctx)
 
void hmac_ctx_reset (hmac_ctx_t *ctx)
 
void hmac_ctx_update (hmac_ctx_t *ctx, const uint8_t *src, int src_len)
 
void hmac_ctx_final (hmac_ctx_t *ctx, uint8_t *dst)
 
const char * translate_cipher_name_from_openvpn (const char *cipher_name)
 Translate an OpenVPN cipher name to a crypto library cipher name. More...
 
const char * translate_cipher_name_to_openvpn (const char *cipher_name)
 Translate a crypto library cipher name to an OpenVPN cipher name. More...
 
bool ssl_tls1_PRF (const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
 Calculates the TLS 1.0-1.1 PRF function. More...
 

Variables

const cipher_name_pair cipher_name_translation_table []
 Cipher name translation table. More...
 
const size_t cipher_name_translation_table_count
 

Macro Definition Documentation

◆ MAX_CIPHER_KEY_LENGTH

#define MAX_CIPHER_KEY_LENGTH   64

Definition at line 177 of file crypto_backend.h.

◆ MAX_HMAC_KEY_LENGTH

#define MAX_HMAC_KEY_LENGTH   64

Definition at line 495 of file crypto_backend.h.

◆ OPENVPN_AEAD_TAG_LENGTH

#define OPENVPN_AEAD_TAG_LENGTH   16

Definition at line 42 of file crypto_backend.h.

◆ OPENVPN_MAX_CIPHER_BLOCK_SIZE

#define OPENVPN_MAX_CIPHER_BLOCK_SIZE   32

Definition at line 45 of file crypto_backend.h.

◆ OPENVPN_MAX_HMAC_SIZE

#define OPENVPN_MAX_HMAC_SIZE   64

Definition at line 48 of file crypto_backend.h.

Enumeration Type Documentation

◆ hash_algo_type

enum hash_algo_type

Types referencing specific message digest hashing algorithms.

Enumerator
MD_SHA1 
MD_SHA256 

Definition at line 51 of file crypto_backend.h.

Function Documentation

◆ cipher_ctx_block_size()

int cipher_ctx_block_size ( const cipher_ctx_t ctx)

Returns the block size of the cipher, in bytes.

Parameters
ctxThe cipher's context
Returns
Block size, in bytes, or 0 if ctx was NULL.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), and tls_crypt_v2_wrap_client_key().

◆ cipher_ctx_final()

int cipher_ctx_final ( cipher_ctx_t ctx,
uint8_t *  dst,
int *  dst_len 
)

Pads the final cipher block using PKCS padding, and output to the destination buffer.

Parameters
ctxCipher's context. May not be NULL.
dstDestination buffer
dst_lenLength of the destination buffer, in bytes
Returns
0 on failure, 1 on success.

Referenced by openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_final_check_tag()

int cipher_ctx_final_check_tag ( cipher_ctx_t ctx,
uint8_t *  dst,
int *  dst_len,
uint8_t *  tag,
size_t  tag_len 
)

Like cipher_ctx_final, but check the computed authentication tag against the supplied (expected) tag.

This function reports failure when the tags don't match.

Parameters
ctxCipher's context. May not be NULL.
dstDestination buffer.
dst_lenLength of the destination buffer, in bytes.
tagThe expected authentication tag.
tag_lenThe length of tag, in bytes.
Returns
0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead().

◆ cipher_ctx_free()

void cipher_ctx_free ( cipher_ctx_t ctx)

Cleanup and free a cipher context.

Parameters
ctxCipher context.

Referenced by free_key_ctx().

◆ cipher_ctx_get_tag()

int cipher_ctx_get_tag ( cipher_ctx_t ctx,
uint8_t *  tag,
int  tag_len 
)

Gets the computed message authenticated code (MAC) tag for this cipher.

Parameters
ctxThe cipher's context
tagThe buffer to write computed tag in.
tag_sizeThe tag buffer size, in bytes.

Referenced by openvpn_encrypt_aead().

◆ cipher_ctx_init()

void cipher_ctx_init ( cipher_ctx_t ctx,
const uint8_t *  key,
const char *  cipername,
int  enc 
)

Initialise a cipher context, based on the given key and key type.

Parameters
ctxCipher context. May not be NULL
keyBuffer containing the key to use
ciphernameCiphername of the cipher to use
encWhether to encrypt or decrypt (either MBEDTLS_OP_ENCRYPT or MBEDTLS_OP_DECRYPT).

Referenced by init_key_ctx().

◆ cipher_ctx_iv_length()

int cipher_ctx_iv_length ( const cipher_ctx_t ctx)

Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.

Parameters
ctxThe cipher's context
Returns
Size of the IV, in bytes, or 0 if the cipher does not use an IV.

Referenced by key_ctx_update_implicit_iv(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), and test_crypto().

◆ cipher_ctx_mode()

int cipher_ctx_mode ( const cipher_ctx_t ctx)

Returns the mode that the cipher runs in.

Parameters
ctxCipher's context. May not be NULL.
Returns
Cipher mode, either OPENVPN_MODE_CBC, OPENVPN_MODE_OFB or OPENVPN_MODE_CFB

Referenced by openvpn_encrypt_v1().

◆ cipher_ctx_mode_aead()

bool cipher_ctx_mode_aead ( const cipher_ctx_t ctx)

Check if the supplied cipher is a supported AEAD mode cipher.

Parameters
ctxCipher's context. May not be NULL.
Returns
true iff the cipher is a AEAD mode cipher.

Definition at line 922 of file crypto_openssl.c.

Referenced by key_ctx_update_implicit_iv(), openvpn_decrypt(), openvpn_encrypt(), and test_crypto().

◆ cipher_ctx_mode_cbc()

bool cipher_ctx_mode_cbc ( const cipher_ctx_t ctx)

Check if the supplied cipher is a supported CBC mode cipher.

Parameters
ctxCipher's context. May not be NULL.
Returns
true iff the cipher is a CBC mode cipher.

Definition at line 888 of file crypto_openssl.c.

Referenced by openvpn_decrypt_v1(), and openvpn_encrypt_v1().

◆ cipher_ctx_mode_ofb_cfb()

bool cipher_ctx_mode_ofb_cfb ( const cipher_ctx_t ctx)

Check if the supplied cipher is a supported OFB or CFB mode cipher.

Parameters
ctxCipher's context. May not be NULL.
Returns
true iff the cipher is a OFB or CFB mode cipher.

Definition at line 907 of file crypto_openssl.c.

References EVP_CIPHER_CTX_get_mode.

Referenced by openvpn_decrypt_v1(), and openvpn_encrypt_v1().

◆ cipher_ctx_new()

cipher_ctx_t* cipher_ctx_new ( void  )

Generic cipher functions.

Allocate a new cipher context

Returns
a new cipher context

Definition at line 827 of file crypto_openssl.c.

References check_malloc_return().

Referenced by init_key_ctx().

◆ cipher_ctx_reset()

int cipher_ctx_reset ( cipher_ctx_t ctx,
const uint8_t *  iv_buf 
)

Resets the given cipher context, setting the IV to the specified value.

Preserves the associated key information.

Parameters
ctxCipher's context. May not be NULL.
iv_bufThe IV to use.
Returns
0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_update()

int cipher_ctx_update ( cipher_ctx_t ctx,
uint8_t *  dst,
int *  dst_len,
uint8_t *  src,
int  src_len 
)

Updates the given cipher context, encrypting data in the source buffer, and placing any complete blocks in the destination buffer.

Note that if a complete block cannot be written, data is cached in the context, and emitted at a later call to cipher_ctx_update, or by a call to cipher_ctx_final(). This implies that dst should have enough room for src_len + cipher_ctx_block_size().

Parameters
ctxCipher's context. May not be NULL.
dstDestination buffer
dst_lenLength of the destination buffer, in bytes
srcSource buffer
src_lenLength of the source buffer, in bytes
Returns
0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_update_ad()

int cipher_ctx_update_ad ( cipher_ctx_t ctx,
const uint8_t *  src,
int  src_len 
)

Updates the given cipher context, providing additional data (AD) for authenticated encryption with additional data (AEAD) cipher modes.

Parameters
ctxCipher's context. May not be NULL.
srcSource buffer
src_lenLength of the source buffer, in bytes
Returns
0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), and openvpn_encrypt_aead().

◆ cipher_defined()

static bool cipher_defined ( const char *  ciphername)
inlinestatic

Checks if the cipher is defined and is not the null (none) cipher.

Parameters
ciphernameName of the cipher to check if it is defined, may not be NULL
Returns
The cipher is defined and not the null (none) cipher

Definition at line 218 of file crypto_backend.h.

References ASSERT.

Referenced by calculate_crypto_overhead(), check_key(), create_kt(), init_key_ctx(), options_string(), and p2p_mode_ncp().

◆ cipher_kt_block_size()

int cipher_kt_block_size ( const char *  ciphername)

Returns the block size of the cipher, in bytes.

Parameters
ciphernamecipher name
Returns
Block size, in bytes.

Definition at line 676 of file crypto_openssl.c.

References cipher_get(), cleanup(), EVP_CIPHER_fetch(), EVP_CIPHER_free(), evp_cipher_type, string_alloc(), translate_cipher_name_from_openvpn(), and translate_cipher_name_to_openvpn().

Referenced by adjust_payload_max_cbc(), calculate_crypto_overhead(), cipher_kt_insecure(), init_key_ctx(), init_key_type(), print_cipher(), and warn_insecure_key_type().

◆ cipher_kt_insecure()

bool cipher_kt_insecure ( const char *  ciphername)

Returns true if we consider this cipher to be insecure.

Definition at line 738 of file crypto_openssl.c.

References cipher_get(), cipher_kt_block_size(), EVP_CIPHER_free(), and evp_cipher_type.

Referenced by show_available_ciphers(), tls_limit_reneg_bytes(), and warn_insecure_key_type().

◆ cipher_kt_iv_size()

int cipher_kt_iv_size ( const char *  ciphername)

Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.

Parameters
ciphernamecipher name to lookup
Returns
Size of the IV, in bytes, or 0 if the cipher does not use an IV.

Definition at line 667 of file crypto_openssl.c.

References cipher_get(), EVP_CIPHER_free(), and evp_cipher_type.

Referenced by calculate_crypto_overhead(), and init_key_ctx().

◆ cipher_kt_key_size()

int cipher_kt_key_size ( const char *  ciphername)

Returns the size of keys used by the cipher, in bytes.

If the cipher has a variable key size, return the default key size.

Parameters
ciphernameCipher name to lookup
Returns
(Default) size of keys used by the cipher, in bytes.

Definition at line 658 of file crypto_openssl.c.

References cipher_get(), EVP_CIPHER_free(), and evp_cipher_type.

Referenced by dco_new_key(), init_key_ctx(), key_is_zero(), key_print(), options_string(), print_cipher(), read_key(), and write_key().

◆ cipher_kt_mode_aead()

bool cipher_kt_mode_aead ( const char *  ciphername)

Check if the supplied cipher is a supported AEAD mode cipher.

Parameters
ciphernamename of the cipher
Returns
true iff the cipher is a AEAD mode cipher.

Definition at line 795 of file crypto_openssl.c.

References cipher_get(), EVP_CIPHER_free(), evp_cipher_type, and OPENVPN_MODE_GCM.

Referenced by calculate_crypto_overhead(), cipher_kt_tag_size(), collect_ciphers(), init_key_type(), mutate_ncp_cipher_list(), and tls_print_deferred_options_results().

◆ cipher_kt_mode_cbc()

bool cipher_kt_mode_cbc ( const char *  ciphername)

Check if the supplied cipher is a supported CBC mode cipher.

Parameters
ciphernamecipher name
Returns
true iff the cipher is a CBC mode cipher.

Definition at line 768 of file crypto_openssl.c.

References cipher_get(), cipher_kt_mode(), EVP_CIPHER_free(), evp_cipher_type, and OPENVPN_MODE_CBC.

Referenced by adjust_payload_max_cbc(), calculate_crypto_overhead(), collect_ciphers(), frame_calculate_fragment(), frame_calculate_payload_overhead(), init_key_type(), mutate_ncp_cipher_list(), and print_cipher().

◆ cipher_kt_mode_ofb_cfb()

bool cipher_kt_mode_ofb_cfb ( const char *  ciphername)

Check if the supplied cipher is a supported OFB or CFB mode cipher.

Parameters
ciphernamecipher name
Returns
true iff the cipher is a OFB or CFB mode cipher.

Definition at line 783 of file crypto_openssl.c.

References cipher_get(), cipher_kt_mode(), EVP_CIPHER_free(), evp_cipher_type, OPENVPN_MODE_CFB, and OPENVPN_MODE_OFB.

Referenced by calc_packet_id_size_dc(), collect_ciphers(), do_init_crypto_tls(), init_key_type(), mutate_ncp_cipher_list(), and tls_session_update_crypto_params_do_work().

◆ cipher_kt_name()

const char* cipher_kt_name ( const char *  ciphername)

Retrieve a normalised string describing the cipher (e.g.

AES-128-CBC). The returned name is normalised to the OpenVPN config name in case the name differs from the name used by the crypto library.

Returns [null-cipher] in case the ciphername is none. NULL if the cipher is not valid.

Parameters
ciphernameName of the cipher
Returns
a statically allocated string describing the cipher.

Definition at line 638 of file crypto_openssl.c.

References ASSERT, cipher_get(), EVP_CIPHER_free(), evp_cipher_type, and translate_cipher_name_to_openvpn().

Referenced by init_key_ctx(), key_print(), mutate_ncp_cipher_list(), options_string(), p2p_mode_ncp(), print_cipher(), test_translate_cipher(), and tls_print_deferred_options_results().

◆ cipher_kt_tag_size()

int cipher_kt_tag_size ( const char *  ciphername)

Returns the MAC tag size of the cipher, in bytes.

Parameters
ciphernameName of the cipher
Returns
Tag size in bytes, or 0 if the tag size could not be determined.

Definition at line 725 of file crypto_openssl.c.

References cipher_kt_mode_aead(), and OPENVPN_AEAD_TAG_LENGTH.

Referenced by calculate_crypto_overhead().

◆ cipher_valid()

static bool cipher_valid ( const char *  ciphername)
inlinestatic

Returns if the cipher is valid, based on the given cipher name.

Parameters
ciphernameName of the cipher to check for validity (e.g. AES-128-CBC). Will be translated to the library name from the openvpn config name if needed.
Returns
if the cipher is valid

Definition at line 204 of file crypto_backend.h.

References cipher_valid_reason().

Referenced by create_kt(), init_key_type(), mutate_ncp_cipher_list(), options_postprocess_setdefault_ncpciphers(), test_check_ncp_ciphers_list(), and test_translate_cipher().

◆ cipher_valid_reason()

bool cipher_valid_reason ( const char *  ciphername,
const char **  reason 
)

Returns if the cipher is valid, based on the given cipher name and provides a reason if invalid.

Parameters
ciphernameName of the cipher to check for validity (e.g. AES-128-CBC). Will be translated to the library name from the openvpn config name if needed.
reasonPointer where a static string indicating the reason for rejecting the cipher should be stored. It is set to NULL if the cipher is valid.
Returns
if the cipher is valid

Definition at line 597 of file crypto_openssl.c.

References cipher_get(), crypto_msg, D_LOW, EVP_CIPHER_free(), evp_cipher_type, MAX_CIPHER_KEY_LENGTH, msg, and PACKAGE_NAME.

Referenced by cipher_valid(), and print_cipher().

◆ crypto_clear_error()

void crypto_clear_error ( void  )

Definition at line 232 of file crypto_openssl.c.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), and tls_crypt_wrap().

◆ crypto_init_lib()

void crypto_init_lib ( void  )

Definition at line 193 of file crypto_openssl.c.

Referenced by init_ssl_lib().

◆ crypto_init_lib_engine()

void crypto_init_lib_engine ( const char *  engine_name)

Definition at line 143 of file crypto_openssl.c.

References ASSERT, M_WARN, and msg.

Referenced by init_crypto_pre().

◆ crypto_load_provider()

provider_t* crypto_load_provider ( const char *  provider)

Load the given (OpenSSL) providers.

Parameters
providername of providers to load
Returns
reference to the loaded provider

Definition at line 159 of file crypto_openssl.c.

References crypto_msg, M_FATAL, M_WARN, and msg.

Referenced by init_early().

◆ crypto_pem_decode()

bool crypto_pem_decode ( const char *  name,
struct buffer dst,
const struct buffer src 
)

Decode a PEM buffer to binary data.

Parameters
nameThe name expected in the PEM header/footer.
dstDestination buffer for decoded data.
srcSource buffer (PEM data).
Returns
true iff PEM decode succeeded.

Definition at line 509 of file crypto_openssl.c.

References BCAP, BLEN, BPTR, buf_write_alloc(), cleanup(), crypto_msg, D_CRYPT_ERRORS, dmsg, and M_FATAL.

Referenced by crypto_pem_encode_decode_loopback(), and read_pem_key_file().

◆ crypto_pem_encode()

bool crypto_pem_encode ( const char *  name,
struct buffer dst,
const struct buffer src,
struct gc_arena gc 
)

Encode binary data as PEM.

Parameters
nameThe name to use in the PEM header/footer.
dstDestination buffer for PEM-encoded data. Must be a valid pointer to an uninitialized buffer structure. Iff this function returns true, the buffer will contain memory allocated through the supplied gc.
srcSource buffer.
gcThe garbage collector to use when allocating memory for dst.
Returns
true iff PEM encode succeeded.

Definition at line 481 of file crypto_openssl.c.

References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_write(), cleanup(), and buffer::data.

Referenced by crypto_pem_encode_decode_loopback(), tls_crypt_v2_write_client_key_file(), and write_pem_key_file().

◆ crypto_uninit_lib()

void crypto_uninit_lib ( void  )

Definition at line 212 of file crypto_openssl.c.

References ASSERT.

Referenced by free_ssl_lib().

◆ crypto_unload_provider()

void crypto_unload_provider ( const char *  provname,
provider_t provider 
)

Unloads the given (OpenSSL) provider.

Parameters
provnamename of the provider to unload
providerpointer to the provider to unload

Definition at line 176 of file crypto_openssl.c.

References crypto_msg, and M_FATAL.

Referenced by uninit_early().

◆ hmac_ctx_cleanup()

void hmac_ctx_cleanup ( hmac_ctx_t ctx)

Referenced by crypto_test_hmac(), free_key_ctx(), gen_hmac_md5(), test_calc_session_id_hmac_static(), test_verify_hmac_none(), and test_verify_hmac_tls_auth().

◆ hmac_ctx_final()

void hmac_ctx_final ( hmac_ctx_t ctx,
uint8_t *  dst 
)

Referenced by calculate_session_id_hmac(), check_hmac_token(), crypto_test_hmac(), gen_hmac_md5(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ hmac_ctx_free()

void hmac_ctx_free ( hmac_ctx_t ctx)

Referenced by crypto_test_hmac(), free_key_ctx(), gen_hmac_md5(), test_calc_session_id_hmac_static(), test_verify_hmac_none(), and test_verify_hmac_tls_auth().

◆ hmac_ctx_init()

void hmac_ctx_init ( hmac_ctx_t ctx,
const uint8_t *  key,
const char *  mdname 
)

Referenced by crypto_test_hmac(), gen_hmac_md5(), init_key_ctx(), init_static_hmac(), and session_id_hmac_init().

◆ hmac_ctx_new()

hmac_ctx_t* hmac_ctx_new ( void  )

Definition at line 1169 of file crypto_openssl.c.

References check_malloc_return(), and HMAC_CTX_new().

Referenced by crypto_test_hmac(), gen_hmac_md5(), init_key_ctx(), init_static_hmac(), and session_id_hmac_init().

◆ hmac_ctx_reset()

void hmac_ctx_reset ( hmac_ctx_t ctx)

Referenced by calculate_session_id_hmac(), check_hmac_token(), crypto_test_hmac(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ hmac_ctx_size()

int hmac_ctx_size ( hmac_ctx_t ctx)

Referenced by calc_control_channel_frame_overhead(), check_hmac_token(), generate_auth_token(), init_key_ctx(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), swap_hmac(), and tls_crypt_wrap().

◆ hmac_ctx_update()

void hmac_ctx_update ( hmac_ctx_t ctx,
const uint8_t *  src,
int  src_len 
)

Referenced by calculate_session_id_hmac(), check_hmac_token(), crypto_test_hmac(), gen_hmac_md5(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ md_ctx_cleanup()

void md_ctx_cleanup ( md_ctx_t ctx)

Referenced by DigestCalcHA1(), DigestCalcResponse(), do_close_tls(), and process_incoming_push_reply().

◆ md_ctx_final()

void md_ctx_final ( md_ctx_t ctx,
uint8_t *  dst 
)

Referenced by DigestCalcHA1(), DigestCalcResponse(), and process_incoming_push_reply().

◆ md_ctx_free()

void md_ctx_free ( md_ctx_t ctx)

Referenced by DigestCalcHA1(), DigestCalcResponse(), do_close_tls(), and process_incoming_push_reply().

◆ md_ctx_init()

void md_ctx_init ( md_ctx_t ctx,
const char *  mdname 
)

Initialises the given message digest context.

Parameters
ctxMessage digest context
mdnameMessage digest name

Referenced by DigestCalcHA1(), DigestCalcResponse(), and process_incoming_push_reply().

◆ md_ctx_new()

md_ctx_t* md_ctx_new ( void  )

Definition at line 1108 of file crypto_openssl.c.

References check_malloc_return(), and EVP_MD_CTX_new().

Referenced by DigestCalcHA1(), DigestCalcResponse(), process_incoming_push_reply(), and tls1_P_hash().

◆ md_ctx_size()

int md_ctx_size ( const md_ctx_t ctx)

◆ md_ctx_update()

void md_ctx_update ( md_ctx_t ctx,
const uint8_t *  src,
int  src_len 
)

Referenced by DigestCalcHA1(), DigestCalcResponse(), and push_update_digest().

◆ md_defined()

static bool md_defined ( const char *  mdname)
inlinestatic

Checks if the cipher is defined and is not the null (none) cipher.

Parameters
mdnameName of the digest
Returns

Definition at line 504 of file crypto_backend.h.

Referenced by calculate_crypto_overhead(), create_kt(), and init_key_ctx().

◆ md_full()

int md_full ( const char *  mdname,
const uint8_t *  src,
int  src_len,
uint8_t *  dst 
)

Calculates the message digest for the given buffer.

Parameters
mdnamemessage digest name
srcBuffer to digest. May not be NULL.
src_lenThe length of the incoming buffer.
dstBuffer to write the message digest to. May not be NULL.
Returns
1 on success, 0 on failure

Definition at line 1097 of file crypto_openssl.c.

References EVP_MD_free(), evp_md_type, and md_get().

Referenced by gen_md4_hash().

◆ md_kt_name()

const char* md_kt_name ( const char *  mdname)

Retrieve a string describing the digest digest (e.g.

SHA1).

Parameters
mdnameMessage digest name
Returns
Statically allocated string describing the message digest.

Definition at line 1053 of file crypto_openssl.c.

References digest_name_translation_table, digest_name_translation_table_count, EVP_MD_free(), EVP_MD_get0_name, evp_md_type, cipher_name_pair::lib_name, md_get(), and cipher_name_pair::openvpn_name.

Referenced by init_key_ctx(), key_print(), options_string(), print_digest(), and tls_print_deferred_options_results().

◆ md_kt_size()

unsigned char md_kt_size ( const char *  mdname)

Returns the size of the message digest, in bytes.

Parameters
mdnameMessage digest name
Returns
Message digest size, in bytes, or 0 if ctx was NULL.

Definition at line 1077 of file crypto_openssl.c.

References EVP_MD_free(), evp_md_type, and md_get().

Referenced by calculate_crypto_overhead(), crypto_test_hmac(), init_key_ctx(), init_key_type(), key_print(), read_key(), and write_key().

◆ md_valid()

bool md_valid ( const char *  digest)

Return if a message digest parameters is valid given the name of the digest.

Parameters
digestName of the digest to verify, e.g. MD5).
Returns
Whether a digest of the given name is available

Definition at line 1021 of file crypto_openssl.c.

References EVP_MD_fetch(), EVP_MD_free(), and evp_md_type.

Referenced by create_kt(), do_init_tls_wrap_key(), init_static_hmac(), and session_id_hmac_init().

◆ rand_bytes()

int rand_bytes ( uint8_t *  output,
int  len 
)

Wrapper for secure random number generator.

Retrieves len bytes of random data, and places it in output.

Parameters
outputOutput buffer
lenLength of the output buffer, in bytes
Returns
1 on success, 0 on failure

Definition at line 571 of file crypto_openssl.c.

References crypto_msg, D_CRYPT_ERRORS, and unlikely.

Referenced by establish_http_proxy_passthru(), generate_auth_token(), generate_ephemeral_key(), generate_key_random(), prng_bytes(), random_bytes_to_buf(), session_id_hmac_init(), test_crypto(), test_tls_crypt_v2_setup(), tls_crypt_v2_wrap_unwrap_dst_too_small(), tls_crypt_v2_wrap_unwrap_max_metadata(), tls_crypt_v2_write_client_key_file(), and write_pem_key_file().

◆ show_available_ciphers()

void show_available_ciphers ( void  )

Definition at line 372 of file crypto_openssl.c.

References cipher_kt_insecure(), cipher_name_cmp(), collect_ciphers(), EVP_CIPHER_get0_name, collect_ciphers::list, collect_ciphers::num, PACKAGE_NAME, and print_cipher().

Referenced by print_openssl_info().

◆ show_available_digests()

void show_available_digests ( void  )

Definition at line 427 of file crypto_openssl.c.

References PACKAGE_NAME, and print_digest().

Referenced by print_openssl_info().

◆ show_available_engines()

void show_available_engines ( void  )

Definition at line 456 of file crypto_openssl.c.

Referenced by print_openssl_info().

◆ ssl_tls1_PRF()

bool ssl_tls1_PRF ( const uint8_t *  seed,
int  seed_len,
const uint8_t *  secret,
int  secret_len,
uint8_t *  output,
int  output_len 
)

Calculates the TLS 1.0-1.1 PRF function.

For the exact specification of the function definition see the TLS RFCs like RFC 4346.

Parameters
seedseed to use
seed_lenlength of the seed
secretsecret to use
secret_lenlength of the secret
outputoutput destination
output_lenlength of output/number of bytes to generate
Returns
true if successful, false on any error

Definition at line 1518 of file crypto_openssl.c.

References D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc_free(), gc_malloc(), gc_new(), secure_memzero(), and tls1_P_hash().

Referenced by check_tls_prf_working(), crypto_test_tls_prf(), and openvpn_PRF().

◆ translate_cipher_name_from_openvpn()

const char* translate_cipher_name_from_openvpn ( const char *  cipher_name)

Translate an OpenVPN cipher name to a crypto library cipher name.

Parameters
cipher_nameAn OpenVPN cipher name
Returns
The corresponding crypto library cipher name, or NULL if no matching cipher name was found.

Definition at line 1674 of file crypto.c.

References get_cipher_name_pair(), and cipher_name_pair::lib_name.

Referenced by cipher_get(), and cipher_kt_block_size().

◆ translate_cipher_name_to_openvpn()

const char* translate_cipher_name_to_openvpn ( const char *  cipher_name)

Translate a crypto library cipher name to an OpenVPN cipher name.

Parameters
cipher_nameA crypto library cipher name
Returns
The corresponding OpenVPN cipher name, or NULL if no matching cipher name was found.

Definition at line 1687 of file crypto.c.

References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.

Referenced by cipher_kt_block_size(), cipher_kt_name(), and multi_print_status().

Variable Documentation

◆ cipher_name_translation_table

const cipher_name_pair cipher_name_translation_table[]

Cipher name translation table.

Definition at line 319 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().

◆ cipher_name_translation_table_count

const size_t cipher_name_translation_table_count

Definition at line 325 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().

Generated by   doxygen 1.8.17