crypto_openssl.c File Reference
#include "syshead.h"
#include "basic.h"
#include "buffer.h"
#include "integer.h"
#include "crypto.h"
#include "crypto_backend.h"
#include "openssl_compat.h"
#include <openssl/des.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>


Functions

void crypto_init_lib_engine (const char *engine_name)
 
void crypto_init_lib (void)
 
void crypto_uninit_lib (void)
 
void crypto_clear_error (void)
 
void crypto_print_openssl_errors (const unsigned int flags)
 Retrieve any OpenSSL errors that have occurred and print them. More...
 
static int cipher_name_cmp (const void *a, const void *b)
 
void show_available_ciphers (void)
 
void show_available_digests (void)
 
void show_available_engines (void)
 
bool crypto_pem_encode (const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
 Encode binary data as PEM. More...
 
bool crypto_pem_decode (const char *name, struct buffer *dst, const struct buffer *src)
 Decode a PEM buffer to binary data. More...
 
int rand_bytes (uint8_t *output, int len)
 Wrapper for secure random number generator. More...
 
int key_des_num_cblocks (const EVP_CIPHER *kt)
 
bool key_des_check (uint8_t *key, int key_len, int ndc)
 
void key_des_fixup (uint8_t *key, int key_len, int ndc)
 
const EVP_CIPHER * cipher_kt_get (const char *ciphername)
 Return cipher parameters, based on the given cipher name. More...
 
const char * cipher_kt_name (const EVP_CIPHER *cipher_kt)
 
int cipher_kt_key_size (const EVP_CIPHER *cipher_kt)
 
int cipher_kt_iv_size (const EVP_CIPHER *cipher_kt)
 
int cipher_kt_block_size (const EVP_CIPHER *cipher)
 
int cipher_kt_tag_size (const EVP_CIPHER *cipher_kt)
 
bool cipher_kt_insecure (const EVP_CIPHER *cipher)
 
int cipher_kt_mode (const EVP_CIPHER *cipher_kt)
 
bool cipher_kt_mode_cbc (const cipher_kt_t *cipher)
 Check if the supplied cipher is a supported CBC mode cipher. More...
 
bool cipher_kt_mode_ofb_cfb (const cipher_kt_t *cipher)
 Check if the supplied cipher is a supported OFB or CFB mode cipher. More...
 
bool cipher_kt_mode_aead (const cipher_kt_t *cipher)
 Check if the supplied cipher is a supported AEAD mode cipher. More...
 
cipher_ctx_t * cipher_ctx_new (void)
 Generic cipher functions. More...
 
void cipher_ctx_free (EVP_CIPHER_CTX *ctx)
 
void cipher_ctx_init (EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, const EVP_CIPHER *kt, int enc)
 
void cipher_ctx_cleanup (EVP_CIPHER_CTX *ctx)
 
int cipher_ctx_iv_length (const EVP_CIPHER_CTX *ctx)
 
int cipher_ctx_get_tag (EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
 
int cipher_ctx_block_size (const EVP_CIPHER_CTX *ctx)
 
int cipher_ctx_mode (const EVP_CIPHER_CTX *ctx)
 
const cipher_kt_t * cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx)
 Returns the static cipher parameters for this context. More...
 
int cipher_ctx_reset (EVP_CIPHER_CTX *ctx, const uint8_t *iv_buf)
 
int cipher_ctx_update_ad (EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len)
 
int cipher_ctx_update (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
 
int cipher_ctx_final (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len)
 
int cipher_ctx_final_check_tag (EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len)
 
void cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], unsigned char *src, unsigned char *dst)
 
const EVP_MD * md_kt_get (const char *digest)
 Return message digest parameters, based on the given digest name. More...
 
const char * md_kt_name (const EVP_MD *kt)
 
int md_kt_size (const EVP_MD *kt)
 
int md_full (const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst)
 
EVP_MD_CTX * md_ctx_new (void)
 
void md_ctx_free (EVP_MD_CTX *ctx)
 
void md_ctx_init (EVP_MD_CTX *ctx, const EVP_MD *kt)
 
void md_ctx_cleanup (EVP_MD_CTX *ctx)
 
int md_ctx_size (const EVP_MD_CTX *ctx)
 
void md_ctx_update (EVP_MD_CTX *ctx, const uint8_t *src, int src_len)
 
void md_ctx_final (EVP_MD_CTX *ctx, uint8_t *dst)
 
HMAC_CTX * hmac_ctx_new (void)
 
void hmac_ctx_free (HMAC_CTX *ctx)
 
void hmac_ctx_init (HMAC_CTX *ctx, const uint8_t *key, int key_len, const EVP_MD *kt)
 
void hmac_ctx_cleanup (HMAC_CTX *ctx)
 
int hmac_ctx_size (const HMAC_CTX *ctx)
 
void hmac_ctx_reset (HMAC_CTX *ctx)
 
void hmac_ctx_update (HMAC_CTX *ctx, const uint8_t *src, int src_len)
 
void hmac_ctx_final (HMAC_CTX *ctx, uint8_t *dst)
 

Variables

const cipher_name_pair cipher_name_translation_table []
 Cipher name translation table. More...
 
const size_t cipher_name_translation_table_count
 

Function Documentation

◆ cipher_ctx_block_size()

int cipher_ctx_block_size ( const EVP_CIPHER_CTX *  ctx)

Definition at line 818 of file crypto_openssl.c.

◆ cipher_ctx_cleanup()

void cipher_ctx_cleanup ( EVP_CIPHER_CTX *  ctx)

Definition at line 796 of file crypto_openssl.c.

◆ cipher_ctx_final()

int cipher_ctx_final ( EVP_CIPHER_CTX *  ctx,
uint8_t *  dst,
int *  dst_len 
)

Definition at line 869 of file crypto_openssl.c.

Referenced by cipher_ctx_final_check_tag().

◆ cipher_ctx_final_check_tag()

int cipher_ctx_final_check_tag ( EVP_CIPHER_CTX *  ctx,
uint8_t *  dst,
int *  dst_len,
uint8_t *  tag,
size_t  tag_len 
)

Definition at line 875 of file crypto_openssl.c.

References ASSERT, and cipher_ctx_final().

◆ cipher_ctx_free()

void cipher_ctx_free ( EVP_CIPHER_CTX *  ctx)

Definition at line 764 of file crypto_openssl.c.

◆ cipher_ctx_get_cipher_kt()

const cipher_kt_t* cipher_ctx_get_cipher_kt ( const cipher_ctx_t *  ctx)

Returns the static cipher parameters for this context.

Parameters
ctx — Cipher's context.
Returns
Static cipher parameters for the supplied context, or NULL if unable to determine cipher parameters.

Definition at line 830 of file crypto_openssl.c.

Referenced by key_ctx_update_implicit_iv(), openvpn_decrypt(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), and test_crypto().

◆ cipher_ctx_get_tag()

int cipher_ctx_get_tag ( EVP_CIPHER_CTX *  ctx,
uint8_t *  tag_buf,
int  tag_size 
)

Definition at line 808 of file crypto_openssl.c.

References ASSERT.

◆ cipher_ctx_init()

void cipher_ctx_init ( EVP_CIPHER_CTX *  ctx,
const uint8_t *  key,
int  key_len,
const EVP_CIPHER *  kt,
int  enc 
)

Definition at line 770 of file crypto_openssl.c.

References ASSERT, crypto_msg, and M_FATAL.

◆ cipher_ctx_iv_length()

int cipher_ctx_iv_length ( const EVP_CIPHER_CTX *  ctx)

Definition at line 802 of file crypto_openssl.c.

◆ cipher_ctx_mode()

int cipher_ctx_mode ( const EVP_CIPHER_CTX *  ctx)

Definition at line 824 of file crypto_openssl.c.

◆ cipher_ctx_new()

cipher_ctx_t* cipher_ctx_new ( void  )

Generic cipher functions.

Allocate a new cipher context

Returns
a new cipher context

Definition at line 756 of file crypto_openssl.c.

References check_malloc_return().

Referenced by init_key_ctx().

◆ cipher_ctx_reset()

int cipher_ctx_reset ( EVP_CIPHER_CTX *  ctx,
const uint8_t *  iv_buf 
)

Definition at line 837 of file crypto_openssl.c.

◆ cipher_ctx_update()

int cipher_ctx_update ( EVP_CIPHER_CTX *  ctx,
uint8_t *  dst,
int *  dst_len,
uint8_t *  src,
int  src_len 
)

Definition at line 858 of file crypto_openssl.c.

References crypto_msg, and M_FATAL.

◆ cipher_ctx_update_ad()

int cipher_ctx_update_ad ( EVP_CIPHER_CTX *  ctx,
const uint8_t *  src,
int  src_len 
)

Definition at line 843 of file crypto_openssl.c.

References ASSERT, crypto_msg, buffer::len, and M_FATAL.

◆ cipher_des_encrypt_ecb()

void cipher_des_encrypt_ecb ( const unsigned char  key[DES_KEY_LENGTH],
unsigned char *  src,
unsigned char *  dst 
)

Definition at line 892 of file crypto_openssl.c.

◆ cipher_kt_block_size()

int cipher_kt_block_size ( const EVP_CIPHER *  cipher)

◆ cipher_kt_get()

const EVP_CIPHER* cipher_kt_get ( const char *  ciphername)

Return cipher parameters, based on the given cipher name.

The contents of these parameters are library-specific, and can be used to initialise encryption/decryption.

Parameters
ciphername — Name of the cipher to retrieve parameters for (e.g. AES-128-CBC).
Returns
A statically allocated structure containing parameters for the given cipher, or NULL if no matching parameters were found.

Definition at line 583 of file crypto_openssl.c.

References ASSERT, crypto_msg, D_LOW, MAX_CIPHER_KEY_LENGTH, msg, and PACKAGE_NAME.

Referenced by init_key_type(), tls_check_ncp_cipher_list(), and tls_crypt_kt().

◆ cipher_kt_insecure()

bool cipher_kt_insecure ( const EVP_CIPHER *  cipher)

Definition at line 688 of file crypto_openssl.c.

References cipher_kt_block_size().

Referenced by show_available_ciphers().

◆ cipher_kt_iv_size()

int cipher_kt_iv_size ( const EVP_CIPHER *  cipher_kt)

Definition at line 627 of file crypto_openssl.c.

◆ cipher_kt_key_size()

int cipher_kt_key_size ( const EVP_CIPHER *  cipher_kt)

Definition at line 621 of file crypto_openssl.c.

◆ cipher_kt_mode()

int cipher_kt_mode ( const EVP_CIPHER *  cipher_kt)

Definition at line 698 of file crypto_openssl.c.

References ASSERT.

Referenced by cipher_kt_mode_cbc(), and cipher_kt_mode_ofb_cfb().

◆ cipher_kt_mode_aead()

bool cipher_kt_mode_aead ( const cipher_kt_t *  cipher)

Check if the supplied cipher is a supported AEAD mode cipher.

Parameters
cipher — Static cipher parameters.
Returns
true iff the cipher is an AEAD mode cipher.

Definition at line 728 of file crypto_openssl.c.

Referenced by check_replay_consistency(), cipher_kt_tag_size(), crypto_adjust_frame_parameters(), init_key_type(), key_ctx_update_implicit_iv(), openvpn_decrypt(), openvpn_decrypt_aead(), openvpn_encrypt(), openvpn_encrypt_aead(), show_available_ciphers(), and test_crypto().

◆ cipher_kt_mode_cbc()

bool cipher_kt_mode_cbc ( const cipher_kt_t *  cipher)

Check if the supplied cipher is a supported CBC mode cipher.

Parameters
cipher — Static cipher parameters.
Returns
true iff the cipher is a CBC mode cipher.

Definition at line 705 of file crypto_openssl.c.

References cipher_kt_mode(), and OPENVPN_MODE_CBC.

Referenced by init_key_type(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), print_cipher(), and show_available_ciphers().

◆ cipher_kt_mode_ofb_cfb()

bool cipher_kt_mode_ofb_cfb ( const cipher_kt_t *  cipher)

Check if the supplied cipher is a supported OFB or CFB mode cipher.

Parameters
cipher — Static cipher parameters.
Returns
true iff the cipher is an OFB or CFB mode cipher.

Definition at line 716 of file crypto_openssl.c.

References cipher_kt_mode(), OPENVPN_MODE_CFB, and OPENVPN_MODE_OFB.

Referenced by calc_options_string_link_mtu(), check_replay_consistency(), do_init_crypto_tls(), init_key_type(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), show_available_ciphers(), and tls_session_update_crypto_params().

◆ cipher_kt_name()

const char* cipher_kt_name ( const EVP_CIPHER *  cipher_kt)

Definition at line 611 of file crypto_openssl.c.

Referenced by cipher_kt_block_size().

◆ cipher_kt_tag_size()

int cipher_kt_tag_size ( const EVP_CIPHER *  cipher_kt)

Definition at line 675 of file crypto_openssl.c.

References cipher_kt_mode_aead(), and OPENVPN_AEAD_TAG_LENGTH.

◆ cipher_name_cmp()

static int cipher_name_cmp ( const void *  a,
const void *  b 
)
static

Definition at line 264 of file crypto_openssl.c.

References translate_cipher_name_to_openvpn().

Referenced by show_available_ciphers().

◆ crypto_clear_error()

void crypto_clear_error ( void  )

◆ crypto_init_lib()

void crypto_init_lib ( void  )

Definition at line 149 of file crypto_openssl.c.

Referenced by init_ssl_lib().

◆ crypto_init_lib_engine()

void crypto_init_lib_engine ( const char *  engine_name)

Definition at line 127 of file crypto_openssl.c.

References ASSERT, M_WARN, and msg.

Referenced by init_crypto_pre().

◆ crypto_pem_decode()

bool crypto_pem_decode ( const char *  name,
struct buffer *  dst,
const struct buffer *  src 
)

Decode a PEM buffer to binary data.

Parameters
name — The name expected in the PEM header/footer.
dst — Destination buffer for decoded data.
src — Source buffer (PEM data).
Returns
true iff PEM decode succeeded.

Definition at line 418 of file crypto_openssl.c.

References BCAP, BLEN, BPTR, buf_write_alloc(), crypto_msg, D_CRYPT_ERRORS, dmsg, and M_FATAL.

Referenced by crypto_pem_encode_decode_loopback(), and read_pem_key_file().

◆ crypto_pem_encode()

bool crypto_pem_encode ( const char *  name,
struct buffer *  dst,
const struct buffer *  src,
struct gc_arena *  gc 
)

Encode binary data as PEM.

Parameters
name — The name to use in the PEM header/footer.
dst — Destination buffer for PEM-encoded data. Must be a valid pointer to an uninitialized buffer structure. Iff this function returns true, the buffer will contain memory allocated through the supplied gc.
src — Source buffer.
gc — The garbage collector to use when allocating memory for dst.
Returns
true iff PEM encode succeeded.

Definition at line 389 of file crypto_openssl.c.

References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_null_terminate(), buf_write(), and buffer::data.

Referenced by crypto_pem_encode_decode_loopback(), tls_crypt_v2_write_client_key_file(), and write_pem_key_file().

◆ crypto_print_openssl_errors()

void crypto_print_openssl_errors ( const unsigned int  flags)

Retrieve any occurred OpenSSL errors and print those errors.

Note that this function uses the OpenSSL error API, which is not thread-safe.

Parameters
flags — Flags to indicate error type and priority.

Definition at line 189 of file crypto_openssl.c.

References D_CRYPT_ERRORS, and msg.

◆ crypto_uninit_lib()

void crypto_uninit_lib ( void  )

Definition at line 163 of file crypto_openssl.c.

References ASSERT.

Referenced by free_ssl_lib().

◆ hmac_ctx_cleanup()

void hmac_ctx_cleanup ( HMAC_CTX *  ctx)

Definition at line 1044 of file crypto_openssl.c.

References HMAC_CTX_reset().

◆ hmac_ctx_final()

void hmac_ctx_final ( HMAC_CTX *  ctx,
uint8_t *  dst 
)

Definition at line 1068 of file crypto_openssl.c.

◆ hmac_ctx_free()

void hmac_ctx_free ( HMAC_CTX *  ctx)

Definition at line 1025 of file crypto_openssl.c.

References HMAC_CTX_free().

◆ hmac_ctx_init()

void hmac_ctx_init ( HMAC_CTX *  ctx,
const uint8_t *  key,
int  key_len,
const EVP_MD *  kt 
)

Definition at line 1031 of file crypto_openssl.c.

References ASSERT, and HMAC_CTX_reset().

◆ hmac_ctx_new()

HMAC_CTX* hmac_ctx_new ( void  )

Definition at line 1017 of file crypto_openssl.c.

References check_malloc_return(), and HMAC_CTX_new().

Referenced by gen_hmac_md5(), init_key_ctx(), and tls1_P_hash().

◆ hmac_ctx_reset()

void hmac_ctx_reset ( HMAC_CTX *  ctx)

Definition at line 1056 of file crypto_openssl.c.

◆ hmac_ctx_size()

int hmac_ctx_size ( const HMAC_CTX *  ctx)

Definition at line 1050 of file crypto_openssl.c.

◆ hmac_ctx_update()

void hmac_ctx_update ( HMAC_CTX *  ctx,
const uint8_t *  src,
int  src_len 
)

Definition at line 1062 of file crypto_openssl.c.

◆ key_des_check()

bool key_des_check ( uint8_t *  key,
int  key_len,
int  ndc 
)

Definition at line 518 of file crypto_openssl.c.

References buf_read_alloc(), buf_set_read(), crypto_msg, and D_CRYPT_ERRORS.

Referenced by check_key().

◆ key_des_fixup()

void key_des_fixup ( uint8_t *  key,
int  key_len,
int  ndc 
)

Definition at line 555 of file crypto_openssl.c.

References buf_read_alloc(), buf_set_read(), D_CRYPT_ERRORS, and msg.

Referenced by create_des_keys(), and fixup_key().

◆ key_des_num_cblocks()

int key_des_num_cblocks ( const EVP_CIPHER *  kt)

Definition at line 498 of file crypto_openssl.c.

References D_CRYPTO_DEBUG, and dmsg.

◆ md_ctx_cleanup()

void md_ctx_cleanup ( EVP_MD_CTX *  ctx)

Definition at line 984 of file crypto_openssl.c.

References EVP_MD_CTX_reset().

◆ md_ctx_final()

void md_ctx_final ( EVP_MD_CTX *  ctx,
uint8_t *  dst 
)

Definition at line 1002 of file crypto_openssl.c.

◆ md_ctx_free()

void md_ctx_free ( EVP_MD_CTX *  ctx)

Definition at line 969 of file crypto_openssl.c.

References EVP_MD_CTX_free().

◆ md_ctx_init()

void md_ctx_init ( EVP_MD_CTX *  ctx,
const EVP_MD *  kt 
)

Definition at line 975 of file crypto_openssl.c.

References ASSERT.

◆ md_ctx_new()

EVP_MD_CTX* md_ctx_new ( void  )

◆ md_ctx_size()

int md_ctx_size ( const EVP_MD_CTX *  ctx)

Definition at line 990 of file crypto_openssl.c.

◆ md_ctx_update()

void md_ctx_update ( EVP_MD_CTX *  ctx,
const uint8_t *  src,
int  src_len 
)

Definition at line 996 of file crypto_openssl.c.

◆ md_full()

int md_full ( const EVP_MD *  kt,
const uint8_t *  src,
int  src_len,
uint8_t *  dst 
)

Definition at line 953 of file crypto_openssl.c.

◆ md_kt_get()

const EVP_MD* md_kt_get ( const char *  digest)

Return message digest parameters, based on the given digest name.

The contents of these parameters are library-specific, and can be used to initialise HMAC or message digest operations.

Parameters
digest — Name of the digest to retrieve parameters for (e.g. MD5).
Returns
A statically allocated structure containing parameters for the given message digest.

Definition at line 910 of file crypto_openssl.c.

References ASSERT, crypto_msg, M_FATAL, MAX_HMAC_KEY_LENGTH, and PACKAGE_NAME.

Referenced by DigestCalcHA1(), DigestCalcResponse(), do_init_tls_wrap_key(), gen_hmac_md5(), gen_md4_hash(), init_key_type(), prng_init(), process_incoming_push_msg(), tls1_PRF(), and tls_crypt_kt().

◆ md_kt_name()

const char* md_kt_name ( const EVP_MD *  kt)

Definition at line 930 of file crypto_openssl.c.

◆ md_kt_size()

int md_kt_size ( const EVP_MD *  kt)

Definition at line 940 of file crypto_openssl.c.

◆ rand_bytes()

int rand_bytes ( uint8_t *  output,
int  len 
)

Wrapper for secure random number generator.

Retrieves len bytes of random data, and places it in output.

Parameters
output — Output buffer
len — Length of the output buffer, in bytes
Returns
1 on success, 0 on failure. Callers must check this value: on failure the contents of output are not guaranteed to be random and must not be used as key or nonce material.

Definition at line 480 of file crypto_openssl.c.

References crypto_msg, D_CRYPT_ERRORS, and unlikely.

Referenced by establish_http_proxy_passthru(), generate_key_random(), init_static(), prng_bytes(), prng_reset_nonce(), random_bytes_to_buf(), test_crypto(), test_tls_crypt_v2_setup(), tls_crypt_v2_wrap_unwrap_dst_too_small(), tls_crypt_v2_wrap_unwrap_max_metadata(), tls_crypt_v2_write_client_key_file(), verify_user_pass(), and write_pem_key_file().

◆ show_available_ciphers()

void show_available_ciphers ( void  )

◆ show_available_digests()

void show_available_digests ( void  )

Definition at line 339 of file crypto_openssl.c.

References PACKAGE_NAME.

Referenced by print_openssl_info().

◆ show_available_engines()

void show_available_engines ( void  )

Definition at line 364 of file crypto_openssl.c.

Referenced by print_openssl_info().

Variable Documentation

◆ cipher_name_translation_table

const cipher_name_pair cipher_name_translation_table[]
Initial value:
= {
{ "AES-128-GCM", "id-aes128-GCM" },
{ "AES-192-GCM", "id-aes192-GCM" },
{ "AES-256-GCM", "id-aes256-GCM" },
{ "CHACHA20-POLY1305", "ChaCha20-Poly1305" },
}

Cipher name translation table.

Definition at line 253 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().

◆ cipher_name_translation_table_count

const size_t cipher_name_translation_table_count
Initial value: the number of entries in cipher_name_translation_table (computed from the table's size; see the definition in the source).

Definition at line 259 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().