35 #if defined(ENABLE_CRYPTO_OPENSSL)
44 #include <openssl/conf.h>
45 #include <openssl/des.h>
46 #include <openssl/err.h>
47 #include <openssl/evp.h>
48 #include <openssl/objects.h>
49 #include <openssl/rand.h>
50 #include <openssl/ssl.h>
52 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
53 #include <openssl/kdf.h>
55 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
56 #include <openssl/provider.h>
59 #if defined(_WIN32) && defined(OPENSSL_NO_EC)
60 #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
65 #pragma warning(disable: 4996)
72 #if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH
73 #warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH
76 #if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE
77 #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
80 #if HAVE_OPENSSL_ENGINE
81 #include <openssl/ui.h>
82 #include <openssl/engine.h>
84 static bool engine_initialized =
false;
86 static ENGINE *engine_persist = NULL;
90 try_load_engine(
const char *engine)
92 ENGINE *e = ENGINE_by_id(
"dynamic");
95 if (!ENGINE_ctrl_cmd_string(e,
"SO_PATH", engine, 0)
96 || !ENGINE_ctrl_cmd_string(e,
"LOAD", NULL, 0))
106 setup_engine(
const char *engine)
110 ENGINE_load_builtin_engines();
114 if (strcmp(engine,
"auto") == 0)
116 msg(
M_INFO,
"Initializing OpenSSL auto engine support");
117 ENGINE_register_all_complete();
120 if ((e = ENGINE_by_id(engine)) == NULL
121 && (e = try_load_engine(engine)) == NULL)
127 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
130 "OpenSSL error: ENGINE_set_default failed on engine '%s'",
134 msg(
M_INFO,
"Initializing OpenSSL support for engine '%s'",
145 #if HAVE_OPENSSL_ENGINE
146 if (!engine_initialized)
150 engine_persist = setup_engine(engine_name);
151 engine_initialized =
true;
154 msg(
M_WARN,
"Note: OpenSSL hardware crypto engine functionality is not available");
161 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
170 msg(
M_WARN,
"Note: OpenSSL provider functionality is not available");
178 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
179 if (!OSSL_PROVIDER_unload(provider))
195 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
196 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
198 OPENSSL_config(NULL);
207 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
215 FILE *fp = fopen(
"sdlog",
"w");
217 CRYPTO_mem_leaks_fp(fp);
221 #if HAVE_OPENSSL_ENGINE
222 if (engine_initialized)
225 engine_persist = NULL;
226 engine_initialized =
false;
240 unsigned long err = 0;
242 const char *file, *data, *func;
246 if (!(errflags & ERR_TXT_STRING))
252 if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
255 "in common with the client. Your --tls-cipher setting might be "
258 else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
261 "indicates that client and server have no common TLS version enabled. "
262 "This can be caused by mismatched tls-version-min and tls-version-max "
263 "options on client and server. "
264 "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
265 "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
266 "instead of TLS 1.0 only");
272 msg(flags,
"OpenSSL: %s:%s", ERR_error_string(err, NULL), data);
276 msg(flags,
"OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL),
277 data, file, line, func);
293 crypto_malloc(
size_t size,
const char *file,
int line)
295 return dmalloc_malloc(file, line, size, DMALLOC_FUNC_MALLOC, 0, 0);
299 crypto_realloc(
void *ptr,
size_t size,
const char *file,
int line)
301 return dmalloc_realloc(file, line, ptr, size, DMALLOC_FUNC_REALLOC, 0);
305 crypto_free(
void *ptr)
307 dmalloc_free(__FILE__, __LINE__, ptr, DMALLOC_FUNC_FREE);
311 crypto_init_dmalloc(
void)
313 CRYPTO_set_mem_ex_functions(crypto_malloc,
320 {
"AES-128-GCM",
"id-aes128-GCM" },
321 {
"AES-192-GCM",
"id-aes192-GCM" },
322 {
"AES-256-GCM",
"id-aes256-GCM" },
323 {
"CHACHA20-POLY1305",
"ChaCha20-Poly1305" },
332 const EVP_CIPHER *
const *cipher_a = a;
333 const EVP_CIPHER *
const *cipher_b = b;
354 msg(
M_WARN,
"WARNING: Too many ciphers, not showing all");
367 cipher_list->
list[cipher_list->
num++] = cipher;
377 printf(
"The following ciphers and cipher modes are available for use\n"
378 "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n"
379 "parameter to the --data-ciphers (or --cipher) option. In static \n"
380 "key mode only CBC mode is allowed.\n");
381 printf(
"See also openssl list -cipher-algorithms\n\n");
384 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
387 for (
int nid = 0; nid < 10000; ++nid)
389 const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
399 for (
size_t i = 0; i < cipher_list.
num; i++)
407 printf(
"\nThe following ciphers have a block size of less than 128 bits, \n"
408 "and are therefore deprecated. Do not use unless you have to.\n\n");
409 for (
int i = 0; i < cipher_list.
num; i++)
423 EVP_MD_size(digest) * 8);
430 printf(
"The following message digests are available for use with\n"
431 PACKAGE_NAME ". A message digest is used in conjunction with\n"
432 "the HMAC function, to authenticate received packets.\n"
433 "You can specify a message digest as parameter to\n"
434 "the --auth option.\n");
435 printf(
"See also openssl list -digest-algorithms\n\n");
438 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
441 for (
int nid = 0; nid < 10000; ++nid)
443 const EVP_MD *digest = EVP_get_digestbynid(nid);
458 #if HAVE_OPENSSL_ENGINE
461 printf(
"OpenSSL Crypto Engines\n\n");
463 ENGINE_load_builtin_engines();
465 e = ENGINE_get_first();
471 e = ENGINE_get_next(e);
475 printf(
"Sorry, OpenSSL hardware crypto engine functionality is not available.\n");
485 BIO *bio = BIO_new(BIO_s_mem());
486 if (!bio || !PEM_write_bio(bio, name,
"",
BPTR(src),
BLEN(src)))
493 BIO_get_mem_ptr(bio, &bptr);
514 BIO *bio = BIO_new_mem_buf((
char *)
BPTR(src),
BLEN(src));
520 char *name_read = NULL;
521 char *header_read = NULL;
522 uint8_t *data_read = NULL;
523 long data_read_len = 0;
524 if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,
531 if (strcmp(name, name_read))
534 "%s: unexpected PEM name (got '%s', expected '%s')",
535 __func__, name_read, name);
543 BCAP(dst), data_read_len);
546 memcpy(dst_data, data_read, data_read_len);
550 OPENSSL_free(name_read);
551 OPENSSL_free(header_read);
552 OPENSSL_free(data_read);
573 if (
unlikely(1 != RAND_bytes(output, len)))
604 *reason =
"disabled because unknown";
612 if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
614 msg(
D_LOW,
"Cipher algorithm '%s' is known by OpenSSL library but "
615 "currently disabled by running in FIPS mode.", ciphername);
616 *reason =
"disabled by FIPS mode";
622 msg(
D_LOW,
"Cipher algorithm '%s' uses a default key size (%d bytes) "
623 "which is larger than " PACKAGE_NAME "'s current maximum key size "
624 "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher),
626 *reason =
"disabled due to key size too large";
641 if (strcmp(
"none", ciphername) == 0)
643 return "[null-cipher]";
652 const char *name = EVP_CIPHER_name(cipher_kt);
661 int size = EVP_CIPHER_key_length(cipher);
670 int ivsize = EVP_CIPHER_iv_length(cipher);
685 char *mode_str = NULL;
686 const char *orig_name = NULL;
694 int block_size = EVP_CIPHER_block_size(cipher);
696 orig_name = EVP_CIPHER_name(cipher);
703 mode_str = strrchr(name,
'-');
704 if (!mode_str || strlen(mode_str) < 4)
709 strcpy(mode_str,
"-CBC");
714 block_size = EVP_CIPHER_block_size(cbc_cipher);
745 #ifdef NID_chacha20_poly1305
749 bool ischachapoly = (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305);
763 ASSERT(NULL != cipher_kt);
764 return EVP_CIPHER_mode(cipher_kt);
774 #ifdef EVP_CIPH_FLAG_CTS
775 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
777 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
789 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
807 #ifdef NID_chacha20_poly1305
808 if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305)
829 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
837 EVP_CIPHER_CTX_free(ctx);
842 const char *ciphername,
int enc)
844 ASSERT(NULL != ciphername && NULL != ctx);
848 if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
852 if (!EVP_CipherInit_ex(ctx, NULL, NULL,
key, NULL, enc))
858 ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt));
865 return EVP_CIPHER_CTX_iv_length(ctx);
877 return EVP_CIPHER_CTX_block_size(ctx);
883 return EVP_CIPHER_CTX_mode(ctx);
895 int flags = EVP_CIPHER_CTX_flags(ctx);
896 int mode = EVP_CIPHER_CTX_mode(ctx);
898 return mode == EVP_CIPH_CBC_MODE
900 #ifdef EVP_CIPH_FLAG_CTS
901 && !(flags & EVP_CIPH_FLAG_CTS)
903 && !(flags & EVP_CIPH_FLAG_AEAD_CIPHER);
916 return (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CFB_MODE)
918 && !(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER);
926 int flags = EVP_CIPHER_CTX_flags(ctx);
927 if (flags & EVP_CIPH_FLAG_AEAD_CIPHER)
932 #if defined(NID_chacha20_poly1305) && OPENSSL_VERSION_NUMBER < 0x30000000L
933 if (EVP_CIPHER_CTX_nid(ctx) == NID_chacha20_poly1305)
947 return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
954 if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len))
963 uint8_t *src,
int src_len)
965 if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len))
975 return EVP_CipherFinal(ctx, dst, dst_len);
980 uint8_t *tag,
size_t tag_len)
982 ASSERT(tag_len < SIZE_MAX);
1012 "size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
1013 "maximum hash size (%d bytes)",
1024 bool valid = (md != NULL);
1037 {
"BLAKE2s256",
"BLAKE2S-256"},
1038 {
"BLAKE2b512",
"BLAKE2B-512"},
1039 {
"RIPEMD160",
"RIPEMD-160" },
1040 {
"SHA224",
"SHA2-224"},
1041 {
"SHA256",
"SHA2-256"},
1042 {
"SHA384",
"SHA2-384"},
1043 {
"SHA512",
"SHA2-512"},
1044 {
"SHA512-224",
"SHA2-512/224"},
1045 {
"SHA512-256",
"SHA2-512/256"},
1046 {
"SHAKE128",
"SHAKE-128"},
1047 {
"SHAKE256",
"SHAKE-256"},
1055 if (!strcmp(
"none", mdname))
1057 return "[null-digest]";
1079 if (!strcmp(
"none", mdname))
1084 unsigned char size = (
unsigned char)EVP_MD_size(kt);
1097 md_full(
const char *mdname,
const uint8_t *src,
int src_len, uint8_t *dst)
1099 unsigned int in_md_len = 0;
1102 int ret = EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL);
1125 ASSERT(NULL != ctx && NULL != kt);
1127 EVP_MD_CTX_init(ctx);
1128 if (!EVP_DigestInit(ctx, kt))
1144 return EVP_MD_CTX_size(ctx);
1150 EVP_DigestUpdate(ctx, src, src_len);
1156 unsigned int in_md_len = 0;
1158 EVP_DigestFinal(ctx, dst, &in_md_len);
1167 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1186 ASSERT(NULL != kt && NULL != ctx);
1188 int key_len = EVP_MD_size(kt);
1190 if (!HMAC_Init_ex(ctx,
key, key_len, kt, NULL))
1196 ASSERT(HMAC_size(ctx) <= key_len);
1208 return HMAC_size(ctx);
1214 if (!HMAC_Init_ex(ctx, NULL, 0, NULL, NULL))
1223 HMAC_Update(ctx, src, src_len);
1229 unsigned int in_hmac_len = 0;
1231 HMAC_Final(ctx, dst, &in_hmac_len);
1239 EVP_MAC *hmac = EVP_MAC_fetch(NULL,
"HMAC", NULL);
1240 ctx->ctx = EVP_MAC_CTX_new(hmac);
1251 EVP_MAC_CTX_free(ctx->ctx);
1260 ASSERT(NULL != kt && NULL != ctx && ctx->ctx != NULL);
1264 memcpy(ctx->key,
key, EVP_MD_size(kt));
1272 ctx->params[0] = OSSL_PARAM_construct_utf8_string(
"digest",
1274 ctx->params[1] = OSSL_PARAM_construct_octet_string(
"key",
1275 ctx->key, EVP_MD_size(kt));
1276 ctx->params[2] = OSSL_PARAM_construct_end();
1278 if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
1289 EVP_MAC_init(ctx->ctx, NULL, 0, NULL);
1295 return (
int)EVP_MAC_CTX_get_mac_size(ctx->ctx);
1304 if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
1313 EVP_MAC_update(ctx->ctx, src, src_len);
1321 size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx);
1323 EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len);
1330 return CRYPTO_memcmp(a, b, size);
1333 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
1335 ssl_tls1_PRF(
const uint8_t *seed,
int seed_len,
const uint8_t *secret,
1336 int secret_len, uint8_t *output,
int output_len)
1338 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
1345 if (!EVP_PKEY_derive_init(pctx))
1350 if (!EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1()))
1355 if (!EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, secret, secret_len))
1360 if (!EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed, seed_len))
1365 size_t out_len = output_len;
1366 if (!EVP_PKEY_derive(pctx, output, &out_len))
1370 if (out_len != output_len)
1376 EVP_PKEY_CTX_free(pctx);
1401 int sec_len,
const void *seed,
int seed_len,
1402 unsigned char *out,
int olen)
1406 EVP_MD_CTX *ctx, *ctx_tmp, *ctx_init;
1408 unsigned char A1[EVP_MAX_MD_SIZE];
1409 size_t A1_len = EVP_MAX_MD_SIZE;
1412 chunk = EVP_MD_size(md);
1413 OPENSSL_assert(chunk >= 0);
1418 EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
1419 mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
1424 if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
1428 if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
1432 if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
1436 if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
1444 if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
1448 if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
1452 if (olen > chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
1456 if (!EVP_DigestSignUpdate(ctx, seed, seed_len))
1464 if (!EVP_DigestSignFinal(ctx, out, &j))
1471 if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
1478 A1_len = EVP_MAX_MD_SIZE;
1480 if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
1484 memcpy(out, A1, olen);
1490 EVP_PKEY_free(mac_key);
1494 OPENSSL_cleanse(A1,
sizeof(A1));
1519 int slen, uint8_t *out1,
int olen)
1524 const EVP_MD *md5 = EVP_md5();
1525 const EVP_MD *sha1 = EVP_sha1();
1527 uint8_t *out2 = (uint8_t *)
gc_malloc(olen,
false, &gc);
1530 const uint8_t *S1 = sec;
1531 const uint8_t *S2 = &(sec[len]);
1534 if (!
tls1_P_hash(md5, S1, len, label, label_len, out1, olen))
1540 if (!
tls1_P_hash(sha1, S2, len, label, label_len, out2, olen))
1546 for (
int i = 0; i < olen; i++)