OpenVPN
crypto.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
9  * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
122 #ifndef CRYPTO_H
123 #define CRYPTO_H
124 
125 #ifdef ENABLE_CRYPTO
126 
127 #include "crypto_backend.h"
128 #include "basic.h"
129 #include "buffer.h"
130 #include "packet_id.h"
131 #include "mtu.h"
132 
136 };
137 
138 /*
139  * Defines a key type and key length for both cipher and HMAC.
140  */
141 struct key_type
142 {
146  const md_kt_t *digest;
147 };
148 
153 struct key
154 {
159 };
160 
161 
166 struct key_ctx
167 {
173 };
174 
175 #define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */
176 #define KEY_DIRECTION_NORMAL 1 /* encrypt with keys[0], decrypt with keys[1] */
177 #define KEY_DIRECTION_INVERSE 2 /* encrypt with keys[1], decrypt with keys[0] */
178 
183 struct key2
184 {
185  int n;
187  struct key keys[2];
189 };
190 
201 {
202  int out_key;
204  int in_key;
206  int need_keys;
214 };
215 
222 {
223  struct key_ctx encrypt;
225  struct key_ctx decrypt;
228 };
229 
235 {
247 #define CO_PACKET_ID_LONG_FORM (1<<0)
248 
250 #define CO_IGNORE_PACKET_ID (1<<1)
251 
256 #define CO_MUTE_REPLAY_WARNINGS (1<<2)
257 
259  unsigned int flags;
261 };
262 
263 #define CRYPT_ERROR(format) \
264  do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false)
265 
270 #define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8)
271 
272 #define RKF_MUST_SUCCEED (1<<0)
273 #define RKF_INLINE (1<<1)
274 void read_key_file(struct key2 *key2, const char *file, const unsigned int flags);
275 
276 int write_key_file(const int nkeys, const char *filename);
277 
278 int read_passphrase_hash(const char *passphrase_file,
279  const md_kt_t *digest,
280  uint8_t *output,
281  int len);
282 
283 void generate_key_random(struct key *key, const struct key_type *kt);
284 
285 void check_replay_consistency(const struct key_type *kt, bool packet_id);
286 
287 bool check_key(struct key *key, const struct key_type *kt);
288 
289 void fixup_key(struct key *key, const struct key_type *kt);
290 
291 bool write_key(const struct key *key, const struct key_type *kt,
292  struct buffer *buf);
293 
294 int read_key(struct key *key, const struct key_type *kt, struct buffer *buf);
295 
308 void init_key_type(struct key_type *kt, const char *ciphername,
309  const char *authname, int keysize, bool tls_mode, bool warn);
310 
311 /*
312  * Key context functions
313  */
314 
315 void init_key_ctx(struct key_ctx *ctx, const struct key *key,
316  const struct key_type *kt, int enc,
317  const char *prefix);
318 
319 void free_key_ctx(struct key_ctx *ctx);
320 
321 void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
322  int key_direction, const struct key_type *kt,
323  const char *name);
324 
325 void free_key_ctx_bi(struct key_ctx_bi *ctx);
326 
327 
328 /**************************************************************************/
358 void openvpn_encrypt(struct buffer *buf, struct buffer work,
359  struct crypto_options *opt);
360 
361 
395 bool openvpn_decrypt(struct buffer *buf, struct buffer work,
396  struct crypto_options *opt, const struct frame *frame,
397  const uint8_t *ad_start);
398 
411 bool crypto_check_replay(struct crypto_options *opt,
412  const struct packet_id_net *pin, const char *error_prefix,
413  struct gc_arena *gc);
414 
415 
418  const struct key_type *kt,
419  bool packet_id,
420  bool packet_id_long_form);
421 
423 size_t crypto_max_overhead(void);
424 
425 /* Minimum length of the nonce used by the PRNG */
426 #define NONCE_SECRET_LEN_MIN 16
427 
428 /* Maximum length of the nonce used by the PRNG */
429 #define NONCE_SECRET_LEN_MAX 64
430 
432 #define PRNG_NONCE_RESET_BYTES 1024
433 
441 void prng_init(const char *md_name, const int nonce_secret_len_parm);
442 
443 /*
444  * Message digest-based pseudo random number generator.
445  *
446  * If the PRNG was initialised with a certain message digest, uses the digest
447  * to calculate the next random number, and prevent depletion of the entropy
448  * pool.
449  *
450  * This PRNG is aimed at IV generation and similar miscellaneous tasks. Use
451  * \c rand_bytes() for higher-assurance functionality.
452  *
453  * Retrieves len bytes of pseudo random data, and places it in output.
454  *
455  * @param output Output buffer
456  * @param len Length of the output buffer
457  */
458 void prng_bytes(uint8_t *output, int len);
459 
460 void prng_uninit(void);
461 
462 void test_crypto(struct crypto_options *co, struct frame *f);
463 
464 
465 /* key direction functions */
466 
467 void key_direction_state_init(struct key_direction_state *kds, int key_direction);
468 
469 void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file);
470 
471 void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n);
472 
473 int ascii2keydirection(int msglevel, const char *str);
474 
475 const char *keydirection2ascii(int kd, bool remote);
476 
477 /* print keys */
478 void key2_print(const struct key2 *k,
479  const struct key_type *kt,
480  const char *prefix0,
481  const char *prefix1);
482 
483 void crypto_read_openvpn_key(const struct key_type *key_type,
484  struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
485  const int key_direction, const char *key_name, const char *opt_name);
486 
487 /*
488  * Inline functions
489  */
490 
495 static inline int
496 memcmp_constant_time(const void *a, const void *b, size_t size)
497 {
498  const uint8_t *a1 = a;
499  const uint8_t *b1 = b;
500  int ret = 0;
501  size_t i;
502 
503  for (i = 0; i < size; i++) {
504  ret |= *a1++ ^ *b1++;
505  }
506 
507  return ret;
508 }
509 
510 static inline bool
512 {
513  return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac;
514 }
515 
516 
517 #endif /* ENABLE_CRYPTO */
518 #endif /* CRYPTO_H */
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:914
void key_direction_state_init(struct key_direction_state *kds, int key_direction)
Definition: crypto.c:1572
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition: crypto.c:325
size_t implicit_iv_len
The length of implicit_iv.
Definition: crypto.h:172
Security parameter state for processing data channel packets.
Definition: crypto.h:234
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:823
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:144
void verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared_secret_file)
Definition: crypto.c:1601
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:259
Key ordering of the key2.keys array.
Definition: crypto.h:200
struct packet_id_persist * pid_persist
Persistent packet ID state for keeping state between successive OpenVPN process startups.
Definition: crypto.h:242
const char * keydirection2ascii(int kd, bool remote)
Definition: crypto.c:1550
Packet geometry parameters.
Definition: mtu.h:93
#define OPENVPN_MAX_IV_LENGTH
Maximum length of an IV.
int n
The number of key objects stored in the key2.keys array.
Definition: crypto.h:185
bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1621
int out_key
Index into the key2.keys array for the sending direction.
Definition: crypto.h:202
void prng_uninit(void)
Definition: crypto.c:1747
#define MAX_CIPHER_KEY_LENGTH
void generate_key_random(struct key *key, const struct key_type *kt)
Definition: crypto.c:1023
int read_passphrase_hash(const char *passphrase_file, const md_kt_t *digest, uint8_t *output, int len)
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
bool initialized
Definition: crypto.h:227
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1178
static bool key_ctx_bi_defined(const struct key_ctx_bi *key)
Definition: crypto.h:511
void check_replay_consistency(const struct key_type *kt, bool packet_id)
Definition: crypto.c:1007
string f
Definition: http-client.py:6
uint8_t cipher_length
Cipher length, in bytes.
Definition: crypto.h:143
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:168
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:876
mbedtls_md_info_t md_kt_t
Generic message digest key type context.
uint8_t digest[SHA256_DIGEST_LENGTH]
Definition: crypto.h:135
bool check_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:937
int in_key
Index into the key2.keys array for the receiving direction.
Definition: crypto.h:204
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:166
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:223
const char * filename
Definition: packet_id.h:154
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:169
void crypto_adjust_frame_parameters(struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form)
Calculate crypto overhead and adjust frame to account for that.
Definition: crypto.c:700
void read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
Definition: crypto.c:1225
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:225
int write_key_file(const int nkeys, const char *filename)
Definition: crypto.c:1439
#define MAX_HMAC_KEY_LENGTH
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
Definition: crypto.c:305
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:183
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:896
int need_keys
The number of key objects necessary to support both sending and receiving.
Definition: crypto.h:206
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Definition: crypto.c:674
unsigned __int8 uint8_t
Definition: config-msvc.h:123
void fixup_key(struct key *key, const struct key_type *kt)
Definition: crypto.c:976
void key2_print(const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1)
Definition: crypto.c:1067
const md_kt_t * digest
Message digest static parameters.
Definition: crypto.h:146
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
int ascii2keydirection(int msglevel, const char *str)
Definition: crypto.c:1527
static int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto.h:496
#define SHA256_DIGEST_LENGTH
void test_crypto(struct crypto_options *co, struct frame *f)
Definition: crypto.c:1090
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, int keysize, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:745
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void prng_init(const char *md_name, const int nonce_secret_len_parm)
Pseudo-random number generator initialisation.
Definition: crypto.c:1728
void prng_bytes(uint8_t *output, int len)
Definition: crypto.c:1756
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:145
Wrapper struct to pass around SHA256 digests.
Definition: crypto.h:134
size_t crypto_max_overhead(void)
Return the worst-case OpenVPN crypto overhead (in bytes)
Definition: crypto.c:734
void must_have_n_keys(const char *filename, const char *option, const struct key2 *key2, int n)
Definition: crypto.c:1514
int read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
Definition: crypto.c:1654
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:221
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:153