OpenVPN
tls_crypt.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #elif defined(_MSC_VER)
27 #include "config-msvc.h"
28 #endif
29 
30 #include "syshead.h"
31 
32 #include "argv.h"
33 #include "base64.h"
34 #include "crypto.h"
35 #include "platform.h"
36 #include "run_command.h"
37 #include "session_id.h"
38 #include "ssl.h"
39 
40 #include "tls_crypt.h"
41 
42 const char *tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key";
43 const char *tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key";
44 
49 
50 static struct key_type
52 {
53  struct key_type kt;
54  kt.cipher = cipher_kt_get("AES-256-CTR");
55  kt.digest = md_kt_get("SHA256");
56 
57  if (!kt.cipher)
58  {
59  msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
60  return (struct key_type) { 0 };
61  }
62  if (!kt.digest)
63  {
64  msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
65  return (struct key_type) { 0 };
66  }
67 
69  kt.hmac_length = md_kt_size(kt.digest);
70 
71  return kt;
72 }
73 
74 int
76 {
78 }
79 
80 void
81 tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
82  const char *key_inline, bool tls_server)
83 {
84  const int key_direction = tls_server ?
86  struct key_type kt = tls_crypt_kt();
87  if (!kt.cipher || !kt.digest)
88  {
89  msg(M_FATAL, "ERROR: --tls-crypt not supported");
90  }
91  crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
92  "Control Channel Encryption", "tls-crypt");
93 }
94 
95 void
97 {
99 
100  msg(D_MTU_DEBUG, "%s: Adjusting frame parameters for tls-crypt by %i bytes",
101  __func__, tls_crypt_buf_overhead());
102 }
103 
104 
105 bool
106 tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
107  struct crypto_options *opt)
108 {
109  const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
110  struct gc_arena gc;
111 
112  /* IV, packet-ID and implicit IV required for this mode. */
113  ASSERT(ctx->cipher);
114  ASSERT(ctx->hmac);
116  ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
117 
118  gc_init(&gc);
119 
120  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
121  format_hex(BPTR(src), BLEN(src), 80, &gc));
122 
123  /* Get packet ID */
124  if (!packet_id_write(&opt->packet_id.send, dst, true, false))
125  {
126  msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
127  goto err;
128  }
129 
130  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
131  format_hex(BPTR(dst), BLEN(dst), 0, &gc));
132 
133  /* Buffer overflow check */
135  {
136  msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
137  "sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
138  src->len, dst->capacity, dst->offset, dst->len);
139  goto err;
140  }
141 
142  /* Calculate auth tag and synthetic IV */
143  {
144  uint8_t *tag = NULL;
145  hmac_ctx_reset(ctx->hmac);
146  hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
147  hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src));
148 
150  hmac_ctx_final(ctx->hmac, tag);
151 
152  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s",
153  format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc));
154 
155  /* Use the 128 most significant bits of the tag as IV */
156  ASSERT(cipher_ctx_reset(ctx->cipher, tag));
157  }
158 
159  /* Encrypt src */
160  {
161  int outlen = 0;
162  ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
163  BPTR(src), BLEN(src)));
164  ASSERT(buf_inc_len(dst, outlen));
165  ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
166  ASSERT(buf_inc_len(dst, outlen));
167  }
168 
169  dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
170  format_hex(BPTR(dst), BLEN(dst), 80, &gc));
171 
172  gc_free(&gc);
173  return true;
174 
175 err:
177  dst->len = 0;
178  gc_free(&gc);
179  return false;
180 }
181 
182 bool
183 tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
184  struct crypto_options *opt)
185 {
186  static const char error_prefix[] = "tls-crypt unwrap error";
187  const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
188  struct gc_arena gc;
189 
190  gc_init(&gc);
191 
192  ASSERT(opt);
193  ASSERT(src->len > 0);
194  ASSERT(ctx->cipher);
196  || (opt->flags & CO_IGNORE_PACKET_ID));
197 
198  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
199  format_hex(BPTR(src), BLEN(src), 80, &gc));
200 
201  if (buf_len(src) < TLS_CRYPT_OFF_CT)
202  {
203  CRYPT_ERROR("packet too short");
204  }
205 
206  /* Decrypt cipher text */
207  {
208  int outlen = 0;
209 
210  /* Buffer overflow check (should never fail) */
212  {
213  CRYPT_ERROR("potential buffer overflow");
214  }
215 
216  if (!cipher_ctx_reset(ctx->cipher, BPTR(src) + TLS_CRYPT_OFF_TAG))
217  {
218  CRYPT_ERROR("cipher reset failed");
219  }
220  if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
221  BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
222  {
223  CRYPT_ERROR("cipher update failed");
224  }
225  ASSERT(buf_inc_len(dst, outlen));
226  if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen))
227  {
228  CRYPT_ERROR("cipher final failed");
229  }
230  ASSERT(buf_inc_len(dst, outlen));
231  }
232 
233  /* Check authentication */
234  {
235  const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG;
236  uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
237 
238  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s",
239  format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc));
240  dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s",
241  format_hex(BPTR(dst), BLEN(dst), 80, &gc));
242 
243  hmac_ctx_reset(ctx->hmac);
245  hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
246  hmac_ctx_final(ctx->hmac, tag_check);
247 
248  if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
249  {
250  dmsg(D_CRYPTO_DEBUG, "tag : %s",
251  format_hex(tag, sizeof(tag_check), 0, &gc));
252  dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
253  format_hex(tag_check, sizeof(tag_check), 0, &gc));
254  CRYPT_ERROR("packet authentication failed");
255  }
256  }
257 
258  /* Check replay */
259  if (!(opt->flags & CO_IGNORE_PACKET_ID))
260  {
261  struct packet_id_net pin;
262  struct buffer tmp = *src;
264  ASSERT(packet_id_read(&pin, &tmp, true));
265  if (!crypto_check_replay(opt, &pin, error_prefix, &gc))
266  {
267  CRYPT_ERROR("packet replay");
268  }
269  }
270 
271  gc_free(&gc);
272  return true;
273 
274 error_exit:
276  dst->len = 0;
277  gc_free(&gc);
278  return false;
279 }
280 
281 static inline void
283  bool tls_server)
284 {
285  const int key_direction = tls_server ?
287  struct key_type kt = tls_crypt_kt();
288  if (!kt.cipher || !kt.digest)
289  {
290  msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
291  }
292  init_key_ctx_bi(key, key2, key_direction, &kt,
293  "Control Channel Encryption");
294 }
295 
296 void
298  const char *key_file, const char *key_inline)
299 {
300  struct buffer client_key = alloc_buf(TLS_CRYPT_V2_CLIENT_KEY_LEN
302 
304  key_file, key_inline))
305  {
306  msg(M_FATAL, "ERROR: invalid tls-crypt-v2 client key format");
307  }
308 
309  struct key2 key2;
310  if (!buf_read(&client_key, &key2.keys, sizeof(key2.keys)))
311  {
312  msg(M_FATAL, "ERROR: not enough data in tls-crypt-v2 client key");
313  }
314 
315  tls_crypt_v2_load_client_key(key, &key2, false);
316  secure_memzero(&key2, sizeof(key2));
317 
318  *wkc_buf = client_key;
319 }
320 
321 void
323  const char *key_file, const char *key_inline)
324 {
325  struct key srv_key;
326  struct buffer srv_key_buf;
327 
328  buf_set_write(&srv_key_buf, (void *)&srv_key, sizeof(srv_key));
329  if (!read_pem_key_file(&srv_key_buf, tls_crypt_v2_srv_pem_name,
330  key_file, key_inline))
331  {
332  msg(M_FATAL, "ERROR: invalid tls-crypt-v2 server key format");
333  }
334 
335  struct key_type kt = tls_crypt_kt();
336  if (!kt.cipher || !kt.digest)
337  {
338  msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported");
339  }
340  init_key_ctx(key_ctx, &srv_key, &kt, encrypt, "tls-crypt-v2 server key");
341  secure_memzero(&srv_key, sizeof(srv_key));
342 }
343 
344 static bool
346  const struct key2 *src_key,
347  const struct buffer *src_metadata,
348  struct key_ctx *server_key, struct gc_arena *gc)
349 {
350  cipher_ctx_t *cipher_ctx = server_key->cipher;
352  + cipher_ctx_block_size(cipher_ctx), gc);
353 
354  /* Calculate auth tag and synthetic IV */
356  if (!tag)
357  {
358  msg(M_WARN, "ERROR: could not write tag");
359  return false;
360  }
361  uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
362  + TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
363  hmac_ctx_t *hmac_ctx = server_key->hmac;
364  hmac_ctx_reset(hmac_ctx);
365  hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
366  hmac_ctx_update(hmac_ctx, (void *)src_key->keys, sizeof(src_key->keys));
367  hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
368  hmac_ctx_final(hmac_ctx, tag);
369 
370  dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
371  format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
372 
373  /* Use the 128 most significant bits of the tag as IV */
374  ASSERT(cipher_ctx_reset(cipher_ctx, tag));
375 
376  /* Overflow check (OpenSSL requires an extra block in the dst buffer) */
377  if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
378  + BLEN(src_metadata)
379  + sizeof(net_len)
380  + cipher_ctx_block_size(cipher_ctx)))
381  {
382  msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
383  return false;
384  }
385 
386  /* Encrypt */
387  int outlen = 0;
388  ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
389  (void *)src_key->keys, sizeof(src_key->keys)));
390  ASSERT(buf_inc_len(&work, outlen));
391  ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
392  BPTR(src_metadata), BLEN(src_metadata)));
393  ASSERT(buf_inc_len(&work, outlen));
394  ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
395  ASSERT(buf_inc_len(&work, outlen));
396  ASSERT(buf_write(&work, &net_len, sizeof(net_len)));
397 
398  return buf_copy(wkc, &work);
399 }
400 
401 static bool
402 tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
403  struct buffer wrapped_client_key,
404  struct key_ctx *server_key)
405 {
406  const char *error_prefix = __func__;
407  bool ret = false;
408  struct gc_arena gc = gc_new();
409  /* The crypto API requires one extra cipher block of buffer head room when
410  * decrypting, which nicely matches the tag size of WKc. So
411  * TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */
412  uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
413  struct buffer plaintext = { 0 };
414 
415  dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
416  BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
417  BLEN(&wrapped_client_key),
418  0, &gc));
419 
420  if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
421  {
422  CRYPT_ERROR("wrapped client key too big");
423  }
424 
425  /* Decrypt client key and metadata */
426  uint16_t net_len = 0;
427  const uint8_t *tag = BPTR(&wrapped_client_key);
428 
429  if (BLEN(&wrapped_client_key) < sizeof(net_len))
430  {
431  CRYPT_ERROR("failed to read length");
432  }
433  memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
434  sizeof(net_len));
435 
436  if (ntohs(net_len) != BLEN(&wrapped_client_key))
437  {
438  dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
439  ntohs(net_len), BLEN(&wrapped_client_key));
440  CRYPT_ERROR("invalid length");
441  }
442 
443  buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len));
444 
445  if (!buf_advance(&wrapped_client_key, TLS_CRYPT_TAG_SIZE))
446  {
447  CRYPT_ERROR("failed to read tag");
448  }
449 
450  if (!cipher_ctx_reset(server_key->cipher, tag))
451  {
452  CRYPT_ERROR("failed to initialize IV");
453  }
454  buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
455  int outlen = 0;
456  if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
457  BPTR(&wrapped_client_key),
458  BLEN(&wrapped_client_key)))
459  {
460  CRYPT_ERROR("could not decrypt client key");
461  }
462  ASSERT(buf_inc_len(&plaintext, outlen));
463 
464  if (!cipher_ctx_final(server_key->cipher, BEND(&plaintext), &outlen))
465  {
466  CRYPT_ERROR("cipher final failed");
467  }
468  ASSERT(buf_inc_len(&plaintext, outlen));
469 
470  /* Check authentication */
471  uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
472  hmac_ctx_reset(server_key->hmac);
473  hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
474  hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
475  BLEN(&plaintext));
476  hmac_ctx_final(server_key->hmac, tag_check);
477 
478  if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
479  {
480  dmsg(D_CRYPTO_DEBUG, "tag : %s",
481  format_hex(tag, sizeof(tag_check), 0, &gc));
482  dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
483  format_hex(tag_check, sizeof(tag_check), 0, &gc));
484  CRYPT_ERROR("client key authentication error");
485  }
486 
487  if (buf_len(&plaintext) < sizeof(client_key->keys))
488  {
489  CRYPT_ERROR("failed to read client key");
490  }
491  memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
492  ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
493 
494  if (!buf_copy(metadata, &plaintext))
495  {
496  CRYPT_ERROR("metadata too large for supplied buffer");
497  }
498 
499  ret = true;
500 error_exit:
501  if (!ret)
502  {
503  secure_memzero(client_key, sizeof(*client_key));
504  }
505  buf_clear(&plaintext);
506  gc_free(&gc);
507  return ret;
508 }
509 
510 static bool
512  const struct tls_options *opt)
513 {
514  bool ret = false;
515  struct gc_arena gc = gc_new();
516  const char *tmp_file = NULL;
517  struct buffer metadata = ctx->tls_crypt_v2_metadata;
518  int metadata_type = buf_read_u8(&metadata);
519  if (metadata_type < 0)
520  {
521  msg(M_WARN, "ERROR: no metadata type");
522  goto cleanup;
523  }
524 
525  tmp_file = platform_create_temp_file(opt->tmp_dir, "tls_crypt_v2_metadata_",
526  &gc);
527  if (!tmp_file || !buffer_write_file(tmp_file, &metadata))
528  {
529  msg(M_WARN, "ERROR: could not write metadata to file");
530  goto cleanup;
531  }
532 
533  char metadata_type_str[4] = { 0 }; /* Max value: 255 */
534  openvpn_snprintf(metadata_type_str, sizeof(metadata_type_str),
535  "%i", metadata_type);
536  struct env_set *es = env_set_create(NULL);
537  setenv_str(es, "script_type", "tls-crypt-v2-verify");
538  setenv_str(es, "metadata_type", metadata_type_str);
539  setenv_str(es, "metadata_file", tmp_file);
540 
541  struct argv argv = argv_new();
543  argv_msg_prefix(D_TLS_DEBUG, &argv, "Executing tls-crypt-v2-verify");
544 
545  ret = openvpn_run_script(&argv, es, 0, "--tls-crypt-v2-verify");
546 
547  argv_reset(&argv);
548  env_set_destroy(es);
549 
550  if (!platform_unlink(tmp_file))
551  {
552  msg(M_WARN, "WARNING: failed to remove temp file '%s", tmp_file);
553  }
554 
555  if (ret)
556  {
557  msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT OK");
558  }
559  else
560  {
561  msg(D_HANDSHAKE, "TLS CRYPT V2 VERIFY SCRIPT ERROR");
562  }
563 
564 cleanup:
565  gc_free(&gc);
566  return ret;
567 }
568 
569 bool
571  struct tls_wrap_ctx *ctx,
572  const struct tls_options *opt)
573 {
575  {
577  "Client wants tls-crypt-v2, but no server key present.");
578  return false;
579  }
580 
581  msg(D_HANDSHAKE, "Control Channel: using tls-crypt-v2 key");
582 
583  struct buffer wrapped_client_key = *buf;
584  uint16_t net_len = 0;
585 
586  if (BLEN(&wrapped_client_key) < sizeof(net_len))
587  {
588  msg(D_TLS_ERRORS, "failed to read length");
589  }
590  memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
591  sizeof(net_len));
592 
593  size_t wkc_len = ntohs(net_len);
594  if (!buf_advance(&wrapped_client_key, BLEN(&wrapped_client_key) - wkc_len))
595  {
596  msg(D_TLS_ERRORS, "Can not locate tls-crypt-v2 client key");
597  return false;
598  }
599 
600  struct key2 client_key = { 0 };
602  if (!tls_crypt_v2_unwrap_client_key(&client_key,
603  &ctx->tls_crypt_v2_metadata,
604  wrapped_client_key,
606  {
607  msg(D_TLS_ERRORS, "Can not unwrap tls-crypt-v2 client key");
608  secure_memzero(&client_key, sizeof(client_key));
609  return false;
610  }
611 
612  /* Load the decrypted key */
613  ctx->mode = TLS_WRAP_CRYPT;
614  ctx->cleanup_key_ctx = true;
616  memset(&ctx->opt.key_ctx_bi, 0, sizeof(ctx->opt.key_ctx_bi));
617  tls_crypt_v2_load_client_key(&ctx->opt.key_ctx_bi, &client_key, true);
618  secure_memzero(&client_key, sizeof(client_key));
619 
620  /* Remove client key from buffer so tls-crypt code can unwrap message */
621  ASSERT(buf_inc_len(buf, -(BLEN(&wrapped_client_key))));
622 
623  if (opt && opt->tls_crypt_v2_verify_script)
624  {
625  return tls_crypt_v2_verify_metadata(ctx, opt);
626  }
627 
628  return true;
629 }
630 
631 void
633 {
635 }
636 
637 void
639  const char *b64_metadata,
640  const char *server_key_file,
641  const char *server_key_inline)
642 {
643  struct gc_arena gc = gc_new();
644  struct key_ctx server_key = { 0 };
645  struct buffer client_key_pem = { 0 };
647  + TLS_CRYPT_V2_MAX_WKC_LEN, &gc);
648  struct key2 client_key = { 2 };
649 
650  if (!rand_bytes((void *)client_key.keys, sizeof(client_key.keys)))
651  {
652  msg(M_FATAL, "ERROR: could not generate random key");
653  goto cleanup;
654  }
655  ASSERT(buf_write(&dst, client_key.keys, sizeof(client_key.keys)));
656 
657  struct buffer metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN, &gc);
658  if (b64_metadata)
659  {
660  if (TLS_CRYPT_V2_MAX_B64_METADATA_LEN < strlen(b64_metadata))
661  {
662  msg(M_FATAL,
663  "ERROR: metadata too long (%d bytes, max %u bytes)",
664  (int)strlen(b64_metadata), TLS_CRYPT_V2_MAX_B64_METADATA_LEN);
665  }
667  int decoded_len = openvpn_base64_decode(b64_metadata, BPTR(&metadata),
668  BCAP(&metadata));
669  if (decoded_len < 0)
670  {
671  msg(M_FATAL, "ERROR: failed to base64 decode provided metadata");
672  goto cleanup;
673  }
674  ASSERT(buf_inc_len(&metadata, decoded_len));
675  }
676  else
677  {
678  int64_t timestamp = htonll((uint64_t)now);
680  ASSERT(buf_write(&metadata, &timestamp, sizeof(timestamp)));
681  }
682 
683  tls_crypt_v2_init_server_key(&server_key, true, server_key_file,
684  server_key_inline);
685  if (!tls_crypt_v2_wrap_client_key(&dst, &client_key, &metadata, &server_key,
686  &gc))
687  {
688  msg(M_FATAL, "ERROR: could not wrap generated client key");
689  goto cleanup;
690  }
691 
692  /* PEM-encode Kc || WKc */
693  if (!crypto_pem_encode(tls_crypt_v2_cli_pem_name, &client_key_pem, &dst,
694  &gc))
695  {
696  msg(M_FATAL, "ERROR: could not PEM-encode client key");
697  goto cleanup;
698  }
699 
700  const char *client_filename = filename;
701  const char *client_inline = NULL;
702 
703  if (!filename || streq(filename, ""))
704  {
705  printf("%s\n", BPTR(&client_key_pem));
706  client_filename = INLINE_FILE_TAG;
707  client_inline = (const char *)BPTR(&client_key_pem);
708  }
709  else if (!buffer_write_file(filename, &client_key_pem))
710  {
711  msg(M_FATAL, "ERROR: could not write client key file");
712  goto cleanup;
713  }
714 
715  /* Sanity check: load client key (as "client") */
716  struct key_ctx_bi test_client_key;
717  struct buffer test_wrapped_client_key;
718  msg(D_GENKEY, "Testing client-side key loading...");
719  tls_crypt_v2_init_client_key(&test_client_key, &test_wrapped_client_key,
720  client_filename, client_inline);
721  free_key_ctx_bi(&test_client_key);
722 
723  /* Sanity check: unwrap and load client key (as "server") */
724  struct buffer test_metadata = alloc_buf_gc(TLS_CRYPT_V2_MAX_METADATA_LEN,
725  &gc);
726  struct key2 test_client_key2 = { 0 };
727  free_key_ctx(&server_key);
728  tls_crypt_v2_init_server_key(&server_key, false, server_key_file,
729  server_key_inline);
730  msg(D_GENKEY, "Testing server-side key loading...");
731  ASSERT(tls_crypt_v2_unwrap_client_key(&test_client_key2, &test_metadata,
732  test_wrapped_client_key, &server_key));
733  secure_memzero(&test_client_key2, sizeof(test_client_key2));
734  free_buf(&test_wrapped_client_key);
735 
736 cleanup:
737  secure_memzero(&client_key, sizeof(client_key));
738  free_key_ctx(&server_key);
739  buf_clear(&client_key_pem);
740  buf_clear(&dst);
741 
742  gc_free(&gc);
743 }
const char * tls_crypt_v2_srv_pem_name
Definition: tls_crypt.c:43
#define D_CRYPT_ERRORS
Definition: errlevel.h:58
Security parameter state for processing data channel packets.
Definition: crypto.h:232
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
#define CO_PACKET_ID_LONG_FORM
Bit-flag indicating whether to use OpenVPN&#39;s long packet ID format.
Definition: crypto.h:245
#define CRYPT_ERROR(format)
Definition: crypto.h:261
const char * tmp_dir
Definition: ssl_common.h:320
struct env_set * env_set_create(struct gc_arena *gc)
Definition: env_set.c:158
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
Definition: crypto.h:238
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:894
uint8_t hmac_length
HMAC length, in bytes.
Definition: crypto.h:142
#define TLS_CRYPT_TAG_SIZE
Definition: tls_crypt.h:89
void free_buf(struct buffer *buf)
Definition: buffer.c:185
#define D_TLS_DEBUG_LOW
Definition: errlevel.h:77
unsigned int flags
Bit-flags determining behavior of security operation functions.
Definition: crypto.h:257
static int buf_len(const struct buffer *buf)
Definition: buffer.h:240
#define D_TLS_DEBUG
Definition: errlevel.h:160
#define D_CRYPTO_DEBUG
Definition: errlevel.h:145
struct key keys[2]
Two unidirectional sets of key material.
Definition: crypto.h:185
struct buffer tls_crypt_v2_metadata
Received from client.
Definition: ssl_common.h:232
struct argv argv_new(void)
Definition: argv.c:52
void init_key_ctx(struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix)
Definition: crypto.c:821
const char * tls_crypt_v2_verify_script
Definition: ssl_common.h:309
#define streq(x, y)
Definition: options.h:642
static void secure_memzero(void *data, size_t len)
Securely zeroise memory.
Definition: buffer.h:401
static bool buf_advance(struct buffer *buf, int size)
Definition: buffer.h:639
Packet geometry parameters.
Definition: mtu.h:93
void crypto_read_openvpn_key(const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, const char *key_inline, const int key_direction, const char *key_name, const char *opt_name)
Definition: crypto.c:1177
int cipher_ctx_final(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len)
Pads the final cipher block using PKCS padding, and output to the destination buffer.
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:81
static bool tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key)
Definition: tls_crypt.c:402
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1023
static void frame_add_to_extra_frame(struct frame *frame, const unsigned int increment)
Definition: mtu.h:274
#define dmsg
Definition: error.h:174
#define D_TLS_ERRORS
Definition: errlevel.h:59
static bool buf_safe(const struct buffer *buf, int len)
Definition: buffer.h:541
static uint8_t * buf_write_alloc(struct buffer *buf, int size)
Definition: buffer.h:656
struct buffer alloc_buf(size_t size)
Definition: buffer.c:64
struct crypto_options opt
Crypto state.
Definition: ssl_common.h:227
#define TLS_CRYPT_OFF_TAG
Definition: tls_crypt.h:94
int cipher_ctx_reset(cipher_ctx_t *ctx, const uint8_t *iv_buf)
Resets the given cipher context, setting the IV to the specified value.
static char * format_hex(const uint8_t *data, int size, int maxoutput, struct gc_arena *gc)
Definition: buffer.h:526
#define D_GENKEY
Definition: errlevel.h:79
void setenv_str(struct env_set *es, const char *name, const char *value)
Definition: env_set.c:285
static int buf_read_u8(struct buffer *buf)
Definition: buffer.h:812
static void tls_crypt_v2_load_client_key(struct key_ctx_bi *key, const struct key2 *key2, bool tls_server)
Definition: tls_crypt.c:282
#define TLS_CRYPT_V2_MAX_WKC_LEN
Definition: tls_crypt.h:97
bool packet_id_read(struct packet_id_net *pin, struct buffer *buf, bool long_form)
Definition: packet_id.c:301
bool buffer_write_file(const char *filename, const struct buffer *buf)
Write buffer contents to file.
Definition: buffer.c:372
#define ASSERT(x)
Definition: error.h:221
static bool packet_id_initialized(const struct packet_id *pid)
Is this struct packet_id initialized?
Definition: packet_id.h:274
bool platform_unlink(const char *filename)
Definition: platform.c:287
#define TLS_CRYPT_BLOCK_SIZE
Definition: tls_crypt.h:91
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:75
static bool buf_read(struct buffer *src, void *dest, int size)
Definition: buffer.h:800
int offset
Offset in bytes of the actual content within the allocated memory.
Definition: buffer.h:64
#define BCAP(buf)
Definition: buffer.h:130
int capacity
Size in bytes of memory allocated by malloc().
Definition: buffer.h:62
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
bool cleanup_key_ctx
opt.key_ctx_bi is owned by this context
Definition: ssl_common.h:233
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
bool packet_id_write(struct packet_id_send *p, struct buffer *buf, bool long_form, bool prepend)
Write a packet ID to buf, and update the packet ID state.
Definition: packet_id.c:349
bool read_pem_key_file(struct buffer *key, const char *pem_name, const char *key_file, const char *key_inline)
Read key material from a PEM encoded files into the key structure.
Definition: crypto.c:1913
#define BPTR(buf)
Definition: buffer.h:124
#define KEY_DIRECTION_NORMAL
Definition: crypto.h:174
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wkc_buf, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:297
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:220
void crypto_clear_error(void)
bool openvpn_snprintf(char *str, size_t size, const char *format,...)
Definition: buffer.c:299
int md_kt_size(const md_kt_t *kt)
Returns the size of the message digest, in bytes.
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
#define TLS_CRYPT_OFF_PID
Definition: tls_crypt.h:93
static struct key_type tls_crypt_kt(void)
Definition: tls_crypt.c:51
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
static struct gc_arena gc_new(void)
Definition: buffer.h:1015
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
time_t now
Definition: otime.c:36
static bool tls_crypt_v2_verify_metadata(const struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Definition: tls_crypt.c:511
uint8_t cipher_length
Cipher length, in bytes.
Definition: crypto.h:141
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
static void gc_init(struct gc_arena *a)
Definition: buffer.h:1002
#define KEY_DIRECTION_INVERSE
Definition: crypto.h:175
#define INLINE_FILE_TAG
Definition: common.h:95
int openvpn_base64_decode(const char *str, void *data, int size)
Definition: base64.c:160
cipher_ctx_t * cipher
Generic cipher context.
Definition: crypto.h:166
void write_pem_key_file(const char *filename, const char *pem_name)
Generate a server key with enough randomness to fill a key struct and write to file.
Definition: crypto.c:1857
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
void argv_msg_prefix(const int msglev, const struct argv *a, const char *prefix)
Definition: argv.c:214
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:221
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Definition: crypto.c:874
static int buf_forward_capacity(const struct buffer *buf)
Definition: buffer.h:562
int hmac_ctx_size(const hmac_ctx_t *ctx)
void buf_clear(struct buffer *buf)
Definition: buffer.c:164
const md_kt_t * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
void argv_parse_cmd(struct argv *a, const char *s)
Definition: argv.c:337
static bool buf_copy(struct buffer *dest, const struct buffer *src)
Definition: buffer.h:734
#define msg
Definition: error.h:173
hmac_ctx_t * hmac
Generic HMAC context.
Definition: crypto.h:167
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:911
#define CO_IGNORE_PACKET_ID
Bit-flag indicating whether to ignore the packet ID of a received packet.
Definition: crypto.h:248
int cipher_ctx_update(cipher_ctx_t *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)
Updates the given cipher context, encrypting data in the source buffer, and placing any complete bloc...
struct packet_id_send send
Definition: packet_id.h:207
#define htonll(x)
Definition: integer.h:30
int cipher_kt_key_size(const cipher_kt_t *cipher_kt)
Returns the size of keys used by the cipher, in bytes.
#define TLS_CRYPT_V2_CLIENT_KEY_LEN
Definition: tls_crypt.h:98
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:223
void env_set_destroy(struct env_set *es)
Definition: env_set.c:168
unsigned __int64 uint64_t
Definition: config-msvc.h:120
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:181
#define BLEN(buf)
Definition: buffer.h:127
void tls_crypt_adjust_frame_parameters(struct frame *frame)
Adjust frame parameters for –tls-crypt overhead.
Definition: tls_crypt.c:96
int cipher_ctx_block_size(const cipher_ctx_t *ctx)
Returns the block size of the cipher, in bytes.
#define D_HANDSHAKE
Definition: errlevel.h:72
static const uint8_t TLS_CRYPT_METADATA_TYPE_TIMESTAMP
Metadata contains a 64-bit unix timestamp in network byte order.
Definition: tls_crypt.c:48
__int64 int64_t
Definition: config-msvc.h:124
unsigned __int8 uint8_t
Definition: config-msvc.h:123
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *server_key_file, const char *server_key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
static bool buf_inc_len(struct buffer *buf, int inc)
Definition: buffer.h:611
const md_kt_t * digest
Message digest static parameters.
Definition: crypto.h:144
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:234
#define TLS_CRYPT_V2_MAX_METADATA_LEN
Definition: tls_crypt.h:101
#define TLS_CRYPT_OFF_CT
Definition: tls_crypt.h:95
#define D_MTU_DEBUG
Definition: errlevel.h:123
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
#define TLS_CRYPT_V2_MAX_B64_METADATA_LEN
Definition: tls_crypt.h:104
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:570
#define D_TLS_DEBUG_MED
Definition: errlevel.h:152
#define TLS_CRYPT_V2_TAG_SIZE
Definition: tls_crypt.h:100
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
static int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
Definition: crypto.h:532
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
#define M_WARN
Definition: error.h:96
unsigned __int16 uint16_t
Definition: config-msvc.h:122
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:632
const char * platform_create_temp_file(const char *directory, const char *prefix, struct gc_arena *gc)
Create a temporary file in directory, returns the filename of the created file.
Definition: platform.c:342
static bool tls_crypt_v2_wrap_client_key(struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc)
Definition: tls_crypt.c:345
void argv_reset(struct argv *a)
Definition: argv.c:60
char * dst
Definition: compat-lz4.h:455
#define BEND(buf)
Definition: buffer.h:125
Definition: argv.h:35
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition: buffer.h:318
const char * tls_crypt_v2_cli_pem_name
Definition: tls_crypt.c:42
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
const cipher_kt_t * cipher
Cipher static parameters.
Definition: crypto.h:143
struct key_ctx tls_crypt_v2_server_key
Decrypts client keys.
Definition: ssl_common.h:229
static bool openvpn_run_script(const struct argv *a, const struct env_set *es, const unsigned int flags, const char *hook)
Definition: run_command.h:57
static int packet_id_size(bool long_form)
Definition: packet_id.h:305
const cipher_kt_t * cipher_kt_get(const char *ciphername)
Return cipher parameters, based on the given cipher name.
void hmac_ctx_reset(hmac_ctx_t *ctx)
bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc)
Check packet ID for replay, and perform replay administration.
Definition: crypto.c:323
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:219
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
static const uint8_t TLS_CRYPT_METADATA_TYPE_USER
Metadata contains user-specified data.
Definition: tls_crypt.c:46
enum tls_wrap_ctx::@9 mode
Control channel wrapping mode.
#define D_PACKET_CONTENT
Definition: errlevel.h:163