1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
80 #ifndef TLSCRYPT_H
81 #define TLSCRYPT_H
82 
83 #include "base64.h"
84 #include "buffer.h"
85 #include "crypto.h"
86 #include "session_id.h"
87 #include "ssl_common.h"
88 
/*
 * Packet layout constants for --tls-crypt control channel packets.
 * Sizes are in bytes: the authentication tag is 256 bits wide and the
 * cipher block 128 bits.  Which MAC and cipher produce these sizes is not
 * visible from this header -- see tls_crypt.c.
 */
#define TLS_CRYPT_TAG_SIZE (256/8)
/* Replay-protection packet id: a packet sequence number followed by a
 * network-order timestamp (tls_crypt_unwrap() performs the replay check). */
#define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
#define TLS_CRYPT_BLOCK_SIZE (128/8)

/* Offsets into a wrapped packet.  One leading byte (presumably the
 * opcode/key-id byte) and the session id come first, then the packet id,
 * the tag, and finally the ciphertext. */
#define TLS_CRYPT_OFF_PID (1 + SID_SIZE)
#define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE)
#define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)

/*
 * tls-crypt-v2 constants.  A wrapped client key (WKC) arrives in the
 * client's P_CONTROL_HARD_RESET_CLIENT_V3 message, i.e. presumably before
 * any peer authentication has happened, so TLS_CRYPT_V2_MAX_WKC_LEN is the
 * upper bound on how much of that untrusted data may form a valid WKC.
 */
#define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
#define TLS_CRYPT_V2_CLIENT_KEY_LEN (2048 / 8)
#define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
#define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
/* Room left in a maximum-size WKC after the client key, the tag and a
 * 16-bit length field. */
#define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
    - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
    + sizeof(uint16_t)))
/* Maximum base64 length of user-supplied metadata.  The "- 1" presumably
 * reserves one byte of the metadata field -- confirm in tls_crypt.c. */
#define TLS_CRYPT_V2_MAX_B64_METADATA_LEN \
    OPENVPN_BASE64_LENGTH(TLS_CRYPT_V2_MAX_METADATA_LEN - 1)
106 
/**
 * Initialize a key_ctx_bi structure for use with --tls-crypt.
 *
 * @param key         The bidirectional key context to initialize.
 * @param key_file    Path of the tls-crypt key file.
 * @param key_inline  Inline key material; presumably used instead of
 *                    reading key_file when non-NULL -- confirm in tls_crypt.c.
 * @param tls_server  Whether this side is the TLS server; presumably selects
 *                    which key direction is used for sending.
 */
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
                        const char *key_inline, bool tls_server);
119 
/**
 * Returns the maximum overhead (in bytes) added to the destination buffer
 * by tls_crypt_wrap().
 */
int tls_crypt_buf_overhead(void);
125 
130 
/**
 * Wrap a control channel packet (both authenticates and encrypts the data).
 *
 * @param src  The plaintext control channel packet to wrap.
 * @param dst  Destination buffer for the wrapped packet; as far as this
 *             header shows, callers should size it for
 *             tls_crypt_buf_overhead() extra bytes.
 * @param opt  Security parameter state (keys, packet-id state) to wrap with.
 *
 * @returns true on success, false otherwise.
 */
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
                    struct crypto_options *opt);
144 
/**
 * Unwrap a control channel packet (decrypts, authenticates and performs
 * replay checks).
 *
 * @param src  The wrapped packet as received from the peer (untrusted).
 * @param dst  Destination buffer for the unwrapped plaintext.
 * @param opt  Security parameter state (keys, packet-id state) to unwrap with.
 *
 * @returns true if the packet was unwrapped successfully.  On false the
 *          contents of dst must not be trusted: authentication or the
 *          replay check did not pass, and the packet should be dropped.
 */
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
                      struct crypto_options *opt);
158 
/**
 * Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
 *
 * @param key_ctx     The key context to initialize.
 * @param encrypt     true to set the context up for encrypting (wrapping)
 *                    client keys, false for decrypting (unwrapping) them.
 * @param key_file    Path of the tls-crypt-v2 server key file.
 * @param key_inline  Inline key material; presumably used instead of
 *                    reading key_file when non-NULL -- confirm in tls_crypt.c.
 */
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
                                  const char *key_file, const char *key_inline);
170 
183  struct buffer *wrapped_key_buf,
184  const char *key_file,
185  const char *key_inline);
186 
/**
 * Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3
 * message, and load the key into the supplied tls-wrap context.
 *
 * The message comes from a peer that has not yet been authenticated, so
 * everything in buf is untrusted input.
 *
 * @param buf  Buffer holding the received P_CONTROL_HARD_RESET_CLIENT_V3
 *             message.
 * @param ctx  Control channel wrapping context that receives the client key.
 * @param opt  TLS options, presumably providing the server key used to
 *             unwrap the client key -- confirm in tls_crypt.c.
 *
 * @returns true if a client key was extracted and loaded; false otherwise,
 *          in which case the connection attempt should be rejected.
 */
bool tls_crypt_v2_extract_client_key(struct buffer *buf,
                                     struct tls_wrap_ctx *ctx,
                                     const struct tls_options *opt);
200 
/**
 * Generate a tls-crypt-v2 server key, and write to file.
 *
 * @param filename  Path of the file to write the generated key to.  The key
 *                  is a long-term secret; the file's permissions are the
 *                  caller's/operator's concern as far as this header shows.
 */
void tls_crypt_v2_write_server_key_file(const char *filename);
207 
/**
 * Generate a tls-crypt-v2 client key, and write to file.
 *
 * @param filename      Path of the file to write the generated client key to.
 * @param b64_metadata  Base64-encoded metadata to embed in the wrapped key;
 *                      presumably bounded by TLS_CRYPT_V2_MAX_B64_METADATA_LEN
 *                      -- confirm in tls_crypt.c.
 * @param key_file      Path of the tls-crypt-v2 server key used to wrap the
 *                      client key.
 * @param key_inline    Inline server key material; presumably used instead
 *                      of reading key_file when non-NULL.
 */
void tls_crypt_v2_write_client_key_file(const char *filename,
                                        const char *b64_metadata,
                                        const char *key_file,
                                        const char *key_inline);
222 
225 #endif /* TLSCRYPT_H */
Security parameter state for processing data channel packets.
Definition: crypto.h:232
Packet geometry parameters.
Definition: mtu.h:93
void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, const char *key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with --tls-crypt.
Definition: tls_crypt.c:81
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:75
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct buffer *wrapped_key_buf, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:297
Control channel wrapping (--tls-auth/--tls-crypt) context.
Definition: ssl_common.h:220
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, const char *key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:322
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:106
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:164
void tls_crypt_adjust_frame_parameters(struct frame *frame)
Adjust frame parameters for --tls-crypt overhead.
Definition: tls_crypt.c:96
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *key_file, const char *key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:638
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key into the supplied tls-wrap context.
Definition: tls_crypt.c:570
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:183
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:632
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directions.
Definition: crypto.h:219
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151