#include "crypto_backend.h"
#include "basic.h"
#include "buffer.h"
#include "packet_id.h"
#include "mtu.h"
Data Structures | |
struct | sha256_digest |
Wrapper struct to pass around SHA256 digests. More... | |
struct | key_type |
struct | key |
Container for unidirectional cipher and HMAC key material. More... | |
struct | key_ctx |
Container for one set of cipher and/or HMAC contexts. More... | |
struct | key2 |
Container for bidirectional cipher and HMAC key material. More... | |
struct | key_direction_state |
Key ordering of the key2.keys array. More... | |
struct | key_ctx_bi |
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directions. More... | |
struct | crypto_options |
Security parameter state for processing data channel packets. More... | |
Macros | |
#define | KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */ |
#define | KEY_DIRECTION_NORMAL 1 /* encrypt with keys[0], decrypt with keys[1] */ |
#define | KEY_DIRECTION_INVERSE 2 /* encrypt with keys[1], decrypt with keys[0] */ |
#define | CO_PACKET_ID_LONG_FORM (1<<0) |
Bit-flag indicating whether to use OpenVPN's long packet ID format. More... | |
#define | CO_IGNORE_PACKET_ID (1<<1) |
Bit-flag indicating whether to ignore the packet ID of a received packet. More... | |
#define | CO_MUTE_REPLAY_WARNINGS (1<<2) |
Bit-flag indicating not to display replay warnings. More... | |
#define | CO_USE_TLS_KEY_MATERIAL_EXPORT (1<<3) |
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC5705]. More... | |
#define | CRYPT_ERROR(format) do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) |
#define | OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8) |
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV. More... | |
#define | RKF_MUST_SUCCEED (1<<0) |
#define | RKF_INLINE (1<<1) |
#define | NONCE_SECRET_LEN_MIN 16 |
#define | NONCE_SECRET_LEN_MAX 64 |
#define | PRNG_NONCE_RESET_BYTES 1024 |
Number of bytes of random to allow before resetting the nonce. More... | |
Functions | |
void | read_key_file (struct key2 *key2, const char *file, const unsigned int flags) |
int | write_key_file (const int nkeys, const char *filename) |
Write nkeys 1024-bit keys to file. More... | |
void | generate_key_random (struct key *key, const struct key_type *kt) |
void | check_replay_consistency (const struct key_type *kt, bool packet_id) |
bool | check_key (struct key *key, const struct key_type *kt) |
void | fixup_key (struct key *key, const struct key_type *kt) |
bool | write_key (const struct key *key, const struct key_type *kt, struct buffer *buf) |
int | read_key (struct key *key, const struct key_type *kt, struct buffer *buf) |
void | init_key_type (struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn) |
Initialize a key_type structure with the given cipher and HMAC digest. More... | |
void | init_key_ctx (struct key_ctx *ctx, const struct key *key, const struct key_type *kt, int enc, const char *prefix) |
void | free_key_ctx (struct key_ctx *ctx) |
void | init_key_ctx_bi (struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) |
void | free_key_ctx_bi (struct key_ctx_bi *ctx) |
bool | crypto_check_replay (struct crypto_options *opt, const struct packet_id_net *pin, const char *error_prefix, struct gc_arena *gc) |
Check packet ID for replay, and perform replay administration. More... | |
void | crypto_adjust_frame_parameters (struct frame *frame, const struct key_type *kt, bool packet_id, bool packet_id_long_form) |
Calculate crypto overhead and adjust frame to account for that. More... | |
unsigned int | crypto_max_overhead (void) |
Return the worst-case OpenVPN crypto overhead (in bytes). More... | |
void | write_pem_key_file (const char *filename, const char *key_name) |
Generate a server key with enough randomness to fill a key struct and write to file. More... | |
bool | generate_ephemeral_key (struct buffer *key, const char *pem_name) |
Generate ephemeral key material into the key structure. More... | |
bool | read_pem_key_file (struct buffer *key, const char *pem_name, const char *key_file, bool key_inline) |
Read key material from a PEM encoded file into the key structure. More... | |
void | prng_init (const char *md_name, const int nonce_secret_len_parm) |
Pseudo-random number generator initialisation. More... | |
void | prng_bytes (uint8_t *output, int len) |
void | prng_uninit (void) |
long int | get_random (void) |
void | print_cipher (const cipher_kt_t *cipher) |
Print a cipher list entry. More... | |
void | test_crypto (struct crypto_options *co, struct frame *f) |
void | key_direction_state_init (struct key_direction_state *kds, int key_direction) |
void | verify_fix_key2 (struct key2 *key2, const struct key_type *kt, const char *shared_secret_file) |
void | must_have_n_keys (const char *filename, const char *option, const struct key2 *key2, int n) |
int | ascii2keydirection (int msglevel, const char *str) |
const char * | keydirection2ascii (int kd, bool remote, bool humanreadable) |
void | key2_print (const struct key2 *k, const struct key_type *kt, const char *prefix0, const char *prefix1) |
void | crypto_read_openvpn_key (const struct key_type *key_type, struct key_ctx_bi *ctx, const char *key_file, bool key_inline, const int key_direction, const char *key_name, const char *opt_name) |
int | memcmp_constant_time (const void *a, const void *b, size_t size) |
As memcmp(), but constant-time. More... | |
static bool | key_ctx_bi_defined (const struct key_ctx_bi *key) |
const char * | print_key_filename (const char *str, bool is_inline) |
To be used when printing a string that may contain inline data. More... | |
Functions for performing security operations on data channel packets | |
void | openvpn_encrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt) |
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote OpenVPN peer. More... | |
bool | openvpn_decrypt (struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start) |
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer. More... | |
#define CO_IGNORE_PACKET_ID (1<<1) |
Bit-flag indicating whether to ignore the packet ID of a received packet.
This flag is used during processing of the first packet received from a client.
Definition at line 248 of file crypto.h.
Referenced by openvpn_decrypt_v1(), tls_auth_standalone_init(), tls_crypt_ignore_replay(), and tls_crypt_unwrap().
#define CO_MUTE_REPLAY_WARNINGS (1<<2) |
Bit-flag indicating not to display replay warnings.
Definition at line 254 of file crypto.h.
Referenced by crypto_check_replay(), do_init_crypto_static(), and do_init_crypto_tls().
#define CO_PACKET_ID_LONG_FORM (1<<0) |
Bit-flag indicating whether to use OpenVPN's long packet ID format.
Definition at line 245 of file crypto.h.
Referenced by crypto_check_replay(), do_init_crypto_static(), do_init_crypto_tls(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls_crypt_v2_extract_client_key(), and tls_session_update_crypto_params_do_work().
#define CO_USE_TLS_KEY_MATERIAL_EXPORT (1<<3) |
Bit-flag indicating that data channel key derivation is done using TLS keying material export [RFC5705].
Definition at line 257 of file crypto.h.
Referenced by add_option(), generate_key_expansion(), multi_client_set_protocol_options(), p2p_mode_ncp(), p2p_ncp_set_options(), and prepare_push_reply().
#define CRYPT_ERROR | ( | format | ) | do { msg(D_CRYPT_ERRORS, "%s: " format, error_prefix); goto error_exit; } while (false) |
Definition at line 265 of file crypto.h.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), tls_crypt_unwrap(), and tls_crypt_v2_unwrap_client_key().
#define KEY_DIRECTION_BIDIRECTIONAL 0 /* same keys for both directions */ |
Definition at line 173 of file crypto.h.
Referenced by add_option(), ascii2keydirection(), init_options(), key_direction_state_init(), keydirection2ascii(), test_tls_crypt_v2_setup(), and tls_crypt_v2_wrap_unwrap_wrong_key().
#define KEY_DIRECTION_INVERSE 2 /* encrypt with keys[1], decrypt with keys[0] */ |
Definition at line 175 of file crypto.h.
Referenced by ascii2keydirection(), init_key_contexts(), key_direction_state_init(), keydirection2ascii(), tls_crypt_init_key(), and tls_crypt_v2_load_client_key().
#define KEY_DIRECTION_NORMAL 1 /* encrypt with keys[0], decrypt with keys[1] */ |
Definition at line 174 of file crypto.h.
Referenced by ascii2keydirection(), init_key_contexts(), key_direction_state_init(), keydirection2ascii(), tls_crypt_init_key(), and tls_crypt_v2_load_client_key().
#define NONCE_SECRET_LEN_MAX 64 |
Definition at line 463 of file crypto.h.
Referenced by add_option(), and prng_init().
#define NONCE_SECRET_LEN_MIN 16 |
Definition at line 460 of file crypto.h.
Referenced by add_option(), and prng_init().
#define OPENVPN_AEAD_MIN_IV_LEN (sizeof(packet_id_type) + 8) |
Minimal IV length for AEAD mode ciphers (in bytes): 4-byte packet id + 8 bytes implicit IV.
Definition at line 272 of file crypto.h.
Referenced by key_ctx_update_implicit_iv(), openvpn_encrypt_aead(), and test_crypto().
#define PRNG_NONCE_RESET_BYTES 1024 |
Number of bytes of random to allow before resetting the nonce.
Definition at line 466 of file crypto.h.
Referenced by prng_bytes().
#define RKF_INLINE (1<<1) |
Definition at line 275 of file crypto.h.
Referenced by crypto_read_openvpn_key(), and read_key_file().
#define RKF_MUST_SUCCEED (1<<0) |
Definition at line 274 of file crypto.h.
Referenced by crypto_read_openvpn_key(), and read_key_file().
int ascii2keydirection | ( | int | msglevel, |
const char * | str | ||
) |
Definition at line 1505 of file crypto.c.
References KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, and msg.
Referenced by add_option().
Definition at line 929 of file crypto.c.
References key_type::cipher, key::cipher, key_type::cipher_length, key_des_check(), key_des_num_cblocks(), and key_is_zero().
Referenced by generate_key_expansion(), generate_key_random(), and verify_fix_key2().
void check_replay_consistency | ( | const struct key_type * | kt, |
bool | packet_id | ||
) |
Definition at line 999 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_mode_aead(), cipher_kt_mode_ofb_cfb(), M_FATAL, and msg.
Referenced by do_init_crypto_static(), and do_init_crypto_tls().
void crypto_adjust_frame_parameters | ( | struct frame * | frame, |
const struct key_type * | kt, | ||
bool | packet_id, | ||
bool | packet_id_long_form | ||
) |
Calculate crypto overhead and adjust frame to account for that.
Definition at line 682 of file crypto.c.
References key_type::cipher, cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_mode_aead(), cipher_kt_tag_size(), D_MTU_DEBUG, frame_add_to_extra_frame(), key_type::hmac_length, msg, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls(), and tls_session_update_crypto_params_do_work().
bool crypto_check_replay | ( | struct crypto_options * | opt, |
const struct packet_id_net * | pin, | ||
const char * | error_prefix, | ||
struct gc_arena * | gc | ||
) |
Check packet ID for replay, and perform replay administration.
opt | Crypto options for this packet, contains replay state. |
pin | Packet ID read from packet. |
error_prefix | Prefix to use when printing error messages. |
gc | Garbage collector to use. |
Definition at line 319 of file crypto.c.
References CO_MUTE_REPLAY_WARNINGS, CO_PACKET_ID_LONG_FORM, D_REPLAY_ERRORS, crypto_options::flags, msg, crypto_options::packet_id, packet_id_add(), packet_id_net_print(), packet_id_persist_save_obj(), packet_id_reap_test(), packet_id_test(), crypto_options::pid_persist, and packet_id::rec.
Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), and tls_crypt_unwrap().
unsigned int crypto_max_overhead | ( | void | ) |
Return the worst-case OpenVPN crypto overhead (in bytes).
Definition at line 716 of file crypto.c.
References max_int(), OPENVPN_AEAD_TAG_LENGTH, OPENVPN_MAX_CIPHER_BLOCK_SIZE, OPENVPN_MAX_HMAC_SIZE, OPENVPN_MAX_IV_LENGTH, and packet_id_size().
Referenced by calc_options_string_link_mtu(), do_init_crypto_tls(), and tls_session_update_crypto_params_do_work().
void crypto_read_openvpn_key | ( | const struct key_type * | key_type, |
struct key_ctx_bi * | ctx, | ||
const char * | key_file, | ||
bool | key_inline, | ||
const int | key_direction, | ||
const char * | key_name, | ||
const char * | opt_name | ||
) |
Definition at line 1179 of file crypto.c.
References flags, init_key_ctx_bi(), key_direction_state_init(), M_ERR, msg, must_have_n_keys(), key2::n, key_direction_state::need_keys, print_key_filename(), read_key_file(), RKF_INLINE, RKF_MUST_SUCCEED, secure_memzero(), and verify_fix_key2().
Referenced by do_init_crypto_static(), do_init_tls_wrap_key(), and tls_crypt_init_key().
Definition at line 968 of file crypto.c.
References check_debug_level(), key_type::cipher, key::cipher, key_type::cipher_length, D_CRYPTO_DEBUG, dmsg, format_hex(), gc_free(), gc_new(), key_des_fixup(), and key_des_num_cblocks().
Referenced by generate_key_expansion_openvpn_prf(), generate_key_random(), and verify_fix_key2().
void free_key_ctx | ( | struct key_ctx * | ctx | ) |
Definition at line 887 of file crypto.c.
References key_ctx::cipher, cipher_ctx_free(), key_ctx::hmac, hmac_ctx_cleanup(), hmac_ctx_free(), and key_ctx::implicit_iv_len.
Referenced by auth_token_fail_invalid_key(), auth_token_test_key_load(), auth_token_test_random_keys(), do_close_free_key_schedule(), free_key_ctx_bi(), key_schedule_free(), teardown(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_write_client_key_file().
void free_key_ctx_bi | ( | struct key_ctx_bi * | ctx | ) |
Definition at line 904 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, and free_key_ctx().
Referenced by do_close_free_key_schedule(), key_schedule_free(), key_state_free(), test_tls_crypt_teardown(), test_tls_crypt_v2_teardown(), tls_crypt_v2_wrap_unwrap_wrong_key(), tls_crypt_v2_write_client_key_file(), tls_pre_decrypt_lite(), and tls_wrap_free().
bool generate_ephemeral_key | ( | struct buffer * | key, |
const char * | pem_name | ||
) |
Generate ephemeral key material into the key structure.
key | the key structure that will hold the key material |
pem_name | the name used for logging |
Definition at line 1905 of file crypto.c.
References BCAP, BEND, buf_inc_len(), buffer::len, M_INFO, M_WARN, msg, and rand_bytes().
Referenced by auth_token_init_secret().
Definition at line 1015 of file crypto.c.
References check_key(), key_type::cipher, key::cipher, key_type::cipher_length, CLEAR, D_SHOW_KEY_SOURCE, key_type::digest, dmsg, fixup_key(), format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, M_FATAL, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, msg, and rand_bytes().
Referenced by write_key_file().
long int get_random | ( | void | ) |
Definition at line 1775 of file crypto.c.
References prng_bytes().
Referenced by check_send_occ_msg_dowork(), check_timeout_random_component_dowork(), do_init_crypto_tls(), fragment_init(), gen_nonce(), hash_iterator_delete_element(), init_connection_list(), multi_init(), packet_id_add(), platform_create_temp_file(), route_quota_exceeded(), and schedule_remove_entry().
void init_key_ctx | ( | struct key_ctx * | ctx, |
const struct key * | key, | ||
const struct key_type * | kt, | ||
int | enc, | ||
const char * | prefix | ||
) |
Definition at line 819 of file crypto.c.
References key_type::cipher, key::cipher, key_ctx::cipher, cipher_ctx_init(), cipher_ctx_new(), cipher_kt_block_size(), cipher_kt_iv_size(), cipher_kt_name(), key_type::cipher_length, CLEAR, D_CRYPTO_DEBUG, D_HANDSHAKE, D_SHOW_KEYS, key_type::digest, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_ctx::hmac, hmac_ctx_init(), hmac_ctx_new(), hmac_ctx_size(), key_type::hmac_length, md_kt_name(), md_kt_size(), msg, and warn_insecure_key_type().
Referenced by auth_token_fail_invalid_key(), auth_token_init_secret(), init_key_ctx_bi(), setup(), test_tls_crypt_setup(), tls_crypt_fail_invalid_key(), and tls_crypt_v2_init_server_key().
void init_key_ctx_bi | ( | struct key_ctx_bi * | ctx, |
const struct key2 * | key2, | ||
int | key_direction, | ||
const struct key_type * | kt, | ||
const char * | name | ||
) |
Definition at line 867 of file crypto.c.
References key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_direction_state::in_key, init_key_ctx(), key_ctx_bi::initialized, key_direction_state_init(), key2::keys, OPENVPN_OP_DECRYPT, OPENVPN_OP_ENCRYPT, openvpn_snprintf(), and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), init_key_contexts(), test_tls_crypt_v2_setup(), tls_crypt_v2_load_client_key(), and tls_crypt_v2_wrap_unwrap_wrong_key().
void init_key_type | ( | struct key_type * | kt, |
const char * | ciphername, | ||
const char * | authname, | ||
bool | tls_mode, | ||
bool | warn | ||
) |
Initialize a key_type structure with the given cipher and HMAC digest.
kt | The struct key_type to initialize |
ciphername | The name of the cipher to use |
authname | The name of the HMAC digest to use |
tls_mode | Specifies whether we are running in TLS mode, which allows more ciphers than static key mode. |
warn | Print warnings when null cipher / auth is used. |
Definition at line 741 of file crypto.c.
References ASSERT, key_type::cipher, cipher_kt_block_size(), cipher_kt_get(), cipher_kt_key_size(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), key_type::cipher_length, CLEAR, key_type::digest, ENABLE_OFB_CFB_MODE, key_type::hmac_length, M_FATAL, M_WARN, md_kt_get(), md_kt_size(), msg, OPENVPN_MAX_CIPHER_BLOCK_SIZE, and warn_insecure_key_type().
Referenced by calc_options_string_link_mtu(), do_init_crypto_static(), do_init_crypto_tls_c1(), options_string(), and tls_session_update_crypto_params_do_work().
void key2_print | ( | const struct key2 * | k, |
const struct key_type * | kt, | ||
const char * | prefix0, | ||
const char * | prefix1 | ||
) |
Definition at line 1059 of file crypto.c.
References ASSERT, key::cipher, key_type::cipher_length, D_SHOW_KEY_SOURCE, dmsg, format_hex(), gc_free(), gc_new(), key::hmac, key_type::hmac_length, key2::keys, and key2::n.
Referenced by generate_key_expansion().
inline static
Definition at line 539 of file crypto.h.
References key_ctx::cipher, key_ctx_bi::decrypt, key_ctx_bi::encrypt, key_ctx::hmac, and print_key_filename().
Referenced by do_init_crypto_static().
void key_direction_state_init | ( | struct key_direction_state * | kds, |
int | key_direction | ||
) |
Definition at line 1557 of file crypto.c.
References ASSERT, CLEAR, key_direction_state::in_key, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, key_direction_state::need_keys, and key_direction_state::out_key.
Referenced by crypto_read_openvpn_key(), and init_key_ctx_bi().
const char* keydirection2ascii | ( | int | kd, |
bool | remote, | ||
bool | humanreadable | ||
) |
Definition at line 1528 of file crypto.c.
References ASSERT, KEY_DIRECTION_BIDIRECTIONAL, KEY_DIRECTION_INVERSE, and KEY_DIRECTION_NORMAL.
Referenced by options_string(), show_connection_entry(), and show_settings().
int memcmp_constant_time | ( | const void * | a, |
const void * | b, | ||
size_t | size | ||
) |
As memcmp(), but constant-time.
Returns 0 when data is equal, non-zero otherwise.
Definition at line 1071 of file crypto_openssl.c.
References SSL_CTX_get_default_passwd_cb(), and SSL_CTX_get_default_passwd_cb_userdata().
Referenced by check_hmac_token(), is_auth_token(), openvpn_decrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), verify_auth_token(), and verify_cert().
void must_have_n_keys | ( | const char * | filename, |
const char * | option, | ||
const struct key2 * | key2, | ||
int | n | ||
) |
void print_cipher | ( | const cipher_kt_t * | cipher | ) |
Print a cipher list entry.
Definition at line 1787 of file crypto.c.
References cipher_kt_block_size(), cipher_kt_key_size(), cipher_kt_mode_cbc(), cipher_kt_name(), and cipher_kt_var_key_size().
Referenced by show_available_ciphers().
const char* print_key_filename | ( | const char * | str, |
bool | is_inline | ||
) |
To be used when printing a string that may contain inline data.
If "is_inline" is true, return the inline tag. If "is_inline" is false and "str" is not NULL, return "str". Return the constant string "[NULL]" otherwise.
str | the original string to return when is_inline is false |
is_inline | true when str contains an inline data of some sort |
Definition at line 1168 of file crypto.c.
References np().
Referenced by backend_tls_ctx_reload_crl(), crypto_read_openvpn_key(), key_ctx_bi_defined(), read_key_file(), tls_ctx_load_ca(), tls_ctx_load_dh_params(), tls_ctx_load_extra_certs(), and tls_ctx_load_priv_file().
void prng_bytes | ( | uint8_t * | output, |
int | len | ||
) |
Definition at line 1743 of file crypto.c.
References ASSERT, md_full(), md_kt_size(), min_int(), nonce_data, nonce_md, nonce_secret_len, PRNG_NONCE_RESET_BYTES, prng_reset_nonce(), and rand_bytes().
Referenced by get_random(), hostname_randomize(), init_static(), openvpn_encrypt_v1(), schedule_remove_entry(), and session_id_random().
void prng_init | ( | const char * | md_name, |
const int | nonce_secret_len_parm | ||
) |
Pseudo-random number generator initialisation.
(see prng_rand_bytes())
md_name | Name of the message digest to use |
nonce_secret_len_parm | Length of the nonce to use |
Definition at line 1715 of file crypto.c.
References ASSERT, check_malloc_return(), D_CRYPTO_DEBUG, dmsg, malloc, md_kt_get(), md_kt_name(), md_kt_size(), nonce_data, nonce_md, nonce_secret_len, NONCE_SECRET_LEN_MAX, NONCE_SECRET_LEN_MIN, prng_reset_nonce(), and prng_uninit().
Referenced by do_init_crypto_tls_c1(), and init_static().
void prng_uninit | ( | void | ) |
Definition at line 1734 of file crypto.c.
References free, nonce_data, nonce_md, and nonce_secret_len.
Referenced by free_ssl_lib(), init_static(), and prng_init().
Definition at line 1639 of file crypto.c.
References buf_read(), key::cipher, key_type::cipher_length, CLEAR, D_TLS_ERRORS, key::hmac, key_type::hmac_length, and msg.
void read_key_file | ( | struct key2 * | key2, |
const char * | file, | ||
const unsigned int | flags | ||
) |
Definition at line 1226 of file crypto.c.
References ASSERT, buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), CLEAR, buffer::data, format_hex_ex(), gc_free(), gc_new(), key2::keys, buffer::len, M_FATAL, M_INFO, msg, key2::n, PARSE_DATA, PARSE_DATA_COMPLETE, PARSE_FINISHED, PARSE_FOOT, PARSE_HEAD, PARSE_INITIAL, print_key_filename(), printable_char_fmt, RKF_INLINE, RKF_MUST_SUCCEED, SIZE, static_key_foot, static_key_head, and unprintable_char_fmt.
Referenced by crypto_read_openvpn_key().
bool read_pem_key_file | ( | struct buffer * | key, |
const char * | pem_name, | ||
const char * | key_file, | ||
bool | key_inline | ||
) |
Read key material from a PEM encoded file into the key structure.
key | the key structure that will hold the key material |
pem_name | the name used in the pem encoding start/end lines |
key_file | name of the file to read or the key itself if key_inline is true |
key_inline | True if key_file contains an inline key, False otherwise. |
Definition at line 1923 of file crypto.c.
References buf_clear(), buf_set_read(), buf_valid(), buffer_read_from_file(), crypto_pem_decode(), gc_free(), gc_new(), M_WARN, and msg.
Referenced by auth_token_init_secret(), tls_crypt_v2_init_client_key(), and tls_crypt_v2_init_server_key().
void test_crypto | ( | struct crypto_options * | co, |
struct frame * | f | ||
) |
Definition at line 1082 of file crypto.c.
References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_init, BUF_SIZE, buf_write_alloc(), buffer::capacity, key_ctx::cipher, cipher_ctx_get_cipher_kt(), cipher_kt_iv_size(), cipher_kt_mode_aead(), clear_buf(), key_ctx_bi::decrypt, key_ctx_bi::encrypt, FRAME_HEADROOM, gc_free(), gc_new(), key_ctx::implicit_iv, key_ctx::implicit_iv_len, crypto_options::key_ctx_bi, buffer::len, M_FATAL, M_INFO, msg, OPENVPN_AEAD_MIN_IV_LEN, openvpn_decrypt(), openvpn_encrypt(), OPENVPN_MAX_IV_LENGTH, PACKAGE_NAME, rand_bytes(), TUN_MTU_SIZE, and update_time().
Referenced by show_settings(), and test_crypto_thread().
void verify_fix_key2 | ( | struct key2 * | key2, |
const struct key_type * | kt, | ||
const char * | shared_secret_file | ||
) |
Definition at line 1586 of file crypto.c.
References check_key(), fixup_key(), key2::keys, M_FATAL, msg, and key2::n.
Referenced by crypto_read_openvpn_key().
Definition at line 1606 of file crypto.c.
References ASSERT, buf_write(), key::cipher, key_type::cipher_length, key::hmac, key_type::hmac_length, MAX_CIPHER_KEY_LENGTH, and MAX_HMAC_KEY_LENGTH.
int write_key_file | ( | const int | nkeys, |
const char * | filename | ||
) |
Write nkeys 1024-bit keys to file.
Definition at line 1429 of file crypto.c.
References alloc_buf_gc(), BLEN, BPTR, buf_clear(), buf_printf(), buffer_write_file(), format_hex_ex(), gc_free(), gc_new(), generate_key_random(), secure_memzero(), static_key_foot, and static_key_head.
Referenced by do_genkey().
void write_pem_key_file | ( | const char * | filename, |
const char * | key_name | ||
) |
Generate a server key with enough randomness to fill a key struct and write to file.
filename | Filename of the server key file to create. |
key_name | The name to use in the PEM header/footer. |
Definition at line 1867 of file crypto.c.
References BLEN, BPTR, buf_clear(), buf_set_read(), buffer_write_file(), clear_buf(), crypto_pem_encode(), gc_free(), gc_new(), M_ERR, M_NONFATAL, M_WARN, msg, rand_bytes(), and secure_memzero().
Referenced by auth_token_write_server_key_file(), and tls_crypt_v2_write_server_key_file().