#include "crypto_openssl.h"
#include "basic.h"
#include "buffer.h"

Include dependency graph for crypto_backend.h:

This graph shows which files directly or indirectly include this file:

Data Structures
struct	cipher_name_pair
	Struct used in cipher name translation table. More...

Macros
#define	OPENVPN_AEAD_TAG_LENGTH 16

#define	OPENVPN_MAX_CIPHER_BLOCK_SIZE 32

#define	OPENVPN_MAX_HMAC_SIZE 64

#define	MAX_CIPHER_KEY_LENGTH 64

#define	MAX_HMAC_KEY_LENGTH 64

Enumerations
enum	hash_algo_type { MD_SHA1, MD_SHA256 }
	Types referencing specific message digest hashing algorithms. More...

Functions
void	crypto_init_lib (void)

void	crypto_uninit_lib (void)

void	crypto_clear_error (void)

void	crypto_init_lib_engine (const char *engine_name)

const char *	translate_cipher_name_from_openvpn (const char *cipher_name)
	Translate a data channel cipher name from the OpenVPN config file 'language' to the crypto library specific name. More...

void	show_available_ciphers (void)

void	show_available_digests (void)

void	show_available_engines (void)

bool	crypto_pem_encode (const char name, struct buffer dst, const struct buffer src, struct gc_arena gc)
	Encode binary data as PEM. More...

bool	crypto_pem_decode (const char name, struct buffer dst, const struct buffer *src)
	Decode a PEM buffer to binary data. More...

int	rand_bytes (uint8_t *output, int len)
	Wrapper for secure random number generator. More...

int	key_des_num_cblocks (const cipher_kt_t *kt)
	Return number of DES cblocks (1 cblock = length of a single-DES key) for the current key type or 0 if not a DES cipher. More...

bool	key_des_check (uint8_t *key, int key_len, int ndc)

void	key_des_fixup (uint8_t *key, int key_len, int ndc)

void	cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH], unsigned char src[DES_KEY_LENGTH], unsigned char dst[DES_KEY_LENGTH])
	Encrypt the given block, using DES ECB mode. More...

const cipher_kt_t *	cipher_kt_get (const char *ciphername)
	Return cipher parameters, based on the given cipher name. More...

const char *	cipher_kt_name (const cipher_kt_t *cipher_kt)
	Retrieve a string describing the cipher (e.g. More...

int	cipher_kt_key_size (const cipher_kt_t *cipher_kt)
	Returns the size of keys used by the cipher, in bytes. More...

int	cipher_kt_iv_size (const cipher_kt_t *cipher_kt)
	Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used. More...

int	cipher_kt_block_size (const cipher_kt_t *cipher_kt)
	Returns the block size of the cipher, in bytes. More...

int	cipher_kt_tag_size (const cipher_kt_t *cipher_kt)
	Returns the MAC tag size of the cipher, in bytes. More...

bool	cipher_kt_insecure (const cipher_kt_t *cipher)
	Returns true if we consider this cipher to be insecure. More...

int	cipher_kt_mode (const cipher_kt_t *cipher_kt)
	Returns the mode that the cipher runs in. More...

bool	cipher_kt_mode_cbc (const cipher_kt_t *cipher)
	Check if the supplied cipher is a supported CBC mode cipher. More...

bool	cipher_kt_mode_ofb_cfb (const cipher_kt_t *cipher)
	Check if the supplied cipher is a supported OFB or CFB mode cipher. More...

bool	cipher_kt_mode_aead (const cipher_kt_t *cipher)
	Check if the supplied cipher is a supported AEAD mode cipher. More...

cipher_ctx_t *	cipher_ctx_new (void)
	Generic cipher functions. More...

void	cipher_ctx_free (cipher_ctx_t *ctx)
	Cleanup and free a cipher context. More...

void	cipher_ctx_init (cipher_ctx_t ctx, const uint8_t key, int key_len, const cipher_kt_t *kt, int enc)
	Initialise a cipher context, based on the given key and key type. More...

int	cipher_ctx_iv_length (const cipher_ctx_t *ctx)
	Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used. More...

int	cipher_ctx_get_tag (cipher_ctx_t ctx, uint8_t tag, int tag_len)
	Gets the computed message authenticated code (MAC) tag for this cipher. More...

int	cipher_ctx_block_size (const cipher_ctx_t *ctx)
	Returns the block size of the cipher, in bytes. More...

int	cipher_ctx_mode (const cipher_ctx_t *ctx)
	Returns the mode that the cipher runs in. More...

const cipher_kt_t *	cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx)
	Returns the static cipher parameters for this context. More...

int	cipher_ctx_reset (cipher_ctx_t ctx, const uint8_t iv_buf)
	Resets the given cipher context, setting the IV to the specified value. More...

int	cipher_ctx_update_ad (cipher_ctx_t ctx, const uint8_t src, int src_len)
	Updates the given cipher context, providing additional data (AD) for authenticated encryption with additional data (AEAD) cipher modes. More...

int	cipher_ctx_update (cipher_ctx_t ctx, uint8_t dst, int dst_len, uint8_t src, int src_len)
	Updates the given cipher context, encrypting data in the source buffer, and placing any complete blocks in the destination buffer. More...

int	cipher_ctx_final (cipher_ctx_t ctx, uint8_t dst, int *dst_len)
	Pads the final cipher block using PKCS padding, and output to the destination buffer. More...

int	cipher_ctx_final_check_tag (cipher_ctx_t ctx, uint8_t dst, int dst_len, uint8_t tag, size_t tag_len)
	Like `cipher_ctx_final`, but check the computed authentication tag against the supplied (expected) tag. More...

const md_kt_t *	md_kt_get (const char *digest)
	Return message digest parameters, based on the given digest name. More...

const char *	md_kt_name (const md_kt_t *kt)
	Retrieve a string describing the digest digest (e.g. More...

unsigned char	md_kt_size (const md_kt_t *kt)
	Returns the size of the message digest, in bytes. More...

int	md_full (const md_kt_t kt, const uint8_t src, int src_len, uint8_t *dst)

md_ctx_t *	md_ctx_new (void)

void	md_ctx_free (md_ctx_t *ctx)

void	md_ctx_init (md_ctx_t ctx, const md_kt_t kt)

void	md_ctx_cleanup (md_ctx_t *ctx)

int	md_ctx_size (const md_ctx_t *ctx)

void	md_ctx_update (md_ctx_t ctx, const uint8_t src, int src_len)

void	md_ctx_final (md_ctx_t ctx, uint8_t dst)

hmac_ctx_t *	hmac_ctx_new (void)

void	hmac_ctx_free (hmac_ctx_t *ctx)

void	hmac_ctx_init (hmac_ctx_t ctx, const uint8_t key, int key_length, const md_kt_t *kt)

void	hmac_ctx_cleanup (hmac_ctx_t *ctx)

int	hmac_ctx_size (const hmac_ctx_t *ctx)

void	hmac_ctx_reset (hmac_ctx_t *ctx)

void	hmac_ctx_update (hmac_ctx_t ctx, const uint8_t src, int src_len)

void	hmac_ctx_final (hmac_ctx_t ctx, uint8_t dst)

const char *	translate_cipher_name_to_openvpn (const char *cipher_name)
	Translate a crypto library cipher name to an OpenVPN cipher name. More...

Variables
const cipher_name_pair	cipher_name_translation_table []
	Cipher name translation table. More...

const size_t	cipher_name_translation_table_count

Macro Definition Documentation

◆ MAX_CIPHER_KEY_LENGTH

#define MAX_CIPHER_KEY_LENGTH 64

Definition at line 222 of file crypto_backend.h.

Referenced by add_option(), cipher_kt_get(), generate_key_random(), init_key_type(), and write_key().

◆ MAX_HMAC_KEY_LENGTH

#define MAX_HMAC_KEY_LENGTH 64

Definition at line 500 of file crypto_backend.h.

Referenced by generate_key_random(), init_key_contexts(), md_kt_get(), openvpn_decrypt_v1(), protocol_dump(), tls1_P_hash(), and write_key().

◆ OPENVPN_AEAD_TAG_LENGTH

#define OPENVPN_AEAD_TAG_LENGTH 16

Definition at line 42 of file crypto_backend.h.

Referenced by cipher_kt_tag_size(), and crypto_max_overhead().

◆ OPENVPN_MAX_CIPHER_BLOCK_SIZE

#define OPENVPN_MAX_CIPHER_BLOCK_SIZE 32

Definition at line 45 of file crypto_backend.h.

Referenced by crypto_max_overhead(), and init_key_type().

◆ OPENVPN_MAX_HMAC_SIZE

#define OPENVPN_MAX_HMAC_SIZE 64

Definition at line 48 of file crypto_backend.h.

Referenced by crypto_max_overhead().

Enumeration Type Documentation

◆ hash_algo_type

enum hash_algo_type

Types referencing specific message digest hashing algorithms.

Enumerator
MD_SHA1
MD_SHA256

Definition at line 51 of file crypto_backend.h.

Function Documentation

◆ cipher_ctx_block_size()

int cipher_ctx_block_size ( const cipher_ctx_t * ctx )

Returns the block size of the cipher, in bytes.

Parameters

ctx	The cipher's context

Returns: Block size, in bytes, or 0 if ctx was NULL.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), and tls_crypt_v2_wrap_client_key().

◆ cipher_ctx_final()

int cipher_ctx_final	(	cipher_ctx_t *	ctx,
		uint8_t *	dst,
		int *	dst_len
	)

Pads the final cipher block using PKCS padding, and output to the destination buffer.

Parameters

ctx	Cipher's context. May not be NULL.
dst	Destination buffer
dst_len	Length of the destination buffer, in bytes

Returns: 0 on failure, 1 on success.

Referenced by openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_final_check_tag()

int cipher_ctx_final_check_tag	(	cipher_ctx_t *	ctx,
		uint8_t *	dst,
		int *	dst_len,
		uint8_t *	tag,
		size_t	tag_len
	)

Like cipher_ctx_final, but check the computed authentication tag against the supplied (expected) tag.

This function reports failure when the tags don't match.

Parameters

ctx	Cipher's context. May not be NULL.
dst	Destination buffer.
dst_len	Length of the destination buffer, in bytes.
tag	The expected authentication tag.
tag_len	The length of tag, in bytes.

Returns: 0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead().

◆ cipher_ctx_free()

void cipher_ctx_free ( cipher_ctx_t * ctx )

Cleanup and free a cipher context.

Parameters

ctx	Cipher context.

Referenced by free_key_ctx().

◆ cipher_ctx_get_cipher_kt()

const cipher_kt_t* cipher_ctx_get_cipher_kt ( const cipher_ctx_t * ctx )

Returns the static cipher parameters for this context.

Parameters

ctx	Cipher's context.

Returns: Static cipher parameters for the supplied context, or NULL if unable to determine cipher parameters.

Definition at line 815 of file crypto_openssl.c.

Referenced by key_ctx_update_implicit_iv(), openvpn_decrypt(), openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), and test_crypto().

◆ cipher_ctx_get_tag()

int cipher_ctx_get_tag	(	cipher_ctx_t *	ctx,
		uint8_t *	tag,
		int	tag_len
	)

Gets the computed message authenticated code (MAC) tag for this cipher.

Parameters

ctx	The cipher's context
tag	The buffer to write computed tag in.
tag_size	The tag buffer size, in bytes.

Referenced by openvpn_encrypt_aead().

◆ cipher_ctx_init()

void cipher_ctx_init	(	cipher_ctx_t *	ctx,
		const uint8_t *	key,
		int	key_len,
		const cipher_kt_t *	kt,
		int	enc
	)

Initialise a cipher context, based on the given key and key type.

Parameters

ctx	Cipher context. May not be NULL
key	Buffer containing the key to use
key_len	Length of the key, in bytes
kt	Static cipher parameters to use
enc	Whether to encrypt or decrypt (either `MBEDTLS_OP_ENCRYPT` or `MBEDTLS_OP_DECRYPT`).

Referenced by init_key_ctx().

◆ cipher_ctx_iv_length()

int cipher_ctx_iv_length ( const cipher_ctx_t * ctx )

Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.

Parameters

ctx	The cipher's context

Returns: Size of the IV, in bytes, or 0 if the cipher does not use an IV or ctx was NULL.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), and openvpn_encrypt_v1().

◆ cipher_ctx_mode()

int cipher_ctx_mode ( const cipher_ctx_t * ctx )

Returns the mode that the cipher runs in.

Parameters

ctx	Cipher's context. May not be NULL.

Returns: Cipher mode, either OPENVPN_MODE_CBC, OPENVPN_MODE_OFB or OPENVPN_MODE_CFB

◆ cipher_ctx_new()

cipher_ctx_t* cipher_ctx_new ( void )

Generic cipher functions.

Allocate a new cipher context

Returns: a new cipher context

Definition at line 751 of file crypto_openssl.c.

References check_malloc_return().

Referenced by init_key_ctx().

◆ cipher_ctx_reset()

int cipher_ctx_reset	(	cipher_ctx_t *	ctx,
		const uint8_t *	iv_buf
	)

Resets the given cipher context, setting the IV to the specified value.

Preserves the associated key information.

Parameters

ctx	Cipher's context. May not be NULL.
iv_buf	The IV to use.

Returns: 0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_update()

int cipher_ctx_update	(	cipher_ctx_t *	ctx,
		uint8_t *	dst,
		int *	dst_len,
		uint8_t *	src,
		int	src_len
	)

Updates the given cipher context, encrypting data in the source buffer, and placing any complete blocks in the destination buffer.

Note that if a complete block cannot be written, data is cached in the context, and emitted at a later call to cipher_ctx_update, or by a call to cipher_ctx_final(). This implies that dst should have enough room for src_len + cipher_ctx_block_size().

Parameters

ctx	Cipher's context. May not be NULL.
dst	Destination buffer
dst_len	Length of the destination buffer, in bytes
src	Source buffer
src_len	Length of the source buffer, in bytes

Returns: 0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ cipher_ctx_update_ad()

int cipher_ctx_update_ad	(	cipher_ctx_t *	ctx,
		const uint8_t *	src,
		int	src_len
	)

Updates the given cipher context, providing additional data (AD) for authenticated encryption with additional data (AEAD) cipher modes.

Parameters

ctx	Cipher's context. May not be NULL.
src	Source buffer
src_len	Length of the source buffer, in bytes

Returns: 0 on failure, 1 on success.

Referenced by openvpn_decrypt_aead(), and openvpn_encrypt_aead().

◆ cipher_des_encrypt_ecb()

void cipher_des_encrypt_ecb	(	const unsigned char	key[DES_KEY_LENGTH],
		unsigned char	src[DES_KEY_LENGTH],
		unsigned char	dst[DES_KEY_LENGTH]
	)

Encrypt the given block, using DES ECB mode.

Parameters

key	DES key to use.
src	Buffer containing the 8-byte source.
dst	Buffer containing the 8-byte destination

Referenced by ntlm_phase_3().

◆ cipher_kt_block_size()

int cipher_kt_block_size ( const cipher_kt_t * cipher_kt )

Returns the block size of the cipher, in bytes.

Parameters

cipher_kt Static cipher parameters

Returns: Block size, in bytes.

Referenced by crypto_adjust_frame_parameters(), init_key_ctx(), init_key_type(), print_cipher(), and warn_insecure_key_type().

◆ cipher_kt_get()

const cipher_kt_t* cipher_kt_get ( const char * ciphername )

Return cipher parameters, based on the given cipher name.

The contents of these parameters are library-specific, and can be used to initialise encryption/decryption.

Parameters

ciphername Name of the cipher to retrieve parameters for (e.g. AES-128-CBC). Will be translated to the library name from the openvpn config name if needed.

Returns: A statically allocated structure containing parameters for the given cipher, or NULL if no matching parameters were found.

Definition at line 583 of file crypto_openssl.c.

References ASSERT, crypto_msg, D_LOW, MAX_CIPHER_KEY_LENGTH, msg, PACKAGE_NAME, and translate_cipher_name_from_openvpn().

Referenced by init_key_type(), mutate_ncp_cipher_list(), test_check_ncp_ciphers_list(), test_translate_cipher(), and tls_crypt_kt().

◆ cipher_kt_insecure()

bool cipher_kt_insecure ( const cipher_kt_t * cipher )

Returns true if we consider this cipher to be insecure.

Referenced by tls_limit_reneg_bytes(), and warn_insecure_key_type().

◆ cipher_kt_iv_size()

int cipher_kt_iv_size ( const cipher_kt_t * cipher_kt )

Returns the size of the IV used by the cipher, in bytes, or 0 if no IV is used.

Parameters

cipher_kt Static cipher parameters

Returns: Size of the IV, in bytes, or 0 if the cipher does not use an IV.

Referenced by crypto_adjust_frame_parameters(), init_key_ctx(), key_ctx_update_implicit_iv(), and test_crypto().

◆ cipher_kt_key_size()

int cipher_kt_key_size ( const cipher_kt_t * cipher_kt )

Returns the size of keys used by the cipher, in bytes.

If the cipher has a variable key size, return the default key size.

Parameters

cipher_kt Static cipher parameters

Returns: (Default) size of keys used by the cipher, in bytes.

Referenced by init_key_type(), print_cipher(), and tls_crypt_kt().

◆ cipher_kt_mode()

int cipher_kt_mode ( const cipher_kt_t * cipher_kt )

Returns the mode that the cipher runs in.

Parameters

cipher_kt Static cipher parameters. May not be NULL.

Returns: Cipher mode, either OPENVPN_MODE_CBC, OPENVPN_MODE_OFB or OPENVPN_MODE_CFB

Referenced by openvpn_encrypt_v1().

◆ cipher_kt_mode_aead()

bool cipher_kt_mode_aead ( const cipher_kt_t * cipher )

Check if the supplied cipher is a supported AEAD mode cipher.

Parameters

cipher Static cipher parameters.

Returns: true iff the cipher is a AEAD mode cipher.

Definition at line 725 of file crypto_openssl.c.

Referenced by check_replay_consistency(), cipher_kt_tag_size(), crypto_adjust_frame_parameters(), init_key_type(), key_ctx_update_implicit_iv(), openvpn_decrypt(), openvpn_decrypt_aead(), openvpn_encrypt(), openvpn_encrypt_aead(), show_available_ciphers(), and test_crypto().

◆ cipher_kt_mode_cbc()

bool cipher_kt_mode_cbc ( const cipher_kt_t * cipher )

Check if the supplied cipher is a supported CBC mode cipher.

Parameters

cipher Static cipher parameters.

Returns: true iff the cipher is a CBC mode cipher.

Definition at line 708 of file crypto_openssl.c.

References cipher_kt_mode(), and OPENVPN_MODE_CBC.

Referenced by init_key_type(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), print_cipher(), and show_available_ciphers().

◆ cipher_kt_mode_ofb_cfb()

bool cipher_kt_mode_ofb_cfb ( const cipher_kt_t * cipher )

Check if the supplied cipher is a supported OFB or CFB mode cipher.

Parameters

cipher Static cipher parameters.

Returns: true iff the cipher is a OFB or CFB mode cipher.

Definition at line 716 of file crypto_openssl.c.

References cipher_kt_mode(), OPENVPN_MODE_CFB, and OPENVPN_MODE_OFB.

Referenced by calc_options_string_link_mtu(), check_replay_consistency(), do_init_crypto_tls(), init_key_type(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), show_available_ciphers(), and tls_session_update_crypto_params().

◆ cipher_kt_name()

const char* cipher_kt_name ( const cipher_kt_t * cipher_kt )

Retrieve a string describing the cipher (e.g.

AES-128-CBC). The returned name is normalised to the OpenVPN config name in case the name differs from the name used by the crypto library.

Parameters

cipher_kt Static cipher parameters

Returns: a statically allocated string describing the cipher.

Referenced by init_key_ctx(), mutate_ncp_cipher_list(), options_string(), print_cipher(), and test_translate_cipher().

◆ cipher_kt_tag_size()

int cipher_kt_tag_size ( const cipher_kt_t * cipher_kt )

Returns the MAC tag size of the cipher, in bytes.

Parameters

ctx	Static cipher parameters.

Returns: Tag size in bytes, or 0 if the tag size could not be determined.

Referenced by crypto_adjust_frame_parameters(), openvpn_decrypt_aead(), and openvpn_encrypt_aead().

◆ crypto_clear_error()

void crypto_clear_error ( void )

Definition at line 190 of file crypto_openssl.c.

Referenced by openvpn_decrypt_aead(), openvpn_decrypt_v1(), openvpn_encrypt_aead(), openvpn_encrypt_v1(), tls_crypt_unwrap(), and tls_crypt_wrap().

◆ crypto_init_lib()

void crypto_init_lib ( void )

Definition at line 151 of file crypto_openssl.c.

Referenced by init_ssl_lib().

◆ crypto_init_lib_engine()

void crypto_init_lib_engine ( const char * engine_name )

Definition at line 129 of file crypto_openssl.c.

References ASSERT, M_WARN, and msg.

Referenced by init_crypto_pre().

◆ crypto_pem_decode()

bool crypto_pem_decode	(	const char *	name,
		struct buffer *	dst,
		const struct buffer *	src
	)

Decode a PEM buffer to binary data.

Parameters

name	The name expected in the PEM header/footer.
dst	Destination buffer for decoded data.
src	Source buffer (PEM data).

Returns: true iff PEM decode succeeded.

Definition at line 418 of file crypto_openssl.c.

References BCAP, BLEN, BPTR, buf_write_alloc(), crypto_msg, D_CRYPT_ERRORS, dmsg, and M_FATAL.

Referenced by crypto_pem_encode_decode_loopback(), and read_pem_key_file().

◆ crypto_pem_encode()

bool crypto_pem_encode	(	const char *	name,
		struct buffer *	dst,
		const struct buffer *	src,
		struct gc_arena *	gc
	)

Encode binary data as PEM.

Parameters

name	The name to use in the PEM header/footer.
dst	Destination buffer for PEM-encoded data. Must be a valid pointer to an uninitialized buffer structure. Iff this function returns true, the buffer will contain memory allocated through the supplied gc.
src	Source buffer.
gc	The garbage collector to use when allocating memory for dst.

Returns: true iff PEM encode succeeded.

Definition at line 390 of file crypto_openssl.c.

References alloc_buf_gc(), ASSERT, BLEN, BPTR, buf_write(), and buffer::data.

Referenced by crypto_pem_encode_decode_loopback(), tls_crypt_v2_write_client_key_file(), and write_pem_key_file().

◆ crypto_uninit_lib()

void crypto_uninit_lib ( void )

Definition at line 170 of file crypto_openssl.c.

References ASSERT.

Referenced by free_ssl_lib().

◆ hmac_ctx_cleanup()

void hmac_ctx_cleanup ( hmac_ctx_t * ctx )

Referenced by free_key_ctx(), gen_hmac_md5(), and tls1_P_hash().

◆ hmac_ctx_final()

void hmac_ctx_final	(	hmac_ctx_t *	ctx,
		uint8_t *	dst
	)

Referenced by check_hmac_token(), gen_hmac_md5(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls1_P_hash(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ hmac_ctx_free()

void hmac_ctx_free ( hmac_ctx_t * ctx )

Referenced by free_key_ctx(), gen_hmac_md5(), and tls1_P_hash().

◆ hmac_ctx_init()

void hmac_ctx_init	(	hmac_ctx_t *	ctx,
		const uint8_t *	key,
		int	key_length,
		const md_kt_t *	kt
	)

Referenced by gen_hmac_md5(), init_key_ctx(), and tls1_P_hash().

◆ hmac_ctx_new()

hmac_ctx_t* hmac_ctx_new ( void )

Definition at line 997 of file crypto_openssl.c.

References check_malloc_return(), and HMAC_CTX_new().

Referenced by gen_hmac_md5(), init_key_ctx(), and tls1_P_hash().

◆ hmac_ctx_reset()

void hmac_ctx_reset ( hmac_ctx_t * ctx )

Referenced by check_hmac_token(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls1_P_hash(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ hmac_ctx_size()

int hmac_ctx_size ( const hmac_ctx_t * ctx )

Referenced by check_hmac_token(), generate_auth_token(), init_key_ctx(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), swap_hmac(), and tls_crypt_wrap().

◆ hmac_ctx_update()

void hmac_ctx_update	(	hmac_ctx_t *	ctx,
		const uint8_t *	src,
		int	src_len
	)

Referenced by check_hmac_token(), gen_hmac_md5(), generate_auth_token(), openvpn_decrypt_v1(), openvpn_encrypt_v1(), tls1_P_hash(), tls_crypt_unwrap(), tls_crypt_v2_unwrap_client_key(), tls_crypt_v2_wrap_client_key(), and tls_crypt_wrap().

◆ key_des_check()

bool key_des_check	(	uint8_t *	key,
		int	key_len,
		int	ndc
	)

Definition at line 518 of file crypto_openssl.c.

References buf_read_alloc(), buf_set_read(), crypto_msg, and D_CRYPT_ERRORS.

Referenced by check_key().

◆ key_des_fixup()

void key_des_fixup	(	uint8_t *	key,
		int	key_len,
		int	ndc
	)

Definition at line 555 of file crypto_openssl.c.

References buf_read_alloc(), buf_set_read(), D_CRYPT_ERRORS, and msg.

Referenced by create_des_keys(), and fixup_key().

◆ key_des_num_cblocks()

int key_des_num_cblocks ( const cipher_kt_t * kt )

Return number of DES cblocks (1 cblock = length of a single-DES key) for the current key type or 0 if not a DES cipher.

Parameters

kt	Type of key

Returns: Number of DES cblocks that the key consists of, or 0.

Referenced by check_key(), and fixup_key().

◆ md_ctx_cleanup()

void md_ctx_cleanup ( md_ctx_t * ctx )

Referenced by DigestCalcHA1(), DigestCalcResponse(), do_close_tls(), and process_incoming_push_reply().

◆ md_ctx_final()

void md_ctx_final	(	md_ctx_t *	ctx,
		uint8_t *	dst
	)

Referenced by DigestCalcHA1(), DigestCalcResponse(), and process_incoming_push_reply().

◆ md_ctx_free()

void md_ctx_free ( md_ctx_t * ctx )

Referenced by DigestCalcHA1(), DigestCalcResponse(), do_close_tls(), and process_incoming_push_reply().

◆ md_ctx_init()

void md_ctx_init	(	md_ctx_t *	ctx,
		const md_kt_t *	kt
	)

Referenced by DigestCalcHA1(), DigestCalcResponse(), and process_incoming_push_reply().

◆ md_ctx_new()

md_ctx_t* md_ctx_new ( void )

Definition at line 938 of file crypto_openssl.c.

References check_malloc_return(), and EVP_MD_CTX_new().

Referenced by DigestCalcHA1(), DigestCalcResponse(), and process_incoming_push_reply().

◆ md_ctx_size()

int md_ctx_size ( const md_ctx_t * ctx )

◆ md_ctx_update()

void md_ctx_update	(	md_ctx_t *	ctx,
		const uint8_t *	src,
		int	src_len
	)

Referenced by DigestCalcHA1(), DigestCalcResponse(), and push_update_digest().

◆ md_full()

int md_full	(	const md_kt_t *	kt,
		const uint8_t *	src,
		int	src_len,
		uint8_t *	dst
	)

Referenced by gen_md4_hash(), and prng_bytes().

◆ md_kt_get()

const md_kt_t* md_kt_get ( const char * digest )

Return message digest parameters, based on the given digest name.

The contents of these parameters are library-specific, and can be used to initialise HMAC or message digest operations.

Parameters

digest Name of the digest to retrieve parameters for (e.g. MD5).

Returns: A statically allocated structure containing parameters for the given message digest.

Definition at line 887 of file crypto_openssl.c.

References ASSERT, crypto_msg, M_FATAL, MAX_HMAC_KEY_LENGTH, and PACKAGE_NAME.

Referenced by auth_token_kt(), DigestCalcHA1(), DigestCalcResponse(), do_init_tls_wrap_key(), gen_hmac_md5(), gen_md4_hash(), init_key_type(), prng_init(), process_incoming_push_reply(), tls1_PRF(), and tls_crypt_kt().

◆ md_kt_name()

const char* md_kt_name ( const md_kt_t * kt )

Retrieve a string describing the digest digest (e.g.

SHA1).

Parameters

kt	Static message digest parameters

Returns: Statically allocated string describing the message digest.

Referenced by init_key_ctx(), options_string(), and prng_init().

◆ md_kt_size()

unsigned char md_kt_size ( const md_kt_t * kt )

Returns the size of the message digest, in bytes.

Parameters

kt	Static message digest parameters

Returns: Message digest size, in bytes, or 0 if ctx was NULL.

Referenced by auth_token_kt(), do_init_tls_wrap_key(), init_key_ctx(), init_key_type(), prng_bytes(), prng_init(), prng_reset_nonce(), tls1_P_hash(), and tls_crypt_kt().

◆ rand_bytes()

int rand_bytes	(	uint8_t *	output,
		int	len
	)

Wrapper for secure random number generator.

Retrieves len bytes of random data, and places it in output.

Parameters

output	Output buffer
len	Length of the output buffer, in bytes

Returns: 1 on success, 0 on failure

Definition at line 480 of file crypto_openssl.c.

References crypto_msg, D_CRYPT_ERRORS, and unlikely.

Referenced by establish_http_proxy_passthru(), generate_auth_token(), generate_ephemeral_key(), generate_key_random(), init_static(), prng_bytes(), prng_reset_nonce(), random_bytes_to_buf(), test_crypto(), test_tls_crypt_v2_setup(), tls_crypt_v2_wrap_unwrap_dst_too_small(), tls_crypt_v2_wrap_unwrap_max_metadata(), tls_crypt_v2_write_client_key_file(), and write_pem_key_file().

◆ show_available_ciphers()

void show_available_ciphers ( void )

Definition at line 280 of file crypto_openssl.c.

References cipher_kt_insecure(), cipher_kt_mode_aead(), cipher_kt_mode_cbc(), cipher_kt_mode_ofb_cfb(), cipher_name_cmp(), ENABLE_OFB_CFB_MODE, M_WARN, msg, PACKAGE_NAME, and print_cipher().

Referenced by print_openssl_info().

◆ show_available_digests()

void show_available_digests ( void )

Definition at line 340 of file crypto_openssl.c.

References PACKAGE_NAME.

Referenced by print_openssl_info().

◆ show_available_engines()

void show_available_engines ( void )

Definition at line 365 of file crypto_openssl.c.

Referenced by print_openssl_info().

◆ translate_cipher_name_from_openvpn()

const char* translate_cipher_name_from_openvpn ( const char * cipher_name )

Translate a data channel cipher name from the OpenVPN config file 'language' to the crypto library specific name.

Translate an OpenVPN cipher name to a crypto library cipher name.

Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file 'language'.

Parameters

cipher_name An OpenVPN cipher name

Returns: The corresponding crypto library cipher name, or NULL if no matching cipher name was found.

Translate a data channel cipher name from the OpenVPN config file 'language' to the crypto library specific name.

Translate an OpenVPN cipher name to a crypto library cipher name.

Parameters

cipher_name An OpenVPN cipher name

Returns: The corresponding crypto library cipher name, or NULL if no matching cipher name was found.

Definition at line 1839 of file crypto.c.

References get_cipher_name_pair(), and cipher_name_pair::lib_name.

Referenced by cipher_kt_block_size(), and cipher_kt_get().

◆ translate_cipher_name_to_openvpn()

const char* translate_cipher_name_to_openvpn ( const char * cipher_name )

Translate a crypto library cipher name to an OpenVPN cipher name.

Parameters

cipher_name A crypto library cipher name

Returns: The corresponding OpenVPN cipher name, or NULL if no matching cipher name was found.

Definition at line 1852 of file crypto.c.

References get_cipher_name_pair(), and cipher_name_pair::openvpn_name.

Referenced by cipher_kt_block_size(), cipher_kt_name(), and multi_print_status().

Variable Documentation

◆ cipher_name_translation_table

const cipher_name_pair cipher_name_translation_table[]

Cipher name translation table.

Definition at line 260 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().

◆ cipher_name_translation_table_count

const size_t cipher_name_translation_table_count

Definition at line 266 of file crypto_openssl.c.

Referenced by get_cipher_name_pair().

Data Structures

Macros

Enumerations

Functions

Variables

Macro Definition Documentation

◆ MAX_CIPHER_KEY_LENGTH

◆ MAX_HMAC_KEY_LENGTH

◆ OPENVPN_AEAD_TAG_LENGTH

◆ OPENVPN_MAX_CIPHER_BLOCK_SIZE

◆ OPENVPN_MAX_HMAC_SIZE

Enumeration Type Documentation

◆ hash_algo_type

Function Documentation

◆ cipher_ctx_block_size()

◆ cipher_ctx_final()

◆ cipher_ctx_final_check_tag()

◆ cipher_ctx_free()

◆ cipher_ctx_get_cipher_kt()

◆ cipher_ctx_get_tag()

◆ cipher_ctx_init()

◆ cipher_ctx_iv_length()

◆ cipher_ctx_mode()

◆ cipher_ctx_new()

◆ cipher_ctx_reset()

◆ cipher_ctx_update()

◆ cipher_ctx_update_ad()

◆ cipher_des_encrypt_ecb()

◆ cipher_kt_block_size()

◆ cipher_kt_get()

◆ cipher_kt_insecure()

◆ cipher_kt_iv_size()

◆ cipher_kt_key_size()

◆ cipher_kt_mode()

◆ cipher_kt_mode_aead()

◆ cipher_kt_mode_cbc()

◆ cipher_kt_mode_ofb_cfb()

◆ cipher_kt_name()

◆ cipher_kt_tag_size()

◆ crypto_clear_error()

◆ crypto_init_lib()

◆ crypto_init_lib_engine()

◆ crypto_pem_decode()

◆ crypto_pem_encode()

◆ crypto_uninit_lib()

◆ hmac_ctx_cleanup()

◆ hmac_ctx_final()

◆ hmac_ctx_free()

◆ hmac_ctx_init()

◆ hmac_ctx_new()

◆ hmac_ctx_reset()

◆ hmac_ctx_size()

◆ hmac_ctx_update()

◆ key_des_check()

◆ key_des_fixup()

◆ key_des_num_cblocks()

◆ md_ctx_cleanup()

◆ md_ctx_final()

◆ md_ctx_free()

◆ md_ctx_init()

◆ md_ctx_new()

◆ md_ctx_size()

◆ md_ctx_update()

◆ md_full()

◆ md_kt_get()

◆ md_kt_name()

◆ md_kt_size()

◆ rand_bytes()

◆ show_available_ciphers()

◆ show_available_digests()

◆ show_available_engines()

◆ translate_cipher_name_from_openvpn()

◆ translate_cipher_name_to_openvpn()

Variable Documentation

◆ cipher_name_translation_table

◆ cipher_name_translation_table_count