OpenVPN
crypto_epoch.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2024 Arne Schwabe <arne@rfc2549.org>
10  *
11  *
12  * This program is free software; you can redistribute it and/or modify
13  * it under the terms of the GNU General Public License version 2
14  * as published by the Free Software Foundation.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 #ifndef CRYPTO_EPOCH_H
27 #define CRYPTO_EPOCH_H
28 
42 void
43 ovpn_hkdf_expand(const uint8_t *secret,
44  const uint8_t *info, int info_len,
45  uint8_t *out, int out_len);
46 
64 bool
65 ovpn_expand_label(const uint8_t *secret, size_t secret_len,
66  const uint8_t *label, size_t label_len,
67  const uint8_t *context, size_t context_len,
68  uint8_t *out, uint16_t out_len);
69 
76 void
77 epoch_data_key_derive(struct key_parameters *key,
78  const struct epoch_key *epoch_key,
79  const struct key_type *kt);
80 
94 void
95 epoch_generate_future_receive_keys(struct crypto_options *co);
96 
97 
106 void
107 epoch_replace_update_recv_key(struct crypto_options *co,
108  uint16_t new_epoch);
109 
113 void
114 epoch_iterate_send_key(struct crypto_options *co);
115 
119 void
120 free_epoch_key_ctx(struct crypto_options *co);
121 
135 void
136 epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type,
137  const struct epoch_key *e1_send, const struct epoch_key *e1_recv,
138  uint16_t future_key_count);
139 
147 struct key_ctx *
148 epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch);
149 
157 void
158 epoch_check_send_iterate(struct crypto_options *opt);
159 
160 
161 #endif /* ifndef CRYPTO_EPOCH_H */
ovpn_hkdf_expand
void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, int out_len)
Implementation of the RFC5869 HKDF-Expand function with the following restrictions.
Definition: crypto_epoch.c:43
epoch_generate_future_receive_keys
void epoch_generate_future_receive_keys(struct crypto_options *co)
Generates and fills the epoch_data_keys_future with next valid future keys in crypto_options using th...
Definition: crypto_epoch.c:213
context
Contains all state information for one tunnel.
Definition: openvpn.h:473
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
epoch_iterate_send_key
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to use the next epoch.
Definition: crypto_epoch.c:275
key_ctx::epoch
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
Definition: crypto.h:227
ovpn_expand_label
bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the following differences/restriction...
Definition: crypto_epoch.c:78
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:200
epoch_replace_update_recv_key
void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
This is called when the peer uses a new send key that is not the default key.
Definition: crypto_epoch.c:284
key_type
Definition: crypto.h:140
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition: crypto_epoch.c:353
key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition: crypto.h:162
epoch_key
Definition: crypto.h:191
epoch_check_send_iterate
void epoch_check_send_iterate(struct crypto_options *opt)
Checks if we need to iterate the send epoch key.
Definition: crypto_epoch.c:414
epoch_data_key_derive
void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt)
Generate a data channel key pair from the epoch key.
Definition: crypto_epoch.c:145
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition: crypto_epoch.c:338
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:291
epoch_lookup_decrypt_key
struct key_ctx * epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch)
Using an epoch, this function will try to retrieve a decryption key context that matches that epoch f...
Definition: crypto_epoch.c:375
Generated by   doxygen 1.8.17