36 #if defined(ENABLE_CRYPTO_OPENSSL)
45 #include <openssl/conf.h>
46 #include <openssl/des.h>
47 #include <openssl/err.h>
48 #include <openssl/evp.h>
49 #include <openssl/objects.h>
50 #include <openssl/rand.h>
51 #include <openssl/ssl.h>
53 #if !defined(LIBRESSL_VERSION_NUMBER)
54 #include <openssl/kdf.h>
56 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
57 #include <openssl/provider.h>
58 #include <openssl/core_names.h>
61 #if defined(_WIN32) && defined(OPENSSL_NO_EC)
62 #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported.
67 #pragma warning(disable: 4996)
74 #if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH
75 #warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH
78 #if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE
79 #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
82 #if HAVE_OPENSSL_ENGINE
83 #include <openssl/ui.h>
84 #include <openssl/engine.h>
86 static bool engine_initialized =
false;
88 static ENGINE *engine_persist = NULL;
92 try_load_engine(
const char *engine)
94 ENGINE *e = ENGINE_by_id(
"dynamic");
97 if (!ENGINE_ctrl_cmd_string(e,
"SO_PATH", engine, 0)
98 || !ENGINE_ctrl_cmd_string(e,
"LOAD", NULL, 0))
108 setup_engine(
const char *engine)
112 ENGINE_load_builtin_engines();
116 if (strcmp(engine,
"auto") == 0)
118 msg(
M_INFO,
"Initializing OpenSSL auto engine support");
119 ENGINE_register_all_complete();
122 if ((e = ENGINE_by_id(engine)) == NULL
123 && (e = try_load_engine(engine)) == NULL)
129 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
132 "OpenSSL error: ENGINE_set_default failed on engine '%s'",
136 msg(
M_INFO,
"Initializing OpenSSL support for engine '%s'",
147 #if HAVE_OPENSSL_ENGINE
148 if (!engine_initialized)
152 engine_persist = setup_engine(engine_name);
153 engine_initialized =
true;
156 msg(
M_WARN,
"Note: OpenSSL hardware crypto engine functionality is not available");
163 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
172 msg(
M_WARN,
"Note: OpenSSL provider functionality is not available");
180 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
181 if (!OSSL_PROVIDER_unload(provider))
197 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
205 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
213 FILE *fp = fopen(
"sdlog",
"w");
215 CRYPTO_mem_leaks_fp(fp);
219 #if HAVE_OPENSSL_ENGINE
220 if (engine_initialized)
223 engine_persist = NULL;
224 engine_initialized =
false;
238 unsigned long err = 0;
240 const char *file, *data, *func;
244 if (!(errflags & ERR_TXT_STRING))
250 if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
253 "in common with the client. Your --tls-cipher setting might be "
256 else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
259 "indicates that client and server have no common TLS version enabled. "
260 "This can be caused by mismatched tls-version-min and tls-version-max "
261 "options on client and server. "
262 "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
263 "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
264 "instead of TLS 1.0 only");
270 msg(flags,
"OpenSSL: %s:%s", ERR_error_string(err, NULL), data);
274 msg(flags,
"OpenSSL: %s:%s:%s:%d:%s", ERR_error_string(err, NULL),
275 data, file, line, func);
291 crypto_malloc(
size_t size,
const char *file,
int line)
293 return dmalloc_malloc(file, line, size, DMALLOC_FUNC_MALLOC, 0, 0);
297 crypto_realloc(
void *ptr,
size_t size,
const char *file,
int line)
299 return dmalloc_realloc(file, line, ptr, size, DMALLOC_FUNC_REALLOC, 0);
303 crypto_free(
void *ptr)
305 dmalloc_free(__FILE__, __LINE__, ptr, DMALLOC_FUNC_FREE);
309 crypto_init_dmalloc(
void)
311 CRYPTO_set_mem_ex_functions(crypto_malloc,
318 {
"AES-128-GCM",
"id-aes128-GCM" },
319 {
"AES-192-GCM",
"id-aes192-GCM" },
320 {
"AES-256-GCM",
"id-aes256-GCM" },
321 {
"CHACHA20-POLY1305",
"ChaCha20-Poly1305" },
330 const EVP_CIPHER *
const *cipher_a = a;
331 const EVP_CIPHER *
const *cipher_b = b;
352 msg(
M_WARN,
"WARNING: Too many ciphers, not showing all");
365 cipher_list->
list[cipher_list->
num++] = cipher;
375 printf(
"The following ciphers and cipher modes are available for use\n"
376 "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n"
377 "parameter to the --data-ciphers (or --cipher) option. In static \n"
378 "key mode only CBC mode is allowed.\n");
379 printf(
"See also openssl list -cipher-algorithms\n\n");
382 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
385 for (
int nid = 0; nid < 10000; ++nid)
387 #if defined(LIBRESSL_VERSION_NUMBER)
391 const EVP_CIPHER *cipher = NULL;
392 const char *name = OBJ_nid2sn(nid);
395 cipher = EVP_get_cipherbyname(name);
398 const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
409 for (
size_t i = 0; i < cipher_list.
num; i++)
417 printf(
"\nThe following ciphers have a block size of less than 128 bits, \n"
418 "and are therefore deprecated. Do not use unless you have to.\n\n");
419 for (
int i = 0; i < cipher_list.
num; i++)
433 EVP_MD_size(digest) * 8);
440 printf(
"The following message digests are available for use with\n"
441 PACKAGE_NAME ". A message digest is used in conjunction with\n"
442 "the HMAC function, to authenticate received packets.\n"
443 "You can specify a message digest as parameter to\n"
444 "the --auth option.\n");
445 printf(
"See also openssl list -digest-algorithms\n\n");
448 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
451 for (
int nid = 0; nid < 10000; ++nid)
456 #ifdef LIBRESSL_VERSION_NUMBER
457 const EVP_MD *digest = NULL;
458 const char *name = OBJ_nid2sn(nid);
461 digest = EVP_get_digestbyname(name);
464 const EVP_MD *digest = EVP_get_digestbynid(nid);
480 #if HAVE_OPENSSL_ENGINE
483 printf(
"OpenSSL Crypto Engines\n\n");
485 ENGINE_load_builtin_engines();
487 e = ENGINE_get_first();
493 e = ENGINE_get_next(e);
497 printf(
"Sorry, OpenSSL hardware crypto engine functionality is not available.\n");
507 BIO *bio = BIO_new(BIO_s_mem());
508 if (!bio || !PEM_write_bio(bio, name,
"",
BPTR(src),
BLEN(src)))
515 BIO_get_mem_ptr(bio, &bptr);
536 BIO *bio = BIO_new_mem_buf((
char *)
BPTR(src),
BLEN(src));
542 char *name_read = NULL;
543 char *header_read = NULL;
544 uint8_t *data_read = NULL;
545 long data_read_len = 0;
546 if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,
553 if (strcmp(name, name_read))
556 "%s: unexpected PEM name (got '%s', expected '%s')",
557 __func__, name_read, name);
565 BCAP(dst), data_read_len);
568 memcpy(dst_data, data_read, data_read_len);
572 OPENSSL_free(name_read);
573 OPENSSL_free(header_read);
574 OPENSSL_free(data_read);
595 if (
unlikely(1 != RAND_bytes(output, len)))
626 *reason =
"disabled because unknown";
634 if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
636 msg(
D_LOW,
"Cipher algorithm '%s' is known by OpenSSL library but "
637 "currently disabled by running in FIPS mode.", ciphername);
638 *reason =
"disabled by FIPS mode";
644 msg(
D_LOW,
"Cipher algorithm '%s' uses a default key size (%d bytes) "
645 "which is larger than " PACKAGE_NAME "'s current maximum key size "
646 "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher),
648 *reason =
"disabled due to key size too large";
663 if (strcmp(
"none", ciphername) == 0)
665 return "[null-cipher]";
674 const char *name = EVP_CIPHER_name(cipher_kt);
683 int size = EVP_CIPHER_key_length(cipher);
692 int ivsize = EVP_CIPHER_iv_length(cipher);
707 char *mode_str = NULL;
708 const char *orig_name = NULL;
716 int block_size = EVP_CIPHER_block_size(cipher);
718 orig_name = EVP_CIPHER_name(cipher);
725 mode_str = strrchr(name,
'-');
726 if (!mode_str || strlen(mode_str) < 4)
731 strcpy(mode_str,
"-CBC");
736 block_size = EVP_CIPHER_block_size(cbc_cipher);
767 #ifdef NID_chacha20_poly1305
771 bool ischachapoly = (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305);
785 ASSERT(NULL != cipher_kt);
786 return EVP_CIPHER_mode(cipher_kt);
796 #ifdef EVP_CIPH_FLAG_CTS
797 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
799 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
811 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
829 #ifdef NID_chacha20_poly1305
830 if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305)
851 EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
859 EVP_CIPHER_CTX_free(ctx);
866 ASSERT(NULL != ciphername && NULL != ctx);
869 EVP_CIPHER_CTX_reset(ctx);
870 if (!EVP_CipherInit_ex(ctx, kt, NULL,
key, NULL, enc))
876 ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= EVP_CIPHER_key_length(kt));
883 return EVP_CIPHER_CTX_iv_length(ctx);
889 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_size, tag_buf);
895 return EVP_CIPHER_CTX_block_size(ctx);
901 return EVP_CIPHER_CTX_mode(ctx);
913 int flags = EVP_CIPHER_CTX_flags(ctx);
914 int mode = EVP_CIPHER_CTX_mode(ctx);
916 return mode == EVP_CIPH_CBC_MODE
918 #ifdef EVP_CIPH_FLAG_CTS
919 && !(flags & EVP_CIPH_FLAG_CTS)
921 && !(flags & EVP_CIPH_FLAG_AEAD_CIPHER);
934 return (mode == EVP_CIPH_OFB_MODE || mode == EVP_CIPH_CFB_MODE)
936 && !(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER);
944 int flags = EVP_CIPHER_CTX_flags(ctx);
945 if (flags & EVP_CIPH_FLAG_AEAD_CIPHER)
950 #if defined(NID_chacha20_poly1305) && OPENSSL_VERSION_NUMBER < 0x30000000L
951 if (EVP_CIPHER_CTX_nid(ctx) == NID_chacha20_poly1305)
965 return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
972 if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len))
981 uint8_t *src,
int src_len)
983 if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len))
993 return EVP_CipherFinal(ctx, dst, dst_len);
998 uint8_t *tag,
size_t tag_len)
1000 ASSERT(tag_len < SIZE_MAX);
1001 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
1030 "size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
1031 "maximum hash size (%d bytes)",
1042 bool valid = (md != NULL);
1055 {
"BLAKE2s256",
"BLAKE2S-256"},
1056 {
"BLAKE2b512",
"BLAKE2B-512"},
1057 {
"RIPEMD160",
"RIPEMD-160" },
1058 {
"SHA224",
"SHA2-224"},
1059 {
"SHA256",
"SHA2-256"},
1060 {
"SHA384",
"SHA2-384"},
1061 {
"SHA512",
"SHA2-512"},
1062 {
"SHA512-224",
"SHA2-512/224"},
1063 {
"SHA512-256",
"SHA2-512/256"},
1064 {
"SHAKE128",
"SHAKE-128"},
1065 {
"SHAKE256",
"SHAKE-256"},
1073 if (!strcmp(
"none", mdname))
1075 return "[null-digest]";
1097 if (!strcmp(
"none", mdname))
1102 unsigned char size = (
unsigned char)EVP_MD_size(kt);
1115 md_full(
const char *mdname,
const uint8_t *src,
int src_len, uint8_t *dst)
1117 unsigned int in_md_len = 0;
1120 int ret = EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL);
1128 EVP_MD_CTX *ctx = EVP_MD_CTX_new();
1136 EVP_MD_CTX_free(ctx);
1143 ASSERT(NULL != ctx && NULL != kt);
1145 EVP_MD_CTX_init(ctx);
1146 if (!EVP_DigestInit(ctx, kt))
1156 EVP_MD_CTX_reset(ctx);
1162 return EVP_MD_CTX_size(ctx);
1168 EVP_DigestUpdate(ctx, src, src_len);
1174 unsigned int in_md_len = 0;
1176 EVP_DigestFinal(ctx, dst, &in_md_len);
1185 #if OPENSSL_VERSION_NUMBER < 0x30000000L
1189 HMAC_CTX *ctx = HMAC_CTX_new();
1204 ASSERT(NULL != kt && NULL != ctx);
1206 int key_len = EVP_MD_size(kt);
1207 HMAC_CTX_reset(ctx);
1208 if (!HMAC_Init_ex(ctx,
key, key_len, kt, NULL))
1214 ASSERT(HMAC_size(ctx) <= key_len);
1220 HMAC_CTX_reset(ctx);
1226 return HMAC_size(ctx);
1232 if (!HMAC_Init_ex(ctx, NULL, 0, NULL, NULL))
1241 HMAC_Update(ctx, src, src_len);
1247 unsigned int in_hmac_len = 0;
1249 HMAC_Final(ctx, dst, &in_hmac_len);
1257 EVP_MAC *hmac = EVP_MAC_fetch(NULL,
"HMAC", NULL);
1258 ctx->ctx = EVP_MAC_CTX_new(hmac);
1269 EVP_MAC_CTX_free(ctx->ctx);
1278 ASSERT(NULL != kt && NULL != ctx && ctx->ctx != NULL);
1282 memcpy(ctx->key,
key, EVP_MD_size(kt));
1290 ctx->params[0] = OSSL_PARAM_construct_utf8_string(
"digest",
1292 ctx->params[1] = OSSL_PARAM_construct_octet_string(
"key",
1293 ctx->key, EVP_MD_size(kt));
1294 ctx->params[2] = OSSL_PARAM_construct_end();
1296 if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
1307 EVP_MAC_init(ctx->ctx, NULL, 0, NULL);
1313 return (
int)EVP_MAC_CTX_get_mac_size(ctx->ctx);
1322 if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
1331 EVP_MAC_update(ctx->ctx, src, src_len);
1339 size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx);
1341 EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len);
1348 return CRYPTO_memcmp(a, b, size);
1350 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L) && !defined(LIBRESSL_VERSION_NUMBER)
1352 ssl_tls1_PRF(
const uint8_t *seed,
int seed_len,
const uint8_t *secret,
1353 int secret_len, uint8_t *output,
int output_len)
1356 EVP_KDF_CTX *kctx = NULL;
1359 EVP_KDF *kdf = EVP_KDF_fetch(NULL,
"TLS1-PRF", NULL);
1365 kctx = EVP_KDF_CTX_new(kdf);
1372 OSSL_PARAM params[4];
1376 params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
1377 SN_md5_sha1, strlen(SN_md5_sha1));
1378 params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET,
1379 (uint8_t *) secret, (
size_t) secret_len);
1380 params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED,
1381 (uint8_t *) seed, (
size_t) seed_len);
1382 params[3] = OSSL_PARAM_construct_end();
1384 if (EVP_KDF_derive(kctx, output, output_len, params) <= 0)
1387 "EVP_KDF_derive failed");
1396 EVP_KDF_CTX_free(kctx);
1401 #elif defined(OPENSSL_IS_AWSLC)
1403 ssl_tls1_PRF(
const uint8_t *label,
int label_len,
const uint8_t *sec,
1404 int slen, uint8_t *out1,
int olen)
1406 CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0);
1408 #elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL)
1411 int secret_len, uint8_t *output,
int output_len)
1413 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
1420 if (!EVP_PKEY_derive_init(pctx))
1425 if (!EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_md5_sha1()))
1430 if (!EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, secret, secret_len))
1435 if (!EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, seed, seed_len))
1440 size_t out_len = output_len;
1441 if (!EVP_PKEY_derive(pctx, output, &out_len))
1445 if (out_len != output_len)
1451 EVP_PKEY_CTX_free(pctx);
1459 ssl_tls1_PRF(
const uint8_t *label,
int label_len,
const uint8_t *sec,
1460 int slen, uint8_t *out1,
int olen)