OpenVPN
crypto_openssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
29 #ifdef HAVE_CONFIG_H
30 #include "config.h"
31 #elif defined(_MSC_VER)
32 #include "config-msvc.h"
33 #endif
34 
35 #include "syshead.h"
36 
37 #if defined(ENABLE_CRYPTO_OPENSSL)
38 
39 #include "basic.h"
40 #include "buffer.h"
41 #include "integer.h"
42 #include "crypto.h"
43 #include "crypto_backend.h"
44 #include "openssl_compat.h"
45 
46 #include <openssl/conf.h>
47 #include <openssl/des.h>
48 #include <openssl/err.h>
49 #include <openssl/evp.h>
50 #include <openssl/objects.h>
51 #include <openssl/rand.h>
52 #include <openssl/ssl.h>
53 
54 /*
55  * Check for key size creepage.
56  */
57 
58 #if MAX_CIPHER_KEY_LENGTH < EVP_MAX_KEY_LENGTH
59 #warning Some OpenSSL EVP ciphers now support key lengths greater than MAX_CIPHER_KEY_LENGTH -- consider increasing MAX_CIPHER_KEY_LENGTH
60 #endif
61 
62 #if MAX_HMAC_KEY_LENGTH < EVP_MAX_MD_SIZE
63 #warning Some OpenSSL HMAC message digests now support key lengths greater than MAX_HMAC_KEY_LENGTH -- consider increasing MAX_HMAC_KEY_LENGTH
64 #endif
65 
66 #if HAVE_OPENSSL_ENGINE
67 #include <openssl/ui.h>
68 #include <openssl/engine.h>
69 
70 static bool engine_initialized = false; /* GLOBAL */
71 
72 static ENGINE *engine_persist = NULL; /* GLOBAL */
73 
74 /* Try to load an engine in a shareable library */
75 static ENGINE *
76 try_load_engine(const char *engine)
77 {
78  ENGINE *e = ENGINE_by_id("dynamic");
79  if (e)
80  {
81  if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
82  || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
83  {
84  ENGINE_free(e);
85  e = NULL;
86  }
87  }
88  return e;
89 }
90 
91 static ENGINE *
92 setup_engine(const char *engine)
93 {
94  ENGINE *e = NULL;
95 
96  ENGINE_load_builtin_engines();
97 
98  if (engine)
99  {
100  if (strcmp(engine, "auto") == 0)
101  {
102  msg(M_INFO, "Initializing OpenSSL auto engine support");
103  ENGINE_register_all_complete();
104  return NULL;
105  }
106  if ((e = ENGINE_by_id(engine)) == NULL
107  && (e = try_load_engine(engine)) == NULL)
108  {
109  crypto_msg(M_FATAL, "OpenSSL error: cannot load engine '%s'",
110  engine);
111  }
112 
113  if (!ENGINE_set_default(e, ENGINE_METHOD_ALL))
114  {
116  "OpenSSL error: ENGINE_set_default failed on engine '%s'",
117  engine);
118  }
119 
120  msg(M_INFO, "Initializing OpenSSL support for engine '%s'",
121  ENGINE_get_id(e));
122  }
123  return e;
124 }
125 
126 #endif /* HAVE_OPENSSL_ENGINE */
127 
128 void
130 {
131 #if HAVE_OPENSSL_ENGINE
132  if (!engine_initialized)
133  {
134  ASSERT(engine_name);
135  ASSERT(!engine_persist);
136  engine_persist = setup_engine(engine_name);
137  engine_initialized = true;
138  }
139 #else /* if HAVE_OPENSSL_ENGINE */
140  msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available");
141 #endif
142 }
143 
144 /*
145  *
146  * Functions related to the core crypto library
147  *
148  */
149 
150 void
152 {
153 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
154  OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL);
155 #else
156  OPENSSL_config(NULL);
157 #endif
158  /*
159  * If you build the OpenSSL library and OpenVPN with
160  * CRYPTO_MDEBUG, you will get a listing of OpenSSL
161  * memory leaks on program termination.
162  */
163 
164 #ifdef CRYPTO_MDEBUG
165  CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
166 #endif
167 }
168 
169 void
171 {
172 #ifdef CRYPTO_MDEBUG
173  FILE *fp = fopen("sdlog", "w");
174  ASSERT(fp);
175  CRYPTO_mem_leaks_fp(fp);
176  fclose(fp);
177 #endif
178 
179 #if HAVE_OPENSSL_ENGINE
180  if (engine_initialized)
181  {
182  ENGINE_cleanup();
183  engine_persist = NULL;
184  engine_initialized = false;
185  }
186 #endif
187 }
188 
189 void
191 {
192  ERR_clear_error();
193 }
194 
195 void
197 {
198  size_t err = 0;
199 
200  while ((err = ERR_get_error()))
201  {
202  /* Be more clear about frequently occurring "no shared cipher" error */
203  if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER)
204  {
205  msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites "
206  "in common with the client. Your --tls-cipher setting might be "
207  "too restrictive.");
208  }
209  else if (ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL)
210  {
211  msg(D_CRYPT_ERRORS, "TLS error: Unsupported protocol. This typically "
212  "indicates that client and server have no common TLS version enabled. "
213  "This can be caused by mismatched tls-version-min and tls-version-max "
214  "options on client and server. "
215  "If your OpenVPN client is between v2.3.6 and v2.3.2 try adding "
216  "tls-version-min 1.0 to the client configuration to use TLS 1.0+ "
217  "instead of TLS 1.0 only");
218  }
219  msg(flags, "OpenSSL: %s", ERR_error_string(err, NULL));
220  }
221 }
222 
223 
224 /*
225  *
226  * OpenSSL memory debugging. If dmalloc debugging is enabled, tell
227  * OpenSSL to use our private malloc/realloc/free functions so that
228  * we can dispatch them to dmalloc.
229  *
230  */
231 
232 #ifdef DMALLOC
233 static void *
234 crypto_malloc(size_t size, const char *file, int line)
235 {
236  return dmalloc_malloc(file, line, size, DMALLOC_FUNC_MALLOC, 0, 0);
237 }
238 
239 static void *
240 crypto_realloc(void *ptr, size_t size, const char *file, int line)
241 {
242  return dmalloc_realloc(file, line, ptr, size, DMALLOC_FUNC_REALLOC, 0);
243 }
244 
245 static void
246 crypto_free(void *ptr)
247 {
248  dmalloc_free(__FILE__, __LINE__, ptr, DMALLOC_FUNC_FREE);
249 }
250 
251 void
252 crypto_init_dmalloc(void)
253 {
254  CRYPTO_set_mem_ex_functions(crypto_malloc,
255  crypto_realloc,
256  crypto_free);
257 }
258 #endif /* DMALLOC */
259 
261  { "AES-128-GCM", "id-aes128-GCM" },
262  { "AES-192-GCM", "id-aes192-GCM" },
263  { "AES-256-GCM", "id-aes256-GCM" },
264  { "CHACHA20-POLY1305", "ChaCha20-Poly1305" },
265 };
267  sizeof(cipher_name_translation_table) / sizeof(*cipher_name_translation_table);
268 
269 
270 static int
271 cipher_name_cmp(const void *a, const void *b)
272 {
273  const EVP_CIPHER *const *cipher_a = a;
274  const EVP_CIPHER *const *cipher_b = b;
275 
276  return strcmp(cipher_kt_name(*cipher_a), cipher_kt_name(*cipher_b));
277 }
278 
279 void
281 {
282  int nid;
283  size_t i;
284 
285  /* If we ever exceed this, we must be more selective */
286  const EVP_CIPHER *cipher_list[1000];
287  size_t num_ciphers = 0;
288 #ifndef ENABLE_SMALL
289  printf("The following ciphers and cipher modes are available for use\n"
290  "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n"
291  "parameter to the --data-ciphers (or --cipher) option. The\n"
292  "default key size is shown as well as whether or not it can be\n"
293  "changed with the --keysize directive. Using a GCM or CBC mode\n"
294  "is recommended. In static key mode only CBC mode is allowed.\n\n");
295 #endif
296 
297  for (nid = 0; nid < 10000; ++nid)
298  {
299  const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
300  if (cipher && (cipher_kt_mode_cbc(cipher)
301 #ifdef ENABLE_OFB_CFB_MODE
302  || cipher_kt_mode_ofb_cfb(cipher)
303 #endif
304  || cipher_kt_mode_aead(cipher)
305  ))
306  {
307  cipher_list[num_ciphers++] = cipher;
308  }
309  if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list)))
310  {
311  msg(M_WARN, "WARNING: Too many ciphers, not showing all");
312  break;
313  }
314  }
315 
316  /* cast to non-const to prevent warning */
317  qsort((EVP_CIPHER *)cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp);
318 
319  for (i = 0; i < num_ciphers; i++)
320  {
321  if (!cipher_kt_insecure(cipher_list[i]))
322  {
323  print_cipher(cipher_list[i]);
324  }
325  }
326 
327  printf("\nThe following ciphers have a block size of less than 128 bits, \n"
328  "and are therefore deprecated. Do not use unless you have to.\n\n");
329  for (i = 0; i < num_ciphers; i++)
330  {
331  if (cipher_kt_insecure(cipher_list[i]))
332  {
333  print_cipher(cipher_list[i]);
334  }
335  }
336  printf("\n");
337 }
338 
339 void
341 {
342  int nid;
343 
344 #ifndef ENABLE_SMALL
345  printf("The following message digests are available for use with\n"
346  PACKAGE_NAME ". A message digest is used in conjunction with\n"
347  "the HMAC function, to authenticate received packets.\n"
348  "You can specify a message digest as parameter to\n"
349  "the --auth option.\n\n");
350 #endif
351 
352  for (nid = 0; nid < 10000; ++nid)
353  {
354  const EVP_MD *digest = EVP_get_digestbynid(nid);
355  if (digest)
356  {
357  printf("%s %d bit digest size\n",
358  OBJ_nid2sn(nid), EVP_MD_size(digest) * 8);
359  }
360  }
361  printf("\n");
362 }
363 
364 void
366 {
367 #if HAVE_OPENSSL_ENGINE /* Only defined for OpenSSL */
368  ENGINE *e;
369 
370  printf("OpenSSL Crypto Engines\n\n");
371 
372  ENGINE_load_builtin_engines();
373 
374  e = ENGINE_get_first();
375  while (e)
376  {
377  printf("%s [%s]\n",
378  ENGINE_get_name(e),
379  ENGINE_get_id(e));
380  e = ENGINE_get_next(e);
381  }
382  ENGINE_cleanup();
383 #else /* if HAVE_OPENSSL_ENGINE */
384  printf("Sorry, OpenSSL hardware crypto engine functionality is not available.\n");
385 #endif
386 }
387 
388 
389 bool
390 crypto_pem_encode(const char *name, struct buffer *dst,
391  const struct buffer *src, struct gc_arena *gc)
392 {
393  bool ret = false;
394  BIO *bio = BIO_new(BIO_s_mem());
395  if (!bio || !PEM_write_bio(bio, name, "", BPTR(src), BLEN(src)))
396  {
397  ret = false;
398  goto cleanup;
399  }
400 
401  BUF_MEM *bptr;
402  BIO_get_mem_ptr(bio, &bptr);
403 
404  *dst = alloc_buf_gc(bptr->length, gc);
405  ASSERT(buf_write(dst, bptr->data, bptr->length));
406 
407  ret = true;
408 cleanup:
409  if (!BIO_free(bio))
410  {
411  ret = false;
412  }
413 
414  return ret;
415 }
416 
417 bool
418 crypto_pem_decode(const char *name, struct buffer *dst,
419  const struct buffer *src)
420 {
421  bool ret = false;
422 
423  BIO *bio = BIO_new_mem_buf((char *)BPTR(src), BLEN(src));
424  if (!bio)
425  {
426  crypto_msg(M_FATAL, "Cannot open memory BIO for PEM decode");
427  }
428 
429  char *name_read = NULL;
430  char *header_read = NULL;
431  uint8_t *data_read = NULL;
432  long data_read_len = 0;
433  if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,
434  &data_read_len))
435  {
436  dmsg(D_CRYPT_ERRORS, "%s: PEM decode failed", __func__);
437  goto cleanup;
438  }
439 
440  if (strcmp(name, name_read))
441  {
443  "%s: unexpected PEM name (got '%s', expected '%s')",
444  __func__, name_read, name);
445  goto cleanup;
446  }
447 
448  uint8_t *dst_data = buf_write_alloc(dst, data_read_len);
449  if (!dst_data)
450  {
451  dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__,
452  BCAP(dst), data_read_len);
453  goto cleanup;
454  }
455  memcpy(dst_data, data_read, data_read_len);
456 
457  ret = true;
458 cleanup:
459  OPENSSL_free(name_read);
460  OPENSSL_free(header_read);
461  OPENSSL_free(data_read);
462  if (!BIO_free(bio))
463  {
464  ret = false;
465  }
466 
467  return ret;
468 }
469 
470 /*
471  *
472  * Random number functions, used in cases where we want
473  * reasonably strong cryptographic random number generation
474  * without depleting our entropy pool. Used for random
475  * IV values and a number of other miscellaneous tasks.
476  *
477  */
478 
479 int
480 rand_bytes(uint8_t *output, int len)
481 {
482  if (unlikely(1 != RAND_bytes(output, len)))
483  {
484  crypto_msg(D_CRYPT_ERRORS, "RAND_bytes() failed");
485  return 0;
486  }
487  return 1;
488 }
489 
490 /*
491  *
492  * Key functions, allow manipulation of keys.
493  *
494  */
495 
496 
497 int
498 key_des_num_cblocks(const EVP_CIPHER *kt)
499 {
500  int ret = 0;
501  const char *name = OBJ_nid2sn(EVP_CIPHER_nid(kt));
502  if (name)
503  {
504  if (!strncmp(name, "DES-", 4))
505  {
506  ret = EVP_CIPHER_key_length(kt) / sizeof(DES_cblock);
507  }
508  else if (!strncmp(name, "DESX-", 5))
509  {
510  ret = 1;
511  }
512  }
513  dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
514  return ret;
515 }
516 
517 bool
518 key_des_check(uint8_t *key, int key_len, int ndc)
519 {
520  int i;
521  struct buffer b;
522 
523  buf_set_read(&b, key, key_len);
524 
525  for (i = 0; i < ndc; ++i)
526  {
527  DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock));
528  if (!dc)
529  {
531  "CRYPTO INFO: check_key_DES: insufficient key material");
532  goto err;
533  }
534  if (DES_is_weak_key(dc))
535  {
537  "CRYPTO INFO: check_key_DES: weak key detected");
538  goto err;
539  }
540  if (!DES_check_key_parity(dc))
541  {
543  "CRYPTO INFO: check_key_DES: bad parity detected");
544  goto err;
545  }
546  }
547  return true;
548 
549 err:
550  ERR_clear_error();
551  return false;
552 }
553 
554 void
555 key_des_fixup(uint8_t *key, int key_len, int ndc)
556 {
557  int i;
558  struct buffer b;
559 
560  buf_set_read(&b, key, key_len);
561  for (i = 0; i < ndc; ++i)
562  {
563  DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock));
564  if (!dc)
565  {
566  msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material");
567  ERR_clear_error();
568  return;
569  }
570  DES_set_odd_parity(dc);
571  }
572 }
573 
574 
575 /*
576  *
577  * Generic cipher key type functions
578  *
579  */
580 
581 
582 const EVP_CIPHER *
583 cipher_kt_get(const char *ciphername)
584 {
585  const EVP_CIPHER *cipher = NULL;
586 
587  ASSERT(ciphername);
588 
589  ciphername = translate_cipher_name_from_openvpn(ciphername);
590  cipher = EVP_get_cipherbyname(ciphername);
591 
592  if (NULL == cipher)
593  {
594  crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername);
595  return NULL;
596  }
597 
598 
599  if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
600  {
601  msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "
602  "which is larger than " PACKAGE_NAME "'s current maximum key size "
603  "(%d bytes)", ciphername, EVP_CIPHER_key_length(cipher),
605  return NULL;
606  }
607 
608  return cipher;
609 }
610 
611 const char *
612 cipher_kt_name(const EVP_CIPHER *cipher_kt)
613 {
614  if (NULL == cipher_kt)
615  {
616  return "[null-cipher]";
617  }
618 
619  const char *name = EVP_CIPHER_name(cipher_kt);
621 }
622 
623 int
624 cipher_kt_key_size(const EVP_CIPHER *cipher_kt)
625 {
626  return EVP_CIPHER_key_length(cipher_kt);
627 }
628 
629 int
630 cipher_kt_iv_size(const EVP_CIPHER *cipher_kt)
631 {
632  return EVP_CIPHER_iv_length(cipher_kt);
633 }
634 
635 int
636 cipher_kt_block_size(const EVP_CIPHER *cipher)
637 {
638  /*
639  * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
640  * around that, try to replace the mode with 'CBC' and return the block size
641  * reported for that cipher, if possible. If that doesn't work, just return
642  * the value reported by OpenSSL.
643  */
644  char *name = NULL;
645  char *mode_str = NULL;
646  const char *orig_name = NULL;
647  const EVP_CIPHER *cbc_cipher = NULL;
648 
649  int block_size = EVP_CIPHER_block_size(cipher);
650 
651  orig_name = EVP_CIPHER_name(cipher);
652  if (!orig_name)
653  {
654  goto cleanup;
655  }
656 
657  name = string_alloc(translate_cipher_name_to_openvpn(orig_name), NULL);
658  mode_str = strrchr(name, '-');
659  if (!mode_str || strlen(mode_str) < 4)
660  {
661  goto cleanup;
662  }
663 
664  strcpy(mode_str, "-CBC");
665 
666  cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name));
667  if (cbc_cipher)
668  {
669  block_size = EVP_CIPHER_block_size(cbc_cipher);
670  }
671 
672 cleanup:
673  free(name);
674  return block_size;
675 }
676 
677 int
678 cipher_kt_tag_size(const EVP_CIPHER *cipher_kt)
679 {
680  if (cipher_kt_mode_aead(cipher_kt))
681  {
683  }
684  else
685  {
686  return 0;
687  }
688 }
689 
690 bool
691 cipher_kt_insecure(const EVP_CIPHER *cipher)
692 {
693  return !(cipher_kt_block_size(cipher) >= 128 / 8
694 #ifdef NID_chacha20_poly1305
695  || EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305
696 #endif
697  );
698 }
699 
700 int
701 cipher_kt_mode(const EVP_CIPHER *cipher_kt)
702 {
703  ASSERT(NULL != cipher_kt);
704  return EVP_CIPHER_mode(cipher_kt);
705 }
706 
707 bool
709 {
710  return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
711  /* Exclude AEAD cipher modes, they require a different API */
712  && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
713 }
714 
715 bool
717 {
718  return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
719  || cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
720  /* Exclude AEAD cipher modes, they require a different API */
721  && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
722 }
723 
724 bool
726 {
727  if (cipher)
728  {
729  switch (EVP_CIPHER_nid(cipher))
730  {
731  case NID_aes_128_gcm:
732  case NID_aes_192_gcm:
733  case NID_aes_256_gcm:
734 #ifdef NID_chacha20_poly1305
735  case NID_chacha20_poly1305:
736 #endif
737  return true;
738  }
739  }
740 
741  return false;
742 }
743 
744 /*
745  *
746  * Generic cipher context functions
747  *
748  */
749 
750 cipher_ctx_t *
752 {
753  EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
754  check_malloc_return(ctx);
755  return ctx;
756 }
757 
758 void
759 cipher_ctx_free(EVP_CIPHER_CTX *ctx)
760 {
761  EVP_CIPHER_CTX_free(ctx);
762 }
763 
764 void
765 cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len,
766  const EVP_CIPHER *kt, int enc)
767 {
768  ASSERT(NULL != kt && NULL != ctx);
769 
771  if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc))
772  {
773  crypto_msg(M_FATAL, "EVP cipher init #1");
774  }
775 #ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
776  if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
777  {
778  crypto_msg(M_FATAL, "EVP set key size");
779  }
780 #endif
781  if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
782  {
783  crypto_msg(M_FATAL, "EVP cipher init #2");
784  }
785 
786  /* make sure we used a big enough key */
787  ASSERT(EVP_CIPHER_CTX_key_length(ctx) <= key_len);
788 }
789 
790 int
791 cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx)
792 {
793  return EVP_CIPHER_CTX_iv_length(ctx);
794 }
795 
796 int
797 cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
798 {
799  return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf);
800 }
801 
802 int
803 cipher_ctx_block_size(const EVP_CIPHER_CTX *ctx)
804 {
805  return EVP_CIPHER_CTX_block_size(ctx);
806 }
807 
808 int
809 cipher_ctx_mode(const EVP_CIPHER_CTX *ctx)
810 {
811  return EVP_CIPHER_CTX_mode(ctx);
812 }
813 
814 const cipher_kt_t *
816 {
817  return ctx ? EVP_CIPHER_CTX_cipher(ctx) : NULL;
818 }
819 
820 
821 int
822 cipher_ctx_reset(EVP_CIPHER_CTX *ctx, const uint8_t *iv_buf)
823 {
824  return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
825 }
826 
827 int
828 cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len)
829 {
830  int len;
831  if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len))
832  {
833  crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__);
834  }
835  return 1;
836 }
837 
838 int
839 cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
840  uint8_t *src, int src_len)
841 {
842  if (!EVP_CipherUpdate(ctx, dst, dst_len, src, src_len))
843  {
844  crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__);
845  }
846  return 1;
847 }
848 
849 int
850 cipher_ctx_final(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len)
851 {
852  return EVP_CipherFinal(ctx, dst, dst_len);
853 }
854 
855 int
856 cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
857  uint8_t *tag, size_t tag_len)
858 {
859  ASSERT(tag_len < SIZE_MAX);
860  if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
861  {
862  return 0;
863  }
864 
865  return cipher_ctx_final(ctx, dst, dst_len);
866 }
867 
868 void
870  unsigned char *src,
871  unsigned char *dst)
872 {
873  DES_key_schedule sched;
874 
875  DES_set_key_unchecked((DES_cblock *)key, &sched);
876  DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT);
877 }
878 
879 /*
880  *
881  * Generic message digest information functions
882  *
883  */
884 
885 
886 const EVP_MD *
887 md_kt_get(const char *digest)
888 {
889  const EVP_MD *md = NULL;
890  ASSERT(digest);
891  md = EVP_get_digestbyname(digest);
892  if (!md)
893  {
894  crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest);
895  }
896  if (EVP_MD_size(md) > MAX_HMAC_KEY_LENGTH)
897  {
898  crypto_msg(M_FATAL, "Message hash algorithm '%s' uses a default hash "
899  "size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
900  "maximum hash size (%d bytes)",
901  digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
902  }
903  return md;
904 }
905 
906 const char *
907 md_kt_name(const EVP_MD *kt)
908 {
909  if (NULL == kt)
910  {
911  return "[null-digest]";
912  }
913  return EVP_MD_name(kt);
914 }
915 
916 unsigned char
917 md_kt_size(const EVP_MD *kt)
918 {
919  return (unsigned char)EVP_MD_size(kt);
920 }
921 
922 
923 /*
924  *
925  * Generic message digest functions
926  *
927  */
928 
929 int
930 md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst)
931 {
932  unsigned int in_md_len = 0;
933 
934  return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL);
935 }
936 
937 EVP_MD_CTX *
939 {
940  EVP_MD_CTX *ctx = EVP_MD_CTX_new();
941  check_malloc_return(ctx);
942  return ctx;
943 }
944 
945 void
946 md_ctx_free(EVP_MD_CTX *ctx)
947 {
948  EVP_MD_CTX_free(ctx);
949 }
950 
951 void
952 md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
953 {
954  ASSERT(NULL != ctx && NULL != kt);
955 
956  EVP_MD_CTX_init(ctx);
957  if (!EVP_DigestInit(ctx, kt))
958  {
959  crypto_msg(M_FATAL, "EVP_DigestInit failed");
960  }
961 }
962 
963 void
964 md_ctx_cleanup(EVP_MD_CTX *ctx)
965 {
966  EVP_MD_CTX_reset(ctx);
967 }
968 
969 int
970 md_ctx_size(const EVP_MD_CTX *ctx)
971 {
972  return EVP_MD_CTX_size(ctx);
973 }
974 
975 void
976 md_ctx_update(EVP_MD_CTX *ctx, const uint8_t *src, int src_len)
977 {
978  EVP_DigestUpdate(ctx, src, src_len);
979 }
980 
981 void
982 md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
983 {
984  unsigned int in_md_len = 0;
985 
986  EVP_DigestFinal(ctx, dst, &in_md_len);
987 }
988 
989 
990 /*
991  *
992  * Generic HMAC functions
993  *
994  */
995 
996 HMAC_CTX *
998 {
999  HMAC_CTX *ctx = HMAC_CTX_new();
1000  check_malloc_return(ctx);
1001  return ctx;
1002 }
1003 
1004 void
1005 hmac_ctx_free(HMAC_CTX *ctx)
1006 {
1007  HMAC_CTX_free(ctx);
1008 }
1009 
1010 void
1011 hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len,
1012  const EVP_MD *kt)
1013 {
1014  ASSERT(NULL != kt && NULL != ctx);
1015 
1016  HMAC_CTX_reset(ctx);
1017  if (!HMAC_Init_ex(ctx, key, key_len, kt, NULL))
1018  {
1019  crypto_msg(M_FATAL, "HMAC_Init_ex failed");
1020  }
1021 
1022  /* make sure we used a big enough key */
1023  ASSERT(HMAC_size(ctx) <= key_len);
1024 }
1025 
1026 void
1027 hmac_ctx_cleanup(HMAC_CTX *ctx)
1028 {
1029  HMAC_CTX_reset(ctx);
1030 }
1031 
1032 int
1033 hmac_ctx_size(const HMAC_CTX *ctx)
1034 {
1035  return HMAC_size(ctx);
1036 }
1037 
1038 void
1039 hmac_ctx_reset(HMAC_CTX *ctx)
1040 {
1041  if (!HMAC_Init_ex(ctx, NULL, 0, NULL, NULL))
1042  {
1043  crypto_msg(M_FATAL, "HMAC_Init_ex failed");
1044  }
1045 }
1046 
1047 void
1048 hmac_ctx_update(HMAC_CTX *ctx, const uint8_t *src, int src_len)
1049 {
1050  HMAC_Update(ctx, src, src_len);
1051 }
1052 
1053 void
1054 hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)
1055 {
1056  unsigned int in_hmac_len = 0;
1057 
1058  HMAC_Final(ctx, dst, &in_hmac_len);
1059 }
1060 
1061 int
1062 memcmp_constant_time(const void *a, const void *b, size_t size)
1063 {
1064  return CRYPTO_memcmp(a, b, size);
1065 }
1066 
1067 #if HAVE_OPENSSL_ENGINE
1068 static int
1069 ui_reader(UI *ui, UI_STRING *uis)
1070 {
1071  SSL_CTX *ctx = UI_get0_user_data(ui);
1072 
1073  if (UI_get_string_type(uis) == UIT_PROMPT)
1074  {
1075  pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
1077  char password[64];
1078 
1079  cb(password, sizeof(password), 0, d);
1080  UI_set_result(ui, uis, password);
1081 
1082  return 1;
1083  }
1084  return 0;
1085 }
1086 #endif
1087 
1088 EVP_PKEY *
1089 engine_load_key(const char *file, SSL_CTX *ctx)
1090 {
1091 #if HAVE_OPENSSL_ENGINE
1092  UI_METHOD *ui;
1093  EVP_PKEY *pkey;
1094 
1095  if (!engine_persist)
1096  {
1097  return NULL;
1098  }
1099 
1100  /* this will print out the error from BIO_read */
1101  crypto_msg(M_INFO, "PEM_read_bio failed, now trying engine method to load private key");
1102 
1103  ui = UI_create_method("openvpn");
1104  if (!ui)
1105  {
1106  crypto_msg(M_FATAL, "Engine UI creation failed");
1107  return NULL;
1108  }
1109 
1110  UI_method_set_reader(ui, ui_reader);
1111 
1112  ENGINE_init(engine_persist);
1113  pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx);
1114  ENGINE_finish(engine_persist);
1115  if (!pkey)
1116  {
1117  crypto_msg(M_FATAL, "Engine could not load key file");
1118  }
1119 
1120  UI_destroy_method(ui);
1121  return pkey;
1122 #else /* if HAVE_OPENSSL_ENGINE */
1123  return NULL;
1124 #endif /* if HAVE_OPENSSL_ENGINE */
1125 }
1126 
1127 #endif /* ENABLE_CRYPTO_OPENSSL */
int cipher_kt_tag_size(const EVP_CIPHER *cipher_kt)
void md_ctx_cleanup(EVP_MD_CTX *ctx)
#define D_CRYPT_ERRORS
Definition: errlevel.h:58
int md_ctx_size(const EVP_MD_CTX *ctx)
EVP_PKEY * engine_load_key(const char *file, SSL_CTX *ctx)
Load a key file from an engine.
mbedtls_cipher_context_t cipher_ctx_t
Generic cipher context.
bool cipher_kt_insecure(const EVP_CIPHER *cipher)
static void * SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
Fetch the default password callback user data from the SSL context.
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:685
#define D_CRYPTO_DEBUG
Definition: errlevel.h:146
int hmac_ctx_size(const HMAC_CTX *ctx)
#define M_INFO
Definition: errlevel.h:55
const size_t cipher_name_translation_table_count
int cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx)
static pem_password_cb * SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
Fetch the default password callback from the SSL context.
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
#define dmsg
Definition: error.h:174
static uint8_t * buf_read_alloc(struct buffer *buf, int size)
Definition: buffer.h:675
#define unlikely(x)
Definition: syshead.h:36
static uint8_t * buf_write_alloc(struct buffer *buf, int size)
Definition: buffer.h:656
#define OPENVPN_MODE_OFB
Cipher is in OFB mode.
void hmac_ctx_reset(HMAC_CTX *ctx)
static int cipher_name_cmp(const void *a, const void *b)
#define OPENVPN_MODE_CFB
Cipher is in CFB mode.
void show_available_ciphers(void)
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
int md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst)
const EVP_CIPHER * cipher_kt_get(const char *ciphername)
Return cipher parameters, based on the given cipher name.
#define crypto_msg(flags,...)
Retrieve any OpenSSL errors, then print the supplied error message.
void hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)
void crypto_init_lib_engine(const char *engine_name)
cipher_ctx_t * cipher_ctx_new(void)
Generic cipher functions.
const cipher_kt_t * cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
Returns the static cipher parameters for this context.
static int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
Reset a message digest context.
void md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
int cipher_kt_block_size(const EVP_CIPHER *cipher)
#define MAX_CIPHER_KEY_LENGTH
int cipher_ctx_final(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len)
void hmac_ctx_cleanup(HMAC_CTX *ctx)
int cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len)
void md_ctx_update(EVP_MD_CTX *ctx, const uint8_t *src, int src_len)
#define ASSERT(x)
Definition: error.h:221
int memcmp_constant_time(const void *a, const void *b, size_t size)
As memcmp(), but constant-time.
#define D_LOW
Definition: errlevel.h:98
void cipher_ctx_free(EVP_CIPHER_CTX *ctx)
static char * engine_name
Definition: libtestengine.c:7
#define BCAP(buf)
Definition: buffer.h:130
list flags
int len
Length in bytes of the actual content within the allocated memory.
Definition: buffer.h:66
static HMAC_CTX * HMAC_CTX_new(void)
Allocate a new HMAC context object.
HMAC_CTX * hmac_ctx_new(void)
void print_cipher(const cipher_kt_t *cipher)
Print a cipher list entry.
Definition: crypto.c:1791
static bool buf_write(struct buffer *dest, const void *src, int size)
Definition: buffer.h:689
void md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
#define BPTR(buf)
Definition: buffer.h:124
void show_available_engines(void)
bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
Decode a PEM buffer to binary data.
#define OPENVPN_MODE_CBC
Cipher is in CBC mode.
const EVP_MD * md_kt_get(const char *digest)
Return message digest parameters, based on the given digest name.
#define PACKAGE_NAME
Definition: config.h:730
const char * md_kt_name(const EVP_MD *kt)
void hmac_ctx_free(HMAC_CTX *ctx)
bool key_des_check(uint8_t *key, int key_len, int ndc)
void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, const EVP_MD *kt)
void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char *src, unsigned char *dst)
mbedtls_cipher_info_t cipher_kt_t
Generic cipher key type context.
void hmac_ctx_update(HMAC_CTX *ctx, const uint8_t *src, int src_len)
static void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
Free an existing message digest context.
int cipher_ctx_block_size(const EVP_CIPHER_CTX *ctx)
bool cipher_kt_mode_aead(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported AEAD mode cipher.
#define msg
Definition: error.h:173
const char * cipher_kt_name(const EVP_CIPHER *cipher_kt)
int cipher_kt_iv_size(const EVP_CIPHER *cipher_kt)
uint8_t * data
Pointer to the allocated memory.
Definition: buffer.h:68
#define ENABLE_OFB_CFB_MODE
Definition: config.h:65
void key_des_fixup(uint8_t *key, int key_len, int ndc)
void cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, int key_len, const EVP_CIPHER *kt, int enc)
#define MAX_HMAC_KEY_LENGTH
int cipher_ctx_mode(const EVP_CIPHER_CTX *ctx)
static int HMAC_CTX_reset(HMAC_CTX *ctx)
Reset a HMAC context.
#define BLEN(buf)
Definition: buffer.h:127
unsigned char md_kt_size(const EVP_MD *kt)
void md_ctx_free(EVP_MD_CTX *ctx)
unsigned __int8 uint8_t
Definition: config-msvc.h:159
static EVP_MD_CTX * EVP_MD_CTX_new(void)
Allocate a new message digest object.
static void HMAC_CTX_free(HMAC_CTX *ctx)
Cleanup and free an existing HMAC context.
static void check_malloc_return(const void *p)
Definition: buffer.h:1093
const cipher_name_pair cipher_name_translation_table[]
Cipher name translation table.
int cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *tag, size_t tag_len)
EVP_MD_CTX * md_ctx_new(void)
Struct used in cipher name translation table.
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
#define M_FATAL
Definition: error.h:94
const char * translate_cipher_name_to_openvpn(const char *cipher_name)
Translate a crypto library cipher name to an OpenVPN cipher name.
Definition: crypto.c:1852
int cipher_kt_key_size(const EVP_CIPHER *cipher_kt)
void crypto_clear_error(void)
const char * translate_cipher_name_from_openvpn(const char *cipher_name)
Translate a data channel cipher name from the crypto library specific name to the OpenVPN config file...
Definition: crypto.c:1839
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
Definition: buffer.c:90
int cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
#define M_WARN
Definition: error.h:96
#define free
Definition: cmocka.c:1850
void crypto_init_lib(void)
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
#define OPENVPN_AEAD_TAG_LENGTH
int cipher_ctx_reset(EVP_CIPHER_CTX *ctx, const uint8_t *iv_buf)
char * dst
Definition: compat-lz4.h:712
bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported CBC mode cipher.
void crypto_uninit_lib(void)
int key_des_num_cblocks(const EVP_CIPHER *kt)
#define EVP_CIPHER_CTX_reset
#define DES_KEY_LENGTH
void show_available_digests(void)
static void buf_set_read(struct buffer *buf, const uint8_t *data, int size)
Definition: buffer.h:335
int cipher_kt_mode(const EVP_CIPHER *cipher_kt)
bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
Check if the supplied cipher is a supported OFB or CFB mode cipher.
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
int cipher_ctx_update(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, uint8_t *src, int src_len)