OpenVPN
test_crypto.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#ifdef HAVE_CONFIG_H
25#include "config.h"
26#endif
27
28#include "syshead.h"
29
30#include <stdio.h>
31#include <stdlib.h>
32#include <stdarg.h>
33#include <string.h>
34#include <setjmp.h>
35#include <cmocka.h>
36
37#include "crypto.h"
38#include "crypto_epoch.h"
39#include "options.h"
40#include "ssl_backend.h"
41
42#include "mss.h"
43#include "test_common.h"
44
45
46#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
47#include <openssl/core_names.h>
48#include <openssl/kdf.h>
49#endif
50
51static const char testtext[] = "Dummy text to test PEM encoding";
52
53static void
54crypto_pem_encode_decode_loopback(void **state)
55{
56 struct gc_arena gc = gc_new();
57 struct buffer src_buf;
58 buf_set_read(&src_buf, (void *)testtext, sizeof(testtext));
59
60 uint8_t dec[sizeof(testtext)];
61 struct buffer dec_buf;
62 buf_set_write(&dec_buf, dec, sizeof(dec));
63
64 struct buffer pem_buf;
65
66 assert_true(crypto_pem_encode("TESTKEYNAME", &pem_buf, &src_buf, &gc));
67 assert_true(BLEN(&src_buf) < BLEN(&pem_buf));
68
69 /* Wrong key name */
70 assert_false(crypto_pem_decode("WRONGNAME", &dec_buf, &pem_buf));
71
72 assert_true(crypto_pem_decode("TESTKEYNAME", &dec_buf, &pem_buf));
73 assert_int_equal(BLEN(&src_buf), BLEN(&dec_buf));
74 assert_memory_equal(BPTR(&src_buf), BPTR(&dec_buf), BLEN(&src_buf));
75
76 gc_free(&gc);
77}
78
79static void
80test_translate_cipher(const char *ciphername, const char *openvpn_name)
81{
82 bool cipher = cipher_valid(ciphername);
83
84 /* Empty cipher is fine */
85 if (!cipher)
86 {
87 return;
88 }
89
90 const char *kt_name = cipher_kt_name(ciphername);
91
92 assert_string_equal(kt_name, openvpn_name);
93}
94
95static void
96test_cipher_names(const char *ciphername, const char *openvpn_name)
97{
98 struct gc_arena gc = gc_new();
99 /* Go through some variants, if the cipher library accepts these, they
100 * should be normalised to the openvpn name */
101 char *upper = string_alloc(ciphername, &gc);
102 char *lower = string_alloc(ciphername, &gc);
103 char *random_case = string_alloc(ciphername, &gc);
104
105 for (int i = 0; i < strlen(ciphername); i++)
106 {
107 upper[i] = (char)toupper((unsigned char)ciphername[i]);
108 lower[i] = (char)tolower((unsigned char)ciphername[i]);
109 if (rand() & 0x1)
110 {
111 random_case[i] = upper[i];
112 }
113 else
114 {
115 random_case[i] = lower[i];
116 }
117 }
118
119 if (!openvpn_name)
120 {
121 openvpn_name = upper;
122 }
123
124 test_translate_cipher(upper, openvpn_name);
125 test_translate_cipher(lower, openvpn_name);
126 test_translate_cipher(random_case, openvpn_name);
127 test_translate_cipher(ciphername, openvpn_name);
128
129
130 gc_free(&gc);
131}
132
133static void
134crypto_translate_cipher_names(void **state)
135{
136 /* Test that a number of ciphers to see that they turn out correctly */
137 test_cipher_names("BF-CBC", NULL);
138 test_cipher_names("BLOWFISH-CBC", "BF-CBC");
139 test_cipher_names("Chacha20-Poly1305", NULL);
140 test_cipher_names("AES-128-GCM", NULL);
141 test_cipher_names("AES-128-CBC", NULL);
142 test_cipher_names("CAMELLIA-128-CFB128", "CAMELLIA-128-CFB");
143 test_cipher_names("id-aes256-GCM", "AES-256-GCM");
144}
145
146
147static const char *ipsumlorem = "Lorem ipsum dolor sit amet, consectetur "
148 "adipisici elit, sed eiusmod tempor incidunt "
149 "ut labore et dolore magna aliqua.";
150
151static void
152crypto_test_tls_prf(void **state)
153{
154 const char *seedstr = "Quis aute iure reprehenderit in voluptate "
155 "velit esse cillum dolore";
156 const unsigned char *seed = (const unsigned char *)seedstr;
157 const size_t seed_len = strlen(seedstr);
158
159
160 const unsigned char *secret = (const unsigned char *) ipsumlorem;
161 size_t secret_len = strlen((const char *)secret);
162
163
164 uint8_t out[32];
165 bool ret = ssl_tls1_PRF(seed, (int)seed_len, secret, (int)secret_len, out, sizeof(out));
166
167#if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL)
168 /* No TLS1 PRF support in these libraries */
169 assert_false(ret);
170#else
171 assert_true(ret);
172 uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69,
173 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb,
174 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6,
175 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67};
176 assert_memory_equal(good_prf, out, sizeof(out));
177#endif
178}
179
180static uint8_t testkey[20] = {0x0b, 0x00};
181static uint8_t goodhash[20] = {0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17,
182 0xed, 0x84, 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae,
183 0x8b, 0xa7, 0x7e, 0xb8};
184
185static void
186crypto_test_hmac(void **state)
187{
188 hmac_ctx_t *hmac = hmac_ctx_new();
189
190 assert_int_equal(md_kt_size("SHA1"), 20);
191
192 uint8_t key[20];
193 memcpy(key, testkey, sizeof(key));
194
195 hmac_ctx_init(hmac, key, "SHA1");
196 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
197 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
198
199 uint8_t hash[20];
200 hmac_ctx_final(hmac, hash);
201
202 assert_memory_equal(hash, goodhash, sizeof(hash));
203 memset(hash, 0x00, sizeof(hash));
204
205 /* try again */
206 hmac_ctx_reset(hmac);
207 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
208 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
209 hmac_ctx_final(hmac, hash);
210
211 assert_memory_equal(hash, goodhash, sizeof(hash));
212
213 /* Fill our key with random data to ensure it is not used by hmac anymore */
214 memset(key, 0x55, sizeof(key));
215
216 hmac_ctx_reset(hmac);
217 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
218 hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
219 hmac_ctx_final(hmac, hash);
220
221 assert_memory_equal(hash, goodhash, sizeof(hash));
222 hmac_ctx_cleanup(hmac);
223 hmac_ctx_free(hmac);
224}
225
226/* This test is in test_crypto as it calls into the functions that calculate
227 * the crypto overhead */
228static void
229test_occ_mtu_calculation(void **state)
230{
231 struct gc_arena gc = gc_new();
232
233 struct frame f = { 0 };
234 struct options o = { 0 };
235 size_t linkmtu;
236
237 /* common defaults */
238 o.ce.tun_mtu = 1400;
239 o.ce.proto = PROTO_UDP;
240
241 /* No crypto at all */
242 o.ciphername = "none";
243 o.authname = "none";
244 linkmtu = calc_options_string_link_mtu(&o, &f);
245 assert_int_equal(linkmtu, 1400);
246
247 /* Static key OCC examples */
248 o.shared_secret_file = "not null";
249
250 /* secret, auth none, cipher none */
251 o.ciphername = "none";
252 o.authname = "none";
253 linkmtu = calc_options_string_link_mtu(&o, &f);
254 assert_int_equal(linkmtu, 1408);
255
256 /* secret, cipher AES-128-CBC, auth none */
257 o.ciphername = "AES-128-CBC";
258 o.authname = "none";
259 linkmtu = calc_options_string_link_mtu(&o, &f);
260 assert_int_equal(linkmtu, 1440);
261
262 /* secret, cipher none, auth SHA256 */
263 o.ciphername = "none";
264 o.authname = "SHA256";
265 linkmtu = calc_options_string_link_mtu(&o, &f);
266 assert_int_equal(linkmtu, 1440);
267
268 /* secret, cipher BF-CBC, auth SHA1 */
269 o.ciphername = "BF-CBC";
270 o.authname = "SHA1";
271 linkmtu = calc_options_string_link_mtu(&o, &f);
272 assert_int_equal(linkmtu, 1444);
273
274 /* secret, cipher BF-CBC, auth SHA1, tcp-client */
275 o.ce.proto = PROTO_TCP_CLIENT;
276 linkmtu = calc_options_string_link_mtu(&o, &f);
277 assert_int_equal(linkmtu, 1446);
278
279 o.ce.proto = PROTO_UDP;
280
281#if defined(USE_COMP)
282 o.comp.alg = COMP_ALG_LZO;
283
284 /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1 */
285 linkmtu = calc_options_string_link_mtu(&o, &f);
286 assert_int_equal(linkmtu, 1445);
287
288#if defined(ENABLE_FRAGMENT)
289 /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1, fragment 1200 */
290 o.ce.fragment = 1200;
291 linkmtu = calc_options_string_link_mtu(&o, &f);
292 assert_int_equal(linkmtu, 1449);
293 o.ce.fragment = 0;
294#endif
295
296 o.comp.alg = COMP_ALG_UNDEF;
297#endif
298
299 /* TLS mode */
300 o.shared_secret_file = NULL;
301 o.tls_client = true;
302 o.pull = true;
303
304 /* tls client, cipher AES-128-CBC, auth SHA1, tls-auth */
305 o.authname = "SHA1";
306 o.ciphername = "AES-128-CBC";
307 o.tls_auth_file = "dummy";
308
309 linkmtu = calc_options_string_link_mtu(&o, &f);
310 assert_int_equal(linkmtu, 1457);
311
312 /* tls client, cipher AES-128-CBC, auth SHA1 */
313 o.tls_auth_file = NULL;
314
315 linkmtu = calc_options_string_link_mtu(&o, &f);
316 assert_int_equal(linkmtu, 1457);
317
318 /* tls client, cipher none, auth none */
319 o.authname = "none";
320 o.ciphername = "none";
321
322 linkmtu = calc_options_string_link_mtu(&o, &f);
323 assert_int_equal(linkmtu, 1405);
324
325 /* tls client, auth SHA1, cipher AES-256-GCM */
326 o.authname = "SHA1";
327 o.ciphername = "AES-256-GCM";
328 linkmtu = calc_options_string_link_mtu(&o, &f);
329 assert_int_equal(linkmtu, 1449);
330
331
332#if defined(USE_COMP) && defined(ENABLE_FRAGMENT)
333 o.comp.alg = COMP_ALG_LZO;
334
335 /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes */
336 o.ce.fragment = 1200;
337 linkmtu = calc_options_string_link_mtu(&o, &f);
338 assert_int_equal(linkmtu, 1454);
339
340 /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes, socks */
341 o.ce.socks_proxy_server = "socks.example.com";
342 linkmtu = calc_options_string_link_mtu(&o, &f);
343 assert_int_equal(linkmtu, 1464);
344#endif
345
346 gc_free(&gc);
347}
348
349static void
350test_mssfix_mtu_calculation(void **state)
351{
352 struct gc_arena gc = gc_new();
353
354 struct frame f = { 0 };
355 struct options o = { 0 };
356
357 /* common defaults */
358 o.ce.tun_mtu = 1400;
359 o.ce.mssfix = 1000;
360 o.ce.proto = PROTO_UDP;
361
362 /* No crypto at all */
363 o.ciphername = "none";
364 o.authname = "none";
365 struct key_type kt;
366 init_key_type(&kt, o.ciphername, o.authname, false, false);
367
368 /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */
369 frame_calculate_dynamic(&f, &kt, &o, NULL);
370 assert_int_equal(f.mss_fix, 952);
371
372 /* Static key OCC examples */
373 o.shared_secret_file = "not null";
374
375 /* secret, auth none, cipher none */
376 o.ciphername = "none";
377 o.authname = "none";
378 init_key_type(&kt, o.ciphername, o.authname, false, false);
379 frame_calculate_dynamic(&f, &kt, &o, NULL);
380 assert_int_equal(f.mss_fix, 952);
381
382 /* secret, cipher AES-128-CBC, auth none */
383 o.ciphername = "AES-128-CBC";
384 o.authname = "none";
385 init_key_type(&kt, o.ciphername, o.authname, false, false);
386
387 for (int i = 990; i <= 1010; i++)
388 {
389 /* 992 - 1008 should end up with the same mssfix value all they
390 * all result in the same CBC block size/padding and <= 991 and >=1008
391 * should be one block less and more respectively */
392 o.ce.mssfix = i;
393 frame_calculate_dynamic(&f, &kt, &o, NULL);
394 if (i <= 991)
395 {
396 assert_int_equal(f.mss_fix, 911);
397 }
398 else if (i >= 1008)
399 {
400 assert_int_equal(f.mss_fix, 943);
401 }
402 else
403 {
404 assert_int_equal(f.mss_fix, 927);
405 }
406 }
407#ifdef USE_COMP
408 o.comp.alg = COMP_ALG_LZO;
409
410 /* Same but with compression added. Compression adds one byte extra to the
411 * payload so the payload should be reduced by compared to the no
412 * compression calculation before */
413 for (int i = 990; i <= 1010; i++)
414 {
415 /* 992 - 1008 should end up with the same mssfix value all they
416 * all result in the same CBC block size/padding and <= 991 and >=1008
417 * should be one block less and more respectively */
418 o.ce.mssfix = i;
419 frame_calculate_dynamic(&f, &kt, &o, NULL);
420 if (i <= 991)
421 {
422 assert_int_equal(f.mss_fix, 910);
423 }
424 else if (i >= 1008)
425 {
426 assert_int_equal(f.mss_fix, 942);
427 }
428 else
429 {
430 assert_int_equal(f.mss_fix, 926);
431 }
432 }
433 o.comp.alg = COMP_ALG_UNDEF;
434#endif /* ifdef USE_COMP */
435
436 /* tls client, auth SHA1, cipher AES-256-GCM */
437 o.authname = "SHA1";
438 o.ciphername = "AES-256-GCM";
439 o.tls_client = true;
440 o.peer_id = 77;
441 o.use_peer_id = true;
442 init_key_type(&kt, o.ciphername, o.authname, true, false);
443
444 for (int i = 900; i <= 1200; i++)
445 {
446 /* For stream ciphers, the value should not be influenced by block
447 * sizes or similar but always have the same difference */
448 o.ce.mssfix = i;
449 frame_calculate_dynamic(&f, &kt, &o, NULL);
450
451 /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */
452 assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
453 }
454
455 gc_free(&gc);
456}
457
458void
459crypto_test_aead_limits(void **state)
460{
461 /* if ChaCha20-Poly1305 is not supported by the crypto library or in the
462 * current mode (FIPS), this will still return -1 */
463 assert_int_equal(cipher_get_aead_limits("CHACHA20-POLY1305"), 0);
464
465 int64_t aeslimit = cipher_get_aead_limits("AES-128-GCM");
466
467 assert_int_equal(aeslimit, (1ull << 36) - 1);
468
469 /* Check if this matches our exception for 1600 size packets assuming
470 * AEAD_LIMIT_BLOCKSIZE (128 bits/ 16 bytes). Gives us 100 blocks
471 * + 1 for the packet */
472 int64_t L = 101;
473 /* 2 ^ 29.34, using the result here to avoid linking to libm */
474 assert_int_equal(aeslimit / L, 680390858);
475
476 /* and for 9000, 2^26.86 */
477 L = 563;
478 assert_int_equal(aeslimit / L, 122059461);
479}
480
481void
482crypto_test_hkdf_expand_testa1(void **state)
483{
484 /* RFC 5889 A.1 Test Case 1 */
485 uint8_t prk[32] =
486 {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
487 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
488 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
489 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
490
491 uint8_t info[10] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
492 0xf6, 0xf7, 0xf8, 0xf9};
493
494 uint8_t okm[42] =
495 {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
496 0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
497 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
498 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
499 0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
500 0x58, 0x65};
501
502 uint8_t out[42];
503 ovpn_hkdf_expand(prk, info, sizeof(info), out, sizeof(out));
504
505 assert_memory_equal(out, okm, sizeof(out));
506}
507
508void
509crypto_test_hkdf_expand_testa2(void **state)
510{
511 /* RFC 5889 A.2 Test Case 2 */
512 uint8_t prk[32] =
513 {0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
514 0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
515 0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
516 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44};
517
518 uint8_t info[80] =
519 {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
520 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
521 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
522 0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
523 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
524 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
525 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
526 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
527 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
528 0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff};
529
530 const int L = 82;
531 uint8_t okm[82] =
532 {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
533 0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
534 0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
535 0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
536 0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
537 0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
538 0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
539 0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
540 0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
541 0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
542 0x1d, 0x87};
543
544 uint8_t out[82] = {0xaa};
545 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
546
547 assert_memory_equal(out, okm, L);
548}
549
550void
551crypto_test_hkdf_expand_testa3(void **state)
552{
553 /* RFC 5889 A.3 Test Case 3 */
554 uint8_t prk[32] =
555 {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16,
556 0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf,
557 0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77,
558 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04};
559
560 uint8_t info[] = {};
561
562 int L = 42;
563 uint8_t okm[42] =
564 {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
565 0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
566 0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
567 0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
568 0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
569 0x96, 0xc8};
570
571 uint8_t out[42];
572 ovpn_hkdf_expand(prk, info, 0, out, L);
573
574 assert_memory_equal(out, okm, L);
575}
576
577void
578crypto_test_hkdf_expand_test_ovpn(void **state)
579{
580 /* tests the HDKF with a label/okm that OpenVPN itself uses in OpenSSL 3
581 * HDKF unit test*/
582
583 uint8_t prk[32] =
584 {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
585 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
586 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
587 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
588
589 uint8_t info[18] =
590 {0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20,
591 0x75, 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73,
592 0x74, 0x00};
593
594 int L = 27;
595 uint8_t okm[27] =
596 {0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80,
597 0xb8, 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8,
598 0xe8, 0xec, 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0,
599 0x6a, 0x83, 0xac };
600
601 uint8_t out[27];
602 ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
603
604 assert_memory_equal(out, okm, L);
605}
606
607void
608crypto_test_ovpn_label_expand(void **state)
609{
610 uint8_t secret[32] =
611 {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
612 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
613 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
614 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
615
616 const uint8_t *label = (const uint8_t *) ("unit test");
617 uint8_t out[16];
618 ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out, sizeof(out));
619
620 uint8_t out_expected[16] =
621 {0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
622 0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46};
623
624 assert_memory_equal(out, out_expected, 16);
625}
626
627#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
628/* We have OpenSSL 3.0+, we test if their implementation matches our
629 * implementation. We currently do not use this code from the crypto library
630 * in the main code yet as we don't want to repeat the mess that the current
631 * openvpn_PRF ifdef maze */
632
633bool
634ossl_expand_label(const uint8_t *secret, size_t secret_len,
635 const uint8_t *label, size_t label_len,
636 const uint8_t *context, size_t context_len,
637 uint8_t *out, uint16_t out_len)
638{
639 OSSL_LIB_CTX *libctx = NULL;
640 const char *properties = NULL;
641
642 const uint8_t *label_prefix = (const uint8_t *) ("ovpn ");
643 const size_t label_prefix_len = 5;
644
645 EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, properties);
646 assert_non_null(kdf);
647
648 const char *mdname = "SHA-256";
649
650 size_t hashlen = SHA256_DIGEST_LENGTH;
651
652 EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
653 assert_non_null(kctx);
654
655 OSSL_PARAM params[7];
656 OSSL_PARAM *p = params;
657
658 int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
659
660 *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
661 *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
662 (char *) mdname, 0);
663 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
664 (unsigned char *) secret, hashlen);
665 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
666 (unsigned char *) label_prefix,
667 label_prefix_len);
668 *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
669 (unsigned char *) label, label_len);
670
671 *p++ = OSSL_PARAM_construct_end();
672
673 int ret = EVP_KDF_derive(kctx, out, out_len, params);
674 EVP_KDF_CTX_free(kctx);
675 EVP_KDF_free(kdf);
676
677 assert_int_equal(ret, 1);
678 return true;
679}
680
681void
682crypto_test_ovpn_expand_openssl3(void **state)
683{
684 uint8_t secret[32] =
685 {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
686 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
687 0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
688 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
689
690 const uint8_t *label = (const uint8_t *) ("unit test");
691 const size_t labellen = 9;
692 uint8_t out[27];
693
694 ossl_expand_label(secret, sizeof(secret), label, labellen, NULL, 0, out, sizeof(out));
695
696 /* Do the same derivation with our own function */
697 uint8_t out_ovpn[27];
698
699 ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out_ovpn, sizeof(out_ovpn));
700 assert_memory_equal(out_ovpn, out, sizeof(out_ovpn));
701}
702
703#else /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
704void
705crypto_test_ovpn_expand_openssl3(void **state)
706{
707 skip();
708}
709#endif /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
710
711struct epoch_test_state
712{
713 struct key_type kt;
714 struct gc_arena gc;
715 struct crypto_options co;
716};
717
718static int
719crypto_test_epoch_setup(void **state)
720{
721 int *num_future_keys = (int *)*state;
722 struct epoch_test_state *data = calloc(1, sizeof(struct epoch_test_state));
723
724 data->gc = gc_new();
725
726 init_key_type(&data->kt, "AES-128-GCM", "none", true, false);
727
728 /* have an epoch key that uses 0x23 for the key for all bytes */
729 struct epoch_key epoch1send = { .epoch = 1, .epoch_key = {0x23} };
730 struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = {0x27} };
731
732 epoch_init_key_ctx(&data->co, &data->kt, &epoch1send,
733 &epoch1recv, *num_future_keys);
734
735 *state = data;
736 return 0;
737}
738
739static int
740crypto_test_epoch_teardown(void **state)
741{
742 struct epoch_test_state *data = *state;
743 free_epoch_key_ctx(&data->co);
744 free_key_ctx_bi(&data->co.key_ctx_bi);
745 gc_free(&data->gc);
746 free(*state);
747 return 0;
748}
749
750void
751crypto_test_epoch_key_generation(void **state)
752{
753 struct epoch_test_state *data = *state;
754 struct crypto_options *co = &data->co;
755
756 /* check the keys look like expect */
757 assert_int_equal(co->epoch_data_keys_future[0].epoch, 2);
758 assert_int_equal(co->epoch_data_keys_future[15].epoch, 17);
759 assert_int_equal(co->epoch_key_send.epoch, 1);
760 assert_int_equal(co->epoch_key_recv.epoch, 17);
761
762 /* Now replace the recv key with the 6th future key (epoch = 8) */
763 free_key_ctx(&co->key_ctx_bi.decrypt);
764 assert_int_equal(co->epoch_data_keys_future[6].epoch, 8);
765 co->key_ctx_bi.decrypt = co->epoch_data_keys_future[6];
766 CLEAR(co->epoch_data_keys_future[6]);
767
768 epoch_generate_future_receive_keys(co);
769 assert_int_equal(co->epoch_data_keys_future[0].epoch, 9);
770 assert_int_equal(co->epoch_data_keys_future[15].epoch, 24);
771}
772
773
774void
775crypto_test_epoch_key_rotation(void **state)
776{
777 struct epoch_test_state *data = *state;
778 struct crypto_options *co = &data->co;
779
780 /* should replace send + key recv */
781 epoch_replace_update_recv_key(co, 9);
782
783 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 9);
784 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 9);
785 assert_int_equal(co->epoch_key_send.epoch, 9);
786 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 1);
787
788 /* Iterate the data send key four times to get it to 13 */
789 for (int i = 0; i < 4; i++)
790 {
791 epoch_iterate_send_key(co);
792 }
793 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
794
795 epoch_replace_update_recv_key(co, 10);
796 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 10);
797 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
798 assert_int_equal(co->epoch_key_send.epoch, 13);
799 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 9);
800
801 epoch_replace_update_recv_key(co, 12);
802 assert_int_equal(co->key_ctx_bi.decrypt.epoch, 12);
803 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
804 assert_int_equal(co->epoch_key_send.epoch, 13);
805 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 10);
806
807 epoch_iterate_send_key(co);
808 assert_int_equal(co->key_ctx_bi.encrypt.epoch, 14);
809}
810
811void
812crypto_test_epoch_key_receive_lookup(void **state)
813{
814 struct epoch_test_state *data = *state;
815 struct crypto_options *co = &data->co;
816
817 /* lookup some wacky things that should fail */
818 assert_null(epoch_lookup_decrypt_key(co, 2000));
819 assert_null(epoch_lookup_decrypt_key(co, -1));
820 assert_null(epoch_lookup_decrypt_key(co, 0xefff));
821
822 /* Lookup the edges of the current window */
823 assert_null(epoch_lookup_decrypt_key(co, 0));
824 assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 0);
825 assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
826 assert_int_equal(epoch_lookup_decrypt_key(co, 2)->epoch, 2);
827 assert_int_equal(epoch_lookup_decrypt_key(co, 13)->epoch, 13);
828 assert_int_equal(epoch_lookup_decrypt_key(co, 14)->epoch, 14);
829 assert_null(epoch_lookup_decrypt_key(co, 15));
830
831 /* Should move 1 to retiring key but leave 2-6 undefined, 7 as
832 * active and 8-20 as future keys*/
833 epoch_replace_update_recv_key(co, 7);
834
835 assert_null(epoch_lookup_decrypt_key(co, 0));
836 assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
837 assert_ptr_equal(epoch_lookup_decrypt_key(co, 1), &co->epoch_retiring_data_receive_key);
838
839 assert_null(epoch_lookup_decrypt_key(co, 2));
840 assert_null(epoch_lookup_decrypt_key(co, 3));
841 assert_null(epoch_lookup_decrypt_key(co, 4));
842 assert_null(epoch_lookup_decrypt_key(co, 5));
843 assert_null(epoch_lookup_decrypt_key(co, 6));
844 assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
845 assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
846 assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
847 assert_null(epoch_lookup_decrypt_key(co, 21));
848 assert_null(epoch_lookup_decrypt_key(co, 22));
849
850
851 /* Should move 7 to retiring key and have 8 as active key and
852 * 9-21 as future keys */
853 epoch_replace_update_recv_key(co, 8);
854 assert_null(epoch_lookup_decrypt_key(co, 0));
855 assert_null(epoch_lookup_decrypt_key(co, 1));
856 assert_null(epoch_lookup_decrypt_key(co, 2));
857 assert_null(epoch_lookup_decrypt_key(co, 3));
858 assert_null(epoch_lookup_decrypt_key(co, 4));
859 assert_null(epoch_lookup_decrypt_key(co, 5));
860 assert_null(epoch_lookup_decrypt_key(co, 6));
861 assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
862 assert_ptr_equal(epoch_lookup_decrypt_key(co, 7), &co->epoch_retiring_data_receive_key);
863 assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
864 assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
865 assert_int_equal(epoch_lookup_decrypt_key(co, 21)->epoch, 21);
866 assert_null(epoch_lookup_decrypt_key(co, 22));
867 assert_null(epoch_lookup_decrypt_key(co, 23));
868}
869
870void
871crypto_test_epoch_key_overflow(void **state)
872{
873 struct epoch_test_state *data = *state;
874 struct crypto_options *co = &data->co;
875
876 /* Modify the receive epoch and keys to have a very high epoch to test
877 * the end of array. Iterating through all 65k keys takes a 2-3s, so we
878 * avoid this for the unit test */
879 co->key_ctx_bi.decrypt.epoch = 65500;
880 co->key_ctx_bi.encrypt.epoch = 65500;
881
882 co->epoch_key_send.epoch = 65500;
883 co->epoch_key_recv.epoch = 65500 + co->epoch_data_keys_future_count;
884
885 for (uint16_t i = 0; i < co->epoch_data_keys_future_count; i++)
886 {
887 co->epoch_data_keys_future[i].epoch = 65501 + i;
888 }
889
890 /* Move the last few keys until we are close to the limit */
891 while (co->key_ctx_bi.decrypt.epoch < (UINT16_MAX - 40))
892 {
893 epoch_replace_update_recv_key(co, co->key_ctx_bi.decrypt.epoch + 10);
894 }
895
896 /* Looking up this key should still work as it will not break the limit
897 * when generating keys */
898 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 34)->epoch, UINT16_MAX - 34);
899 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
900
901 /* This key is no longer eligible for decrypting as the 32 future keys
902 * would be larger than uint16_t maximum */
903 assert_int_equal(co->epoch_data_keys_future_count, 32);
904 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - co->epoch_data_keys_future_count));
905 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
906
907 /* Check that moving to the last possible epoch works */
908 epoch_replace_update_recv_key(co, UINT16_MAX - 33);
909 assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
910 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - 32));
911 assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
912}
913
914void
915epoch_test_derive_data_key(void **state)
916{
917 struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 }};
918 struct key_type kt = { 0 };
919 struct key_parameters key_parameters = { 0 };
920 init_key_type(&kt, "AES-192-GCM", "none", true, false);
921
922
923 epoch_data_key_derive(&key_parameters, &e17, &kt);
924
925 assert_int_equal(key_parameters.cipher_size, 24);
926 assert_int_equal(key_parameters.hmac_size, 12);
927
928 uint8_t exp_cipherkey[24] =
929 {0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
930 0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
931 0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a};
932
933 uint8_t exp_impl_iv[12] =
934 {0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32, 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e};
935
936 assert_memory_equal(key_parameters.cipher, exp_cipherkey, sizeof(exp_cipherkey));
937 assert_memory_equal(key_parameters.hmac, exp_impl_iv, sizeof(exp_impl_iv));
938}
939
940int
941main(void)
942{
943 int prestate_num13 = 13;
944 int prestate_num16 = 16;
945 int prestate_num32 = 32;
946
947 openvpn_unit_test_setup();
948 const struct CMUnitTest tests[] = {
949 cmocka_unit_test(crypto_pem_encode_decode_loopback),
950 cmocka_unit_test(crypto_translate_cipher_names),
951 cmocka_unit_test(crypto_test_tls_prf),
952 cmocka_unit_test(crypto_test_hmac),
953 cmocka_unit_test(test_occ_mtu_calculation),
954 cmocka_unit_test(test_mssfix_mtu_calculation),
955 cmocka_unit_test(crypto_test_aead_limits),
956 cmocka_unit_test(crypto_test_hkdf_expand_testa1),
957 cmocka_unit_test(crypto_test_hkdf_expand_testa2),
958 cmocka_unit_test(crypto_test_hkdf_expand_testa3),
959 cmocka_unit_test(crypto_test_hkdf_expand_test_ovpn),
960 cmocka_unit_test(crypto_test_ovpn_label_expand),
961 cmocka_unit_test(crypto_test_ovpn_expand_openssl3),
962 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_generation,
963 crypto_test_epoch_setup,
964 crypto_test_epoch_teardown,
965 &prestate_num16),
966 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_rotation,
967 crypto_test_epoch_setup,
968 crypto_test_epoch_teardown,
969 &prestate_num13),
970 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_receive_lookup,
971 crypto_test_epoch_setup,
972 crypto_test_epoch_teardown,
973 &prestate_num13),
974 cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_overflow,
975 crypto_test_epoch_setup,
976 crypto_test_epoch_teardown,
977 &prestate_num32),
978 cmocka_unit_test(epoch_test_derive_data_key)
979 };
980
981#if defined(ENABLE_CRYPTO_OPENSSL)
982 OpenSSL_add_all_algorithms();
983#endif
984
985 int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL);
986
987#if defined(ENABLE_CRYPTO_OPENSSL)
988 EVP_cleanup();
989#endif
990
991 return ret;
992}
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition buffer.c:649
BPTR
#define BPTR(buf)
Definition buffer.h:124
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition buffer.h:331
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition buffer.h:348
BLEN
#define BLEN(buf)
Definition buffer.h:127
gc_free
static void gc_free(struct gc_arena *a)
Definition buffer.h:1033
gc_new
static struct gc_arena gc_new(void)
Definition buffer.h:1025
COMP_ALG_LZO
#define COMP_ALG_LZO
LZO algorithm.
Definition comp.h:57
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition comp.h:54
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition crypto.c:1125
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition crypto.c:893
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition crypto.c:353
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition crypto.c:1106
crypto.h
Data Channel Cryptography Module.
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition crypto_openssl.c:1187
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition crypto_openssl.c:1410
crypto_pem_decode
bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
Decode a PEM buffer to binary data.
Definition crypto_openssl.c:531
cipher_valid
static bool cipher_valid(const char *ciphername)
Returns if the cipher is valid, based on the given cipher name.
Definition crypto_backend.h:205
hmac_ctx_free
void hmac_ctx_free(hmac_ctx_t *ctx)
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition crypto_openssl.c:660
hmac_ctx_cleanup
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
md_kt_size
unsigned char md_kt_size(const char *mdname)
Returns the size of the message digest, in bytes.
Definition crypto_openssl.c:1095
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition crypto_openssl.c:503
ovpn_expand_label
bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the following differences/restriction...
Definition crypto_epoch.c:78
epoch_generate_future_receive_keys
void epoch_generate_future_receive_keys(struct crypto_options *co)
Generates and fills the epoch_data_keys_future with next valid future keys in crypto_options using th...
Definition crypto_epoch.c:213
epoch_replace_update_recv_key
void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
This is called when the peer uses a new send key that is not the default key.
Definition crypto_epoch.c:284
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition crypto_epoch.c:338
epoch_lookup_decrypt_key
struct key_ctx * epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch)
Using an epoch, this function will try to retrieve a decryption key context that matches that epoch f...
Definition crypto_epoch.c:375
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition crypto_epoch.c:353
epoch_data_key_derive
void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt)
Generate a data channel key pair from the epoch key.
Definition crypto_epoch.c:145
ovpn_hkdf_expand
void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, int out_len)
Implementation of the RFC5869 HKDF-Expand function with the following restrictions.
Definition crypto_epoch.c:43
epoch_iterate_send_key
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to use the next epoch.
Definition crypto_epoch.c:275
crypto_epoch.h
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition crypto_mbedtls.h:48
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition crypto_mbedtls.h:79
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition mss.c:335
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition mtu.c:152
OSSL_LIB_CTX
void OSSL_LIB_CTX
Definition openssl_compat.h:130
CLEAR
#define CLEAR(x)
Definition basic.h:33
PROTO_UDP
@ PROTO_UDP
Definition socket.h:568
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition socket.h:571
ssl_backend.h
Control Channel SSL library backend module.
buffer
Wrapper structure for dynamically allocated memory.
Definition buffer.h:61
buffer::len
int len
Length in bytes of the actual content within the allocated memory.
Definition buffer.h:66
compress_options::alg
int alg
Definition comp.h:76
connection_entry::mssfix
int mssfix
Definition options.h:142
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition options.h:121
connection_entry::fragment
int fragment
Definition options.h:139
connection_entry::proto
int proto
Definition options.h:107
connection_entry::tun_mtu
int tun_mtu
Definition options.h:125
context
Contains all state information for one tunnel.
Definition openvpn.h:476
crypto_options
Security parameter state for processing data channel packets.
Definition crypto.h:292
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition crypto.h:301
crypto_options::epoch_retiring_data_receive_key
struct key_ctx epoch_retiring_data_receive_key
The old key before the sender switched to a new epoch data key.
Definition crypto.h:327
crypto_options::epoch_data_keys_future
struct key_ctx * epoch_data_keys_future
Keeps the future epoch data keys for decryption.
Definition crypto.h:321
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition crypto.h:293
crypto_options::epoch_data_keys_future_count
uint16_t epoch_data_keys_future_count
number of keys stored in epoch_data_keys_future
Definition crypto.h:324
crypto_options::epoch_key_recv
struct epoch_key epoch_key_recv
epoch_key used for the highest receive epoch keys
Definition crypto.h:304
epoch_key
Definition crypto.h:191
epoch_key::epoch
uint16_t epoch
Definition crypto.h:193
epoch_test_state
Definition test_crypto.c:712
epoch_test_state::co
struct crypto_options co
Definition test_crypto.c:715
epoch_test_state::kt
struct key_type kt
Definition test_crypto.c:713
epoch_test_state::gc
struct gc_arena gc
Definition test_crypto.c:714
frame
Packet geometry parameters.
Definition mtu.h:98
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition buffer.h:117
hash
Definition list.h:57
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition crypto.h:282
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition crypto.h:280
key_ctx::epoch
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
Definition crypto.h:227
key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition crypto.h:162
key_parameters::hmac_size
int hmac_size
Number of bytes set in the HMac key material.
Definition crypto.h:173
key_parameters::cipher_size
int cipher_size
Number of bytes set in the cipher key material.
Definition crypto.h:167
key_parameters::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition crypto.h:170
key_parameters::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition crypto.h:164
key_type
Definition crypto.h:141
key
Container for unidirectional cipher and HMAC key material.
Definition crypto.h:152
options::comp
struct compress_options comp
Definition options.h:411
options::tls_auth_file
const char * tls_auth_file
Definition options.h:663
options::use_peer_id
bool use_peer_id
Definition options.h:701
options::authname
const char * authname
Definition options.h:579
options::peer_id
uint32_t peer_id
Definition options.h:702
options::ce
struct connection_entry ce
Definition options.h:288
options::ciphername
const char * ciphername
Definition options.h:573
options::pull
bool pull
Definition options.h:556
options::tls_client
bool tls_client
Definition options.h:593
options::shared_secret_file
const char * shared_secret_file
Definition options.h:569
test_common.h
openvpn_unit_test_setup
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
Definition test_common.h:36
crypto_test_ovpn_label_expand
void crypto_test_ovpn_label_expand(void **state)
Definition test_crypto.c:608
crypto_test_hkdf_expand_testa2
void crypto_test_hkdf_expand_testa2(void **state)
Definition test_crypto.c:509
test_mssfix_mtu_calculation
static void test_mssfix_mtu_calculation(void **state)
Definition test_crypto.c:350
crypto_test_hkdf_expand_testa1
void crypto_test_hkdf_expand_testa1(void **state)
Definition test_crypto.c:482
testkey
static uint8_t testkey[20]
Definition test_crypto.c:180
test_cipher_names
static void test_cipher_names(const char *ciphername, const char *openvpn_name)
Definition test_crypto.c:96
crypto_test_hkdf_expand_testa3
void crypto_test_hkdf_expand_testa3(void **state)
Definition test_crypto.c:551
crypto_test_ovpn_expand_openssl3
void crypto_test_ovpn_expand_openssl3(void **state)
Definition test_crypto.c:705
test_translate_cipher
static void test_translate_cipher(const char *ciphername, const char *openvpn_name)
Definition test_crypto.c:80
crypto_translate_cipher_names
static void crypto_translate_cipher_names(void **state)
Definition test_crypto.c:134
crypto_test_epoch_key_receive_lookup
void crypto_test_epoch_key_receive_lookup(void **state)
Definition test_crypto.c:812
crypto_test_epoch_key_rotation
void crypto_test_epoch_key_rotation(void **state)
Definition test_crypto.c:775
goodhash
static uint8_t goodhash[20]
Definition test_crypto.c:181
testtext
static const char testtext[]
Definition test_crypto.c:51
crypto_test_epoch_teardown
static int crypto_test_epoch_teardown(void **state)
Definition test_crypto.c:740
crypto_test_hmac
static void crypto_test_hmac(void **state)
Definition test_crypto.c:186
crypto_test_aead_limits
void crypto_test_aead_limits(void **state)
Definition test_crypto.c:459
main
int main(void)
Definition test_crypto.c:941
crypto_pem_encode_decode_loopback
static void crypto_pem_encode_decode_loopback(void **state)
Definition test_crypto.c:54
crypto_test_epoch_key_generation
void crypto_test_epoch_key_generation(void **state)
Definition test_crypto.c:751
ipsumlorem
static const char * ipsumlorem
Definition test_crypto.c:147
crypto_test_epoch_setup
static int crypto_test_epoch_setup(void **state)
Definition test_crypto.c:719
epoch_test_derive_data_key
void epoch_test_derive_data_key(void **state)
Definition test_crypto.c:915
crypto_test_epoch_key_overflow
void crypto_test_epoch_key_overflow(void **state)
Definition test_crypto.c:871
crypto_test_tls_prf
static void crypto_test_tls_prf(void **state)
Definition test_crypto.c:152
test_occ_mtu_calculation
static void test_occ_mtu_calculation(void **state)
Definition test_crypto.c:229
crypto_test_hkdf_expand_test_ovpn
void crypto_test_hkdf_expand_test_ovpn(void **state)
Definition test_crypto.c:578
gc
struct gc_arena gc
Definition test_ssl.c:155
Generated by doxygen 1.9.8