OpenVPN
test_crypto.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #ifdef HAVE_CONFIG_H
25 #include "config.h"
26 #endif
27 
28 #include "syshead.h"
29 
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <stdarg.h>
33 #include <string.h>
34 #include <setjmp.h>
35 #include <cmocka.h>
36 
37 #include "crypto.h"
38 #include "crypto_epoch.h"
39 #include "options.h"
40 #include "ssl_backend.h"
41 
42 #include "mss.h"
43 #include "test_common.h"
44 
45 
46 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
47 #include <openssl/core_names.h>
48 #include <openssl/kdf.h>
49 #endif
50 
51 static const char testtext[] = "Dummy text to test PEM encoding";
52 
53 static void
54 crypto_pem_encode_decode_loopback(void **state)
55 {
56  struct gc_arena gc = gc_new();
57  struct buffer src_buf;
58  buf_set_read(&src_buf, (void *)testtext, sizeof(testtext));
59 
60  uint8_t dec[sizeof(testtext)];
61  struct buffer dec_buf;
62  buf_set_write(&dec_buf, dec, sizeof(dec));
63 
64  struct buffer pem_buf;
65 
66  assert_true(crypto_pem_encode("TESTKEYNAME", &pem_buf, &src_buf, &gc));
67  assert_true(BLEN(&src_buf) < BLEN(&pem_buf));
68 
69  /* Wrong key name */
70  assert_false(crypto_pem_decode("WRONGNAME", &dec_buf, &pem_buf));
71 
72  assert_true(crypto_pem_decode("TESTKEYNAME", &dec_buf, &pem_buf));
73  assert_int_equal(BLEN(&src_buf), BLEN(&dec_buf));
74  assert_memory_equal(BPTR(&src_buf), BPTR(&dec_buf), BLEN(&src_buf));
75 
76  gc_free(&gc);
77 }
78 
79 static void
80 test_translate_cipher(const char *ciphername, const char *openvpn_name)
81 {
82  bool cipher = cipher_valid(ciphername);
83 
84  /* Empty cipher is fine */
85  if (!cipher)
86  {
87  return;
88  }
89 
90  const char *kt_name = cipher_kt_name(ciphername);
91 
92  assert_string_equal(kt_name, openvpn_name);
93 }
94 
95 static void
96 test_cipher_names(const char *ciphername, const char *openvpn_name)
97 {
98  struct gc_arena gc = gc_new();
99  /* Go through some variants, if the cipher library accepts these, they
100  * should be normalised to the openvpn name */
101  char *upper = string_alloc(ciphername, &gc);
102  char *lower = string_alloc(ciphername, &gc);
103  char *random_case = string_alloc(ciphername, &gc);
104 
105  for (int i = 0; i < strlen(ciphername); i++)
106  {
107  upper[i] = (char)toupper((unsigned char)ciphername[i]);
108  lower[i] = (char)tolower((unsigned char)ciphername[i]);
109  if (rand() & 0x1)
110  {
111  random_case[i] = upper[i];
112  }
113  else
114  {
115  random_case[i] = lower[i];
116  }
117  }
118 
119  if (!openvpn_name)
120  {
121  openvpn_name = upper;
122  }
123 
124  test_translate_cipher(upper, openvpn_name);
125  test_translate_cipher(lower, openvpn_name);
126  test_translate_cipher(random_case, openvpn_name);
127  test_translate_cipher(ciphername, openvpn_name);
128 
129 
130  gc_free(&gc);
131 }
132 
133 static void
134 crypto_translate_cipher_names(void **state)
135 {
136  /* Test that a number of ciphers to see that they turn out correctly */
137  test_cipher_names("BF-CBC", NULL);
138  test_cipher_names("BLOWFISH-CBC", "BF-CBC");
139  test_cipher_names("Chacha20-Poly1305", NULL);
140  test_cipher_names("AES-128-GCM", NULL);
141  test_cipher_names("AES-128-CBC", NULL);
142  test_cipher_names("CAMELLIA-128-CFB128", "CAMELLIA-128-CFB");
143  test_cipher_names("id-aes256-GCM", "AES-256-GCM");
144 }
145 
146 
147 static const char *ipsumlorem = "Lorem ipsum dolor sit amet, consectetur "
148  "adipisici elit, sed eiusmod tempor incidunt "
149  "ut labore et dolore magna aliqua.";
150 
151 static void
152 crypto_test_tls_prf(void **state)
153 {
154  const char *seedstr = "Quis aute iure reprehenderit in voluptate "
155  "velit esse cillum dolore";
156  const unsigned char *seed = (const unsigned char *)seedstr;
157  const size_t seed_len = strlen(seedstr);
158 
159 
160  const unsigned char *secret = (const unsigned char *) ipsumlorem;
161  size_t secret_len = strlen((const char *)secret);
162 
163 
164  uint8_t out[32];
165  bool ret = ssl_tls1_PRF(seed, (int)seed_len, secret, (int)secret_len, out, sizeof(out));
166 
167 #if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL)
168  /* No TLS1 PRF support in these libraries */
169  assert_false(ret);
170 #else
171  assert_true(ret);
172  uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69,
173  0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb,
174  0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6,
175  0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67};
176  assert_memory_equal(good_prf, out, sizeof(out));
177 #endif
178 }
179 
180 static uint8_t testkey[20] = {0x0b, 0x00};
181 static uint8_t goodhash[20] = {0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17,
182  0xed, 0x84, 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae,
183  0x8b, 0xa7, 0x7e, 0xb8};
184 
185 static void
186 crypto_test_hmac(void **state)
187 {
188  hmac_ctx_t *hmac = hmac_ctx_new();
189 
190  assert_int_equal(md_kt_size("SHA1"), 20);
191 
192  uint8_t key[20];
193  memcpy(key, testkey, sizeof(key));
194 
195  hmac_ctx_init(hmac, key, "SHA1");
196  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
197  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
198 
199  uint8_t hash[20];
200  hmac_ctx_final(hmac, hash);
201 
202  assert_memory_equal(hash, goodhash, sizeof(hash));
203  memset(hash, 0x00, sizeof(hash));
204 
205  /* try again */
206  hmac_ctx_reset(hmac);
207  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
208  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
209  hmac_ctx_final(hmac, hash);
210 
211  assert_memory_equal(hash, goodhash, sizeof(hash));
212 
213  /* Fill our key with random data to ensure it is not used by hmac anymore */
214  memset(key, 0x55, sizeof(key));
215 
216  hmac_ctx_reset(hmac);
217  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
218  hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem));
219  hmac_ctx_final(hmac, hash);
220 
221  assert_memory_equal(hash, goodhash, sizeof(hash));
222  hmac_ctx_cleanup(hmac);
223  hmac_ctx_free(hmac);
224 }
225 
226 /* This test is in test_crypto as it calls into the functions that calculate
227  * the crypto overhead */
228 static void
229 test_occ_mtu_calculation(void **state)
230 {
231  struct gc_arena gc = gc_new();
232 
233  struct frame f = { 0 };
234  struct options o = { 0 };
235  size_t linkmtu;
236 
237  /* common defaults */
238  o.ce.tun_mtu = 1400;
239  o.ce.proto = PROTO_UDP;
240 
241  /* No crypto at all */
242  o.ciphername = "none";
243  o.authname = "none";
244  linkmtu = calc_options_string_link_mtu(&o, &f);
245  assert_int_equal(linkmtu, 1400);
246 
247  /* Static key OCC examples */
248  o.shared_secret_file = "not null";
249 
250  /* secret, auth none, cipher none */
251  o.ciphername = "none";
252  o.authname = "none";
253  linkmtu = calc_options_string_link_mtu(&o, &f);
254  assert_int_equal(linkmtu, 1408);
255 
256  /* secret, cipher AES-128-CBC, auth none */
257  o.ciphername = "AES-128-CBC";
258  o.authname = "none";
259  linkmtu = calc_options_string_link_mtu(&o, &f);
260  assert_int_equal(linkmtu, 1440);
261 
262  /* secret, cipher none, auth SHA256 */
263  o.ciphername = "none";
264  o.authname = "SHA256";
265  linkmtu = calc_options_string_link_mtu(&o, &f);
266  assert_int_equal(linkmtu, 1440);
267 
268  /* secret, cipher BF-CBC, auth SHA1 */
269  o.ciphername = "BF-CBC";
270  o.authname = "SHA1";
271  linkmtu = calc_options_string_link_mtu(&o, &f);
272  assert_int_equal(linkmtu, 1444);
273 
274  /* secret, cipher BF-CBC, auth SHA1, tcp-client */
275  o.ce.proto = PROTO_TCP_CLIENT;
276  linkmtu = calc_options_string_link_mtu(&o, &f);
277  assert_int_equal(linkmtu, 1446);
278 
279  o.ce.proto = PROTO_UDP;
280 
281 #if defined(USE_COMP)
282  o.comp.alg = COMP_ALG_LZO;
283 
284  /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1 */
285  linkmtu = calc_options_string_link_mtu(&o, &f);
286  assert_int_equal(linkmtu, 1445);
287 
288 #if defined(ENABLE_FRAGMENT)
289  /* secret, comp-lzo yes, cipher BF-CBC, auth SHA1, fragment 1200 */
290  o.ce.fragment = 1200;
291  linkmtu = calc_options_string_link_mtu(&o, &f);
292  assert_int_equal(linkmtu, 1449);
293  o.ce.fragment = 0;
294 #endif
295 
296  o.comp.alg = COMP_ALG_UNDEF;
297 #endif
298 
299  /* TLS mode */
300  o.shared_secret_file = NULL;
301  o.tls_client = true;
302  o.pull = true;
303 
304  /* tls client, cipher AES-128-CBC, auth SHA1, tls-auth */
305  o.authname = "SHA1";
306  o.ciphername = "AES-128-CBC";
307  o.tls_auth_file = "dummy";
308 
309  linkmtu = calc_options_string_link_mtu(&o, &f);
310  assert_int_equal(linkmtu, 1457);
311 
312  /* tls client, cipher AES-128-CBC, auth SHA1 */
313  o.tls_auth_file = NULL;
314 
315  linkmtu = calc_options_string_link_mtu(&o, &f);
316  assert_int_equal(linkmtu, 1457);
317 
318  /* tls client, cipher none, auth none */
319  o.authname = "none";
320  o.ciphername = "none";
321 
322  linkmtu = calc_options_string_link_mtu(&o, &f);
323  assert_int_equal(linkmtu, 1405);
324 
325  /* tls client, auth SHA1, cipher AES-256-GCM */
326  o.authname = "SHA1";
327  o.ciphername = "AES-256-GCM";
328  linkmtu = calc_options_string_link_mtu(&o, &f);
329  assert_int_equal(linkmtu, 1449);
330 
331 
332 #if defined(USE_COMP) && defined(ENABLE_FRAGMENT)
333  o.comp.alg = COMP_ALG_LZO;
334 
335  /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes */
336  o.ce.fragment = 1200;
337  linkmtu = calc_options_string_link_mtu(&o, &f);
338  assert_int_equal(linkmtu, 1454);
339 
340  /* tls client, auth SHA1, cipher AES-256-GCM, fragment, comp-lzo yes, socks */
341  o.ce.socks_proxy_server = "socks.example.com";
342  linkmtu = calc_options_string_link_mtu(&o, &f);
343  assert_int_equal(linkmtu, 1464);
344 #endif
345 
346  gc_free(&gc);
347 }
348 
349 static void
350 test_mssfix_mtu_calculation(void **state)
351 {
352  struct gc_arena gc = gc_new();
353 
354  struct frame f = { 0 };
355  struct options o = { 0 };
356 
357  /* common defaults */
358  o.ce.tun_mtu = 1400;
359  o.ce.mssfix = 1000;
360  o.ce.proto = PROTO_UDP;
361 
362  /* No crypto at all */
363  o.ciphername = "none";
364  o.authname = "none";
365  struct key_type kt;
366  init_key_type(&kt, o.ciphername, o.authname, false, false);
367 
368  /* No encryption, just packet id (8) + TCP payload(20) + IP payload(20) */
369  frame_calculate_dynamic(&f, &kt, &o, NULL);
370  assert_int_equal(f.mss_fix, 952);
371 
372  /* Static key OCC examples */
373  o.shared_secret_file = "not null";
374 
375  /* secret, auth none, cipher none */
376  o.ciphername = "none";
377  o.authname = "none";
378  init_key_type(&kt, o.ciphername, o.authname, false, false);
379  frame_calculate_dynamic(&f, &kt, &o, NULL);
380  assert_int_equal(f.mss_fix, 952);
381 
382  /* secret, cipher AES-128-CBC, auth none */
383  o.ciphername = "AES-128-CBC";
384  o.authname = "none";
385  init_key_type(&kt, o.ciphername, o.authname, false, false);
386 
387  for (int i = 990; i <= 1010; i++)
388  {
389  /* 992 - 1008 should end up with the same mssfix value all they
390  * all result in the same CBC block size/padding and <= 991 and >=1008
391  * should be one block less and more respectively */
392  o.ce.mssfix = i;
393  frame_calculate_dynamic(&f, &kt, &o, NULL);
394  if (i <= 991)
395  {
396  assert_int_equal(f.mss_fix, 911);
397  }
398  else if (i >= 1008)
399  {
400  assert_int_equal(f.mss_fix, 943);
401  }
402  else
403  {
404  assert_int_equal(f.mss_fix, 927);
405  }
406  }
407 #ifdef USE_COMP
408  o.comp.alg = COMP_ALG_LZO;
409 
410  /* Same but with compression added. Compression adds one byte extra to the
411  * payload so the payload should be reduced by compared to the no
412  * compression calculation before */
413  for (int i = 990; i <= 1010; i++)
414  {
415  /* 992 - 1008 should end up with the same mssfix value all they
416  * all result in the same CBC block size/padding and <= 991 and >=1008
417  * should be one block less and more respectively */
418  o.ce.mssfix = i;
419  frame_calculate_dynamic(&f, &kt, &o, NULL);
420  if (i <= 991)
421  {
422  assert_int_equal(f.mss_fix, 910);
423  }
424  else if (i >= 1008)
425  {
426  assert_int_equal(f.mss_fix, 942);
427  }
428  else
429  {
430  assert_int_equal(f.mss_fix, 926);
431  }
432  }
433  o.comp.alg = COMP_ALG_UNDEF;
434 #endif /* ifdef USE_COMP */
435 
436  /* tls client, auth SHA1, cipher AES-256-GCM */
437  o.authname = "SHA1";
438  o.ciphername = "AES-256-GCM";
439  o.tls_client = true;
440  o.peer_id = 77;
441  o.use_peer_id = true;
442  init_key_type(&kt, o.ciphername, o.authname, true, false);
443 
444  for (int i = 900; i <= 1200; i++)
445  {
446  /* For stream ciphers, the value should not be influenced by block
447  * sizes or similar but always have the same difference */
448  o.ce.mssfix = i;
449  frame_calculate_dynamic(&f, &kt, &o, NULL);
450 
451  /* 4 byte opcode/peerid, 4 byte pkt ID, 16 byte tag, 40 TCP+IP */
452  assert_int_equal(f.mss_fix, i - 4 - 4 - 16 - 40);
453  }
454 
455  gc_free(&gc);
456 }
457 
458 void
459 crypto_test_aead_limits(void **state)
460 {
461  /* if ChaCha20-Poly1305 is not supported by the crypto library or in the
462  * current mode (FIPS), this will still return -1 */
463  assert_int_equal(cipher_get_aead_limits("CHACHA20-POLY1305"), 0);
464 
465  int64_t aeslimit = cipher_get_aead_limits("AES-128-GCM");
466 
467  assert_int_equal(aeslimit, (1ull << 36) - 1);
468 
469  /* Check if this matches our exception for 1600 size packets assuming
470  * AEAD_LIMIT_BLOCKSIZE (128 bits/ 16 bytes). Gives us 100 blocks
471  * + 1 for the packet */
472  int64_t L = 101;
473  /* 2 ^ 29.34, using the result here to avoid linking to libm */
474  assert_int_equal(aeslimit / L, 680390858);
475 
476  /* and for 9000, 2^26.86 */
477  L = 563;
478  assert_int_equal(aeslimit / L, 122059461);
479 }
480 
481 void
482 crypto_test_hkdf_expand_testa1(void **state)
483 {
484  /* RFC 5889 A.1 Test Case 1 */
485  uint8_t prk[32] =
486  {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
487  0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
488  0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
489  0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
490 
491  uint8_t info[10] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
492  0xf6, 0xf7, 0xf8, 0xf9};
493 
494  uint8_t okm[42] =
495  {0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
496  0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
497  0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
498  0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
499  0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
500  0x58, 0x65};
501 
502  uint8_t out[42];
503  ovpn_hkdf_expand(prk, info, sizeof(info), out, sizeof(out));
504 
505  assert_memory_equal(out, okm, sizeof(out));
506 }
507 
508 void
509 crypto_test_hkdf_expand_testa2(void **state)
510 {
511  /* RFC 5889 A.2 Test Case 2 */
512  uint8_t prk[32] =
513  {0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a,
514  0x06, 0x10, 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c,
515  0xef, 0x76, 0x00, 0x14, 0x90, 0x46, 0x71, 0x01,
516  0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f, 0xc2, 0x44};
517 
518  uint8_t info[80] =
519  {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7,
520  0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
521  0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7,
522  0xc8, 0xc9, 0xca, 0xcb, 0xcc, 0xcd, 0xce, 0xcf,
523  0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
524  0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf,
525  0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
526  0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
527  0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
528  0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd, 0xfe, 0xff};
529 
530  const int L = 82;
531  uint8_t okm[82] =
532  {0xb1, 0x1e, 0x39, 0x8d, 0xc8, 0x03, 0x27, 0xa1,
533  0xc8, 0xe7, 0xf7, 0x8c, 0x59, 0x6a, 0x49, 0x34,
534  0x4f, 0x01, 0x2e, 0xda, 0x2d, 0x4e, 0xfa, 0xd8,
535  0xa0, 0x50, 0xcc, 0x4c, 0x19, 0xaf, 0xa9, 0x7c,
536  0x59, 0x04, 0x5a, 0x99, 0xca, 0xc7, 0x82, 0x72,
537  0x71, 0xcb, 0x41, 0xc6, 0x5e, 0x59, 0x0e, 0x09,
538  0xda, 0x32, 0x75, 0x60, 0x0c, 0x2f, 0x09, 0xb8,
539  0x36, 0x77, 0x93, 0xa9, 0xac, 0xa3, 0xdb, 0x71,
540  0xcc, 0x30, 0xc5, 0x81, 0x79, 0xec, 0x3e, 0x87,
541  0xc1, 0x4c, 0x01, 0xd5, 0xc1, 0xf3, 0x43, 0x4f,
542  0x1d, 0x87};
543 
544  uint8_t out[82] = {0xaa};
545  ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
546 
547  assert_memory_equal(out, okm, L);
548 }
549 
550 void
551 crypto_test_hkdf_expand_testa3(void **state)
552 {
553  /* RFC 5889 A.3 Test Case 3 */
554  uint8_t prk[32] =
555  {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16,
556  0x7f, 0x33, 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf,
557  0x96, 0x59, 0x67, 0x76, 0xaf, 0xdb, 0x63, 0x77,
558  0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c, 0xcb, 0x04};
559 
560  uint8_t info[] = {};
561 
562  int L = 42;
563  uint8_t okm[42] =
564  {0x8d, 0xa4, 0xe7, 0x75, 0xa5, 0x63, 0xc1, 0x8f,
565  0x71, 0x5f, 0x80, 0x2a, 0x06, 0x3c, 0x5a, 0x31,
566  0xb8, 0xa1, 0x1f, 0x5c, 0x5e, 0xe1, 0x87, 0x9e,
567  0xc3, 0x45, 0x4e, 0x5f, 0x3c, 0x73, 0x8d, 0x2d,
568  0x9d, 0x20, 0x13, 0x95, 0xfa, 0xa4, 0xb6, 0x1a,
569  0x96, 0xc8};
570 
571  uint8_t out[42];
572  ovpn_hkdf_expand(prk, info, 0, out, L);
573 
574  assert_memory_equal(out, okm, L);
575 }
576 
577 void
578 crypto_test_hkdf_expand_test_ovpn(void **state)
579 {
580  /* tests the HDKF with a label/okm that OpenVPN itself uses in OpenSSL 3
581  * HDKF unit test*/
582 
583  uint8_t prk[32] =
584  {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
585  0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
586  0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
587  0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
588 
589  uint8_t info[18] =
590  {0x00, 0x1b, 0x0e, 0x6f, 0x76, 0x70, 0x6e, 0x20,
591  0x75, 0x6e, 0x69, 0x74, 0x20, 0x74, 0x65, 0x73,
592  0x74, 0x00};
593 
594  int L = 27;
595  uint8_t okm[27] =
596  {0x87, 0x5a, 0x8e, 0xec, 0x18, 0x55, 0x63, 0x80,
597  0xb8, 0xd9, 0x33, 0xed, 0x32, 0x3c, 0x2d, 0xf8,
598  0xe8, 0xec, 0xcf, 0x49, 0x72, 0xe6, 0x83, 0xf0,
599  0x6a, 0x83, 0xac };
600 
601  uint8_t out[27];
602  ovpn_hkdf_expand(prk, info, sizeof(info), out, L);
603 
604  assert_memory_equal(out, okm, L);
605 }
606 
607 void
608 crypto_test_ovpn_label_expand(void **state)
609 {
610  uint8_t secret[32] =
611  {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
612  0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
613  0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
614  0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
615 
616  const uint8_t *label = (const uint8_t *) ("unit test");
617  uint8_t out[16];
618  ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out, sizeof(out));
619 
620  uint8_t out_expected[16] =
621  {0x18, 0x5e, 0xaa, 0x1c, 0x7f, 0x22, 0x8a, 0xb8,
622  0xeb, 0x29, 0x77, 0x32, 0x14, 0xd9, 0x20, 0x46};
623 
624  assert_memory_equal(out, out_expected, 16);
625 }
626 
627 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
628 /* We have OpenSSL 3.0+, we test if their implementation matches our
629  * implementation. We currently do not use this code from the crypto library
630  * in the main code yet as we don't want to repeat the mess that the current
631  * openvpn_PRF ifdef maze */
632 
633 bool
634 ossl_expand_label(const uint8_t *secret, size_t secret_len,
635  const uint8_t *label, size_t label_len,
636  const uint8_t *context, size_t context_len,
637  uint8_t *out, uint16_t out_len)
638 {
639  OSSL_LIB_CTX *libctx = NULL;
640  const char *properties = NULL;
641 
642  const uint8_t *label_prefix = (const uint8_t *) ("ovpn ");
643  const size_t label_prefix_len = 5;
644 
645  EVP_KDF *kdf = EVP_KDF_fetch(libctx, OSSL_KDF_NAME_TLS1_3_KDF, properties);
646  assert_non_null(kdf);
647 
648  const char *mdname = "SHA-256";
649 
650  size_t hashlen = SHA256_DIGEST_LENGTH;
651 
652  EVP_KDF_CTX *kctx = EVP_KDF_CTX_new(kdf);
653  assert_non_null(kctx);
654 
655  OSSL_PARAM params[7];
656  OSSL_PARAM *p = params;
657 
658  int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
659 
660  *p++ = OSSL_PARAM_construct_int(OSSL_KDF_PARAM_MODE, &mode);
661  *p++ = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST,
662  (char *) mdname, 0);
663  *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_KEY,
664  (unsigned char *) secret, hashlen);
665  *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_PREFIX,
666  (unsigned char *) label_prefix,
667  label_prefix_len);
668  *p++ = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_LABEL,
669  (unsigned char *) label, label_len);
670 
671  *p++ = OSSL_PARAM_construct_end();
672 
673  int ret = EVP_KDF_derive(kctx, out, out_len, params);
674  EVP_KDF_CTX_free(kctx);
675  EVP_KDF_free(kdf);
676 
677  assert_int_equal(ret, 1);
678  return true;
679 }
680 
681 void
682 crypto_test_ovpn_expand_openssl3(void **state)
683 {
684  uint8_t secret[32] =
685  {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf,
686  0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63,
687  0x90, 0xb6, 0xc7, 0x3b, 0xb5, 0x0f, 0x9c, 0x31,
688  0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5};
689 
690  const uint8_t *label = (const uint8_t *) ("unit test");
691  const size_t labellen = 9;
692  uint8_t out[27];
693 
694  ossl_expand_label(secret, sizeof(secret), label, labellen, NULL, 0, out, sizeof(out));
695 
696  /* Do the same derivation with our own function */
697  uint8_t out_ovpn[27];
698 
699  ovpn_expand_label(secret, sizeof(secret), label, 9, NULL, 0, out_ovpn, sizeof(out_ovpn));
700  assert_memory_equal(out_ovpn, out, sizeof(out_ovpn));
701 }
702 
703 #else /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
704 void
705 crypto_test_ovpn_expand_openssl3(void **state)
706 {
707  skip();
708 }
709 #endif /* if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L */
710 
711 struct epoch_test_state
712 {
713  struct key_type kt;
714  struct gc_arena gc;
715  struct crypto_options co;
716 };
717 
718 static int
719 crypto_test_epoch_setup(void **state)
720 {
721  int *num_future_keys = (int *)*state;
722  struct epoch_test_state *data = calloc(1, sizeof(struct epoch_test_state));
723 
724  data->gc = gc_new();
725 
726  init_key_type(&data->kt, "AES-128-GCM", "none", true, false);
727 
728  /* have an epoch key that uses 0x23 for the key for all bytes */
729  struct epoch_key epoch1send = { .epoch = 1, .epoch_key = {0x23} };
730  struct epoch_key epoch1recv = { .epoch = 1, .epoch_key = {0x27} };
731 
732  epoch_init_key_ctx(&data->co, &data->kt, &epoch1send,
733  &epoch1recv, *num_future_keys);
734 
735  *state = data;
736  return 0;
737 }
738 
739 static int
740 crypto_test_epoch_teardown(void **state)
741 {
742  struct epoch_test_state *data = *state;
743  free_epoch_key_ctx(&data->co);
744  free_key_ctx_bi(&data->co.key_ctx_bi);
745  gc_free(&data->gc);
746  free(*state);
747  return 0;
748 }
749 
750 void
751 crypto_test_epoch_key_generation(void **state)
752 {
753  struct epoch_test_state *data = *state;
754  struct crypto_options *co = &data->co;
755 
756  /* check the keys look like expect */
757  assert_int_equal(co->epoch_data_keys_future[0].epoch, 2);
758  assert_int_equal(co->epoch_data_keys_future[15].epoch, 17);
759  assert_int_equal(co->epoch_key_send.epoch, 1);
760  assert_int_equal(co->epoch_key_recv.epoch, 17);
761 
762  /* Now replace the recv key with the 6th future key (epoch = 8) */
763  free_key_ctx(&co->key_ctx_bi.decrypt);
764  assert_int_equal(co->epoch_data_keys_future[6].epoch, 8);
765  co->key_ctx_bi.decrypt = co->epoch_data_keys_future[6];
766  CLEAR(co->epoch_data_keys_future[6]);
767 
768  epoch_generate_future_receive_keys(co);
769  assert_int_equal(co->epoch_data_keys_future[0].epoch, 9);
770  assert_int_equal(co->epoch_data_keys_future[15].epoch, 24);
771 }
772 
773 
774 void
775 crypto_test_epoch_key_rotation(void **state)
776 {
777  struct epoch_test_state *data = *state;
778  struct crypto_options *co = &data->co;
779 
780  /* should replace send + key recv */
781  epoch_replace_update_recv_key(co, 9);
782 
783  assert_int_equal(co->key_ctx_bi.decrypt.epoch, 9);
784  assert_int_equal(co->key_ctx_bi.encrypt.epoch, 9);
785  assert_int_equal(co->epoch_key_send.epoch, 9);
786  assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 1);
787 
788  /* Iterate the data send key four times to get it to 13 */
789  for (int i = 0; i < 4; i++)
790  {
791  epoch_iterate_send_key(co);
792  }
793  assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
794 
795  epoch_replace_update_recv_key(co, 10);
796  assert_int_equal(co->key_ctx_bi.decrypt.epoch, 10);
797  assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
798  assert_int_equal(co->epoch_key_send.epoch, 13);
799  assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 9);
800 
801  epoch_replace_update_recv_key(co, 12);
802  assert_int_equal(co->key_ctx_bi.decrypt.epoch, 12);
803  assert_int_equal(co->key_ctx_bi.encrypt.epoch, 13);
804  assert_int_equal(co->epoch_key_send.epoch, 13);
805  assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 10);
806 
807  epoch_iterate_send_key(co);
808  assert_int_equal(co->key_ctx_bi.encrypt.epoch, 14);
809 }
810 
811 void
812 crypto_test_epoch_key_receive_lookup(void **state)
813 {
814  struct epoch_test_state *data = *state;
815  struct crypto_options *co = &data->co;
816 
817  /* lookup some wacky things that should fail */
818  assert_null(epoch_lookup_decrypt_key(co, 2000));
819  assert_null(epoch_lookup_decrypt_key(co, -1));
820  assert_null(epoch_lookup_decrypt_key(co, 0xefff));
821 
822  /* Lookup the edges of the current window */
823  assert_null(epoch_lookup_decrypt_key(co, 0));
824  assert_int_equal(co->epoch_retiring_data_receive_key.epoch, 0);
825  assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
826  assert_int_equal(epoch_lookup_decrypt_key(co, 2)->epoch, 2);
827  assert_int_equal(epoch_lookup_decrypt_key(co, 13)->epoch, 13);
828  assert_int_equal(epoch_lookup_decrypt_key(co, 14)->epoch, 14);
829  assert_null(epoch_lookup_decrypt_key(co, 15));
830 
831  /* Should move 1 to retiring key but leave 2-6 undefined, 7 as
832  * active and 8-20 as future keys*/
833  epoch_replace_update_recv_key(co, 7);
834 
835  assert_null(epoch_lookup_decrypt_key(co, 0));
836  assert_int_equal(epoch_lookup_decrypt_key(co, 1)->epoch, 1);
837  assert_ptr_equal(epoch_lookup_decrypt_key(co, 1), &co->epoch_retiring_data_receive_key);
838 
839  assert_null(epoch_lookup_decrypt_key(co, 2));
840  assert_null(epoch_lookup_decrypt_key(co, 3));
841  assert_null(epoch_lookup_decrypt_key(co, 4));
842  assert_null(epoch_lookup_decrypt_key(co, 5));
843  assert_null(epoch_lookup_decrypt_key(co, 6));
844  assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
845  assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
846  assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
847  assert_null(epoch_lookup_decrypt_key(co, 21));
848  assert_null(epoch_lookup_decrypt_key(co, 22));
849 
850 
851  /* Should move 7 to retiring key and have 8 as active key and
852  * 9-21 as future keys */
853  epoch_replace_update_recv_key(co, 8);
854  assert_null(epoch_lookup_decrypt_key(co, 0));
855  assert_null(epoch_lookup_decrypt_key(co, 1));
856  assert_null(epoch_lookup_decrypt_key(co, 2));
857  assert_null(epoch_lookup_decrypt_key(co, 3));
858  assert_null(epoch_lookup_decrypt_key(co, 4));
859  assert_null(epoch_lookup_decrypt_key(co, 5));
860  assert_null(epoch_lookup_decrypt_key(co, 6));
861  assert_int_equal(epoch_lookup_decrypt_key(co, 7)->epoch, 7);
862  assert_ptr_equal(epoch_lookup_decrypt_key(co, 7), &co->epoch_retiring_data_receive_key);
863  assert_int_equal(epoch_lookup_decrypt_key(co, 8)->epoch, 8);
864  assert_int_equal(epoch_lookup_decrypt_key(co, 20)->epoch, 20);
865  assert_int_equal(epoch_lookup_decrypt_key(co, 21)->epoch, 21);
866  assert_null(epoch_lookup_decrypt_key(co, 22));
867  assert_null(epoch_lookup_decrypt_key(co, 23));
868 }
869 
870 void
871 crypto_test_epoch_key_overflow(void **state)
872 {
873  struct epoch_test_state *data = *state;
874  struct crypto_options *co = &data->co;
875 
876  /* Modify the receive epoch and keys to have a very high epoch to test
877  * the end of array. Iterating through all 65k keys takes a 2-3s, so we
878  * avoid this for the unit test */
879  co->key_ctx_bi.decrypt.epoch = 65500;
880  co->key_ctx_bi.encrypt.epoch = 65500;
881 
882  co->epoch_key_send.epoch = 65500;
883  co->epoch_key_recv.epoch = 65500 + co->epoch_data_keys_future_count;
884 
885  for (uint16_t i = 0; i < co->epoch_data_keys_future_count; i++)
886  {
887  co->epoch_data_keys_future[i].epoch = 65501 + i;
888  }
889 
890  /* Move the last few keys until we are close to the limit */
891  while (co->key_ctx_bi.decrypt.epoch < (UINT16_MAX - 40))
892  {
893  epoch_replace_update_recv_key(co, co->key_ctx_bi.decrypt.epoch + 10);
894  }
895 
896  /* Looking up this key should still work as it will not break the limit
897  * when generating keys */
898  assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 34)->epoch, UINT16_MAX - 34);
899  assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
900 
901  /* This key is no longer eligible for decrypting as the 32 future keys
902  * would be larger than uint16_t maximum */
903  assert_int_equal(co->epoch_data_keys_future_count, 32);
904  assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - co->epoch_data_keys_future_count));
905  assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
906 
907  /* Check that moving to the last possible epoch works */
908  epoch_replace_update_recv_key(co, UINT16_MAX - 33);
909  assert_int_equal(epoch_lookup_decrypt_key(co, UINT16_MAX - 33)->epoch, UINT16_MAX - 33);
910  assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX - 32));
911  assert_null(epoch_lookup_decrypt_key(co, UINT16_MAX));
912 }
913 
914 void
915 epoch_test_derive_data_key(void **state)
916 {
917  struct epoch_key e17 = { .epoch = 17, .epoch_key = { 19, 12 }};
918  struct key_type kt = { 0 };
919  struct key_parameters key_parameters = { 0 };
920  init_key_type(&kt, "AES-192-GCM", "none", true, false);
921 
922 
923  epoch_data_key_derive(&key_parameters, &e17, &kt);
924 
925  assert_int_equal(key_parameters.cipher_size, 24);
926  assert_int_equal(key_parameters.hmac_size, 12);
927 
928  uint8_t exp_cipherkey[24] =
929  {0xed, 0x85, 0x33, 0xdb, 0x1c, 0x28, 0xac, 0xe4,
930  0x18, 0xe9, 0x00, 0x6a, 0xb2, 0x9c, 0x17, 0x41,
931  0x7d, 0x60, 0xeb, 0xe6, 0xcd, 0x90, 0xbf, 0x0a};
932 
933  uint8_t exp_impl_iv[12] =
934  {0x86, 0x89, 0x0a, 0xab, 0xf0, 0x32, 0xcb, 0x59, 0xf4, 0xcf, 0xa3, 0x4e};
935 
936  assert_memory_equal(key_parameters.cipher, exp_cipherkey, sizeof(exp_cipherkey));
937  assert_memory_equal(key_parameters.hmac, exp_impl_iv, sizeof(exp_impl_iv));
938 }
939 
940 int
941 main(void)
942 {
943  int prestate_num13 = 13;
944  int prestate_num16 = 16;
945  int prestate_num32 = 32;
946 
947  openvpn_unit_test_setup();
948  const struct CMUnitTest tests[] = {
949  cmocka_unit_test(crypto_pem_encode_decode_loopback),
950  cmocka_unit_test(crypto_translate_cipher_names),
951  cmocka_unit_test(crypto_test_tls_prf),
952  cmocka_unit_test(crypto_test_hmac),
953  cmocka_unit_test(test_occ_mtu_calculation),
954  cmocka_unit_test(test_mssfix_mtu_calculation),
955  cmocka_unit_test(crypto_test_aead_limits),
956  cmocka_unit_test(crypto_test_hkdf_expand_testa1),
957  cmocka_unit_test(crypto_test_hkdf_expand_testa2),
958  cmocka_unit_test(crypto_test_hkdf_expand_testa3),
959  cmocka_unit_test(crypto_test_hkdf_expand_test_ovpn),
960  cmocka_unit_test(crypto_test_ovpn_label_expand),
961  cmocka_unit_test(crypto_test_ovpn_expand_openssl3),
962  cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_generation,
963  crypto_test_epoch_setup,
964  crypto_test_epoch_teardown,
965  &prestate_num16),
966  cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_rotation,
967  crypto_test_epoch_setup,
968  crypto_test_epoch_teardown,
969  &prestate_num13),
970  cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_receive_lookup,
971  crypto_test_epoch_setup,
972  crypto_test_epoch_teardown,
973  &prestate_num13),
974  cmocka_unit_test_prestate_setup_teardown(crypto_test_epoch_key_overflow,
975  crypto_test_epoch_setup,
976  crypto_test_epoch_teardown,
977  &prestate_num32),
978  cmocka_unit_test(epoch_test_derive_data_key)
979  };
980 
981 #if defined(ENABLE_CRYPTO_OPENSSL)
982  OpenSSL_add_all_algorithms();
983 #endif
984 
985  int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL);
986 
987 #if defined(ENABLE_CRYPTO_OPENSSL)
988  EVP_cleanup();
989 #endif
990 
991  return ret;
992 }
crypto_options::epoch_data_keys_future
struct key_ctx * epoch_data_keys_future
Keeps the future epoch data keys for decryption.
Definition: crypto.h:321
free_epoch_key_ctx
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
Definition: crypto_epoch.c:338
main
int main(void)
Definition: test_crypto.c:941
cipher_valid
static bool cipher_valid(const char *ciphername)
Returns if the cipher is valid, based on the given cipher name.
Definition: crypto_backend.h:205
hmac_ctx_cleanup
void hmac_ctx_cleanup(hmac_ctx_t *ctx)
crypto_test_aead_limits
void crypto_test_aead_limits(void **state)
Definition: test_crypto.c:459
epoch_init_key_ctx
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
Definition: crypto_epoch.c:353
connection_entry::mssfix
int mssfix
Definition: options.h:142
compress_options::alg
int alg
Definition: comp.h:68
options::use_peer_id
bool use_peer_id
Definition: options.h:701
ssl_backend.h
gc_new
static struct gc_arena gc_new(void)
Definition: buffer.h:1025
hmac_ctx_t
mbedtls_md_context_t hmac_ctx_t
Generic HMAC context.
Definition: crypto_mbedtls.h:48
epoch_iterate_send_key
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in cryptio_options->key_ctx_bi to use the next epoch.
Definition: crypto_epoch.c:275
crypto_test_epoch_teardown
static int crypto_test_epoch_teardown(void **state)
Definition: test_crypto.c:740
connection_entry::socks_proxy_server
const char * socks_proxy_server
Definition: options.h:121
crypto_test_tls_prf
static void crypto_test_tls_prf(void **state)
Definition: test_crypto.c:152
epoch_replace_update_recv_key
void epoch_replace_update_recv_key(struct crypto_options *co, uint16_t new_epoch)
This is called when the peer uses a new send key that is not the default key.
Definition: crypto_epoch.c:284
context
Contains all state information for one tunnel.
Definition: openvpn.h:473
hash
Definition: list.h:56
test_common.h
epoch_test_state
Definition: test_crypto.c:711
options::authname
const char * authname
Definition: options.h:579
options::tls_client
bool tls_client
Definition: options.h:593
options::shared_secret_file
const char * shared_secret_file
Definition: options.h:569
testtext
static const char testtext[]
Definition: test_crypto.c:51
crypto_test_hkdf_expand_test_ovpn
void crypto_test_hkdf_expand_test_ovpn(void **state)
Definition: test_crypto.c:578
crypto_options::epoch_data_keys_future_count
uint16_t epoch_data_keys_future_count
number of keys stored in epoch_data_keys_future
Definition: crypto.h:324
key_ctx_bi::encrypt
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
Definition: crypto.h:280
options::ce
struct connection_entry ce
Definition: options.h:288
epoch_data_key_derive
void epoch_data_key_derive(struct key_parameters *key, const struct epoch_key *epoch_key, const struct key_type *kt)
Generate a data channel key pair from the epoch key.
Definition: crypto_epoch.c:145
hmac_ctx_update
void hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
crypto_options::epoch_retiring_data_receive_key
struct key_ctx epoch_retiring_data_receive_key
The old key before the sender switched to a new epoch data key.
Definition: crypto.h:327
crypto_test_hkdf_expand_testa2
void crypto_test_hkdf_expand_testa2(void **state)
Definition: test_crypto.c:509
key_parameters::hmac_size
int hmac_size
Number of bytes set in the HMac key material.
Definition: crypto.h:173
options.h
cipher_kt_name
const char * cipher_kt_name(const char *ciphername)
Retrieve a normalised string describing the cipher (e.g.
Definition: crypto_openssl.c:660
frame
Packet geometry parameters.
Definition: mtu.h:98
test_occ_mtu_calculation
static void test_occ_mtu_calculation(void **state)
Definition: test_crypto.c:229
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:151
crypto_options::epoch_key_send
struct epoch_key epoch_key_send
last epoch_key used for generation of the current send data keys.
Definition: crypto.h:301
epoch_test_state::kt
struct key_type kt
Definition: test_crypto.c:713
epoch_lookup_decrypt_key
struct key_ctx * epoch_lookup_decrypt_key(struct crypto_options *opt, uint16_t epoch)
Using an epoch, this function will try to retrieve a decryption key context that matches that epoch f...
Definition: crypto_epoch.c:375
CLEAR
#define CLEAR(x)
Definition: basic.h:33
ipsumlorem
static const char * ipsumlorem
Definition: test_crypto.c:147
free_key_ctx_bi
void free_key_ctx_bi(struct key_ctx_bi *ctx)
Definition: crypto.c:1125
key_ctx::epoch
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
Definition: crypto.h:227
string_alloc
char * string_alloc(const char *str, struct gc_arena *gc)
Definition: buffer.c:649
test_translate_cipher
static void test_translate_cipher(const char *ciphername, const char *openvpn_name)
Definition: test_crypto.c:80
testkey
static uint8_t testkey[20]
Definition: test_crypto.c:180
PROTO_TCP_CLIENT
@ PROTO_TCP_CLIENT
Definition: socket.h:571
crypto_options::epoch_key_recv
struct epoch_key epoch_key_recv
epoch_key used for the highest receive epoch keys
Definition: crypto.h:304
crypto_test_epoch_key_overflow
void crypto_test_epoch_key_overflow(void **state)
Definition: test_crypto.c:871
test_cipher_names
static void test_cipher_names(const char *ciphername, const char *openvpn_name)
Definition: test_crypto.c:96
BLEN
#define BLEN(buf)
Definition: buffer.h:127
epoch_generate_future_receive_keys
void epoch_generate_future_receive_keys(struct crypto_options *co)
Generates and fills the epoch_data_keys_future with next valid future keys in crypto_options using th...
Definition: crypto_epoch.c:213
options::comp
struct compress_options comp
Definition: options.h:411
calc_options_string_link_mtu
size_t calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
Calculate the link-mtu to advertise to our peer.
Definition: mtu.c:152
frame_calculate_dynamic
void frame_calculate_dynamic(struct frame *frame, struct key_type *kt, const struct options *options, struct link_socket_info *lsi)
Set the –mssfix option.
Definition: mss.c:335
COMP_ALG_UNDEF
#define COMP_ALG_UNDEF
Definition: comp.h:47
crypto_translate_cipher_names
static void crypto_translate_cipher_names(void **state)
Definition: test_crypto.c:134
options::tls_auth_file
const char * tls_auth_file
Definition: options.h:663
crypto_test_ovpn_expand_openssl3
void crypto_test_ovpn_expand_openssl3(void **state)
Definition: test_crypto.c:705
goodhash
static uint8_t goodhash[20]
Definition: test_crypto.c:181
options
Definition: options.h:249
crypto.h
crypto_test_epoch_key_receive_lookup
void crypto_test_epoch_key_receive_lookup(void **state)
Definition: test_crypto.c:812
key_parameters::cipher
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
Definition: crypto.h:164
md_kt_size
unsigned char md_kt_size(const char *mdname)
Returns the size of the message digest, in bytes.
Definition: crypto_openssl.c:1095
crypto_pem_encode_decode_loopback
static void crypto_pem_encode_decode_loopback(void **state)
Definition: test_crypto.c:54
hmac_ctx_final
void hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
epoch_test_state::co
struct crypto_options co
Definition: test_crypto.c:715
hmac_ctx_reset
void hmac_ctx_reset(hmac_ctx_t *ctx)
hmac_ctx_free
void hmac_ctx_free(hmac_ctx_t *ctx)
key_type
Definition: crypto.h:140
crypto_test_hkdf_expand_testa1
void crypto_test_hkdf_expand_testa1(void **state)
Definition: test_crypto.c:482
syshead.h
BPTR
#define BPTR(buf)
Definition: buffer.h:124
crypto_test_epoch_key_rotation
void crypto_test_epoch_key_rotation(void **state)
Definition: test_crypto.c:775
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
crypto_pem_encode
bool crypto_pem_encode(const char *name, struct buffer *dst, const struct buffer *src, struct gc_arena *gc)
Encode binary data as PEM.
Definition: crypto_openssl.c:503
buf_set_write
static void buf_set_write(struct buffer *buf, uint8_t *data, int size)
Definition: buffer.h:331
cipher_get_aead_limits
uint64_t cipher_get_aead_limits(const char *ciphername)
Check if the cipher is an AEAD cipher and needs to be limited to a certain number of number of blocks...
Definition: crypto.c:353
key_parameters::hmac
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Definition: crypto.h:170
openvpn_unit_test_setup
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
Definition: test_common.h:36
free_key_ctx
void free_key_ctx(struct key_ctx *ctx)
Definition: crypto.c:1106
key_parameters
internal structure similar to struct key that holds key information but is not represented on wire an...
Definition: crypto.h:162
epoch_key
Definition: crypto.h:191
epoch_test_state::gc
struct gc_arena gc
Definition: test_crypto.c:714
options::peer_id
uint32_t peer_id
Definition: options.h:702
SHA256_DIGEST_LENGTH
#define SHA256_DIGEST_LENGTH
Definition: crypto_mbedtls.h:79
crypto_test_epoch_setup
static int crypto_test_epoch_setup(void **state)
Definition: test_crypto.c:719
crypto_pem_decode
bool crypto_pem_decode(const char *name, struct buffer *dst, const struct buffer *src)
Decode a PEM buffer to binary data.
Definition: crypto_openssl.c:531
gc_free
static void gc_free(struct gc_arena *a)
Definition: buffer.h:1033
crypto_test_epoch_key_generation
void crypto_test_epoch_key_generation(void **state)
Definition: test_crypto.c:751
epoch_key::epoch
uint16_t epoch
Definition: crypto.h:193
mss.h
crypto_test_ovpn_label_expand
void crypto_test_ovpn_label_expand(void **state)
Definition: test_crypto.c:608
crypto_options::key_ctx_bi
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
Definition: crypto.h:293
ovpn_hkdf_expand
void ovpn_hkdf_expand(const uint8_t *secret, const uint8_t *info, int info_len, uint8_t *out, int out_len)
Implementation of the RFC5869 HKDF-Expand function with the following restrictions.
Definition: crypto_epoch.c:43
config.h
hmac_ctx_new
hmac_ctx_t * hmac_ctx_new(void)
Definition: crypto_openssl.c:1187
connection_entry::fragment
int fragment
Definition: options.h:139
connection_entry::proto
int proto
Definition: options.h:107
epoch_test_derive_data_key
void epoch_test_derive_data_key(void **state)
Definition: test_crypto.c:915
hmac_ctx_init
void hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, const char *mdname)
init_key_type
void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn)
Initialize a key_type structure with.
Definition: crypto.c:893
ovpn_expand_label
bool ovpn_expand_label(const uint8_t *secret, size_t secret_len, const uint8_t *label, size_t label_len, const uint8_t *context, size_t context_len, uint8_t *out, uint16_t out_len)
Variant of the RFC 8446 TLS 1.3 HKDF-Expand-Label function with the following differences/restriction...
Definition: crypto_epoch.c:78
crypto_epoch.h
crypto_test_hkdf_expand_testa3
void crypto_test_hkdf_expand_testa3(void **state)
Definition: test_crypto.c:551
crypto_test_hmac
static void crypto_test_hmac(void **state)
Definition: test_crypto.c:186
COMP_ALG_LZO
#define COMP_ALG_LZO
Definition: comp.h:49
connection_entry::tun_mtu
int tun_mtu
Definition: options.h:125
options::ciphername
const char * ciphername
Definition: options.h:573
OSSL_LIB_CTX
void OSSL_LIB_CTX
Definition: openssl_compat.h:130
key_ctx_bi::decrypt
struct key_ctx decrypt
cipher and/or HMAC contexts for receiving direction.
Definition: crypto.h:282
http-client.f
string f
Definition: http-client.py:6
test_mssfix_mtu_calculation
static void test_mssfix_mtu_calculation(void **state)
Definition: test_crypto.c:350
ssl_tls1_PRF
bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)
Calculates the TLS 1.0-1.1 PRF function.
Definition: crypto_openssl.c:1410
key_parameters::cipher_size
int cipher_size
Number of bytes set in the cipher key material.
Definition: crypto.h:167
buf_set_read
static void buf_set_read(struct buffer *buf, const uint8_t *data, size_t size)
Definition: buffer.h:348
options::pull
bool pull
Definition: options.h:556
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:291
PROTO_UDP
@ PROTO_UDP
Definition: socket.h:568
gc
struct gc_arena gc
Definition: test_ssl.c:155
Generated by   doxygen 1.8.17