70 #if defined(ENABLE_CRYPTO_OPENSSL) && (OPENSSL_VERSION_NUMBER > 0x30000000L)
71 #define HAVE_OPENSSL_STORE
/* Test fixture: PEM certificate embedded in the unit-test source. The base64
 * of its public key (starting "C7xFoR6fmoyfsJ") also appears at the start of
 * the PRIVATE KEY literal further down, so the two form one cert/key pair.
 * NOTE(review): the gutter jumps from 106 to 108, so one base64 line is
 * missing from this rendering and the PEM as shown here is incomplete. */
88 "-----BEGIN CERTIFICATE-----\n"
89 "MIIDYzCCAkugAwIBAgIRALrXTx4lqa8QgF7uGjISxmcwDQYJKoZIhvcNAQELBQAw\n"
90 "GDEWMBQGA1UEAwwNT1ZQTiBURVNUIENBMTAgFw0yMzAzMTMxNjA5MThaGA8yMTIz\n"
91 "MDIxNzE2MDkxOFowGTEXMBUGA1UEAwwOb3Zwbi10ZXN0LXJzYTEwggEiMA0GCSqG\n"
92 "SIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7xFoR6fmoyfsJIQDKKgbYgFw0MzVuDAmp\n"
93 "Rx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/4dRR3skisBug6Vd5LXeB\n"
94 "GZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159x9FBDl5A3sLP18ubeex0\n"
95 "pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwTPnS+CRXrSq4JjGDJLsXl\n"
96 "0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIhLbG2DcIv8l29EuEj2w3j\n"
97 "u/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJcDjOZVCArAgMBAAGjgaQw\n"
98 "gaEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUqYnRaBHrZmKLtMZES5AuwqzJkGYwUwYD\n"
99 "VR0jBEwwSoAU3MLDNDOK13DqflQ8ra7FeGBXK06hHKQaMBgxFjAUBgNVBAMMDU9W\n"
100 "UE4gVEVTVCBDQTGCFD55ErHXpK2JXS3WkfBm0NB1r3vKMBMGA1UdJQQMMAoGCCsG\n"
101 "AQUFBwMCMAsGA1UdDwQEAwIHgDANBgkqhkiG9w0BAQsFAAOCAQEAZVcXrezA9Aby\n"
102 "sfUNHAsMxrex/EO0PrIPSrmSmc9sCiD8cCIeB6kL8c5iPPigoWW0uLA9zteDRFes\n"
103 "ez+Z8wBY6g8VQ0tFPURDooUg5011GZPDcuw7/PsI4+I2J9q6LHEp+6Oo4faSn/kl\n"
104 "yWYCLjM4FZdGXbOijDacQJiN6HcRv0UdodBrEVRf7YHJJmMCbCI7ZUGW2zef/+rO\n"
105 "e4Lkxh0MLYqCkNKH5ZfoGTC4Oeb0xKykswAanqgR60r+upaLU8PFuI2L9M3vc6KU\n"
106 "F6MgVGSxl6eylJgDYckvJiAbmcp2PD/LRQQOxQA0yqeAMg2cbdvclETuYD6zoFfu\n"
108 "-----END CERTIFICATE-----\n";
/* Test fixture: private key embedded in the unit-test source as an
 * unencrypted PEM "PRIVATE KEY" block (no passphrase). Because it ships with
 * the test suite it offers no confidentiality: it and the matching test
 * certificate must never be used outside the tests. Secret scanners will
 * flag this literal; allowlist this specific fixture rather than disabling
 * the rule. */
111 "-----BEGIN PRIVATE KEY-----\n"
112 "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC7xFoR6fmoyfsJ\n"
113 "IQDKKgbYgFw0MzVuDAmpRx6KTEihgTchkQx9fHddWbKiOUbcEnQi3LNux7P4QVl/\n"
114 "4dRR3skisBug6Vd5LXeBGZqmpu5XZiF4DgLz1lX21G0aOogFWkie2qGEcso40159\n"
115 "x9FBDl5A3sLP18ubeex0pd/BzDFv6SLOTyVWO/GCNc8IX/i0uN4mLvoVU00SeqwT\n"
116 "PnS+CRXrSq4JjGDJLsXl0/PlxkjsgU0yOOA0Z2d8Fzk3wClwP6Hc49BOMWKstUIh\n"
117 "LbG2DcIv8l29EuEj2w3ju/7gkewol96XQ2twpPvpoVAaiVh/m7hQUcQORQCD6eJc\n"
118 "DjOZVCArAgMBAAECggEACqkuWAAJ3cyCBVWrXs8eDmLTWV9i9DmYvtS75ixIn2rf\n"
119 "v3cl12YevN0f6FgKLuqZT3Vqdqq+DCVhuIIQ9QkKMH8BQpSdE9NCCsFyZ23o8Gtr\n"
120 "EQ7ymfecb+RFwYx7NpqWrvZI32VJGArgPZH/zorLTTGYrAZbmBtHEqRsXOuEDw97\n"
121 "slwwcWaa9ztaYC8/N/7fgsnydaCFSaOByRlWuyvSmHvn6ZwLv8ANOshY6fstC0Jb\n"
122 "BW0GpSe9eZPjpl71VT2RtpghqLV5+iAoFDHoT+eZvBospcUGtfcZSU7RrBjKB8+a\n"
123 "U1d6hwKhduVs2peIQzl+FiOSdWriLcsZv79q4sBhsQKBgQDUDVTf5BGJ8apOs/17\n"
124 "YVk+Ad8Ey8sXvsfk49psmlCRa8Z4g0LVXfrP94qzhtl8U5kE9hs3nEF4j/kX1ZWG\n"
125 "k11tdsNTZN5x5bbAgEgPA6Ap6J/uto0HS8G0vSv0lyBymdKA3p/i5Dx+8Nc9cGns\n"
126 "LGI9MvviLX7pQFIkvbaCkdKwYwKBgQDirowjWZnm7BgVhF0G1m3DY9nQTYYU185W\n"
127 "UESaO5/nVzwUrA+FypJamD+AvmlSuY8rJeQAGAS6nQr9G8/617r+GwJnzRtxC6Vl\n"
128 "4OF5BJRsD70oX4CFOOlycMoJ8tzcYVH7NI8KVocjxb+QW82hqSvEwSsvnwwn3eOW\n"
129 "nr5u5vIHmQKBgCuc3lL6Dl1ntdZgEIdau0cUjXDoFUo589TwxBDIID/4gaZxoMJP\n"
130 "hPFXAVDxMDPw4azyjSB/47tPKTUsuYcnMfT8kynIujOEwnSPLcLgxQU5kgM/ynuw\n"
131 "qhNpQOwaVRMc7f2RTCMXPBYDpNE/GJn5eu8JWGLpZovEreBeoHX0VffvAoGAVrWn\n"
132 "+3mxykhzaf+oyg3KDNysG+cbq+tlDVVE+K5oG0kePVYX1fjIBQmJ+QhdJ3y9jCbB\n"
133 "UVveqzeZVXqHEw/kgoD4aZZmsdZfnVnpRa5/y9o1ZDUr50n+2nzUe/u/ijlb77iK\n"
134 "Is04gnGJNoI3ZWhdyrSNfXjcYH+bKClu9OM4n7kCgYAorc3PAX7M0bsQrrqYxUS8\n"
135 "56UU0YdhAgYitjM7Fm/0iIm0vDpSevxL9js4HnnsSMVR77spCBAGOCCZrTcI3Ejg\n"
136 "xKDYzh1xlfMRjJBuBu5Pd55ZAv9NXFGpsX5SO8fDZQJMwpcbQH36+UdqRRFDpjJ0\n"
137 "ZbX6nKcJ7jciJVKJds59Jg==\n"
138 "-----END PRIVATE KEY-----\n";
149 assert_non_null(ret);
170 if (certfd < 0 || keyfd < 0)
172 fail_msg(
"make tmpfile for certificate or key data failed (error = %d)", errno);
204 #ifdef ENABLE_CRYPTO_OPENSSL
205 cert = SSL_CTX_get0_certificate(
ctx.ctx);
206 #elif defined(ENABLE_CRYPTO_MBEDTLS)
207 cert =
ctx.crt_chain;
248 #if !defined(HAVE_OPENSSL_STORE)
261 const char *lead =
"";
352 memcpy(buf_p,
BPTR(&src),
BLEN(&src));
364 assert_int_equal(buf.
len, src.
len);
365 assert_memory_equal(
BPTR(&src),
BPTR(&buf), i);
398 memcpy(buf_p,
BPTR(&src),
BLEN(&src));
407 assert_int_equal(buf.
len, src.
len);
427 int expected_epoch = epoch ? 4 : 0;
438 if (epoch && !chachapoly)
469 struct key2 *statickey)
525 bool ischacha = !strcmp(cipher,
"ChaCha20-Poly1305");
536 bool ischacha = !strcmp(cipher,
"ChaCha20-Poly1305");
/* Fixed, printable 32-byte pattern used as the seed for the test key below.
 * It is a constant in the source, so it is test input, not secret material. */
639 const uint8_t
key[] =
640 {
'a',
'b',
'c',
'd',
'e',
'f',
'g',
'h',
'0',
'1',
'2',
'3',
'4',
'5',
'6',
'7',
'A',
'B',
'C',
'D',
'E',
'F',
641 'G',
'H',
'j',
'k',
'u',
'c',
'h',
'e',
'n',
'l'};
/* Derive each output byte as pattern[i mod 32] XOR i, for sizeof(key2.keys)
 * bytes. The result is fully deterministic, which fixed expected-output
 * checks need; it has no randomness and must not be treated as a real key.
 * NOTE(review): presumably keydata points at key2.keys - the assignment is
 * not visible in this listing. `i` is an int compared against a size_t from
 * sizeof, which -Wsign-compare will report; harmless for this small size. */
649 for (
int i = 0; i <
sizeof(
key2.
keys); i++)
651 keydata[i] = (uint8_t) (
key[i %
sizeof(
key)] ^ i);
692 const char *plaintext =
"The quick little fox jumps over the bureaucratic hurdles";
700 memcpy(buf_p,
BPTR(&src),
BLEN(&src));
715 uint8_t *ad_start =
BPTR(&buf);
720 uint8_t packetid1[8] = {0, 0x04, 0, 0, 0, 0, 0, 1};
721 assert_memory_equal(
BPTR(&buf), packetid1, 8);
725 uint8_t packetid1[4] = {0, 0, 0, 1};
726 assert_memory_equal(
BPTR(&buf), packetid1, 4);
732 const uint8_t exp_tag_epoch[16] =
733 {0x0f, 0xff, 0xf5, 0x91, 0x3d, 0x39, 0xd7, 0x5b,
734 0x18, 0x57, 0x3b, 0x57, 0x48, 0x58, 0x9a, 0x7d};
740 uint8_t *tag_location =
BPTR(&buf) + 4;
741 const uint8_t exp_tag_noepoch[16] =
742 {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f};
749 const uint8_t bytesat14[6] = {0x36, 0xaa, 0xb4, 0xd4, 0x9c, 0xe6};
750 assert_memory_equal(
BPTR(&buf) + 14, bytesat14,
sizeof(bytesat14));
754 const uint8_t bytesat30[6] = {0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9};
755 assert_memory_equal(
BPTR(&buf) + 30, bytesat30,
sizeof(bytesat30));
762 assert_int_equal(buf.
len, strlen(plaintext));
763 assert_memory_equal(
BPTR(&buf), plaintext, strlen(plaintext));
787 const struct CMUnitTest tests[] = {
807 #if defined(ENABLE_CRYPTO_OPENSSL)
811 int ret = cmocka_run_group_tests_name(
"ssl tests", tests,
init,
cleanup);
813 #if defined(ENABLE_CRYPTO_OPENSSL)
struct buffer buffer_read_from_file(const char *filename, struct gc_arena *gc)
buffer_read_from_file - copy the content of a file into a buffer
void free_epoch_key_ctx(struct crypto_options *co)
Frees the extra data structures used by epoch keys in crypto_options.
#define CC_BACKSLASH
backslash
void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, bool cert_file_inline)
Load certificate file into the given TLS context.
static bool cipher_valid(const char *ciphername)
Returns whether the cipher is valid, based on the given cipher name.
int n
The number of key objects stored in the key2.keys array.
void epoch_init_key_ctx(struct crypto_options *co, const struct key_type *key_type, const struct epoch_key *e1_send, const struct epoch_key *e1_recv, uint16_t future_key_count)
Initialises data channel keys and internal structures for epoch data keys using the provided E0 epoch...
static struct key2 create_key(void)
#define KEY_DIRECTION_BIDIRECTIONAL
static struct gc_arena gc_new(void)
void epoch_iterate_send_key(struct crypto_options *co)
Updates the send key and send_epoch_key in crypto_options->key_ctx_bi to use the next epoch.
void tls_init_lib(void)
Perform any static initialisation necessary by the library.
#define RELIABLE_ACK_SIZE
The maximum number of packet IDs waiting to be acknowledged which can be stored in one reliable_ack s...
int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline)
Load private key file into the given TLS context.
int len
Length in bytes of the actual content within the allocated memory.
void packet_id_init(struct packet_id *p, int seq_backtrack, int time_backtrack, const char *name, int unit)
uint8_t epoch_key[SHA256_DIGEST_LENGTH]
static void check_aead_limits(struct crypto_options *co, bool chachapoly)
static void test_data_channel_roundtrip_aes_128_gcm_epoch(void **state)
static void test_data_channel_roundtrip_bf_cbc(void **state)
#define buf_init(buf, offset)
static struct @27 global_state
#define static_assert(expr, diagnostic)
static void test_data_channel_roundtrip_aes_128_gcm(void **state)
void tls_ctx_client_new(struct tls_root_ctx *ctx)
Initialises a library-specific TLS context for a client.
int capacity
Size in bytes of memory allocated by malloc().
struct buffer alloc_buf_gc(size_t size, struct gc_arena *gc)
void throw_signal(const int signum)
Throw a hard signal.
#define CO_EPOCH_DATA_KEY_FORMAT
Bit-flag indicating the epoch data format.
int tailroom
the tailroom in the buffer.
static bool aead_usage_limit_reached(const uint64_t limit, const struct key_ctx *key_ctx, int64_t higest_pid)
Checks if the usage limit for an AEAD cipher is reached.
struct key_ctx encrypt
Cipher and/or HMAC contexts for sending direction.
void tls_free_lib(void)
Free any global SSL library-specific data structures.
static struct buffer clear_buf(void)
Return an empty struct buffer.
static void run_data_channel_with_cipher_epoch(const char *cipher)
uint8_t hmac[MAX_HMAC_KEY_LENGTH]
Key material for HMAC operations.
Packet geometry parameters.
static struct crypto_options init_crypto_options(const char *cipher, const char *auth, bool epoch, struct key2 *statickey)
result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename)
static void crypto_pem_encode_certificate(void **state)
static const char * get_tmp_dir(void)
static void test_data_channel_roundtrip_aes_256_gcm_epoch(void **state)
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name)
Container for unidirectional cipher and HMAC key material.
static void test_data_channel_known_vectors_epoch(void **state)
static void test_data_channel_roundtrip_aes_192_gcm(void **state)
void free_key_ctx_bi(struct key_ctx_bi *ctx)
uint16_t epoch
OpenVPN data channel epoch, this variable holds the epoch number this key belongs to.
static bool buf_advance(struct buffer *buf, int size)
#define OPENVPN_AEAD_TAG_LENGTH
static bool buf_write_u8(struct buffer *dest, uint8_t data)
int payload_size
the maximum size of a payload that our buffers can hold from either the tun device or the network link.
static char * auth_challenge
static void update_time(void)
static void test_data_channel_roundtrip_aes_256_cbc(void **state)
static void test_load_certificate_and_key(void **state)
bool string_mod(char *str, const unsigned int inclusive, const unsigned int exclusive, const char replace)
Modifies a string in place by replacing certain classes of characters of it with a specified characte...
void openvpn_encrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt)
Encrypt and HMAC sign a packet so that it can be sent as a data channel VPN tunnel packet to a remote...
static void test_data_channel_roundtrip_chacha20_poly1305(void **state)
struct signal_info siginfo_static
static int cleanup(void **state)
static void test_data_channel_roundtrip_chacha20_poly1305_epoch(void **state)
void tls_ctx_free(struct tls_root_ctx *ctx)
Frees the library-specific TLSv1 context.
#define PACKET_ID_EPOCH_MAX
static void test_data_channel_roundtrip_aes_192_gcm_epoch(void **state)
void purge_user_pass(struct user_pass *up, bool force)
bool openvpn_decrypt(struct buffer *buf, struct buffer work, struct crypto_options *opt, const struct frame *frame, const uint8_t *ad_start)
HMAC verify and decrypt a data channel packet received from a remote OpenVPN peer.
Wrapper structure for dynamically allocated memory.
static void test_data_channel_roundtrip_aes_256_gcm(void **state)
int rand_bytes(uint8_t *output, int len)
Wrapper for secure random number generator.
static bool buf_write(struct buffer *dest, const void *src, size_t size)
const char * strerror_win32(DWORD errnum, struct gc_arena *gc)
#define CC_ANY
any character
static int init(void **state)
static struct key_type create_kt(const char *cipher, const char *md, const char *optname)
Creates and validates an instance of struct key_type with the provided algs.
static void encrypt_one_packet(struct crypto_options *co, int len)
Garbage collection arena used to keep track of dynamically allocated memory.
const char * cipher
const name of the cipher
static void init_frame_parameters(struct frame *frame)
static void do_data_channel_round_trip(struct crypto_options *co)
static void openvpn_unit_test_setup(void)
Sets up the environment for unit tests like making both stderr and stdout non-buffered to avoid messa...
uint64_t plaintext_blocks
Counter for the number of plaintext blocks encrypted using this cipher with the current key in number ...
static const char *const unittest_key
static const char *const unittest_cert
static void test_data_channel_known_vectors_run(bool epoch)
static void test_data_channel_known_vectors_shortpktid(void **state)
Structure that wraps the TLS context.
struct packet_id_send send
static void gc_free(struct gc_arena *a)
const char * win_get_tempdir(void)
uint8_t cipher[MAX_CIPHER_KEY_LENGTH]
Key material for cipher operations.
struct key_ctx_bi key_ctx_bi
OpenSSL cipher and HMAC contexts for both sending and receiving directions.
static uint8_t * buf_write_alloc(struct buffer *buf, size_t size)
static void run_data_channel_with_cipher(const char *cipher, const char *auth)
static void test_data_channel_roundtrip_aes_128_cbc(void **state)
static void test_data_channel_roundtrip_aes_192_cbc(void **state)
Container for bidirectional cipher and HMAC key material.
static void test_load_certificate_and_key_uri(void **state)
struct packet_id packet_id
Current packet ID state for both sending and receiving directions.
unsigned int flags
Bit-flags determining behavior of security operation functions.
struct key keys[2]
Two unidirectional sets of key material.
void packet_id_free(struct packet_id *p)
static void uninit_crypto_options(struct crypto_options *co)
int tun_mtu
the (user) configured tun-mtu.
bool buf_printf(struct buffer *buf, const char *format,...)
bool get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, const unsigned int flags, const char *auth_challenge)
Retrieves the user credentials from various sources depending on the flags.
int headroom
the headroom in the buffer; this is chosen to allow all potential headers to be added before the pack...
Security parameter state for processing data channel packets.