#include "syshead.h"#include "argv.h"#include "base64.h"#include "crypto.h"#include "platform.h"#include "run_command.h"#include "session_id.h"#include "ssl.h"#include "tls_crypt.h"
Go to the source code of this file.
Functions | |
| static struct key_type | tls_crypt_kt (void) |
| int | tls_crypt_buf_overhead (void) |
| Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap(). More... | |
| void | tls_crypt_init_key (struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server) |
| Initialize a key_ctx_bi structure for use with –tls-crypt. More... | |
| static void | xor_key2 (struct key2 *key, const struct key2 *other) |
| Will produce key = key XOR other. More... | |
| bool | tls_session_generate_dynamic_tls_crypt_key (struct tls_multi *multi, struct tls_session *session) |
| Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function. More... | |
| bool | tls_crypt_wrap (const struct buffer *src, struct buffer *dst, struct crypto_options *opt) |
| Wrap a control channel packet (both authenticates and encrypts the data). More... | |
| bool | tls_crypt_unwrap (const struct buffer *src, struct buffer *dst, struct crypto_options *opt) |
| Unwrap a control channel packet (decrypts, authenticates and performs replay checks). More... | |
| static void | tls_crypt_v2_load_client_key (struct key_ctx_bi *key, const struct key2 *key2, bool tls_server) |
| void | tls_crypt_v2_init_client_key (struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wkc_buf, const char *key_file, bool key_inline) |
| Initialize a tls-crypt-v2 client key. More... | |
| void | tls_crypt_v2_init_server_key (struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline) |
| Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys). More... | |
| static bool | tls_crypt_v2_wrap_client_key (struct buffer *wkc, const struct key2 *src_key, const struct buffer *src_metadata, struct key_ctx *server_key, struct gc_arena *gc) |
| static bool | tls_crypt_v2_unwrap_client_key (struct key2 *client_key, struct buffer *metadata, struct buffer wrapped_client_key, struct key_ctx *server_key) |
| static bool | tls_crypt_v2_verify_metadata (const struct tls_wrap_ctx *ctx, const struct tls_options *opt) |
| bool | tls_crypt_v2_extract_client_key (struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt) |
| Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key into the supplied tls wrap context. More... | |
| void | tls_crypt_v2_write_server_key_file (const char *filename) |
| Generate a tls-crypt-v2 server key, and write to file. More... | |
| void | tls_crypt_v2_write_client_key_file (const char *filename, const char *b64_metadata, const char *server_key_file, bool server_key_inline) |
| Generate a tls-crypt-v2 client key, and write to file. More... | |
Variables | |
| const char * | tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key" |
| const char * | tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key" |
| static const uint8_t | TLS_CRYPT_METADATA_TYPE_USER = 0x00 |
| Metadata contains user-specified data. More... | |
| static const uint8_t | TLS_CRYPT_METADATA_TYPE_TIMESTAMP = 0x01 |
| Metadata contains a 64-bit unix timestamp in network byte order. More... | |
Function Documentation
◆ tls_crypt_kt()
|
static |
Definition at line 49 of file tls_crypt.c.
References create_kt().
Referenced by init_tas_auth(), test_tls_crypt_setup(), test_tls_crypt_v2_setup(), tls_crypt_init_key(), tls_crypt_v2_init_server_key(), tls_crypt_v2_load_client_key(), tls_crypt_v2_wrap_unwrap_wrong_key(), and tls_session_generate_dynamic_tls_crypt_key().
◆ tls_crypt_v2_load_client_key()
|
inlinestatic |
Definition at line 321 of file tls_crypt.c.
References key_type::cipher, key_type::digest, init_key_ctx_bi(), KEY_DIRECTION_INVERSE, KEY_DIRECTION_NORMAL, M_FATAL, msg, and tls_crypt_kt().
Referenced by tls_crypt_v2_extract_client_key(), and tls_crypt_v2_init_client_key().
◆ tls_crypt_v2_unwrap_client_key()
|
static |
Definition at line 442 of file tls_crypt.c.
References ASSERT, BEND, BLEN, BPTR, buf_advance(), buf_clear(), buf_copy(), buf_inc_len(), buf_len(), buf_set_write(), key_ctx::cipher, cipher_ctx_final(), cipher_ctx_reset(), cipher_ctx_update(), CRYPT_ERROR, D_CRYPTO_DEBUG, D_TLS_DEBUG_LOW, D_TLS_DEBUG_MED, dmsg, format_hex(), gc_free(), gc_new(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_update(), key2::keys, memcmp_constant_time(), msg, key2::n, secure_memzero(), TLS_CRYPT_TAG_SIZE, and TLS_CRYPT_V2_MAX_WKC_LEN.
Referenced by tls_crypt_v2_extract_client_key(), tls_crypt_v2_wrap_unwrap_dst_too_small(), tls_crypt_v2_wrap_unwrap_max_metadata(), tls_crypt_v2_wrap_unwrap_no_metadata(), tls_crypt_v2_wrap_unwrap_wrong_key(), and tls_crypt_v2_write_client_key_file().
◆ tls_crypt_v2_verify_metadata()
|
static |
Definition at line 554 of file tls_crypt.c.
References argv_free(), argv_msg_prefix(), argv_new(), argv_parse_cmd(), buf_read_u8(), buffer_write_file(), cleanup(), D_HANDSHAKE, D_TLS_DEBUG, env_set_create(), env_set_destroy(), es, argv::gc, gc_free(), gc_new(), M_WARN, msg, openvpn_run_script(), openvpn_snprintf(), platform_create_temp_file(), platform_unlink(), setenv_str(), tls_wrap_ctx::tls_crypt_v2_metadata, tls_options::tls_crypt_v2_verify_script, and tls_options::tmp_dir.
Referenced by tls_crypt_v2_extract_client_key().
◆ tls_crypt_v2_wrap_client_key()
|
static |
Definition at line 385 of file tls_crypt.c.
References alloc_buf_gc(), ASSERT, BEND, BLEN, BPTR, buf_copy(), buf_forward_capacity(), buf_inc_len(), buf_write(), buf_write_alloc(), key_ctx::cipher, cipher_ctx_block_size(), cipher_ctx_final(), cipher_ctx_reset(), cipher_ctx_update(), D_CRYPTO_DEBUG, dmsg, format_hex(), key_ctx::hmac, hmac_ctx_final(), hmac_ctx_reset(), hmac_ctx_update(), key2::keys, M_WARN, msg, TLS_CRYPT_TAG_SIZE, TLS_CRYPT_V2_MAX_WKC_LEN, and TLS_CRYPT_V2_TAG_SIZE.
Referenced by tls_crypt_v2_wrap_too_long_metadata(), tls_crypt_v2_wrap_unwrap_dst_too_small(), tls_crypt_v2_wrap_unwrap_max_metadata(), tls_crypt_v2_wrap_unwrap_no_metadata(), tls_crypt_v2_wrap_unwrap_wrong_key(), and tls_crypt_v2_write_client_key_file().
◆ xor_key2()
Will produce key = key XOR other.
Definition at line 79 of file tls_crypt.c.
References ASSERT, key::cipher, key::hmac, key2::keys, MAX_CIPHER_KEY_LENGTH, MAX_HMAC_KEY_LENGTH, and key2::n.
Referenced by tls_session_generate_dynamic_tls_crypt_key().
Variable Documentation
◆ TLS_CRYPT_METADATA_TYPE_TIMESTAMP
|
static |
Metadata contains a 64-bit unix timestamp in network byte order.
Definition at line 46 of file tls_crypt.c.
Referenced by tls_crypt_v2_write_client_key_file().
◆ TLS_CRYPT_METADATA_TYPE_USER
|
static |
Metadata contains user-specified data.
Definition at line 44 of file tls_crypt.c.
Referenced by tls_crypt_v2_write_client_key_file().
◆ tls_crypt_v2_cli_pem_name
| const char* tls_crypt_v2_cli_pem_name = "OpenVPN tls-crypt-v2 client key" |
Definition at line 40 of file tls_crypt.c.
Referenced by tls_crypt_v2_init_client_key(), and tls_crypt_v2_write_client_key_file().
◆ tls_crypt_v2_srv_pem_name
| const char* tls_crypt_v2_srv_pem_name = "OpenVPN tls-crypt-v2 server key" |
Definition at line 41 of file tls_crypt.c.
Referenced by tls_crypt_v2_init_server_key(), and tls_crypt_v2_write_server_key_file().
