OpenVPN
tls_crypt.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
80 #ifndef TLSCRYPT_H
81 #define TLSCRYPT_H
82 
83 #include "base64.h"
84 #include "buffer.h"
85 #include "crypto.h"
86 #include "session_id.h"
87 #include "ssl_common.h"
88 
89 #define TLS_CRYPT_TAG_SIZE (256/8)
90 #define TLS_CRYPT_PID_SIZE (sizeof(packet_id_type) + sizeof(net_time_t))
91 #define TLS_CRYPT_BLOCK_SIZE (128/8)
92 
93 #define TLS_CRYPT_OFF_PID (1 + SID_SIZE)
94 #define TLS_CRYPT_OFF_TAG (TLS_CRYPT_OFF_PID + TLS_CRYPT_PID_SIZE)
95 #define TLS_CRYPT_OFF_CT (TLS_CRYPT_OFF_TAG + TLS_CRYPT_TAG_SIZE)
96 
97 #define TLS_CRYPT_V2_MAX_WKC_LEN (1024)
98 #define TLS_CRYPT_V2_CLIENT_KEY_LEN (2048 / 8)
99 #define TLS_CRYPT_V2_SERVER_KEY_LEN (sizeof(struct key))
100 #define TLS_CRYPT_V2_TAG_SIZE (TLS_CRYPT_TAG_SIZE)
101 #define TLS_CRYPT_V2_MAX_METADATA_LEN (unsigned)(TLS_CRYPT_V2_MAX_WKC_LEN \
102  - (TLS_CRYPT_V2_CLIENT_KEY_LEN + TLS_CRYPT_V2_TAG_SIZE \
103  + sizeof(uint16_t)))
104 
116 void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata,
117  const char *key_file, bool key_inline, bool tls_server);
118 
129 bool
131  struct tls_session *session);
132 
137 int tls_crypt_buf_overhead(void);
138 
150 bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
151  struct crypto_options *opt);
152 
164 bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
165  struct crypto_options *opt);
166 
179 void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt,
180  const char *key_file, bool key_inline);
181 
198  struct key2 *original_key,
199  struct buffer *wrapped_key_buf,
200  const char *key_file, bool key_inline);
201 
212 bool tls_crypt_v2_extract_client_key(struct buffer *buf,
213  struct tls_wrap_ctx *ctx,
214  const struct tls_options *opt);
215 
221 void tls_crypt_v2_write_server_key_file(const char *filename);
222 
233 void tls_crypt_v2_write_client_key_file(const char *filename,
234  const char *b64_metadata,
235  const char *key_file, bool key_inline);
236 
239 #endif /* TLSCRYPT_H */
tls_crypt_v2_init_server_key
void tls_crypt_v2_init_server_key(struct key_ctx *key_ctx, bool encrypt, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 server key (used to encrypt/decrypt client keys).
Definition: tls_crypt.c:362
tls_crypt_unwrap
bool tls_crypt_unwrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Unwrap a control channel packet (decrypts, authenticates and performs replay checks).
Definition: tls_crypt.c:222
tls_crypt_v2_init_client_key
void tls_crypt_v2_init_client_key(struct key_ctx_bi *key, struct key2 *original_key, struct buffer *wrapped_key_buf, const char *key_file, bool key_inline)
Initialize a tls-crypt-v2 client key.
Definition: tls_crypt.c:336
tls_crypt_v2_write_client_key_file
void tls_crypt_v2_write_client_key_file(const char *filename, const char *b64_metadata, const char *key_file, bool key_inline)
Generate a tls-crypt-v2 client key, and write to file.
Definition: tls_crypt.c:681
session_id.h
tls_crypt_buf_overhead
int tls_crypt_buf_overhead(void)
Returns the maximum overhead (in bytes) added to the destination buffer by tls_crypt_wrap().
Definition: tls_crypt.c:55
tls_multi
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:590
key
Container for unidirectional cipher and HMAC key material.
Definition: crypto.h:149
key_ctx_bi
Container for two sets of OpenSSL cipher and/or HMAC contexts for both sending and receiving directio...
Definition: crypto.h:217
tls_options
Definition: ssl_common.h:296
tls_wrap_ctx
Control channel wrapping (–tls-auth/–tls-crypt) context.
Definition: ssl_common.h:266
tls_crypt_wrap
bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, struct crypto_options *opt)
Wrap a control channel packet (both authenticates and encrypts the data).
Definition: tls_crypt.c:145
key_ctx
Container for one set of cipher and/or HMAC contexts.
Definition: crypto.h:162
crypto.h
base64.h
tls_crypt_init_key
void tls_crypt_init_key(struct key_ctx_bi *key, struct key2 *keydata, const char *key_file, bool key_inline, bool tls_server)
Initialize a key_ctx_bi structure for use with –tls-crypt.
Definition: tls_crypt.c:61
buffer
Wrapper structure for dynamically allocated memory.
Definition: buffer.h:60
tls_session
Security parameter state of a single session within a VPN tunnel.
Definition: ssl_common.h:471
buffer.h
tls_crypt_v2_extract_client_key
bool tls_crypt_v2_extract_client_key(struct buffer *buf, struct tls_wrap_ctx *ctx, const struct tls_options *opt)
Extract a tls-crypt-v2 client key from a P_CONTROL_HARD_RESET_CLIENT_V3 message, and load the key int...
Definition: tls_crypt.c:613
ssl_common.h
key2
Container for bidirectional cipher and HMAC key material.
Definition: crypto.h:179
session
Definition: keyingmaterialexporter.c:56
tls_session_generate_dynamic_tls_crypt_key
bool tls_session_generate_dynamic_tls_crypt_key(struct tls_multi *multi, struct tls_session *session)
Generates a TLS-Crypt key to be used with dynamic tls-crypt using the TLS EKM exporter function.
Definition: tls_crypt.c:98
crypto_options
Security parameter state for processing data channel packets.
Definition: crypto.h:230
tls_crypt_v2_write_server_key_file
void tls_crypt_v2_write_server_key_file(const char *filename)
Generate a tls-crypt-v2 server key, and write to file.
Definition: tls_crypt.c:675