summaryrefslogtreecommitdiff
path: root/src/openvpn/crypto.h
diff options
context:
space:
mode:
authorBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
committerBernhard Schmidt <berni@debian.org>2020-09-01 16:52:17 +0200
commit9fc3b98112217f2d92a67977dbde0987cc7a1803 (patch)
tree29fcc8654ee65d9dd89ade797bea2f3d9dfd9cfd /src/openvpn/crypto.h
parenta8758c0e03eed188dcb9da0e4fd781a67c25bf1e (diff)
parent69b02b1f7fd609d84ace13ab04697158de2418a9 (diff)
Merge branch 'debian/experimental-2.5'
Diffstat (limited to 'src/openvpn/crypto.h')
-rw-r--r--src/openvpn/crypto.h102
1 files changed, 66 insertions, 36 deletions
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 185bfd3..999f643 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -38,8 +38,7 @@
* - \b HMAC, covering the ciphertext IV + ciphertext. The HMAC size depends
* on the \c \-\-auth option. If \c \-\-auth \c none is specified, there is no
* HMAC at all.
- * - \b Ciphertext \b IV, if not disabled by \c \-\-no-iv. The IV size depends on
- * the \c \-\-cipher option.
+ * - \b Ciphertext \b IV. The IV size depends on the \c \-\-cipher option.
* - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay
* protection (if not disabled by \c \-\-no-replay).
* - \b Timestamp, a 32-bit timestamp of the current time.
@@ -123,8 +122,6 @@
#ifndef CRYPTO_H
#define CRYPTO_H
-#ifdef ENABLE_CRYPTO
-
#include "crypto_backend.h"
#include "basic.h"
#include "buffer.h"
@@ -248,17 +245,13 @@ struct crypto_options
#define CO_PACKET_ID_LONG_FORM (1<<0)
/**< Bit-flag indicating whether to use
* OpenVPN's long packet ID format. */
-#define CO_USE_IV (1<<1)
- /**< Bit-flag indicating whether to
- * generate a pseudo-random IV for each
- * packet being encrypted. */
-#define CO_IGNORE_PACKET_ID (1<<2)
+#define CO_IGNORE_PACKET_ID (1<<1)
/**< Bit-flag indicating whether to ignore
* the packet ID of a received packet.
* This flag is used during processing
* of the first packet received from a
* client. */
-#define CO_MUTE_REPLAY_WARNINGS (1<<3)
+#define CO_MUTE_REPLAY_WARNINGS (1<<2)
/**< Bit-flag indicating not to display
* replay warnings. */
unsigned int flags; /**< Bit-flags determining behavior of
@@ -278,16 +271,16 @@ struct crypto_options
#define RKF_INLINE (1<<1)
void read_key_file(struct key2 *key2, const char *file, const unsigned int flags);
+/**
+ * Write nkeys 1024-bits keys to file.
+ *
+ * @returns number of random bits written, or -1 on failure.
+ */
int write_key_file(const int nkeys, const char *filename);
-int read_passphrase_hash(const char *passphrase_file,
- const md_kt_t *digest,
- uint8_t *output,
- int len);
-
void generate_key_random(struct key *key, const struct key_type *kt);
-void check_replay_iv_consistency(const struct key_type *kt, bool packet_id, bool use_iv);
+void check_replay_consistency(const struct key_type *kt, bool packet_id);
bool check_key(struct key *key, const struct key_type *kt);
@@ -306,7 +299,7 @@ int read_key(struct key *key, const struct key_type *kt, struct buffer *buf);
* @param authname The name of the HMAC digest to use
* @param keysize The length of the cipher key to use, in bytes. Only valid
* for ciphers that support variable length keys.
- * @param tls_mode Specifies wether we are running in TLS mode, which allows
+ * @param tls_mode Specifies whether we are running in TLS mode, which allows
* more ciphers than static key mode.
* @param warn Print warnings when null cipher / auth is used.
*/
@@ -325,7 +318,7 @@ void free_key_ctx(struct key_ctx *ctx);
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
int key_direction, const struct key_type *kt,
- const char *name);
+ const char *name);
void free_key_ctx_bi(struct key_ctx_bi *ctx);
@@ -421,13 +414,46 @@ bool crypto_check_replay(struct crypto_options *opt,
/** Calculate crypto overhead and adjust frame to account for that */
void crypto_adjust_frame_parameters(struct frame *frame,
const struct key_type *kt,
- bool use_iv,
bool packet_id,
bool packet_id_long_form);
/** Return the worst-case OpenVPN crypto overhead (in bytes) */
unsigned int crypto_max_overhead(void);
+/**
+ * Generate a server key with enough randomness to fill a key struct
+ * and write to file.
+ *
+ * @param filename Filename of the server key file to create.
+ * @param pem_name The name to use in the PEM header/footer.
+ */
+void
+write_pem_key_file(const char *filename, const char *key_name);
+
+/**
+ * Generate ephermal key material into the key structure
+ *
+ * @param key the key structure that will hold the key material
+ * @param pem_name the name used for logging
+ * @return true if key generation was successful
+ */
+bool
+generate_ephemeral_key(struct buffer *key, const char *pem_name);
+
+/**
+ * Read key material from a PEM encoded files into the key structure
+ * @param key the key structure that will hold the key material
+ * @param pem_name the name used in the pem encoding start/end lines
+ * @param key_file name of the file to read or the key itself if
+ * key_inline is true
+ * @param key_inline True if key_file contains an inline key, False
+ * otherwise.
+ * @return true if reading into key was successful
+ */
+bool
+read_pem_key_file(struct buffer *key, const char *pem_name,
+ const char *key_file, bool key_inline);
+
/* Minimum length of the nonce used by the PRNG */
#define NONCE_SECRET_LEN_MIN 16
@@ -465,6 +491,12 @@ void prng_bytes(uint8_t *output, int len);
void prng_uninit(void);
+/* an analogue to the random() function, but use prng_bytes */
+long int get_random(void);
+
+/** Print a cipher list entry */
+void print_cipher(const cipher_kt_t *cipher);
+
void test_crypto(struct crypto_options *co, struct frame *f);
@@ -487,8 +519,9 @@ void key2_print(const struct key2 *k,
const char *prefix1);
void crypto_read_openvpn_key(const struct key_type *key_type,
- struct key_ctx_bi *ctx, const char *key_file, const char *key_inline,
- const int key_direction, const char *key_name, const char *opt_name);
+ struct key_ctx_bi *ctx, const char *key_file,
+ bool key_inline, const int key_direction,
+ const char *key_name, const char *opt_name);
/*
* Inline functions
@@ -498,20 +531,7 @@ void crypto_read_openvpn_key(const struct key_type *key_type,
* As memcmp(), but constant-time.
* Returns 0 when data is equal, non-zero otherwise.
*/
-static inline int
-memcmp_constant_time(const void *a, const void *b, size_t size)
-{
- const uint8_t *a1 = a;
- const uint8_t *b1 = b;
- int ret = 0;
- size_t i;
-
- for (i = 0; i < size; i++) {
- ret |= *a1++ ^ *b1++;
- }
-
- return ret;
-}
+int memcmp_constant_time(const void *a, const void *b, size_t size);
static inline bool
key_ctx_bi_defined(const struct key_ctx_bi *key)
@@ -519,6 +539,16 @@ key_ctx_bi_defined(const struct key_ctx_bi *key)
return key->encrypt.cipher || key->encrypt.hmac || key->decrypt.cipher || key->decrypt.hmac;
}
+/**
+ * To be used when printing a string that may contain inline data.
+ *
+ * If "is_inline" is true, return the inline tag.
+ * If "is_inline" is false and "str" is not NULL, return "str".
+ * Return the constant string "[NULL]" otherwise.
+ *
+ * @param str the original string to return when is_inline is false
+ * @param is_inline true when str contains an inline data of some sort
+ */
+const char *print_key_filename(const char *str, bool is_inline);
-#endif /* ENABLE_CRYPTO */
#endif /* CRYPTO_H */