summaryrefslogtreecommitdiff
path: root/src/openvpn/crypto_mbedtls.h
blob: 019de01d17b3e06bdab9cb5fdaf209d1b9f0e305 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

/**
 * @file Data Channel Cryptography mbed TLS-specific backend interface
 */

#ifndef CRYPTO_MBEDTLS_H_
#define CRYPTO_MBEDTLS_H_

#include <mbedtls/cipher.h>
#include <mbedtls/md.h>
#include <mbedtls/ctr_drbg.h>

/** Generic cipher key type %context. */
typedef mbedtls_cipher_info_t cipher_kt_t;

/** Generic message digest key type %context. */
typedef mbedtls_md_info_t md_kt_t;

/** Generic cipher %context. */
typedef mbedtls_cipher_context_t cipher_ctx_t;

/** Generic message digest %context. */
typedef mbedtls_md_context_t md_ctx_t;

/** Generic HMAC %context. */
typedef mbedtls_md_context_t hmac_ctx_t;

/** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH   MBEDTLS_MAX_IV_LENGTH

/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC        MBEDTLS_MODE_CBC

/** Cipher is in OFB mode */
#define OPENVPN_MODE_OFB        MBEDTLS_MODE_OFB

/** Cipher is in CFB mode */
#define OPENVPN_MODE_CFB        MBEDTLS_MODE_CFB

/** Cipher is in GCM mode */
#define OPENVPN_MODE_GCM        MBEDTLS_MODE_GCM

/** Cipher should encrypt */
#define OPENVPN_OP_ENCRYPT      MBEDTLS_ENCRYPT

/** Cipher should decrypt */
#define OPENVPN_OP_DECRYPT      MBEDTLS_DECRYPT

#define MD4_DIGEST_LENGTH       16
#define MD5_DIGEST_LENGTH       16
#define SHA_DIGEST_LENGTH       20
#define SHA256_DIGEST_LENGTH    32
#define DES_KEY_LENGTH 8

/**
 * Returns a singleton instance of the mbed TLS random number generator.
 *
 * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it
 * hasn't been initialised yet, the RNG will be initialised using the default
 * entropy sources. Aside from the default platform entropy sources, an
 * additional entropy source, the HAVEGE random number generator will also be
 * added. During initialisation, a personalisation string will be added based
 * on the time, the PID, and a pointer to the random context.
 */
mbedtls_ctr_drbg_context *rand_ctx_get(void);

#ifdef ENABLE_PREDICTION_RESISTANCE
/**
 * Enable prediction resistance on the random number generator.
 */
void rand_ctx_enable_prediction_resistance(void);

#endif

/**
 * Log the supplied mbed TLS error, prefixed by supplied prefix.
 *
 * @param flags         Flags to indicate error type and priority.
 * @param errval        mbed TLS error code to convert to error message.
 * @param prefix        Prefix to mbed TLS error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_err(unsigned int flags, int errval, const char *prefix);

/**
 * Log the supplied mbed TLS error, prefixed by function name and line number.
 *
 * @param flags         Flags to indicate error type and priority.
 * @param errval        mbed TLS error code to convert to error message.
 * @param func          Function name where error was reported.
 * @param line          Line number where error was reported.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
                        int line);

/** Wraps mbed_log_func_line() to prevent function calls for non-errors */
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval,
                        const char *func, int line)
{
    if (errval)
    {
        return mbed_log_func_line(flags, errval, func, line);
    }
    return true;
}

/**
 * Check errval and log on error.
 *
 * Convenience wrapper to put around mbed TLS library calls, e.g.
 *   if (!mbed_ok (mbedtls_ssl_func())) return 0;
 * or
 *   ASSERT (mbed_ok (mbedtls_ssl_func()));
 *
 * @param errval        mbed TLS error code to convert to error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
#define mbed_ok(errval) \
    mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)

static inline bool
cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
    return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
}

#endif /* CRYPTO_MBEDTLS_H_ */