forked from OpenVPN/openvpn3
-
Notifications
You must be signed in to change notification settings - Fork 0
/
crypto_aead.hpp
350 lines (295 loc) · 8.95 KB
/
crypto_aead.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Technologies, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// OpenVPN AEAD data channel interface
#ifndef OPENVPN_CRYPTO_CRYPTO_AEAD_H
#define OPENVPN_CRYPTO_CRYPTO_AEAD_H
#include <cstring> // for std::memcpy, std::memset
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/packet_id.hpp>
#include <openvpn/log/sessionstats.hpp>
#include <openvpn/crypto/cryptodc.hpp>
// Sample AES-GCM head:
// 48000001 00000005 7e7046bd 444a7e28 cc6387b1 64a4d6c1 380275a...
// [ OP32 ] [seq # ] [ auth tag ] [ payload ... ]
// [4-byte
// IV head]
namespace openvpn {
namespace AEAD {
OPENVPN_EXCEPTION(aead_error);
template <typename CRYPTO_API>
class Crypto : public CryptoDCInstance
{
class Nonce {
public:
Nonce()
{
static_assert(4 + CRYPTO_API::CipherContextGCM::IV_LEN == sizeof(data),
"AEAD IV_LEN inconsistency");
ad_op32 = false;
std::memset(data, 0, sizeof(data));
}
// setup
void set_tail(const StaticKey& sk)
{
if (sk.size() < 8)
throw aead_error("insufficient key material for nonce tail");
std::memcpy(data + 8, sk.data(), 8);
}
// for encrypt
Nonce(const Nonce& ref, PacketIDSend& pid_send, const PacketID::time_t now,
const unsigned char *op32)
{
std::memcpy(data, ref.data, sizeof(data));
Buffer buf(data + 4, 4, false);
pid_send.write_next(buf, false, now);
if (op32)
{
ad_op32 = true;
std::memcpy(data, op32, 4);
}
else
ad_op32 = false;
}
// for encrypt
void prepend_ad(Buffer& buf) const
{
buf.prepend(data + 4, 4);
}
// for decrypt
Nonce(const Nonce& ref, Buffer& buf, const unsigned char *op32)
{
std::memcpy(data, ref.data, sizeof(data));
buf.read(data + 4, 4);
if (op32)
{
ad_op32 = true;
std::memcpy(data, op32, 4);
}
else
ad_op32 = false;
}
// for decrypt
bool verify_packet_id(PacketIDReceive& pid_recv, const PacketID::time_t now)
{
Buffer buf(data + 4, 4, true);
const PacketID pid = pid_recv.read_next(buf);
return pid_recv.test_add(pid, now, true); // verify packet ID
}
const unsigned char *iv() const
{
return data + 4;
}
const unsigned char *ad() const
{
return ad_op32 ? data : data + 4;
}
const size_t ad_len() const
{
return ad_op32 ? 8 : 4;
}
private:
bool ad_op32; // true if AD includes op32 opcode
// Sample data:
// [ OP32 (optional) ] [ pkt ID ] [ nonce tail ]
// [ 48 00 00 01 ] [ 00 00 00 05 ] [ 7f 45 64 db 33 5b 6c 29 ]
unsigned char data[16];
};
struct Encrypt {
typename CRYPTO_API::CipherContextGCM impl;
Nonce nonce;
PacketIDSend pid_send;
BufferAllocated work;
};
struct Decrypt {
typename CRYPTO_API::CipherContextGCM impl;
Nonce nonce;
PacketIDReceive pid_recv;
BufferAllocated work;
};
public:
typedef CryptoDCInstance Base;
Crypto(const CryptoAlgs::Type cipher_arg,
const Frame::Ptr& frame_arg,
const SessionStats::Ptr& stats_arg)
: cipher(cipher_arg),
frame(frame_arg),
stats(stats_arg)
{
}
// Encrypt/Decrypt
// returns true if packet ID is close to wrapping
virtual bool encrypt(BufferAllocated& buf, const PacketID::time_t now, const unsigned char *op32)
{
// only process non-null packets
if (buf.size())
{
// build nonce/IV/AD
Nonce nonce(e.nonce, e.pid_send, now, op32);
if (CRYPTO_API::CipherContextGCM::SUPPORTS_IN_PLACE_ENCRYPT)
{
unsigned char *data = buf.data();
const size_t size = buf.size();
// alloc auth tag in buffer
unsigned char *auth_tag = buf.prepend_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
// encrypt in-place
e.impl.encrypt(data, data, size, nonce.iv(), auth_tag, nonce.ad(), nonce.ad_len());
}
else
{
// encrypt to work buf
frame->prepare(Frame::ENCRYPT_WORK, e.work);
if (e.work.max_size() < buf.size())
throw aead_error("encrypt work buffer too small");
// alloc auth tag in buffer
unsigned char *auth_tag = e.work.prepend_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
// prepare output buffer
unsigned char *work_data = e.work.write_alloc(buf.size());
// encrypt
e.impl.encrypt(buf.data(), work_data, buf.size(), nonce.iv(), auth_tag, nonce.ad(), nonce.ad_len());
buf.swap(e.work);
}
// prepend additional data
nonce.prepend_ad(buf);
}
return e.pid_send.wrap_warning();
}
virtual Error::Type decrypt(BufferAllocated& buf, const PacketID::time_t now, const unsigned char *op32)
{
// only process non-null packets
if (buf.size())
{
// get nonce/IV/AD
Nonce nonce(d.nonce, buf, op32);
// get auth tag
unsigned char *auth_tag = buf.read_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
// initialize work buffer
frame->prepare(Frame::DECRYPT_WORK, d.work);
if (d.work.max_size() < buf.size())
throw aead_error("decrypt work buffer too small");
// decrypt from buf -> work
if (!d.impl.decrypt(buf.c_data(), d.work.data(), buf.size(), nonce.iv(), auth_tag,
nonce.ad(), nonce.ad_len()))
{
buf.reset_size();
return Error::DECRYPT_ERROR;
}
d.work.set_size(buf.size());
// verify packet ID
if (!nonce.verify_packet_id(d.pid_recv, now))
{
buf.reset_size();
return Error::REPLAY_ERROR;
}
// return cleartext result in buf
buf.swap(d.work);
}
return Error::SUCCESS;
}
// Initialization
virtual void init_cipher(StaticKey&& encrypt_key,
StaticKey&& decrypt_key)
{
e.impl.init(cipher, encrypt_key.data(), encrypt_key.size(), CRYPTO_API::CipherContextGCM::ENCRYPT);
d.impl.init(cipher, decrypt_key.data(), decrypt_key.size(), CRYPTO_API::CipherContextGCM::DECRYPT);
}
virtual void init_hmac(StaticKey&& encrypt_key,
StaticKey&& decrypt_key)
{
e.nonce.set_tail(encrypt_key);
d.nonce.set_tail(decrypt_key);
}
virtual void init_pid(const int send_form,
const int recv_mode,
const int recv_form,
const char *recv_name,
const int recv_unit,
const SessionStats::Ptr& recv_stats_arg)
{
e.pid_send.init(send_form);
d.pid_recv.init(recv_mode, recv_form, recv_name, recv_unit, recv_stats_arg);
}
// Indicate whether or not cipher/digest is defined
virtual unsigned int defined() const
{
unsigned int ret = CRYPTO_DEFINED;
// AEAD mode doesn't use HMAC, but we still indicate HMAC_DEFINED
// because we want to use the HMAC keying material for the AEAD nonce tail.
if (CryptoAlgs::defined(cipher))
ret |= (CIPHER_DEFINED|HMAC_DEFINED);
return ret;
}
virtual bool consider_compression(const CompressContext& comp_ctx)
{
return true;
}
// Rekeying
virtual void rekey(const typename Base::RekeyType type)
{
}
private:
CryptoAlgs::Type cipher;
Frame::Ptr frame;
SessionStats::Ptr stats;
Encrypt e;
Decrypt d;
};
template <typename CRYPTO_API>
class CryptoContext : public CryptoDCContext
{
public:
typedef RCPtr<CryptoContext> Ptr;
CryptoContext(const CryptoAlgs::Type cipher_arg,
const Frame::Ptr& frame_arg,
const SessionStats::Ptr& stats_arg)
: cipher(CryptoAlgs::legal_dc_cipher(cipher_arg)),
frame(frame_arg),
stats(stats_arg)
{
}
virtual CryptoDCInstance::Ptr new_obj(const unsigned int key_id)
{
return new Crypto<CRYPTO_API>(cipher, frame, stats);
}
// cipher/HMAC/key info
virtual Info crypto_info()
{
Info ret;
ret.cipher_alg = cipher;
ret.hmac_alg = CryptoAlgs::NONE;
return ret;
}
// Info for ProtoContext::link_mtu_adjust
virtual size_t encap_overhead() const
{
return CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN;
}
private:
CryptoAlgs::Type cipher;
Frame::Ptr frame;
SessionStats::Ptr stats;
};
}
}
#endif