-
Notifications
You must be signed in to change notification settings - Fork 408
/
Copy pathcrypto_aead_epoch.hpp
278 lines (221 loc) · 8.71 KB
/
crypto_aead_epoch.hpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012- OpenVPN Inc.
//
// SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception
//
// OpenVPN AEAD data channel interface
#ifndef OPENVPN_CRYPTO_CRYPTO_AEAD_EPOCH_H
#define OPENVPN_CRYPTO_CRYPTO_AEAD_EPOCH_H
#include <array>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/clamp_typerange.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/packet_id_data.hpp>
#include <openvpn/log/sessionstats.hpp>
#include <openvpn/crypto/cryptodc.hpp>
#include <openvpn/crypto/data_epoch.hpp>
namespace openvpn::AEADEpoch {
OPENVPN_EXCEPTION(aead_epoch_error);
template <typename CRYPTO_API>
class Crypto : public CryptoDCInstance
{
BufferAllocated work_encrypt;
BufferAllocated work_decrypt;
public:
Crypto(SSLLib::Ctx libctx_arg,
CryptoDCSettingsData dc_settings_data,
const Frame::Ptr &frame_arg,
const SessionStats::Ptr &stats_arg)
: dc_settings(dc_settings_data),
frame(frame_arg),
stats(stats_arg),
libctx(libctx_arg)
{
}
// Encrypt/Decrypt
// returns true if packet ID is close to wrapping
bool encrypt(BufferAllocated &buf, const unsigned char *op32) override
{
// only process non-null packets
if (buf.empty())
{
return false;
}
dce.check_send_iterate();
auto &encrypt_ctx = dce.encrypt();
/* header of the packet. op32 (opcode + peer-id) + 8 byte of epoch + epoch counter */
BufferAllocated pkt_header{4 + 8, 0};
pkt_header.write(op32, 4);
encrypt_ctx.pid.write_next(pkt_header);
std::array<uint8_t, EpochDataChannelCryptoContext::IV_SIZE> calculated_iv{};
encrypt_ctx.calculate_iv(pkt_header.data() + 4, calculated_iv);
// encrypt to work buf
frame->prepare(Frame::ENCRYPT_WORK, work_encrypt);
if (work_encrypt.max_size() < buf.size())
throw aead_epoch_error("encrypt work buffer too small");
unsigned char *work_data = work_encrypt.write_alloc(buf.size());
// alloc auth tag in buffer where it needs to be
uint8_t *auth_tag = work_encrypt.write_alloc(CRYPTO_API::CipherContextAEAD::AUTH_TAG_LEN);
// encrypt. Epoch data always uses full header for authenticated data
encrypt_ctx.cipher.encrypt(buf.data(), work_data, buf.size(), calculated_iv.data(), auth_tag, pkt_header.data(), pkt_header.size());
buf.swap(work_encrypt);
// prepend additional data from the pkt_header but without the opcode and peer-id (first 4 bytes)
buf.prepend(pkt_header.c_data() + 4, pkt_header.size() - 4);
return dce.should_renegotiate();
}
Error::Type decrypt(BufferAllocated &buf, const std::time_t now, const unsigned char *op32) override
{
// only process non-null packets but report empty packets as success
if (buf.empty())
{
return Error::SUCCESS;
}
if (buf.size() < PacketIDData::size(true))
{
/* Packet is too small to even have a packet id */
return Error::DECRYPT_ERROR;
}
// Reconstruct header since we don't get the continuous memory that we received from wire but already
// split into op32 and the rest of the packet.
BufferAllocated pkt_header{4 + 8, 0};
pkt_header.write(op32, 4);
auto *packet_id = pkt_header.write_alloc(8);
buf.read(packet_id, 8);
// Extract epoch from packet
ConstBuffer packet_id_buf{packet_id, 8, true};
PacketIDData pid{true};
pid.read(packet_id_buf);
auto *decrypt_ctx = dce.lookup_decrypt_key(pid.get_epoch());
if (!decrypt_ctx)
{
// failed to look up the epoch. Report error.
return Error::DECRYPT_ERROR;
}
// calculate IV from implicit IV and packet ID
std::array<uint8_t, EpochDataChannelCryptoContext::IV_SIZE> calculated_iv{};
decrypt_ctx->calculate_iv(packet_id, calculated_iv);
// initialize work buffer.
frame->prepare(Frame::DECRYPT_WORK, work_decrypt);
if (work_decrypt.max_size() < buf.size())
throw aead_epoch_error("decrypt work buffer too small");
// decrypt from buf -> work
if (!decrypt_ctx->cipher.decrypt(buf.c_data(), work_decrypt.data(), buf.size(), calculated_iv.data(), nullptr, pkt_header.data(), pkt_header.size()))
{
buf.reset_size();
return Error::DECRYPT_ERROR;
}
work_decrypt.set_size(buf.size() - CRYPTO_API::CipherContextAEAD::AUTH_TAG_LEN);
// verify packet ID
if (!decrypt_ctx->pid.test_add(pid, now, stats))
{
buf.reset_size();
return Error::REPLAY_ERROR;
}
// Check if the other side has moved its epoch send key further
// and we need to adjust our active recv key and generate new future keys
dce.replace_update_recv_key(decrypt_ctx->epoch, stats);
// return cleartext result in buf
buf.swap(work_decrypt);
return Error::SUCCESS;
}
// Initialization
void init_cipher(StaticKey &&encrypt_key, StaticKey &&decrypt_key) override
{
if (!dc_settings.useEpochKeys())
{
throw aead_epoch_error("AEAD Epoch requires epoch keys to be in use");
}
/* Initialise the epoch key management with the encrypt and decrypt key as epoch 1 keys */
dce = {dc_settings.cipher(), std::move(encrypt_key), std::move(decrypt_key), libctx};
}
void init_hmac(StaticKey &&encrypt_key,
StaticKey &&decrypt_key) override
{
/* Implicit IVs are derived in DataChannelEpoch class and AEAD does not use
* a separate HMAC, so this is just a dummy that does nothing.*/
}
void init_pid(const char *recv_name,
const int recv_unit,
const SessionStats::Ptr &recv_stats_arg) override
{
}
unsigned int defined() const override
{
unsigned int ret = CRYPTO_DEFINED;
if (CryptoAlgs::defined(dc_settings.cipher()))
ret |= CIPHER_DEFINED;
return ret;
}
bool consider_compression([[maybe_unused]] const CompressContext &comp_ctx) override
{
return true;
}
void rekey(const RekeyType type) override
{
}
// Force using a new epoch on send. Currently mainly used for unit testing
void increase_send_epoch()
{
dce.iterate_send_key();
}
private:
CryptoDCSettingsData dc_settings;
Frame::Ptr frame;
SessionStats::Ptr stats;
SSLLib::Ctx libctx;
DataChannelEpoch dce;
};
template <typename CRYPTO_API>
class CryptoContext : public CryptoDCContext
{
public:
typedef RCPtr<CryptoContext> Ptr;
CryptoContext(SSLLib::Ctx libctx_arg,
CryptoDCSettingsData dc_settings_data,
const Frame::Ptr &frame_arg,
const SessionStats::Ptr &stats_arg)
: CryptoDCContext(dc_settings_data.key_derivation()),
dc_settings(std::move(dc_settings_data)),
frame(frame_arg),
stats(stats_arg),
libctx(libctx_arg)
{
/* Check if the cipher is legal for AEAD and otherwise throw */
legal_dc_cipher(dc_settings.cipher());
dc_settings.set_digest(CryptoAlgs::NONE);
}
CryptoDCInstance::Ptr new_obj([[maybe_unused]] const unsigned int key_id) override
{
return new Crypto<CRYPTO_API>(libctx, dc_settings, frame, stats);
}
// cipher/HMAC/key info
CryptoDCSettingsData crypto_info() override
{
return dc_settings;
}
// Info for ProtoContext::link_mtu_adjust
size_t encap_overhead() const override
{
/* encap_overhead does not really return the encapsulation overhead of this channel as it ignores
* the packet-id and 4 byte opcode.
*
* We keep this in line with the normal AEAD data channel defined in crypto_aead_epoch.hpp, and the
* keep the difference to that correct. The difference in overhead are the 4 bytes in the larger packet counter/epoch */
return CRYPTO_API::CipherContextAEAD::AUTH_TAG_LEN + 4;
}
private:
CryptoDCSettingsData dc_settings;
Frame::Ptr frame;
SessionStats::Ptr stats;
SSLLib::Ctx libctx;
};
} // namespace openvpn::AEADEpoch
#endif