search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
OpenVPN: Update to version 2.3.2. Solves TLS security bug.
[tomato.git] / release / src / router / openvpn / src / openvpn / crypto_polarssl.c
blob1f27d6ca11438346438040f8abd25505aabf9a25
1 /*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 */
25
26 /**
27 * @file Data Channel Cryptography PolarSSL-specific backend interface
28 */
29
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
34 #endif
35
36 #include "syshead.h"
37
38 #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL)
39
40 #include "errlevel.h"
41 #include "basic.h"
42 #include "buffer.h"
43 #include "integer.h"
44 #include "crypto_backend.h"
45 #include "otime.h"
46 #include "misc.h"
47
48 #include <polarssl/des.h>
49 #include <polarssl/md5.h>
50 #include <polarssl/cipher.h>
51 #include <polarssl/havege.h>
52
53 #include <polarssl/entropy.h>
54
55 /*
56 *
57 * Hardware engine support. Allows loading/unloading of engines.
58 *
59 */
60
61 void
62 crypto_init_lib_engine (const char *engine_name)
63 {
64 msg (M_WARN, "Note: PolarSSL hardware crypto engine functionality is not "
65 "available");
66 }
67
68 /*
69 *
70 * Functions related to the core crypto library
71 *
72 */
73
74 void
75 crypto_init_lib (void)
76 {
77 }
78
79 void
80 crypto_uninit_lib (void)
81 {
82 }
83
84 void
85 crypto_clear_error (void)
86 {
87 }
88
89 #ifdef DMALLOC
90 void
91 crypto_init_dmalloc (void)
92 {
93 msg (M_ERR, "Error: dmalloc support is not available for PolarSSL.");
94 }
95 #endif /* DMALLOC */
96
97 typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair;
98 cipher_name_pair cipher_name_translation_table[] = {
99 { "BF-CBC", "BLOWFISH-CBC" },
100 { "BF-CFB", "BLOWFISH-CFB64" },
101 { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" },
102 { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" },
103 { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" }
104 };
105
106 const cipher_name_pair *
107 get_cipher_name_pair(const char *cipher_name) {
108 cipher_name_pair *pair;
109 size_t i = 0;
110
111 /* Search for a cipher name translation */
112 for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++)
113 {
114 pair = &cipher_name_translation_table[i];
115 if (0 == strcmp (cipher_name, pair->openvpn_name) ||
116 0 == strcmp (cipher_name, pair->polarssl_name))
117 return pair;
118 }
119
120 /* Nothing found, return null */
121 return NULL;
122 }
123
124 const char *
125 translate_cipher_name_from_openvpn (const char *cipher_name) {
126 const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
127
128 if (NULL == pair)
129 return cipher_name;
130
131 return pair->polarssl_name;
132 }
133
134 const char *
135 translate_cipher_name_to_openvpn (const char *cipher_name) {
136 const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
137
138 if (NULL == pair)
139 return cipher_name;
140
141 return pair->openvpn_name;
142 }
143
144 void
145 show_available_ciphers ()
146 {
147 const int *ciphers = cipher_list();
148
149 #ifndef ENABLE_SMALL
150 printf ("The following ciphers and cipher modes are available\n"
151 "for use with " PACKAGE_NAME ". Each cipher shown below may be\n"
152 "used as a parameter to the --cipher option. The default\n"
153 "key size is shown as well as whether or not it can be\n"
154 "changed with the --keysize directive. Using a CBC mode\n"
155 "is recommended.\n\n");
156 #endif
157
158 while (*ciphers != 0)
159 {
160 const cipher_info_t *info = cipher_info_from_type(*ciphers);
161
162 if (info && info->mode == POLARSSL_MODE_CBC)
163 printf ("%s %d bit default key\n",
164 cipher_kt_name(info), cipher_kt_key_size(info) * 8);
165
166 ciphers++;
167 }
168 printf ("\n");
169 }
170
171 void
172 show_available_digests ()
173 {
174 const int *digests = md_list();
175
176 #ifndef ENABLE_SMALL
177 printf ("The following message digests are available for use with\n"
178 PACKAGE_NAME ". A message digest is used in conjunction with\n"
179 "the HMAC function, to authenticate received packets.\n"
180 "You can specify a message digest as parameter to\n"
181 "the --auth option.\n\n");
182 #endif
183
184 while (*digests != 0)
185 {
186 const md_info_t *info = md_info_from_type(*digests);
187
188 if (info)
189 printf ("%s %d bit default key\n",
190 info->name, info->size * 8);
191 digests++;
192 }
193 printf ("\n");
194 }
195
196 void
197 show_available_engines ()
198 {
199 printf ("Sorry, PolarSSL hardware crypto engine functionality is not "
200 "available\n");
201 }
202
203 /*
204 *
205 * Random number functions, used in cases where we want
206 * reasonably strong cryptographic random number generation
207 * without depleting our entropy pool. Used for random
208 * IV values and a number of other miscellaneous tasks.
209 *
210 */
211
212 /*
213 * Initialise the given ctr_drbg context, using a personalisation string and an
214 * entropy gathering function.
215 */
216 ctr_drbg_context * rand_ctx_get()
217 {
218 static entropy_context ec = {0};
219 static ctr_drbg_context cd_ctx = {0};
220 static bool rand_initialised = false;
221
222 if (!rand_initialised)
223 {
224 struct gc_arena gc = gc_new();
225 struct buffer pers_string = alloc_buf_gc(100, &gc);
226
227 /*
228 * Personalisation string, should be as unique as possible (see NIST
229 * 800-90 section 8.7.1). We have very little information at this stage.
230 * Include Program Name, memory address of the context and PID.
231 */
232 buf_printf(&pers_string, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx, time_string(0, 0, 0, &gc));
233
234 /* Initialise PolarSSL RNG, and built-in entropy sources */
235 entropy_init(&ec);
236
237 if (0 != ctr_drbg_init(&cd_ctx, entropy_func, &ec, BPTR(&pers_string), BLEN(&pers_string)))
238 msg (M_FATAL, "Failed to initialize random generator");
239
240 gc_free(&gc);
241 rand_initialised = true;
242 }
243
244 return &cd_ctx;
245 }
246
247 #ifdef ENABLE_PREDICTION_RESISTANCE
248 void rand_ctx_enable_prediction_resistance()
249 {
250 ctr_drbg_context *cd_ctx = rand_ctx_get();
251
252 ctr_drbg_set_prediction_resistance(cd_ctx, 1);
253 }
254 #endif /* ENABLE_PREDICTION_RESISTANCE */
255
256 int
257 rand_bytes (uint8_t *output, int len)
258 {
259 ctr_drbg_context *rng_ctx = rand_ctx_get();
260
261 while (len > 0)
262 {
263 const size_t blen = min_int (len, CTR_DRBG_MAX_REQUEST);
264 if (0 != ctr_drbg_random(rng_ctx, output, blen))
265 return 0;
266
267 output += blen;
268 len -= blen;
269 }
270
271 return 1;
272 }
273
274 /*
275 *
276 * Key functions, allow manipulation of keys.
277 *
278 */
279
280
281 int
282 key_des_num_cblocks (const cipher_info_t *kt)
283 {
284 int ret = 0;
285 if (kt->type == POLARSSL_CIPHER_DES_CBC)
286 ret = 1;
287 if (kt->type == POLARSSL_CIPHER_DES_EDE_CBC)
288 ret = 2;
289 if (kt->type == POLARSSL_CIPHER_DES_EDE3_CBC)
290 ret = 3;
291
292 dmsg (D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
293 return ret;
294 }
295
296 bool
297 key_des_check (uint8_t *key, int key_len, int ndc)
298 {
299 int i;
300 struct buffer b;
301
302 buf_set_read (&b, key, key_len);
303
304 for (i = 0; i < ndc; ++i)
305 {
306 unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);
307 if (!key)
308 {
309 msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: insufficient key material");
310 goto err;
311 }
312 if (0 != des_key_check_weak(key))
313 {
314 msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected");
315 goto err;
316 }
317 if (0 != des_key_check_key_parity(key))
318 {
319 msg (D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected");
320 goto err;
321 }
322 }
323 return true;
324
325 err:
326 return false;
327 }
328
329 void
330 key_des_fixup (uint8_t *key, int key_len, int ndc)
331 {
332 int i;
333 struct buffer b;
334
335 buf_set_read (&b, key, key_len);
336 for (i = 0; i < ndc; ++i)
337 {
338 unsigned char *key = buf_read_alloc(&b, DES_KEY_SIZE);
339 if (!key)
340 {
341 msg (D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material");
342 return;
343 }
344 des_key_set_parity(key);
345 }
346 }
347
348 /*
349 *
350 * Generic cipher key type functions
351 *
352 */
353
354
355 const cipher_info_t *
356 cipher_kt_get (const char *ciphername)
357 {
358 const cipher_info_t *cipher = NULL;
359
360 ASSERT (ciphername);
361
362 cipher = cipher_info_from_string(ciphername);
363
364 if (NULL == cipher)
365 msg (M_FATAL, "Cipher algorithm '%s' not found", ciphername);
366
367 if (cipher->key_length/8 > MAX_CIPHER_KEY_LENGTH)
368 msg (M_FATAL, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum key size (%d bytes)",
369 ciphername,
370 cipher->key_length/8,
371 MAX_CIPHER_KEY_LENGTH);
372
373 return cipher;
374 }
375
376 const char *
377 cipher_kt_name (const cipher_info_t *cipher_kt)
378 {
379 if (NULL == cipher_kt)
380 return "[null-cipher]";
381
382 return translate_cipher_name_to_openvpn(cipher_kt->name);
383 }
384
385 int
386 cipher_kt_key_size (const cipher_info_t *cipher_kt)
387 {
388 if (NULL == cipher_kt)
389 return 0;
390 if (POLARSSL_CIPHER_ID_BLOWFISH == cipher_kt->base->cipher)
391 return 128/8; /* Override PolarSSL 32 bit default key size with sane 128 bit default */
392
393 return cipher_kt->key_length/8;
394 }
395
396 int
397 cipher_kt_iv_size (const cipher_info_t *cipher_kt)
398 {
399 if (NULL == cipher_kt)
400 return 0;
401 return cipher_kt->iv_size;
402 }
403
404 int
405 cipher_kt_block_size (const cipher_info_t *cipher_kt)
406 {
407 if (NULL == cipher_kt)
408 return 0;
409 return cipher_kt->block_size;
410 }
411
412 int
413 cipher_kt_mode (const cipher_info_t *cipher_kt)
414 {
415 ASSERT(NULL != cipher_kt);
416 return cipher_kt->mode;
417 }
418
419
420 /*
421 *
422 * Generic cipher context functions
423 *
424 */
425
426
427 void
428 cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,
429 const cipher_info_t *kt, int enc)
430 {
431 ASSERT(NULL != kt && NULL != ctx);
432
433 CLEAR (*ctx);
434
435 if (0 != cipher_init_ctx(ctx, kt))
436 msg (M_FATAL, "PolarSSL cipher context init #1");
437
438 if (0 != cipher_setkey(ctx, key, key_len*8, enc))
439 msg (M_FATAL, "PolarSSL cipher set key");
440
441 /* make sure we used a big enough key */
442 ASSERT (ctx->key_length <= key_len*8);
443 }
444
445 void cipher_ctx_cleanup (cipher_context_t *ctx)
446 {
447 cipher_free_ctx(ctx);
448 }
449
450 int cipher_ctx_iv_length (const cipher_context_t *ctx)
451 {
452 return cipher_get_iv_size(ctx);
453 }
454
455 int cipher_ctx_block_size(const cipher_context_t *ctx)
456 {
457 return cipher_get_block_size(ctx);
458 }
459
460 int cipher_ctx_mode (const cipher_context_t *ctx)
461 {
462 ASSERT(NULL != ctx);
463
464 return cipher_kt_mode(ctx->cipher_info);
465 }
466
467 int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
468 {
469 return 0 == cipher_reset(ctx, iv_buf);
470 }
471
472 int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
473 uint8_t *src, int src_len)
474 {
475 int retval = 0;
476 size_t s_dst_len = *dst_len;
477
478 retval = cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len);
479
480 *dst_len = s_dst_len;
481
482 return 0 == retval;
483 }
484
485 int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len)
486 {
487 int retval = 0;
488 size_t s_dst_len = *dst_len;
489
490 retval = cipher_finish(ctx, dst, &s_dst_len);
491 *dst_len = s_dst_len;
492
493 return 0 == retval;
494 }
495
496 void
497 cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH],
498 unsigned char *src,
499 unsigned char *dst)
500 {
501 des_context ctx;
502
503 des_setkey_enc(&ctx, key);
504 des_crypt_ecb(&ctx, src, dst);
505 }
506
507
508
509 /*
510 *
511 * Generic message digest information functions
512 *
513 */
514
515
516 const md_info_t *
517 md_kt_get (const char *digest)
518 {
519 const md_info_t *md = NULL;
520 ASSERT (digest);
521
522 md = md_info_from_string(digest);
523 if (!md)
524 msg (M_FATAL, "Message hash algorithm '%s' not found", digest);
525 if (md->size > MAX_HMAC_KEY_LENGTH)
526 msg (M_FATAL, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME "'s current maximum hash size (%d bytes)",
527 digest,
528 md->size,
529 MAX_HMAC_KEY_LENGTH);
530 return md;
531 }
532
533 const char *
534 md_kt_name (const md_info_t *kt)
535 {
536 if (NULL == kt)
537 return "[null-digest]";
538 return md_get_name (kt);
539 }
540
541 int
542 md_kt_size (const md_info_t *kt)
543 {
544 if (NULL == kt)
545 return 0;
546 return md_get_size(kt);
547 }
548
549 /*
550 *
551 * Generic message digest functions
552 *
553 */
554
555 int
556 md_full (const md_kt_t *kt, const uint8_t *src, int src_len, uint8_t *dst)
557 {
558 return 0 == md(kt, src, src_len, dst);
559 }
560
561
562 void
563 md_ctx_init (md_context_t *ctx, const md_info_t *kt)
564 {
565 ASSERT(NULL != ctx && NULL != kt);
566
567 CLEAR(*ctx);
568
569 ASSERT(0 == md_init_ctx(ctx, kt));
570 ASSERT(0 == md_starts(ctx));
571 }
572
573 void
574 md_ctx_cleanup(md_context_t *ctx)
575 {
576 }
577
578 int
579 md_ctx_size (const md_context_t *ctx)
580 {
581 if (NULL == ctx)
582 return 0;
583 return md_get_size(ctx->md_info);
584 }
585
586 void
587 md_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len)
588 {
589 ASSERT(0 == md_update(ctx, src, src_len));
590 }
591
592 void
593 md_ctx_final (md_context_t *ctx, uint8_t *dst)
594 {
595 ASSERT(0 == md_finish(ctx, dst));
596 ASSERT(0 == md_free_ctx(ctx));
597 }
598
599
600 /*
601 *
602 * Generic HMAC functions
603 *
604 */
605
606
607 /*
608 * TODO: re-enable dmsg for crypto debug
609 */
610 void
611 hmac_ctx_init (md_context_t *ctx, const uint8_t *key, int key_len, const md_info_t *kt)
612 {
613 ASSERT(NULL != kt && NULL != ctx);
614
615 CLEAR(*ctx);
616
617 ASSERT(0 == md_init_ctx(ctx, kt));
618 ASSERT(0 == md_hmac_starts(ctx, key, key_len));
619
620 /* make sure we used a big enough key */
621 ASSERT (md_get_size(kt) <= key_len);
622 }
623
624 void
625 hmac_ctx_cleanup(md_context_t *ctx)
626 {
627 ASSERT(0 == md_free_ctx(ctx));
628 }
629
630 int
631 hmac_ctx_size (const md_context_t *ctx)
632 {
633 if (NULL == ctx)
634 return 0;
635 return md_get_size(ctx->md_info);
636 }
637
638 void
639 hmac_ctx_reset (md_context_t *ctx)
640 {
641 ASSERT(0 == md_hmac_reset(ctx));
642 }
643
644 void
645 hmac_ctx_update (md_context_t *ctx, const uint8_t *src, int src_len)
646 {
647 ASSERT(0 == md_hmac_update(ctx, src, src_len));
648 }
649
650 void
651 hmac_ctx_final (md_context_t *ctx, uint8_t *dst)
652 {
653 ASSERT(0 == md_hmac_finish(ctx, dst));
654 }
655
656 #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_POLARSSL */
Tomato firmware and modifications.