2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
8 * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
9 * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License version 2
13 * as published by the Free Software Foundation.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program (see the file COPYING included with this
22 * distribution); if not, write to the Free Software Foundation, Inc.,
23 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
27 * @file Data Channel Cryptography PolarSSL-specific backend interface
32 #elif defined(_MSC_VER)
33 #include "config-msvc.h"
38 #if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_POLARSSL)
44 #include "crypto_backend.h"
48 #include <polarssl/des.h>
49 #include <polarssl/md5.h>
50 #include <polarssl/cipher.h>
51 #include <polarssl/havege.h>
53 #include <polarssl/entropy.h>
57 * Hardware engine support. Allows loading/unloading of engines.
62 crypto_init_lib_engine (const char *engine_name
)
64 msg (M_WARN
, "Note: PolarSSL hardware crypto engine functionality is not "
70 * Functions related to the core crypto library
75 crypto_init_lib (void)
80 crypto_uninit_lib (void)
85 crypto_clear_error (void)
91 crypto_init_dmalloc (void)
93 msg (M_ERR
, "Error: dmalloc support is not available for PolarSSL.");
97 typedef struct { const char * openvpn_name
; const char * polarssl_name
; } cipher_name_pair
;
98 cipher_name_pair cipher_name_translation_table
[] = {
99 { "BF-CBC", "BLOWFISH-CBC" },
100 { "BF-CFB", "BLOWFISH-CFB64" },
101 { "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" },
102 { "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" },
103 { "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" }
106 const cipher_name_pair
*
107 get_cipher_name_pair(const char *cipher_name
) {
108 cipher_name_pair
*pair
;
111 /* Search for a cipher name translation */
112 for (; i
< sizeof (cipher_name_translation_table
) / sizeof (*cipher_name_translation_table
); i
++)
114 pair
= &cipher_name_translation_table
[i
];
115 if (0 == strcmp (cipher_name
, pair
->openvpn_name
) ||
116 0 == strcmp (cipher_name
, pair
->polarssl_name
))
120 /* Nothing found, return null */
125 translate_cipher_name_from_openvpn (const char *cipher_name
) {
126 const cipher_name_pair
*pair
= get_cipher_name_pair(cipher_name
);
131 return pair
->polarssl_name
;
135 translate_cipher_name_to_openvpn (const char *cipher_name
) {
136 const cipher_name_pair
*pair
= get_cipher_name_pair(cipher_name
);
141 return pair
->openvpn_name
;
145 show_available_ciphers ()
147 const int *ciphers
= cipher_list();
150 printf ("The following ciphers and cipher modes are available\n"
151 "for use with " PACKAGE_NAME
". Each cipher shown below may be\n"
152 "used as a parameter to the --cipher option. The default\n"
153 "key size is shown as well as whether or not it can be\n"
154 "changed with the --keysize directive. Using a CBC mode\n"
155 "is recommended.\n\n");
158 while (*ciphers
!= 0)
160 const cipher_info_t
*info
= cipher_info_from_type(*ciphers
);
162 if (info
&& info
->mode
== POLARSSL_MODE_CBC
)
163 printf ("%s %d bit default key\n",
164 cipher_kt_name(info
), cipher_kt_key_size(info
) * 8);
172 show_available_digests ()
174 const int *digests
= md_list();
177 printf ("The following message digests are available for use with\n"
178 PACKAGE_NAME
". A message digest is used in conjunction with\n"
179 "the HMAC function, to authenticate received packets.\n"
180 "You can specify a message digest as parameter to\n"
181 "the --auth option.\n\n");
184 while (*digests
!= 0)
186 const md_info_t
*info
= md_info_from_type(*digests
);
189 printf ("%s %d bit default key\n",
190 info
->name
, info
->size
* 8);
197 show_available_engines ()
199 printf ("Sorry, PolarSSL hardware crypto engine functionality is not "
205 * Random number functions, used in cases where we want
206 * reasonably strong cryptographic random number generation
207 * without depleting our entropy pool. Used for random
208 * IV values and a number of other miscellaneous tasks.
213 * Initialise the given ctr_drbg context, using a personalisation string and an
214 * entropy gathering function.
216 ctr_drbg_context
* rand_ctx_get()
218 static entropy_context ec
= {0};
219 static ctr_drbg_context cd_ctx
= {0};
220 static bool rand_initialised
= false;
222 if (!rand_initialised
)
224 struct gc_arena gc
= gc_new();
225 struct buffer pers_string
= alloc_buf_gc(100, &gc
);
228 * Personalisation string, should be as unique as possible (see NIST
229 * 800-90 section 8.7.1). We have very little information at this stage.
230 * Include Program Name, memory address of the context and PID.
232 buf_printf(&pers_string
, "OpenVPN %0u %p %s", platform_getpid(), &cd_ctx
, time_string(0, 0, 0, &gc
));
234 /* Initialise PolarSSL RNG, and built-in entropy sources */
237 if (0 != ctr_drbg_init(&cd_ctx
, entropy_func
, &ec
, BPTR(&pers_string
), BLEN(&pers_string
)))
238 msg (M_FATAL
, "Failed to initialize random generator");
241 rand_initialised
= true;
247 #ifdef ENABLE_PREDICTION_RESISTANCE
248 void rand_ctx_enable_prediction_resistance()
250 ctr_drbg_context
*cd_ctx
= rand_ctx_get();
252 ctr_drbg_set_prediction_resistance(cd_ctx
, 1);
254 #endif /* ENABLE_PREDICTION_RESISTANCE */
257 rand_bytes (uint8_t *output
, int len
)
259 ctr_drbg_context
*rng_ctx
= rand_ctx_get();
263 const size_t blen
= min_int (len
, CTR_DRBG_MAX_REQUEST
);
264 if (0 != ctr_drbg_random(rng_ctx
, output
, blen
))
276 * Key functions, allow manipulation of keys.
282 key_des_num_cblocks (const cipher_info_t
*kt
)
285 if (kt
->type
== POLARSSL_CIPHER_DES_CBC
)
287 if (kt
->type
== POLARSSL_CIPHER_DES_EDE_CBC
)
289 if (kt
->type
== POLARSSL_CIPHER_DES_EDE3_CBC
)
292 dmsg (D_CRYPTO_DEBUG
, "CRYPTO INFO: n_DES_cblocks=%d", ret
);
297 key_des_check (uint8_t *key
, int key_len
, int ndc
)
302 buf_set_read (&b
, key
, key_len
);
304 for (i
= 0; i
< ndc
; ++i
)
306 unsigned char *key
= buf_read_alloc(&b
, DES_KEY_SIZE
);
309 msg (D_CRYPT_ERRORS
, "CRYPTO INFO: check_key_DES: insufficient key material");
312 if (0 != des_key_check_weak(key
))
314 msg (D_CRYPT_ERRORS
, "CRYPTO INFO: check_key_DES: weak key detected");
317 if (0 != des_key_check_key_parity(key
))
319 msg (D_CRYPT_ERRORS
, "CRYPTO INFO: check_key_DES: bad parity detected");
330 key_des_fixup (uint8_t *key
, int key_len
, int ndc
)
335 buf_set_read (&b
, key
, key_len
);
336 for (i
= 0; i
< ndc
; ++i
)
338 unsigned char *key
= buf_read_alloc(&b
, DES_KEY_SIZE
);
341 msg (D_CRYPT_ERRORS
, "CRYPTO INFO: fixup_key_DES: insufficient key material");
344 des_key_set_parity(key
);
350 * Generic cipher key type functions
355 const cipher_info_t
*
356 cipher_kt_get (const char *ciphername
)
358 const cipher_info_t
*cipher
= NULL
;
362 cipher
= cipher_info_from_string(ciphername
);
365 msg (M_FATAL
, "Cipher algorithm '%s' not found", ciphername
);
367 if (cipher
->key_length
/8 > MAX_CIPHER_KEY_LENGTH
)
368 msg (M_FATAL
, "Cipher algorithm '%s' uses a default key size (%d bytes) which is larger than " PACKAGE_NAME
"'s current maximum key size (%d bytes)",
370 cipher
->key_length
/8,
371 MAX_CIPHER_KEY_LENGTH
);
377 cipher_kt_name (const cipher_info_t
*cipher_kt
)
379 if (NULL
== cipher_kt
)
380 return "[null-cipher]";
382 return translate_cipher_name_to_openvpn(cipher_kt
->name
);
386 cipher_kt_key_size (const cipher_info_t
*cipher_kt
)
388 if (NULL
== cipher_kt
)
390 if (POLARSSL_CIPHER_ID_BLOWFISH
== cipher_kt
->base
->cipher
)
391 return 128/8; /* Override PolarSSL 32 bit default key size with sane 128 bit default */
393 return cipher_kt
->key_length
/8;
397 cipher_kt_iv_size (const cipher_info_t
*cipher_kt
)
399 if (NULL
== cipher_kt
)
401 return cipher_kt
->iv_size
;
405 cipher_kt_block_size (const cipher_info_t
*cipher_kt
)
407 if (NULL
== cipher_kt
)
409 return cipher_kt
->block_size
;
413 cipher_kt_mode (const cipher_info_t
*cipher_kt
)
415 ASSERT(NULL
!= cipher_kt
);
416 return cipher_kt
->mode
;
422 * Generic cipher context functions
428 cipher_ctx_init (cipher_context_t
*ctx
, uint8_t *key
, int key_len
,
429 const cipher_info_t
*kt
, int enc
)
431 ASSERT(NULL
!= kt
&& NULL
!= ctx
);
435 if (0 != cipher_init_ctx(ctx
, kt
))
436 msg (M_FATAL
, "PolarSSL cipher context init #1");
438 if (0 != cipher_setkey(ctx
, key
, key_len
*8, enc
))
439 msg (M_FATAL
, "PolarSSL cipher set key");
441 /* make sure we used a big enough key */
442 ASSERT (ctx
->key_length
<= key_len
*8);
445 void cipher_ctx_cleanup (cipher_context_t
*ctx
)
447 cipher_free_ctx(ctx
);
450 int cipher_ctx_iv_length (const cipher_context_t
*ctx
)
452 return cipher_get_iv_size(ctx
);
455 int cipher_ctx_block_size(const cipher_context_t
*ctx
)
457 return cipher_get_block_size(ctx
);
460 int cipher_ctx_mode (const cipher_context_t
*ctx
)
464 return cipher_kt_mode(ctx
->cipher_info
);
467 int cipher_ctx_reset (cipher_context_t
*ctx
, uint8_t *iv_buf
)
469 return 0 == cipher_reset(ctx
, iv_buf
);
472 int cipher_ctx_update (cipher_context_t
*ctx
, uint8_t *dst
, int *dst_len
,
473 uint8_t *src
, int src_len
)
476 size_t s_dst_len
= *dst_len
;
478 retval
= cipher_update(ctx
, src
, (size_t)src_len
, dst
, &s_dst_len
);
480 *dst_len
= s_dst_len
;
485 int cipher_ctx_final (cipher_context_t
*ctx
, uint8_t *dst
, int *dst_len
)
488 size_t s_dst_len
= *dst_len
;
490 retval
= cipher_finish(ctx
, dst
, &s_dst_len
);
491 *dst_len
= s_dst_len
;
497 cipher_des_encrypt_ecb (const unsigned char key
[DES_KEY_LENGTH
],
503 des_setkey_enc(&ctx
, key
);
504 des_crypt_ecb(&ctx
, src
, dst
);
511 * Generic message digest information functions
517 md_kt_get (const char *digest
)
519 const md_info_t
*md
= NULL
;
522 md
= md_info_from_string(digest
);
524 msg (M_FATAL
, "Message hash algorithm '%s' not found", digest
);
525 if (md
->size
> MAX_HMAC_KEY_LENGTH
)
526 msg (M_FATAL
, "Message hash algorithm '%s' uses a default hash size (%d bytes) which is larger than " PACKAGE_NAME
"'s current maximum hash size (%d bytes)",
529 MAX_HMAC_KEY_LENGTH
);
534 md_kt_name (const md_info_t
*kt
)
537 return "[null-digest]";
538 return md_get_name (kt
);
542 md_kt_size (const md_info_t
*kt
)
546 return md_get_size(kt
);
551 * Generic message digest functions
556 md_full (const md_kt_t
*kt
, const uint8_t *src
, int src_len
, uint8_t *dst
)
558 return 0 == md(kt
, src
, src_len
, dst
);
563 md_ctx_init (md_context_t
*ctx
, const md_info_t
*kt
)
565 ASSERT(NULL
!= ctx
&& NULL
!= kt
);
569 ASSERT(0 == md_init_ctx(ctx
, kt
));
570 ASSERT(0 == md_starts(ctx
));
574 md_ctx_cleanup(md_context_t
*ctx
)
579 md_ctx_size (const md_context_t
*ctx
)
583 return md_get_size(ctx
->md_info
);
587 md_ctx_update (md_context_t
*ctx
, const uint8_t *src
, int src_len
)
589 ASSERT(0 == md_update(ctx
, src
, src_len
));
593 md_ctx_final (md_context_t
*ctx
, uint8_t *dst
)
595 ASSERT(0 == md_finish(ctx
, dst
));
596 ASSERT(0 == md_free_ctx(ctx
));
602 * Generic HMAC functions
608 * TODO: re-enable dmsg for crypto debug
611 hmac_ctx_init (md_context_t
*ctx
, const uint8_t *key
, int key_len
, const md_info_t
*kt
)
613 ASSERT(NULL
!= kt
&& NULL
!= ctx
);
617 ASSERT(0 == md_init_ctx(ctx
, kt
));
618 ASSERT(0 == md_hmac_starts(ctx
, key
, key_len
));
620 /* make sure we used a big enough key */
621 ASSERT (md_get_size(kt
) <= key_len
);
625 hmac_ctx_cleanup(md_context_t
*ctx
)
627 ASSERT(0 == md_free_ctx(ctx
));
631 hmac_ctx_size (const md_context_t
*ctx
)
635 return md_get_size(ctx
->md_info
);
639 hmac_ctx_reset (md_context_t
*ctx
)
641 ASSERT(0 == md_hmac_reset(ctx
));
645 hmac_ctx_update (md_context_t
*ctx
, const uint8_t *src
, int src_len
)
647 ASSERT(0 == md_hmac_update(ctx
, src
, src_len
));
651 hmac_ctx_final (md_context_t
*ctx
, uint8_t *dst
)
653 ASSERT(0 == md_hmac_finish(ctx
, dst
));
656 #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_POLARSSL */