Merge commit '86cc97e55fe346502462284d2e636a2b3708163e' as 'Sources/OpenVPN3'

2026-04-24 00:00:05 +08:00 · 2020-02-24 14:43:11 +03:00
parent 133b3756e6 86cc97e55f
commit 32f1555929
655 changed files with 146468 additions and 0 deletions
@@ -0,0 +1,350 @@
+//    OpenVPN -- An application to securely tunnel IP networks
+//               over a single port, with support for SSL/TLS-based
+//               session authentication and key exchange,
+//               packet encryption, packet authentication, and
+//               packet compression.
+//
+//    Copyright (C) 2012-2017 OpenVPN Inc.
+//
+//    This program is free software: you can redistribute it and/or modify
+//    it under the terms of the GNU Affero General Public License Version 3
+//    as published by the Free Software Foundation.
+//
+//    This program is distributed in the hope that it will be useful,
+//    but WITHOUT ANY WARRANTY; without even the implied warranty of
+//    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//    GNU Affero General Public License for more details.
+//
+//    You should have received a copy of the GNU Affero General Public License
+//    along with this program in the COPYING file.
+//    If not, see <http://www.gnu.org/licenses/>.
+
+// OpenVPN AEAD data channel interface
+
+#ifndef OPENVPN_CRYPTO_CRYPTO_AEAD_H
+#define OPENVPN_CRYPTO_CRYPTO_AEAD_H
+
+#include <cstring>           // for std::memcpy, std::memset
+
+#include <openvpn/common/size.hpp>
+#include <openvpn/common/exception.hpp>
+#include <openvpn/buffer/buffer.hpp>
+#include <openvpn/frame/frame.hpp>
+#include <openvpn/crypto/static_key.hpp>
+#include <openvpn/crypto/packet_id.hpp>
+#include <openvpn/log/sessionstats.hpp>
+#include <openvpn/crypto/cryptodc.hpp>
+
+// Sample AES-GCM head:
+//   48000001 00000005 7e7046bd 444a7e28 cc6387b1 64a4d6c1 380275a...
+//   [ OP32 ] [seq # ] [             auth tag            ] [ payload ... ]
+//            [4-byte
+//            IV head]
+
+namespace openvpn {
+  namespace AEAD {
+
+    OPENVPN_EXCEPTION(aead_error);
+
+    template <typename CRYPTO_API>
+    class Crypto : public CryptoDCInstance
+    {
+      class Nonce {
+      public:
+	Nonce()
+	{
+	  static_assert(4 + CRYPTO_API::CipherContextGCM::IV_LEN == sizeof(data),
+			"AEAD IV_LEN inconsistency");
+	  ad_op32 = false;
+	  std::memset(data, 0, sizeof(data));
+	}
+
+	// setup
+	void set_tail(const StaticKey& sk)
+	{
+	  if (sk.size() < 8)
+	    throw aead_error("insufficient key material for nonce tail");
+	  std::memcpy(data + 8, sk.data(), 8);
+	}
+
+	// for encrypt
+	Nonce(const Nonce& ref, PacketIDSend& pid_send, const PacketID::time_t now,
+	      const unsigned char *op32)
+	{
+	  std::memcpy(data, ref.data, sizeof(data));
+	  Buffer buf(data + 4, 4, false);
+	  pid_send.write_next(buf, false, now);
+	  if (op32)
+	    {
+	      ad_op32 = true;
+	      std::memcpy(data, op32, 4);
+	    }
+	  else
+	    ad_op32 = false;
+	}
+
+	// for encrypt
+	void prepend_ad(Buffer& buf) const
+	{
+	  buf.prepend(data + 4, 4);
+	}
+
+	// for decrypt
+	Nonce(const Nonce& ref, Buffer& buf, const unsigned char *op32)
+	{
+	  std::memcpy(data, ref.data, sizeof(data));
+	  buf.read(data + 4, 4);
+	  if (op32)
+	    {
+	      ad_op32 = true;
+	      std::memcpy(data, op32, 4);
+	    }
+	  else
+	    ad_op32 = false;
+	}
+
+	// for decrypt
+	bool verify_packet_id(PacketIDReceive& pid_recv, const PacketID::time_t now)
+	{
+	  Buffer buf(data + 4, 4, true);
+	  const PacketID pid = pid_recv.read_next(buf);
+	  return pid_recv.test_add(pid, now, true); // verify packet ID
+	}
+
+	const unsigned char *iv() const
+	{
+	  return data + 4;
+	}
+
+	const unsigned char *ad() const
+	{
+	  return ad_op32 ? data : data + 4;
+	}
+
+	const size_t ad_len() const
+	{
+	  return ad_op32 ? 8 : 4;
+	}
+
+      private:
+	bool ad_op32; // true if AD includes op32 opcode
+
+	// Sample data:
+	//   [ OP32 (optional) ] [  pkt ID     ] [     nonce tail          ]
+	//   [ 48 00 00 01     ] [ 00 00 00 05 ] [ 7f 45 64 db 33 5b 6c 29 ]
+	unsigned char data[16];
+      };
+
+      struct Encrypt {
+	typename CRYPTO_API::CipherContextGCM impl;
+	Nonce nonce;
+	PacketIDSend pid_send;
+	BufferAllocated work;
+      };
+
+      struct Decrypt {
+	typename CRYPTO_API::CipherContextGCM impl;
+	Nonce nonce;
+	PacketIDReceive pid_recv;
+	BufferAllocated work;
+      };
+    public:
+      typedef CryptoDCInstance Base;
+
+      Crypto(const CryptoAlgs::Type cipher_arg,
+	     const Frame::Ptr& frame_arg,
+	     const SessionStats::Ptr& stats_arg)
+	: cipher(cipher_arg),
+	  frame(frame_arg),
+	  stats(stats_arg)
+      {
+      }
+
+      // Encrypt/Decrypt
+
+      // returns true if packet ID is close to wrapping
+      virtual bool encrypt(BufferAllocated& buf, const PacketID::time_t now, const unsigned char *op32)
+      {
+	// only process non-null packets
+	if (buf.size())
+	  {
+	    // build nonce/IV/AD
+	    Nonce nonce(e.nonce, e.pid_send, now, op32);
+
+	    if (CRYPTO_API::CipherContextGCM::SUPPORTS_IN_PLACE_ENCRYPT)
+	      {
+		unsigned char *data = buf.data();
+		const size_t size = buf.size();
+
+		// alloc auth tag in buffer
+		unsigned char *auth_tag = buf.prepend_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
+
+		// encrypt in-place
+		e.impl.encrypt(data, data, size, nonce.iv(), auth_tag, nonce.ad(), nonce.ad_len());
+	      }
+	    else
+	      {
+		// encrypt to work buf
+		frame->prepare(Frame::ENCRYPT_WORK, e.work);
+		if (e.work.max_size() < buf.size())
+		  throw aead_error("encrypt work buffer too small");
+
+		// alloc auth tag in buffer
+		unsigned char *auth_tag = e.work.prepend_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
+
+		// prepare output buffer
+		unsigned char *work_data = e.work.write_alloc(buf.size());
+
+		// encrypt
+		e.impl.encrypt(buf.data(), work_data, buf.size(), nonce.iv(), auth_tag, nonce.ad(), nonce.ad_len());
+		buf.swap(e.work);
+	      }
+
+	    // prepend additional data
+	    nonce.prepend_ad(buf);
+	  }
+	return e.pid_send.wrap_warning();
+      }
+
+      virtual Error::Type decrypt(BufferAllocated& buf, const PacketID::time_t now, const unsigned char *op32)
+      {
+	// only process non-null packets
+	if (buf.size())
+	  {
+	    // get nonce/IV/AD
+	    Nonce nonce(d.nonce, buf, op32);
+
+	    // get auth tag
+	    unsigned char *auth_tag = buf.read_alloc(CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN);
+
+	    // initialize work buffer
+	    frame->prepare(Frame::DECRYPT_WORK, d.work);
+	    if (d.work.max_size() < buf.size())
+	      throw aead_error("decrypt work buffer too small");
+
+	    // decrypt from buf -> work
+	    if (!d.impl.decrypt(buf.c_data(), d.work.data(), buf.size(), nonce.iv(), auth_tag,
+				nonce.ad(), nonce.ad_len()))
+	      {
+		buf.reset_size();
+		return Error::DECRYPT_ERROR;
+	      }
+	    d.work.set_size(buf.size());
+
+	    // verify packet ID
+	    if (!nonce.verify_packet_id(d.pid_recv, now))
+	      {
+		buf.reset_size();
+		return Error::REPLAY_ERROR;
+	      }
+
+	    // return cleartext result in buf
+	    buf.swap(d.work);
+	  }
+	return Error::SUCCESS;
+      }
+
+      // Initialization
+
+      virtual void init_cipher(StaticKey&& encrypt_key,
+			       StaticKey&& decrypt_key)
+      {
+	e.impl.init(cipher, encrypt_key.data(), encrypt_key.size(), CRYPTO_API::CipherContextGCM::ENCRYPT);
+	d.impl.init(cipher, decrypt_key.data(), decrypt_key.size(), CRYPTO_API::CipherContextGCM::DECRYPT);
+      }
+
+      virtual void init_hmac(StaticKey&& encrypt_key,
+			     StaticKey&& decrypt_key)
+      {
+	e.nonce.set_tail(encrypt_key);
+	d.nonce.set_tail(decrypt_key);
+      }
+
+      virtual void init_pid(const int send_form,
+			    const int recv_mode,
+			    const int recv_form,
+			    const char *recv_name,
+			    const int recv_unit,
+			    const SessionStats::Ptr& recv_stats_arg)
+      {
+	e.pid_send.init(send_form);
+	d.pid_recv.init(recv_mode, recv_form, recv_name, recv_unit, recv_stats_arg);
+      }
+
+      // Indicate whether or not cipher/digest is defined
+
+      virtual unsigned int defined() const
+      {
+	unsigned int ret = CRYPTO_DEFINED;
+
+	// AEAD mode doesn't use HMAC, but we still indicate HMAC_DEFINED
+	// because we want to use the HMAC keying material for the AEAD nonce tail.
+	if (CryptoAlgs::defined(cipher))
+	  ret |= (CIPHER_DEFINED|HMAC_DEFINED);
+	return ret;
+      }
+
+      virtual bool consider_compression(const CompressContext& comp_ctx)
+      {
+	return true;
+      }
+
+      // Rekeying
+
+      virtual void rekey(const typename Base::RekeyType type)
+      {
+      }
+
+    private:
+      CryptoAlgs::Type cipher;
+      Frame::Ptr frame;
+      SessionStats::Ptr stats;
+      Encrypt e;
+      Decrypt d;
+    };
+
+    template <typename CRYPTO_API>
+    class CryptoContext : public CryptoDCContext
+    {
+    public:
+      typedef RCPtr<CryptoContext> Ptr;
+
+      CryptoContext(const CryptoAlgs::Type cipher_arg,
+		    const Frame::Ptr& frame_arg,
+		    const SessionStats::Ptr& stats_arg)
+	: cipher(CryptoAlgs::legal_dc_cipher(cipher_arg)),
+	  frame(frame_arg),
+	  stats(stats_arg)
+      {
+      }
+
+      virtual CryptoDCInstance::Ptr new_obj(const unsigned int key_id)
+      {
+	return new Crypto<CRYPTO_API>(cipher, frame, stats);
+      }
+
+      // cipher/HMAC/key info
+      virtual Info crypto_info()
+      {
+	Info ret;
+	ret.cipher_alg = cipher;
+	ret.hmac_alg = CryptoAlgs::NONE;
+	return ret;
+      }
+
+      // Info for ProtoContext::link_mtu_adjust
+
+      virtual size_t encap_overhead() const
+      {
+	return CRYPTO_API::CipherContextGCM::AUTH_TAG_LEN;
+      }
+
+    private:
+      CryptoAlgs::Type cipher;
+      Frame::Ptr frame;
+      SessionStats::Ptr stats;
+    };
+  }
+}
+
+#endif