github/OpenVPNAdapter
4
0
Fork 0
mirror of https://github.com/deneraraujo/OpenVPNAdapter.git synced 2026-04-24 00:00:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Squashed 'Sources/OpenVPNAdapter/Libraries/Vendors/openvpn/' content from commit 554d8b888

Browse Source 
git-subtree-dir: Sources/OpenVPNAdapter/Libraries/Vendors/openvpn
git-subtree-split: 554d8b88817d3a7b836e78940ed61bb11ed2bd9b
This commit is contained in:
Sergey Abramchuk
2018-07-27 18:08:58 +03:00
commit e2ad2ab5d5
585 changed files with 101725 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
openvpn/openssl/bio/bio_memq_dgram.hpp
+245
View File
@@ -0,0 +1,245 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// This code implements an OpenSSL BIO object for datagrams based on the
// MemQ buffer queue object.
#ifndef OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
#define OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
#include <cstring> // for std::strlen
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/frame/memq_dgram.hpp>
namespace openvpn {
namespace bmq_dgram {
class MemQ : public MemQDgram {
public:
MemQ()
{
mtu = 0;
query_mtu_return = 0;
std::memset(&next_timeout, 0, sizeof(next_timeout));
}
void set_mtu(long mtu) { query_mtu_return = mtu; }
const struct timeval *get_next_timeout(void) const { return &next_timeout; }
long ctrl (BIO *b, int cmd, long num, void *ptr)
{
long ret = 1;
switch (cmd)
{
case BIO_CTRL_RESET:
clear();
break;
case BIO_CTRL_EOF:
ret = (long)empty();
break;
case BIO_C_SET_BUF_MEM_EOF_RETURN:
b->num = (int)num;
break;
case BIO_CTRL_GET_CLOSE:
ret = (long)b->shutdown;
break;
case BIO_CTRL_SET_CLOSE:
b->shutdown = (int)num;
break;
case BIO_CTRL_WPENDING:
ret = 0L;
break;
case BIO_CTRL_PENDING:
ret = (long)pending();
break;
case BIO_CTRL_DUP:
case BIO_CTRL_FLUSH:
ret = 1;
break;
case BIO_CTRL_DGRAM_QUERY_MTU:
ret = mtu = query_mtu_return;
break;
case BIO_CTRL_DGRAM_GET_MTU:
ret = mtu;
break;
case BIO_CTRL_DGRAM_SET_MTU:
ret = mtu = num;
break;
case BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT:
std::memcpy(&next_timeout, ptr, sizeof(struct timeval));
break;
default:
//OPENVPN_LOG("*** MemQ-dgram unimplemented ctrl method=" << cmd);
ret = 0;
break;
}
return (ret);
}
private:
long mtu;
long query_mtu_return;
struct timeval next_timeout;
};
namespace bio_memq_internal {
enum {
BIO_TYPE_MEMQ = (94|BIO_TYPE_SOURCE_SINK) // make sure type 94 doesn't collide with anything in bio.h
};
inline int memq_new (BIO *b)
{
MemQ *bmq = new MemQ();
if (!bmq)
return 0;
b->shutdown = 1;
b->init = 1;
b->num = -1;
b->ptr = (void *)bmq;
return 1;
}
inline int memq_free (BIO *b)
{
if (b == nullptr)
return (0);
if (b->shutdown)
{
if ((b->init) && (b->ptr != nullptr))
{
MemQ *bmq = (MemQ*)b->ptr;
delete bmq;
b->ptr = nullptr;
}
}
return 1;
}
inline int memq_write (BIO *b, const char *in, int len)
{
MemQ *bmq = (MemQ*)b->ptr;
if (in)
{
BIO_clear_retry_flags (b);
try {
if (len)
bmq->write((const unsigned char *)in, (size_t)len);
return len;
}
catch (...)
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER);
return -1;
}
}
inline int memq_read (BIO *b, char *out, int size)
{
MemQ *bmq = (MemQ*)b->ptr;
int ret = -1;
BIO_clear_retry_flags (b);
if (!bmq->empty())
{
try {
ret = (int)bmq->read((unsigned char *)out, (size_t)size);
}
catch (...)
{
BIOerr(BIO_F_MEM_READ, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
ret = b->num;
if (ret != 0)
BIO_set_retry_read (b);
}
return ret;
}
inline long memq_ctrl (BIO *b, int cmd, long arg1, void *arg2)
{
MemQ *bmq = (MemQ*)b->ptr;
return bmq->ctrl(b, cmd, arg1, arg2);
}
inline int memq_puts (BIO *b, const char *str)
{
const int len = std::strlen (str);
const int ret = memq_write (b, str, len);
return ret;
}
BIO_METHOD memq_method =
{
BIO_TYPE_MEMQ,
"datagram memory queue",
memq_write,
memq_read,
memq_puts,
nullptr, /* memq_gets */
memq_ctrl,
memq_new,
memq_free,
nullptr,
};
} // namespace bio_memq_internal
inline BIO_METHOD *BIO_s_memq(void)
{
return (&bio_memq_internal::memq_method);
}
inline MemQ *memq_from_bio(BIO *b)
{
if (b->method->type == bio_memq_internal::BIO_TYPE_MEMQ)
return (MemQ *)b->ptr;
else
return nullptr;
}
inline const MemQ *const_memq_from_bio(const BIO *b)
{
if (b->method->type == bio_memq_internal::BIO_TYPE_MEMQ)
return (const MemQ *)b->ptr;
else
return nullptr;
}
} // namespace bmq_dgram
} // namespace openvpn
#endif // OPENVPN_OPENSSL_BIO_BIO_MEMQ_DGRAM_H
openvpn/openssl/bio/bio_memq_stream.hpp
+220
View File
@@ -0,0 +1,220 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// This code implements an OpenSSL BIO object for streams based on the
// MemQ buffer queue object.
#ifndef OPENVPN_OPENSSL_BIO_BIO_MEMQ_STREAM_H
#define OPENVPN_OPENSSL_BIO_BIO_MEMQ_STREAM_H
#include <cstring> // for std::strlen and others
#include <openssl/err.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/frame/frame.hpp>
#include <openvpn/frame/memq_stream.hpp>
namespace openvpn {
namespace bmq_stream {
class MemQ : public MemQStream {
public:
MemQ() {}
long ctrl (BIO *b, int cmd, long num, void *ptr)
{
long ret = 1;
switch (cmd)
{
case BIO_CTRL_RESET:
clear();
break;
case BIO_CTRL_EOF:
ret = (long)empty();
break;
case BIO_C_SET_BUF_MEM_EOF_RETURN:
b->num = (int)num;
break;
case BIO_CTRL_GET_CLOSE:
ret = (long)b->shutdown;
break;
case BIO_CTRL_SET_CLOSE:
b->shutdown = (int)num;
break;
case BIO_CTRL_WPENDING:
ret = 0L;
break;
case BIO_CTRL_PENDING:
ret = (long)pending();
break;
case BIO_CTRL_DUP:
case BIO_CTRL_FLUSH:
ret = 1;
break;
default:
//OPENVPN_LOG("*** MemQ-stream unimplemented ctrl method=" << cmd);
ret = 0;
break;
}
return (ret);
}
};
namespace bio_memq_internal {
enum {
BIO_TYPE_MEMQ = (95|BIO_TYPE_SOURCE_SINK) // make sure type 95 doesn't collide with anything in bio.h
};
inline int memq_new (BIO *b)
{
MemQ *bmq = new MemQ();
if (!bmq)
return 0;
b->shutdown = 1;
b->init = 1;
b->num = -1;
b->ptr = (void *)bmq;
return 1;
}
inline int memq_free (BIO *b)
{
if (b == nullptr)
return (0);
if (b->shutdown)
{
if ((b->init) && (b->ptr != nullptr))
{
MemQ *bmq = (MemQ*)b->ptr;
delete bmq;
b->ptr = nullptr;
}
}
return 1;
}
inline int memq_write (BIO *b, const char *in, int len)
{
MemQ *bmq = (MemQ*)b->ptr;
if (in)
{
BIO_clear_retry_flags (b);
try {
if (len)
bmq->write((const unsigned char *)in, (size_t)len);
return len;
}
catch (...)
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
BIOerr(BIO_F_MEM_WRITE, BIO_R_NULL_PARAMETER);
return -1;
}
}
inline int memq_read (BIO *b, char *out, int size)
{
MemQ *bmq = (MemQ*)b->ptr;
int ret = -1;
BIO_clear_retry_flags (b);
if (!bmq->empty())
{
try {
ret = (int)bmq->read((unsigned char *)out, (size_t)size);
}
catch (...)
{
BIOerr(BIO_F_MEM_READ, BIO_R_INVALID_ARGUMENT);
return -1;
}
}
else
{
ret = b->num;
if (ret != 0)
BIO_set_retry_read (b);
}
return ret;
}
inline long memq_ctrl (BIO *b, int cmd, long arg1, void *arg2)
{
MemQ *bmq = (MemQ*)b->ptr;
return bmq->ctrl(b, cmd, arg1, arg2);
}
inline int memq_puts (BIO *b, const char *str)
{
const int len = std::strlen (str);
const int ret = memq_write (b, str, len);
return ret;
}
BIO_METHOD memq_method =
{
BIO_TYPE_MEMQ,
"stream memory queue",
memq_write,
memq_read,
memq_puts,
nullptr, /* memq_gets */
memq_ctrl,
memq_new,
memq_free,
nullptr,
};
} // namespace bio_memq_internal
inline BIO_METHOD *BIO_s_memq(void)
{
return (&bio_memq_internal::memq_method);
}
inline MemQ *memq_from_bio(BIO *b)
{
if (b->method->type == bio_memq_internal::BIO_TYPE_MEMQ)
return (MemQ *)b->ptr;
else
return nullptr;
}
inline const MemQ *const_memq_from_bio(const BIO *b)
{
if (b->method->type == bio_memq_internal::BIO_TYPE_MEMQ)
return (const MemQ *)b->ptr;
else
return nullptr;
}
} // namespace bmq_dgram
} // namespace openvpn
#endif // OPENVPN_OPENSSL_BIO_BIO_MEMQ_STREAM_H
openvpn/openssl/crypto/api.hpp
+46
View File
@@ -0,0 +1,46 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_OPENSSL_CRYPTO_API_H
#define OPENVPN_OPENSSL_CRYPTO_API_H
#include <openvpn/openssl/crypto/cipher.hpp>
#include <openvpn/openssl/crypto/ciphergcm.hpp>
#include <openvpn/openssl/crypto/digest.hpp>
#include <openvpn/openssl/crypto/hmac.hpp>
namespace openvpn {
// type container for OpenSSL Crypto-level API
struct OpenSSLCryptoAPI {
// cipher
typedef OpenSSLCrypto::CipherContext CipherContext;
typedef OpenSSLCrypto::CipherContextGCM CipherContextGCM;
// digest
typedef OpenSSLCrypto::DigestContext DigestContext;
// HMAC
typedef OpenSSLCrypto::HMACContext HMACContext;
};
}
#endif
openvpn/openssl/crypto/cipher.hpp
+198
View File
@@ -0,0 +1,198 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL cipher API defined in <openssl/evp.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_CIPHER_H
#define OPENVPN_OPENSSL_CRYPTO_CIPHER_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class CipherContext
{
CipherContext(const CipherContext&) = delete;
CipherContext& operator=(const CipherContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(openssl_cipher_mode_error);
OPENVPN_SIMPLE_EXCEPTION(openssl_cipher_uninitialized);
OPENVPN_EXCEPTION(openssl_cipher_error);
// mode parameter for constructor
enum {
MODE_UNDEF = -1,
ENCRYPT = 1,
DECRYPT = 0
};
// OpenSSL cipher constants
enum {
MAX_IV_LENGTH = EVP_MAX_IV_LENGTH,
CIPH_CBC_MODE = EVP_CIPH_CBC_MODE
};
CipherContext()
: initialized(false)
{
}
~CipherContext() { erase() ; }
void init(const CryptoAlgs::Type alg, const unsigned char *key, const int mode)
{
// check that mode is valid
if (!(mode == ENCRYPT || mode == DECRYPT))
throw openssl_cipher_mode_error();
erase();
EVP_CIPHER_CTX_init (&ctx);
if (!EVP_CipherInit_ex (&ctx, cipher_type(alg), nullptr, key, nullptr, mode))
{
openssl_clear_error_stack();
throw openssl_cipher_error("EVP_CipherInit_ex (init)");
}
initialized = true;
}
void reset(const unsigned char *iv)
{
check_initialized();
if (!EVP_CipherInit_ex (&ctx, nullptr, nullptr, nullptr, iv, -1))
{
openssl_clear_error_stack();
throw openssl_cipher_error("EVP_CipherInit_ex (reset)");
}
}
bool update(unsigned char *out, const size_t max_out_size,
const unsigned char *in, const size_t in_size,
size_t& out_acc)
{
check_initialized();
int outlen;
if (EVP_CipherUpdate (&ctx, out, &outlen, in, int(in_size)))
{
out_acc += outlen;
return true;
}
else
{
openssl_clear_error_stack();
return false;
}
}
bool final(unsigned char *out, const size_t max_out_size, size_t& out_acc)
{
check_initialized();
int outlen;
if (EVP_CipherFinal_ex (&ctx, out, &outlen))
{
out_acc += outlen;
return true;
}
else
{
openssl_clear_error_stack();
return false;
}
}
bool is_initialized() const { return initialized; }
size_t iv_length() const
{
check_initialized();
return EVP_CIPHER_CTX_iv_length (&ctx);
}
size_t block_size() const
{
check_initialized();
return EVP_CIPHER_CTX_block_size (&ctx);
}
// return cipher mode (such as CIPH_CBC_MODE, etc.)
int cipher_mode() const
{
check_initialized();
return EVP_CIPHER_CTX_mode (&ctx);
}
private:
static const EVP_CIPHER *cipher_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::AES_128_CBC:
return EVP_aes_128_cbc();
case CryptoAlgs::AES_192_CBC:
return EVP_aes_192_cbc();
case CryptoAlgs::AES_256_CBC:
return EVP_aes_256_cbc();
case CryptoAlgs::AES_256_CTR:
return EVP_aes_256_ctr();
case CryptoAlgs::DES_CBC:
return EVP_des_cbc();
case CryptoAlgs::DES_EDE3_CBC:
return EVP_des_ede3_cbc();
case CryptoAlgs::BF_CBC:
return EVP_bf_cbc();
default:
OPENVPN_THROW(openssl_cipher_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
EVP_CIPHER_CTX_cleanup(&ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_cipher_uninitialized();
#endif
}
bool initialized;
EVP_CIPHER_CTX ctx;
};
}
}
#endif
openvpn/openssl/crypto/ciphergcm.hpp
+242
View File
@@ -0,0 +1,242 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL GCM API.
#ifndef OPENVPN_OPENSSL_CRYPTO_CIPHERGCM_H
#define OPENVPN_OPENSSL_CRYPTO_CIPHERGCM_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/likely.hpp>
#include <openvpn/crypto/static_key.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class CipherContextGCM
{
CipherContextGCM(const CipherContextGCM&) = delete;
CipherContextGCM& operator=(const CipherContextGCM&) = delete;
public:
OPENVPN_EXCEPTION(openssl_gcm_error);
// mode parameter for constructor
enum {
MODE_UNDEF = -1,
ENCRYPT = 1,
DECRYPT = 0
};
// OpenSSL cipher constants
enum {
IV_LEN = 12,
AUTH_TAG_LEN = 16,
SUPPORTS_IN_PLACE_ENCRYPT = 0,
};
CipherContextGCM()
: initialized(false)
{
}
~CipherContextGCM() { erase() ; }
void init(const CryptoAlgs::Type alg,
const unsigned char *key,
const unsigned int keysize,
const int mode)
{
erase();
unsigned int ckeysz = 0;
const EVP_CIPHER *ciph = cipher_type(alg, ckeysz);
if (ckeysz > keysize)
throw openssl_gcm_error("insufficient key material");
EVP_CIPHER_CTX_init(&ctx);
switch (mode)
{
case ENCRYPT:
if (!EVP_EncryptInit_ex(&ctx, ciph, nullptr, key, nullptr))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptInit_ex (init)");
}
break;
case DECRYPT:
if (!EVP_DecryptInit_ex(&ctx, ciph, nullptr, key, nullptr))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptInit_ex (init)");
}
break;
default:
throw openssl_gcm_error("bad mode");
}
if (EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, IV_LEN, nullptr) != 1)
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl set IV len");
}
initialized = true;
}
void encrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
int len;
int ciphertext_len;
check_initialized();
if (!EVP_EncryptInit_ex(&ctx, nullptr, nullptr, nullptr, iv))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptInit_ex (reset)");
}
if (!EVP_EncryptUpdate(&ctx, nullptr, &len, ad, int(ad_len)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptUpdate AD");
}
if (!EVP_EncryptUpdate(&ctx, output, &len, input, int(length)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptUpdate data");
}
ciphertext_len = len;
if (!EVP_EncryptFinal_ex(&ctx, output+len, &len))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_EncryptFinal_ex");
}
ciphertext_len += len;
if (ciphertext_len != length)
{
throw openssl_gcm_error("encrypt size inconsistency");
}
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, AUTH_TAG_LEN, tag))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl get tag");
}
}
bool decrypt(const unsigned char *input,
unsigned char *output,
size_t length,
const unsigned char *iv,
unsigned char *tag,
const unsigned char *ad,
size_t ad_len)
{
int len;
int plaintext_len;
check_initialized();
if (!EVP_DecryptInit_ex(&ctx, nullptr, nullptr, nullptr, iv))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptInit_ex (reset)");
}
if (!EVP_DecryptUpdate(&ctx, nullptr, &len, ad, int(ad_len)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptUpdate AD");
}
if (!EVP_DecryptUpdate(&ctx, output, &len, input, int(length)))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_DecryptUpdate data");
}
plaintext_len = len;
if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, AUTH_TAG_LEN, tag))
{
openssl_clear_error_stack();
throw openssl_gcm_error("EVP_CIPHER_CTX_ctrl set tag");
}
if (!EVP_DecryptFinal_ex(&ctx, output+len, &len))
{
openssl_clear_error_stack();
return false;
}
plaintext_len += len;
if (plaintext_len != length)
{
throw openssl_gcm_error("decrypt size inconsistency");
}
return true;
}
bool is_initialized() const { return initialized; }
private:
static const EVP_CIPHER *cipher_type(const CryptoAlgs::Type alg,
unsigned int& keysize)
{
switch (alg)
{
case CryptoAlgs::AES_128_GCM:
keysize = 16;
return EVP_aes_128_gcm();
case CryptoAlgs::AES_192_GCM:
keysize = 24;
return EVP_aes_192_gcm();
case CryptoAlgs::AES_256_GCM:
keysize = 32;
return EVP_aes_256_gcm();
default:
OPENVPN_THROW(openssl_gcm_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
EVP_CIPHER_CTX_cleanup(&ctx);
initialized = false;
}
}
void check_initialized() const
{
if (unlikely(!initialized))
throw openssl_gcm_error("uninitialized");
}
bool initialized;
EVP_CIPHER_CTX ctx;
};
}
}
#endif
openvpn/openssl/crypto/digest.hpp
+162
View File
@@ -0,0 +1,162 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL digest API defined in <openssl/evp.h>
// so that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_DIGEST_H
#define OPENVPN_OPENSSL_CRYPTO_DIGEST_H
#include <string>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/md4.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include <openssl/hmac.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/crypto/cryptoalgs.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class HMACContext;
class DigestContext
{
DigestContext(const DigestContext&) = delete;
DigestContext& operator=(const DigestContext&) = delete;
public:
friend class HMACContext;
OPENVPN_SIMPLE_EXCEPTION(openssl_digest_uninitialized);
OPENVPN_EXCEPTION(openssl_digest_error);
enum {
MAX_DIGEST_SIZE = EVP_MAX_MD_SIZE
};
DigestContext()
: initialized(false)
{
}
DigestContext(const CryptoAlgs::Type alg)
: initialized(false)
{
init(alg);
}
~DigestContext() { erase() ; }
void init(const CryptoAlgs::Type alg)
{
erase();
if (!EVP_DigestInit(&ctx, digest_type(alg)))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestInit");
}
initialized = true;
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
if (!EVP_DigestUpdate(&ctx, in, int(size)))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestUpdate");
}
}
size_t final(unsigned char *out)
{
check_initialized();
unsigned int outlen;
if (!EVP_DigestFinal(&ctx, out, &outlen))
{
openssl_clear_error_stack();
throw openssl_digest_error("EVP_DigestFinal");
}
return outlen;
}
size_t size() const
{
check_initialized();
return EVP_MD_CTX_size(&ctx);
}
bool is_initialized() const { return initialized; }
private:
static const EVP_MD *digest_type(const CryptoAlgs::Type alg)
{
switch (alg)
{
case CryptoAlgs::MD4:
return EVP_md4();
case CryptoAlgs::MD5:
return EVP_md5();
case CryptoAlgs::SHA1:
return EVP_sha1();
case CryptoAlgs::SHA224:
return EVP_sha224();
case CryptoAlgs::SHA256:
return EVP_sha256();
case CryptoAlgs::SHA384:
return EVP_sha384();
case CryptoAlgs::SHA512:
return EVP_sha512();
default:
OPENVPN_THROW(openssl_digest_error, CryptoAlgs::name(alg) << ": not usable");
}
}
void erase()
{
if (initialized)
{
EVP_MD_CTX_cleanup(&ctx);
initialized = false;
}
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_digest_uninitialized();
#endif
}
bool initialized;
EVP_MD_CTX ctx;
};
}
}
#endif
openvpn/openssl/crypto/hmac.hpp
+159
View File
@@ -0,0 +1,159 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL HMAC API defined in <openssl/hmac.h> so
// that it can be used as part of the crypto layer of the OpenVPN core.
#ifndef OPENVPN_OPENSSL_CRYPTO_HMAC_H
#define OPENVPN_OPENSSL_CRYPTO_HMAC_H
#include <string>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/crypto/digest.hpp>
namespace openvpn {
namespace OpenSSLCrypto {
class HMACContext
{
HMACContext(const HMACContext&) = delete;
HMACContext& operator=(const HMACContext&) = delete;
public:
OPENVPN_SIMPLE_EXCEPTION(openssl_hmac_uninitialized);
OPENVPN_EXCEPTION(openssl_hmac_error);
enum {
MAX_HMAC_SIZE = EVP_MAX_MD_SIZE
};
HMACContext()
: initialized(false)
{
}
HMACContext(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
: initialized(false)
{
init(digest, key, key_size);
}
~HMACContext() { erase() ; }
void init(const CryptoAlgs::Type digest, const unsigned char *key, const size_t key_size)
{
erase();
HMAC_CTX_init (&ctx);
#if SSLEAY_VERSION_NUMBER >= 0x10000000L
if (!HMAC_Init_ex (&ctx, key, int(key_size), DigestContext::digest_type(digest), nullptr))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Init_ex (init)");
}
#else
HMAC_Init_ex (&ctx, key, int(key_size), DigestContext::digest_type(digest), nullptr);
#endif
initialized = true;
}
void reset()
{
check_initialized();
#if SSLEAY_VERSION_NUMBER >= 0x10000000L
if (!HMAC_Init_ex (&ctx, nullptr, 0, nullptr, nullptr))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Init_ex (reset)");
}
#else
HMAC_Init_ex (&ctx, nullptr, 0, nullptr, nullptr);
#endif
}
void update(const unsigned char *in, const size_t size)
{
check_initialized();
#if SSLEAY_VERSION_NUMBER >= 0x10000000L
if (!HMAC_Update(&ctx, in, int(size)))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Update");
}
#else
HMAC_Update(&ctx, in, int(size));
#endif
}
size_t final(unsigned char *out)
{
check_initialized();
unsigned int outlen;
#if SSLEAY_VERSION_NUMBER >= 0x10000000L
if (!HMAC_Final(&ctx, out, &outlen))
{
openssl_clear_error_stack();
throw openssl_hmac_error("HMAC_Final");
}
#else
HMAC_Final(&ctx, out, &outlen);
#endif
return outlen;
}
size_t size() const
{
check_initialized();
return size_();
}
bool is_initialized() const { return initialized; }
private:
void erase()
{
if (initialized)
{
HMAC_CTX_cleanup(&ctx);
initialized = false;
}
}
size_t size_() const
{
return HMAC_size(&ctx);
}
void check_initialized() const
{
#ifdef OPENVPN_ENABLE_ASSERT
if (!initialized)
throw openssl_hmac_uninitialized();
#endif
}
bool initialized;
HMAC_CTX ctx;
};
}
}
#endif
openvpn/openssl/pki/crl.hpp
+160
View File
@@ -0,0 +1,160 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509_CRL object
#ifndef OPENVPN_OPENSSL_PKI_CRL_H
#define OPENVPN_OPENSSL_PKI_CRL_H
#include <string>
#include <vector>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class CRL : public RC<thread_unsafe_refcount>
{
public:
CRL() : crl_(nullptr) {}
explicit CRL(const std::string& crl_txt)
: crl_(nullptr)
{
parse_pem(crl_txt);
}
CRL(const CRL& other)
: crl_(nullptr)
{
assign(other.crl_);
}
void operator=(const CRL& other)
{
assign(other.crl_);
}
bool defined() const { return crl_ != nullptr; }
X509_CRL* obj() const { return crl_; }
void parse_pem(const std::string& crl_txt)
{
BIO *bio = BIO_new_mem_buf(const_cast<char *>(crl_txt.c_str()), crl_txt.length());
if (!bio)
throw OpenSSLException();
X509_CRL *crl = PEM_read_bio_X509_CRL(bio, nullptr, nullptr, nullptr);
BIO_free(bio);
if (!crl)
throw OpenSSLException("CRL::parse_pem");
erase();
crl_ = crl;
}
std::string render_pem() const
{
if (crl_)
{
BIO *bio = BIO_new(BIO_s_mem());
const int ret = PEM_write_bio_X509_CRL(bio, crl_);
if (ret == 0)
{
BIO_free(bio);
throw OpenSSLException("CRL::render_pem");
}
{
char *temp;
const int buf_len = BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
BIO_free(bio);
return ret;
}
}
else
return "";
}
void erase()
{
if (crl_)
{
X509_CRL_free(crl_);
crl_ = nullptr;
}
}
~CRL()
{
erase();
}
private:
static X509_CRL *dup(const X509_CRL *crl)
{
if (crl)
{
return X509_CRL_dup(const_cast<X509_CRL *>(crl));
}
else
return nullptr;
}
void assign(const X509_CRL *crl)
{
erase();
crl_ = dup(crl);
}
X509_CRL *crl_;
};
typedef RCPtr<CRL> CRLPtr;
class CRLList : public std::vector<CRLPtr>
{
public:
typedef CRL Item;
typedef CRLPtr ItemPtr;
bool defined() const { return !empty(); }
std::string render_pem() const
{
std::string ret;
for (const_iterator i = begin(); i != end(); ++i)
ret += (*i)->render_pem();
return ret;
}
};
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_PKI_CRL_H
openvpn/openssl/pki/dh.hpp
+148
View File
@@ -0,0 +1,148 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL DH object
#ifndef OPENVPN_OPENSSL_PKI_DH_H
#define OPENVPN_OPENSSL_PKI_DH_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
// workaround for bug in DHparams_dup macro on OpenSSL 0.9.8 and lower
#if SSLEAY_VERSION_NUMBER <= 0x00908000L
#undef CHECKED_PTR_OF
#define CHECKED_PTR_OF(type, p) ((char*) (1 ? p : (type*)0))
#endif
namespace openvpn {
namespace OpenSSLPKI {
namespace DH_private {
// defined outside of DH class to avoid symbol collision in way
// that DHparams_dup macro is defined
inline ::DH *dup(const ::DH *dh)
{
if (dh)
return DHparams_dup(const_cast< ::DH * >(dh));
else
return nullptr;
}
}
class DH
{
public:
DH() : dh_(nullptr) {}
explicit DH(const std::string& dh_txt)
: dh_(nullptr)
{
parse_pem(dh_txt);
}
DH(const DH& other)
: dh_(nullptr)
{
assign(other.dh_);
}
void operator=(const DH& other)
{
assign(other.dh_);
}
bool defined() const { return dh_ != nullptr; }
::DH* obj() const { return dh_; }
void parse_pem(const std::string& dh_txt)
{
BIO *bio = BIO_new_mem_buf(const_cast<char *>(dh_txt.c_str()), dh_txt.length());
if (!bio)
throw OpenSSLException();
::DH *dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
BIO_free(bio);
if (!dh)
throw OpenSSLException("DH::parse_pem");
erase();
dh_ = dh;
}
std::string render_pem() const
{
if (dh_)
{
BIO *bio = BIO_new(BIO_s_mem());
const int ret = PEM_write_bio_DHparams(bio, dh_);
if (ret == 0)
{
BIO_free(bio);
throw OpenSSLException("DH::render_pem");
}
{
char *temp;
const int buf_len = BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
BIO_free(bio);
return ret;
}
}
else
return "";
}
void erase()
{
if (dh_)
{
DH_free(dh_);
dh_ = nullptr;
}
}
~DH()
{
erase();
}
private:
void assign(const ::DH *dh)
{
erase();
dh_ = DH_private::dup(dh);
}
::DH *dh_;
};
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_PKI_DH_H
openvpn/openssl/pki/pkey.hpp
+197
View File
@@ -0,0 +1,197 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL EVP_PKEY object
#ifndef OPENVPN_OPENSSL_PKI_PKEY_H
#define OPENVPN_OPENSSL_PKI_PKEY_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class PKey
{
public:
PKey() : pkey_(nullptr) {}
PKey(const std::string& pkey_txt, const std::string& title)
: pkey_(nullptr)
{
parse_pem(pkey_txt, title);
}
PKey(const PKey& other)
: pkey_(nullptr)
{
assign(other.pkey_);
}
void operator=(const PKey& other)
{
assign(other.pkey_);
priv_key_pwd = other.priv_key_pwd;
}
bool defined() const { return pkey_ != nullptr; }
EVP_PKEY* obj() const { return pkey_; }
SSLConfigAPI::PKType key_type() const
{
switch (EVP_PKEY_id(pkey_))
{
case EVP_PKEY_RSA:
case EVP_PKEY_RSA2:
return SSLConfigAPI::PK_RSA;
case EVP_PKEY_EC:
return SSLConfigAPI::PK_EC;
case EVP_PKEY_DSA:
case EVP_PKEY_DSA1:
case EVP_PKEY_DSA2:
case EVP_PKEY_DSA3:
case EVP_PKEY_DSA4:
return SSLConfigAPI::PK_DSA;
case EVP_PKEY_NONE:
return SSLConfigAPI::PK_NONE;
default:
return SSLConfigAPI::PK_UNKNOWN;
}
}
size_t key_length() const
{
int ret = i2d_PrivateKey(pkey_, NULL);
if (ret < 0)
return 0;
/* convert to bits */
return ret * 8;
}
void set_private_key_password(const std::string& pwd)
{
priv_key_pwd = pwd;
}
void parse_pem(const std::string& pkey_txt, const std::string& title)
{
BIO *bio = BIO_new_mem_buf(const_cast<char *>(pkey_txt.c_str()), pkey_txt.length());
if (!bio)
throw OpenSSLException();
EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, nullptr, pem_password_callback, this);
BIO_free(bio);
if (!pkey)
throw OpenSSLException(std::string("PKey::parse_pem: error in ") + title + std::string(":"));
erase();
pkey_ = pkey;
}
std::string render_pem() const
{
if (pkey_)
{
BIO *bio = BIO_new(BIO_s_mem());
const int ret = PEM_write_bio_PrivateKey(bio, pkey_, nullptr, nullptr, 0, nullptr, nullptr);
if (ret == 0)
{
BIO_free(bio);
throw OpenSSLException("PKey::render_pem");
}
{
char *temp;
const int buf_len = BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
BIO_free(bio);
return ret;
}
}
else
return "";
}
void erase()
{
if (pkey_)
{
EVP_PKEY_free(pkey_);
pkey_ = nullptr;
}
}
~PKey()
{
erase();
}
private:
static int pem_password_callback (char *buf, int size, int rwflag, void *userdata)
{
// get this
const PKey* self = (PKey*) userdata;
if (buf)
{
string::strncpynt(buf, self->priv_key_pwd.c_str(), size);
return std::strlen(buf);
}
return 0;
}
static EVP_PKEY *dup(const EVP_PKEY *pkey)
{
// No OpenSSL EVP_PKEY_dup method so we roll our own
if (pkey)
{
EVP_PKEY* pDupKey = EVP_PKEY_new();
RSA* pRSA = EVP_PKEY_get1_RSA(const_cast<EVP_PKEY *>(pkey));
RSA* pRSADupKey = RSAPrivateKey_dup(pRSA);
RSA_free(pRSA);
EVP_PKEY_set1_RSA(pDupKey, pRSADupKey);
RSA_free(pRSADupKey);
return pDupKey;
}
else
return nullptr;
}
void assign(const EVP_PKEY *pkey)
{
erase();
pkey_ = dup(pkey);
}
std::string priv_key_pwd;
EVP_PKEY *pkey_;
};
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_PKI_PKEY_H
openvpn/openssl/pki/x509.hpp
+168
View File
@@ -0,0 +1,168 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509 object
#ifndef OPENVPN_OPENSSL_PKI_X509_H
#define OPENVPN_OPENSSL_PKI_X509_H
#include <string>
#include <vector>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class X509;
class X509Base
{
public:
X509Base() : x509_(nullptr) {}
explicit X509Base(::X509 *x509) : x509_(x509) {}
bool defined() const { return x509_ != nullptr; }
::X509* obj() const { return x509_; }
::X509* obj_dup() const { return dup(x509_); }
std::string render_pem() const
{
if (x509_)
{
BIO *bio = BIO_new(BIO_s_mem());
const int ret = PEM_write_bio_X509(bio, x509_);
if (ret == 0)
{
BIO_free(bio);
throw OpenSSLException("X509::render_pem");
}
{
char *temp;
const int buf_len = BIO_get_mem_data(bio, &temp);
std::string ret = std::string(temp, buf_len);
BIO_free(bio);
return ret;
}
}
else
return "";
}
private:
static ::X509 *dup(const ::X509 *x509)
{
if (x509)
return X509_dup(const_cast< ::X509 * >(x509));
else
return nullptr;
}
friend class X509;
::X509 *x509_;
};
class X509 : public X509Base, public RC<thread_unsafe_refcount>
{
public:
X509() {}
X509(const std::string& cert_txt, const std::string& title)
{
parse_pem(cert_txt, title);
}
X509(const X509& other)
{
assign(other.x509_);
}
void operator=(const X509& other)
{
assign(other.x509_);
}
void parse_pem(const std::string& cert_txt, const std::string& title)
{
BIO *bio = BIO_new_mem_buf(const_cast<char *>(cert_txt.c_str()), cert_txt.length());
if (!bio)
throw OpenSSLException();
::X509 *cert = PEM_read_bio_X509(bio, nullptr, nullptr, nullptr);
BIO_free(bio);
if (!cert)
throw OpenSSLException(std::string("X509::parse_pem: error in ") + title + std::string(":"));
erase();
x509_ = cert;
}
void erase()
{
if (x509_)
{
X509_free(x509_);
x509_ = nullptr;
}
}
~X509()
{
erase();
}
private:
void assign(const ::X509 *x509)
{
erase();
x509_ = dup(x509);
}
};
typedef RCPtr<X509> X509Ptr;
class X509List : public std::vector<X509Ptr>
{
public:
typedef X509 Item;
typedef X509Ptr ItemPtr;
bool defined() const { return !empty(); }
std::string render_pem() const
{
std::string ret;
for (const_iterator i = begin(); i != end(); ++i)
ret += (*i)->render_pem();
return ret;
}
};
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_PKI_X509_H
openvpn/openssl/pki/x509store.hpp
+104
View File
@@ -0,0 +1,104 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap an OpenSSL X509Store object
#ifndef OPENVPN_OPENSSL_PKI_X509STORE_H
#define OPENVPN_OPENSSL_PKI_X509STORE_H
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/rc.hpp>
#include <openvpn/pki/cclist.hpp>
#include <openvpn/openssl/util/error.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/pki/crl.hpp>
namespace openvpn {
namespace OpenSSLPKI {
class X509Store : public RC<thread_unsafe_refcount>
{
public:
OPENVPN_SIMPLE_EXCEPTION(x509_store_init_error);
OPENVPN_SIMPLE_EXCEPTION(x509_store_add_cert_error);
OPENVPN_SIMPLE_EXCEPTION(x509_store_add_crl_error);
typedef CertCRLListTemplate<X509List, CRLList> CertCRLList;
X509Store() : x509_store_(nullptr) {}
explicit X509Store(const CertCRLList& cc)
{
init();
// Load cert list
{
for (X509List::const_iterator i = cc.certs.begin(); i != cc.certs.end(); ++i)
{
if (!X509_STORE_add_cert(x509_store_, (*i)->obj()))
throw x509_store_add_cert_error();
}
}
// Load CRL list
{
if (cc.crls.defined())
{
X509_STORE_set_flags(x509_store_, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
for (CRLList::const_iterator i = cc.crls.begin(); i != cc.crls.end(); ++i)
{
if (!X509_STORE_add_crl(x509_store_, (*i)->obj()))
throw x509_store_add_crl_error();
}
}
}
}
X509_STORE* obj() const { return x509_store_; }
X509_STORE* move()
{
X509_STORE* ret = x509_store_;
x509_store_ = nullptr;
return ret;
}
~X509Store()
{
if (x509_store_)
X509_STORE_free(x509_store_);
}
private:
void init()
{
x509_store_ = X509_STORE_new();
if (!x509_store_)
throw x509_store_init_error();
}
X509_STORE* x509_store_;
};
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_PKI_X509STORE_H
openvpn/openssl/sign/pkcs7verify.hpp
+87
View File
@@ -0,0 +1,87 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Verify a PKCS7 signature
#ifndef OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
#define OPENVPN_OPENSSL_SIGN_PKCS7VERIFY_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openssl/pkcs7.h>
#include <openvpn/common/cleanup.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLSign {
/*
* Verify PKCS7 signature.
* On success, return.
* On fail, throw exception.
*/
inline void verify_pkcs7(const OpenSSLPKI::X509Base& cert,
const std::string& sig,
const std::string& data)
{
STACK_OF(X509) *x509_stack = nullptr;
BIO *in = nullptr;
PKCS7 *p7 = nullptr;
auto clean = Cleanup([&]() {
if (x509_stack)
sk_X509_free(x509_stack);
if (in)
BIO_free(in);
if (p7)
PKCS7_free(p7);
});
/* create x509_stack from cert */
x509_stack = sk_X509_new_null();
sk_X509_push(x509_stack, cert.obj());
/* get signature */
in = BIO_new_mem_buf(sig.c_str(), sig.length());
p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
if (!p7)
throw OpenSSLException("OpenSSLSign::verify_pkcs7: failed to parse pkcs7 signature");
BIO_free(in);
in = nullptr;
/* get data */
in = BIO_new_mem_buf(data.c_str(), data.length());
/* OpenSSL 1.0.2e and higher no longer allows calling PKCS7_verify
with both data and content. Empty out the content. */
p7->d.sign->contents->d.ptr = 0;
/* do the verify */
if (PKCS7_verify(p7, x509_stack, NULL, in, NULL, PKCS7_NOVERIFY) != 1)
throw OpenSSLException("OpenSSLSign::verify_pkcs7: verification failed");
}
}
}
#endif
openvpn/openssl/sign/verify.hpp
+91
View File
@@ -0,0 +1,91 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Verify a signature using OpenSSL EVP interface
#ifndef OPENVPN_OPENSSL_SIGN_VERIFY_H
#define OPENVPN_OPENSSL_SIGN_VERIFY_H
#include <string>
#include <openssl/ssl.h>
#include <openssl/bio.h>
#include <openvpn/common/cleanup.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/openssl/pki/x509.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
namespace OpenSSLSign {
/*
* Verify signature.
* On success, return.
* On fail, throw exception.
*/
inline void verify(const OpenSSLPKI::X509Base& cert,
const std::string& sig,
const std::string& data,
const std::string& digest)
{
const EVP_MD *dig;
EVP_MD_CTX md_ctx;
bool md_ctx_initialized = false;
EVP_PKEY *pkey = nullptr;
auto clean = Cleanup([&]() {
if (pkey)
EVP_PKEY_free(pkey);
if (md_ctx_initialized)
EVP_MD_CTX_cleanup(&md_ctx);
});
// get digest
dig = EVP_get_digestbyname(digest.c_str());
if (!dig)
throw Exception("OpenSSLSign::verify: unknown digest: " + digest);
// get public key
pkey = X509_get_pubkey(cert.obj());
if (!pkey)
throw Exception("OpenSSLSign::verify: no public key");
// convert signature from base64 to binary
BufferAllocated binsig(1024, 0);
try {
base64->decode(binsig, sig);
}
catch (const std::exception& e)
{
throw Exception(std::string("OpenSSLSign::verify: base64 decode error on signature: ") + e.what());
}
// verify signature
EVP_VerifyInit (&md_ctx, dig);
md_ctx_initialized = 1;
EVP_VerifyUpdate(&md_ctx, data.c_str(), data.length());
if (EVP_VerifyFinal(&md_ctx, binsig.c_data(), binsig.length(), pkey) != 1)
throw OpenSSLException("OpenSSLSign::verify: verification failed");
}
}
}
#endif
openvpn/openssl/ssl/sslctx.hpp
+1542
View File
File diff suppressed because it is too large Load Diff
openvpn/openssl/util/engine.hpp
+61
View File
@@ -0,0 +1,61 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Method to set up a particular OpenSSL engine type
#ifndef OPENVPN_OPENSSL_UTIL_ENGINE_H
#define OPENVPN_OPENSSL_UTIL_ENGINE_H
#include <string>
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif
#include <openvpn/common/exception.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
OPENVPN_EXCEPTION(openssl_engine_error);
inline void openssl_setup_engine (const std::string& engine)
{
#ifndef OPENSSL_NO_ENGINE
ENGINE_load_builtin_engines ();
if (engine == "auto")
{
ENGINE_register_all_complete ();
return;
}
ENGINE *e = ENGINE_by_id (engine.c_str());
if (!e)
throw openssl_engine_error();
if (!ENGINE_set_default (e, ENGINE_METHOD_ALL))
throw openssl_engine_error();
#endif
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_UTIL_ENGINE_H
openvpn/openssl/util/error.hpp
+200
View File
@@ -0,0 +1,200 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// OpenSSL exception class that allows a full OpenSSL error stack
// to be represented.
#ifndef OPENVPN_OPENSSL_UTIL_ERROR_H
#define OPENVPN_OPENSSL_UTIL_ERROR_H
#include <string>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openvpn/common/exception.hpp>
#include <openvpn/error/error.hpp>
#include <openvpn/error/excode.hpp>
namespace openvpn {
// string exception class
class OpenSSLException : public ExceptionCode
{
public:
OPENVPN_EXCEPTION(ssl_exception_index);
enum {
MAX_ERRORS = 8
};
OpenSSLException()
{
ssl_err = -1;
init_error("OpenSSL");
}
explicit OpenSSLException(const std::string& error_text)
{
ssl_err = -1;
init_error(error_text.c_str());
}
explicit OpenSSLException(const int ssl_error)
{
init_ssl_error(ssl_error, "OpenSSL");
}
explicit OpenSSLException(const std::string& error_text, const int ssl_error)
{
init_ssl_error(ssl_error, error_text.c_str());
}
virtual const char* what() const throw() { return errtxt.c_str(); }
std::string what_str() const { return errtxt; }
size_t len() const { return n_err; }
unsigned long operator[](const size_t i) const
{
if (i < n_err)
return errstack[i];
else
throw ssl_exception_index();
}
int ssl_error() const { return ssl_err; }
virtual ~OpenSSLException() throw() {}
static const char *ssl_error_text(const int ssl_error, bool *unknown = nullptr)
{
switch (ssl_error)
{
case SSL_ERROR_NONE:
return "SSL_ERROR_NONE";
case SSL_ERROR_ZERO_RETURN:
return "SSL_ERROR_ZERO_RETURN";
case SSL_ERROR_WANT_READ:
return "SSL_ERROR_WANT_READ";
case SSL_ERROR_WANT_WRITE:
return "SSL_ERROR_WANT_WRITE";
case SSL_ERROR_WANT_CONNECT:
return "SSL_ERROR_WANT_CONNECT";
case SSL_ERROR_WANT_ACCEPT:
return "SSL_ERROR_WANT_ACCEPT";
case SSL_ERROR_WANT_X509_LOOKUP:
return "SSL_ERROR_WANT_X509_LOOKUP";
case SSL_ERROR_SYSCALL:
return "SSL_ERROR_SYSCALL";
case SSL_ERROR_SSL:
return "SSL_ERROR_SSL";
default:
if (unknown)
*unknown = true;
return "(unknown SSL error)";
}
}
private:
void init_error(const char *error_text)
{
const char *prefix = ": ";
std::ostringstream tmp;
char buf[256];
tmp << error_text;
n_err = 0;
while (unsigned long err = ERR_get_error())
{
if (n_err < MAX_ERRORS)
errstack[n_err++] = err;
ERR_error_string_n(err, buf, sizeof(buf));
tmp << prefix << buf;
prefix = " / ";
// for certain OpenSSL errors, translate them to an OpenVPN error code,
// so they can be propagated up to the higher levels (such as UI level)
switch (ERR_GET_REASON(err))
{
case SSL_R_CERTIFICATE_VERIFY_FAILED:
set_code(Error::CERT_VERIFY_FAIL, true);
break;
case PEM_R_BAD_PASSWORD_READ:
case PEM_R_BAD_DECRYPT:
set_code(Error::PEM_PASSWORD_FAIL, true);
break;
case SSL_R_UNSUPPORTED_PROTOCOL:
set_code(Error::TLS_VERSION_MIN, true);
break;
}
}
errtxt = tmp.str();
}
void init_ssl_error(const int ssl_error, const char *error_text)
{
bool unknown = false;
ssl_err = ssl_error;
const char *text = ssl_error_text(ssl_error, &unknown);
if (unknown || ssl_error == SSL_ERROR_SYSCALL || ssl_error == SSL_ERROR_SSL)
{
init_error(error_text);
errtxt += " (";
errtxt += text;
errtxt += ")";
}
else
{
errtxt = error_text;
errtxt += ": ";
errtxt += text;
}
}
size_t n_err;
unsigned long errstack[MAX_ERRORS];
std::string errtxt;
int ssl_err;
};
// return an OpenSSL error string
inline std::string openssl_error()
{
OpenSSLException err;
return err.what_str();
}
inline std::string openssl_error(const int ssl_error)
{
OpenSSLException err(ssl_error);
return err.what_str();
}
inline void openssl_clear_error_stack()
{
while (ERR_get_error())
;
}
} // namespace openvpn
#endif // OPENVPN_OPENSSL_UTIL_ERROR_H
openvpn/openssl/util/init.hpp
+40
View File
@@ -0,0 +1,40 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_OPENSSL_UTIL_INIT_H
#define OPENVPN_OPENSSL_UTIL_INIT_H
#ifdef USE_ASIO
#include <asio/ssl/detail/openssl_init.hpp>
#endif
namespace openvpn {
#ifdef USE_ASIO
// Instantiate this object to ensure openssl is initialised.
typedef openvpn_io::ssl::detail::openssl_init<> openssl_init;
#else
#error no OpenSSL init code
#endif
} // namespace openvpn
#endif // OPENVPN_OPENSSL_UTIL_INIT_H
openvpn/openssl/util/rand.hpp
+78
View File
@@ -0,0 +1,78 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// Wrap the OpenSSL Cryptographic Random API defined in <openssl/rand.h>
// so that it can be used as the primary source of cryptographic entropy by
// the OpenVPN core.
#ifndef OPENVPN_OPENSSL_UTIL_RAND_H
#define OPENVPN_OPENSSL_UTIL_RAND_H
#include <openssl/rand.h>
#include <openvpn/random/randapi.hpp>
namespace openvpn {
class OpenSSLRandom : public RandomAPI
{
public:
OPENVPN_EXCEPTION(rand_error_openssl);
typedef RCPtr<OpenSSLRandom> Ptr;
OpenSSLRandom(const bool prng)
{
}
virtual std::string name() const
{
return "OpenSSLRandom";
}
// Return true if algorithm is crypto-strength
virtual bool is_crypto() const
{
return true;
}
// Fill buffer with random bytes
virtual void rand_bytes(unsigned char *buf, size_t size)
{
if (!rndbytes(buf, size))
throw rand_error_openssl("rand_bytes");
}
// Like rand_bytes, but don't throw exception.
// Return true on successs, false on fail.
virtual bool rand_bytes_noexcept(unsigned char *buf, size_t size)
{
return rndbytes(buf, size);
}
private:
bool rndbytes(unsigned char *buf, size_t size)
{
return RAND_bytes(buf, size) == 1;
}
};
}
#endif
openvpn/openssl/util/tokenencrypt.hpp
+115
View File
@@ -0,0 +1,115 @@
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2017 OpenVPN Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
#ifndef OPENVPN_CRYPTO_TOKENENCRYPT_H
#define OPENVPN_CRYPTO_TOKENENCRYPT_H
#include <string>
#include <atomic>
#include <cstdint> // for std::uint8_t
#include <openssl/evp.h>
#include <openvpn/common/size.hpp>
#include <openvpn/common/exception.hpp>
#include <openvpn/common/base64.hpp>
#include <openvpn/buffer/buffer.hpp>
#include <openvpn/random/randapi.hpp>
#include <openvpn/openssl/util/error.hpp>
namespace openvpn {
class TokenEncrypt
{
public:
class Key
{
public:
static constexpr size_t SIZE = 16;
Key(RandomAPI& rng)
{
rng.assert_crypto();
rng.rand_bytes(data, sizeof(data));
}
private:
friend class TokenEncrypt;
std::uint8_t data[SIZE];
};
// mode parameter for constructor
enum {
ENCRYPT = 1,
DECRYPT = 0
};
TokenEncrypt(const Key& key, const int mode)
{
EVP_CIPHER_CTX_init(&ctx);
if (!EVP_CipherInit_ex(&ctx, EVP_aes_128_ecb(), nullptr, key.data, nullptr, mode))
throw OpenSSLException("TokenEncrypt: EVP_CipherInit_ex[1] failed");
EVP_CIPHER_CTX_set_padding(&ctx, 0);
}
~TokenEncrypt()
{
EVP_CIPHER_CTX_cleanup(&ctx);
}
// Do the encrypt/decrypt
void operator()(std::uint8_t* dest, const std::uint8_t* src, const size_t size)
{
// NOTE: since this algorithm uses the ECB block cipher mode,
// it should only be used to encrypt/decrypt a message which
// is exactly equal to the AES block size (16 bytes).
if (size != EVP_CIPHER_CTX_block_size(&ctx))
throw Exception("TokenEncrypt: encrypt/decrypt data must be equal to AES block size");
int outlen=0;
if (!EVP_CipherInit_ex(&ctx, nullptr, nullptr, nullptr, nullptr, -1))
throw OpenSSLException("TokenEncrypt: EVP_CipherInit_ex[2] failed");
if (!EVP_CipherUpdate(&ctx, dest, &outlen, src, size))
throw OpenSSLException("TokenEncrypt: EVP_CipherUpdate failed");
// NOTE: we skip EVP_CipherFinal_ex because we are running in ECB mode without padding
if (outlen != size)
throw Exception("TokenEncrypt: unexpected output length=" + std::to_string(outlen) + " expected=" + std::to_string(size));
}
private:
TokenEncrypt(const TokenEncrypt&) = delete;
TokenEncrypt& operator=(const TokenEncrypt&) = delete;
EVP_CIPHER_CTX ctx;
};
struct TokenEncryptDecrypt
{
TokenEncryptDecrypt(const TokenEncrypt::Key& key)
: encrypt(key, TokenEncrypt::ENCRYPT),
decrypt(key, TokenEncrypt::DECRYPT)
{
}
TokenEncrypt encrypt;
TokenEncrypt decrypt;
};
}
#endif