static bool
tls_crypt_v2_wrap_client_key(struct buffer *wkc,
const struct key2 *src_key,
const struct buffer *src_metadata,
struct key_ctx *server_key, struct gc_arena *gc)
{
cipher_ctx_t *cipher_ctx = server_key->cipher;
struct buffer work = alloc_buf_gc(TLS_CRYPT_V2_MAX_WKC_LEN
+ cipher_ctx_block_size(cipher_ctx), gc);
/* Calculate auth tag and synthetic IV */
uint8_t *tag = buf_write_alloc(&work, TLS_CRYPT_TAG_SIZE);
if (!tag)
{
msg(M_WARN, "ERROR: could not write tag");
return false;
}
uint16_t net_len = htons(sizeof(src_key->keys) + BLEN(src_metadata)
+ TLS_CRYPT_V2_TAG_SIZE + sizeof(uint16_t));
hmac_ctx_t *hmac_ctx = server_key->hmac;
hmac_ctx_reset(hmac_ctx);
hmac_ctx_update(hmac_ctx, (void *)&net_len, sizeof(net_len));
hmac_ctx_update(hmac_ctx, (void *)src_key->keys, sizeof(src_key->keys));
hmac_ctx_update(hmac_ctx, BPTR(src_metadata), BLEN(src_metadata));
hmac_ctx_final(hmac_ctx, tag);
dmsg(D_CRYPTO_DEBUG, "TLS-CRYPT WRAP TAG: %s",
format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, gc));
/* Use the 128 most significant bits of the tag as IV */
ASSERT(cipher_ctx_reset(cipher_ctx, tag));
/* Overflow check (OpenSSL requires an extra block in the dst buffer) */
if (buf_forward_capacity(&work) < (sizeof(src_key->keys)
+ BLEN(src_metadata)
+ sizeof(net_len)
+ cipher_ctx_block_size(cipher_ctx)))
{
msg(M_WARN, "ERROR: could not crypt: insufficient space in dst");
return false;
}
/* Encrypt */
int outlen = 0;
ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
(void *)src_key->keys, sizeof(src_key->keys)));
ASSERT(buf_inc_len(&work, outlen));
ASSERT(cipher_ctx_update(cipher_ctx, BEND(&work), &outlen,
BPTR(src_metadata), BLEN(src_metadata)));
ASSERT(buf_inc_len(&work, outlen));
ASSERT(cipher_ctx_final(cipher_ctx, BEND(&work), &outlen));
ASSERT(buf_inc_len(&work, outlen));
ASSERT(buf_write(&work, &net_len, sizeof(net_len)));
return buf_copy(wkc, &work);
}
int
stream_decrypt_all(buffer_t *ciphertext, cipher_t *cipher, size_t capacity)
{
size_t nonce_len = cipher->nonce_len;
int err = CRYPTO_OK;
if (ciphertext->len <= nonce_len) {
return CRYPTO_ERROR;
}
cipher_ctx_t cipher_ctx;
stream_ctx_init(cipher, &cipher_ctx, 0);
static buffer_t tmp = { 0, 0, 0, NULL };
brealloc(&tmp, ciphertext->len, capacity);
buffer_t *plaintext = &tmp;
plaintext->len = ciphertext->len - nonce_len;
uint8_t *nonce = cipher_ctx.nonce;
memcpy(nonce, ciphertext->data, nonce_len);
if (ppbloom_check((void *)nonce, nonce_len) == 1) {
LOGE("crypto: stream: repeat IV detected");
return CRYPTO_ERROR;
}
cipher_ctx_set_nonce(&cipher_ctx, nonce, nonce_len, 0);
if (cipher->method >= SALSA20) {
crypto_stream_xor_ic((uint8_t *)plaintext->data,
(const uint8_t *)(ciphertext->data + nonce_len),
(uint64_t)(ciphertext->len - nonce_len),
(const uint8_t *)nonce, 0, cipher->key, cipher->method);
} else {
err = cipher_ctx_update(&cipher_ctx, (uint8_t *)plaintext->data, &plaintext->len,
(const uint8_t *)(ciphertext->data + nonce_len),
ciphertext->len - nonce_len);
}
stream_ctx_release(&cipher_ctx);
if (err)
return CRYPTO_ERROR;
#ifdef SS_DEBUG
dump("PLAIN", plaintext->data, plaintext->len);
dump("CIPHER", ciphertext->data + nonce_len, ciphertext->len - nonce_len);
dump("NONCE", ciphertext->data, nonce_len);
#endif
ppbloom_add((void *)nonce, nonce_len);
brealloc(ciphertext, plaintext->len, capacity);
memcpy(ciphertext->data, plaintext->data, plaintext->len);
ciphertext->len = plaintext->len;
return CRYPTO_OK;
}
int
stream_encrypt_all(buffer_t *plaintext, cipher_t *cipher, size_t capacity)
{
cipher_ctx_t cipher_ctx;
stream_ctx_init(cipher, &cipher_ctx, 1);
size_t nonce_len = cipher->nonce_len;
int err = CRYPTO_OK;
static buffer_t tmp = { 0, 0, 0, NULL };
brealloc(&tmp, nonce_len + plaintext->len, capacity);
buffer_t *ciphertext = &tmp;
ciphertext->len = plaintext->len;
uint8_t *nonce = cipher_ctx.nonce;
cipher_ctx_set_nonce(&cipher_ctx, nonce, nonce_len, 1);
memcpy(ciphertext->data, nonce, nonce_len);
if (cipher->method >= SALSA20) {
crypto_stream_xor_ic((uint8_t *)(ciphertext->data + nonce_len),
(const uint8_t *)plaintext->data, (uint64_t)(plaintext->len),
(const uint8_t *)nonce,
0, cipher->key, cipher->method);
} else {
err = cipher_ctx_update(&cipher_ctx, (uint8_t *)(ciphertext->data + nonce_len),
&ciphertext->len, (const uint8_t *)plaintext->data,
plaintext->len);
}
stream_ctx_release(&cipher_ctx);
if (err)
return CRYPTO_ERROR;
#ifdef SS_DEBUG
dump("PLAIN", plaintext->data, plaintext->len);
dump("CIPHER", ciphertext->data + nonce_len, ciphertext->len);
dump("NONCE", ciphertext->data, nonce_len);
#endif
brealloc(plaintext, nonce_len + ciphertext->len, capacity);
memcpy(plaintext->data, ciphertext->data, nonce_len + ciphertext->len);
plaintext->len = nonce_len + ciphertext->len;
return CRYPTO_OK;
}
int
stream_decrypt(buffer_t *ciphertext, cipher_ctx_t *cipher_ctx, size_t capacity)
{
if (cipher_ctx == NULL)
return CRYPTO_ERROR;
cipher_t *cipher = cipher_ctx->cipher;
static buffer_t tmp = { 0, 0, 0, NULL };
int err = CRYPTO_OK;
brealloc(&tmp, ciphertext->len, capacity);
buffer_t *plaintext = &tmp;
plaintext->len = ciphertext->len;
if (!cipher_ctx->init) {
if (cipher_ctx->chunk == NULL) {
cipher_ctx->chunk = (buffer_t *)ss_malloc(sizeof(buffer_t));
memset(cipher_ctx->chunk, 0, sizeof(buffer_t));
balloc(cipher_ctx->chunk, cipher->nonce_len);
}
size_t left_len = min(cipher->nonce_len - cipher_ctx->chunk->len,
ciphertext->len);
if (left_len > 0) {
memcpy(cipher_ctx->chunk->data + cipher_ctx->chunk->len, ciphertext->data, left_len);
memmove(ciphertext->data, ciphertext->data + left_len,
ciphertext->len - left_len);
cipher_ctx->chunk->len += left_len;
ciphertext->len -= left_len;
}
if (cipher_ctx->chunk->len < cipher->nonce_len)
return CRYPTO_NEED_MORE;
uint8_t *nonce = cipher_ctx->nonce;
size_t nonce_len = cipher->nonce_len;
plaintext->len -= left_len;
memcpy(nonce, cipher_ctx->chunk->data, nonce_len);
cipher_ctx_set_nonce(cipher_ctx, nonce, nonce_len, 0);
cipher_ctx->counter = 0;
cipher_ctx->init = 1;
if (cipher->method >= RC4_MD5) {
if (ppbloom_check((void *)nonce, nonce_len) == 1) {
LOGE("crypto: stream: repeat IV detected");
return CRYPTO_ERROR;
}
}
}
if (ciphertext->len <= 0)
return CRYPTO_NEED_MORE;
if (cipher->method >= SALSA20) {
int padding = cipher_ctx->counter % SODIUM_BLOCK_SIZE;
brealloc(plaintext, (plaintext->len + padding) * 2, capacity);
if (padding) {
brealloc(ciphertext, ciphertext->len + padding, capacity);
memmove(ciphertext->data + padding, ciphertext->data,
ciphertext->len);
sodium_memzero(ciphertext->data, padding);
}
crypto_stream_xor_ic((uint8_t *)plaintext->data,
(const uint8_t *)(ciphertext->data),
(uint64_t)(ciphertext->len + padding),
(const uint8_t *)cipher_ctx->nonce,
cipher_ctx->counter / SODIUM_BLOCK_SIZE, cipher->key,
cipher->method);
cipher_ctx->counter += ciphertext->len;
if (padding) {
memmove(plaintext->data, plaintext->data + padding, plaintext->len);
}
} else {
err = cipher_ctx_update(cipher_ctx, (uint8_t *)plaintext->data, &plaintext->len,
(const uint8_t *)(ciphertext->data),
ciphertext->len);
}
if (err)
return CRYPTO_ERROR;
#ifdef SS_DEBUG
dump("PLAIN", plaintext->data, plaintext->len);
dump("CIPHER", ciphertext->data, ciphertext->len);
#endif
brealloc(ciphertext, plaintext->len, capacity);
memcpy(ciphertext->data, plaintext->data, plaintext->len);
ciphertext->len = plaintext->len;
// Add to bloom filter
if (cipher_ctx->init == 1) {
if (cipher->method >= RC4_MD5) {
ppbloom_add((void *)cipher_ctx->nonce, cipher->nonce_len);
cipher_ctx->init = 2;
}
}
return CRYPTO_OK;
}
int
stream_encrypt(buffer_t *plaintext, cipher_ctx_t *cipher_ctx, size_t capacity)
{
if (cipher_ctx == NULL)
return CRYPTO_ERROR;
cipher_t *cipher = cipher_ctx->cipher;
static buffer_t tmp = { 0, 0, 0, NULL };
int err = CRYPTO_OK;
size_t nonce_len = 0;
if (!cipher_ctx->init) {
nonce_len = cipher_ctx->cipher->nonce_len;
}
brealloc(&tmp, nonce_len + plaintext->len, capacity);
buffer_t *ciphertext = &tmp;
ciphertext->len = plaintext->len;
if (!cipher_ctx->init) {
cipher_ctx_set_nonce(cipher_ctx, cipher_ctx->nonce, nonce_len, 1);
memcpy(ciphertext->data, cipher_ctx->nonce, nonce_len);
cipher_ctx->counter = 0;
cipher_ctx->init = 1;
}
if (cipher->method >= SALSA20) {
int padding = cipher_ctx->counter % SODIUM_BLOCK_SIZE;
brealloc(ciphertext, nonce_len + (padding + ciphertext->len) * 2, capacity);
if (padding) {
brealloc(plaintext, plaintext->len + padding, capacity);
memmove(plaintext->data + padding, plaintext->data, plaintext->len);
sodium_memzero(plaintext->data, padding);
}
crypto_stream_xor_ic((uint8_t *)(ciphertext->data + nonce_len),
(const uint8_t *)plaintext->data,
(uint64_t)(plaintext->len + padding),
(const uint8_t *)cipher_ctx->nonce,
cipher_ctx->counter / SODIUM_BLOCK_SIZE, cipher->key,
cipher->method);
cipher_ctx->counter += plaintext->len;
if (padding) {
memmove(ciphertext->data + nonce_len,
ciphertext->data + nonce_len + padding, ciphertext->len);
}
} else {
err = cipher_ctx_update(cipher_ctx,
(uint8_t *)(ciphertext->data + nonce_len),
&ciphertext->len, (const uint8_t *)plaintext->data,
plaintext->len);
if (err) {
return CRYPTO_ERROR;
}
}
#ifdef SS_DEBUG
dump("PLAIN", plaintext->data, plaintext->len);
dump("CIPHER", ciphertext->data + nonce_len, ciphertext->len);
#endif
brealloc(plaintext, nonce_len + ciphertext->len, capacity);
memcpy(plaintext->data, ciphertext->data, nonce_len + ciphertext->len);
plaintext->len = nonce_len + ciphertext->len;
return CRYPTO_OK;
}
static bool
tls_crypt_v2_unwrap_client_key(struct key2 *client_key, struct buffer *metadata,
struct buffer wrapped_client_key,
struct key_ctx *server_key)
{
const char *error_prefix = __func__;
bool ret = false;
struct gc_arena gc = gc_new();
/* The crypto API requires one extra cipher block of buffer head room when
* decrypting, which nicely matches the tag size of WKc. So
* TLS_CRYPT_V2_MAX_WKC_LEN is always large enough for the plaintext. */
uint8_t plaintext_buf_data[TLS_CRYPT_V2_MAX_WKC_LEN] = { 0 };
struct buffer plaintext = { 0 };
dmsg(D_TLS_DEBUG_MED, "%s: unwrapping client key (len=%d): %s", __func__,
BLEN(&wrapped_client_key), format_hex(BPTR(&wrapped_client_key),
BLEN(&wrapped_client_key),
0, &gc));
if (TLS_CRYPT_V2_MAX_WKC_LEN < BLEN(&wrapped_client_key))
{
CRYPT_ERROR("wrapped client key too big");
}
/* Decrypt client key and metadata */
uint16_t net_len = 0;
const uint8_t *tag = BPTR(&wrapped_client_key);
if (BLEN(&wrapped_client_key) < sizeof(net_len))
{
CRYPT_ERROR("failed to read length");
}
memcpy(&net_len, BEND(&wrapped_client_key) - sizeof(net_len),
sizeof(net_len));
if (ntohs(net_len) != BLEN(&wrapped_client_key))
{
dmsg(D_TLS_DEBUG_LOW, "%s: net_len=%u, BLEN=%i", __func__,
ntohs(net_len), BLEN(&wrapped_client_key));
CRYPT_ERROR("invalid length");
}
buf_inc_len(&wrapped_client_key, -(int)sizeof(net_len));
if (!buf_advance(&wrapped_client_key, TLS_CRYPT_TAG_SIZE))
{
CRYPT_ERROR("failed to read tag");
}
if (!cipher_ctx_reset(server_key->cipher, tag))
{
CRYPT_ERROR("failed to initialize IV");
}
buf_set_write(&plaintext, plaintext_buf_data, sizeof(plaintext_buf_data));
int outlen = 0;
if (!cipher_ctx_update(server_key->cipher, BPTR(&plaintext), &outlen,
BPTR(&wrapped_client_key),
BLEN(&wrapped_client_key)))
{
CRYPT_ERROR("could not decrypt client key");
}
ASSERT(buf_inc_len(&plaintext, outlen));
if (!cipher_ctx_final(server_key->cipher, BEND(&plaintext), &outlen))
{
CRYPT_ERROR("cipher final failed");
}
ASSERT(buf_inc_len(&plaintext, outlen));
/* Check authentication */
uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
hmac_ctx_reset(server_key->hmac);
hmac_ctx_update(server_key->hmac, (void *)&net_len, sizeof(net_len));
hmac_ctx_update(server_key->hmac, BPTR(&plaintext),
BLEN(&plaintext));
hmac_ctx_final(server_key->hmac, tag_check);
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
dmsg(D_CRYPTO_DEBUG, "tag : %s",
format_hex(tag, sizeof(tag_check), 0, &gc));
dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("client key authentication error");
}
if (buf_len(&plaintext) < sizeof(client_key->keys))
{
CRYPT_ERROR("failed to read client key");
}
memcpy(&client_key->keys, BPTR(&plaintext), sizeof(client_key->keys));
ASSERT(buf_advance(&plaintext, sizeof(client_key->keys)));
if (!buf_copy(metadata, &plaintext))
{
CRYPT_ERROR("metadata too large for supplied buffer");
}
ret = true;
error_exit:
if (!ret)
{
secure_memzero(client_key, sizeof(*client_key));
}
buf_clear(&plaintext);
gc_free(&gc);
return ret;
}
bool
tls_crypt_unwrap(const struct buffer *src, struct buffer *dst,
struct crypto_options *opt)
{
static const char error_prefix[] = "tls-crypt unwrap error";
const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
struct gc_arena gc;
gc_init(&gc);
ASSERT(opt);
ASSERT(src->len > 0);
ASSERT(ctx->cipher);
ASSERT(packet_id_initialized(&opt->packet_id)
|| (opt->flags & CO_IGNORE_PACKET_ID));
dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP FROM: %s",
format_hex(BPTR(src), BLEN(src), 80, &gc));
if (buf_len(src) < TLS_CRYPT_OFF_CT)
{
CRYPT_ERROR("packet too short");
}
/* Decrypt cipher text */
{
int outlen = 0;
/* Buffer overflow check (should never fail) */
if (!buf_safe(dst, BLEN(src) - TLS_CRYPT_OFF_CT + TLS_CRYPT_BLOCK_SIZE))
{
CRYPT_ERROR("potential buffer overflow");
}
if (!cipher_ctx_reset(ctx->cipher, BPTR(src) + TLS_CRYPT_OFF_TAG))
{
CRYPT_ERROR("cipher reset failed");
}
if (!cipher_ctx_update(ctx->cipher, BPTR(dst), &outlen,
BPTR(src) + TLS_CRYPT_OFF_CT, BLEN(src) - TLS_CRYPT_OFF_CT))
{
CRYPT_ERROR("cipher update failed");
}
ASSERT(buf_inc_len(dst, outlen));
if (!cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen))
{
CRYPT_ERROR("cipher final failed");
}
ASSERT(buf_inc_len(dst, outlen));
}
/* Check authentication */
{
const uint8_t *tag = BPTR(src) + TLS_CRYPT_OFF_TAG;
uint8_t tag_check[TLS_CRYPT_TAG_SIZE] = { 0 };
dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP AD: %s",
format_hex(BPTR(src), TLS_CRYPT_OFF_TAG, 0, &gc));
dmsg(D_PACKET_CONTENT, "TLS-CRYPT UNWRAP TO: %s",
format_hex(BPTR(dst), BLEN(dst), 80, &gc));
hmac_ctx_reset(ctx->hmac);
hmac_ctx_update(ctx->hmac, BPTR(src), TLS_CRYPT_OFF_TAG);
hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
hmac_ctx_final(ctx->hmac, tag_check);
if (memcmp_constant_time(tag, tag_check, sizeof(tag_check)))
{
dmsg(D_CRYPTO_DEBUG, "tag : %s",
format_hex(tag, sizeof(tag_check), 0, &gc));
dmsg(D_CRYPTO_DEBUG, "tag_check: %s",
format_hex(tag_check, sizeof(tag_check), 0, &gc));
CRYPT_ERROR("packet authentication failed");
}
}
/* Check replay */
if (!(opt->flags & CO_IGNORE_PACKET_ID))
{
struct packet_id_net pin;
struct buffer tmp = *src;
ASSERT(buf_advance(&tmp, TLS_CRYPT_OFF_PID));
ASSERT(packet_id_read(&pin, &tmp, true));
if (!crypto_check_replay(opt, &pin, error_prefix, &gc))
{
CRYPT_ERROR("packet replay");
}
}
gc_free(&gc);
return true;
error_exit:
crypto_clear_error();
dst->len = 0;
gc_free(&gc);
return false;
}
bool
tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
struct crypto_options *opt)
{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
/* IV, packet-ID and implicit IV required for this mode. */
ASSERT(ctx->cipher);
ASSERT(ctx->hmac);
ASSERT(packet_id_initialized(&opt->packet_id));
ASSERT(hmac_ctx_size(ctx->hmac) == 256/8);
gc_init(&gc);
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP FROM: %s",
format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
if (!packet_id_write(&opt->packet_id.send, dst, true, false))
{
msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
goto err;
}
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
format_hex(BPTR(dst), BLEN(dst), 0, &gc));
/* Buffer overflow check */
if (!buf_safe(dst, BLEN(src) + TLS_CRYPT_BLOCK_SIZE + TLS_CRYPT_TAG_SIZE))
{
msg(D_CRYPT_ERRORS, "TLS-CRYPT WRAP: buffer size error, "
"sc=%d so=%d sl=%d dc=%d do=%d dl=%d", src->capacity, src->offset,
src->len, dst->capacity, dst->offset, dst->len);
goto err;
}
/* Calculate auth tag and synthetic IV */
{
uint8_t *tag = NULL;
hmac_ctx_reset(ctx->hmac);
hmac_ctx_update(ctx->hmac, BPTR(dst), BLEN(dst));
hmac_ctx_update(ctx->hmac, BPTR(src), BLEN(src));
ASSERT(tag = buf_write_alloc(dst, TLS_CRYPT_TAG_SIZE));
hmac_ctx_final(ctx->hmac, tag);
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TAG: %s",
format_hex(tag, TLS_CRYPT_TAG_SIZE, 0, &gc));
/* Use the 128 most significant bits of the tag as IV */
ASSERT(cipher_ctx_reset(ctx->cipher, tag));
}
/* Encrypt src */
{
int outlen = 0;
ASSERT(cipher_ctx_update(ctx->cipher, BEND(dst), &outlen,
BPTR(src), BLEN(src)));
ASSERT(buf_inc_len(dst, outlen));
ASSERT(cipher_ctx_final(ctx->cipher, BPTR(dst), &outlen));
ASSERT(buf_inc_len(dst, outlen));
}
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP TO: %s",
format_hex(BPTR(dst), BLEN(dst), 80, &gc));
gc_free(&gc);
return true;
err:
crypto_clear_error();
dst->len = 0;
gc_free(&gc);
return false;
}
void
openvpn_encrypt (struct buffer *buf, struct buffer work,
const struct crypto_options *opt,
const struct frame* frame)
{
struct gc_arena gc;
gc_init (&gc);
if (buf->len > 0 && opt->key_ctx_bi)
{
struct key_ctx *ctx = &opt->key_ctx_bi->encrypt;
/* Do Encrypt from buf -> work */
if (ctx->cipher)
{
uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
const int iv_size = cipher_ctx_iv_length (ctx->cipher);
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
int outlen;
if (cipher_kt_mode_cbc(cipher_kt))
{
CLEAR (iv_buf);
/* generate pseudo-random IV */
if (opt->flags & CO_USE_IV)
prng_bytes (iv_buf, iv_size);
/* Put packet ID in plaintext buffer or IV, depending on cipher mode */
if (opt->packet_id)
{
struct packet_id_net pin;
packet_id_alloc_outgoing (&opt->packet_id->send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM));
ASSERT (packet_id_write (&pin, buf, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM), true));
}
}
else if (cipher_kt_mode_ofb_cfb(cipher_kt))
{
struct packet_id_net pin;
struct buffer b;
ASSERT (opt->flags & CO_USE_IV); /* IV and packet-ID required */
ASSERT (opt->packet_id); /* for this mode. */
packet_id_alloc_outgoing (&opt->packet_id->send, &pin, true);
memset (iv_buf, 0, iv_size);
buf_set_write (&b, iv_buf, iv_size);
ASSERT (packet_id_write (&pin, &b, true, false));
}
else /* We only support CBC, CFB, or OFB modes right now */
{
ASSERT (0);
}
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
ASSERT (buf_init (&work, FRAME_HEADROOM (frame)));
/* set the IV pseudo-randomly */
if (opt->flags & CO_USE_IV)
dmsg (D_PACKET_CONTENT, "ENCRYPT IV: %s", format_hex (iv_buf, iv_size, 0, &gc));
dmsg (D_PACKET_CONTENT, "ENCRYPT FROM: %s",
format_hex (BPTR (buf), BLEN (buf), 80, &gc));
/* cipher_ctx was already initialized with key & keylen */
ASSERT (cipher_ctx_reset(ctx->cipher, iv_buf));
/* Buffer overflow check */
if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
{
msg (D_CRYPT_ERRORS, "ENCRYPT: buffer size error, bc=%d bo=%d bl=%d wc=%d wo=%d wl=%d cbs=%d",
buf->capacity,
buf->offset,
buf->len,
work.capacity,
work.offset,
work.len,
cipher_ctx_block_size (ctx->cipher));
goto err;
}
/* Encrypt packet ID, payload */
ASSERT (cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)));
ASSERT (buf_inc_len(&work, outlen));
/* Flush the encryption buffer */
ASSERT (cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
ASSERT (buf_inc_len(&work, outlen));
/* For all CBC mode ciphers, check the last block is complete */
ASSERT (cipher_kt_mode (cipher_kt) != OPENVPN_MODE_CBC ||
outlen == iv_size);
/* prepend the IV to the ciphertext */
if (opt->flags & CO_USE_IV)
{
uint8_t *output = buf_prepend (&work, iv_size);
ASSERT (output);
memcpy (output, iv_buf, iv_size);
}
dmsg (D_PACKET_CONTENT, "ENCRYPT TO: %s",
format_hex (BPTR (&work), BLEN (&work), 80, &gc));
}
else /* No Encryption */
{
if (opt->packet_id)
{
struct packet_id_net pin;
packet_id_alloc_outgoing (&opt->packet_id->send, &pin, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM));
ASSERT (packet_id_write (&pin, buf, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM), true));
}
work = *buf;
}
/* HMAC the ciphertext (or plaintext if !cipher) */
if (ctx->hmac)
{
uint8_t *output = NULL;
hmac_ctx_reset (ctx->hmac);
hmac_ctx_update (ctx->hmac, BPTR(&work), BLEN(&work));
output = buf_prepend (&work, hmac_ctx_size(ctx->hmac));
ASSERT (output);
hmac_ctx_final (ctx->hmac, output);
}
*buf = work;
}
gc_free (&gc);
return;
err:
crypto_clear_error();
buf->len = 0;
gc_free (&gc);
return;
}
/*
* If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet.
*
* Set buf->len to 0 and return false on decrypt error.
*
* On success, buf is set to point to plaintext, true
* is returned.
*/
bool
openvpn_decrypt (struct buffer *buf, struct buffer work,
const struct crypto_options *opt,
const struct frame* frame)
{
static const char error_prefix[] = "Authenticate/Decrypt packet error";
struct gc_arena gc;
gc_init (&gc);
if (buf->len > 0 && opt->key_ctx_bi)
{
struct key_ctx *ctx = &opt->key_ctx_bi->decrypt;
struct packet_id_net pin;
bool have_pin = false;
/* Verify the HMAC */
if (ctx->hmac)
{
int hmac_len;
uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */
hmac_ctx_reset(ctx->hmac);
/* Assume the length of the input HMAC */
hmac_len = hmac_ctx_size (ctx->hmac);
/* Authentication fails if insufficient data in packet for HMAC */
if (buf->len < hmac_len)
CRYPT_ERROR ("missing authentication info");
hmac_ctx_update (ctx->hmac, BPTR (buf) + hmac_len, BLEN (buf) - hmac_len);
hmac_ctx_final (ctx->hmac, local_hmac);
/* Compare locally computed HMAC with packet HMAC */
if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed");
ASSERT (buf_advance (buf, hmac_len));
}
/* Decrypt packet ID + payload */
if (ctx->cipher)
{
const int iv_size = cipher_ctx_iv_length (ctx->cipher);
const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt (ctx->cipher);
uint8_t iv_buf[OPENVPN_MAX_IV_LENGTH];
int outlen;
/* initialize work buffer with FRAME_HEADROOM bytes of prepend capacity */
ASSERT (buf_init (&work, FRAME_HEADROOM_ADJ (frame, FRAME_HEADROOM_MARKER_DECRYPT)));
/* use IV if user requested it */
CLEAR (iv_buf);
if (opt->flags & CO_USE_IV)
{
if (buf->len < iv_size)
CRYPT_ERROR ("missing IV info");
memcpy (iv_buf, BPTR (buf), iv_size);
ASSERT (buf_advance (buf, iv_size));
}
/* show the IV's initial state */
if (opt->flags & CO_USE_IV)
dmsg (D_PACKET_CONTENT, "DECRYPT IV: %s", format_hex (iv_buf, iv_size, 0, &gc));
if (buf->len < 1)
CRYPT_ERROR ("missing payload");
/* ctx->cipher was already initialized with key & keylen */
if (!cipher_ctx_reset (ctx->cipher, iv_buf))
CRYPT_ERROR ("cipher init failed");
/* Buffer overflow check (should never happen) */
if (!buf_safe (&work, buf->len + cipher_ctx_block_size(ctx->cipher)))
CRYPT_ERROR ("potential buffer overflow");
/* Decrypt packet ID, payload */
if (!cipher_ctx_update (ctx->cipher, BPTR (&work), &outlen, BPTR (buf), BLEN (buf)))
CRYPT_ERROR ("cipher update failed");
ASSERT (buf_inc_len(&work, outlen));
/* Flush the decryption buffer */
if (!cipher_ctx_final (ctx->cipher, BPTR (&work) + outlen, &outlen))
CRYPT_ERROR ("cipher final failed");
ASSERT (buf_inc_len(&work, outlen));
dmsg (D_PACKET_CONTENT, "DECRYPT TO: %s",
format_hex (BPTR (&work), BLEN (&work), 80, &gc));
/* Get packet ID from plaintext buffer or IV, depending on cipher mode */
{
if (cipher_kt_mode_cbc(cipher_kt))
{
if (opt->packet_id)
{
if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)))
CRYPT_ERROR ("error reading CBC packet-id");
have_pin = true;
}
}
else if (cipher_kt_mode_ofb_cfb(cipher_kt))
{
struct buffer b;
ASSERT (opt->flags & CO_USE_IV); /* IV and packet-ID required */
ASSERT (opt->packet_id); /* for this mode. */
buf_set_read (&b, iv_buf, iv_size);
if (!packet_id_read (&pin, &b, true))
CRYPT_ERROR ("error reading CFB/OFB packet-id");
have_pin = true;
}
else /* We only support CBC, CFB, or OFB modes right now */
{
ASSERT (0);
}
}
}
else
{
work = *buf;
if (opt->packet_id)
{
if (!packet_id_read (&pin, &work, BOOL_CAST (opt->flags & CO_PACKET_ID_LONG_FORM)))
CRYPT_ERROR ("error reading packet-id");
have_pin = !BOOL_CAST (opt->flags & CO_IGNORE_PACKET_ID);
}
}
if (have_pin)
{
packet_id_reap_test (&opt->packet_id->rec);
if (packet_id_test (&opt->packet_id->rec, &pin))
{
packet_id_add (&opt->packet_id->rec, &pin);
if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM))
packet_id_persist_save_obj (opt->pid_persist, opt->packet_id);
}
else
{
if (!(opt->flags & CO_MUTE_REPLAY_WARNINGS))
msg (D_REPLAY_ERRORS, "%s: bad packet ID (may be a replay): %s -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings",
error_prefix, packet_id_net_print (&pin, true, &gc));
goto error_exit;
}
}
*buf = work;
}
gc_free (&gc);
return true;
error_exit:
crypto_clear_error();
buf->len = 0;
gc_free (&gc);
return false;
}
