| 53f97e1e |
/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
* |
| 49979459 |
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
* Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com> |
| 53f97e1e |
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* |
| caa54ac3 |
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 53f97e1e |
*/
/** |
| 86d8cd68 |
* @file Data Channel Cryptography mbed TLS-specific backend interface |
| 53f97e1e |
*/
|
| 86d8cd68 |
#ifndef CRYPTO_MBEDTLS_H_
#define CRYPTO_MBEDTLS_H_ |
| 53f97e1e |
|
| 86d8cd68 |
#include <mbedtls/cipher.h>
#include <mbedtls/md.h>
#include <mbedtls/ctr_drbg.h> |
| 6efeaa2e |
|
| 53f97e1e |
/** Generic cipher key type %context. */ |
| 86d8cd68 |
typedef mbedtls_cipher_info_t cipher_kt_t; |
| 53f97e1e |
/** Generic message digest key type %context. */ |
| 86d8cd68 |
typedef mbedtls_md_info_t md_kt_t; |
| 53f97e1e |
/** Generic cipher %context. */ |
| 86d8cd68 |
typedef mbedtls_cipher_context_t cipher_ctx_t; |
| 53f97e1e |
/** Generic message digest %context. */ |
| 86d8cd68 |
typedef mbedtls_md_context_t md_ctx_t; |
| 53f97e1e |
/** Generic HMAC %context. */ |
| 86d8cd68 |
typedef mbedtls_md_context_t hmac_ctx_t; |
| 53f97e1e |
/** Maximum length of an IV */ |
| 81d882d5 |
#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH |
| 53f97e1e |
/** Cipher is in CBC mode */ |
| 81d882d5 |
#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC |
| 53f97e1e |
/** Cipher is in OFB mode */ |
| 81d882d5 |
#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB |
| 53f97e1e |
/** Cipher is in CFB mode */ |
| 81d882d5 |
#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB |
| 53f97e1e |
|
| 66407e11 |
/** Cipher is in GCM mode */ |
| 81d882d5 |
#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM |
| 66407e11 |
|
| 53f97e1e |
/** Cipher should encrypt */ |
| 81d882d5 |
#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT |
| 53f97e1e |
/** Cipher should decrypt */ |
| 81d882d5 |
#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT |
| 53f97e1e |
|
| 81d882d5 |
#define MD4_DIGEST_LENGTH 16
#define MD5_DIGEST_LENGTH 16
#define SHA_DIGEST_LENGTH 20 |
| 5b48e8c9 |
#define SHA256_DIGEST_LENGTH 32 |
| 9788322b |
#define DES_KEY_LENGTH 8 |
| 53f97e1e |
|
| 6efeaa2e |
/** |
| 86d8cd68 |
* Returns a singleton instance of the mbed TLS random number generator. |
| 6efeaa2e |
* |
| 86d8cd68 |
* For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it |
| 6efeaa2e |
* hasn't been initialised yet, the RNG will be initialised using the default
* entropy sources. Aside from the default platform entropy sources, an
* additional entropy source, the HAVEGE random number generator will also be
* added. During initialisation, a personalisation string will be added based
* on the time, the PID, and a pointer to the random context.
*/ |
| e2a0cad4 |
mbedtls_ctr_drbg_context *rand_ctx_get(void); |
| 6efeaa2e |
|
| 0f25d296 |
#ifdef ENABLE_PREDICTION_RESISTANCE
/**
* Enable prediction resistance on the random number generator.
*/ |
| e2a0cad4 |
void rand_ctx_enable_prediction_resistance(void); |
| 81d882d5 |
|
| 0f25d296 |
#endif
|
| 6ef5df14 |
/** |
| 86d8cd68 |
* Log the supplied mbed TLS error, prefixed by supplied prefix. |
| 6ef5df14 |
* |
| 81d882d5 |
* @param flags Flags to indicate error type and priority.
* @param errval mbed TLS error code to convert to error message.
* @param prefix Prefix to mbed TLS error message. |
| 6ef5df14 |
*
* @returns true if no errors are detected, false otherwise.
*/ |
| 86d8cd68 |
bool mbed_log_err(unsigned int flags, int errval, const char *prefix); |
| 6ef5df14 |
/** |
| 86d8cd68 |
* Log the supplied mbed TLS error, prefixed by function name and line number. |
| 6ef5df14 |
* |
| 81d882d5 |
* @param flags Flags to indicate error type and priority.
* @param errval mbed TLS error code to convert to error message.
* @param func Function name where error was reported.
* @param line Line number where error was reported. |
| 6ef5df14 |
*
* @returns true if no errors are detected, false otherwise.
*/ |
| 86d8cd68 |
bool mbed_log_func_line(unsigned int flags, int errval, const char *func, |
| 81d882d5 |
int line); |
| 6ef5df14 |
|
| 86d8cd68 |
/** Wraps mbed_log_func_line() to prevent function calls for non-errors */ |
| 81d882d5 |
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval, |
| 4cd4899e |
const char *func, int line)
{ |
| 81d882d5 |
if (errval)
{
return mbed_log_func_line(flags, errval, func, line);
}
return true; |
| 3a39bf7d |
}
|
| 6ef5df14 |
/**
* Check errval and log on error.
* |
| 86d8cd68 |
* Convenience wrapper to put around mbed TLS library calls, e.g.
* if (!mbed_ok (mbedtls_ssl_func())) return 0; |
| 6ef5df14 |
* or |
| 86d8cd68 |
* ASSERT (mbed_ok (mbedtls_ssl_func())); |
| 6ef5df14 |
* |
| 81d882d5 |
* @param errval mbed TLS error code to convert to error message. |
| 6ef5df14 |
*
* @returns true if no errors are detected, false otherwise.
*/ |
| 86d8cd68 |
#define mbed_ok(errval) \ |
| 81d882d5 |
mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__) |
| 6ef5df14 |
|
| 447997dd |
static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
} |
| 6ef5df14 |
|
| 86d8cd68 |
#endif /* CRYPTO_MBEDTLS_H_ */ |