1. openvpn
  2. src
  3. openvpn
  4. crypto_mbedtls.h
Raw Blame History 
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
 *  Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

/**
 * @file Data Channel Cryptography mbed TLS-specific backend interface
 */

#ifndef CRYPTO_MBEDTLS_H_
#define CRYPTO_MBEDTLS_H_

#include <mbedtls/cipher.h>
#include <mbedtls/md.h>
#include <mbedtls/ctr_drbg.h>

/** Generic cipher key type %context. */
typedef mbedtls_cipher_info_t cipher_kt_t;

/** Generic message digest key type %context. */
typedef mbedtls_md_info_t md_kt_t;

/** Generic cipher %context. */
typedef mbedtls_cipher_context_t cipher_ctx_t;

/** Generic message digest %context. */
typedef mbedtls_md_context_t md_ctx_t;

/** Generic HMAC %context. */
typedef mbedtls_md_context_t hmac_ctx_t;

/** Maximum length of an IV */
#define OPENVPN_MAX_IV_LENGTH   MBEDTLS_MAX_IV_LENGTH

/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC        MBEDTLS_MODE_CBC

/** Cipher is in OFB mode */
#define OPENVPN_MODE_OFB        MBEDTLS_MODE_OFB

/** Cipher is in CFB mode */
#define OPENVPN_MODE_CFB        MBEDTLS_MODE_CFB

/** Cipher is in GCM mode */
#define OPENVPN_MODE_GCM        MBEDTLS_MODE_GCM

/** Cipher should encrypt */
#define OPENVPN_OP_ENCRYPT      MBEDTLS_ENCRYPT

/** Cipher should decrypt */
#define OPENVPN_OP_DECRYPT      MBEDTLS_DECRYPT

#define MD4_DIGEST_LENGTH       16
#define MD5_DIGEST_LENGTH       16
#define SHA_DIGEST_LENGTH       20
#define SHA256_DIGEST_LENGTH    32
#define DES_KEY_LENGTH 8

/**
 * Returns a singleton instance of the mbed TLS random number generator.
 *
 * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator. If it
 * hasn't been initialised yet, the RNG will be initialised using the default
 * entropy sources. Aside from the default platform entropy sources, an
 * additional entropy source, the HAVEGE random number generator will also be
 * added. During initialisation, a personalisation string will be added based
 * on the time, the PID, and a pointer to the random context.
 */
mbedtls_ctr_drbg_context *rand_ctx_get(void);

#ifdef ENABLE_PREDICTION_RESISTANCE
/**
 * Enable prediction resistance on the random number generator.
 */
void rand_ctx_enable_prediction_resistance(void);

#endif

/**
 * Log the supplied mbed TLS error, prefixed by supplied prefix.
 *
 * @param flags         Flags to indicate error type and priority.
 * @param errval        mbed TLS error code to convert to error message.
 * @param prefix        Prefix to mbed TLS error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_err(unsigned int flags, int errval, const char *prefix);

/**
 * Log the supplied mbed TLS error, prefixed by function name and line number.
 *
 * @param flags         Flags to indicate error type and priority.
 * @param errval        mbed TLS error code to convert to error message.
 * @param func          Function name where error was reported.
 * @param line          Line number where error was reported.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
                        int line);

/** Wraps mbed_log_func_line() to prevent function calls for non-errors */
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval,
                        const char *func, int line)
{
    if (errval)
    {
        return mbed_log_func_line(flags, errval, func, line);
    }
    return true;
}

/**
 * Check errval and log on error.
 *
 * Convenience wrapper to put around mbed TLS library calls, e.g.
 *   if (!mbed_ok (mbedtls_ssl_func())) return 0;
 * or
 *   ASSERT (mbed_ok (mbedtls_ssl_func()));
 *
 * @param errval        mbed TLS error code to convert to error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
#define mbed_ok(errval) \
    mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)

static inline bool cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
    return cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN;
}

#endif /* CRYPTO_MBEDTLS_H_ */