@@ -36,6 +36,7 @@

 #include "crypto_mbedtls.h"

 #endif

 #include "basic.h"

+#include "buffer.h"

 /* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */

 #define OPENVPN_AEAD_TAG_LENGTH 16

@@ -105,6 +106,34 @@ void show_available_digests(void);

 void show_available_engines(void);

+/**

+ * Encode binary data as PEM.

+ *

+ * @param name      The name to use in the PEM header/footer.

+ * @param dst       Destination buffer for PEM-encoded data.  Must be a valid

+ *                  pointer to an uninitialized buffer structure.  Iff this

+ *                  function returns true, the buffer will contain memory

+ *                  allocated through the supplied gc.

+ * @param src       Source buffer.

+ * @param gc        The garbage collector to use when allocating memory for dst.

+ *

+ * @return true iff PEM encode succeeded.

+ */

+bool crypto_pem_encode(const char *name, struct buffer *dst,

+                       const struct buffer *src, struct gc_arena *gc);

+

+/**

+ * Decode a PEM buffer to binary data.

+ *

+ * @param name      The name expected in the PEM header/footer.

+ * @param dst       Destination buffer for decoded data.

+ * @param src       Source buffer (PEM data).

+ *

+ * @return true iff PEM decode succeeded.

+ */

+bool crypto_pem_decode(const char *name, struct buffer *dst,

+                       const struct buffer *src);

+

 /*

  *

  * Random number functions, used in cases where we want

@@ -44,11 +44,13 @@

 #include "otime.h"

 #include "misc.h"

+#include <mbedtls/base64.h>

 #include <mbedtls/des.h>

 #include <mbedtls/error.h>

 #include <mbedtls/md5.h>

 #include <mbedtls/cipher.h>

 #include <mbedtls/havege.h>

+#include <mbedtls/pem.h>

 #include <mbedtls/entropy.h>

@@ -229,6 +231,79 @@ show_available_engines(void)

            "available\n");

 }

+bool

+crypto_pem_encode(const char *name, struct buffer *dst,

+                  const struct buffer *src, struct gc_arena *gc)

+{

+    /* 1000 chars is the PEM line length limit (+1 for tailing NUL) */

+    char header[1000+1] = { 0 };

+    char footer[1000+1] = { 0 };

+

+    if (!openvpn_snprintf(header, sizeof(header), "-----BEGIN %s-----\n", name))

+    {

+        return false;

+    }

+    if (!openvpn_snprintf(footer, sizeof(footer), "-----END %s-----\n", name))

+    {

+        return false;

+    }

+

+    size_t out_len = 0;

+    if (MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL !=

+            mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),

+                                     NULL, 0, &out_len))

+    {

+        return false;

+    }

+

+    *dst = alloc_buf_gc(out_len, gc);

+    if (!mbed_ok(mbedtls_pem_write_buffer(header, footer, BPTR(src), BLEN(src),

+                                          BPTR(dst), BCAP(dst), &out_len))

+        || !buf_inc_len(dst, out_len))

+    {

+        CLEAR(*dst);

+        return false;

+    }

+

+    return true;

+}

+

+bool

+crypto_pem_decode(const char *name, struct buffer *dst,

+                  const struct buffer *src)

+{

+    /* 1000 chars is the PEM line length limit (+1 for tailing NUL) */

+    char header[1000+1] = { 0 };

+    char footer[1000+1] = { 0 };

+

+    if (*(BLAST(src)) != '\0')

+    {

+        msg(M_WARN, "PEM decode error: source buffer not null-terminated");

+        return false;

+    }

+    if (!openvpn_snprintf(header, sizeof(header), "-----BEGIN %s-----", name))

+    {

+        return false;

+    }

+    if (!openvpn_snprintf(footer, sizeof(footer), "-----END %s-----", name))

+    {

+        return false;

+    }

+

+    size_t use_len = 0;

+    mbedtls_pem_context ctx = { 0 };

+    bool ret = mbed_ok(mbedtls_pem_read_buffer(&ctx, header, footer, BPTR(src),

+                                               NULL, 0, &use_len));

+    if (ret && !buf_write(dst, ctx.buf, ctx.buflen))

+    {

+        ret = false;

+        msg(M_WARN, "PEM decode error: destination buffer too small");

+    }

+

+    mbedtls_pem_free(&ctx);

+    return ret;

+}

+

 /*

  *

  * Random number functions, used in cases where we want

@@ -387,6 +387,88 @@ show_available_engines(void)

 #endif

 }

+

+bool

+crypto_pem_encode(const char *name, struct buffer *dst,

+                  const struct buffer *src, struct gc_arena *gc)

+{

+    bool ret = false;

+    BIO *bio = BIO_new(BIO_s_mem());

+    if (!bio || !PEM_write_bio(bio, name, "", BPTR(src), BLEN(src)))

+    {

+        ret = false;

+        goto cleanup;

+    }

+

+    BUF_MEM *bptr;

+    BIO_get_mem_ptr(bio, &bptr);

+

+    *dst = alloc_buf_gc(bptr->length, gc);

+    ASSERT(buf_write(dst, bptr->data, bptr->length));

+

+    ret = true;

+cleanup:

+    if (!BIO_free(bio))

+    {

+        ret = false;;

+    }

+

+    return ret;

+}

+

+bool

+crypto_pem_decode(const char *name, struct buffer *dst,

+                  const struct buffer *src)

+{

+    bool ret = false;

+

+    BIO *bio = BIO_new_mem_buf((char *)BPTR(src), BLEN(src));

+    if (!bio)

+    {

+        crypto_msg(M_FATAL, "Cannot open memory BIO for PEM decode");

+    }

+

+    char *name_read = NULL;

+    char *header_read = NULL;

+    uint8_t *data_read = NULL;

+    long data_read_len = 0;

+    if (!PEM_read_bio(bio, &name_read, &header_read, &data_read,

+                      &data_read_len))

+    {

+        dmsg(D_CRYPT_ERRORS, "%s: PEM decode failed", __func__);

+        goto cleanup;

+    }

+

+    if (strcmp(name, name_read))

+    {

+        dmsg(D_CRYPT_ERRORS,

+             "%s: unexpected PEM name (got '%s', expected '%s')",

+             __func__, name_read, name);

+        goto cleanup;

+    }

+

+    uint8_t *dst_data = buf_write_alloc(dst, data_read_len);

+    if (!dst_data)

+    {

+        dmsg(D_CRYPT_ERRORS, "%s: dst too small (%i, needs %li)", __func__,

+             BCAP(dst), data_read_len);

+        goto cleanup;

+    }

+    memcpy(dst_data, data_read, data_read_len);

+

+    ret = true;

+cleanup:

+    OPENSSL_free(name_read);

+    OPENSSL_free(header_read);

+    OPENSSL_free(data_read);

+    if (!BIO_free(bio))

+    {

+        ret = false;;

+    }

+

+    return ret;

+}

+

 /*

  *

  * Random number functions, used in cases where we want

@@ -6,7 +6,7 @@ if HAVE_LD_WRAP_SUPPORT

 check_PROGRAMS += argv_testdriver buffer_testdriver

 endif

-check_PROGRAMS += packet_id_testdriver tls_crypt_testdriver

+check_PROGRAMS += crypto_testdriver packet_id_testdriver tls_crypt_testdriver

 TESTS = $(check_PROGRAMS)

@@ -31,6 +31,20 @@ buffer_testdriver_SOURCES = test_buffer.c mock_msg.c \

 	$(openvpn_srcdir)/buffer.c \

 	$(openvpn_srcdir)/platform.c

+crypto_testdriver_CFLAGS  = @TEST_CFLAGS@ \

+	-I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \

+	$(OPTIONAL_CRYPTO_CFLAGS)

+crypto_testdriver_LDFLAGS = @TEST_LDFLAGS@ \

+	$(OPTIONAL_CRYPTO_LIBS)

+crypto_testdriver_SOURCES = test_crypto.c mock_msg.c \

+	$(openvpn_srcdir)/buffer.c \

+	$(openvpn_srcdir)/crypto.c \

+	$(openvpn_srcdir)/crypto_mbedtls.c \

+	$(openvpn_srcdir)/crypto_openssl.c \

+	$(openvpn_srcdir)/otime.c \

+	$(openvpn_srcdir)/packet_id.c \

+	$(openvpn_srcdir)/platform.c

+

 packet_id_testdriver_CFLAGS  = @TEST_CFLAGS@ \

 	-I$(openvpn_includedir) -I$(compat_srcdir) -I$(openvpn_srcdir) \

 	$(OPTIONAL_CRYPTO_CFLAGS)

new file mode 100644

@@ -0,0 +1,88 @@

+/*

+ *  OpenVPN -- An application to securely tunnel IP networks

+ *             over a single UDP port, with support for SSL/TLS-based

+ *             session authentication and key exchange,

+ *             packet encryption, packet authentication, and

+ *             packet compression.

+ *

+ *  Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com>

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2

+ *  as published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License along

+ *  with this program; if not, write to the Free Software Foundation, Inc.,

+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+ */

+

+#ifdef HAVE_CONFIG_H

+#include "config.h"

+#elif defined(_MSC_VER)

+#include "config-msvc.h"

+#endif

+

+#include "syshead.h"

+

+#include <stdio.h>

+#include <unistd.h>

+#include <stdlib.h>

+#include <stdarg.h>

+#include <string.h>

+#include <setjmp.h>

+#include <cmocka.h>

+

+#include "crypto.h"

+

+#include "mock_msg.h"

+

+static const char testtext[] = "Dummy text to test PEM encoding";

+

+static void

+crypto_pem_encode_decode_loopback(void **state) {

+    struct gc_arena gc = gc_new();

+    struct buffer src_buf;

+    buf_set_read(&src_buf, (void *)testtext, sizeof(testtext));

+

+    uint8_t dec[sizeof(testtext)];

+    struct buffer dec_buf;

+    buf_set_write(&dec_buf, dec, sizeof(dec));

+

+    struct buffer pem_buf;

+

+    assert_true(crypto_pem_encode("TESTKEYNAME", &pem_buf, &src_buf, &gc));

+    assert_true(BLEN(&src_buf) < BLEN(&pem_buf));

+

+    /* Wrong key name */

+    assert_false(crypto_pem_decode("WRONGNAME", &dec_buf, &pem_buf));

+

+    assert_true(crypto_pem_decode("TESTKEYNAME", &dec_buf, &pem_buf));

+    assert_int_equal(BLEN(&src_buf), BLEN(&dec_buf));

+    assert_memory_equal(BPTR(&src_buf), BPTR(&dec_buf), BLEN(&src_buf));

+

+    gc_free(&gc);

+}

+

+int

+main(void) {

+    const struct CMUnitTest tests[] = {

+        cmocka_unit_test(crypto_pem_encode_decode_loopback),

+    };

+

+#if defined(ENABLE_CRYPTO_OPENSSL)

+    OpenSSL_add_all_algorithms();

+#endif

+

+    int ret = cmocka_run_group_tests_name("crypto tests", tests, NULL, NULL);

+

+#if defined(ENABLE_CRYPTO_OPENSSL)

+    EVP_cleanup();

+#endif

+

+    return ret;

+}