This is not a full update, but just updates some data channel-related docs
I came across. Other pages probably need a bit of attention too.
Stuff that was changed:
* Explain data channel crypto format in crypto.h
* Add P_DATA_V1 and P_DATA_V2 packet format spec
* Remove '2.1' from title
* Update some OpenSSL-specific text
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1417978095-19427-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9318
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -69,7 +69,5 @@ |
69 | 69 |
* |
70 | 70 |
* @par Crypto algorithms |
71 | 71 |
* This module uses the crypto algorithm implementations of the external |
72 |
- * OpenSSL library. More precisely, it uses the OpenSSL library's \c |
|
73 |
- * EVP_Cipher* and \c HMAC_* set of functions to perform cryptographic |
|
74 |
- * operations on data channel packets. |
|
72 |
+ * crypto library (currently either OpenSSL (default), or PolarSSL). |
|
75 | 73 |
*/ |
... | ... |
@@ -29,7 +29,7 @@ |
29 | 29 |
*/ |
30 | 30 |
|
31 | 31 |
/** |
32 |
- * @mainpage OpenVPN v2.1 source code documentation |
|
32 |
+ * @mainpage OpenVPN source code documentation |
|
33 | 33 |
* |
34 | 34 |
* This documentation describes the internal structure of OpenVPN. It was |
35 | 35 |
* automatically generated from specially formatted comment blocks in |
... | ... |
@@ -5,7 +5,7 @@ |
5 | 5 |
* packet encryption, packet authentication, and |
6 | 6 |
* packet compression. |
7 | 7 |
* |
8 |
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
8 |
+ * Copyright (C) 2010-2014 Fox Crypto B.V. <openvpn@fox-it.com> |
|
9 | 9 |
* |
10 | 10 |
* |
11 | 11 |
* This program is free software; you can redistribute it and/or modify |
... | ... |
@@ -61,24 +61,26 @@ |
61 | 61 |
* following describes the various opcodes available. |
62 | 62 |
* |
63 | 63 |
* - Control channel messages: |
64 |
- * - \c P_CONTROL_HARD_RESET_CLIENT_V1 -- %Key method 1, initial %key |
|
64 |
+ * - \ref P_CONTROL_HARD_RESET_CLIENT_V1 -- %Key method 1, initial %key |
|
65 | 65 |
* from client, forget previous state. |
66 |
- * - \c P_CONTROL_HARD_RESET_SERVER_V1 -- %Key method 1, initial %key |
|
66 |
+ * - \ref P_CONTROL_HARD_RESET_SERVER_V1 -- %Key method 1, initial %key |
|
67 | 67 |
* from server, forget previous state. |
68 |
- * - \c P_CONTROL_HARD_RESET_CLIENT_V2 -- %Key method 2, initial %key |
|
68 |
+ * - \ref P_CONTROL_HARD_RESET_CLIENT_V2 -- %Key method 2, initial %key |
|
69 | 69 |
* from client, forget previous state. |
70 |
- * - \c P_CONTROL_HARD_RESET_SERVER_V2 -- %Key method 2, initial %key |
|
70 |
+ * - \ref P_CONTROL_HARD_RESET_SERVER_V2 -- %Key method 2, initial %key |
|
71 | 71 |
* from server, forget previous state. |
72 |
- * - \c P_CONTROL_SOFT_RESET_V1 -- New %key, with a graceful |
|
72 |
+ * - \ref P_CONTROL_SOFT_RESET_V1 -- New %key, with a graceful |
|
73 | 73 |
* transition from old to new %key in the sense that a transition |
74 | 74 |
* window exists where both the old or new key_id can be used. |
75 |
- * - \c P_CONTROL_V1 -- Control channel packet (usually TLS |
|
75 |
+ * - \ref P_CONTROL_V1 -- Control channel packet (usually TLS |
|
76 | 76 |
* ciphertext). |
77 |
- * - \c P_ACK_V1 -- Acknowledgement for control channel packets |
|
77 |
+ * - \ref P_ACK_V1 -- Acknowledgement for control channel packets |
|
78 | 78 |
* received. |
79 | 79 |
* - Data channel messages: |
80 |
- * - \c P_DATA_V1 -- Data channel packet containing data channel |
|
80 |
+ * - \ref P_DATA_V1 -- Data channel packet containing data channel |
|
81 | 81 |
* ciphertext. |
82 |
+ * - \ref P_DATA_V2 -- Data channel packet containing peer-id and data |
|
83 |
+ * channel ciphertext. |
|
82 | 84 |
* |
83 | 85 |
* @subsection network_protocol_external_key_id Session IDs and Key IDs |
84 | 86 |
* |
... | ... |
@@ -139,10 +141,10 @@ |
139 | 139 |
* channel is used to exchange random %key material for bidirectional |
140 | 140 |
* cipher and HMAC keys which will be used to secure data channel packets. |
141 | 141 |
* OpenVPN currently implements two %key methods. %Key method 1 directly |
142 |
- * derives keys using random bits obtained from the \c RAND_bytes() |
|
143 |
- * OpenSSL function. %Key method 2 mixes random %key material from both |
|
144 |
- * sides of the connection using the TLS PRF mixing function. %Key method |
|
145 |
- * 2 is the preferred method and is the default for OpenVPN 2.0. |
|
142 |
+ * derives keys using random bits obtained from the \c rand_bytes() function. |
|
143 |
+ * %Key method 2 mixes random %key material from both sides of the connection |
|
144 |
+ * using the TLS PRF mixing function. %Key method 2 is the preferred method and |
|
145 |
+ * is the default for OpenVPN 2.0+. |
|
146 | 146 |
* |
147 | 147 |
* The @ref key_generation "Data channel key generation" related page |
148 | 148 |
* describes the %key methods in more detail. |
... | ... |
@@ -173,27 +175,22 @@ |
173 | 173 |
* |
174 | 174 |
* @section network_protocol_data Structure of data channel messages |
175 | 175 |
* |
176 |
- * @subsection network_protocol_data_ciphertext Structure of ciphertext data channel messages |
|
177 |
- * |
|
178 |
- * The P_DATA_* payload represents encrypted, encapsulated tunnel packets |
|
179 |
- * which tend to be either IP packets or Ethernet frames. This is |
|
180 |
- * essentially the "payload" of the VPN. |
|
181 |
- * |
|
182 |
- * Data channel packets in ciphertext form consist of the following parts: |
|
183 |
- * - HMAC of ciphertext IV + ciphertext (if not disabled by \c --auth |
|
184 |
- * none). |
|
185 |
- * - Ciphertext IV (size is cipher-dependent, if not disabled by \c |
|
186 |
- * --no-iv). |
|
187 |
- * - Tunnel packet ciphertext. |
|
188 |
- * |
|
189 |
- * @subsection network_protocol_data_plaintext Structure of plaintext data channel messages |
|
190 |
- * |
|
191 |
- * Data channel packets in plaintext form consist of the following parts: |
|
192 |
- * - packet-id (4 or 8 bytes, if not disabled by --no-replay). |
|
193 |
- * - In TLS mode, 4 bytes are used because the implementation can |
|
194 |
- * force a TLS renegotation before \c 2^32 packets are sent. |
|
195 |
- * - In pre-shared %key mode, 8 bytes are used (sequence number and \c |
|
196 |
- * time_t value) to allow long-term %key usage without packet-id |
|
197 |
- * collisions. |
|
198 |
- * - User plaintext (n bytes). |
|
176 |
+ * The P_DATA_* payload represents encapsulated tunnel packets which tend to be |
|
177 |
+ * either IP packets or Ethernet frames. This is essentially the "payload" of |
|
178 |
+ * the VPN. Data channel packets consist of a data channel header, and a |
|
179 |
+ * payload. There are two possible formats: |
|
180 |
+ * |
|
181 |
+ * @par P_DATA_V1 |
|
182 |
+ * P_DATA_V1 packets have a 1-byte header, carrying the \ref P_DATA_V1 \c opcode |
|
183 |
+ * and \c key_id, followed by the payload:\n |
|
184 |
+ * <tt> [ 5-bit opcode | 3-bit key_id ] [ payload ] </tt> |
|
185 |
+ * |
|
186 |
+ * @par P_DATA_V2 |
|
187 |
+ * P_DATA_V2 packets have the same 1-byte opcode/key_id, but carrying the \ref |
|
188 |
+ * P_DATA_V2 opcode, followed by a 3-byte peer-id, which uniquely identifies |
|
189 |
+ * the peer:\n |
|
190 |
+ * <tt> [ 5-bit opcode | 3-bit key_id ] [ 24-bit peer-id ] [ payload ] </tt> |
|
191 |
+ * |
|
192 |
+ * See @ref data_crypto for details on the data channel payload format. |
|
193 |
+ * |
|
199 | 194 |
*/ |
... | ... |
@@ -6,7 +6,7 @@ |
6 | 6 |
* packet compression. |
7 | 7 |
* |
8 | 8 |
* Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
9 |
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com> |
|
9 |
+ * Copyright (C) 2010-2014 Fox Crypto B.V. <openvpn@fox-it.com> |
|
10 | 10 |
* |
11 | 11 |
* This program is free software; you can redistribute it and/or modify |
12 | 12 |
* it under the terms of the GNU General Public License version 2 |
... | ... |
@@ -25,6 +25,76 @@ |
25 | 25 |
|
26 | 26 |
/** |
27 | 27 |
* @file Data Channel Cryptography Module |
28 |
+ * |
|
29 |
+ * @addtogroup data_crypto Data Channel Crypto module |
|
30 |
+ * |
|
31 |
+ * @par Crypto packet formats |
|
32 |
+ * The Data Channel Crypto module supports a number of crypto modes and |
|
33 |
+ * configurable options. The actual packet format depends on these options. A |
|
34 |
+ * Data Channel packet can consist of: |
|
35 |
+ * - \b Opcode, one byte specifying the packet type (see @ref network_protocol |
|
36 |
+ * "Network protocol"). |
|
37 |
+ * - \b Peer-id, if using the v2 data channel packet format (see @ref |
|
38 |
+ * network_protocol "Network protocol"). |
|
39 |
+ * - \b HMAC, covering the ciphertext IV + ciphertext. The HMAC size depends |
|
40 |
+ * on the \c \-\-auth option. If \c \-\-auth \c none is specified, there is no |
|
41 |
+ * HMAC at all. |
|
42 |
+ * - \b Ciphertext \b IV, if not disabled by \c \-\-no-iv. The IV size depends on |
|
43 |
+ * the \c \-\-cipher option. |
|
44 |
+ * - \b Packet \b ID, a 32-bit incrementing packet counter that provides replay |
|
45 |
+ * protection (if not disabled by \c \-\-no-replay). |
|
46 |
+ * - \b Timestamp, a 32-bit timestamp of the current time. |
|
47 |
+ * - \b Payload, the plain text network packet to be encrypted (unless |
|
48 |
+ * encryption is disabled by using \c \-\-cipher \c none). The payload might |
|
49 |
+ * already be compressed (see @ref compression "Compression module"). |
|
50 |
+ * |
|
51 |
+ * @par |
|
52 |
+ * This section does not discuss the opcode and peer-id, since those do not |
|
53 |
+ * depend on the data channel crypto. See @ref network_protocol |
|
54 |
+ * "Network protocol" for more information on those. |
|
55 |
+ * |
|
56 |
+ * @par |
|
57 |
+ * \e Legenda \n |
|
58 |
+ * <tt>[ xxx ]</tt> = unprotected \n |
|
59 |
+ * <tt>[ - xxx - ]</tt> = authenticated \n |
|
60 |
+ * <tt>[ * xxx * ]</tt> = encrypted and authenticated |
|
61 |
+ * |
|
62 |
+ * @par |
|
63 |
+ * <b>CBC data channel cypto format</b> \n |
|
64 |
+ * In CBC mode, both TLS-mode and static key mode are supported. The IV |
|
65 |
+ * consists of random bits to provide unpredictable IVs. \n |
|
66 |
+ * <i>CBC IV format:</i> \n |
|
67 |
+ * <tt> [ - random - ] </tt> \n |
|
68 |
+ * <i>CBC data channel crypto format in TLS-mode:</i> \n |
|
69 |
+ * <tt> [ HMAC ] [ - IV - ] [ * packet ID * ] [ * packet payload * ] </tt> \n |
|
70 |
+ * <i>CBC data channel crypto format in static key mode:</i> \n |
|
71 |
+ * <tt> [ HMAC ] [ - IV - ] [ * packet ID * ] [ * timestamp * ] |
|
72 |
+ * [ * packet payload * ] </tt> |
|
73 |
+ * |
|
74 |
+ * @par |
|
75 |
+ * <b>CFB/OFB data channel crypto format</b> \n |
|
76 |
+ * CFB and OFB modes are only supported in TLS mode. In these modes, the IV |
|
77 |
+ * consists of the packet counter and a timestamp. If the IV is more than 8 |
|
78 |
+ * bytes long, the remaining space is filled with zeroes. The packet counter may |
|
79 |
+ * not roll over within a single TLS sessions. This results in a unique IV for |
|
80 |
+ * each packet, as required by the CFB and OFB cipher modes. |
|
81 |
+ * |
|
82 |
+ * @par |
|
83 |
+ * <i>CFB/OFB IV format:</i> \n |
|
84 |
+ * <tt> [ - packet ID - ] [ - timestamp - ] [ - opt: zero-padding - ] </tt>\n |
|
85 |
+ * <i>CFB/OFB data channel crypto format:</i> \n |
|
86 |
+ * <tt> [ HMAC ] [ - IV - ] [ * packet payload * ] </tt> |
|
87 |
+ * |
|
88 |
+ * @par |
|
89 |
+ * <b>No-crypto data channel format</b> \n |
|
90 |
+ * In no-crypto mode (\c \-\-cipher \c none is specified), both TLS-mode and |
|
91 |
+ * static key mode are supported. No encryption will be performed on the packet, |
|
92 |
+ * but packets can still be authenticated. This mode does not require an IV.\n |
|
93 |
+ * <i>No-crypto data channel crypto format in TLS-mode:</i> \n |
|
94 |
+ * <tt> [ HMAC ] [ - packet ID - ] [ - packet payload - ] </tt> \n |
|
95 |
+ * <i>No-crypto data channel crypto format in static key mode:</i> \n |
|
96 |
+ * <tt> [ HMAC ] [ - packet ID - ] [ - timestamp - ] [ - packet payload - ] </tt> |
|
97 |
+ * |
|
28 | 98 |
*/ |
29 | 99 |
|
30 | 100 |
#ifndef CRYPTO_H |