From patchwork Tue Aug 13 12:00:16 2024
X-Patchwork-Submitter: "cron2 (Code Review)"
X-Patchwork-Id: 3786
From: "stipa (Code Review)"
Date: Tue, 13 Aug 2024 12:00:16 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Subject: [Openvpn-devel] [M] Change in openvpn[master]: dco-win: support for data_v3 features
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I2e0c50d33f8a57c023120cf348f95d34acbfcde5
X-Gerrit-Change-Number: 725
X-Gerrit-Project: openvpn
X-Gerrit-Commit: c2f19403d691089ae4ca93f76ec63f29305110ba
Message-ID: <745968f942b781cf635cdb858743aad06f6218ea-HTML@gerrit.openvpn.net>

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/725?usp=email

to review the following change.

Change subject: dco-win: support for data_v3 features
......................................................................

dco-win: support for data_v3 features

Since version 1.4, dco-win driver supports data_v3 features such as:

 - AEAD tag at the end
 - 64bit pktid

We have to:

 - check in runtime if driver supports data_v3 features
   (we might be running with the older driver)

 - if those features are negotiated, we pass them to the
   driver as bit flags via the (newly added) NEW_KEY_V2 ioctl

Introduce NEW_KEY_V2 ioctl, which accepts a new OVPN_CRYPTO_DATA_V2
structure, which includes a field for bit flags for the new crypto options.

Make dco_supports_data_v3() implementation platform-dependent
(as it should be) and indicate data_v3 support by dco-win
if the driver version is at least 1.4.

Extend the Windows-specific struct dco_context and store data_v3 support
there so that when dco_new_key() is called, we know which API to use.

Change the dco internal API and pass crypto options flags to dco_new_key().

Change-Id: I2e0c50d33f8a57c023120cf348f95d34acbfcde5
Signed-off-by: Lev Stipakov
---

M src/openvpn/dco.c
M src/openvpn/dco.h
M src/openvpn/dco_freebsd.c
M src/openvpn/dco_internal.h
M src/openvpn/dco_linux.c
M src/openvpn/dco_win.c
M src/openvpn/dco_win.h
M src/openvpn/ovpn_dco_win.h
8 files changed, 141 insertions(+), 45 deletions(-)

  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/25/725/1

diff --git a/src/openvpn/dco.c b/src/openvpn/dco.c index 7f0d53d..baaeb95 100644 --- a/src/openvpn/dco.c +++ b/src/openvpn/dco.c @@ -70,7 +70,7 @@ int ret = dco_new_key(multi->dco, multi->dco_peer_id, ks->key_id, slot, encrypt_key, encrypt_iv, decrypt_key, decrypt_iv, - ciphername); + ciphername, ks->crypto_options.flags); if ((ret == 0) && (multi->dco_keys_installed < 2)) { multi->dco_keys_installed++; diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 3ce2c31..ec4ec42 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h 
@@ -253,11 +253,7 @@ * Return whether the dco implementation supports the new protocol features of * a 64 bit packet counter and AEAD tag at the end. */ -static inline bool -dco_supports_data_v3(struct context *c) -{ - return false; -} +bool dco_supports_data_v3(struct context *c); #else /* if defined(ENABLE_DCO) */ diff --git a/src/openvpn/dco_freebsd.c b/src/openvpn/dco_freebsd.c index 9a90f5c..0c5e157 100644 --- a/src/openvpn/dco_freebsd.c +++ b/src/openvpn/dco_freebsd.c @@ -415,14 +415,14 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) + const char *ciphername, int co_flags) { struct ifdrv drv; nvlist_t *nvl; int ret; - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags %d", + __func__, slot, keyid, peerid, ciphername, co_flags); nvl = nvlist_create(0); @@ -778,4 +778,11 @@ return "none:AES-256-GCM:AES-192-GCM:AES-128-GCM:CHACHA20-POLY1305"; } +bool +dco_supports_data_v3(struct context *c) +{ + /* not implemented */ + return false; +} + #endif /* defined(ENABLE_DCO) && defined(TARGET_FREEBSD) */ diff --git a/src/openvpn/dco_internal.h b/src/openvpn/dco_internal.h index 624c110..90d383b 100644 --- a/src/openvpn/dco_internal.h +++ b/src/openvpn/dco_internal.h @@ -70,7 +70,7 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername); + const char *ciphername, int co_flags); int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot); diff --git a/src/openvpn/dco_linux.c b/src/openvpn/dco_linux.c index 277cd64..25603e6 100644 --- a/src/openvpn/dco_linux.c +++ b/src/openvpn/dco_linux.c 
@@ -557,10 +557,10 @@ dco_key_slot_t slot, const uint8_t *encrypt_key, const uint8_t *encrypt_iv, const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) + const char *ciphername, int co_flags) { - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags %d", + __func__, slot, keyid, peerid, ciphername, co_flags); const size_t key_len = cipher_kt_key_size(ciphername); const int nonce_tail_len = 8; @@ -1058,4 +1058,11 @@ return "AES-128-GCM:AES-256-GCM:AES-192-GCM:CHACHA20-POLY1305"; } +bool +dco_supports_data_v3(struct context *c) +{ + /* not implemented */ + return false; +} + #endif /* defined(ENABLE_DCO) && defined(TARGET_LINUX) */ diff --git a/src/openvpn/dco_win.c b/src/openvpn/dco_win.c index 3ec946f..06e3545 100644 --- a/src/openvpn/dco_win.c +++ b/src/openvpn/dco_win.c @@ -55,6 +55,9 @@ bool ovpn_dco_init(int mode, dco_context_t *dco) { + dco->supports_data_v3 = dco_supports_data_v3(NULL); + msg(D_DCO_DEBUG, "dco supports data_v3: %d", dco->supports_data_v3); + return true; } 
@@ -291,47 +294,85 @@ return 0; } -int -dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, - dco_key_slot_t slot, - const uint8_t *encrypt_key, const uint8_t *encrypt_iv, - const uint8_t *decrypt_key, const uint8_t *decrypt_iv, - const char *ciphername) +static int +dco_new_key_v1(HANDLE handle, OVPN_CRYPTO_DATA *crypto_data) { - msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s", - __func__, slot, keyid, peerid, ciphername); - - const int nonce_len = 8; - size_t key_len = cipher_kt_key_size(ciphername); - - OVPN_CRYPTO_DATA crypto_data; - ZeroMemory(&crypto_data, sizeof(crypto_data)); - - crypto_data.CipherAlg = dco_get_cipher(ciphername); - crypto_data.KeyId = keyid; - crypto_data.PeerId = peerid; - crypto_data.KeySlot = slot; - - CopyMemory(crypto_data.Encrypt.Key, encrypt_key, key_len); - crypto_data.Encrypt.KeyLen = (char)key_len; - CopyMemory(crypto_data.Encrypt.NonceTail, encrypt_iv, nonce_len); - - CopyMemory(crypto_data.Decrypt.Key, decrypt_key, key_len); - crypto_data.Decrypt.KeyLen = (char)key_len; - CopyMemory(crypto_data.Decrypt.NonceTail, decrypt_iv, nonce_len); - - ASSERT(crypto_data.CipherAlg > 0); - DWORD bytes_returned = 0; - if (!DeviceIoControl(dco->tt->hand, OVPN_IOCTL_NEW_KEY, &crypto_data, - sizeof(crypto_data), NULL, 0, &bytes_returned, NULL)) + if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_KEY, crypto_data, sizeof(*crypto_data), NULL, 0, &bytes_returned, NULL)) { msg(M_ERR, "DeviceIoControl(OVPN_IOCTL_NEW_KEY) failed"); return -1; } return 0; } + +static int +dco_new_key_v2(HANDLE handle, OVPN_CRYPTO_DATA_V2 *crypto_data, int co_flags) +{ + if (co_flags & CO_AEAD_TAG_AT_THE_END) + { + crypto_data->CryptoOptions |= CRYPTO_OPTIONS_AEAD_TAG_END; + } + + if (co_flags & CO_64_BIT_PKT_ID) + { + crypto_data->CryptoOptions |= CRYPTO_OPTIONS_64BIT_PKTID; + } + + DWORD bytes_returned = 0; + if (!DeviceIoControl(handle, OVPN_IOCTL_NEW_KEY_V2, crypto_data, sizeof(*crypto_data), NULL, 0, &bytes_returned, NULL)) + { + msg(M_ERR, 
"DeviceIoControl(OVPN_IOCTL_NEW_KEY_V2) failed"); + return -1; + } + + return 0; +} + +int +dco_new_key(dco_context_t *dco, unsigned int peerid, int keyid, + dco_key_slot_t slot, + const uint8_t *encrypt_key, const uint8_t *encrypt_iv, + const uint8_t *decrypt_key, const uint8_t *decrypt_iv, + const char *ciphername, int co_flags) +{ + msg(D_DCO_DEBUG, "%s: slot %d, key-id %d, peer-id %d, cipher %s, co_flags %d", + __func__, slot, keyid, peerid, ciphername, co_flags); + + const int nonce_len = 8; + size_t key_len = cipher_kt_key_size(ciphername); + + OVPN_CRYPTO_DATA_V2 crypto_data_v2; + ZeroMemory(&crypto_data_v2, sizeof(crypto_data_v2)); + + OVPN_CRYPTO_DATA *crypto_data = &crypto_data_v2.V1; + + crypto_data->CipherAlg = dco_get_cipher(ciphername); + crypto_data->KeyId = keyid; + crypto_data->PeerId = peerid; + crypto_data->KeySlot = slot; + + CopyMemory(crypto_data->Encrypt.Key, encrypt_key, key_len); + crypto_data->Encrypt.KeyLen = (char)key_len; + CopyMemory(crypto_data->Encrypt.NonceTail, encrypt_iv, nonce_len); + + CopyMemory(crypto_data->Decrypt.Key, decrypt_key, key_len); + crypto_data->Decrypt.KeyLen = (char)key_len; + CopyMemory(crypto_data->Decrypt.NonceTail, decrypt_iv, nonce_len); + + ASSERT(crypto_data->CipherAlg > 0); + + if (dco->supports_data_v3) + { + return dco_new_key_v2(dco->tt->hand, &crypto_data_v2, co_flags); + } + else + { + return dco_new_key_v1(dco->tt->hand, crypto_data); + } +} + int dco_del_key(dco_context_t *dco, unsigned int peerid, dco_key_slot_t slot) { 
@@ -494,4 +535,39 @@ } } +bool +dco_supports_data_v3(struct context *c) +{ + bool res = false; + + HANDLE h = CreateFile("\\\\.\\ovpn-dco-ver", GENERIC_READ, + 0, NULL, OPEN_EXISTING, 0, NULL); + + if (h == INVALID_HANDLE_VALUE) + { + goto done; + } + + OVPN_VERSION version; + ZeroMemory(&version, sizeof(OVPN_VERSION)); + + DWORD bytes_returned = 0; + if (!DeviceIoControl(h, OVPN_IOCTL_GET_VERSION, NULL, 0, + &version, sizeof(version), &bytes_returned, NULL)) + { + goto done; + } + + /* data_v3 is supported starting from 1.4 */ + res = (version.Major > 1) || (version.Minor >= 4); + +done: + if (h != INVALID_HANDLE_VALUE) + { + CloseHandle(h); + } + + return res; +} + #endif /* defined(_WIN32) */ diff --git a/src/openvpn/dco_win.h b/src/openvpn/dco_win.h index 4883629..f58488f 100644 --- a/src/openvpn/dco_win.h +++ b/src/openvpn/dco_win.h @@ -33,6 +33,7 @@ struct dco_context { struct tuntap *tt; + bool supports_data_v3; }; typedef struct dco_context dco_context_t; diff --git a/src/openvpn/ovpn_dco_win.h b/src/openvpn/ovpn_dco_win.h index ea2a733..9e437f0 100644 --- a/src/openvpn/ovpn_dco_win.h +++ b/src/openvpn/ovpn_dco_win.h @@ -94,6 +94,14 @@ int PeerId; } OVPN_CRYPTO_DATA, * POVPN_CRYPTO_DATA; +#define CRYPTO_OPTIONS_AEAD_TAG_END (1<<1) +#define CRYPTO_OPTIONS_64BIT_PKTID (1<<2) + +typedef struct _OVPN_CRYPTO_DATA_V2 { + OVPN_CRYPTO_DATA V1; + UINT32 CryptoOptions; +} OVPN_CRYPTO_DATA_V2, * POVPN_CRYPTO_DATA_V2; + typedef struct _OVPN_SET_PEER { LONG KeepaliveInterval; LONG KeepaliveTimeout; @@ -114,3 +122,4 @@ #define OVPN_IOCTL_START_VPN CTL_CODE(FILE_DEVICE_UNKNOWN, 6, METHOD_BUFFERED, FILE_ANY_ACCESS) #define OVPN_IOCTL_DEL_PEER CTL_CODE(FILE_DEVICE_UNKNOWN, 7, METHOD_BUFFERED, FILE_ANY_ACCESS) #define OVPN_IOCTL_GET_VERSION CTL_CODE(FILE_DEVICE_UNKNOWN, 8, METHOD_BUFFERED, FILE_ANY_ACCESS) +#define OVPN_IOCTL_NEW_KEY_V2 CTL_CODE(FILE_DEVICE_UNKNOWN, 9, METHOD_BUFFERED, FILE_ANY_ACCESS)
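
Review bot: co_flags is added to dco_new_key() as a plain int in src/openvpn/dco_internal.h although it is a bit mask (dco_new_key_v2() tests it with &), and the Linux and FreeBSD implementations print it with %d in the debug message and otherwise ignore it. Suggest declaring it unsigned int, logging it in hex (for example 0x%x) so individual bits are readable, and adding a line to the function's doc comment describing the new parameter.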
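
Review bot: ovpn_dco_init() in src/openvpn/dco_win.c calls dco_supports_data_v3(NULL), which is safe only because the Windows implementation never touches its struct context *c argument; nothing in the prototype or the doc comment in dco.h says NULL is allowed. Suggest documenting that, or moving the driver probe into a static helper that takes no context and calling it from both places. Every failure path in the probe (CreateFile or the version ioctl failing) also yields false with no log line, so the "dco supports data_v3: %d" message cannot distinguish an old driver from a failed query.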
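
Review bot: in dco_new_key() (src/openvpn/dco_win.c, hunk at -291,47 +294,85), when dco->supports_data_v3 is false the call goes to dco_new_key_v1() and co_flags is dropped without a check, so a key negotiated with CO_AEAD_TAG_AT_THE_END or CO_64_BIT_PKT_ID would be installed in a driver that was never told about them. Suggest rejecting those flags (or ASSERTing they are clear) in the else branch so a mismatch fails at key installation rather than showing up later on the data channel. While this block is being rewritten: key_len from cipher_kt_key_size() is still copied into Encrypt.Key and Decrypt.Key with no bound against the size of the destination and is narrowed with (char)key_len, and ASSERT(crypto_data->CipherAlg > 0) runs only after those copies; moving the assert up and adding a size check would be cheap. The stack copy of the key material in crypto_data_v2 is also left in place after the ioctl returns and could be wiped before returning.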
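
Review bot: the version test in dco_supports_data_v3() (src/openvpn/dco_win.c, hunk at -494,4 +535,39), res = (version.Major > 1) || (version.Minor >= 4);, does not tie the minor check to major 1, so a driver reporting major 0 with minor 4 or higher is treated as data_v3-capable. Suggest (version.Major > 1) || (version.Major == 1 && version.Minor >= 4). The result of OVPN_IOCTL_GET_VERSION is also used without checking that bytes_returned covers sizeof(version).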
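
Review bot: the new flag values in src/openvpn/ovpn_dco_win.h start at (1<<1), leaving bit 0 unused with no comment, and neither the CRYPTO_OPTIONS_* defines nor the CryptoOptions field of OVPN_CRYPTO_DATA_V2 is documented. Since this header describes the ioctl interface to the driver, suggest a short comment stating what each bit means, that the values must match the driver side, and whether bit 0 is reserved.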