From patchwork Sat Sep 21 14:16:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "ralf_lici (Code Review)" X-Patchwork-Id: 3850 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:10cd:b0:5b9:581e:f939 with SMTP id j13csp1337664mae; Sat, 21 Sep 2024 07:16:59 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUwbeaBhpQM43XUCW7aWdd9pPu1WnLE3hM7nozboZCZRmwNVQgDzw9HMVr5FcoNh5KFRf2b4X5oqck=@openvpn.net X-Google-Smtp-Source: AGHT+IGnmqwXN+pS3afXK654LMISc5CzS+wHASVjPDLlaHBpa+7jZFt8pdm5OeyndbplYKdOE9RS X-Received: by 2002:a05:6830:2b1e:b0:710:fa4e:73cf with SMTP id 46e09a7af769-71393482752mr3946894a34.9.1726928219433; Sat, 21 Sep 2024 07:16:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1726928219; cv=none; d=google.com; s=arc-20240605; b=Ae92VuHYQmrnAOfIqmrx624RfNYlyHh2Jtkfn6FFrDaURPXsXGQF5KFc6qwiwWIby6 mTCq+f6jnzlMSFvy/ICGT5JHreF0IuruG9fv6nmQXwhvBYrNPvcG3WMCzvJuHNlZphGp lgm0UvO1Ruk2rbQO0/Xe4VCWEvRxIdNFM7Ut6+Paj84e2zIYvvp4yag61u+LW9b9qOuf VUrVefG3WFgg+iqa5HnHzUVF7GO9zQzy84fXYPYyK7V8KRi9KZgppeHFotheMVumh9Yc uHK9K/zODVkHpRxBxz2hOseD5B4jxX85+hzoIx1bbdW8yvR6G5sJ1KR+MrrJEYOxATvE 31fQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=UwtisQ5AK8y/po8Nho33ju+wFMkjmY3byCnWxkewnkI=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=fytXdlO7cLB3OeYnJP93P4snAyCwzL8zO//euTuKzwFtatflYlpxE7U+cT7QVYzTz7 Ah0eOp2M9TtLXic5bATPDdXkkVX44x5Nkkd8SmJvt5H5TvvLlTIjIfJrzTn2A2L25Nyx oB5ZDj0fpF7dJmHlg2zUNLl4RNnBYjsQKyJw6Jts4oaX8lPR5mk/53EkqJNj+iWahcbi rHwaPsMbQBFaYmXxvtz5/6nNhZOKrl2vQ5P6O456I5I4HrbU01aO/d38vDBH1mNOkxby Aix9AYUY/o4+KvxGiTUqeW8Kw0nzrd390vFhxhkTE2YXKxbksqrautuz5jD67pXAohT/ P3Dw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=CzIeDDdo; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=cUVF+YHg; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=UwjkmKjL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 46e09a7af769-71389bcd117si2541390a34.262.2024.09.21.07.16.59 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sat, 21 Sep 2024 07:16:59 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=CzIeDDdo; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=cUVF+YHg; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=UwjkmKjL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1ss0un-00082S-5v; Sat, 21 Sep 2024 14:16:49 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1ss0ul-00082J-B1 for openvpn-devel@lists.sourceforge.net; Sat, 21 Sep 2024 14:16:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2EFVQvIlZfz9ffzViNwBKX9D6fhieccfiKA3UJjMZv0=; b=CzIeDDdofrhSOhlfUeoEcHpLPM lWEyyKct94ToWq86+6SkCGduAMqeckPKCr1pxyliS1wDrFw55hvVUA9C9HiCoJJKi99vzkDwJgtLy XeAxSU1k4yoM5sDvZfSdOJcdqjC2/g5WUz7zqtraQYBOv3G+HxZowJlv9yxe2tyNlIqI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=2EFVQvIlZfz9ffzViNwBKX9D6fhieccfiKA3UJjMZv0=; b=c UVF+YHgmJjWD95YsVmE0kuvVD/hbMnDbFKUAGRdvknzDpAVIGNML1L2qlm2C3pC2Y1fRAl67yxxrz LFHnHq5/jdq0n9GoT24oXDd+HIUF24iBSHPHfHK8J8IUGJLdfft9E740nJeS56B0a6O97JF57518q 3rVsDq2uR7+FMy3s=; Received: from mail-wr1-f50.google.com ([209.85.221.50]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1ss0uj-0002s9-B3 for openvpn-devel@lists.sourceforge.net; Sat, 21 Sep 2024 14:16:47 +0000 Received: by mail-wr1-f50.google.com with SMTP id ffacd0b85a97d-374bfc395a5so1903199f8f.0 for ; Sat, 21 Sep 2024 07:16:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1726928193; x=1727532993; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=2EFVQvIlZfz9ffzViNwBKX9D6fhieccfiKA3UJjMZv0=; b=UwjkmKjLwlOBVVvnOQ2xeVy5r8XNtuK5OCDcx1z/Q90yRZJW7i4Rx/XhazvZsB4myl Y2sh9Z+fFLocQ5D6ABIRU5eoRcUWBtsdP+ZKwjRZ/gcqccUT7lEZeL/Z/WE8hlbgvkdc 36cKkPxy+z5N+9d7iOMu35Z5DciPQvWDXJcejDB1ourEVZlTpdDiu7hJ4zsBTIk6uTFt 6jAs2mzk3UiNcqXiHSGKc6xQbddJ2cPSvHW42P/bfAGYIJK0jiAZI4LNyXljB4rTD2av IzUBmYjzf16tV+54cwYzbz212gZTjwgIavyq/4NfOYq16hN2YnKV8tBH7hKmZtBu8WeB N09Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726928193; x=1727532993; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=2EFVQvIlZfz9ffzViNwBKX9D6fhieccfiKA3UJjMZv0=; b=en4raaOkd+bil6DNmyr1UsYH6DVtbFdIvwFAkZ71voKxAaq8Az4pzuK6o4q/kgqGqk Wi5wKxv0paw92Ua0Roj4rSDWvOn4GxLbjEl1voHivoT7zq0oOG+Va8JTJSqG5U6yoa35 fXp+mb5CflE08stRVJQZrt5dbccL8+LOiCEcyeRU++yiHNJvlLa4tLuBK8lzcfPX/rxU gjkSq2LMW8CX9tI54vAGMJJkV384xkhN5mOzwSzRlcBt62INGkCGy50bGTWyvbWpwf+8 XfXV0Ih93QvXJIoPjf0CB+BTspzt4aKzZWQFhvyp8tqQdPUIJwOpVW3yDJ5YjGChKbvy wwxw== X-Gm-Message-State: AOJu0YxiWP6WMEULBsKFtYxuX7tjHXShAB+9gubgUt9XIeMUZW0I+PeY JasrBxS4Kdsx20BIklW3wL9JzoRk4M91Y4T5u5Ys9X5Eex/h9I/tUoWAm7hHjHapv7BukZNagse E X-Received: by 2002:adf:f28c:0:b0:374:c878:4519 with SMTP id ffacd0b85a97d-37a41497249mr3550826f8f.3.1726928193221; Sat, 21 Sep 2024 07:16:33 -0700 (PDT) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-378e73e8475sm20013438f8f.35.2024.09.21.07.16.30 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 21 Sep 2024 07:16:31 -0700 (PDT) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 9 Date: Sat, 21 Sep 2024 14:16:30 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I09aa27caa1a3aab0d1be6118b26d54a1c1bf7aa0 X-Gerrit-Change-Number: 31 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 91881eadf25f9f2c76014ceb0bb5d01eb1b5f1d1 References: Message-ID: MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -1.2 (-) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-1.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.221.50 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -1.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.221.50 listed in wl.mailspike.net] 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1ss0uj-0002s9-B3 Subject: [Openvpn-devel] [L] Change in openvpn[master]: Prefer OpenSSL's SIPHASH implementation when available X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1810815484432313803?= X-GMAIL-MSGID: =?utf-8?q?1810815484432313803?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/31?usp=email to review the following change. Change subject: Prefer OpenSSL's SIPHASH implementation when available ...................................................................... Prefer OpenSSL's SIPHASH implementation when available OpenSSL library is significantly faster than the reference implementation (almost 2x). Prefer using this when available. The API for using the SIPHASH MAC is different enough from using normal HMAC or Digest that we already implement that combining them into one API does not make sense. SIPHASH is only available on OpenSSL 3.1 and later. We still check for support on 3.0 and later as the whole API to allow using the SIPHASH alrady exists in OpenSSL 3.0. Some of the later OpenSSL 3.0.x might get support for it. Theoretically, a provider can be loaded in OpenSSL 3.0 that implements SIPHASH. Change-Id: I09aa27caa1a3aab0d1be6118b26d54a1c1bf7aa0 Signed-off-by: Arne Schwabe --- M CMakeLists.txt M src/openvpn/Makefile.am M src/openvpn/bloom.c M src/openvpn/bloom.h M src/openvpn/reflect_filter.c M src/openvpn/siphash.h A src/openvpn/siphash_openssl.c M src/openvpn/siphash_reference.c M tests/unit_tests/openvpn/Makefile.am M tests/unit_tests/openvpn/test_reflect.c 10 files changed, 253 insertions(+), 7 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/31/31/9 diff --git a/CMakeLists.txt b/CMakeLists.txt index 5aba2d4..0faf8da 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -513,6 +513,7 @@ src/openvpn/sig.c src/openvpn/sig.h src/openvpn/siphash.h + src/openvpn/siphash_openssl.c src/openvpn/siphash_reference.c src/openvpn/socket.c src/openvpn/socket.h @@ -780,6 +781,7 @@ src/openvpn/reflect_filter.h src/openvpn/siphash.h src/openvpn/siphash_reference.c + src/openvpn/siphash_openssl.c src/openvpn/otime.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index ca77718..f357764 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -126,6 +126,7 @@ shaper.c shaper.h \ sig.c sig.h \ siphash_reference.c siphash.h \ + siphash_openssl.c \ socket.c socket.h \ socks.c socks.h \ ssl.c ssl.h ssl_backend.h \ diff --git a/src/openvpn/bloom.c b/src/openvpn/bloom.c index 729429e..6225e03 100644 --- a/src/openvpn/bloom.c +++ b/src/openvpn/bloom.c @@ -170,10 +170,19 @@ ALLOC_ARRAY_GC(bf->siphash_keys, struct siphash_key, bf->num_siphash, gc); + bf->siphash_ctx = siphash_cryptolib_init(); + bloom_clear(bf); return bf; } +void +bloom_free(struct bloom_filter *bf) +{ + siphash_cryptolib_uninit(bf->siphash_ctx); +} + + /** * Clear the bloom filter, making it empty again as if it were freshly created * @param bf the bloom structure to clear @@ -209,7 +218,8 @@ if (idx == 0) { /* We have no longer unused bytes in result, generate the next hash */ - siphash(item, len, bf->siphash_keys[j++].key, result, SIPHASH_HASH_SIZE); + siphash(bf->siphash_ctx, item, len, bf->siphash_keys[j++].key, + result, SIPHASH_HASH_SIZE); } bucket = bucket << 8; diff --git a/src/openvpn/bloom.h b/src/openvpn/bloom.h index e180261..b35d784 100644 --- a/src/openvpn/bloom.h +++ b/src/openvpn/bloom.h @@ -75,6 +75,9 @@ /** keys for the siphash functions */ struct siphash_key *siphash_keys; + /** (opaque) context for the siphash implementation */ + void *siphash_ctx; + /** the actual buckets that hold the data */ bloom_counter_t buckets[]; }; @@ -83,6 +86,9 @@ struct bloom_filter * bloom_create(size_t size, size_t num_hashes, struct gc_arena *gc); +void +bloom_free(struct bloom_filter *bf); + bloom_counter_t bloom_test(struct bloom_filter *bf, const uint8_t *item, size_t len); diff --git a/src/openvpn/reflect_filter.c b/src/openvpn/reflect_filter.c index 75445c0..f665e4c 100644 --- a/src/openvpn/reflect_filter.c +++ b/src/openvpn/reflect_filter.c @@ -448,6 +448,7 @@ void initial_rate_limit_free(struct initial_packet_rate_limit *irl) { + bloom_free(irl->bf); gc_free(&irl->gc); free(irl); irl = NULL; diff --git a/src/openvpn/siphash.h b/src/openvpn/siphash.h index d26ee36..14414d5 100644 --- a/src/openvpn/siphash.h +++ b/src/openvpn/siphash.h @@ -20,12 +20,52 @@ #include #include - -int siphash(const void *in, size_t inlen, const void *k, uint8_t *out, - size_t outlen); +#include /* siphash always uses 128-bit keys */ #define SIPHASH_KEY_SIZE 16 #define SIPHASH_HASH_SIZE 16 -#endif + +/* Prototypes for an implementation of SIPHASH in a crypto library */ + +/** + * Calculates SIPHASH using the crypto library function. + */ +int +siphash_cryptolib(void *sip_context, const void *in, size_t inlen, + const void *k, uint8_t *out, size_t outlen); + +/** + * Calculates SIPHASH using the reference implementation + */ +int +siphash_reference(const void *in, size_t inlen, const void *k, + uint8_t *out, size_t outlen); + +void * +siphash_cryptolib_init(void); + +void +siphash_cryptolib_uninit(void *sip_context); + +bool +siphash_cryptolib_available(void *sip_context); + +static inline +int +siphash(void *ctx, const void *in, size_t inlen, const void *k, + uint8_t *out, size_t outlen) +{ + if (siphash_cryptolib_available(ctx) && false) + { + return siphash_cryptolib(ctx, in, inlen, k, out, outlen); + } + else + { + return siphash_reference(in, inlen, k, out, outlen); + } + +} + +#endif /* ifndef SIPHASH_H */ diff --git a/src/openvpn/siphash_openssl.c b/src/openvpn/siphash_openssl.c new file mode 100644 index 0000000..67a77f1 --- /dev/null +++ b/src/openvpn/siphash_openssl.c @@ -0,0 +1,149 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2023 OpenVPN Inc + * Copyright (C) 2023 Arne Schwabe + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include "config.h" +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" + +#include "siphash.h" +#include "buffer.h" + + +#ifdef ENABLE_CRYPTO_OPENSSL +#include +#endif + +#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L + +#include +#include "crypto_openssl.h" + +struct siphash_context +{ + EVP_MAC *mac; + EVP_MAC_CTX *ctx; + size_t size; + OSSL_PARAM params[3]; +}; + +/* + * Computes a SipHash value + * in: pointer to input data (read-only) + * inlen: input data length in bytes (any size_t value) + * k: pointer to the key data (read-only), must be 16 bytes + * out: pointer to output data (write-only), outlen bytes must be allocated + * outlen: length of the output in bytes, must be 8 or 16 + */ +int +siphash_cryptolib(void *sip_context, const void *in, const size_t inlen, + const void *k, uint8_t *out, const size_t outlen) +{ + struct siphash_context *sip = sip_context; + + + sip->params[1] = OSSL_PARAM_construct_octet_string("key", (void *)k, + SIPHASH_KEY_SIZE); + if (!EVP_MAC_init(sip->ctx, NULL, 0, sip->params)) + { + crypto_msg(M_FATAL, "EVP_MAC_init failed"); + } + EVP_MAC_update(sip->ctx, in, inlen); + + size_t outl = 0; + EVP_MAC_final(sip->ctx, out, &outl, outlen); + return 0; +} + +void * +siphash_cryptolib_init(void) +{ + struct siphash_context *sip; + ALLOC_OBJ(sip, struct siphash_context); + + sip->mac = EVP_MAC_fetch(NULL, "SIPHASH", NULL); + if (!sip->mac) + { + /* Our OpenSSL library does not support SIPHASH */ + return sip; + } + sip->ctx = EVP_MAC_CTX_new(sip->mac); + + /* OpenSSL will truly hold a pointer to an int in that parameter */ + sip->size = SIPHASH_HASH_SIZE; + sip->params[0] = OSSL_PARAM_construct_size_t("size", &sip->size); + /* params[1] will hold the key that changes which each invocation */ + sip->params[2] = OSSL_PARAM_construct_end(); + return sip; +} + +bool +siphash_cryptolib_available(void *sip_context) +{ + struct siphash_context *sip = sip_context; + + return (bool)(sip->mac); +} + +void +siphash_cryptolib_uninit(void *sip_context) +{ + struct siphash_context *sip = sip_context; + EVP_MAC_CTX_free(sip->ctx); + EVP_MAC_free(sip->mac); + free(sip_context); +} + +#else /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L */ +/* for now, we only have one implementation of SIPHASH in a libray, so put the + * dummy functions also here */ +int +siphash_cryptolib(void *sip_context, const void *in, const size_t inlen, + const void *k, uint8_t *out, const size_t outlen) +{ + return -1; +} + +bool +siphash_cryptolib_available(void *sip_context) +{ + return false; +} + +void * +siphash_cryptolib_init(void) +{ + return NULL; +} + +void +siphash_cryptolib_uninit(void *sip_context) +{ +} + + +#endif /* if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000L */ diff --git a/src/openvpn/siphash_reference.c b/src/openvpn/siphash_reference.c index 35af707..2a83b5e 100644 --- a/src/openvpn/siphash_reference.c +++ b/src/openvpn/siphash_reference.c @@ -98,8 +98,8 @@ * outlen: length of the output in bytes, must be 8 or 16 */ int -siphash(const void *in, const size_t inlen, const void *k, uint8_t *out, - const size_t outlen) +siphash_reference(const void *in, const size_t inlen, const void *k, + uint8_t *out, const size_t outlen) { const unsigned char *ni = (const unsigned char *)in; diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index cd1c378..9370360 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -158,6 +158,7 @@ $(top_srcdir)/src/openvpn/packet_id.c \ $(top_srcdir)/src/openvpn/platform.c \ $(top_srcdir)/src/openvpn/siphash_reference.c \ + $(top_srcdir)/src/openvpn/siphash_openssl.c \ $(top_srcdir)/src/openvpn/win32-util.c if !WIN32 diff --git a/tests/unit_tests/openvpn/test_reflect.c b/tests/unit_tests/openvpn/test_reflect.c index 5158631..9238fe8 100644 --- a/tests/unit_tests/openvpn/test_reflect.c +++ b/tests/unit_tests/openvpn/test_reflect.c @@ -41,7 +41,42 @@ #include +static void +test_siphash(void **state) +{ + const char *message = "Look behind you, a Three-Headed Monkey!"; + uint8_t out[SIPHASH_HASH_SIZE]; + const uint8_t key[SIPHASH_KEY_SIZE] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 }; + + siphash_reference(message, strlen(message), key, out, SIPHASH_HASH_SIZE); + + const uint8_t expected_out[SIPHASH_HASH_SIZE] = + { 0x3e, 0xea, 0x95, 0xb2, 0x6d, 0x5c, 0x4e, 0xfa, + 0x20, 0x47, 0x65, 0x7e, 0xdd, 0xcd, 0x62, 0x51}; + assert_memory_equal(out, expected_out, SIPHASH_HASH_SIZE); + + struct gc_arena gc = gc_new(); + void *sipctx = siphash_cryptolib_init(); + + + uint8_t out2[SIPHASH_HASH_SIZE]; + + if (siphash_cryptolib_available(sipctx)) + { + siphash_cryptolib(sipctx, message, strlen(message), key, out2, + SIPHASH_HASH_SIZE); + assert_memory_equal(out, out2, SIPHASH_HASH_SIZE); + + /* check that calling the function twice is safe */ + siphash_cryptolib(sipctx, message, strlen(message), key, out2, + SIPHASH_HASH_SIZE); + assert_memory_equal(out, out2, SIPHASH_HASH_SIZE); + } + + siphash_cryptolib_uninit(sipctx); + gc_free(&gc); +} static void test_bloom(void **state) @@ -311,6 +346,7 @@ { openvpn_unit_test_setup(); const struct CMUnitTest tests[] = { + cmocka_unit_test(test_siphash), cmocka_unit_test(test_bloom_access_functions), cmocka_unit_test(test_bloom), cmocka_unit_test(test_bloom_minimal),