From patchwork Mon Nov 11 02:00:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3937 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:41ba:b0:5d9:9f4c:3bc7 with SMTP id a26csp2278300mad; Sun, 10 Nov 2024 18:00:38 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVMuHznc/VhfDBQfrU3H8YrmSRxbIFv1wt0AtkacueVl53EriRCuANiZMTb2STgtzdbo0A6lhqcSeA=@openvpn.net X-Google-Smtp-Source: AGHT+IE0WIahle6pSm318Gj1EP9aGhk8sBGVySHRnLa7Ro+htVVl7Py7z7wP7Qsl4t5mlFWPEcxp X-Received: by 2002:a05:6808:1701:b0:3e6:28c2:8b45 with SMTP id 5614622812f47-3e794653d81mr10168506b6e.5.1731290438354; Sun, 10 Nov 2024 18:00:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731290438; cv=none; d=google.com; s=arc-20240605; b=SQSeK4v+1P8w8ZhKKO3iHxwd0cUw89Z20tM4W24mFWViAjxa+6LQElj+QbFi4gHs+0 xq8ZjGW6Sa9k99HZPILhAiXxQTX8tnAMeiShY7vHDsBsVNLxr9OgwAWjdq5N1L0JmJ1m ltu2I59Orf3N6xoLAzk4gHgEOt4zj+x674Ss+ORz68WTEMxzSDTK4i8QaNmOzZDtehve RE0TT/GEY2bdG4oePa1HzWIy5fjd3m2zucy/XthwhucVobCe35NjIELzcOu1S3Q+Qqwf nIB+re7qSREtBtuxqxSYm9DOE8sJGn/GZCLRf6o7cK4jyY7GBTQzM+AEpzH2vE+lyuvI iCAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=9GmDXHV4Qc8m5pR4Zmc/eYyCe3GLO3YMGfOGfdpHqrw=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=FG+8J80cGzHZB4j/yso3DLv+ahXwiLvUl3zuLIbgn5DqTSAw5uZvaNQ6aZPV689Jjg qbQNkaW9dqHwe/2eP0FHjuwgmeHUkkSk1q4CEqv4lJb8dLbZjB/h0UM8Xrh3sXYkYAGb 62/yFZMuCmMehuuU39JWwDjBhHFno0UGVxTSKcoY/knIyOmwp//WPbFApEL2yoyoo9M6 67IOtfkWOz0cBZBlOl6iNeA41hKELgv+q2vLPe/pHclJ5qIVlF2YUTaCkXAKtO6185Mh lxlloGUpLJm0y7IUY3ZSKGspWmlH6WX0p2JB6C6A4iIcAPkEvpcYVrGFvum3nfuRJpwt I93w==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=NC4RIN7J; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Iejf6wJY; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=Fu3dAmHG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-3e78cd82929si5853781b6e.288.2024.11.10.18.00.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 10 Nov 2024 18:00:38 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=NC4RIN7J; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Iejf6wJY; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=Fu3dAmHG; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tAJjA-0005Q7-L8; Mon, 11 Nov 2024 02:00:28 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tAJj9-0005Pt-NZ for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 02:00:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=ZlyqJ9JJHVmTZhB9QzshH3LAvBHLIkCMVDwnwkGGsoM=; b=NC4RIN7J91dQFGREDO5U0kQEE2 CzNkwmboQiejGq/d5JGAunBMbjJBY+08ZfrASdZi3JdxSPuYsLcFZOsXIMYnkn2HR6L9waX0eRdDO F1GTRnf+USdE6HL8Qjd00YtylJkeJKVOWL1OagEbMPlJW0a2T7UJZ6NgIC3guCIuEi8A=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=ZlyqJ9JJHVmTZhB9QzshH3LAvBHLIkCMVDwnwkGGsoM=; b=I ejf6wJYJ+EjiTtvWK7L7oi0kXp3YXOazav8QKfD38AKdbS34ufYCXUqwmYYDsHX/edVtr2FJpxG0K v9IUvr2PeuwznIkdSROVk/ToIgJEGqadQUbZXGXps3RaSr61ZvTy/rnIFgwTVA0BMg+DMMzirWhyX 1wP+fgzr+y0N6gk4=; Received: from mail-wm1-f46.google.com ([209.85.128.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1tAJj5-0001bG-TO for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 02:00:27 +0000 Received: by mail-wm1-f46.google.com with SMTP id 5b1f17b1804b1-431ac30d379so34322265e9.1 for ; Sun, 10 Nov 2024 18:00:22 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1731290411; x=1731895211; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=ZlyqJ9JJHVmTZhB9QzshH3LAvBHLIkCMVDwnwkGGsoM=; b=Fu3dAmHGWsmg26sQWIp9QykTbCQviQGRA+MqGslZgwJ521E581aVkxTS3S22nOWbQe T9WezGPG42Q3+7L5kyT41lyKvCd3PRMneuiNhFQ5OBlKoW1WoKMkAIDpDfUJJ0cPxhlN Mcy5Li/0psh9EycET4Vs2HnuvtmH5UQVhAnZVKx5JwQjKfWC4LhFKdc86+boup6RyLOE jRlhnvnumrSoeiq2e9MFAPDr82/AcztiD6bB5HYL6lIWNL+fR4BLzHWQqGTtLIceb7ca liKngUa2hYcmszgrb9rN/SbIwq9Qr6miDGXYMCZn+D6Mn6pV8Mo6lZeRtsadpZoxtuqX Kpgg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731290411; x=1731895211; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ZlyqJ9JJHVmTZhB9QzshH3LAvBHLIkCMVDwnwkGGsoM=; b=rQKPQZFvNKhP/WvnqwUYJTe/Y+5cprBcSFNSTt3a7S2mWGbyPg94VWOOPVTzEZ2lEg XkrwaTqqBSqQD8GCUeaaibMBGAha5dwLfAmmeHzPqhPgOBSuWxRR7sSERzxboItx3Xnc HiOzj6DWSZNcBcEjm+9UxjCz9A8MSfBlFp8DGD1fY/cWHHmxN64pK8mZzOyzdy53z2IP e4uDqj24PJ2z0wCobplBUZ3ippwfIELrI4Y75JuDHC6dAd7THCHfkoFmYg5HTf+ybTT+ Pk+aPVaLfGWsm/bFa1kCd/Han/UzLSjMgyYvoWAy9iUt0bfg1BoaMeNesh6tm0ALqeaw cA5A== X-Gm-Message-State: AOJu0YydBO6UtxZYGts+N7/Sw5NxUdCyZCLHJgI3Ffv+KNQuuVQcxJ1X 8YMEAvkAClP++O8vv40mXg/txj7jn5nL9WrHGwX9yJoQnsnDgZ3ouaobznwbnp1wtL1W2WU5cAh h X-Received: by 2002:a05:600c:8715:b0:426:602d:a246 with SMTP id 5b1f17b1804b1-432b75199famr82327345e9.32.1731290410306; Sun, 10 Nov 2024 18:00:10 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-432b04753d5sm165530225e9.0.2024.11.10.18.00.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 Nov 2024 18:00:09 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Mon, 11 Nov 2024 02:00:09 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I00751c42cb04e30205ba8e6584530831e0d143c5 X-Gerrit-Change-Number: 806 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: c728823e14163bec77e267694a36412571afc543 References: Message-ID: MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.128.46 listed in list.dnswl.org] -0.7 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.46 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1tAJj5-0001bG-TO Subject: [Openvpn-devel] [L] Change in openvpn[master]: Implement epoch key data format X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1815389602738902963?= X-GMAIL-MSGID: =?utf-8?q?1815389602738902963?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/806?usp=email to review the following change. Change subject: Implement epoch key data format ...................................................................... Implement epoch key data format With DCO and possible future hardware assisted OpenVPN acceleration we are approaching the point where 32 bit IVs are not cutting it any more, especially if we are limiting the IVs to the safe limits of AES-GCM where the limit is more 2^29. To illustrate the problem, some back of the envelope math here: If we want to keep the current 3600s renegotiation interval and have a safety margin of 25% (when we trigger renegotiation) we have about 3.2 million packets (2*32 * 0.7) to work with. That translates to about 835k packets per second. Currently, implementation trigger the renegotiation at 0xff00000000 or at 7/8 of the AEAD usage limit. With 1300 Byte packets that translates into 8-9 Gbit/s. That is far from unrealistic any more. Current DCO implementations are already in spitting distance to that or might even reach (for a single client connection) that if you have extremely fast single core performance CPU. With the AEAD usage limit, these limits are almost a factor of 8 lower so with the limit becomes 1-2 GBit/s. This is already reached without DCO on some platforms. This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. No effort has been made to support larger packet counters in any other scenario since those are all legacy. This uses the same approach of epoch keys as (D)TLS 1.3 does and switches the data channel regularly for affected AEAD ciphers when reaching the usage limit. For Chacha20-Poly1305, which does not suffer the same problems as AES-GCM, the full 48 bit of packet counter are used only after that the same logic to switch to a new key as with AES-GCM is done. Change-Id: I00751c42cb04e30205ba8e6584530831e0d143c5 Signed-off-by: Arne Schwabe --- M CMakeLists.txt M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/crypto_backend.h M src/openvpn/dco.h M src/openvpn/init.c M src/openvpn/multi.c M src/openvpn/ssl.c M src/openvpn/ssl_common.h M src/openvpn/ssl_ncp.c M src/openvpn/tls_crypt.c M tests/Makefile.am M tests/unit_tests/openvpn/Makefile.am M tests/unit_tests/openvpn/test_ssl.c 14 files changed, 443 insertions(+), 60 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/806/1 diff --git a/CMakeLists.txt b/CMakeLists.txt index cbc93cd..6daeaea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -705,6 +705,7 @@ target_sources(test_auth_token PRIVATE src/openvpn/base64.c + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c @@ -733,9 +734,10 @@ tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c - src/openvpn/crypto.c + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c + src/openvpn/crypto.c src/openvpn/cryptoapi.c src/openvpn/env_set.c src/openvpn/mss.c @@ -761,6 +763,7 @@ ) target_sources(test_ncp PRIVATE + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c @@ -782,6 +785,7 @@ tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c @@ -835,9 +839,11 @@ target_compile_options(test_networking PRIVATE -UNDEBUG) target_sources(test_networking PRIVATE src/openvpn/networking_sitnl.c + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c + src/openvpn/crypto_epoch.c src/openvpn/otime.c src/openvpn/packet_id.c ) @@ -853,6 +859,7 @@ tests/unit_tests/openvpn/mock_win32_execve.c src/openvpn/argv.c src/openvpn/base64.c + src/openvpn/crypto_epoch.c src/openvpn/crypto_mbedtls.c src/openvpn/crypto_openssl.c src/openvpn/crypto.c diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 996830c..f239282 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -32,6 +32,8 @@ #include #include "crypto.h" +#include "crypto_epoch.h" +#include "packet_id.h" #include "error.h" #include "integer.h" #include "platform.h" @@ -68,7 +70,15 @@ { struct gc_arena gc; int outlen = 0; + const bool use_epoch_data_format = opt->flags & CO_EPOCH_DATA_KEY_FORMAT; + + if (use_epoch_data_format) + { + epoch_check_send_iterate(opt); + } + const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; + uint8_t *mac_out = NULL; const int mac_len = OPENVPN_AEAD_TAG_LENGTH; @@ -89,14 +99,24 @@ buf_set_write(&iv_buffer, iv, iv_len); /* IV starts with packet id to make the IV unique for packet */ - if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false)) + if (use_epoch_data_format) { - msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); - goto err; + if (!packet_id_write_epoch(&opt->packet_id.send, ctx->epoch, &iv_buffer)) + { + msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); + goto err; + } } - + else + { + if (!packet_id_write(&opt->packet_id.send, &iv_buffer, false, false)) + { + msg(D_CRYPT_ERRORS, "ENCRYPT ERROR: packet ID roll over"); + goto err; + } + } /* Write packet id part of IV to work buffer */ - ASSERT(buf_write(&work, iv, packet_id_size(false))); + ASSERT(buf_write(&work, iv, buf_len(&iv_buffer))); /* Remainder of IV consists of implicit part (unique per session) * XOR of packet and implicit IV */ @@ -128,7 +148,7 @@ dmsg(D_PACKET_CONTENT, "ENCRYPT AD: %s", format_hex(BPTR(&work), BLEN(&work), 0, &gc)); - if (!(opt->flags & CO_EPOCH_DATA_KEY_FORMAT)) + if (!use_epoch_data_format) { /* Reserve space for authentication tag */ mac_out = buf_write_alloc(&work, mac_len); @@ -149,7 +169,7 @@ ASSERT(buf_inc_len(&work, outlen)); /* if the tag is at end the end, allocate it now */ - if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT) + if (use_epoch_data_format) { /* Reserve space for authentication tag */ mac_out = buf_write_alloc(&work, mac_len); @@ -365,14 +385,35 @@ bool crypto_check_replay(struct crypto_options *opt, - const struct packet_id_net *pin, const char *error_prefix, + const struct packet_id_net *pin, uint16_t epoch, + const char *error_prefix, struct gc_arena *gc) { bool ret = false; - packet_id_reap_test(&opt->packet_id.rec); - if (packet_id_test(&opt->packet_id.rec, pin)) + struct packet_id_rec *recv; + + if (epoch == 0 || opt->key_ctx_bi.decrypt.epoch == epoch) { - packet_id_add(&opt->packet_id.rec, pin); + recv = &opt->packet_id.rec; + } + else if (epoch == opt->epoch_retiring_data_receive_key.epoch) + { + recv = &opt->epoch_retiring_key_pid_recv; + } + else + { + /* We have an epoch that is neither current or old recv key but + * is authenticated, ie we need to move to a new current recv key */ + msg(D_GENKEY, "Received data packet with new epoch %d. Updating " + "receive key", epoch); + epoch_replace_update_recv_key(opt, epoch); + recv = &opt->packet_id.rec; + } + + packet_id_reap_test(recv); + if (packet_id_test(recv, pin)) + { + packet_id_add(recv, pin); if (opt->pid_persist && (opt->flags & CO_PACKET_ID_LONG_FORM)) { packet_id_persist_save_obj(opt->pid_persist, &opt->packet_id); @@ -408,8 +449,9 @@ static const char error_prefix[] = "AEAD Decrypt error"; struct packet_id_net pin = { 0 }; const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; - int outlen; struct gc_arena gc; + const bool use_epoch_data_format = opt->flags & CO_EPOCH_DATA_KEY_FORMAT; + const int tag_size = OPENVPN_AEAD_TAG_LENGTH; gc_init(&gc); @@ -428,20 +470,58 @@ /* IV and Packet ID required for this mode */ ASSERT(packet_id_initialized(&opt->packet_id)); + /* Ensure that the packet size is long enough */ + int min_packet_len = packet_id_size(false) + tag_size + 1; + + if (use_epoch_data_format) + { + min_packet_len += sizeof(uint32_t); + } + + if (buf->len < min_packet_len) + { + CRYPT_ERROR("missing IV info, missing tag or no payload"); + } + + uint16_t epoch = 0; /* Combine IV from explicit part from packet and implicit part from context */ { uint8_t iv[OPENVPN_MAX_IV_LENGTH] = { 0 }; const int iv_len = cipher_ctx_iv_length(ctx->cipher); - const size_t packet_iv_len = packet_id_size(false); - if (buf->len < packet_id_size(false)) + /* Read packet id. For epoch data format also lookup the epoch key + * to be able to use the implicit IV of the correct decryption key */ + if (use_epoch_data_format) { - CRYPT_ERROR("missing IV info"); + /* packet ID format is 16 bit epoch + 48 per epoch packet-counter */ + const size_t packet_iv_len = sizeof(uint64_t); + + /* copy the epoch-counter part into the IV */ + memcpy(iv, BPTR(buf), packet_iv_len); + + epoch = packet_id_read_epoch(&pin, buf); + if (epoch == 0) + { + CRYPT_ERROR("error reading packet-id"); + } + ctx = epoch_lookup_decrypt_key(opt, epoch); + if (!ctx) + { + CRYPT_ERROR("data packet with unknown epoch"); + } + } + else + { + const size_t packet_iv_len = packet_id_size(false); + /* Packet ID form is a 32 bit packet counter */ + memcpy(iv, BPTR(buf), packet_iv_len); + if (!packet_id_read(&pin, buf, false)) + { + CRYPT_ERROR("error reading packet-id"); + } } - memcpy(iv, BPTR(buf), packet_iv_len); - - /* Remainder of IV consists of implicit part (unique per session) + /* Remainder of IV consists of implicit part (unique per session/epoch key) * XOR of packet counter and implicit IV */ for (int i = 0; i < iv_len; i++) { @@ -457,25 +537,12 @@ } } - /* Read packet ID from packet */ - if (!packet_id_read(&pin, buf, false)) - { - CRYPT_ERROR("error reading packet-id"); - } - - /* keep the tag value to feed in later */ - const int tag_size = OPENVPN_AEAD_TAG_LENGTH; - if (buf->len < tag_size + 1) - { - CRYPT_ERROR("missing tag or no payload"); - } - const int ad_size = BPTR(buf) - ad_start; uint8_t *tag_ptr = NULL; int data_len = 0; - if (opt->flags & CO_EPOCH_DATA_KEY_FORMAT) + if (use_epoch_data_format) { data_len = BLEN(buf) - tag_size; tag_ptr = BPTR(buf) + data_len; @@ -496,13 +563,13 @@ CRYPT_ERROR("potential buffer overflow"); } - /* feed in tag and the authenticated data */ ASSERT(cipher_ctx_update_ad(ctx->cipher, ad_start, ad_size)); dmsg(D_PACKET_CONTENT, "DECRYPT AD: %s", format_hex(ad_start, ad_size, 0, &gc)); /* Decrypt and authenticate packet */ + int outlen; if (!cipher_ctx_update(ctx->cipher, BPTR(&work), &outlen, BPTR(buf), data_len)) { @@ -525,7 +592,7 @@ dmsg(D_PACKET_CONTENT, "DECRYPT TO: %s", format_hex(BPTR(&work), BLEN(&work), 80, &gc)); - if (!crypto_check_replay(opt, &pin, error_prefix, &gc)) + if (!crypto_check_replay(opt, &pin, epoch, error_prefix, &gc)) { goto error_exit; } @@ -696,7 +763,7 @@ } } - if (have_pin && !crypto_check_replay(opt, &pin, error_prefix, &gc)) + if (have_pin && !crypto_check_replay(opt, &pin, 0, error_prefix, &gc)) { goto error_exit; } diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 933bc2f..369d19f 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -518,6 +518,7 @@ */ bool crypto_check_replay(struct crypto_options *opt, const struct packet_id_net *pin, + uint16_t epoch, const char *error_prefix, struct gc_arena *gc); diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index c454c64..de74def 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -38,7 +38,7 @@ #include "basic.h" #include "buffer.h" -/* TLS uses a tag of 128 bytes, let's do the same for OpenVPN */ +/* TLS uses a tag of 128 bits, let's do the same for OpenVPN */ #define OPENVPN_AEAD_TAG_LENGTH 16 /* Maximum cipher block size (bytes) */ diff --git a/src/openvpn/dco.h b/src/openvpn/dco.h index 035474f..c3e05a8 100644 --- a/src/openvpn/dco.h +++ b/src/openvpn/dco.h @@ -249,6 +249,15 @@ */ const char *dco_get_supported_ciphers(void); +/** + * Return whether the dco implementation supports the new protocol features of + * a 64 bit packet counter and AEAD tag at the end. + */ +static inline bool +dco_supports_epoch_data(struct context *c) +{ + return false; +} #else /* if defined(ENABLE_DCO) */ typedef void *dco_context_t; @@ -380,5 +389,10 @@ return ""; } +static inline bool +dco_supports_epoch_data(struct context *c) +{ + return false; +} #endif /* defined(ENABLE_DCO) */ #endif /* ifndef DCO_H */ diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 2c831fe..387d895 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2761,6 +2761,19 @@ } } + /* Ensure that for epoch data format is only enabled if also data v2 + * is enabled */ + bool epoch_data = (c->options.imported_protocol_flags & CO_EPOCH_DATA_KEY_FORMAT); + bool datav2_enabled = (c->options.peer_id >= 0 && c->options.peer_id < MAX_PEER_ID); + + if (epoch_data && !datav2_enabled) + { + msg(D_PUSH_ERRORS, "OPTIONS ERROR: Epoch key data format tag requires " + "data v2 (peer-id) to be enabled."); + return false; + } + + if (found & OPT_P_PUSH_MTU) { /* MTU has changed, check that the pushed MTU is small enough to @@ -3357,6 +3370,15 @@ to.push_peer_info_detail = 1; } + /* Check if the DCO drivers support the epoch data format */ + if (dco_enabled(options)) + { + to.data_epoch_supported = dco_supports_epoch_data(c); + } + else + { + to.data_epoch_supported = true; + } /* should we not xmit any packets until we get an initial * response from client? */ diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index 45b3cfa..8a6887a 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -1849,6 +1849,12 @@ } #endif + if (tls_multi->session[TM_ACTIVE].opt->data_epoch_supported + && (proto & IV_PROTO_DATA_EPOCH)) + { + o->imported_protocol_flags |= CO_EPOCH_DATA_KEY_FORMAT; + } + if (proto & IV_PROTO_CC_EXIT_NOTIFY) { o->imported_protocol_flags |= CO_USE_CC_EXIT_NOTIFY; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9eaf3ac..d2d862f 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -54,6 +54,7 @@ #include "route.h" #include "tls_crypt.h" +#include "crypto_epoch.h" #include "ssl.h" #include "ssl_verify.h" #include "ssl_backend.h" @@ -912,6 +913,7 @@ key_state_ssl_free(&ks->ks_ssl); free_key_ctx_bi(&ks->crypto_options.key_ctx_bi); + free_epoch_key_ctx(&ks->crypto_options); free_buf(&ks->plaintext_read_buf); free_buf(&ks->plaintext_write_buf); free_buf(&ks->ack_write_buf); @@ -1359,6 +1361,48 @@ } static void +init_epoch_keys(struct key_state *ks, + struct tls_multi *multi, + const struct key_type *key_type, + bool server, + struct key2 *key2) +{ + /* For now we hardcode this to be 16 for the software based data channel + * DCO based implementations/HW implementation might adjust this number + * based on their expected speed */ + const int future_key_count = 16; + + int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL; + struct key_direction_state kds; + key_direction_state_init(&kds, key_direction); + + struct crypto_options *co = &ks->crypto_options; + + /* For the epoch key we use the first 32 bytes of key2 cipher keys + * for the initial secret */ + struct epoch_key e1_send = { 0 }; + e1_send.epoch = 1; + memcpy(&e1_send.epoch_key, key2->keys[kds.out_key].cipher, sizeof(e1_send.epoch_key)); + + struct epoch_key e1_recv = { 0 }; + e1_recv.epoch = 1; + memcpy(&e1_recv.epoch_key, key2->keys[kds.in_key].cipher, sizeof(e1_recv.epoch_key)); + + /* DCO implementations have two choices at this point. + * + * a) (more likely) they probably to pass E1 directly to kernel + * space at this point and do all the other key derivation in kernel + * + * b) They let userspace do the key derivation and pass all the individual + * keys to the DCO layer. + * */ + epoch_init_key_ctx(co, key_type, &e1_send, &e1_recv, future_key_count); + + secure_memzero(&e1_send, sizeof(e1_send)); + secure_memzero(&e1_recv, sizeof(e1_recv)); +} + +static void init_key_contexts(struct key_state *ks, struct tls_multi *multi, const struct key_type *key_type, @@ -1391,6 +1435,16 @@ CLEAR(key->decrypt); key->initialized = true; } + else if (multi->opt.crypto_flags & CO_EPOCH_DATA_KEY_FORMAT) + { + if (!cipher_kt_mode_aead(key_type->cipher)) + { + msg(M_FATAL, "AEAD cipher (currently %s) " + "required for epoch data format.", + cipher_kt_name(key_type->cipher)); + } + init_epoch_keys(ks, multi, key_type, server, key2); + } else { init_key_ctx_bi(key, key2, key_direction, key_type, "Data Channel"); @@ -1966,6 +2020,11 @@ iv_proto |= IV_PROTO_NCP_P2P; } + if (session->opt->data_epoch_supported) + { + iv_proto |= IV_PROTO_DATA_EPOCH; + } + buf_printf(&out, "IV_CIPHERS=%s\n", session->opt->config_ncp_ciphers); #ifdef HAVE_EXPORT_KEYING_MATERIAL @@ -2975,13 +3034,29 @@ return true; } + if (ks->crypto_options.flags & CO_EPOCH_DATA_KEY_FORMAT) + { + /* We only need to check the send key as we always keep send + * key epoch >= recv key epoch in \c epoch_replace_update_recv_key */ + if (ks->crypto_options.epoch_key_send.epoch >= 0xF000) + { + return true; + } + else + { + return false; + } + } + + /* Packet id approach the limit of the packet id */ if (packet_id_close_to_wrapping(&ks->crypto_options.packet_id.send)) { return true; } - /* Check the AEAD usage limit of cleartext blocks + packets */ + /* Check the AEAD usage limit of cleartext blocks + packets. + * When epoch are in use the crypto layer will handle this internally */ const struct key_ctx_bi *key_ctx_bi = &ks->crypto_options.key_ctx_bi; const int64_t usage_limit = session->opt->aead_usage_limit; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 511127d..6a4b39d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -314,7 +314,6 @@ /* from command line */ bool single_session; - bool disable_occ; int mode; bool pull; /** @@ -367,6 +366,12 @@ const char *config_ciphername; const char *config_ncp_ciphers; + /** whether our underlying data channel supports new data channel + * features (epoch keys with AEAD tag at the end). This is always true + * for the internal implementation but can be false for DCO + * implementations */ + bool data_epoch_supported; + bool tls_crypt_v2; const char *tls_crypt_v2_verify_script; @@ -496,8 +501,6 @@ */ int key_id; - int limit_next; /* used for traffic shaping on the control channel */ - int verify_maxlevel; char *common_name; diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 968858e..00be96d 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -430,6 +430,11 @@ session->opt->crypto_flags |= CO_USE_CC_EXIT_NOTIFY; } + if (session->opt->data_epoch_supported && (iv_proto_peer & IV_PROTO_DATA_EPOCH)) + { + session->opt->crypto_flags |= CO_EPOCH_DATA_KEY_FORMAT; + } + #if defined(HAVE_EXPORT_KEYING_MATERIAL) if (iv_proto_peer & IV_PROTO_TLS_KEY_EXPORT) { @@ -499,9 +504,12 @@ } msg(D_TLS_DEBUG_LOW, "P2P mode NCP negotiation result: " - "TLS_export=%d, DATA_v2=%d, peer-id %d, cipher=%s", + "TLS_export=%d, DATA_v2=%d, peer-id %d, epoch=%d, cipher=%s", (bool)(session->opt->crypto_flags & CO_USE_TLS_KEY_MATERIAL_EXPORT), - multi->use_peer_id, multi->peer_id, common_cipher); + multi->use_peer_id, + multi->peer_id, + (bool)(session->opt->crypto_flags & CO_EPOCH_DATA_KEY_FORMAT), + common_cipher); gc_free(&gc); } diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 76f06bc..7c5eb01 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -301,7 +301,7 @@ struct buffer tmp = *src; ASSERT(buf_advance(&tmp, TLS_CRYPT_OFF_PID)); ASSERT(packet_id_read(&pin, &tmp, true)); - if (!crypto_check_replay(opt, &pin, error_prefix, &gc)) + if (!crypto_check_replay(opt, &pin, 0, error_prefix, &gc)) { CRYPT_ERROR("packet replay"); } diff --git a/tests/Makefile.am b/tests/Makefile.am index f26b3b8..3246e34 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -52,6 +52,7 @@ unit_tests/openvpn/mock_msg.c unit_tests/openvpn/mock_msg.h \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/otime.c \ diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 307f9ed..471389b 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -86,6 +86,7 @@ $(top_srcdir)/src/compat/compat-strsep.c \ $(top_srcdir)/src/openvpn/crypto.c \ $(top_srcdir)/src/openvpn/cryptoapi.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -132,6 +133,7 @@ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -160,6 +162,7 @@ $(top_srcdir)/src/openvpn/base64.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/env_set.c \ @@ -179,6 +182,7 @@ $(top_srcdir)/src/openvpn/networking_sitnl.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -250,6 +254,7 @@ auth_token_testdriver_SOURCES = test_auth_token.c mock_msg.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/otime.c \ @@ -285,6 +290,7 @@ ncp_testdriver_SOURCES = test_ncp.c mock_msg.c \ $(top_srcdir)/src/openvpn/buffer.c \ $(top_srcdir)/src/openvpn/crypto.c \ + $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ $(top_srcdir)/src/openvpn/otime.c \ diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 845ca56..93b3094 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -35,6 +35,7 @@ #include #include "crypto.h" +#include "crypto_epoch.h" #include "options.h" #include "ssl_backend.h" #include "options_util.h" @@ -370,22 +371,46 @@ struct crypto_options -init_crypto_options(const char *cipher, const char *auth) +init_crypto_options(const char *cipher, const char *auth, bool epoch, + struct key2 *statickey) { struct key2 key2 = { .n = 2}; - ASSERT(rand_bytes(key2.keys[0].cipher, sizeof(key2.keys[0].cipher))); - ASSERT(rand_bytes(key2.keys[0].hmac, sizeof(key2.keys[0].hmac))); - ASSERT(rand_bytes(key2.keys[1].cipher, sizeof(key2.keys[1].cipher))); - ASSERT(rand_bytes(key2.keys[1].hmac, sizeof(key2.keys)[1].hmac)); + if (statickey) + { + /* Use chosen static key instead of random key when defined */ + key2 = *statickey; + } + else + { + ASSERT(rand_bytes(key2.keys[0].cipher, sizeof(key2.keys[0].cipher))); + ASSERT(rand_bytes(key2.keys[0].hmac, sizeof(key2.keys[0].hmac))); + ASSERT(rand_bytes(key2.keys[1].cipher, sizeof(key2.keys[1].cipher))); + ASSERT(rand_bytes(key2.keys[1].hmac, sizeof(key2.keys)[1].hmac)); + } struct crypto_options co = { 0 }; struct key_type kt = create_kt(cipher, auth, "ssl-test"); - init_key_ctx_bi(&co.key_ctx_bi, &key2, 0, &kt, "unit-test-ssl"); - packet_id_init(&co.packet_id, 5, 5, "UNITTEST", 0); + if (epoch) + { + struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }}; + memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key)); + co.flags |= CO_EPOCH_DATA_KEY_FORMAT; + epoch_init_key_ctx(&co, &kt, &e1, &e1, 5); + /* Do a little of dancing for the epoch_send_key_iterate to test + * that this works too */ + epoch_iterate_send_key(&co); + epoch_iterate_send_key(&co); + epoch_iterate_send_key(&co); + } + else + { + init_key_ctx_bi(&co.key_ctx_bi, &key2, KEY_DIRECTION_BIDIRECTIONAL, &kt, "unit-test-ssl"); + } + packet_id_init(&co.packet_id, 5, 5, "UNITTEST", 0); return co; } @@ -394,17 +419,16 @@ { packet_id_free(&co->packet_id); free_key_ctx_bi(&co->key_ctx_bi); - + free_epoch_key_ctx(co); } /* This adds a few more methods than strictly necessary but this allows * us to see which exact test was run from the backtrace of the test * when it fails */ static void -run_data_channel_with_cipher_end(const char *cipher) +run_data_channel_with_cipher_epoch(const char *cipher) { - struct crypto_options co = init_crypto_options(cipher, "none"); - co.flags |= CO_EPOCH_DATA_KEY_FORMAT; + struct crypto_options co = init_crypto_options(cipher, "none", true, NULL); do_data_channel_round_trip(&co); uninit_crypto_options(&co); } @@ -412,7 +436,7 @@ static void run_data_channel_with_cipher(const char *cipher, const char *auth) { - struct crypto_options co = init_crypto_options(cipher, auth); + struct crypto_options co = init_crypto_options(cipher, auth, false, NULL); do_data_channel_round_trip(&co); uninit_crypto_options(&co); } @@ -421,21 +445,21 @@ static void test_data_channel_roundtrip_aes_128_gcm(void **state) { - run_data_channel_with_cipher_end("AES-128-GCM"); + run_data_channel_with_cipher_epoch("AES-128-GCM"); run_data_channel_with_cipher("AES-128-GCM", "none"); } static void test_data_channel_roundtrip_aes_192_gcm(void **state) { - run_data_channel_with_cipher_end("AES-192-GCM"); + run_data_channel_with_cipher_epoch("AES-192-GCM"); run_data_channel_with_cipher("AES-192-GCM", "none"); } static void test_data_channel_roundtrip_aes_256_gcm(void **state) { - run_data_channel_with_cipher_end("AES-256-GCM"); + run_data_channel_with_cipher_epoch("AES-256-GCM"); run_data_channel_with_cipher("AES-256-GCM", "none"); } @@ -466,7 +490,7 @@ return; } - run_data_channel_with_cipher_end("ChaCha20-Poly1305"); + run_data_channel_with_cipher_epoch("ChaCha20-Poly1305"); run_data_channel_with_cipher("ChaCha20-Poly1305", "none"); } @@ -482,6 +506,153 @@ } +static struct key2 +create_key(void) +{ + struct key2 key2 = {.n = 2}; + + const uint8_t key[] = + {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', '0', '1', '2', '3', '4', '5', '6', '7', 'A', 'B', 'C', 'D', 'E', 'F', + 'G', 'H', 'j', 'k', 'u', 'c', 'h', 'e', 'n', 'l'}; + + static_assert(sizeof(key) == 32, "Size of key should be 32 bytes"); + + /* copy the key a few times to ensure to have the size we need for + * Statickey but XOR it to not repeat it */ + uint8_t keydata[sizeof(key2.keys)]; + + for (int i = 0; i < sizeof(key2.keys); i++) + { + keydata[i] = (uint8_t) (key[i % sizeof(key)] ^ i); + } + + ASSERT(memcpy(key2.keys[0].cipher, keydata, sizeof(key2.keys[0].cipher))); + ASSERT(memcpy(key2.keys[0].hmac, keydata + 64, sizeof(key2.keys[0].hmac))); + ASSERT(memcpy(key2.keys[1].cipher, keydata + 128, sizeof(key2.keys[1].cipher))); + ASSERT(memcpy(key2.keys[1].hmac, keydata + 192, sizeof(key2.keys)[1].hmac)); + + return key2; +} + +static void +test_data_channel_known_vectors_run(bool epoch) +{ + struct key2 key2 = create_key(); + + struct crypto_options co = init_crypto_options("AES-256-GCM", "none", epoch, + &key2); + + struct gc_arena gc = gc_new(); + + /* initialise frame for the test */ + struct frame frame; + init_frame_parameters(&frame); + + struct buffer src = alloc_buf_gc(frame.buf.payload_size, &gc); + struct buffer work = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer buf = clear_buf(); + void *buf_p; + + /* init work */ + ASSERT(buf_init(&work, frame.buf.headroom)); + + now = 0; + + /* + * Load src with known data. + */ + ASSERT(buf_init(&src, 0)); + const char *plaintext = "The quick little fox jumps over the bureaucratic hurdles"; + + ASSERT(buf_write(&src, plaintext, strlen(plaintext))); + + /* copy source to input buf */ + buf = work; + buf_p = buf_write_alloc(&buf, BLEN(&src)); + ASSERT(buf_p); + memcpy(buf_p, BPTR(&src), BLEN(&src)); + + /* initialize work buffer with buf.headroom bytes of prepend capacity */ + ASSERT(buf_init(&encrypt_workspace, frame.buf.headroom)); + + /* add packet opcode and peer id */ + buf_write_u8(&encrypt_workspace, 7); + buf_write_u8(&encrypt_workspace, 0); + buf_write_u8(&encrypt_workspace, 0); + buf_write_u8(&encrypt_workspace, 23); + + /* encrypt */ + openvpn_encrypt(&buf, encrypt_workspace, &co); + + /* separate buffer in authenticated data and encrypted data */ + uint8_t *ad_start = BPTR(&buf); + buf_advance(&buf, 4); + + if (epoch) + { + uint8_t packetid1[8] = {0, 0x04, 0, 0, 0, 0, 0, 1}; + assert_memory_equal(BPTR(&buf), packetid1, 8); + } + else + { + uint8_t packetid1[4] = {0, 0, 0, 1}; + assert_memory_equal(BPTR(&buf), packetid1, 4); + } + + if (epoch) + { + uint8_t *tag_location = BEND(&buf) - OPENVPN_AEAD_TAG_LENGTH; + const uint8_t exp_tag_long[16] = + {0x86, 0x20, 0xfe, 0xc6, 0x65, 0xa6, 0xab, 0x2a, + 0x34, 0xa6, 0xb8, 0xd4, 0xb4, 0xa9, 0x00, 0x9e}; + assert_memory_equal(tag_location, exp_tag_long, OPENVPN_AEAD_TAG_LENGTH); + } + else + { + uint8_t *tag_location = BPTR(&buf) + 4; + const uint8_t exp_tag_short[16] = + {0x1f, 0xdd, 0x90, 0x8f, 0x0e, 0x9d, 0xc2, 0x5e, 0x79, 0xd8, 0x32, 0x02, 0x0d, 0x58, 0xe7, 0x3f}; + assert_memory_equal(tag_location, exp_tag_short, OPENVPN_AEAD_TAG_LENGTH); + } + + /* Check some bytes at the beginning of the encrypted part */ + if (epoch) + { + const uint8_t bytesat14[6] = {0x62, 0xa9, 0xe3, 0x7a, 0xa7, 0xf0}; + assert_memory_equal(BPTR(&buf) + 14, bytesat14, sizeof(bytesat14)); + } + else + { + const uint8_t bytesat30[6] = {0xa8, 0x2e, 0x6b, 0x17, 0x06, 0xd9}; + assert_memory_equal(BPTR(&buf) + 30, bytesat30, sizeof(bytesat30)); + } + + /* decrypt */ + openvpn_decrypt(&buf, decrypt_workspace, &co, &frame, ad_start); + + /* compare */ + assert_int_equal(buf.len, strlen(plaintext)); + assert_memory_equal(BPTR(&buf), plaintext, strlen(plaintext)); + + uninit_crypto_options(&co); + gc_free(&gc); +} + +static void +test_data_channel_known_vectors_epoch(void **state) +{ + test_data_channel_known_vectors_run(true); +} + +static void +test_data_channel_known_vectors_shortpktid(void **state) +{ + test_data_channel_known_vectors_run(false); +} + + int main(void) { @@ -499,6 +670,8 @@ cmocka_unit_test(test_data_channel_roundtrip_aes_192_cbc), cmocka_unit_test(test_data_channel_roundtrip_aes_256_cbc), cmocka_unit_test(test_data_channel_roundtrip_bf_cbc), + cmocka_unit_test(test_data_channel_known_vectors_epoch), + cmocka_unit_test(test_data_channel_known_vectors_shortpktid) }; #if defined(ENABLE_CRYPTO_OPENSSL)