summaryrefslogtreecommitdiff
path: root/main/openvpn/src/openvpn/crypto_polarssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'main/openvpn/src/openvpn/crypto_polarssl.c')
-rw-r--r--main/openvpn/src/openvpn/crypto_polarssl.c199
1 files changed, 66 insertions, 133 deletions
diff --git a/main/openvpn/src/openvpn/crypto_polarssl.c b/main/openvpn/src/openvpn/crypto_polarssl.c
index c7a41baf..1a986dbd 100644
--- a/main/openvpn/src/openvpn/crypto_polarssl.c
+++ b/main/openvpn/src/openvpn/crypto_polarssl.c
@@ -46,7 +46,6 @@
#include "misc.h"
#include <polarssl/des.h>
-#include <polarssl/error.h>
#include <polarssl/md5.h>
#include <polarssl/cipher.h>
#include <polarssl/havege.h>
@@ -87,32 +86,6 @@ crypto_clear_error (void)
{
}
-bool polar_log_err(unsigned int flags, int errval, const char *prefix)
-{
- if (0 != errval)
- {
- char errstr[256];
- polarssl_strerror(errval, errstr, sizeof(errstr));
-
- if (NULL == prefix) prefix = "PolarSSL error";
- msg (flags, "%s: %s", prefix, errstr);
- }
-
- return 0 == errval;
-}
-
-bool polar_log_func_line(unsigned int flags, int errval, const char *func,
- int line)
-{
- char prefix[256];
-
- if (!openvpn_snprintf(prefix, sizeof(prefix), "%s:%d", func, line))
- return polar_log_err(flags, errval, func);
-
- return polar_log_err(flags, errval, prefix);
-}
-
-
#ifdef DMALLOC
void
crypto_init_dmalloc (void)
@@ -121,15 +94,52 @@ crypto_init_dmalloc (void)
}
#endif /* DMALLOC */
-const cipher_name_pair cipher_name_translation_table[] = {
+typedef struct { const char * openvpn_name; const char * polarssl_name; } cipher_name_pair;
+cipher_name_pair cipher_name_translation_table[] = {
{ "BF-CBC", "BLOWFISH-CBC" },
{ "BF-CFB", "BLOWFISH-CFB64" },
{ "CAMELLIA-128-CFB", "CAMELLIA-128-CFB128" },
{ "CAMELLIA-192-CFB", "CAMELLIA-192-CFB128" },
{ "CAMELLIA-256-CFB", "CAMELLIA-256-CFB128" }
};
-const size_t cipher_name_translation_table_count =
- sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table);
+
+const cipher_name_pair *
+get_cipher_name_pair(const char *cipher_name) {
+ cipher_name_pair *pair;
+ size_t i = 0;
+
+ /* Search for a cipher name translation */
+ for (; i < sizeof (cipher_name_translation_table) / sizeof (*cipher_name_translation_table); i++)
+ {
+ pair = &cipher_name_translation_table[i];
+ if (0 == strcmp (cipher_name, pair->openvpn_name) ||
+ 0 == strcmp (cipher_name, pair->polarssl_name))
+ return pair;
+ }
+
+ /* Nothing found, return null */
+ return NULL;
+}
+
+const char *
+translate_cipher_name_from_openvpn (const char *cipher_name) {
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
+
+ if (NULL == pair)
+ return cipher_name;
+
+ return pair->polarssl_name;
+}
+
+const char *
+translate_cipher_name_to_openvpn (const char *cipher_name) {
+ const cipher_name_pair *pair = get_cipher_name_pair(cipher_name);
+
+ if (NULL == pair)
+ return cipher_name;
+
+ return pair->openvpn_name;
+}
void
show_available_ciphers ()
@@ -137,28 +147,21 @@ show_available_ciphers ()
const int *ciphers = cipher_list();
#ifndef ENABLE_SMALL
- printf ("The following ciphers and cipher modes are available for use\n"
- "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n"
- "parameter to the --cipher option. Using a CBC or GCM mode is\n"
- "recommended. In static key mode only CBC mode is allowed.\n\n");
+ printf ("The following ciphers and cipher modes are available\n"
+ "for use with " PACKAGE_NAME ". Each cipher shown below may be\n"
+ "used as a parameter to the --cipher option. The default\n"
+ "key size is shown as well as whether or not it can be\n"
+ "changed with the --keysize directive. Using a CBC mode\n"
+ "is recommended.\n\n");
#endif
while (*ciphers != 0)
{
- const cipher_kt_t *info = cipher_info_from_type(*ciphers);
-
- if (info && (cipher_kt_mode_cbc(info)
-#ifdef HAVE_AEAD_CIPHER_MODES
- || cipher_kt_mode_aead(info)
-#endif
- ))
- {
- const char *ssl_only = cipher_kt_mode_cbc(info) ?
- "" : " (TLS client/server mode)";
+ const cipher_info_t *info = cipher_info_from_type(*ciphers);
- printf ("%s %d bit default key%s\n",
- cipher_kt_name(info), cipher_kt_key_size(info) * 8, ssl_only);
- }
+ if (info && info->mode == POLARSSL_MODE_CBC)
+ printf ("%s %d bit default key\n",
+ cipher_kt_name(info), cipher_kt_key_size(info) * 8);
ciphers++;
}
@@ -231,8 +234,7 @@ ctr_drbg_context * rand_ctx_get()
/* Initialise PolarSSL RNG, and built-in entropy sources */
entropy_init(&ec);
- if (!polar_ok(ctr_drbg_init(&cd_ctx, entropy_func, &ec,
- BPTR(&pers_string), BLEN(&pers_string))))
+ if (0 != ctr_drbg_init(&cd_ctx, entropy_func, &ec, BPTR(&pers_string), BLEN(&pers_string)))
msg (M_FATAL, "Failed to initialize random generator");
gc_free(&gc);
@@ -408,16 +410,6 @@ cipher_kt_block_size (const cipher_info_t *cipher_kt)
}
int
-cipher_kt_tag_size (const cipher_info_t *cipher_kt)
-{
-#ifdef HAVE_AEAD_CIPHER_MODES
- if (cipher_kt && cipher_kt_mode_aead(cipher_kt))
- return OPENVPN_AEAD_TAG_LENGTH;
-#endif
- return 0;
-}
-
-int
cipher_kt_mode (const cipher_info_t *cipher_kt)
{
ASSERT(NULL != cipher_kt);
@@ -437,12 +429,6 @@ cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
cipher_kt_mode(cipher) == OPENVPN_MODE_CFB);
}
-bool
-cipher_kt_mode_aead(const cipher_kt_t *cipher)
-{
- return cipher_kt_mode(cipher) == OPENVPN_MODE_GCM;
-}
-
/*
*
@@ -459,10 +445,10 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,
CLEAR (*ctx);
- if (!polar_ok(cipher_init_ctx(ctx, kt)))
+ if (0 != cipher_init_ctx(ctx, kt))
msg (M_FATAL, "PolarSSL cipher context init #1");
- if (!polar_ok(cipher_setkey(ctx, key, key_len*8, enc)))
+ if (0 != cipher_setkey(ctx, key, key_len*8, enc))
msg (M_FATAL, "PolarSSL cipher set key");
/* make sure we used a big enough key */
@@ -471,7 +457,7 @@ cipher_ctx_init (cipher_context_t *ctx, uint8_t *key, int key_len,
void cipher_ctx_cleanup (cipher_context_t *ctx)
{
- ASSERT (polar_ok(cipher_free_ctx(ctx)));
+ cipher_free_ctx(ctx);
}
int cipher_ctx_iv_length (const cipher_context_t *ctx)
@@ -479,21 +465,6 @@ int cipher_ctx_iv_length (const cipher_context_t *ctx)
return cipher_get_iv_size(ctx);
}
-int cipher_ctx_get_tag (cipher_ctx_t *ctx, uint8_t* tag, int tag_len)
-{
-#ifdef HAVE_AEAD_CIPHER_MODES
- if (tag_len > SIZE_MAX)
- return 0;
-
- if (!polar_ok(cipher_write_tag(ctx, (unsigned char *) tag, tag_len)))
- return 0;
-
- return 1;
-#else
- ASSERT(0);
-#endif /* HAVE_AEAD_CIPHER_MODES */
-}
-
int cipher_ctx_block_size(const cipher_context_t *ctx)
{
return cipher_get_block_size(ctx);
@@ -516,74 +487,36 @@ cipher_ctx_get_cipher_kt (const cipher_ctx_t *ctx)
int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
{
- if (!polar_ok(cipher_reset(ctx)))
- return 0;
-
- if (!polar_ok(cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size)))
- return 0;
-
- return 1;
-}
-
-int cipher_ctx_update_ad (cipher_ctx_t *ctx, uint8_t *src, int src_len)
-{
- if (src_len > SIZE_MAX)
- return 0;
+ int retval = cipher_reset(ctx);
- if (!polar_ok(cipher_update_ad(ctx, src, src_len)))
- return 0;
+ if (0 == retval)
+ retval = cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
- return 1;
+ return 0 == retval;
}
int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
uint8_t *src, int src_len)
{
+ int retval = 0;
size_t s_dst_len = *dst_len;
- if (!polar_ok(cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len)))
- return 0;
+ retval = cipher_update(ctx, src, (size_t)src_len, dst, &s_dst_len);
*dst_len = s_dst_len;
- return 1;
+ return 0 == retval;
}
int cipher_ctx_final (cipher_context_t *ctx, uint8_t *dst, int *dst_len)
{
+ int retval = 0;
size_t s_dst_len = *dst_len;
- if (!polar_ok(cipher_finish(ctx, dst, &s_dst_len)))
- return 0;
-
+ retval = cipher_finish(ctx, dst, &s_dst_len);
*dst_len = s_dst_len;
- return 1;
-}
-
-int cipher_ctx_final_check_tag (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
- const uint8_t *tag, size_t tag_len)
-{
-#ifdef HAVE_AEAD_CIPHER_MODES
- if (POLARSSL_DECRYPT != ctx->operation)
- return 0;
-
- if (tag_len > SIZE_MAX)
- return 0;
-
- if (!cipher_ctx_final(ctx, dst, dst_len))
- {
- msg(D_CRYPT_ERRORS, "%s: cipher_ctx_final() failed", __func__);
- return 0;
- }
-
- if (!polar_ok(cipher_check_tag(ctx, (const unsigned char *) tag, tag_len)))
- return 0;
-
- return 1;
-#else
- ASSERT(0);
-#endif /* HAVE_AEAD_CIPHER_MODES */
+ return 0 == retval;
}
void
@@ -593,8 +526,8 @@ cipher_des_encrypt_ecb (const unsigned char key[DES_KEY_LENGTH],
{
des_context ctx;
- ASSERT (polar_ok(des_setkey_enc(&ctx, key)));
- ASSERT (polar_ok(des_crypt_ecb(&ctx, src, dst)));
+ des_setkey_enc(&ctx, key);
+ des_crypt_ecb(&ctx, src, dst);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-16 10:47:30 +0000