/*
* OpenVPN -- An application to securely tunnel IP networks
* over a single TCP/UDP port, with support for SSL/TLS-based
* session authentication and key exchange,
* packet encryption, packet authentication, and
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
* Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
/**
* @file Data Channel Cryptography mbed TLS-specific backend interface
*/
#ifndef CRYPTO_MBEDTLS_H_
#define CRYPTO_MBEDTLS_H_
#include <mbedtls/cipher.h>
#include <mbedtls/md.h>
#include <mbedtls/ctr_drbg.h>
/*
 * Backend-neutral aliases: each typedef and macro below maps an OpenVPN name
 * directly onto the corresponding mbed TLS type or constant, so that code
 * written against these names does not have to mention mbed TLS itself.
 */

/** Generic cipher key type %context (alias of mbedtls_cipher_info_t). */
typedef mbedtls_cipher_info_t cipher_kt_t;
/** Generic message digest key type %context (alias of mbedtls_md_info_t). */
typedef mbedtls_md_info_t md_kt_t;
/** Generic cipher %context (alias of mbedtls_cipher_context_t). */
typedef mbedtls_cipher_context_t cipher_ctx_t;
/** Generic message digest %context (alias of mbedtls_md_context_t). */
typedef mbedtls_md_context_t md_ctx_t;
/**
 * Generic HMAC %context.
 *
 * This is the same underlying type as md_ctx_t, so the compiler will not
 * flag a plain digest context passed where an HMAC context is expected.
 */
typedef mbedtls_md_context_t hmac_ctx_t;
/** Maximum length of an IV, taken from mbed TLS (MBEDTLS_MAX_IV_LENGTH). */
#define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH
/*
 * Cipher mode identifiers. CBC, OFB and CFB are unauthenticated modes; GCM
 * is an AEAD mode. How callers add integrity protection for the
 * unauthenticated modes is not visible from this header.
 */
/** Cipher is in CBC mode */
#define OPENVPN_MODE_CBC MBEDTLS_MODE_CBC
/** Cipher is in OFB mode */
#define OPENVPN_MODE_OFB MBEDTLS_MODE_OFB
/** Cipher is in CFB mode */
#define OPENVPN_MODE_CFB MBEDTLS_MODE_CFB
/** Cipher is in GCM mode */
#define OPENVPN_MODE_GCM MBEDTLS_MODE_GCM
/** Cipher should encrypt */
#define OPENVPN_OP_ENCRYPT MBEDTLS_ENCRYPT
/** Cipher should decrypt */
#define OPENVPN_OP_DECRYPT MBEDTLS_DECRYPT
/*
 * Fixed digest output sizes and the DES key size, all in bytes.
 * NOTE(review): the names mirror OpenSSL's constants, presumably so that
 * backend-independent code can size buffers the same way with either
 * library -- confirm against the callers.
 * NOTE(review): MD4, MD5 and single DES are cryptographically broken; which
 * callers still need these sizes is not shown here (presumably legacy
 * protocol support -- confirm before adding new uses).
 */
/** MD4 digest size in bytes (128 bits). */
#define MD4_DIGEST_LENGTH 16
/** MD5 digest size in bytes (128 bits). */
#define MD5_DIGEST_LENGTH 16
/** SHA-1 digest size in bytes (160 bits). */
#define SHA_DIGEST_LENGTH 20
/** SHA-256 digest size in bytes (256 bits). */
#define SHA256_DIGEST_LENGTH 32
/** DES key size in bytes (64 bits including the parity bits). */
#define DES_KEY_LENGTH 8
/**
 * Returns a singleton instance of the mbed TLS random number generator.
 *
 * For PolarSSL/mbed TLS 1.1+, this is the CTR_DRBG random number generator.
 * If it hasn't been initialised yet, the RNG will be initialised using the
 * default entropy sources. Aside from the default platform entropy sources,
 * an additional entropy source, the HAVEGE random number generator, will
 * also be added. During initialisation, a personalisation string will be
 * added based on the time, the PID, and a pointer to the random context.
 *
 * NOTE(review): the implementation is not part of this header; confirm that
 * the entropy sources and personalisation inputs described above still match
 * it. The personalisation string only adds domain separation and is not a
 * substitute for entropy.
 * NOTE(review): every caller shares the one returned context; whether
 * concurrent use is safe cannot be determined from this declaration.
 *
 * @returns Pointer to the shared CTR_DRBG context.
 */
mbedtls_ctr_drbg_context *rand_ctx_get(void);
#ifdef ENABLE_PREDICTION_RESISTANCE
/**
 * Enable prediction resistance on the random number generator.
 *
 * Only declared when ENABLE_PREDICTION_RESISTANCE is defined at build time.
 * NOTE(review): presumably this makes the CTR_DRBG reseed from its entropy
 * source on every request, which costs throughput -- confirm in the
 * implementation.
 */
void rand_ctx_enable_prediction_resistance(void);
#endif
/**
 * Log the supplied mbed TLS error, prefixed by supplied prefix.
 *
 * @param flags     Flags to indicate error type and priority.
 * @param errval    mbed TLS error code to convert to error message.
 * @param prefix    Prefix to mbed TLS error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_err(unsigned int flags, int errval, const char *prefix);
/**
 * Log the supplied mbed TLS error, prefixed by function name and line number.
 *
 * Callers in this header go through mbed_log_func_line_lite(), which only
 * calls this function when errval is non-zero.
 *
 * @param flags     Flags to indicate error type and priority.
 * @param errval    mbed TLS error code to convert to error message.
 * @param func      Function name where error was reported.
 * @param line      Line number where error was reported.
 *
 * @returns true if no errors are detected, false otherwise.
 */
bool mbed_log_func_line(unsigned int flags, int errval, const char *func,
int line);
/**
 * Inline front end for mbed_log_func_line().
 *
 * A zero errval is reported as success directly, so the out-of-line logging
 * function is only called when there is an error to report.
 *
 * @param flags     Flags to indicate error type and priority.
 * @param errval    mbed TLS error code; zero means no error.
 * @param func      Function name where the error was reported.
 * @param line      Line number where the error was reported.
 *
 * @returns true when errval is zero, otherwise whatever
 *          mbed_log_func_line() returns for the error.
 */
static inline bool
mbed_log_func_line_lite(unsigned int flags, int errval,
                        const char *func, int line)
{
    /* Nothing to log for a zero return code; skip the function call. */
    return errval ? mbed_log_func_line(flags, errval, func, line) : true;
}
/**
 * Check errval and log on error.
 *
 * Convenience wrapper to put around mbed TLS library calls, e.g.
 *   if (!mbed_ok (mbedtls_ssl_func())) return 0;
 * or
 *   ASSERT (mbed_ok (mbedtls_ssl_func()));
 *
 * Expands to a call to mbed_log_func_line_lite(), so errval is evaluated
 * exactly once, and __func__ / __LINE__ identify the place where the macro
 * is used. D_CRYPT_ERRORS is not defined in this header and must be in scope
 * wherever the macro is expanded.
 *
 * NOTE(review): the ASSERT form puts the library call itself inside the
 * assertion. That is only safe if ASSERT always evaluates its argument;
 * confirm it is never compiled out, otherwise the wrapped call would be
 * skipped together with its error check.
 * NOTE(review): the result must be checked by the caller; an ignored
 * mbed_ok() only logs and lets execution continue after a failed crypto
 * call.
 *
 * @param errval    mbed TLS error code to convert to error message.
 *
 * @returns true if no errors are detected, false otherwise.
 */
#define mbed_ok(errval) \
mbed_log_func_line_lite(D_CRYPT_ERRORS, errval, __func__, __LINE__)
/**
 * Report whether a cipher accepts keys of more than one length.
 *
 * @param cipher    Cipher key type to query. It is dereferenced without a
 *                  check, so it must not be NULL.
 *
 * @returns true if MBEDTLS_CIPHER_VARIABLE_KEY_LEN is set in the cipher's
 *          flags, false otherwise.
 */
static inline bool
cipher_kt_var_key_size(const cipher_kt_t *cipher)
{
    return (cipher->flags & MBEDTLS_CIPHER_VARIABLE_KEY_LEN) != 0;
}
#endif /* CRYPTO_MBEDTLS_H_ */