1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
// OpenVPN -- An application to securely tunnel IP networks
// over a single port, with support for SSL/TLS-based
// session authentication and key exchange,
// packet encryption, packet authentication, and
// packet compression.
//
// Copyright (C) 2012-2022 OpenVPN Inc.
// Copyright (C) 2020-2022 Lev Stipakov <lev@openvpn.net>
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License Version 3
// as published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program in the COPYING file.
// If not, see <http://www.gnu.org/licenses/>.
// ovpn-dco crypto wrappers
#pragma once
namespace openvpn {
namespace KoRekey {
/**
* @brief Parses key information into format consumed by ovpn-dco.
*
*/
class OvpnDcoKey : public Key
{
public:
OvpnDcoKey(const CryptoDCInstance::RekeyType rktype, const Info &rkinfo)
{
std::memset(&kc, 0, sizeof(kc));
kc.remote_peer_id = rkinfo.remote_peer_id;
const CryptoDCContext::Info ci = rkinfo.dc_context_delegate->crypto_info();
const CryptoAlgs::Alg &calg = CryptoAlgs::get(ci.cipher_alg);
switch (ci.cipher_alg)
{
case CryptoAlgs::NONE:
kc.cipher_alg = OVPN_CIPHER_ALG_NONE;
kc.encrypt.cipher_key_size = 0;
break;
case CryptoAlgs::AES_128_GCM:
kc.cipher_alg = OVPN_CIPHER_ALG_AES_GCM;
kc.encrypt.cipher_key_size = 128 / 8;
break;
case CryptoAlgs::AES_192_GCM:
kc.cipher_alg = OVPN_CIPHER_ALG_AES_GCM;
kc.encrypt.cipher_key_size = 192 / 8;
break;
case CryptoAlgs::AES_256_GCM:
kc.cipher_alg = OVPN_CIPHER_ALG_AES_GCM;
kc.encrypt.cipher_key_size = 256 / 8;
break;
case CryptoAlgs::CHACHA20_POLY1305:
kc.cipher_alg = OVPN_CIPHER_ALG_CHACHA20_POLY1305;
kc.encrypt.cipher_key_size = 256 / 8;
break;
default:
OPENVPN_THROW(korekey_error,
"cipher alg " << calg.name()
<< " is not currently supported by ovpn-dco");
break;
}
kc.decrypt.cipher_key_size = kc.encrypt.cipher_key_size;
if (calg.mode() == CryptoAlgs::AEAD)
{
kc.encrypt.cipher_key = verify_key("cipher encrypt",
rkinfo.encrypt_cipher,
kc.encrypt.cipher_key_size);
kc.decrypt.cipher_key = verify_key("cipher decrypt",
rkinfo.decrypt_cipher,
kc.decrypt.cipher_key_size);
set_nonce_tail("AEAD nonce tail encrypt",
kc.encrypt.nonce_tail,
sizeof(kc.encrypt.nonce_tail),
rkinfo.encrypt_hmac);
set_nonce_tail("AEAD nonce tail decrypt",
kc.decrypt.nonce_tail,
sizeof(kc.decrypt.nonce_tail),
rkinfo.decrypt_hmac);
}
kc.key_id = rkinfo.key_id;
}
const struct KeyConfig *operator()() const
{
return &kc;
}
private:
struct KeyConfig kc;
};
} // namespace KoRekey
} // namespace openvpn
|
