Moving interpretation of the flags into the class in preparation
of submitting only supported data channel ciphers in IV_CIPHERS.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
DCO only supports a limited set of ciphers, currently it is
discovered quite late if a unsupported algorithm is configured
(or pushed).
This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.
The DCO code makes use of this, at the time a new_controller()
is created.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Remove constexpr in preparation for making it possible to modify the
data channel ciphers. Use std::array so the SIZE can be specified.
Remove the unused CryptoAlgs:get_index_ptr() function.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This also changes the mbed TLS implementation from using the AES GCM
specific API to the generic AEAD API in mbed TLS. As result we can
refactor the commonly used parts of AEAD and normal cipher into a
common class.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The CryptoDCSettings::digest() method returns SHA1 digest when the
cipher is an AEAD cipher. This is incorrect, as AEAD ciphers does not
use digests for authentication at all; the authentication is an
integral part of the AEAD cipher itself.
To solve this, the CryptoAlgs::AlgFlags has been extended with a new
F_NO_CIPHER_DIGEST flag which is expected to be set on ciphers not
depending on any digests for authentication, like AES-GCM/AEAD
ciphers. A new method, use_cipher_digest(), will return True if
the cipher depends on a digest for authentication.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Add support for AES-256-CTR (used by tls-crypt) in the crypto
layer and make sure that each SSL library plugin is aware of it.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
* Make class Route standalone, moving it out of namespace
CIDRMap.
CryptoAlgs:
* Added comments
* For type-safety, mode() now returns a Mode rather than an
int.
CryptoDC:
* Added CRYPTO_DEFINED flag to indicate when encrypt() and
decrypt() methods are implemented by a data channel
provider.
Manage:
* Implemented skeleton management API for server-side client
authentication and managing client-instance properties.
Proto:
* Added Config::update_dc_factory() method.
* Support new CryptoDCInstance::CRYPTO_DEFINED flag.
* Updated server_auth() method to support SafeString transit
of client-provided auth-user-pass password to management
layer.
* control_send now does a reset() on the provided
Ptr reference before returning to reflect the
transfer-of-ownership of the underlying buffer.
* Implemented disable_keepalive() and override_dc_factory
methods.
Transbase (server) new methods:
// disable keepalive for rest of session
virtual void disable_keepalive() = 0;
// override the data channel factory
virtual void override_dc_factory(const CryptoDCFactory::Ptr& dc_factory) = 0;
// override the tun provider
virtual TunClientInstanceRecv* override_tun(TunClientInstanceSend* tun) = 0;
ServProto:
* Added abstract base classes for Tun factories and client instance
sender/receivers.
* Added Tun and Management linkages.
* Added new receiver methods for overriding the data channel
factory, Tun factory, and keepalive config.
* Added AuthCreds support.
underlying crypto implementation.
Modified proto.hpp to use the new CryptoAlgs types for
cipher/digest selection.
Added initial PolarSSL implementation for cipher/digest
selection using CryptoAlgs types.
Note: this implementation is incomplete, see fixmes.