OpenVPN uses a idiosyncrasy that all ciphers are uppercase but none is
spelt lowercase and excepts this idiosyncrasy also in IV_CIPHERS
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We need to ensure that there is only one copy of these algorithms defined
as we modify them with the method allow_default_dc_algs to set the
F_DC_ALLOW flag on. Having more than one copy means that we have different
copies with different flags which we want to avoid.
The use of inline to a normal variable is a C++17 feature.
From https://en.cppreference.com/w/cpp/language/inline
An inline function or variable (since C++17) with external linkage
(e.g. not declared static) has the following additional properties:
There may be more than one definition of an inline function or variable
(since C++17) in the program as long as each definition appears in a
different translation unit and (for non-static inline functions and
variables (since C++17)) all definitions are identical. For example,
an inline function or an inline variable (since C++17) may be defined
in a header file that is included in multiple source files.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
While there should be no problem of having these basically static
definition multiple times, avoiding multiple copies of it is a good
thing.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Probe cipher support in runtime (works in Windows Server 2022 and Windows 11)
and add it to the list of allowed ciphers.
White on it, add missing halt check in dco-win client code.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
With OpenSSL3, these algorithms are no longer allowed. With this change
we do the same regardless of the crypto library. Note that in contrast
to OpenSSL3, we include here 3DES into the legacy algorithms.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Moving interpretation of the flags into the class in preparation
of submitting only supported data channel ciphers in IV_CIPHERS.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
DCO only supports a limited set of ciphers, currently it is
discovered quite late if a unsupported algorithm is configured
(or pushed).
This introduces CryptoAlgs::allow_dc_algs() with which the
supported set of data channel algorithms can be specified.
The DCO code makes use of this, at the time a new_controller()
is created.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
Remove constexpr in preparation for making it possible to modify the
data channel ciphers. Use std::array so the SIZE can be specified.
Remove the unused CryptoAlgs:get_index_ptr() function.
Signed-off-by: Heiko Hund <heiko@openvpn.net>
This also changes the mbed TLS implementation from using the AES GCM
specific API to the generic AEAD API in mbed TLS. As result we can
refactor the commonly used parts of AEAD and normal cipher into a
common class.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The CryptoDCSettings::digest() method returns SHA1 digest when the
cipher is an AEAD cipher. This is incorrect, as AEAD ciphers does not
use digests for authentication at all; the authentication is an
integral part of the AEAD cipher itself.
To solve this, the CryptoAlgs::AlgFlags has been extended with a new
F_NO_CIPHER_DIGEST flag which is expected to be set on ciphers not
depending on any digests for authentication, like AES-GCM/AEAD
ciphers. A new method, use_cipher_digest(), will return True if
the cipher depends on a digest for authentication.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Add support for AES-256-CTR (used by tls-crypt) in the crypto
layer and make sure that each SSL library plugin is aware of it.
Signed-off-by: Antonio Quartulli <antonio@openvpn.net>
* Make class Route standalone, moving it out of namespace
CIDRMap.
CryptoAlgs:
* Added comments
* For type-safety, mode() now returns a Mode rather than an
int.
CryptoDC:
* Added CRYPTO_DEFINED flag to indicate when encrypt() and
decrypt() methods are implemented by a data channel
provider.
Manage:
* Implemented skeleton management API for server-side client
authentication and managing client-instance properties.
Proto:
* Added Config::update_dc_factory() method.
* Support new CryptoDCInstance::CRYPTO_DEFINED flag.
* Updated server_auth() method to support SafeString transit
of client-provided auth-user-pass password to management
layer.
* control_send now does a reset() on the provided
Ptr reference before returning to reflect the
transfer-of-ownership of the underlying buffer.
* Implemented disable_keepalive() and override_dc_factory
methods.
Transbase (server) new methods:
// disable keepalive for rest of session
virtual void disable_keepalive() = 0;
// override the data channel factory
virtual void override_dc_factory(const CryptoDCFactory::Ptr& dc_factory) = 0;
// override the tun provider
virtual TunClientInstanceRecv* override_tun(TunClientInstanceSend* tun) = 0;
ServProto:
* Added abstract base classes for Tun factories and client instance
sender/receivers.
* Added Tun and Management linkages.
* Added new receiver methods for overriding the data channel
factory, Tun factory, and keepalive config.
* Added AuthCreds support.
underlying crypto implementation.
Modified proto.hpp to use the new CryptoAlgs types for
cipher/digest selection.
Added initial PolarSSL implementation for cipher/digest
selection using CryptoAlgs types.
Note: this implementation is incomplete, see fixmes.