#define ENABLE_DEF_AUTH 1
#define ENABLE_PF 1
#define ENABLE_CRYPTO_OPENSSL 1
-#define HAVE_AEAD_CIPHER_MODES 1
#define ENABLE_DEBUG 1
#define ENABLE_EUREPHIA 1
#define ENABLE_FRAGMENT 1
AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])
fi
- have_crypto_aead_modes="yes"
AC_CHECK_FUNC(
[EVP_aes_256_gcm],
,
- [have_crypto_aead_modes="no"]
+ [AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])]
)
# All supported OpenSSL version (>= 1.0.2)
[AC_MSG_ERROR([mbed TLS 2.y.z required])]
)
- have_crypto_aead_modes="yes"
AC_CHECK_FUNCS(
[ \
mbedtls_cipher_write_tag \
mbedtls_cipher_check_tag \
],
,
- [have_crypto_aead_modes="no"; break]
+ [AC_MSG_ERROR([mbed TLS check for AEAD support failed])]
)
have_export_keying_material="yes"
test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers])
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes])
-test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library])
if test "${have_export_keying_material}" = "yes"; then
AC_DEFINE(
[HAVE_EXPORT_KEYING_MATERIAL], [1],
openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
struct crypto_options *opt)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
struct gc_arena gc;
int outlen = 0;
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
buf->len = 0;
gc_free(&gc);
return;
-#else /* HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
}
static void
struct crypto_options *opt, const struct frame *frame,
const uint8_t *ad_start)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
static const char error_prefix[] = "AEAD Decrypt error";
struct packet_id_net pin = { 0 };
const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt;
buf->len = 0;
gc_free(&gc);
return false;
-#else /* HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
- return false;
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
}
/*
/* init work */
ASSERT(buf_init(&work, FRAME_HEADROOM(frame)));
-#ifdef HAVE_AEAD_CIPHER_MODES
/* init implicit IV */
{
const cipher_kt_t *cipher =
co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len;
}
}
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */
msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode.");
for (i = 1; i <= TUN_MTU_SIZE(frame); ++i)
int
cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
if (cipher_kt && cipher_kt_mode_aead(cipher_kt))
{
return OPENVPN_AEAD_TAG_LENGTH;
}
-#endif
return 0;
}
int
cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
if (tag_len > SIZE_MAX)
{
return 0;
}
return 1;
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif /* HAVE_AEAD_CIPHER_MODES */
}
int
int
cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
if (src_len > SIZE_MAX)
{
return 0;
}
return 1;
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif /* HAVE_AEAD_CIPHER_MODES */
}
int
cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst,
int *dst_len, uint8_t *tag, size_t tag_len)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
size_t olen = 0;
if (MBEDTLS_DECRYPT != ctx->operation)
}
return 1;
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif /* HAVE_AEAD_CIPHER_MODES */
}
void
#ifdef ENABLE_OFB_CFB_MODE
|| cipher_kt_mode_ofb_cfb(cipher)
#endif
-#ifdef HAVE_AEAD_CIPHER_MODES
|| cipher_kt_mode_aead(cipher)
-#endif
))
{
cipher_list[num_ciphers++] = cipher;
cipher_kt_mode_cbc(const cipher_kt_t *cipher)
{
return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
-#ifdef EVP_CIPH_FLAG_AEAD_CIPHER
/* Exclude AEAD cipher modes, they require a different API */
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
-#endif
- ;
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
}
bool
{
return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB
|| cipher_kt_mode(cipher) == OPENVPN_MODE_CFB)
-#ifdef EVP_CIPH_FLAG_AEAD_CIPHER
/* Exclude AEAD cipher modes, they require a different API */
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
-#endif
- ;
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
}
bool
cipher_kt_mode_aead(const cipher_kt_t *cipher)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
if (cipher)
{
switch (EVP_CIPHER_nid(cipher))
return true;
}
}
-#endif
return false;
}
int
cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf);
-#else
- ASSERT(0);
-#endif
}
int
int
cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
int len;
if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len))
{
crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__);
}
return 1;
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif
}
int
cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
uint8_t *tag, size_t tag_len)
{
-#ifdef HAVE_AEAD_CIPHER_MODES
ASSERT(tag_len < SIZE_MAX);
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
{
}
return cipher_ctx_final(ctx, dst, dst_len);
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */
- ASSERT(0);
-#endif
}
void
/** Cipher is in CFB mode */
#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE
-#ifdef HAVE_AEAD_CIPHER_MODES
-
/** Cipher is in GCM mode */
#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE
-#endif /* HAVE_AEAD_CIPHER_MODES */
-
/** Cipher should encrypt */
#define OPENVPN_OP_ENCRYPT 1
" [MH/RECVDA]"
#endif
#endif
-#ifdef HAVE_AEAD_CIPHER_MODES
" [AEAD]"
-#endif
" built on " __DATE__
;
o->scheduled_exit_interval = 5;
#endif
o->ciphername = "BF-CBC";
-#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->ncp_enabled = true;
-#else
- o->ncp_enabled = false;
-#endif
o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
o->authname = "SHA1";
o->prng_hash = "SHA1";
projects / thirdparty / openvpn.git / commitdiff
