authorBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
committerBernhard Schmidt <berni@debian.org>2018-03-04 22:22:32 +0100
commitcf55ab99392458e723c7ebcc32c19bbd225b1f4b (patch)
treeb895b41b7629c9a31de5cc15e7aa7805ddac87ce /src/openvpn/crypto.c
parent9683f890944ffb114f5f8214f694e0b339cf5a5a (diff)
New upstream version 2.4.5
Diffstat (limited to 'src/openvpn/crypto.c')
-rw-r--r--src/openvpn/crypto.c62
1 files changed, 41 insertions, 21 deletions
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5f482d0..dba3aa5 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2010-2018 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -842,7 +842,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
/* given a key and key_type, build a key_ctx */
void
-init_key_ctx(struct key_ctx *ctx, struct key *key,
+init_key_ctx(struct key_ctx *ctx, const struct key *key,
const struct key_type *kt, int enc,
const char *prefix)
{
@@ -895,6 +895,26 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
}
void
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt, const char *name)
+{
+ char log_prefix[128] = { 0 };
+ struct key_direction_state kds;
+
+ key_direction_state_init(&kds, key_direction);
+
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
+ init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt,
+ OPENVPN_OP_ENCRYPT, log_prefix);
+
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
+ init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt,
+ OPENVPN_OP_DECRYPT, log_prefix);
+
+ ctx->initialized = true;
+}
+
+void
free_key_ctx(struct key_ctx *ctx)
{
if (ctx->cipher)
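Review bot: init_key_ctx_bi() has no comment saying who wipes the key material, which matters because the helper reads raw keys from `key2` and leaves them in place. The only caller visible in this diff, crypto_read_openvpn_key(), calls `secure_memzero(&key2, sizeof(key2));` right after it, but a new caller could easily omit that. I would add above the definition `/* Builds both directions of ctx from key2; does not wipe key2, the caller must secure_memzero() it afterwards. */`. The results of the two openvpn_snprintf() calls are also ignored, so an over-long `name` would presumably only shorten the log prefix; the comment could say so if that is intended. The last lines of the hunk belong to free_key_ctx(), whose body continues outside it.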
@@ -1184,7 +1204,6 @@ crypto_read_openvpn_key(const struct key_type *key_type,
{
struct key2 key2;
struct key_direction_state kds;
- char log_prefix[128] = { 0 };
if (key_inline)
{
@@ -1209,13 +1228,7 @@ crypto_read_openvpn_key(const struct key_type *key_type,
must_have_n_keys(key_file, opt_name, &key2, kds.need_keys);
/* initialize key in both directions */
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", key_name);
- init_key_ctx(&ctx->encrypt, &key2.keys[kds.out_key], key_type,
- OPENVPN_OP_ENCRYPT, log_prefix);
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", key_name);
- init_key_ctx(&ctx->decrypt, &key2.keys[kds.in_key], key_type,
- OPENVPN_OP_DECRYPT, log_prefix);
-
+ init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name);
secure_memzero(&key2, sizeof(key2));
}
@@ -1284,7 +1297,7 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
fd = platform_open(file, O_RDONLY, 0);
if (fd == -1)
{
- msg(M_ERR, "Cannot open file key file '%s'", file);
+ msg(M_ERR, "Cannot open key file '%s'", file);
}
size = read(fd, in.data, in.capacity);
if (size < 0)
@@ -1557,11 +1570,18 @@ ascii2keydirection(int msglevel, const char *str)
}
const char *
-keydirection2ascii(int kd, bool remote)
+keydirection2ascii(int kd, bool remote, bool humanreadable)
{
if (kd == KEY_DIRECTION_BIDIRECTIONAL)
{
- return NULL;
+ if (humanreadable)
+ {
+ return "not set";
+ }
+ else
+ {
+ return NULL;
+ }
}
else if (kd == KEY_DIRECTION_NORMAL)
{
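Review bot: keydirection2ascii() still returns NULL for KEY_DIRECTION_BIDIRECTIONAL when `humanreadable` is false, and nothing at the definition says so. Callers are not visible in this diff, so it is worth checking that any caller passing the result to a `%s` format now passes `humanreadable = true`. I would document the contract above the function, e.g. `/* Returns NULL for bidirectional unless humanreadable is set; then "not set" is returned. */`. The `else` after `return "not set";` is redundant and could be dropped. The function body continues outside the hunk.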
@@ -1676,6 +1696,11 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
goto read_err;
}
+ if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
+ {
+ goto key_len_err;
+ }
+
if (!buf_read(buf, key->cipher, cipher_length))
{
goto read_err;
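Review bot: The length comparison now ahead of the two buf_read() calls protects the copies into `key->cipher` and `key->hmac` only if `kt->cipher_length` and `kt->hmac_length` are themselves known to fit those destinations. That bound is not visible in this hunk and is presumably enforced where the key_type is initialised. A short comment on the check would keep the ordering from being undone in a later cleanup, e.g. `/* check the lengths read from buf before copying into key->cipher / key->hmac */`. read_key() begins and ends outside the hunk, so how `cipher_length` and `hmac_length` are read is not shown here.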
@@ -1685,11 +1710,6 @@ read_key(struct key *key, const struct key_type *kt, struct buffer *buf)
goto read_err;
}
- if (cipher_length != kt->cipher_length || hmac_length != kt->hmac_length)
- {
- goto key_len_err;
- }
-
return 1;
read_err:
@@ -1716,7 +1736,7 @@ static int nonce_secret_len = 0; /* GLOBAL */
/* Reset the nonce value, also done periodically to refresh entropy */
static void
-prng_reset_nonce()
+prng_reset_nonce(void)
{
const int size = md_kt_size(nonce_md) + nonce_secret_len;
#if 1 /* Must be 1 for real usage */
@@ -1795,7 +1815,7 @@ prng_bytes(uint8_t *output, int len)
/* an analogue to the random() function, but use prng_bytes */
long int
-get_random()
+get_random(void)
{
long int l;
prng_bytes((unsigned char *)&l, sizeof(l));