author | Bernhard Schmidt <berni@debian.org> | 2018-03-04 22:22:32 +0100 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2018-03-04 22:22:32 +0100 |
commit | cf55ab99392458e723c7ebcc32c19bbd225b1f4b (patch) | |
tree | b895b41b7629c9a31de5cc15e7aa7805ddac87ce /src/openvpn/tls_crypt.c | |
parent | 9683f890944ffb114f5f8214f694e0b339cf5a5a (diff) |
New upstream version 2.4.5
Diffstat (limited to 'src/openvpn/tls_crypt.c')
-rw-r--r-- | src/openvpn/tls_crypt.c | 42 |
1 files changed, 27 insertions, 15 deletions
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index e13bb4e..ecc654e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -5,7 +5,7 @@
 * packet encryption, packet authentication, and
 * packet compression.
 *
- * Copyright (C) 2016-2017 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2016-2018 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 
@@ -35,35 +35,47 @@
 #include "tls_crypt.h"
-int
-tls_crypt_buf_overhead(void)
-{
- return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE;
-}
-
-void
-tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
- const char *key_inline, bool tls_server)
+static struct key_type
+tls_crypt_kt(void)
 {
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
-
 struct key_type kt;
 kt.cipher = cipher_kt_get("AES-256-CTR");
 kt.digest = md_kt_get("SHA256");
 if (!kt.cipher)
 {
- msg(M_FATAL, "ERROR: --tls-crypt requires AES-256-CTR support.");
+ msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
+ return (struct key_type) { 0 };
 }
 if (!kt.digest)
 {
- msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
+ msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
+ return (struct key_type) { 0 };
 }
 kt.cipher_length = cipher_kt_key_size(kt.cipher);
 kt.hmac_length = md_kt_size(kt.digest);
+ return kt;
+}
+
+int
+tls_crypt_buf_overhead(void)
+{
+ return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE;
+}
+
+void
+tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
+ const char *key_inline, bool tls_server)
+{
+ const int key_direction = tls_server ?
+ KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ struct key_type kt = tls_crypt_kt();
+ if (!kt.cipher || !kt.digest)
+ {
+ msg (M_FATAL, "ERROR: --tls-crypt not supported");
+ }
 crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
 "Control Channel Encryption", "tls-crypt");
 }
|
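Review bot: The new `tls_crypt_kt()` has no doc comment, and its failure contract (log at M_WARN, then return a zeroed `struct key_type`) is exactly what the `!kt.cipher || !kt.digest` check in `tls_crypt_init_key` depends on, so it belongs at the definition: `/* Key type for tls-crypt (AES-256-CTR + HMAC-SHA-256); returns a zeroed key_type with cipher == NULL if either primitive is unavailable, callers must check before use. */`. In `tls_crypt_init_key` the fatal branch has no `return` and falls through to `crypto_read_openvpn_key()` with the zeroed `kt`; that is only safe because M_FATAL presumably terminates the process, which deserves a one-line comment such as `/* M_FATAL does not return; kt is never used past here */`. The call is also written `msg (M_FATAL, ...)` with a space before the parenthesis, unlike every other `msg(` in the hunk, and should be `msg(M_FATAL, "ERROR: --tls-crypt not supported");`. Finally the helper's two messages keep the "ERROR:" prefix while now being emitted at M_WARN, so any non-fatal caller of `tls_crypt_kt()` will log an error-looking line for a condition it then handles; consider wording them as warnings and leaving the "ERROR:" to the fatal call site.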