authorJörg Frings-Fürst <debian@jff-webhosting.net>2017-10-02 06:57:11 +0200
committerJörg Frings-Fürst <debian@jff-webhosting.net>2017-10-02 06:57:11 +0200
commit5196d94f84f23057406cb15be7c49a39a05f912d (patch)
treea47dad26e006bd9aa52e7de32c39d75965a2a98d /src/openvpn/tls_crypt.c
parent1cc61feca65e1593f3cbe69af692e31c3042a8a6 (diff)
parenta6daf938f5f616a4a67caa6580b0c99e9a8c3779 (diff)
Updated version 2.4.4 from 'upstream/2.4.4'
with Debian dir 140f8169d27cc56f891366cfbea8aff1659cd942
Diffstat (limited to 'src/openvpn/tls_crypt.c')
-rw-r--r--src/openvpn/tls_crypt.c40
1 files changed, 26 insertions, 14 deletions
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index e13bb4e..403060d 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -35,35 +35,47 @@
#include "tls_crypt.h"
-int
-tls_crypt_buf_overhead(void)
-{
- return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE;
-}
-
-void
-tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
- const char *key_inline, bool tls_server)
+static struct key_type
+tls_crypt_kt(void)
{
- const int key_direction = tls_server ?
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
-
struct key_type kt;
kt.cipher = cipher_kt_get("AES-256-CTR");
kt.digest = md_kt_get("SHA256");
if (!kt.cipher)
{
- msg(M_FATAL, "ERROR: --tls-crypt requires AES-256-CTR support.");
+ msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
+ return (struct key_type) { 0 };
}
if (!kt.digest)
{
- msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
+ msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
+ return (struct key_type) { 0 };
}
kt.cipher_length = cipher_kt_key_size(kt.cipher);
kt.hmac_length = md_kt_size(kt.digest);
+ return kt;
+}
+
+int
+tls_crypt_buf_overhead(void)
+{
+ return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE;
+}
+
+void
+tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
+ const char *key_inline, bool tls_server)
+{
+ const int key_direction = tls_server ?
+ KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
+ struct key_type kt = tls_crypt_kt();
+ if (!kt.cipher || !kt.digest)
+ {
+ msg (M_FATAL, "ERROR: --tls-crypt not supported");
+ }
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
"Control Channel Encryption", "tls-crypt");
}
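Review bot: tls_crypt_kt() now signals failure by returning an all-zero struct key_type, but that contract is only implied by the caller's `if (!kt.cipher || !kt.digest)` check in tls_crypt_init_key and is not stated on the function itself; a header comment such as `/* Build the tls-crypt key type. If AES-256-CTR or HMAC-SHA-256 is unavailable, logs a warning and returns a zeroed struct (cipher and digest NULL); callers must check both before using it. */` would keep a future caller from handing the zeroed key type on to crypto code. The two warning messages still begin with `ERROR:` although they are now logged at M_WARN and the actual fatal error is raised by the caller. As a point of style, `msg (M_FATAL, "ERROR: --tls-crypt not supported");` has a space before the parenthesis, unlike the other msg() calls in the hunk, and could read `msg(M_FATAL, "ERROR: --tls-crypt not supported");`.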