summaryrefslogtreecommitdiff
path: root/src/openvpn/tls_crypt.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/openvpn/tls_crypt.c')
-rw-r--r--src/openvpn/tls_crypt.c24
1 files changed, 13 insertions, 11 deletions
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c227b09..e13bb4e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -16,10 +16,9 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
- * along with this program (see the file COPYING included with this
- * distribution); if not, write to the Free Software Foundation, Inc.,
- * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#ifdef HAVE_CONFIG_H
@@ -44,15 +43,14 @@ tls_crypt_buf_overhead(void)
void
tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
- const char *key_inline, bool tls_server) {
+ const char *key_inline, bool tls_server)
+{
const int key_direction = tls_server ?
KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
struct key_type kt;
kt.cipher = cipher_kt_get("AES-256-CTR");
- kt.cipher_length = cipher_kt_key_size(kt.cipher);
kt.digest = md_kt_get("SHA256");
- kt.hmac_length = md_kt_size(kt.digest);
if (!kt.cipher)
{
@@ -63,6 +61,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
}
+ kt.cipher_length = cipher_kt_key_size(kt.cipher);
+ kt.hmac_length = md_kt_size(kt.digest);
+
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
"Control Channel Encryption", "tls-crypt");
}
@@ -79,7 +80,8 @@ tls_crypt_adjust_frame_parameters(struct frame *frame)
bool
tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
- struct crypto_options *opt) {
+ struct crypto_options *opt)
+{
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
struct gc_arena gc;
@@ -95,10 +97,10 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
format_hex(BPTR(src), BLEN(src), 80, &gc));
/* Get packet ID */
+ if (!packet_id_write(&opt->packet_id.send, dst, true, false))
{
- struct packet_id_net pin;
- packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
- packet_id_write(&pin, dst, true, false);
+ msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
+ goto err;
}
dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",