diff options
Diffstat (limited to 'src/openvpn/tls_crypt.c')
| -rw-r--r-- | src/openvpn/tls_crypt.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index c227b09..e13bb4e 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -16,10 +16,9 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #ifdef HAVE_CONFIG_H @@ -44,15 +43,14 @@ tls_crypt_buf_overhead(void) void tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, - const char *key_inline, bool tls_server) { + const char *key_inline, bool tls_server) +{ const int key_direction = tls_server ? KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; struct key_type kt; kt.cipher = cipher_kt_get("AES-256-CTR"); - kt.cipher_length = cipher_kt_key_size(kt.cipher); kt.digest = md_kt_get("SHA256"); - kt.hmac_length = md_kt_size(kt.digest); if (!kt.cipher) { @@ -63,6 +61,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); } + kt.cipher_length = cipher_kt_key_size(kt.cipher); + kt.hmac_length = md_kt_size(kt.digest); + crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, "Control Channel Encryption", "tls-crypt"); } @@ -79,7 +80,8 @@ tls_crypt_adjust_frame_parameters(struct frame *frame) bool tls_crypt_wrap(const struct buffer *src, struct buffer *dst, - struct crypto_options *opt) { + struct crypto_options *opt) +{ const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; struct gc_arena gc; @@ -95,10 +97,10 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst, format_hex(BPTR(src), BLEN(src), 80, &gc)); /* Get packet ID */ + if (!packet_id_write(&opt->packet_id.send, dst, true, false)) { - struct packet_id_net pin; - packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true); - packet_id_write(&pin, dst, true, false); + msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over."); + goto err; } dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s", |