From 9683f890944ffb114f5f8214f694e0b339cf5a5a Mon Sep 17 00:00:00 2001
From: Alberto Gonzalez Iniesta <agi@inittab.org>
Date: Thu, 22 Jun 2017 13:16:46 +0200
Subject: New upstream version 2.4.3

---
 src/openvpn/tls_crypt.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

(limited to 'src/openvpn/tls_crypt.c')

diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index c227b09..e13bb4e 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -16,10 +16,9 @@
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
  *
- *  You should have received a copy of the GNU General Public License
- *  along with this program (see the file COPYING included with this
- *  distribution); if not, write to the Free Software Foundation, Inc.,
- *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *  You should have received a copy of the GNU General Public License along
+ *  with this program; if not, write to the Free Software Foundation, Inc.,
+ *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  */
 
 #ifdef HAVE_CONFIG_H
@@ -44,15 +43,14 @@ tls_crypt_buf_overhead(void)
 
 void
 tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
-                   const char *key_inline, bool tls_server) {
+                   const char *key_inline, bool tls_server)
+{
     const int key_direction = tls_server ?
                               KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE;
 
     struct key_type kt;
     kt.cipher = cipher_kt_get("AES-256-CTR");
-    kt.cipher_length = cipher_kt_key_size(kt.cipher);
     kt.digest = md_kt_get("SHA256");
-    kt.hmac_length = md_kt_size(kt.digest);
 
     if (!kt.cipher)
     {
@@ -63,6 +61,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file,
         msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
     }
 
+    kt.cipher_length = cipher_kt_key_size(kt.cipher);
+    kt.hmac_length = md_kt_size(kt.digest);
+
     crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction,
                             "Control Channel Encryption", "tls-crypt");
 }
@@ -79,7 +80,8 @@ tls_crypt_adjust_frame_parameters(struct frame *frame)
 
 bool
 tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
-               struct crypto_options *opt) {
+               struct crypto_options *opt)
+{
     const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt;
     struct gc_arena gc;
 
@@ -95,10 +97,10 @@ tls_crypt_wrap(const struct buffer *src, struct buffer *dst,
          format_hex(BPTR(src), BLEN(src), 80, &gc));
 
     /* Get packet ID */
+    if (!packet_id_write(&opt->packet_id.send, dst, true, false))
     {
-        struct packet_id_net pin;
-        packet_id_alloc_outgoing(&opt->packet_id.send, &pin, true);
-        packet_id_write(&pin, dst, true, false);
+        msg(D_CRYPT_ERRORS, "TLS-CRYPT ERROR: packet ID roll over.");
+        goto err;
     }
 
     dmsg(D_PACKET_CONTENT, "TLS-CRYPT WRAP AD: %s",
-- 
cgit v1.2.3