Browse code
tls-crypt: introduce tls_crypt_kt()
Reduces code duplication (and prepares for tls-crypt-v2, which needs the
same functionality at more places).
Because tls_crypt_kt() is a static function we now need to include
tls_crypt.c from the tests, rather than tls_crypt.h.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <1502531632-16833-1-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15229.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2017/08/12 18:53:52Showing 3 changed files
- src/openvpn/tls_crypt.c
- tests/unit_tests/openvpn/Makefile.am
- tests/unit_tests/openvpn/test_tls_crypt.c
| ... | ... |
@@ -35,35 +35,47 @@ |
| 35 | 35 |
|
| 36 | 36 |
#include "tls_crypt.h" |
| 37 | 37 |
|
| 38 |
-int |
|
| 39 |
-tls_crypt_buf_overhead(void) |
|
| 40 |
-{
|
|
| 41 |
- return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE; |
|
| 42 |
-} |
|
| 43 |
- |
|
| 44 |
-void |
|
| 45 |
-tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
|
| 46 |
- const char *key_inline, bool tls_server) |
|
| 38 |
+static struct key_type |
|
| 39 |
+tls_crypt_kt(void) |
|
| 47 | 40 |
{
|
| 48 |
- const int key_direction = tls_server ? |
|
| 49 |
- KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; |
|
| 50 |
- |
|
| 51 | 41 |
struct key_type kt; |
| 52 | 42 |
kt.cipher = cipher_kt_get("AES-256-CTR");
|
| 53 | 43 |
kt.digest = md_kt_get("SHA256");
|
| 54 | 44 |
|
| 55 | 45 |
if (!kt.cipher) |
| 56 | 46 |
{
|
| 57 |
- msg(M_FATAL, "ERROR: --tls-crypt requires AES-256-CTR support."); |
|
| 47 |
+ msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); |
|
| 48 |
+ return (struct key_type) { 0 };
|
|
| 58 | 49 |
} |
| 59 | 50 |
if (!kt.digest) |
| 60 | 51 |
{
|
| 61 |
- msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); |
|
| 52 |
+ msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); |
|
| 53 |
+ return (struct key_type) { 0 };
|
|
| 62 | 54 |
} |
| 63 | 55 |
|
| 64 | 56 |
kt.cipher_length = cipher_kt_key_size(kt.cipher); |
| 65 | 57 |
kt.hmac_length = md_kt_size(kt.digest); |
| 66 | 58 |
|
| 59 |
+ return kt; |
|
| 60 |
+} |
|
| 61 |
+ |
|
| 62 |
+int |
|
| 63 |
+tls_crypt_buf_overhead(void) |
|
| 64 |
+{
|
|
| 65 |
+ return packet_id_size(true) + TLS_CRYPT_TAG_SIZE + TLS_CRYPT_BLOCK_SIZE; |
|
| 66 |
+} |
|
| 67 |
+ |
|
| 68 |
+void |
|
| 69 |
+tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
|
| 70 |
+ const char *key_inline, bool tls_server) |
|
| 71 |
+{
|
|
| 72 |
+ const int key_direction = tls_server ? |
|
| 73 |
+ KEY_DIRECTION_NORMAL : KEY_DIRECTION_INVERSE; |
|
| 74 |
+ struct key_type kt = tls_crypt_kt(); |
|
| 75 |
+ if (!kt.cipher || !kt.digest) |
|
| 76 |
+ {
|
|
| 77 |
+ msg (M_FATAL, "ERROR: --tls-crypt not supported"); |
|
| 78 |
+ } |
|
| 67 | 79 |
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, |
| 68 | 80 |
"Control Channel Encryption", "tls-crypt"); |
| 69 | 81 |
} |
| ... | ... |
@@ -54,5 +54,4 @@ tls_crypt_testdriver_SOURCES = test_tls_crypt.c mock_msg.c \ |
| 54 | 54 |
$(openvpn_srcdir)/crypto_openssl.c \ |
| 55 | 55 |
$(openvpn_srcdir)/otime.c \ |
| 56 | 56 |
$(openvpn_srcdir)/packet_id.c \ |
| 57 |
- $(openvpn_srcdir)/platform.c \ |
|
| 58 |
- $(openvpn_srcdir)/tls_crypt.c |
|
| 57 |
+ $(openvpn_srcdir)/platform.c |
| ... | ... |
@@ -39,7 +39,7 @@ |
| 39 | 39 |
#include <setjmp.h> |
| 40 | 40 |
#include <cmocka.h> |
| 41 | 41 |
|
| 42 |
-#include "tls_crypt.h" |
|
| 42 |
+#include "tls_crypt.c" |
|
| 43 | 43 |
|
| 44 | 44 |
#include "mock_msg.h" |
| 45 | 45 |
|
| ... | ... |
@@ -60,23 +60,13 @@ setup(void **state) {
|
| 60 | 60 |
struct test_context *ctx = calloc(1, sizeof(*ctx)); |
| 61 | 61 |
*state = ctx; |
| 62 | 62 |
|
| 63 |
- ctx->kt.cipher = cipher_kt_get("AES-256-CTR");
|
|
| 64 |
- ctx->kt.digest = md_kt_get("SHA256");
|
|
| 65 |
- if (!ctx->kt.cipher) |
|
| 66 |
- {
|
|
| 67 |
- printf("No AES-256-CTR support, skipping test.\n");
|
|
| 68 |
- return 0; |
|
| 69 |
- } |
|
| 70 |
- if (!ctx->kt.digest) |
|
| 63 |
+ struct key key = { 0 };
|
|
| 64 |
+ |
|
| 65 |
+ ctx->kt = tls_crypt_kt(); |
|
| 66 |
+ if (!ctx->kt.cipher || !ctx->kt.digest) |
|
| 71 | 67 |
{
|
| 72 |
- printf("No HMAC-SHA256 support, skipping test.\n");
|
|
| 73 | 68 |
return 0; |
| 74 | 69 |
} |
| 75 |
- ctx->kt.cipher_length = cipher_kt_key_size(ctx->kt.cipher); |
|
| 76 |
- ctx->kt.hmac_length = md_kt_size(ctx->kt.digest); |
|
| 77 |
- |
|
| 78 |
- struct key key = { 0 };
|
|
| 79 |
- |
|
| 80 | 70 |
init_key_ctx(&ctx->co.key_ctx_bi.encrypt, &key, &ctx->kt, true, "TEST"); |
| 81 | 71 |
init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST"); |
| 82 | 72 |
|