Browse code
Move key_ctx_bi into crypto_options
The encrypt and decrypt routines use struct crypto_options as their main
information source. A struct crypto_options would have a pointer to a
struct key_ctx_bi, which had to be updated at the correct moments to keep
them correct. Instead of doing this administration, just put the struct
key_ctx_bi inside crypto_options. Makes the code a little simpler too.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11078
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2016/02/08 04:47:12Showing 6 changed files
- src/openvpn/crypto.c
- src/openvpn/crypto.h
- src/openvpn/init.c
- src/openvpn/ssl.c
- src/openvpn/ssl.h
- src/openvpn/ssl_common.h
| ... | ... |
@@ -91,9 +91,9 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, |
| 91 | 91 |
struct gc_arena gc; |
| 92 | 92 |
gc_init (&gc); |
| 93 | 93 |
|
| 94 |
- if (buf->len > 0 && opt->key_ctx_bi) |
|
| 94 |
+ if (buf->len > 0 && opt) |
|
| 95 | 95 |
{
|
| 96 |
- struct key_ctx *ctx = &opt->key_ctx_bi->encrypt; |
|
| 96 |
+ const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; |
|
| 97 | 97 |
|
| 98 | 98 |
/* Do Encrypt from buf -> work */ |
| 99 | 99 |
if (ctx->cipher) |
| ... | ... |
@@ -240,9 +240,9 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, |
| 240 | 240 |
struct gc_arena gc; |
| 241 | 241 |
gc_init (&gc); |
| 242 | 242 |
|
| 243 |
- if (buf->len > 0 && opt->key_ctx_bi) |
|
| 243 |
+ if (buf->len > 0 && opt) |
|
| 244 | 244 |
{
|
| 245 |
- struct key_ctx *ctx = &opt->key_ctx_bi->decrypt; |
|
| 245 |
+ const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; |
|
| 246 | 246 |
struct packet_id_net pin; |
| 247 | 247 |
bool have_pin = false; |
| 248 | 248 |
|
| ... | ... |
@@ -2134,7 +2134,7 @@ do_init_crypto_static (struct context *c, const unsigned int flags) |
| 2134 | 2134 |
} |
| 2135 | 2135 |
|
| 2136 | 2136 |
/* Get key schedule */ |
| 2137 |
- c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; |
|
| 2137 |
+ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; |
|
| 2138 | 2138 |
|
| 2139 | 2139 |
/* Compute MTU parameters */ |
| 2140 | 2140 |
crypto_adjust_frame_parameters (&c->c2.frame, |
| ... | ... |
@@ -2388,7 +2388,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) |
| 2388 | 2388 |
/* TLS handshake authentication (--tls-auth) */ |
| 2389 | 2389 |
if (options->tls_auth_file) |
| 2390 | 2390 |
{
|
| 2391 |
- to.tls_auth_key = c->c1.ks.tls_auth_key; |
|
| 2391 |
+ to.tls_auth.key_ctx_bi = c->c1.ks.tls_auth_key; |
|
| 2392 | 2392 |
to.tls_auth.pid_persist = &c->c1.pid_persist; |
| 2393 | 2393 |
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; |
| 2394 | 2394 |
crypto_adjust_frame_parameters (&to.frame, |
| ... | ... |
@@ -786,7 +786,6 @@ key_state_init (struct tls_session *session, struct key_state *ks) |
| 786 | 786 |
session->opt->replay_time, |
| 787 | 787 |
"SSL", ks->key_id); |
| 788 | 788 |
|
| 789 |
- ks->crypto_options.key_ctx_bi = &ks->key; |
|
| 790 | 789 |
ks->crypto_options.packet_id = session->opt->replay ? &ks->packet_id : NULL; |
| 791 | 790 |
ks->crypto_options.pid_persist = NULL; |
| 792 | 791 |
ks->crypto_options.flags = session->opt->crypto_flags; |
| ... | ... |
@@ -819,7 +818,7 @@ key_state_free (struct key_state *ks, bool clear) |
| 819 | 819 |
|
| 820 | 820 |
key_state_ssl_free(&ks->ks_ssl); |
| 821 | 821 |
|
| 822 |
- free_key_ctx_bi (&ks->key); |
|
| 822 |
+ free_key_ctx_bi (&ks->crypto_options.key_ctx_bi); |
|
| 823 | 823 |
free_buf (&ks->plaintext_read_buf); |
| 824 | 824 |
free_buf (&ks->plaintext_write_buf); |
| 825 | 825 |
free_buf (&ks->ack_write_buf); |
| ... | ... |
@@ -1072,9 +1071,6 @@ tls_multi_init (struct tls_options *tls_options) |
| 1072 | 1072 |
/* get command line derived options */ |
| 1073 | 1073 |
ret->opt = *tls_options; |
| 1074 | 1074 |
|
| 1075 |
- /* set up pointer to HMAC object for TLS packet authentication */ |
|
| 1076 |
- ret->opt.tls_auth.key_ctx_bi = &ret->opt.tls_auth_key; |
|
| 1077 |
- |
|
| 1078 | 1075 |
/* set up list of keys to be scanned by data channel encrypt and decrypt routines */ |
| 1079 | 1076 |
ASSERT (SIZE (ret->key_scan) == 3); |
| 1080 | 1077 |
ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; |
| ... | ... |
@@ -1113,8 +1109,7 @@ tls_auth_standalone_init (struct tls_options *tls_options, |
| 1113 | 1113 |
ALLOC_OBJ_CLEAR_GC (tas, struct tls_auth_standalone, gc); |
| 1114 | 1114 |
|
| 1115 | 1115 |
/* set up pointer to HMAC object for TLS packet authentication */ |
| 1116 |
- tas->tls_auth_key = tls_options->tls_auth_key; |
|
| 1117 |
- tas->tls_auth_options.key_ctx_bi = &tas->tls_auth_key; |
|
| 1116 |
+ tas->tls_auth_options.key_ctx_bi = tls_options->tls_auth.key_ctx_bi; |
|
| 1118 | 1117 |
tas->tls_auth_options.flags |= CO_PACKET_ID_LONG_FORM; |
| 1119 | 1118 |
|
| 1120 | 1119 |
/* get initial frame parms, still need to finalize */ |
| ... | ... |
@@ -1197,11 +1192,11 @@ tls_multi_free (struct tls_multi *multi, bool clear) |
| 1197 | 1197 |
static bool |
| 1198 | 1198 |
swap_hmac (struct buffer *buf, const struct crypto_options *co, bool incoming) |
| 1199 | 1199 |
{
|
| 1200 |
- struct key_ctx *ctx; |
|
| 1200 |
+ const struct key_ctx *ctx; |
|
| 1201 | 1201 |
|
| 1202 | 1202 |
ASSERT (co); |
| 1203 | 1203 |
|
| 1204 |
- ctx = (incoming ? &co->key_ctx_bi->decrypt : &co->key_ctx_bi->encrypt); |
|
| 1204 |
+ ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); |
|
| 1205 | 1205 |
ASSERT (ctx->hmac); |
| 1206 | 1206 |
|
| 1207 | 1207 |
{
|
| ... | ... |
@@ -1265,7 +1260,7 @@ write_control_auth (struct tls_session *session, |
| 1265 | 1265 |
ASSERT (session_id_write_prepend (&session->session_id, buf)); |
| 1266 | 1266 |
ASSERT (header = buf_prepend (buf, 1)); |
| 1267 | 1267 |
*header = ks->key_id | (opcode << P_OPCODE_SHIFT); |
| 1268 |
- if (session->tls_auth.key_ctx_bi->encrypt.hmac) |
|
| 1268 |
+ if (session->tls_auth.key_ctx_bi.encrypt.hmac) |
|
| 1269 | 1269 |
{
|
| 1270 | 1270 |
/* no encryption, only write hmac */ |
| 1271 | 1271 |
openvpn_encrypt (buf, null, &session->tls_auth, NULL); |
| ... | ... |
@@ -1284,7 +1279,7 @@ read_control_auth (struct buffer *buf, |
| 1284 | 1284 |
{
|
| 1285 | 1285 |
struct gc_arena gc = gc_new (); |
| 1286 | 1286 |
|
| 1287 |
- if (co->key_ctx_bi->decrypt.hmac) |
|
| 1287 |
+ if (co->key_ctx_bi.decrypt.hmac) |
|
| 1288 | 1288 |
{
|
| 1289 | 1289 |
struct buffer null = clear_buf (); |
| 1290 | 1290 |
|
| ... | ... |
@@ -1707,7 +1702,6 @@ key_state_soft_reset (struct tls_session *session) |
| 1707 | 1707 |
ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */ |
| 1708 | 1708 |
key_state_free (ks_lame, false); |
| 1709 | 1709 |
*ks_lame = *ks; |
| 1710 |
- ks_lame->crypto_options.key_ctx_bi = &ks_lame->key; |
|
| 1711 | 1710 |
ks_lame->crypto_options.packet_id = &ks_lame->packet_id; |
| 1712 | 1711 |
|
| 1713 | 1712 |
key_state_init (session, ks); |
| ... | ... |
@@ -1806,8 +1800,9 @@ key_method_1_write (struct buffer *buf, struct tls_session *session) |
| 1806 | 1806 |
return false; |
| 1807 | 1807 |
} |
| 1808 | 1808 |
|
| 1809 |
- init_key_ctx (&ks->key.encrypt, &key, &session->opt->key_type, |
|
| 1810 |
- OPENVPN_OP_ENCRYPT, "Data Channel Encrypt"); |
|
| 1809 |
+ init_key_ctx (&ks->crypto_options.key_ctx_bi.encrypt, &key, |
|
| 1810 |
+ &session->opt->key_type, OPENVPN_OP_ENCRYPT, |
|
| 1811 |
+ "Data Channel Encrypt"); |
|
| 1811 | 1812 |
CLEAR (key); |
| 1812 | 1813 |
|
| 1813 | 1814 |
/* send local options string */ |
| ... | ... |
@@ -1969,7 +1964,7 @@ key_method_2_write (struct buffer *buf, struct tls_session *session) |
| 1969 | 1969 |
{
|
| 1970 | 1970 |
if (ks->authenticated) |
| 1971 | 1971 |
{
|
| 1972 |
- if (!generate_key_expansion (&ks->key, |
|
| 1972 |
+ if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, |
|
| 1973 | 1973 |
&session->opt->key_type, |
| 1974 | 1974 |
ks->key_src, |
| 1975 | 1975 |
&ks->session_id_remote, |
| ... | ... |
@@ -2040,8 +2035,9 @@ key_method_1_read (struct buffer *buf, struct tls_session *session) |
| 2040 | 2040 |
|
| 2041 | 2041 |
buf_clear (buf); |
| 2042 | 2042 |
|
| 2043 |
- init_key_ctx (&ks->key.decrypt, &key, &session->opt->key_type, |
|
| 2044 |
- OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); |
|
| 2043 |
+ init_key_ctx (&ks->crypto_options.key_ctx_bi.decrypt, &key, |
|
| 2044 |
+ &session->opt->key_type, OPENVPN_OP_DECRYPT, |
|
| 2045 |
+ "Data Channel Decrypt"); |
|
| 2045 | 2046 |
CLEAR (key); |
| 2046 | 2047 |
ks->authenticated = true; |
| 2047 | 2048 |
return true; |
| ... | ... |
@@ -2189,7 +2185,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
| 2189 | 2189 |
*/ |
| 2190 | 2190 |
if (!session->opt->server) |
| 2191 | 2191 |
{
|
| 2192 |
- if (!generate_key_expansion (&ks->key, |
|
| 2192 |
+ if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, |
|
| 2193 | 2193 |
&session->opt->key_type, |
| 2194 | 2194 |
ks->key_src, |
| 2195 | 2195 |
&session->session_id, |
| ... | ... |
@@ -163,7 +163,6 @@ struct key_state |
| 163 | 163 |
struct packet_id packet_id; /* for data channel, to prevent replay attacks */ |
| 164 | 164 |
|
| 165 | 165 |
struct crypto_options crypto_options;/* data channel crypto options */ |
| 166 |
- struct key_ctx_bi key; /* data channel keys for encrypt/decrypt/hmac */ |
|
| 167 | 166 |
|
| 168 | 167 |
struct key_source2 *key_src; /* source entropy for key expansion */ |
| 169 | 168 |
|
| ... | ... |
@@ -270,7 +269,6 @@ struct tls_options |
| 270 | 270 |
|
| 271 | 271 |
/* packet authentication for TLS handshake */ |
| 272 | 272 |
struct crypto_options tls_auth; |
| 273 |
- struct key_ctx_bi tls_auth_key; |
|
| 274 | 273 |
|
| 275 | 274 |
/* frame parameters for TLS control channel */ |
| 276 | 275 |
struct frame frame; |