The encrypt and decrypt routines use struct crypto_options as their main
information source. A struct crypto_options used to hold a pointer to a
struct key_ctx_bi, which had to be updated at the correct moments to stay
valid. Instead of doing this bookkeeping, just put the struct
key_ctx_bi inside crypto_options. This makes the code a little simpler too.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1454874438-5081-5-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11078
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -91,9 +91,9 @@ openvpn_encrypt (struct buffer *buf, struct buffer work, |
91 | 91 |
struct gc_arena gc; |
92 | 92 |
gc_init (&gc); |
93 | 93 |
|
94 |
- if (buf->len > 0 && opt->key_ctx_bi) |
|
94 |
+ if (buf->len > 0 && opt) |
|
95 | 95 |
{ |
96 |
- struct key_ctx *ctx = &opt->key_ctx_bi->encrypt; |
|
96 |
+ const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; |
|
97 | 97 |
|
98 | 98 |
/* Do Encrypt from buf -> work */ |
99 | 99 |
if (ctx->cipher) |
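Review bot: The new guard `if (buf->len > 0 && opt)` in openvpn_encrypt no longer tests whether keys were ever installed, so the "no key" case now rests on `ctx->cipher` (and presumably the HMAC test further down, outside this hunk) being NULL. That holds only if every struct crypto_options is zero-initialised before it reaches this function; an instance that was never cleared would present indeterminate pointers here where the old code saw a NULL key_ctx_bi. I would state the contract above the guard, e.g. `/* key_ctx_bi is embedded: unset keys are signalled by NULL cipher/hmac, so *opt must have been CLEAR()ed */`. The same applies to the matching guard in openvpn_decrypt, and both function bodies continue outside their hunks.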
... | ... |
@@ -240,9 +240,9 @@ openvpn_decrypt (struct buffer *buf, struct buffer work, |
240 | 240 |
struct gc_arena gc; |
241 | 241 |
gc_init (&gc); |
242 | 242 |
|
243 |
- if (buf->len > 0 && opt->key_ctx_bi) |
|
243 |
+ if (buf->len > 0 && opt) |
|
244 | 244 |
{ |
245 |
- struct key_ctx *ctx = &opt->key_ctx_bi->decrypt; |
|
245 |
+ const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; |
|
246 | 246 |
struct packet_id_net pin; |
247 | 247 |
bool have_pin = false; |
248 | 248 |
|
... | ... |
@@ -2134,7 +2134,7 @@ do_init_crypto_static (struct context *c, const unsigned int flags) |
2134 | 2134 |
} |
2135 | 2135 |
|
2136 | 2136 |
/* Get key schedule */ |
2137 |
- c->c2.crypto_options.key_ctx_bi = &c->c1.ks.static_key; |
|
2137 |
+ c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key; |
|
2138 | 2138 |
|
2139 | 2139 |
/* Compute MTU parameters */ |
2140 | 2140 |
crypto_adjust_frame_parameters (&c->c2.frame, |
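Review bot: `c->c2.crypto_options.key_ctx_bi = c->c1.ks.static_key;` is now a by-value struct copy, and because struct key_ctx appears to hold `cipher` and `hmac` pointers (they are tested as such elsewhere in this commit), both structs end up referring to the same context objects. Nothing in the hunk says which copy owns them: calling free_key_ctx_bi() on both would free the contexts twice, and freeing c1.ks while c2 is still in use would leave dangling pointers in the packet path. A comment such as `/* shallow copy; c1.ks.static_key remains the owner, never free_key_ctx_bi() this copy */` would pin the contract down, assuming that is the intended ownership. The same pattern appears in `to.tls_auth.key_ctx_bi = c->c1.ks.tls_auth_key;` in do_init_crypto_tls and in the `tas->tls_auth_options.key_ctx_bi = tls_options->tls_auth.key_ctx_bi;` assignment in tls_auth_standalone_init.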
... | ... |
@@ -2388,7 +2388,7 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) |
2388 | 2388 |
/* TLS handshake authentication (--tls-auth) */ |
2389 | 2389 |
if (options->tls_auth_file) |
2390 | 2390 |
{ |
2391 |
- to.tls_auth_key = c->c1.ks.tls_auth_key; |
|
2391 |
+ to.tls_auth.key_ctx_bi = c->c1.ks.tls_auth_key; |
|
2392 | 2392 |
to.tls_auth.pid_persist = &c->c1.pid_persist; |
2393 | 2393 |
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM; |
2394 | 2394 |
crypto_adjust_frame_parameters (&to.frame, |
... | ... |
@@ -786,7 +786,6 @@ key_state_init (struct tls_session *session, struct key_state *ks) |
786 | 786 |
session->opt->replay_time, |
787 | 787 |
"SSL", ks->key_id); |
788 | 788 |
|
789 |
- ks->crypto_options.key_ctx_bi = &ks->key; |
|
790 | 789 |
ks->crypto_options.packet_id = session->opt->replay ? &ks->packet_id : NULL; |
791 | 790 |
ks->crypto_options.pid_persist = NULL; |
792 | 791 |
ks->crypto_options.flags = session->opt->crypto_flags; |
... | ... |
@@ -819,7 +818,7 @@ key_state_free (struct key_state *ks, bool clear) |
819 | 819 |
|
820 | 820 |
key_state_ssl_free(&ks->ks_ssl); |
821 | 821 |
|
822 |
- free_key_ctx_bi (&ks->key); |
|
822 |
+ free_key_ctx_bi (&ks->crypto_options.key_ctx_bi); |
|
823 | 823 |
free_buf (&ks->plaintext_read_buf); |
824 | 824 |
free_buf (&ks->plaintext_write_buf); |
825 | 825 |
free_buf (&ks->ack_write_buf); |
... | ... |
@@ -1072,9 +1071,6 @@ tls_multi_init (struct tls_options *tls_options) |
1072 | 1072 |
/* get command line derived options */ |
1073 | 1073 |
ret->opt = *tls_options; |
1074 | 1074 |
|
1075 |
- /* set up pointer to HMAC object for TLS packet authentication */ |
|
1076 |
- ret->opt.tls_auth.key_ctx_bi = &ret->opt.tls_auth_key; |
|
1077 |
- |
|
1078 | 1075 |
/* set up list of keys to be scanned by data channel encrypt and decrypt routines */ |
1079 | 1076 |
ASSERT (SIZE (ret->key_scan) == 3); |
1080 | 1077 |
ret->key_scan[0] = &ret->session[TM_ACTIVE].key[KS_PRIMARY]; |
... | ... |
@@ -1113,8 +1109,7 @@ tls_auth_standalone_init (struct tls_options *tls_options, |
1113 | 1113 |
ALLOC_OBJ_CLEAR_GC (tas, struct tls_auth_standalone, gc); |
1114 | 1114 |
|
1115 | 1115 |
/* set up pointer to HMAC object for TLS packet authentication */ |
1116 |
- tas->tls_auth_key = tls_options->tls_auth_key; |
|
1117 |
- tas->tls_auth_options.key_ctx_bi = &tas->tls_auth_key; |
|
1116 |
+ tas->tls_auth_options.key_ctx_bi = tls_options->tls_auth.key_ctx_bi; |
|
1118 | 1117 |
tas->tls_auth_options.flags |= CO_PACKET_ID_LONG_FORM; |
1119 | 1118 |
|
1120 | 1119 |
/* get initial frame parms, still need to finalize */ |
... | ... |
@@ -1197,11 +1192,11 @@ tls_multi_free (struct tls_multi *multi, bool clear) |
1197 | 1197 |
static bool |
1198 | 1198 |
swap_hmac (struct buffer *buf, const struct crypto_options *co, bool incoming) |
1199 | 1199 |
{ |
1200 |
- struct key_ctx *ctx; |
|
1200 |
+ const struct key_ctx *ctx; |
|
1201 | 1201 |
|
1202 | 1202 |
ASSERT (co); |
1203 | 1203 |
|
1204 |
- ctx = (incoming ? &co->key_ctx_bi->decrypt : &co->key_ctx_bi->encrypt); |
|
1204 |
+ ctx = (incoming ? &co->key_ctx_bi.decrypt : &co->key_ctx_bi.encrypt); |
|
1205 | 1205 |
ASSERT (ctx->hmac); |
1206 | 1206 |
|
1207 | 1207 |
{ |
... | ... |
@@ -1265,7 +1260,7 @@ write_control_auth (struct tls_session *session, |
1265 | 1265 |
ASSERT (session_id_write_prepend (&session->session_id, buf)); |
1266 | 1266 |
ASSERT (header = buf_prepend (buf, 1)); |
1267 | 1267 |
*header = ks->key_id | (opcode << P_OPCODE_SHIFT); |
1268 |
- if (session->tls_auth.key_ctx_bi->encrypt.hmac) |
|
1268 |
+ if (session->tls_auth.key_ctx_bi.encrypt.hmac) |
|
1269 | 1269 |
{ |
1270 | 1270 |
/* no encryption, only write hmac */ |
1271 | 1271 |
openvpn_encrypt (buf, null, &session->tls_auth, NULL); |
... | ... |
@@ -1284,7 +1279,7 @@ read_control_auth (struct buffer *buf, |
1284 | 1284 |
{ |
1285 | 1285 |
struct gc_arena gc = gc_new (); |
1286 | 1286 |
|
1287 |
- if (co->key_ctx_bi->decrypt.hmac) |
|
1287 |
+ if (co->key_ctx_bi.decrypt.hmac) |
|
1288 | 1288 |
{ |
1289 | 1289 |
struct buffer null = clear_buf (); |
1290 | 1290 |
|
... | ... |
@@ -1707,7 +1702,6 @@ key_state_soft_reset (struct tls_session *session) |
1707 | 1707 |
ks->must_die = now + session->opt->transition_window; /* remaining lifetime of old key */ |
1708 | 1708 |
key_state_free (ks_lame, false); |
1709 | 1709 |
*ks_lame = *ks; |
1710 |
- ks_lame->crypto_options.key_ctx_bi = &ks_lame->key; |
|
1711 | 1710 |
ks_lame->crypto_options.packet_id = &ks_lame->packet_id; |
1712 | 1711 |
|
1713 | 1712 |
key_state_init (session, ks); |
... | ... |
@@ -1806,8 +1800,9 @@ key_method_1_write (struct buffer *buf, struct tls_session *session) |
1806 | 1806 |
return false; |
1807 | 1807 |
} |
1808 | 1808 |
|
1809 |
- init_key_ctx (&ks->key.encrypt, &key, &session->opt->key_type, |
|
1810 |
- OPENVPN_OP_ENCRYPT, "Data Channel Encrypt"); |
|
1809 |
+ init_key_ctx (&ks->crypto_options.key_ctx_bi.encrypt, &key, |
|
1810 |
+ &session->opt->key_type, OPENVPN_OP_ENCRYPT, |
|
1811 |
+ "Data Channel Encrypt"); |
|
1811 | 1812 |
CLEAR (key); |
1812 | 1813 |
|
1813 | 1814 |
/* send local options string */ |
... | ... |
@@ -1969,7 +1964,7 @@ key_method_2_write (struct buffer *buf, struct tls_session *session) |
1969 | 1969 |
{ |
1970 | 1970 |
if (ks->authenticated) |
1971 | 1971 |
{ |
1972 |
- if (!generate_key_expansion (&ks->key, |
|
1972 |
+ if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, |
|
1973 | 1973 |
&session->opt->key_type, |
1974 | 1974 |
ks->key_src, |
1975 | 1975 |
&ks->session_id_remote, |
... | ... |
@@ -2040,8 +2035,9 @@ key_method_1_read (struct buffer *buf, struct tls_session *session) |
2040 | 2040 |
|
2041 | 2041 |
buf_clear (buf); |
2042 | 2042 |
|
2043 |
- init_key_ctx (&ks->key.decrypt, &key, &session->opt->key_type, |
|
2044 |
- OPENVPN_OP_DECRYPT, "Data Channel Decrypt"); |
|
2043 |
+ init_key_ctx (&ks->crypto_options.key_ctx_bi.decrypt, &key, |
|
2044 |
+ &session->opt->key_type, OPENVPN_OP_DECRYPT, |
|
2045 |
+ "Data Channel Decrypt"); |
|
2045 | 2046 |
CLEAR (key); |
2046 | 2047 |
ks->authenticated = true; |
2047 | 2048 |
return true; |
... | ... |
@@ -2189,7 +2185,7 @@ key_method_2_read (struct buffer *buf, struct tls_multi *multi, struct tls_sessi |
2189 | 2189 |
*/ |
2190 | 2190 |
if (!session->opt->server) |
2191 | 2191 |
{ |
2192 |
- if (!generate_key_expansion (&ks->key, |
|
2192 |
+ if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi, |
|
2193 | 2193 |
&session->opt->key_type, |
2194 | 2194 |
ks->key_src, |
2195 | 2195 |
&session->session_id, |
... | ... |
@@ -163,7 +163,6 @@ struct key_state |
163 | 163 |
struct packet_id packet_id; /* for data channel, to prevent replay attacks */ |
164 | 164 |
|
165 | 165 |
struct crypto_options crypto_options;/* data channel crypto options */ |
166 |
- struct key_ctx_bi key; /* data channel keys for encrypt/decrypt/hmac */ |
|
167 | 166 |
|
168 | 167 |
struct key_source2 *key_src; /* source entropy for key expansion */ |
169 | 168 |
|
... | ... |
@@ -270,7 +269,6 @@ struct tls_options |
270 | 270 |
|
271 | 271 |
/* packet authentication for TLS handshake */ |
272 | 272 |
struct crypto_options tls_auth; |
273 |
- struct key_ctx_bi tls_auth_key; |
|
274 | 273 |
|
275 | 274 |
/* frame parameters for TLS control channel */ |
276 | 275 |
struct frame frame; |