Browse code
crypto: create function to initialize encrypt and decrypt key
Instead of always initialize the encrypt and decrypt keys separately,
implement an helper function init_key_ctx_bi() that takes care of
both of them for us.
Reduces code duplication and improves readability.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20170707044704.7239-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
Steffan Karger authored on 2017/07/07 13:47:04Showing 3 changed files
| ... | ... |
@@ -873,6 +873,26 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key, |
| 873 | 873 |
} |
| 874 | 874 |
|
| 875 | 875 |
void |
| 876 |
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, |
|
| 877 |
+ int key_direction, const struct key_type *kt, const char *name) |
|
| 878 |
+{
|
|
| 879 |
+ char log_prefix[128] = { 0 };
|
|
| 880 |
+ struct key_direction_state kds; |
|
| 881 |
+ |
|
| 882 |
+ key_direction_state_init(&kds, key_direction); |
|
| 883 |
+ |
|
| 884 |
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); |
|
| 885 |
+ init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt, |
|
| 886 |
+ OPENVPN_OP_ENCRYPT, log_prefix); |
|
| 887 |
+ |
|
| 888 |
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); |
|
| 889 |
+ init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt, |
|
| 890 |
+ OPENVPN_OP_DECRYPT, log_prefix); |
|
| 891 |
+ |
|
| 892 |
+ ctx->initialized = true; |
|
| 893 |
+} |
|
| 894 |
+ |
|
| 895 |
+void |
|
| 876 | 896 |
free_key_ctx(struct key_ctx *ctx) |
| 877 | 897 |
{
|
| 878 | 898 |
if (ctx->cipher) |
| ... | ... |
@@ -1161,7 +1181,6 @@ crypto_read_openvpn_key(const struct key_type *key_type, |
| 1161 | 1161 |
{
|
| 1162 | 1162 |
struct key2 key2; |
| 1163 | 1163 |
struct key_direction_state kds; |
| 1164 |
- char log_prefix[128] = { 0 };
|
|
| 1165 | 1164 |
|
| 1166 | 1165 |
if (key_inline) |
| 1167 | 1166 |
{
|
| ... | ... |
@@ -1186,13 +1205,7 @@ crypto_read_openvpn_key(const struct key_type *key_type, |
| 1186 | 1186 |
must_have_n_keys(key_file, opt_name, &key2, kds.need_keys); |
| 1187 | 1187 |
|
| 1188 | 1188 |
/* initialize key in both directions */ |
| 1189 |
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", key_name); |
|
| 1190 |
- init_key_ctx(&ctx->encrypt, &key2.keys[kds.out_key], key_type, |
|
| 1191 |
- OPENVPN_OP_ENCRYPT, log_prefix); |
|
| 1192 |
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", key_name); |
|
| 1193 |
- init_key_ctx(&ctx->decrypt, &key2.keys[kds.in_key], key_type, |
|
| 1194 |
- OPENVPN_OP_DECRYPT, log_prefix); |
|
| 1195 |
- |
|
| 1189 |
+ init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name); |
|
| 1196 | 1190 |
secure_memzero(&key2, sizeof(key2)); |
| 1197 | 1191 |
} |
| 1198 | 1192 |
|
| ... | ... |
@@ -318,6 +318,10 @@ void init_key_ctx(struct key_ctx *ctx, const struct key *key, |
| 318 | 318 |
|
| 319 | 319 |
void free_key_ctx(struct key_ctx *ctx); |
| 320 | 320 |
|
| 321 |
+void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, |
|
| 322 |
+ int key_direction, const struct key_type *kt, |
|
| 323 |
+ const char *name); |
|
| 324 |
+ |
|
| 321 | 325 |
void free_key_ctx_bi(struct key_ctx_bi *ctx); |
| 322 | 326 |
|
| 323 | 327 |
|
| ... | ... |
@@ -1840,20 +1840,8 @@ generate_key_expansion(struct key_ctx_bi *key, |
| 1840 | 1840 |
} |
| 1841 | 1841 |
|
| 1842 | 1842 |
/* Initialize OpenSSL key contexts */ |
| 1843 |
- |
|
| 1844 |
- ASSERT(server == true || server == false); |
|
| 1845 |
- |
|
| 1846 |
- init_key_ctx(&key->encrypt, |
|
| 1847 |
- &key2.keys[(int)server], |
|
| 1848 |
- key_type, |
|
| 1849 |
- OPENVPN_OP_ENCRYPT, |
|
| 1850 |
- "Data Channel Encrypt"); |
|
| 1851 |
- |
|
| 1852 |
- init_key_ctx(&key->decrypt, |
|
| 1853 |
- &key2.keys[1-(int)server], |
|
| 1854 |
- key_type, |
|
| 1855 |
- OPENVPN_OP_DECRYPT, |
|
| 1856 |
- "Data Channel Decrypt"); |
|
| 1843 |
+ int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL; |
|
| 1844 |
+ init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel"); |
|
| 1857 | 1845 |
|
| 1858 | 1846 |
/* Initialize implicit IVs */ |
| 1859 | 1847 |
key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac, |
| ... | ... |
@@ -1861,7 +1849,6 @@ generate_key_expansion(struct key_ctx_bi *key, |
| 1861 | 1861 |
key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac, |
| 1862 | 1862 |
MAX_HMAC_KEY_LENGTH); |
| 1863 | 1863 |
|
| 1864 |
- key->initialized = true; |
|
| 1865 | 1864 |
ret = true; |
| 1866 | 1865 |
|
| 1867 | 1866 |
exit: |