Change subject: Split init_key_ctx_bi into send/recv init
......................................................................
Split init_key_ctx_bi into send/recv init
This allows initialising only one of the two keys. This is needed
for epoch keys, where the send and receive keys can be rotated at
different points in time.
Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/crypto.c
M src/openvpn/crypto.h
2 files changed, 38 insertions(+), 5 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/99/799/1
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index a366474..f0b60a3 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -939,8 +939,8 @@
}
void
-init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt, const char *name)
+init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt, const char
*name)
{
char log_prefix[128] = { 0 };
struct key_direction_state kds;
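Review bot: The new name init_key_bi_ctx_send places `bi` differently from the existing init_key_ctx_bi it is split from, and `bi` is misleading here because the function now initialises a single unidirectional struct key_ctx (the parameter type changed from key_ctx_bi to key_ctx in the signature above); the same applies to init_key_bi_ctx_recv in the next crypto.c hunk and to both declarations in the second crypto.h hunk. Consider `init_key_ctx_send` / `init_key_ctx_recv`, or a comment on the declarations stating that `bi` refers to the bidirectional key2 source rather than to the context being filled. The function body continues in the next hunk.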
@@ -948,13 +948,32 @@
key_direction_state_init(&kds, key_direction);
snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
- init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt,
+ init_key_ctx(ctx, &key2->keys[kds.out_key], kt,
OPENVPN_OP_ENCRYPT, log_prefix);
+}
+
+void
+init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt, const char
*name)
+{
+ char log_prefix[128] = { 0 };
+ struct key_direction_state kds;
+
+ key_direction_state_init(&kds, key_direction);
+
snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
- init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt,
+ init_key_ctx(ctx, &key2->keys[kds.in_key], kt,
OPENVPN_OP_DECRYPT, log_prefix);
+}
+
+void
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt, const char *name)
+{
+ init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, kt, name);
+ init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, kt, name);
ctx->initialized = true;
}
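Review bot: The single-direction initialisers leave key_ctx_bi::initialized untouched — only the combined init_key_ctx_bi wrapper sets it, on the line before the closing brace — so a caller that uses init_key_bi_ctx_send or init_key_bi_ctx_recv alone (the epoch-key use case the commit message names) has no per-context indication that half of the pair is live, and nothing in the hunk says who owns that flag. Both new functions are public yet carry no doxygen block in either file as far as the hunks show. Suggest a comment on each definition such as `/** Initialise the send (encrypt) context only, from the key2 entry selected by key_direction; does not set key_ctx_bi::initialized — the caller tracks that. */` with mirrored wording for the recv side. Calling key_direction_state_init() again in each function is harmless duplication, but the resolved key index could be computed once in init_key_ctx_bi and passed down if more single-side callers appear.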
@@ -972,6 +991,8 @@
hmac_ctx_free(ctx->hmac);
ctx->hmac = NULL;
}
+ CLEAR(ctx->implicit_iv);
+ ctx->plaintext_blocks = 0;
}
void
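Review bot: The two added lines reset implicit_iv and plaintext_blocks inside free_key_ctx, which is unrelated to the send/recv split in the subject and not mentioned in the commit message; either describe it there or add a why-comment, e.g. `/* implicit_iv is derived from the key: clear it together with the key so a stale IV cannot survive a re-init of this context */`. CLEAR() is presumably a memset-style wrapper; that is adequate while the struct stays live, which appears to be the case since the visible part of the function releases ctx->hmac rather than the struct itself, but if implicit_iv holds key-derived secret material a wipe the compiler cannot elide would be the more robust choice. free_key_ctx starts outside the hunk.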
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 0ae86f4..3331672 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -189,7 +189,9 @@
int n; /**< The number of \c key objects stored
* in the \c key2.keys array. */
struct key keys[2]; /**< Two unidirectional sets of %key
- * material. */
+ * material. The first key is the client
+ * (encrypts) to server (decrypts), the
+ * second the server to client key. */
};
/**
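Review bot: The new comment states the client-to-server / server-to-client assignment of keys[0] and keys[1] as a fixed property of the struct, but which entry is used for sending and which for receiving is decided at runtime by the key_direction argument through key_direction_state_init() in crypto.c, so the text should present it as the convention under which init_key_ctx_bi() is normally called rather than an invariant. Suggest: `* material. By convention keys[0] is the client-to-server key and keys[1] the server-to-client key; the key_direction argument of init_key_ctx_bi() selects which entry is used for send and which for receive.`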
@@ -342,6 +344,16 @@
const struct key_type *kt, int enc,
const char *prefix);
+void
+init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt,
+ const char *name);
+
+void
+init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt,
+ const char *name);
+
void free_key_ctx(struct key_ctx *ctx);
void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: If9e029bdac264dcc05b2d256c4d323315904a92b
Gerrit-Change-Number: 799
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-MessageType: newchange