diff options
| author | Christian Pointner <equinox@anytun.org> | 2009-01-14 17:21:36 +0000 |
|---|---|---|
| committer | Christian Pointner <equinox@anytun.org> | 2009-01-14 17:21:36 +0000 |
| commit | 19eca1e03c84d8cf4bcc1f5e0b24a34671545d29 (patch) | |
| tree | 3f569f3795769c0e5d6d66cd20804bd642f83bb5 | |
| parent | fixed auth_algo length check (diff) | |
change dual kd to single kd with 2 key storages
| -rw-r--r-- | src/auth_algo.c | 16 | ||||
| -rw-r--r-- | src/auth_algo.h | 8 | ||||
| -rw-r--r-- | src/cipher.c | 18 | ||||
| -rw-r--r-- | src/cipher.h | 8 | ||||
| -rw-r--r-- | src/key_derivation.c | 62 | ||||
| -rw-r--r-- | src/key_derivation.h | 10 | ||||
| -rw-r--r-- | src/uanytun.c | 40 |
7 files changed, 79 insertions, 83 deletions
diff --git a/src/auth_algo.c b/src/auth_algo.c index b842dd9..f5aef0f 100644 --- a/src/auth_algo.c +++ b/src/auth_algo.c @@ -85,7 +85,7 @@ void auth_algo_close(auth_algo_t* aa) free(aa->key_.buf_); } -void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet) +void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet) { if(!aa) return; @@ -94,14 +94,14 @@ void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_ if(aa->type_ == aa_null) return; else if(aa->type_ == aa_sha1) - auth_algo_sha1_generate(aa, kd, packet); + auth_algo_sha1_generate(aa, kd, dir, packet); else { log_printf(ERR, "unknown auth algo type"); return; } } -int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet) +int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet) { if(!aa) return; @@ -110,7 +110,7 @@ int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_ if(aa->type_ == aa_null) return 1; else if(aa->type_ == aa_sha1) - return auth_algo_sha1_check_tag(aa, kd, packet); + return auth_algo_sha1_check_tag(aa, kd, dir, packet); else { log_printf(ERR, "unknown auth algo type"); return; @@ -174,7 +174,7 @@ void auth_algo_sha1_close(auth_algo_t* aa) } -void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet) +void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet) { encrypted_packet_add_auth_tag(packet); if(!encrypted_packet_get_auth_tag_length(packet)) @@ -190,7 +190,7 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_pa } auth_algo_sha1_param_t* params = aa->params_; - int ret = key_derivation_generate(kd, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); + int ret = key_derivation_generate(kd, dir, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); if(ret < 0) return; if(ret) { // a new key got generated @@ -230,7 +230,7 @@ void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_pa } -int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet) +int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet) { if(!encrypted_packet_get_auth_tag_length(packet)) return 1; @@ -245,7 +245,7 @@ int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_pa } auth_algo_sha1_param_t* params = aa->params_; - int ret = key_derivation_generate(kd, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); + int ret = key_derivation_generate(kd, dir, LABEL_SATP_MSG_AUTH, encrypted_packet_get_seq_nr(packet), aa->key_.buf_, aa->key_.length_); if(ret < 0) return 0; if(ret) { // a new key got generated diff --git a/src/auth_algo.h b/src/auth_algo.h index 3c00dd6..1575dc1 100644 --- a/src/auth_algo.h +++ b/src/auth_algo.h @@ -55,8 +55,8 @@ typedef struct auth_algo_struct auth_algo_t; int auth_algo_init(auth_algo_t* aa, const char* type); void auth_algo_close(auth_algo_t* aa); -void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet); -int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet); +void auth_algo_generate(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet); +int auth_algo_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet); #define SHA1_LENGTH 20 @@ -72,7 +72,7 @@ typedef struct auth_algo_sha1_param_struct auth_algo_sha1_param_t; int auth_algo_sha1_init(auth_algo_t* aa); void auth_algo_sha1_close(auth_algo_t* aa); -void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet); -int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, encrypted_packet_t* packet); +void auth_algo_sha1_generate(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet); +int auth_algo_sha1_check_tag(auth_algo_t* aa, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* packet); #endif diff --git a/src/cipher.c b/src/cipher.c index 3efe26a..2066d1f 100644 --- a/src/cipher.c +++ b/src/cipher.c @@ -110,7 +110,7 @@ void cipher_close(cipher_t* c) } -int cipher_encrypt(cipher_t* c, key_derivation_t* kd, plain_packet_t* in, encrypted_packet_t* out, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) +int cipher_encrypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, plain_packet_t* in, encrypted_packet_t* out, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) { if(!c) return -1; @@ -121,7 +121,7 @@ int cipher_encrypt(cipher_t* c, key_derivation_t* kd, plain_packet_t* in, encryp encrypted_packet_get_payload(out), encrypted_packet_get_payload_length(out)); #ifndef NO_CRYPT else if(c->type_ == c_aes_ctr) - len = cipher_aesctr_crypt(c, kd, plain_packet_get_packet(in), plain_packet_get_length(in), + len = cipher_aesctr_crypt(c, kd, dir, plain_packet_get_packet(in), plain_packet_get_length(in), encrypted_packet_get_payload(out), encrypted_packet_get_payload_length(out), seq_nr, sender_id, mux); #endif @@ -142,7 +142,7 @@ int cipher_encrypt(cipher_t* c, key_derivation_t* kd, plain_packet_t* in, encryp return 0; } -int cipher_decrypt(cipher_t* c, key_derivation_t* kd, encrypted_packet_t* in, plain_packet_t* out) +int cipher_decrypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* in, plain_packet_t* out) { if(!c) return -1; @@ -153,7 +153,7 @@ int cipher_decrypt(cipher_t* c, key_derivation_t* kd, encrypted_packet_t* in, pl plain_packet_get_packet(out), plain_packet_get_length(out)); #ifndef NO_CRYPT else if(c->type_ == c_aes_ctr) - len = cipher_aesctr_crypt(c, kd, encrypted_packet_get_payload(in), encrypted_packet_get_payload_length(in), + len = cipher_aesctr_crypt(c, kd, dir, encrypted_packet_get_payload(in), encrypted_packet_get_payload_length(in), plain_packet_get_packet(out), plain_packet_get_length(out), encrypted_packet_get_seq_nr(in), encrypted_packet_get_sender_id(in), encrypted_packet_get_mux(in)); @@ -250,14 +250,14 @@ void cipher_aesctr_close(cipher_t* c) } } -int cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) +int cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) { if(!c || !c->params_) return -1; cipher_aesctr_param_t* params = c->params_; - int ret = key_derivation_generate(kd, LABEL_SATP_SALT, seq_nr, c->salt_.buf_, C_AESCTR_SALT_LENGTH); + int ret = key_derivation_generate(kd, dir, LABEL_SATP_SALT, seq_nr, c->salt_.buf_, C_AESCTR_SALT_LENGTH); if(ret < 0) return ret; @@ -275,7 +275,7 @@ int cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_nr, s return 0; } -int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) +int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux) { if(!c || !c->params_) { log_printf(ERR, "cipher not initialized"); @@ -289,7 +289,7 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_i cipher_aesctr_param_t* params = c->params_; - int ret = key_derivation_generate(kd, LABEL_SATP_ENCRYPTION, seq_nr, c->key_.buf_, c->key_.length_); + int ret = key_derivation_generate(kd, dir, LABEL_SATP_ENCRYPTION, seq_nr, c->key_.buf_, c->key_.length_); if(ret < 0) return ret; @@ -316,7 +316,7 @@ int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_i #endif } - ret = cipher_aesctr_calc_ctr(c, kd, seq_nr, sender_id, mux); + ret = cipher_aesctr_calc_ctr(c, kd, dir, seq_nr, sender_id, mux); if(ret < 0) { log_printf(ERR, "failed to calculate cipher CTR"); return ret; diff --git a/src/cipher.h b/src/cipher.h index 3ec4980..995315b 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -61,8 +61,8 @@ typedef struct cipher_struct cipher_t; int cipher_init(cipher_t* c, const char* type); void cipher_close(cipher_t* c); -int cipher_encrypt(cipher_t* c, key_derivation_t* kd, plain_packet_t* in, encrypted_packet_t* out, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); -int cipher_decrypt(cipher_t* c, key_derivation_t* kd, encrypted_packet_t* in, plain_packet_t* out); +int cipher_encrypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, plain_packet_t* in, encrypted_packet_t* out, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); +int cipher_decrypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, encrypted_packet_t* in, plain_packet_t* out); int32_t cipher_null_crypt(u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen); @@ -103,8 +103,8 @@ typedef struct cipher_aesctr_param_struct cipher_aesctr_param_t; int cipher_aesctr_init(cipher_t* c); void cipher_aesctr_close(cipher_t* c); -int cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); -int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); +int cipher_aesctr_calc_ctr(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); +int32_t cipher_aesctr_crypt(cipher_t* c, key_derivation_t* kd, key_store_dir_t dir, u_int8_t* in, u_int32_t ilen, u_int8_t* out, u_int32_t olen, seq_nr_t seq_nr, sender_id_t sender_id, mux_t mux); #endif #endif diff --git a/src/key_derivation.c b/src/key_derivation.c index 60d1921..0283a7c 100644 --- a/src/key_derivation.c +++ b/src/key_derivation.c @@ -78,11 +78,13 @@ int key_derivation_init(key_derivation_t* kd, const char* type, int8_t ld_kdr, c kd->params_ = NULL; - int i; - for(i = 0; i<KD_LABEL_COUNT; ++i) { - kd->key_store_[i].key_.buf_ = NULL; - kd->key_store_[i].key_.length_ = 0; - kd->key_store_[i].r_ = 0; + int d, i; + for(d = 0; d<2; ++d) { + for(i = 0; i<KD_LABEL_COUNT; ++i) { + kd->key_store_[d][i].key_.buf_ = NULL; + kd->key_store_[d][i].key_.length_ = 0; + kd->key_store_[d][i].r_ = 0; + } } if(!key) { @@ -248,14 +250,16 @@ void key_derivation_close(key_derivation_t* kd) if(kd->master_salt_.buf_) free(kd->master_salt_.buf_); - int i; - for(i = 0; i<KD_LABEL_COUNT; ++i) { - if(kd->key_store_[i].key_.buf_) - free(kd->key_store_[i].key_.buf_); + int d, i; + for(d = 0; d<2; ++d) { + for(i = 0; i<KD_LABEL_COUNT; ++i) { + if(kd->key_store_[d][i].key_.buf_) + free(kd->key_store_[d][i].key_.buf_); + } } } -int key_derivation_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len) +int key_derivation_generate(key_derivation_t* kd, key_store_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len) { if(!kd || !key) return -1; @@ -269,7 +273,7 @@ int key_derivation_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr if(kd->type_ == kd_null) ret = key_derivation_null_generate(key, len); else if(kd->type_ == kd_aes_ctr) - ret = key_derivation_aesctr_generate(kd, label, seq_nr, key, len); + ret = key_derivation_aesctr_generate(kd, dir, label, seq_nr, key, len); else { log_printf(ERR, "unknown key derivation type"); return -1; @@ -365,7 +369,7 @@ void key_derivation_aesctr_close(key_derivation_t* kd) } } -int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr) +int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_store_dir_t dir, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr) { if(!kd || !kd->params_ || !r) return -1; @@ -376,7 +380,7 @@ int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_l if(kd->ld_kdr_ >= 0) *r = seq_nr >> kd->ld_kdr_; - if(kd->key_store_[label].key_.buf_ && kd->key_store_[label].r_ == *r) { + if(kd->key_store_[dir][label].key_.buf_ && kd->key_store_[dir][label].r_ == *r) { if(!(*r) || (seq_nr % (*r))) return 0; } @@ -398,7 +402,7 @@ int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_l return 1; } -int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len) +int key_derivation_aesctr_generate(key_derivation_t* kd, key_store_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len) { if(!kd || !kd->params_ || !kd->master_key_.buf_ || !kd->master_salt_.buf_) { log_printf(ERR, "key derivation not initialized or no key or salt set"); @@ -408,18 +412,18 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, key_derivation_aesctr_param_t* params = kd->params_; seq_nr_t r; - int ret = key_derivation_aesctr_calc_ctr(kd, &r, label, seq_nr); + int ret = key_derivation_aesctr_calc_ctr(kd, dir, &r, label, seq_nr); if(ret < 0) { log_printf(ERR, "failed to calculate key derivation CTR"); return -1; } else if(!ret) { - if(len > kd->key_store_[label].key_.length_) { + if(len > kd->key_store_[dir][label].key_.length_) { log_printf(WARNING, "stored (old) key for label 0x%02X is too short, filling with zeros", label); memset(key, 0, len); - len = kd->key_store_[label].key_.length_; + len = kd->key_store_[dir][label].key_.length_; } - memcpy(key, kd->key_store_[label].key_.buf_, len); + memcpy(key, kd->key_store_[dir][label].key_.buf_, len); return 0; } @@ -456,25 +460,25 @@ int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, if(!kd->ld_kdr_) return 1; - if(!kd->key_store_[label].key_.buf_) { - kd->key_store_[label].key_.length_ = 0; - kd->key_store_[label].key_.buf_ = malloc(len); - if(!kd->key_store_[label].key_.buf_) + if(!kd->key_store_[dir][label].key_.buf_) { + kd->key_store_[dir][label].key_.length_ = 0; + kd->key_store_[dir][label].key_.buf_ = malloc(len); + if(!kd->key_store_[dir][label].key_.buf_) return -2; - kd->key_store_[label].key_.length_ = len; + kd->key_store_[dir][label].key_.length_ = len; } - else if(kd->key_store_[label].key_.length_ < len) { - u_int8_t* tmp = realloc(kd->key_store_[label].key_.buf_, len); + else if(kd->key_store_[dir][label].key_.length_ < len) { + u_int8_t* tmp = realloc(kd->key_store_[dir][label].key_.buf_, len); if(!tmp) return -2; - kd->key_store_[label].key_.buf_ = tmp; - kd->key_store_[label].key_.length_ = len; + kd->key_store_[dir][label].key_.buf_ = tmp; + kd->key_store_[dir][label].key_.length_ = len; } - memcpy(kd->key_store_[label].key_.buf_, key, len); - kd->key_store_[label].r_ = r; + memcpy(kd->key_store_[dir][label].key_.buf_, key, len); + kd->key_store_[dir][label].r_ = r; return 1; } diff --git a/src/key_derivation.h b/src/key_derivation.h index 6cec9c9..1e849af 100644 --- a/src/key_derivation.h +++ b/src/key_derivation.h @@ -51,6 +51,8 @@ typedef enum satp_prf_label_enum satp_prf_label_t; enum key_derivation_type_enum { kd_unknown, kd_null, kd_aes_ctr }; typedef enum key_derivation_type_enum key_derivation_type_t; +enum key_store_dir_enum { kd_inbound = 0, kd_outbound = 1 }; +typedef enum key_store_dir_enum key_store_dir_t; struct key_store_struct { buffer_t key_; @@ -64,7 +66,7 @@ struct key_derivation_struct { int8_t ld_kdr_; buffer_t master_key_; buffer_t master_salt_; - key_store_t key_store_[KD_LABEL_COUNT]; + key_store_t key_store_[2][KD_LABEL_COUNT]; void* params_; }; typedef struct key_derivation_struct key_derivation_t; @@ -75,7 +77,7 @@ int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphr int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length); #endif void key_derivation_close(key_derivation_t* kd); -int key_derivation_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); +int key_derivation_generate(key_derivation_t* kd, key_store_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); int key_derivation_null_generate(u_int8_t* key, u_int32_t len); @@ -122,7 +124,7 @@ typedef struct key_derivation_aesctr_param_struct key_derivation_aesctr_param_t; int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase); void key_derivation_aesctr_close(key_derivation_t* kd); -int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr); -int key_derivation_aesctr_generate(key_derivation_t* kd, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); +int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_store_dir_t dir, seq_nr_t* r, satp_prf_label_t label, seq_nr_t seq_nr); +int key_derivation_aesctr_generate(key_derivation_t* kd, key_store_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len); #endif diff --git a/src/uanytun.c b/src/uanytun.c index 15e3238..6854200 100644 --- a/src/uanytun.c +++ b/src/uanytun.c @@ -97,7 +97,7 @@ int init_libgcrypt() typedef u_int8_t auth_algo_t; #endif -int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_t* kd_in, key_derivation_t* kd_out, seq_win_t* seq_win) +int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_t* kd, seq_win_t* seq_win) { int ret = cipher_init(c, opt->cipher_); if(ret) { @@ -113,22 +113,14 @@ int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_ return ret; } - ret = key_derivation_init(kd_in, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); + ret = key_derivation_init(kd, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); if(ret) { - log_printf(ERR, "could not initialize inbound key derivation of type %s", opt->kd_prf_); + log_printf(ERR, "could not initialize key derivation of type %s", opt->kd_prf_); cipher_close(c); auth_algo_close(aa); return ret; } - ret = key_derivation_init(kd_out, opt->kd_prf_, opt->ld_kdr_, opt->passphrase_, opt->key_.buf_, opt->key_.length_, opt->salt_.buf_, opt->salt_.length_); - if(ret) { - log_printf(ERR, "could not initialize outbound key derivation of type %s", opt->kd_prf_); - cipher_close(c); - auth_algo_close(aa); - key_derivation_close(kd_in); - return ret; - } #endif ret = seq_win_init(seq_win, opt->seq_window_size_); @@ -137,8 +129,7 @@ int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_ cipher_close(c); #ifndef NO_CRYPT auth_algo_close(aa); - key_derivation_close(kd_in); - key_derivation_close(kd_out); + key_derivation_close(kd); #endif return ret; } @@ -146,7 +137,7 @@ int init_main_loop(options_t* opt, cipher_t* c, auth_algo_t* aa, key_derivation_ } int process_tun_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, plain_packet_t* plain_packet, encrypted_packet_t* encrypted_packet, - cipher_t* c, auth_algo_t* aa, key_derivation_t* kd_out, seq_nr_t seq_nr) + cipher_t* c, auth_algo_t* aa, key_derivation_t* kd, seq_nr_t seq_nr) { plain_packet_set_payload_length(plain_packet, -1); encrypted_packet_set_length(encrypted_packet, -1); @@ -166,10 +157,10 @@ int process_tun_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, plai else plain_packet_set_type(plain_packet, PAYLOAD_TYPE_UNKNOWN); - cipher_encrypt(c, kd_out, plain_packet, encrypted_packet, seq_nr, opt->sender_id_, opt->mux_); + cipher_encrypt(c, kd, kd_outbound, plain_packet, encrypted_packet, seq_nr, opt->sender_id_, opt->mux_); #ifndef NO_CRYPT - auth_algo_generate(aa, kd_out, encrypted_packet); + auth_algo_generate(aa, kd, kd_outbound, encrypted_packet); #endif len = udp_write(sock, encrypted_packet_get_packet(encrypted_packet), encrypted_packet_get_length(encrypted_packet)); @@ -180,7 +171,7 @@ int process_tun_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, plai } int process_sock_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, plain_packet_t* plain_packet, encrypted_packet_t* encrypted_packet, - cipher_t* c, auth_algo_t* aa, key_derivation_t* kd_in, seq_win_t* seq_win) + cipher_t* c, auth_algo_t* aa, key_derivation_t* kd, seq_win_t* seq_win) { plain_packet_set_payload_length(plain_packet, -1); encrypted_packet_set_length(encrypted_packet, -1); @@ -196,7 +187,7 @@ int process_sock_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, pla encrypted_packet_set_length(encrypted_packet, len); #ifndef NO_CRYPT - if(!auth_algo_check_tag(aa, kd_in, encrypted_packet)) { + if(!auth_algo_check_tag(aa, kd, kd_inbound, encrypted_packet)) { log_printf(WARNING, "wrong authentication tag, discarding packet"); return 0; } @@ -224,7 +215,7 @@ int process_sock_data(tun_device_t* dev, udp_socket_t* sock, options_t* opt, pla free(addrstring); } - int ret = cipher_decrypt(c, kd_in, encrypted_packet, plain_packet); + int ret = cipher_decrypt(c, kd, kd_inbound, encrypted_packet, plain_packet); if(ret) return ret; @@ -249,10 +240,10 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) cipher_t c; auth_algo_t aa; - key_derivation_t kd_in, kd_out; + key_derivation_t kd; seq_win_t seq_win; - int ret = init_main_loop(opt, &c, &aa, &kd_in, &kd_out, &seq_win); + int ret = init_main_loop(opt, &c, &aa, &kd, &seq_win); if(ret) return ret; @@ -278,14 +269,14 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) } if(FD_ISSET(dev->fd_, &readfds)) { - return_value = process_tun_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd_out, seq_nr); + return_value = process_tun_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, seq_nr); seq_nr++; if(return_value) break; } if(FD_ISSET(sock->fd_, &readfds)) { - return_value = process_sock_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd_in, &seq_win); + return_value = process_sock_data(dev, sock, opt, &plain_packet, &encrypted_packet, &c, &aa, &kd, &seq_win); if(return_value) break; } @@ -294,8 +285,7 @@ int main_loop(tun_device_t* dev, udp_socket_t* sock, options_t* opt) cipher_close(&c); #ifndef NO_CRYPT auth_algo_close(&aa); - key_derivation_close(&kd_out); - key_derivation_close(&kd_in); + key_derivation_close(&kd); #endif seq_win_clear(&seq_win); |