From: Steffan Karger <stef...@karger.me>

Instead of always initializing the encrypt and decrypt keys separately, implement a helper function init_key_ctx_bi() that takes care of both of them for us.
Reduces code duplication and improves readability.
Acked-by: Antonio Quartulli <anto...@openvpn.net>
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/crypto.c | 29 +++++++++++++++++++++--------
src/openvpn/crypto.h | 4 ++++
src/openvpn/ssl.c | 17 ++---------------
3 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 78ca4197..4ea0af09 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -873,6 +873,26 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key,
 }
 void
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt, const char *name)
+{
+ char log_prefix[128] = { 0 };
+ struct key_direction_state kds;
+
+ key_direction_state_init(&kds, key_direction);
+
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
+ init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt,
+ OPENVPN_OP_ENCRYPT, log_prefix);
+
+ openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
+ init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt,
+ OPENVPN_OP_DECRYPT, log_prefix);
+
+ ctx->initialized = true;
+}
+
+void
 free_key_ctx(struct key_ctx *ctx)
 {
 if (ctx->cipher)
@@ -1161,7 +1181,6 @@ crypto_read_openvpn_key(const struct key_type *key_type,
 {
 struct key2 key2;
 struct key_direction_state kds;
- char log_prefix[128] = { 0 };
 if (key_inline)
 {
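Review bot: init_key_ctx_bi() reads key2->keys[kds.out_key] and key2->keys[kds.in_key] without checking that key2 actually carries the keys key_direction needs; in this hunk that guarantee exists only in the callers (must_have_n_keys() in crypto_read_openvpn_key(), and the two-key expansion in ssl.c), so the helper silently depends on it. Stating the precondition would keep a future caller from feeding an unpopulated slot into init_key_ctx(): either a comment above the definition, `/* Precondition: key2 holds the key(s) required by key_direction (see must_have_n_keys) */`, or an explicit `ASSERT(key2->n >= kds.need_keys);` right after key_direction_state_init(). The same applies to `name`, which is formatted with "%s" and so must not be NULL; both visible callers pass a non-NULL string, so a comment on the parameter is enough.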
@@ -1186,13 +1205,7 @@ crypto_read_openvpn_key(const struct key_type *key_type,
 must_have_n_keys(key_file, opt_name, &key2, kds.need_keys);
 /* initialize key in both directions */
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", key_name);
- init_key_ctx(&ctx->encrypt, &key2.keys[kds.out_key], key_type,
- OPENVPN_OP_ENCRYPT, log_prefix);
- openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", key_name);
- init_key_ctx(&ctx->decrypt, &key2.keys[kds.in_key], key_type,
- OPENVPN_OP_DECRYPT, log_prefix);
-
+ init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name);
 secure_memzero(&key2, sizeof(key2));
 }
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index fec2eea7..86d2cfcc 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -318,6 +318,10 @@ void init_key_ctx(struct key_ctx *ctx, const struct key *key,
 void free_key_ctx(struct key_ctx *ctx);
+void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+ int key_direction, const struct key_type *kt,
+ const char *name);
+
 void free_key_ctx_bi(struct key_ctx_bi *ctx);
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index df232894..56daec38 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1840,20 +1840,8 @@ generate_key_expansion(struct key_ctx_bi *key,
 }
 /* Initialize OpenSSL key contexts */
-
- ASSERT(server == true || server == false);
-
- init_key_ctx(&key->encrypt,
- &key2.keys[(int)server],
- key_type,
- OPENVPN_OP_ENCRYPT,
- "Data Channel Encrypt");
-
- init_key_ctx(&key->decrypt,
- &key2.keys[1-(int)server],
- key_type,
- OPENVPN_OP_DECRYPT,
- "Data Channel Decrypt");
+ int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
+ init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
 /* Initialize implicit IVs */
 key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
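Review bot: The new init_key_ctx_bi() prototype in crypto.h is added without a comment, so a reader of the header cannot tell what key_direction selects or that the call marks the context as initialised. A Doxygen block above the declaration should state that it initialises both ctx->encrypt and ctx->decrypt from key2, that key_direction (KEY_DIRECTION_NORMAL, KEY_DIRECTION_INVERSE, or whatever else key_direction_state_init() accepts) decides which key2 slot feeds each direction, that kt is the key type used for both contexts, that name is only a component of the log prefix (truncated to the 128-byte buffer in the definition), that key2 must already contain the keys the direction requires, and that ctx->initialized is set to true on return.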
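Review bot: The direction mapping in generate_key_expansion() is now expressed two ways: the new `key_direction` picks the cipher-key slots inside init_key_ctx_bi(), while the key_ctx_update_implicit_iv() calls that follow (the last context line of this hunk and the next hunk) still pick the HMAC slot with `(int)server` and `1-(int)server`. The two presumably agree today, since the old code used keys[(int)server] for encrypt, but nothing ties them together; a comment on the new line such as `/* must match the (int)server slot selection used for the implicit IVs below */` would flag the coupling, and deriving both from one key_direction_state would remove it. Note also that the helper sets `key->initialized = true` before the implicit IVs are installed, whereas the old code set it afterwards (removed in the next hunk); this looks harmless here because nothing between the two calls inspects the context, but it is a reordering the commit message does not mention. generate_key_expansion() starts before this hunk and ends after it.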
@@ -1861,7 +1849,6 @@ generate_key_expansion(struct key_ctx_bi *key,
 key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
 MAX_HMAC_KEY_LENGTH);
- key->initialized = true;
 ret = true;
 exit:
-- 2.13.2
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel