Move tls_select_primary_key into its own function
authorArne Schwabe <arne@rfc2549.org>
Thu, 22 Apr 2021 15:17:18 +0000 (17:17 +0200)
committerGert Doering <gert@greenie.muc.de>
Tue, 27 Apr 2021 10:28:10 +0000 (12:28 +0200)
tls_pre_encrypt mainly performs the task of selecting the primary
encryption key but also performs other minor tasks. To allow only
querying for the key that should be used for encryption extract this
part of the function into its own function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210422151724.2132573-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22198.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/ssl.c
src/openvpn/ssl.h

index 97a460e1bb5ea8cdab280713941b9ac2163ab1c2..39c6cdc1851d318991a26e3ce99c0becb9d4b310 100644 (file)
@@ -3798,27 +3798,15 @@ error:
     return false;
 }
 
-/* Choose the key with which to encrypt a data packet */
-void
-tls_pre_encrypt(struct tls_multi *multi,
-                struct buffer *buf, struct crypto_options **opt)
+struct key_state *tls_select_encryption_key(struct tls_multi *multi)
 {
-    multi->save_ks = NULL;
-    if (buf->len <= 0)
-    {
-        buf->len = 0;
-        *opt = NULL;
-        return;
-    }
-
     struct key_state *ks_select = NULL;
     for (int i = 0; i < KEY_SCAN_SIZE; ++i)
     {
         struct key_state *ks = get_key_scan(multi, i);
         if (ks->state >= S_ACTIVE
-            && (ks->authenticated == KS_AUTH_TRUE)
-            && ks->crypto_options.key_ctx_bi.initialized
-            )
+            && ks->authenticated == KS_AUTH_TRUE
+            && ks->crypto_options.key_ctx_bi.initialized)
         {
             if (!ks_select)
             {
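Review bot: The new definition at the top of the hunk puts the return type and the function name on one line, which differs from the surrounding file style visible two lines later in the old code (`void` on its own line, then `tls_pre_encrypt(...)`); `struct key_state *` on its own line followed by `tls_select_encryption_key(struct tls_multi *multi)` would match. The definition also carries no comment in ssl.c, while the comment that used to sit above this loop moves with tls_pre_encrypt; a one-line comment such as `/* Return the active, authenticated key state with an initialized key context, or NULL */` above the definition would keep the selection criteria readable where they are implemented. The body of tls_select_encryption_key continues into the next hunk.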
@@ -3831,6 +3819,24 @@ tls_pre_encrypt(struct tls_multi *multi,
             }
         }
     }
+    return ks_select;
+}
+
+
+/* Choose the key with which to encrypt a data packet */
+void
+tls_pre_encrypt(struct tls_multi *multi,
+                struct buffer *buf, struct crypto_options **opt)
+{
+    multi->save_ks = NULL;
+    if (buf->len <= 0)
+    {
+        buf->len = 0;
+        *opt = NULL;
+        return;
+    }
+
+    struct key_state *ks_select = tls_select_encryption_key(multi);
 
     if (ks_select)
     {
index 45ebe720b4bb966bd64d885fcf8c6aaf3788f677..ffd2679e89aa4c7b6e78bf618b84dfe22b7e898b 100644 (file)
@@ -372,6 +372,16 @@ bool tls_pre_decrypt_lite(const struct tls_auth_standalone *tas,
 void tls_pre_encrypt(struct tls_multi *multi,
                      struct buffer *buf, struct crypto_options **opt);
 
+/**
+ * Selects the primary encryption that should be used to encrypt data of an
+ * outgoing packet.
+ * @ingroup data_crypto
+ *
+ * If no key is found NULL is returned instead.
+ *
+ * @param multi - The TLS state for this packet's destination VPN tunnel.
+ */
+struct key_state *tls_select_encryption_key(struct tls_multi *multi);
 
 /**
  * Prepend a one-byte OpenVPN data channel P_DATA_V1 opcode to the packet.
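Review bot: The Doxygen block for the new declaration is missing a word in its first sentence and documents the return value only in prose: "Selects the primary encryption that should be used" reads as "the primary encryption key that should be used", and the "If no key is found NULL is returned instead." line would be better expressed as `@return The selected key state, or NULL if no usable key is available.` so it renders next to `@param`. Since the pointer presumably refers to key-state storage reachable through `multi` (it comes from get_key_scan in the ssl.c hunk), the comment should also say that the caller does not own it and must not free it; this is inferred from the call, so confirm against the key_state lifetime before stating it. The `@ingroup data_crypto` tag is placed between the summary and the details rather than at the start or end of the block, unlike what Doxygen conventionally expects; moving it is cosmetic.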