}
/**
- * Update the implicit IV for a key_ctx_bi based on TLS session ids and cipher
+ * Update the implicit IV for a key_ctx based on TLS session ids and cipher
* used.
*
- * Note that the implicit IV is based on the HMAC key, but only in AEAD modes
- * where the HMAC key is not used for an actual HMAC.
+ * Note that the implicit IV is based on the HMAC key of the \c key parameter,
+ * but only in AEAD modes where the HMAC key is not used for an actual HMAC.
*
* @param ctx Encrypt/decrypt key context
- * @param key key, hmac part used to calculate implicit IV
+ * @param key key parameters holding the key and hmac/
+ * implicit iv used to calculate implicit IV
*/
static void
-key_ctx_update_implicit_iv(struct key_ctx *ctx, const struct key *key)
+key_ctx_update_implicit_iv(struct key_ctx *ctx, const struct key_parameters *key)
{
/* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
if (cipher_ctx_mode_aead(ctx->cipher))
impl_iv_len = cipher_ctx_iv_length(ctx->cipher) - sizeof(packet_id_type);
ASSERT(impl_iv_len + sizeof(packet_id_type) <= OPENVPN_MAX_IV_LENGTH);
ASSERT(impl_iv_len <= MAX_HMAC_KEY_LENGTH);
+ ASSERT(impl_iv_len <= key->hmac_size);
CLEAR(ctx->implicit_iv);
/* The first bytes of the IV are filled with the packet id */
memcpy(ctx->implicit_iv + sizeof(packet_id_type), key->hmac, impl_iv_len);
/* given a key and key_type, build a key_ctx */
void
-init_key_ctx(struct key_ctx *ctx, const struct key *key,
+init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key,
const struct key_type *kt, int enc,
const char *prefix)
{
CLEAR(*ctx);
if (cipher_defined(kt->cipher))
{
-
+ ASSERT(key->cipher_size >= cipher_kt_key_size(kt->cipher));
ctx->cipher = cipher_ctx_new();
cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher, enc);
cipher_kt_iv_size(kt->cipher));
warn_insecure_key_type(ciphername);
}
+
if (md_defined(kt->digest))
{
+ ASSERT(key->hmac_size >= md_kt_size(kt->digest));
ctx->hmac = hmac_ctx_new();
hmac_ctx_init(ctx->hmac, key->hmac, kt->digest);
}
void
-init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt, const char *name)
+init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key_params,
+ const struct key_type *kt, const char *name)
{
char log_prefix[128] = { 0 };
- struct key_direction_state kds;
-
- key_direction_state_init(&kds, key_direction);
snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
- init_key_ctx(ctx, &key2->keys[kds.out_key], kt,
- OPENVPN_OP_ENCRYPT, log_prefix);
- key_ctx_update_implicit_iv(ctx, &key2->keys[kds.out_key]);
+ init_key_ctx(ctx, key_params, kt, OPENVPN_OP_ENCRYPT, log_prefix);
+ key_ctx_update_implicit_iv(ctx, key_params);
}
void
-init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt, const char *name)
+init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key_params,
+ const struct key_type *kt, const char *name)
{
char log_prefix[128] = { 0 };
- struct key_direction_state kds;
-
- key_direction_state_init(&kds, key_direction);
snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
- init_key_ctx(ctx, &key2->keys[kds.in_key], kt,
- OPENVPN_OP_DECRYPT, log_prefix);
- key_ctx_update_implicit_iv(ctx, &key2->keys[kds.in_key]);
+ init_key_ctx(ctx, key_params, kt, OPENVPN_OP_DECRYPT, log_prefix);
+ key_ctx_update_implicit_iv(ctx, key_params);
}
void
init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
int key_direction, const struct key_type *kt, const char *name)
{
- init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, kt, name);
- init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, kt, name);
+ struct key_direction_state kds;
+
+ key_direction_state_init(&kds, key_direction);
+
+ struct key_parameters send_key;
+ struct key_parameters recv_key;
+
+ key_parameters_from_key(&send_key, &key2->keys[kds.out_key]);
+ key_parameters_from_key(&recv_key, &key2->keys[kds.in_key]);
+
+ init_key_bi_ctx_send(&ctx->encrypt, &send_key, kt, name);
+ init_key_bi_ctx_recv(&ctx->decrypt, &recv_key, kt, name);
ctx->initialized = true;
}
key_print(&k->keys[1], kt, prefix1);
}
+void
+key_parameters_from_key(struct key_parameters *key_params, const struct key *key)
+{
+ CLEAR(*key_params);
+ memcpy(key_params->cipher, key->cipher, MAX_CIPHER_KEY_LENGTH);
+ key_params->cipher_size = MAX_CIPHER_KEY_LENGTH;
+ memcpy(key_params->hmac, key->hmac, MAX_HMAC_KEY_LENGTH);
+ key_params->hmac_size = MAX_HMAC_KEY_LENGTH;
+}
+
void
test_crypto(struct crypto_options *co, struct frame *frame)
{
/**
* Container for unidirectional cipher and HMAC %key material.
- * @ingroup control_processor
+ * @ingroup control_processor. This is used as a wire format/file format
+ * key, so it cannot be changed to add fields or change the length of fields
*/
struct key
{
/**< %Key material for HMAC operations. */
};
+/** internal structure similar to struct key that holds key information
+ * but is not represented on wire and can be changed/extended
+ */
+struct key_parameters {
+ /** %Key material for cipher operations. */
+ uint8_t cipher[MAX_CIPHER_KEY_LENGTH];
+
+ /** Number of bytes set in the cipher key material */
+ int cipher_size;
+
+ /** %Key material for HMAC operations. */
+ uint8_t hmac[MAX_HMAC_KEY_LENGTH];
+
+ /** Number of bytes set in the HMac key material */
+ int hmac_size;
+};
+
+/**
+ * Converts a struct key representation into a struct key_parameters
+ * representation.
+ *
+ * @param key_params destination for the converted struct
+ * @param key source of the conversion
+ */
+void
+key_parameters_from_key(struct key_parameters *key_params, const struct key *key);
/**
* Container for one set of cipher and/or HMAC contexts.
* Key context functions
*/
-void init_key_ctx(struct key_ctx *ctx, const struct key *key,
+void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key,
const struct key_type *kt, int enc,
const char *prefix);
void
-init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt,
- const char *name);
+init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key,
+ const struct key_type *kt, const char *name);
void
-init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2,
- int key_direction, const struct key_type *kt,
- const char *name);
+init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key,
+ const struct key_type *kt, const char *name);
void free_key_ctx(struct key_ctx *ctx);
struct test_context *ctx = calloc(1, sizeof(*ctx));
*state = ctx;
- struct key key = { 0 };
+ struct key_parameters key = { 0 };
+ key.hmac_size = MAX_HMAC_KEY_LENGTH; /* 64 byte of 0 */
ctx->kt = auth_token_kt();
if (!ctx->kt.digest)
AUTH_TOKEN_HMAC_OK);
/* Change auth-token key */
- struct key key;
- memset(&key, '1', sizeof(key));
+ struct key_parameters key;
+ memset(key.hmac, '1', sizeof(key.hmac));
+ key.hmac_size = MAX_HMAC_KEY_LENGTH;
+
free_key_ctx(&ctx->multi.opt.auth_token_key);
init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0);
/* Load original test key again */
- memset(&key, 0, sizeof(key));
+ memset(&key.hmac, 0, sizeof(key.hmac));
free_key_ctx(&ctx->multi.opt.auth_token_key);
init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST");
assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session),
projects / thirdparty / openvpn.git / commitdiff
