crypto: create function to initialize encrypt and decrypt key

Instead of always initialize the encrypt and decrypt keys separately,
implement an helper function init_key_ctx_bi() that takes care of
both of them for us.

Reduces code duplication and improves readability.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20170707044704.7239-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html
Signed-off-by: David Sommerseth <davids@openvpn.net>

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index cc3c7b63875dbe84bb1c84d7ac28440111b0ffa3..131257e5272833483a6f86652846cafa1568e048 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -872,6 +872,26 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key,
     gc_free(&gc);
 }
 
+void
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+                int key_direction, const struct key_type *kt, const char *name)
+{
+    char log_prefix[128] = { 0 };
+    struct key_direction_state kds;
+
+    key_direction_state_init(&kds, key_direction);
+
+    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
+    init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt,
+                 OPENVPN_OP_ENCRYPT, log_prefix);
+
+    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
+    init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt,
+                 OPENVPN_OP_DECRYPT, log_prefix);
+
+    ctx->initialized = true;
+}
+
 void
 free_key_ctx(struct key_ctx *ctx)
 {
@@ -1161,7 +1181,6 @@ crypto_read_openvpn_key(const struct key_type *key_type,
 {
     struct key2 key2;
     struct key_direction_state kds;
-    char log_prefix[128] = { 0 };
 
     if (key_inline)
     {
@@ -1186,13 +1205,7 @@ crypto_read_openvpn_key(const struct key_type *key_type,
     must_have_n_keys(key_file, opt_name, &key2, kds.need_keys);
 
     /* initialize key in both directions */
-    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", key_name);
-    init_key_ctx(&ctx->encrypt, &key2.keys[kds.out_key], key_type,
-                 OPENVPN_OP_ENCRYPT, log_prefix);
-    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", key_name);
-    init_key_ctx(&ctx->decrypt, &key2.keys[kds.in_key], key_type,
-                 OPENVPN_OP_DECRYPT, log_prefix);
-
+    init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name);
     secure_memzero(&key2, sizeof(key2));
 }
 

diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 5dae383c55bb09be3d1747a6f5980e740a6c0a34..6d60ef8c266995aec199e9c837c3770b08c3e6bd 100644 (file)
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -318,6 +318,10 @@ void init_key_ctx(struct key_ctx *ctx, const struct key *key,
 
 void free_key_ctx(struct key_ctx *ctx);
 
+void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+                     int key_direction, const struct key_type *kt,
+                    const char *name);
+
 void free_key_ctx_bi(struct key_ctx_bi *ctx);
 
 

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2a4768001112d5455e49abdd321159ffa9acf8ad..48051481edf1103dcc771059ec1e3978446a53dd 100644 (file)
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1840,20 +1840,8 @@ generate_key_expansion(struct key_ctx_bi *key,
     }
 
     /* Initialize OpenSSL key contexts */
-
-    ASSERT(server == true || server == false);
-
-    init_key_ctx(&key->encrypt,
-                 &key2.keys[(int)server],
-                 key_type,
-                 OPENVPN_OP_ENCRYPT,
-                 "Data Channel Encrypt");
-
-    init_key_ctx(&key->decrypt,
-                 &key2.keys[1-(int)server],
-                 key_type,
-                 OPENVPN_OP_DECRYPT,
-                 "Data Channel Decrypt");
+    int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
+    init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
 
     /* Initialize implicit IVs */
     key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
@@ -1861,7 +1849,6 @@ generate_key_expansion(struct key_ctx_bi *key,
     key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
                                MAX_HMAC_KEY_LENGTH);
 
-    key->initialized = true;
     ret = true;
 
 exit: