crypto: create function to initialize encrypt and decrypt key

Instead of always initialize the encrypt and decrypt keys separately,
implement an helper function init_key_ctx_bi() that takes care of
both of them for us.

Reduces code duplication and improves readability.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Antonio Quartulli <a@unstable.cc>
Message-Id: <20170707044704.7239-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15011.html
Signed-off-by: David Sommerseth <davids@openvpn.net>
(cherry picked from commit 974513ea64020c956b531b1cabd76fdbac6655d8)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index fbc73442d532603cf9a6905348a1fe1f4d292b2d..33d6fe1ad1c10a05173114a695c5e14bb579ceb4 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -894,6 +894,26 @@ init_key_ctx(struct key_ctx *ctx, struct key *key,
     gc_free(&gc);
 }
 
+void
+init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+                int key_direction, const struct key_type *kt, const char *name)
+{
+    char log_prefix[128] = { 0 };
+    struct key_direction_state kds;
+
+    key_direction_state_init(&kds, key_direction);
+
+    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name);
+    init_key_ctx(&ctx->encrypt, &key2->keys[kds.out_key], kt,
+                 OPENVPN_OP_ENCRYPT, log_prefix);
+
+    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name);
+    init_key_ctx(&ctx->decrypt, &key2->keys[kds.in_key], kt,
+                 OPENVPN_OP_DECRYPT, log_prefix);
+
+    ctx->initialized = true;
+}
+
 void
 free_key_ctx(struct key_ctx *ctx)
 {
@@ -1184,7 +1204,6 @@ crypto_read_openvpn_key(const struct key_type *key_type,
 {
     struct key2 key2;
     struct key_direction_state kds;
-    char log_prefix[128] = { 0 };
 
     if (key_inline)
     {
@@ -1209,13 +1228,7 @@ crypto_read_openvpn_key(const struct key_type *key_type,
     must_have_n_keys(key_file, opt_name, &key2, kds.need_keys);
 
     /* initialize key in both directions */
-    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", key_name);
-    init_key_ctx(&ctx->encrypt, &key2.keys[kds.out_key], key_type,
-                 OPENVPN_OP_ENCRYPT, log_prefix);
-    openvpn_snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", key_name);
-    init_key_ctx(&ctx->decrypt, &key2.keys[kds.in_key], key_type,
-                 OPENVPN_OP_DECRYPT, log_prefix);
-
+    init_key_ctx_bi(ctx, &key2, key_direction, key_type, key_name);
     secure_memzero(&key2, sizeof(key2));
 }
 

diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 501d96783bb19c1d8ffe9a6bae061336a3526f6c..0cdd30fcd4b5e8bf32adab0da42c8404378e2673 100644 (file)
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -323,6 +323,10 @@ void init_key_ctx(struct key_ctx *ctx, struct key *key,
 
 void free_key_ctx(struct key_ctx *ctx);
 
+void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2,
+                     int key_direction, const struct key_type *kt,
+                    const char *name);
+
 void free_key_ctx_bi(struct key_ctx_bi *ctx);
 
 

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 1aad09d7890ba12aefb683798e8a7172fdab4f57..bbc117c6d217a491a715903648fc422e9476eea5 100644 (file)
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1840,20 +1840,8 @@ generate_key_expansion(struct key_ctx_bi *key,
     }
 
     /* Initialize OpenSSL key contexts */
-
-    ASSERT(server == true || server == false);
-
-    init_key_ctx(&key->encrypt,
-                 &key2.keys[(int)server],
-                 key_type,
-                 OPENVPN_OP_ENCRYPT,
-                 "Data Channel Encrypt");
-
-    init_key_ctx(&key->decrypt,
-                 &key2.keys[1-(int)server],
-                 key_type,
-                 OPENVPN_OP_DECRYPT,
-                 "Data Channel Decrypt");
+    int key_direction = server ? KEY_DIRECTION_INVERSE : KEY_DIRECTION_NORMAL;
+    init_key_ctx_bi(key, &key2, key_direction, key_type, "Data Channel");
 
     /* Initialize implicit IVs */
     key_ctx_update_implicit_iv(&key->encrypt, key2.keys[(int)server].hmac,
@@ -1861,7 +1849,6 @@ generate_key_expansion(struct key_ctx_bi *key,
     key_ctx_update_implicit_iv(&key->decrypt, key2.keys[1-(int)server].hmac,
                                MAX_HMAC_KEY_LENGTH);
 
-    key->initialized = true;
     ret = true;
 
 exit: