void
crypto_adjust_frame_parameters(struct frame *frame,
const struct key_type* kt,
- bool cipher_defined,
bool use_iv,
bool packet_id,
bool packet_id_long_form)
if (packet_id)
crypto_overhead += packet_id_size (packet_id_long_form);
- if (cipher_defined)
+ if (kt->cipher)
{
if (use_iv)
crypto_overhead += cipher_kt_iv_size (kt->cipher);
*/
void
init_key_type (struct key_type *kt, const char *ciphername,
- bool ciphername_defined, const char *authname,
- bool authname_defined, int keysize,
- bool tls_mode, bool warn)
+ const char *authname, int keysize, bool tls_mode, bool warn)
{
bool aead_cipher = false;
CLEAR (*kt);
- if (ciphername && ciphername_defined)
+ if (ciphername)
{
kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername));
kt->cipher_length = cipher_kt_key_size (kt->cipher);
if (warn)
msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
}
- if (authname && authname_defined)
+ if (authname)
{
if (!aead_cipher) { /* Ignore auth for AEAD ciphers */
kt->digest = md_kt_get (authname);
int read_key (struct key *key, const struct key_type *kt, struct buffer *buf);
+/**
+ * Initialize a key_type structure with.
+ *
+ * @param kt The struct key_type to initialize
+ * @param ciphername The name of the cipher to use
+ * @param authname The name of the HMAC digest to use
+ * @param keysize The length of the cipher key to use, in bytes. Only valid
+ * for ciphers that support variable length keys.
+ * @param tls_mode Specifies wether we are running in TLS mode, which allows
+ * more ciphers than static key mode.
+ * @param warn Print warnings when null cipher / auth is used.
+ */
void init_key_type (struct key_type *kt, const char *ciphername,
- bool ciphername_defined, const char *authname, bool authname_defined,
- int keysize, bool tls_mode, bool warn);
+ const char *authname, int keysize, bool tls_mode, bool warn);
/*
* Key context functions
/** Calculate crypto overhead and adjust frame to account for that */
void crypto_adjust_frame_parameters(struct frame *frame,
const struct key_type* kt,
- bool cipher_defined,
bool use_iv,
bool packet_id,
bool packet_id_long_form);
struct key_direction_state kds;
/* Get cipher & hash algorithms */
- init_key_type (&c->c1.ks.key_type, options->ciphername,
- options->ciphername_defined, options->authname,
- options->authname_defined, options->keysize,
- options->test_crypto, true);
+ init_key_type (&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->keysize, options->test_crypto, true);
/* Read cipher and hmac keys from shared secret file */
{
/* Compute MTU parameters */
crypto_adjust_frame_parameters (&c->c2.frame,
&c->c1.ks.key_type,
- options->ciphername_defined,
options->use_iv, options->replay, true);
/* Sanity check on IV, sequence number, and cipher mode options */
}
/* Get cipher & hash algorithms */
- init_key_type (&c->c1.ks.key_type, options->ciphername,
- options->ciphername_defined, options->authname,
- options->authname_defined, options->keysize, true, true);
+ init_key_type (&c->c1.ks.key_type, options->ciphername, options->authname,
+ options->keysize, true, true);
/* Initialize PRNG with config-specified digest */
prng_init (options->prng_hash, options->prng_nonce_secret_len);
/* Initialize key_type for tls-auth with auth only */
CLEAR (c->c1.ks.tls_auth_key_type);
- if (options->authname && options->authname_defined)
+ if (options->authname)
{
c->c1.ks.tls_auth_key_type.digest = md_kt_get (options->authname);
c->c1.ks.tls_auth_key_type.hmac_length =
else
{
crypto_adjust_frame_parameters(&c->c2.frame, &c->c1.ks.key_type,
- options->ciphername_defined, options->use_iv, options->replay,
- packet_id_long_form);
+ options->use_iv, options->replay, packet_id_long_form);
}
tls_adjust_frame_parameters (&c->c2.frame);
to.tls_auth.flags |= CO_PACKET_ID_LONG_FORM;
crypto_adjust_frame_parameters (&to.frame,
&c->c1.ks.tls_auth_key_type,
- false, false, true, true);
+ false, true, true);
}
/* If we are running over TCP, allow for
#endif
#ifdef ENABLE_CRYPTO
o->ciphername = "BF-CBC";
- o->ciphername_defined = true;
#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */
o->ncp_enabled = true;
#else
#endif
o->ncp_ciphers = "AES-256-GCM:AES-128-GCM";
o->authname = "SHA1";
- o->authname_defined = true;
o->prng_hash = "SHA1";
o->prng_nonce_secret_len = 16;
o->replay = true;
#ifdef ENABLE_CRYPTO
SHOW_STR (shared_secret_file);
SHOW_INT (key_direction);
- SHOW_BOOL (ciphername_defined);
SHOW_STR (ciphername);
- SHOW_BOOL (authname_defined);
SHOW_STR (authname);
SHOW_STR (prng_hash);
SHOW_INT (prng_nonce_secret_len);
{
struct frame fake_frame = *frame;
struct key_type fake_kt;
- init_key_type (&fake_kt, o->ciphername, o->ciphername_defined,
- o->authname, o->authname_defined, o->keysize, true, false);
+ init_key_type (&fake_kt, o->ciphername, o->authname, o->keysize, true,
+ false);
frame_add_to_extra_frame (&fake_frame, -(crypto_max_overhead()));
- crypto_adjust_frame_parameters (&fake_frame, &fake_kt,
- o->ciphername_defined, o->use_iv, o->replay,
- cipher_kt_mode_ofb_cfb (fake_kt.cipher));
+ crypto_adjust_frame_parameters (&fake_frame, &fake_kt, o->use_iv,
+ o->replay, cipher_kt_mode_ofb_cfb (fake_kt.cipher));
frame_finalize(&fake_frame, o->ce.link_mtu_defined, o->ce.link_mtu,
o->ce.tun_mtu_defined, o->ce.tun_mtu);
msg (D_MTU_DEBUG, "%s: link-mtu %zu -> %d", __func__, link_mtu,
+ (TLS_SERVER == true)
<= 1);
- init_key_type (&kt, o->ciphername, o->ciphername_defined,
- o->authname, o->authname_defined,
- o->keysize, true, false);
+ init_key_type (&kt, o->ciphername, o->authname, o->keysize, true,
+ false);
buf_printf (&out, ",cipher %s",
translate_cipher_name_to_openvpn(cipher_kt_name (kt.cipher)));
else if (streq (p[0], "auth") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
- options->authname_defined = true;
options->authname = p[1];
if (streq (options->authname, "none"))
{
- options->authname_defined = false;
options->authname = NULL;
}
}
- else if (streq (p[0], "auth") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->authname_defined = true;
- }
else if (streq (p[0], "cipher") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_NCP);
- options->ciphername_defined = true;
options->ciphername = p[1];
if (streq (options->ciphername, "none"))
{
- options->ciphername_defined = false;
options->ciphername = NULL;
}
}
- else if (streq (p[0], "cipher") && !p[1])
- {
- VERIFY_PERMISSION (OPT_P_GENERAL);
- options->ciphername_defined = true;
- }
else if (streq (p[0], "ncp-ciphers") && p[1] && !p[2])
{
VERIFY_PERMISSION (OPT_P_GENERAL|OPT_P_INSTANCE);
const char *shared_secret_file;
const char *shared_secret_file_inline;
int key_direction;
- bool ciphername_defined;
const char *ciphername;
bool ncp_enabled;
const char *ncp_ciphers;
- bool authname_defined;
const char *authname;
int keysize;
const char *prng_hash;
}
init_key_type (&session->opt->key_type, options->ciphername,
- options->ciphername_defined, options->authname, options->authname_defined,
- options->keysize, true, true);
+ options->authname, options->keysize, true, true);
bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher);
session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM);
/* Update frame parameters: undo worst-case overhead, add actual overhead */
frame_add_to_extra_frame (frame, -(crypto_max_overhead()));
crypto_adjust_frame_parameters (frame, &session->opt->key_type,
- options->ciphername_defined, options->use_iv, options->replay,
- packet_id_long_form);
+ options->use_iv, options->replay, packet_id_long_form);
frame_finalize(frame, options->ce.link_mtu_defined, options->ce.link_mtu,
options->ce.tun_mtu_defined, options->ce.tun_mtu);
frame_print (frame, D_MTU_INFO, "Data Channel MTU parms");
projects / thirdparty / openvpn.git / commitdiff
