From patchwork Mon Nov 11 01:59:53 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "flichtenheld (Code Review)" X-Patchwork-Id: 3932 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:41ba:b0:5d9:9f4c:3bc7 with SMTP id a26csp2278126mad; Sun, 10 Nov 2024 18:00:19 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUFY+/QN88QE/KE1qTWDam7ojeel1hBEvkY+rAO6HlSRFOQAwkNryMXSOLrp3Z+Kn5PvUab5h3Ayks=@openvpn.net X-Google-Smtp-Source: AGHT+IE76SpTml10tYPLSSoX0rmJNszRSq1u1iVYwYZLbnHgSITJw4KULJ0Qf6Ymi64TppmGsH0e X-Received: by 2002:a05:6870:828f:b0:254:7f9f:3f21 with SMTP id 586e51a60fabf-2956032d907mr8868910fac.27.1731290418764; Sun, 10 Nov 2024 18:00:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731290418; cv=none; d=google.com; s=arc-20240605; b=VgNqLuhzEYi90i6AExO/He5mWcO2o4FIGLdrRJaxzU5qdsaYc/1UPAzj8BU3QxVbku hpr21Cww5KFevYjeEoCqv8I5w797G1bDtODVzFgdw1Pd+mzLemZ0wny7poi4jsqXMThr MpZqKAGB2+NohiMQepWICq0AxFazBMqfcvWEd/dJ9nXvDcUxwbxPt/RqdQvWAMFriCZB mMOGqJzk4WRHGjkpYAx3fbtNrKhkEQWRJnlmpX1YlhbK3o/vPs/VIlPSA6LUuBk4Y8uX WI1Kn0E9xXRTWGSLmd8FoMIHom/g/x2s/Cmcg/2EfA3bI+clFSmq7L4AqQaocx8YFPhK WkGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=9HpCJ8vTeSFZaGny8fPWAe2SXzLdgRgaApQ4DR6nMLg=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=APnge6u3VdsjsBYfQgeaY0uT626PG9r6/HEFO0W0q8g+pBpYM1z+kPKEdfizNnUT7w jvb82j9wtB7kBroOPzZDgsD61gKcPkmThk/9Fbuc9lghogs79f/difKphiCr4CP3GS8v n55ejUoTA8qs3FCPKKT2VODLGHn63ucAQS9vyjIrAALFPAdSc0pfjDcNoFi7EEKssgO2 uyq5OJl0oMo2ykEkmEyWnMZFCNVoWZNW1kx8bkYS+quMgJkRilLzEnGMzEXJgFZ5Pa/h 30LgQnfjtYpTAOhNXkuBTbXVU8pCnk8rxiIl6T3b0k+PKFMJOXo/KR5eAAbhIJ7DUW1E 3KZw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=lDYFQNmd; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=dufoCzgv; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=JOa358N8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-29546c545a7si486280fac.59.2024.11.10.18.00.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 10 Nov 2024 18:00:18 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=lDYFQNmd; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=dufoCzgv; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=JOa358N8; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tAJit-0003ZH-7z; Mon, 11 Nov 2024 02:00:10 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tAJin-0003Z1-HK for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 02:00:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=L0TVNNwp+er+iqWiz6gHYUv94gch5hT1GggCZ53zueY=; b=lDYFQNmdDiyRQy5wyxPO4Cx6VX 8TKPORU8zDsbdkr4gs5o3yLLHDgUqNFQgPu2P5jWzpHnNaLfF2uDgc5zZ4aGFAoSrzoQ3vJwuCqJ2 bqp5i0dHAisVCqiQZe7HlkSXMlqaJxD9XGLj7SzAJA9hg/7rI3nhh7Xc+9dPZ3HjNLVw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=L0TVNNwp+er+iqWiz6gHYUv94gch5hT1GggCZ53zueY=; b=d ufoCzgvkZUxqB0CQg/6mha8+YPoox2LRJ03bd7/Ed9ya++gk8Ln0zqMQO3I6o8MrtWIChJLbz8VCs STaR3JppfzkPP+2Iv/C4n+NV9XA6A3hmOS3mZvP/qHlR9GRj/Eq1CfZOmcAvpIzOUsTc3hoMPGduy HZNYKb6oiTUDeCQ8=; Received: from mail-wr1-f46.google.com ([209.85.221.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1tAJik-0001Z5-Sx for openvpn-devel@lists.sourceforge.net; Mon, 11 Nov 2024 02:00:04 +0000 Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-382026ba43eso72585f8f.1 for ; Sun, 10 Nov 2024 18:00:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1731290396; x=1731895196; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=L0TVNNwp+er+iqWiz6gHYUv94gch5hT1GggCZ53zueY=; b=JOa358N8S5lz0BQKSpA6344czlqeJh5DuQ6JEJEEVlyAkjUMwiezDJbVoQ13eit9uL wJL5A3bgG/iiEysZWqg0cXSr/eH80PyoJr7B5gHu9JdWF/2ublCO6ZkRCbe7ZzU7Zmsi ezSWnexdg3Be69XoLak4A7xa+rLrh95hE29iOM2RUDCDUl587JmcMmZu7EBXa1FHzznN VIHpL0Fyyg8n4+P/7+J8PmElFzj7K4mz6rETG4zgqDkhgjbkgrRqoHWGmszHdWMf+oux dXOoqlb6jQUCmAv4lYMAPYpLiiYv8gLuqCmcY9mRzWpD/utVFWCC/3qunGlN0b+TnrNI SAhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731290396; x=1731895196; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=L0TVNNwp+er+iqWiz6gHYUv94gch5hT1GggCZ53zueY=; b=fFTr5J5FAcsmmcCJ4Hi82Vrz1tfJC0RT5n9DBjLA2quTeSdW2VRqCID66XCjg/anCq qfKLnnh9v0ch9NZFoY3MIEAnqIYjkOx+tYcHFCcRIHqqsVLcGGEfiYSnPfZscHC2WEIA rBJQirFpri47YDDA836oHjC/CerwjY+keDnlVBvQq3oVPmYUQ6UoZOpd6HzPuL6RTkuv Hpr3iHxQhmxnZfJePjPfJfBZj81lE3fbMXBYFRkjvO+QtPMNS4ymLz8Ht/IL0UGr5A61 kskP7uWtKiwf9Z5F2sAPciSvyJw0ca7oa7vK9AVy8ROdQddDXa6oixq9vkJiCAxs7oXZ Tjcw== X-Gm-Message-State: AOJu0YwGv2e6oCXrvoIQRmDd9fQP/sEU/8g6ETWZh9TuFDyh3Nd2ZZC+ ICLHoCxbk5vkbJvbYpGl2FTFdCDTjc33bU/e+DUhN3bZVjzSNXDWPFanMOm7JK2C3jWeW0M3L2M 3 X-Received: by 2002:a05:6000:18af:b0:37c:d11e:949 with SMTP id ffacd0b85a97d-381f1834506mr9419797f8f.28.1731290395865; Sun, 10 Nov 2024 17:59:55 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-381ed9f8f0asm11905582f8f.79.2024.11.10.17.59.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 10 Nov 2024 17:59:54 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Mon, 11 Nov 2024 01:59:53 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I4a981c5a70717e2276d89bf83a06c7fdbe6712d7 X-Gerrit-Change-Number: 801 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: 14c09b40a8c359b53ed9b0788a1334ef4f65dd9a References: Message-ID: <8225d8826baedeb4f58e8c6fa268d12bcfcce7d2-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.221.46 listed in list.dnswl.org] -0.7 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.221.46 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1tAJik-0001Z5-Sx Subject: [Openvpn-devel] [M] Change in openvpn[master]: Change API of init_key_ctx to use struct key_paramters X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1815389582592307956?= X-GMAIL-MSGID: =?utf-8?q?1815389582592307956?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/801?usp=email to review the following change. Change subject: Change API of init_key_ctx to use struct key_paramters ...................................................................... Change API of init_key_ctx to use struct key_paramters This introduces a new structure key_paramters. The reason is that the current struct serves both as an internal struct as well as an on-wire/in-file format. Separate these two different usages to allow extending the struct. Change-Id: I4a981c5a70717e2276d89bf83a06c7fdbe6712d7 Signed-off-by: Arne Schwabe --- M src/openvpn/auth_token.c M src/openvpn/crypto.c M src/openvpn/crypto.h M src/openvpn/tls_crypt.c M tests/unit_tests/openvpn/test_auth_token.c M tests/unit_tests/openvpn/test_tls_crypt.c 6 files changed, 85 insertions(+), 37 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/01/801/1 diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index 192c7c2..3cf55e8 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -152,7 +152,10 @@ { msg(M_FATAL, "ERROR: not enough data in auth-token secret"); } - init_key_ctx(key_ctx, &key, &kt, false, "auth-token secret"); + + struct key_parameters key_params; + key_parameters_from_key(&key_params, &key); + init_key_ctx(key_ctx, &key_params, &kt, false, "auth-token secret"); free_buf(&server_secret_key); } diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 44c226c..f4453d8 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -903,7 +903,7 @@ * @param key key, hmac part used to calculate implicit IV */ static void -key_ctx_update_implicit_iv(struct key_ctx *ctx, const struct key *key) +key_ctx_update_implicit_iv(struct key_ctx *ctx, const struct key_parameters *key) { /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */ if (cipher_ctx_mode_aead(ctx->cipher)) @@ -913,6 +913,7 @@ impl_iv_len = cipher_ctx_iv_length(ctx->cipher) - sizeof(packet_id_type); ASSERT(impl_iv_len <= OPENVPN_MAX_IV_LENGTH); ASSERT(impl_iv_len <= MAX_HMAC_KEY_LENGTH); + ASSERT(key->hmac_size >= impl_iv_len); CLEAR(ctx->implicit_iv); /* The first bytes of the IV are filled with the packet id */ memcpy(ctx->implicit_iv + sizeof(packet_id_type), key->hmac, impl_iv_len); @@ -921,7 +922,7 @@ /* given a key and key_type, build a key_ctx */ void -init_key_ctx(struct key_ctx *ctx, const struct key *key, +init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix) { @@ -929,7 +930,7 @@ CLEAR(*ctx); if (cipher_defined(kt->cipher)) { - + ASSERT(key->cipher_size >= cipher_kt_key_size(kt->cipher)); ctx->cipher = cipher_ctx_new(); cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher, enc); @@ -944,8 +945,10 @@ cipher_kt_iv_size(kt->cipher)); warn_insecure_key_type(ciphername); } + if (md_defined(kt->digest)) { + ASSERT(key->hmac_size >= md_kt_size(kt->digest)); ctx->hmac = hmac_ctx_new(); hmac_ctx_init(ctx->hmac, key->hmac, kt->digest); @@ -966,41 +969,43 @@ } void -init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, const char *name) +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key_params, + const struct key_type *kt, const char *name) { char log_prefix[128] = { 0 }; - struct key_direction_state kds; - - key_direction_state_init(&kds, key_direction); snprintf(log_prefix, sizeof(log_prefix), "Outgoing %s", name); - init_key_ctx(ctx, &key2->keys[kds.out_key], kt, - OPENVPN_OP_ENCRYPT, log_prefix); - key_ctx_update_implicit_iv(ctx, &key2->keys[kds.out_key]); + init_key_ctx(ctx, key_params, kt, OPENVPN_OP_ENCRYPT, log_prefix); + key_ctx_update_implicit_iv(ctx, key_params); } void -init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, const char *name) +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key_params, + const struct key_type *kt, const char *name) { char log_prefix[128] = { 0 }; - struct key_direction_state kds; - - key_direction_state_init(&kds, key_direction); snprintf(log_prefix, sizeof(log_prefix), "Incoming %s", name); - init_key_ctx(ctx, &key2->keys[kds.in_key], kt, - OPENVPN_OP_DECRYPT, log_prefix); - key_ctx_update_implicit_iv(ctx, &key2->keys[kds.in_key]); + init_key_ctx(ctx, key_params, kt, OPENVPN_OP_DECRYPT, log_prefix); + key_ctx_update_implicit_iv(ctx, key_params); } void init_key_ctx_bi(struct key_ctx_bi *ctx, const struct key2 *key2, int key_direction, const struct key_type *kt, const char *name) { - init_key_bi_ctx_send(&ctx->encrypt, key2, key_direction, kt, name); - init_key_bi_ctx_recv(&ctx->decrypt, key2, key_direction, kt, name); + struct key_direction_state kds; + + key_direction_state_init(&kds, key_direction); + + struct key_parameters send_key; + struct key_parameters recv_key; + + key_parameters_from_key(&send_key, &key2->keys[kds.out_key]); + key_parameters_from_key(&recv_key, &key2->keys[kds.in_key]); + + init_key_bi_ctx_send(&ctx->encrypt, &send_key, kt, name); + init_key_bi_ctx_recv(&ctx->decrypt, &recv_key, kt, name); ctx->initialized = true; } @@ -1117,6 +1122,16 @@ } void +key_parameters_from_key(struct key_parameters *key_params, const struct key *key) +{ + CLEAR(*key_params); + memcpy(key_params->cipher, key->cipher, MAX_CIPHER_KEY_LENGTH); + key_params->cipher_size = MAX_HMAC_KEY_LENGTH; + memcpy(key_params->hmac, key->hmac, MAX_CIPHER_KEY_LENGTH); + key_params->hmac_size = MAX_HMAC_KEY_LENGTH; +} + +void test_crypto(struct crypto_options *co, struct frame *frame) { int i, j; diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 3331672..ff24f87 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -144,7 +144,8 @@ /** * Container for unidirectional cipher and HMAC %key material. - * @ingroup control_processor + * @ingroup control_processor. This is used as a wire format/file format + * key, so it cannot be changed to add fields or change the length of fields */ struct key { @@ -154,6 +155,30 @@ /**< %Key material for HMAC operations. */ }; +/** internal structure similar to struct key that hold key information + * but is not represented on wire and can be changed/extended + */ +struct key_parameters { + /** %Key material for cipher operations. */ + uint8_t cipher[MAX_CIPHER_KEY_LENGTH]; + + /** Number of bytes set in the cipher key material */ + int cipher_size; + + /** %Key material for HMAC operations. */ + uint8_t hmac[MAX_HMAC_KEY_LENGTH]; + + /** Number of bytes set in the HMac key material */ + int hmac_size; +}; + +/** + * Converts a struct key representation into a struct key_params representation. + * @param key_params destination for the converted struct + * @param key source of the conversion + */ +void +key_parameters_from_key(struct key_parameters *key_params, const struct key *key); /** * Container for one set of cipher and/or HMAC contexts. @@ -340,19 +365,17 @@ * Key context functions */ -void init_key_ctx(struct key_ctx *ctx, const struct key *key, +void init_key_ctx(struct key_ctx *ctx, const struct key_parameters *key, const struct key_type *kt, int enc, const char *prefix); void -init_key_bi_ctx_send(struct key_ctx *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, - const char *name); +init_key_bi_ctx_send(struct key_ctx *ctx, const struct key_parameters *key, + const struct key_type *kt, const char *name); void -init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key2 *key2, - int key_direction, const struct key_type *kt, - const char *name); +init_key_bi_ctx_recv(struct key_ctx *ctx, const struct key_parameters *key, + const struct key_type *kt, const char *name); void free_key_ctx(struct key_ctx *ctx); diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index b8894db..76f06bc 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -377,7 +377,11 @@ { msg(M_FATAL, "ERROR: --tls-crypt-v2 not supported"); } - init_key_ctx(key_ctx, &srv_key, &kt, encrypt, "tls-crypt-v2 server key"); + struct key_parameters srv_key_params; + + key_parameters_from_key(&srv_key_params, &srv_key); + + init_key_ctx(key_ctx, &srv_key_params, &kt, encrypt, "tls-crypt-v2 server key"); secure_memzero(&srv_key, sizeof(srv_key)); } diff --git a/tests/unit_tests/openvpn/test_auth_token.c b/tests/unit_tests/openvpn/test_auth_token.c index 8a0c16a..9a21abf 100644 --- a/tests/unit_tests/openvpn/test_auth_token.c +++ b/tests/unit_tests/openvpn/test_auth_token.c @@ -87,7 +87,8 @@ struct test_context *ctx = calloc(1, sizeof(*ctx)); *state = ctx; - struct key key = { 0 }; + struct key_parameters key = { 0 }; + key.hmac_size = 64; /* 64 byte of 0 */ ctx->kt = auth_token_kt(); if (!ctx->kt.digest) @@ -148,15 +149,17 @@ AUTH_TOKEN_HMAC_OK); /* Change auth-token key */ - struct key key; - memset(&key, '1', sizeof(key)); + struct key_parameters key; + memset(key.hmac, '1', sizeof(key.hmac)); + key.hmac_size = MAX_HMAC_KEY_LENGTH; + free_key_ctx(&ctx->multi.opt.auth_token_key); init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST"); assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), 0); /* Load original test key again */ - memset(&key, 0, sizeof(key)); + memset(&key.hmac, 0, sizeof(key.hmac)); free_key_ctx(&ctx->multi.opt.auth_token_key); init_key_ctx(&ctx->multi.opt.auth_token_key, &key, &ctx->kt, false, "TEST"); assert_int_equal(verify_auth_token(&ctx->up, &ctx->multi, ctx->session), diff --git a/tests/unit_tests/openvpn/test_tls_crypt.c b/tests/unit_tests/openvpn/test_tls_crypt.c index 4f12f88..f4b30b7 100644 --- a/tests/unit_tests/openvpn/test_tls_crypt.c +++ b/tests/unit_tests/openvpn/test_tls_crypt.c @@ -157,7 +157,7 @@ struct test_tls_crypt_context *ctx = calloc(1, sizeof(*ctx)); *state = ctx; - struct key key = { 0 }; + struct key_parameters key = { .cipher = { 0 }, .hmac = { 0 }, .hmac_size = 64, .cipher_size = 64 }; ctx->kt = tls_crypt_kt(); if (!ctx->kt.cipher || !ctx->kt.digest) @@ -367,7 +367,7 @@ skip_if_tls_crypt_not_supported(ctx); /* Change decrypt key */ - struct key key = { { 1 } }; + struct key_parameters key = { .cipher = { 1 }, .hmac = { 1 }, .cipher_size = 64, .hmac_size = 64 }; free_key_ctx(&ctx->co.key_ctx_bi.decrypt); init_key_ctx(&ctx->co.key_ctx_bi.decrypt, &key, &ctx->kt, false, "TEST");