From 878991b69afa012362b50d2c8b697bb77a264ccf Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan@karger.me>
Date: Wed, 7 Dec 2016 00:00:31 +0100
Subject: [PATCH] XXX fix (and cleanup) crypto flags setting
Should fix the bug with CFB/OFB modes and NCP reported in trac #784.
---
src/openvpn/init.c | 4 ++--
src/openvpn/ssl.c | 8 +++-----
src/openvpn/ssl_common.h | 2 --
3 files changed, 5 insertions(+), 9 deletions(-)
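--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2334,9 +2334,9 @@ do_init_crypto_tls (struct context *c, const unsigned int flags)
 if (options->mute_replay_warnings)
 to.crypto_flags |= CO_MUTE_REPLAY_WARNINGS;
 
-to.crypto_flags_and = ~(CO_PACKET_ID_LONG_FORM);
+to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
 if (packet_id_long_form)
-to.crypto_flags_or = CO_PACKET_ID_LONG_FORM;
+to.crypto_flags |= CO_PACKET_ID_LONG_FORM;
 
 to.ssl_ctx = c->c1.ks.ssl_ctx;
 to.key_type = c->c1.ks.key_type;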
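Review bot: The clear-then-set pair `to.crypto_flags &= ~(CO_PACKET_ID_LONG_FORM); if (packet_id_long_form) to.crypto_flags |= CO_PACKET_ID_LONG_FORM;` is only the initial value that tls_session_update_crypto_params() in ssl.c may overwrite once the negotiated cipher is known, and nothing at this site says so; packet_id_long_form itself is computed outside the hunk. A one-line comment such as `/* Initial value from the configured cipher; NCP may re-evaluate this in tls_session_update_crypto_params() */` would explain why the same clear/set logic appears in both files. Whether the `&=` is needed depends on how `to` was initialised earlier in do_init_crypto_tls, which is outside the hunk; keeping it mirrors the ssl.c site and is harmless.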
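--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -881,9 +881,6 @@ key_state_init (struct tls_session *session, struct key_state *ks)
 }
 
 ks->crypto_options.pid_persist = NULL;
-ks->crypto_options.flags = session->opt->crypto_flags;
-ks->crypto_options.flags &= session->opt->crypto_flags_and;
-ks->crypto_options.flags |= session->opt->crypto_flags_or;
 
 #ifdef MANAGEMENT_DEF_AUTH
 ks->mda_key_id = session->opt->mda_context->mda_key_id_counter++;
@@ -1821,6 +1818,7 @@ tls_session_generate_data_channel_keys(struct tls_session *session)
 
 ASSERT (ks->authenticated);
 
+ks->crypto_options.flags = session->opt->crypto_flags;
 if (!generate_key_expansion (&ks->crypto_options.key_ctx_bi,
 &session->opt->key_type, ks->key_src, client_sid, server_sid,
 session->opt->server))
@@ -1855,9 +1853,9 @@ tls_session_update_crypto_params(struct tls_session *session,
 options->authname, options->keysize, true, true);
 
 bool packet_id_long_form = cipher_kt_mode_ofb_cfb (session->opt->key_type.cipher);
-session->opt->crypto_flags_and &= ~(CO_PACKET_ID_LONG_FORM);
+session->opt->crypto_flags &= ~(CO_PACKET_ID_LONG_FORM);
 if (packet_id_long_form)
-session->opt->crypto_flags_and = CO_PACKET_ID_LONG_FORM;
+session->opt->crypto_flags |= CO_PACKET_ID_LONG_FORM;
 
 /* Update frame parameters: undo worst-case overhead, add actual overhead */
 frame_add_to_extra_frame (frame, -(crypto_max_overhead()));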
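Review bot: The added line `ks->crypto_options.flags = session->opt->crypto_flags;` in tls_session_generate_data_channel_keys carries no explanation of why the copy was moved out of key_state_init, and that reason is the whole fix: tls_session_update_crypto_params (the following hunk) rewrites CO_PACKET_ID_LONG_FORM in session->opt->crypto_flags after the key state has been created, so copying at init captured the pre-NCP value (and the old `crypto_flags_and = CO_PACKET_ID_LONG_FORM` masked away every other flag). I would add above it `/* Copy the flags only now: NCP (tls_session_update_crypto_params) may change them after key_state_init() ran. */`. Between key_state_init and this point ks->crypto_options.flags is now whatever key_state_init leaves it as — presumably zero if the key state is cleared there, but that code is outside the hunk — so any path that consults the flags before data-channel keys exist would see that value rather than the configured options; worth confirming no such reader exists. All three functions' bodies continue outside the hunks.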
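--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -279,8 +279,6 @@ struct tls_options
 
 /* struct crypto_option flags */
 unsigned int crypto_flags;
-unsigned int crypto_flags_and;
-unsigned int crypto_flags_or;
 
 int replay_window; /* --replay-window parm */
 int replay_time; /* --replay-window parm */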