summaryrefslogtreecommitdiff
path: root/main/openvpn/src/openvpn/crypto.c
diff options
context:
space:
mode:
Diffstat (limited to 'main/openvpn/src/openvpn/crypto.c')
-rw-r--r--main/openvpn/src/openvpn/crypto.c66
1 files changed, 18 insertions, 48 deletions
diff --git a/main/openvpn/src/openvpn/crypto.c b/main/openvpn/src/openvpn/crypto.c
index 69df29de..ef2bde1d 100644
--- a/main/openvpn/src/openvpn/crypto.c
+++ b/main/openvpn/src/openvpn/crypto.c
@@ -223,30 +223,6 @@ err:
return;
}
-int verify_hmac(struct buffer *buf, struct key_ctx *ctx, int offset)
-{
- uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */
- int hmac_len = 0;
-
- hmac_ctx_reset(ctx->hmac);
- /* Assume the length of the input HMAC */
- hmac_len = hmac_ctx_size (ctx->hmac);
-
- /* Authentication fails if insufficient data in packet for HMAC */
- if (buf->len - offset < hmac_len)
- return 0;
-
- hmac_ctx_update (ctx->hmac, BPTR (buf) + hmac_len + offset,
- BLEN (buf) - hmac_len - offset);
- hmac_ctx_final (ctx->hmac, local_hmac);
-
- /* Compare locally computed HMAC with packet HMAC */
- if (memcmp_constant_time (local_hmac, BPTR (buf) + offset, hmac_len) == 0)
- return hmac_len;
-
- return 0;
-}
-
/*
* If (opt->flags & CO_USE_IV) is not NULL, we will read an IV from the packet.
*
@@ -273,9 +249,25 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
/* Verify the HMAC */
if (ctx->hmac)
{
- int hmac_len = verify_hmac(buf, ctx, 0);
- if (hmac_len == 0)
+ int hmac_len;
+ uint8_t local_hmac[MAX_HMAC_KEY_LENGTH]; /* HMAC of ciphertext computed locally */
+
+ hmac_ctx_reset(ctx->hmac);
+
+ /* Assume the length of the input HMAC */
+ hmac_len = hmac_ctx_size (ctx->hmac);
+
+ /* Authentication fails if insufficient data in packet for HMAC */
+ if (buf->len < hmac_len)
+ CRYPT_ERROR ("missing authentication info");
+
+ hmac_ctx_update (ctx->hmac, BPTR (buf) + hmac_len, BLEN (buf) - hmac_len);
+ hmac_ctx_final (ctx->hmac, local_hmac);
+
+ /* Compare locally computed HMAC with packet HMAC */
+ if (memcmp_constant_time (local_hmac, BPTR (buf), hmac_len))
CRYPT_ERROR ("packet HMAC authentication failed");
+
ASSERT (buf_advance (buf, hmac_len));
}
@@ -400,28 +392,6 @@ openvpn_decrypt (struct buffer *buf, struct buffer work,
}
/*
- * This verifies if a packet and its HMAC fit to a crypto context.
- *
- * On success true is returned.
- */
-bool
-crypto_test_hmac (struct buffer *buf, const struct crypto_options *opt)
-{
- if (buf->len > 0 && opt->key_ctx_bi)
- {
- struct key_ctx *ctx = &opt->key_ctx_bi->decrypt;
-
- /* Verify the HMAC */
- if (ctx->hmac)
- {
- /* sizeof(uint32_t) comes from peer_id (3 bytes) and opcode (1 byte) */
- return verify_hmac(buf, ctx, sizeof(uint32_t)) != 0;
- }
- }
- return false;
-}
-
-/*
* How many bytes will we add to frame buffer for a given
* set of crypto options?
*/
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-02 06:40:31 +0000