transform: Pass a direction flag to the transform

The same transform is used for inbound and outbound packets.

The transform should know which direction these packets are flowing
in; that (a) allows a transform to reject packets which are "looping
back" so to speak, and (b) makes it easier for a transform to generate
unique nonces.

This will be used by the forthcoming EAX transform.  It is combined
with the sequence number (the same values of which are used by both
ends) to make the nonce, which must be unique across the single shared
key, ie unique across both flows.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

diff --git a/secnet.h b/secnet.h
index 7d7eb4ff4b97c9b3f2334a6bf02626d9d2a49995..5e66a175348c9bf6ccc84969a4e1a1632bd1d0ec 100644 (file)
--- a/secnet.h
+++ b/secnet.h
@@ -368,10 +368,13 @@ struct site_if {
    also depend on internal factors (eg. time) and keep internal
    state. A struct transform_if only represents a particular type of
    transformation; instances of the transformation (eg. with
    also depend on internal factors (eg. time) and keep internal
    state. A struct transform_if only represents a particular type of
    transformation; instances of the transformation (eg. with

-   particular key material) have a different C type. */
+   particular key material) have a different C type. The same
+   secret key will be used in opposite directions between a pair of
+   secnets; one of these pairs will get direction==False, the other True. */

 
 typedef struct transform_inst_if *transform_createinstance_fn(void *st);
 
 typedef struct transform_inst_if *transform_createinstance_fn(void *st);

-typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen);
+typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen,
+                                  bool_t direction);

 typedef bool_t transform_valid_fn(void *st); /* 0: no key; 1: ok */
 typedef void transform_delkey_fn(void *st);
 typedef void transform_destroyinstance_fn(void *st);
 typedef bool_t transform_valid_fn(void *st); /* 0: no key; 1: ok */
 typedef void transform_delkey_fn(void *st);
 typedef void transform_destroyinstance_fn(void *st);

diff --git a/site.c b/site.c
index 566b215d3bcc416fd4ff80d5b70213cf5b557cc8..f1a03179603f4f9b402b5d10b0986b7c6af98722 100644 (file)
--- a/site.c
+++ b/site.c
@@ -566,7 +566,7 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
 
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
 
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,

-                             st->sharedsecretlen);
+                             st->sharedsecretlen,st->setup_priority);

 
     return True;
 }
 
     return True;
 }


@@ -613,7 +613,7 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
                       st->sharedsecret,st->sharedsecretlen);
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
                       st->sharedsecret,st->sharedsecretlen);
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,

-                             st->sharedsecretlen);
+                             st->sharedsecretlen,st->setup_priority);

 
     return True;
 }
 
     return True;
 }

diff --git a/transform-cbcmac.c b/transform-cbcmac.c
index 1e8a5e9b8acc4bc181f3b9cdbff5b32a2142abb9..5fb66ba4728bee7b0502202450de42ac4d42309f 100644 (file)
--- a/transform-cbcmac.c
+++ b/transform-cbcmac.c
@@ -40,7 +40,8 @@ struct transform_inst {
 
 #define PKCS5_MASK 15
 
 
 #define PKCS5_MASK 15
 

-static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen)
+static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
+                              bool_t direction)

 {
     struct transform_inst *ti=sst;
 
 {
     struct transform_inst *ti=sst;