From 0118121ae6578c69527fb80a60294c48663033b7 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 25 Jul 2013 18:30:49 +0100
Subject: [PATCH] transform: Pass a direction flag to the transform

The same transform is used for inbound and outbound packets. The transform should know which direction these packets are flowing in; that (a) allows a transform to reject packets which are "looping back" so to speak, and (b) makes it easier for a transform to generate unique nonces. This will be used by the forthcoming EAX transform. It is combined with the sequence number (the same values of which are used by both ends) to make the nonce, which must be unique across the single shared key, ie unique across both flows.

Signed-off-by: Ian Jackson
---
 secnet.h | 7 +++++--
 site.c | 4 ++--
 transform-cbcmac.c | 3 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/secnet.h b/secnet.h
index 7d7eb4f..5e66a17 100644
--- a/secnet.h
+++ b/secnet.h
@@ -368,10 +368,13 @@ struct site_if {
 also depend on internal factors (eg. time) and keep internal state. A struct transform_if only represents a particular type of transformation; instances of the transformation (eg. with
- particular key material) have a different C type. */
+ particular key material) have a different C type. The same
+ secret key will be used in opposite directions between a pair of
+ secnets; one of these pairs will get direction==False, the other True. */
 typedef struct transform_inst_if *transform_createinstance_fn(void *st);
-typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen);
+typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen,
+ bool_t direction);
 typedef bool_t transform_valid_fn(void *st); /* 0: no key; 1: ok */
 typedef void transform_delkey_fn(void *st);
 typedef void transform_destroyinstance_fn(void *st);
diff --git a/site.c b/site.c
index 566b215..f1a0317 100644
--- a/site.c
+++ b/site.c
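Review bot: The new comment on the direction flag says `one of these pairs will get direction==False, the other True`, but the invariant is about the two ends sharing one key, not about pairs, and nothing in the transform_setkey_fn contract says what a transform may assume if both ends pass the same value. The commit message makes the nonce out of direction plus a sequence number that both ends use identically, so two ends agreeing on direction would reuse nonces under a single key, and the transform has no way to detect that locally; that belongs in the header contract. I would reword the added sentence to `secnets; exactly one of the two ends MUST call setkey with direction==True and the other with False (nonce uniqueness across both flows depends on it), and the value must not change for the lifetime of the key.` While the signature is being touched, `key` could also become `const uint8_t *key` unless some transform writes through it, which this hunk does not show.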
@@ -566,7 +566,7 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
 /* Set up the transform */
 st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
- st->sharedsecretlen);
+ st->sharedsecretlen,st->setup_priority);
 return True;
 }
@@ -613,7 +613,7 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
 st->sharedsecret,st->sharedsecretlen);
 /* Set up the transform */
 st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
- st->sharedsecretlen);
+ st->sharedsecretlen,st->setup_priority);
 return True;
 }
diff --git a/transform-cbcmac.c b/transform-cbcmac.c
index 1e8a5e9..5fb66ba 100644
--- a/transform-cbcmac.c
+++ b/transform-cbcmac.c
@@ -40,7 +40,8 @@ struct transform_inst {
 #define PKCS5_MASK 15
-static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen)
+static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
+ bool_t direction)
 {
 struct transform_inst *ti=sst;
-- 
2.30.2
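Review bot: The result of `setkey` is still discarded in process_msg3 although transform_setkey_fn returns bool_t, so a transform that rejects the key material (or, after this change, the direction) is immediately followed by `return True;` as if the new transform were usable. I would write the call as `if (!st->new_transform->setkey(st->new_transform->st,st->sharedsecret, st->sharedsecretlen,st->setup_priority)) return False;`, assuming process_msg3's caller treats False as a failed key setup, which this hunk does not show. process_msg3 begins before the hunk; the same discarded result appears in the process_msg4 hunk below.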
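Review bot: `st->setup_priority` is passed as the direction flag in process_msg4, and per the commit message nonce uniqueness across both flows then rests on the two sites computing opposite values of it; that only holds if setup_priority is guaranteed complementary on the two ends, for example derived from a strict ordering of the two sites with no possible tie. How it is computed is outside this hunk and cannot be checked here; if a tie is possible, both ends would drive the same key with the same direction and nonces would repeat. A comment at the call site such as `/* setup_priority is True on exactly one of the two sites; the transform uses it to separate the two nonce streams under this key */` would pin the assumption, and an assertion where setup_priority is computed would enforce it. process_msg4 starts before the hunk.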
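Review bot: `direction` is added to the CBC-MAC transform_setkey but is not read in the visible part of the body; the rest of the function lies outside the hunk, so if it stays unused this transform gets none of the loop-back rejection the commit message describes and the parameter will trigger -Wunused-parameter where that warning is enabled. If leaving it unused is the intent, make that explicit with `(void)direction; /* not used: this transform does not derive its nonces from the flow direction, so it does not reject reflected packets */` — hedged, since the IV/nonce handling of this transform is not shown here. transform_setkey's body continues past the hunk.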