[PATCH 18/41] transform: Pass a direction flag to the transform

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Jul 25 18:40:44 BST 2013


The same transform is used for inbound and outbound packets.

The transform should know which direction these packets are flowing
in; that (a) allows a transform to reject packets which are "looping
back" so to speak, and (b) makes it easier for a transform to generate
unique nonces.

This will be used by the forthcoming EAX transform.  There the
direction flag is combined with the sequence number (the same
sequence values are used by both ends) to form the nonce, which must
be unique across everything encrypted under the single shared key,
i.e. unique across both flows.

Signed-off-by: Ian Jackson <ijackson at chiark.greenend.org.uk>
---
 secnet.h           |    7 +++++--
 site.c             |    4 ++--
 transform-cbcmac.c |    3 ++-
 3 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/secnet.h b/secnet.h
index 7d7eb4f..5e66a17 100644
--- a/secnet.h
+++ b/secnet.h
@@ -368,10 +368,13 @@ struct site_if {
    also depend on internal factors (eg. time) and keep internal
    state. A struct transform_if only represents a particular type of
    transformation; instances of the transformation (eg. with
-   particular key material) have a different C type. */
+   particular key material) have a different C type. The same
+   secret key will be used in opposite directions between a pair of
+   secnets; one of these pairs will get direction==False, the other True. */
 
 typedef struct transform_inst_if *transform_createinstance_fn(void *st);
-typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen);
+typedef bool_t transform_setkey_fn(void *st, uint8_t *key, int32_t keylen,
+				   bool_t direction);
 typedef bool_t transform_valid_fn(void *st); /* 0: no key; 1: ok */
 typedef void transform_delkey_fn(void *st);
 typedef void transform_destroyinstance_fn(void *st);
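Review bot: The new comment in secnet.h states that the two ends get opposite values of `direction` but not what guarantees it or what breaks if it is violated, and "one of these pairs" reads as ambiguous (it appears to mean one of the two instances sharing the key). Since the stated purpose is nonce construction, the invariant is security-critical: two instances that derive nonces from the same key, the same sequence numbers and the same direction value would reuse nonces. I would extend the comment to read `/* The two instances must be given opposite values of direction; a transform may use it to derive nonces, so equal values at both ends of a key exchange would make nonces collide. It must therefore be derived from something both peers agree on, never chosen locally. */`. Which end gets True is a property of site.c and is not visible in this hunk, so the comment should name the source of the value once that is settled.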
diff --git a/site.c b/site.c
index 566b215..f1a0317 100644
--- a/site.c
+++ b/site.c
@@ -566,7 +566,7 @@ static bool_t process_msg3(struct site *st, struct buffer_if *msg3,
 
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
-			      st->sharedsecretlen);
+			      st->sharedsecretlen,st->setup_priority);
 
     return True;
 }
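Review bot: The setkey call whose argument list is changed here still discards the `bool_t` result, so a failed setkey leaves process_msg3 returning True with a transform that may have no usable key (the header's `transform_valid_fn` comment, "0: no key", shows that state exists). Whether setkey can actually fail for these inputs is not visible here, but checking it costs one line: `if (!st->new_transform->setkey(st->new_transform->st,st->sharedsecret, st->sharedsecretlen,st->setup_priority)) return False;`. If the caller already relies on a later `valid` check instead, a comment saying so at the call site would make that explicit. process_msg3 begins before this hunk.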
@@ -613,7 +613,7 @@ static bool_t process_msg4(struct site *st, struct buffer_if *msg4,
 		       st->sharedsecret,st->sharedsecretlen);
     /* Set up the transform */
     st->new_transform->setkey(st->new_transform->st,st->sharedsecret,
-			      st->sharedsecretlen);
+			      st->sharedsecretlen,st->setup_priority);
 
     return True;
 }
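Review bot: Both the message-3 and message-4 paths pass the site's own `st->setup_priority` as the direction flag, so the nonce-uniqueness property the commit message describes rests entirely on the two peers computing opposite `setup_priority` values for one key exchange; neither the field's type nor how it is derived is visible in this hunk, and if it is not a `bool_t` the implicit conversion of a non-zero/zero value is silent. I would document the dependency at the call site, `/* direction: the peer passes the opposite value, see transform_setkey_fn; nonces derived from it rely on this. */`, and, if setup_priority is an int, pass `!!st->setup_priority` or an explicit comparison so the bool_t argument is unambiguous. A debug assertion that the two sides' values differ is not possible locally, so the invariant should at least be stated where `setup_priority` is assigned. process_msg4 begins before this hunk.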
diff --git a/transform-cbcmac.c b/transform-cbcmac.c
index 1e8a5e9..5fb66ba 100644
--- a/transform-cbcmac.c
+++ b/transform-cbcmac.c
@@ -40,7 +40,8 @@ struct transform_inst {
 
 #define PKCS5_MASK 15
 
-static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen)
+static bool_t transform_setkey(void *sst, uint8_t *key, int32_t keylen,
+			       bool_t direction)
 {
     struct transform_inst *ti=sst;
 
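Review bot: The new `direction` parameter is accepted by the CBC-MAC transform_setkey but, going by the diffstat (one changed line in this file), is never used, so this transform cannot reject "looping back" packets as the commit message says a transform now may; that is presumably intentional for an IV-based scheme but it should be stated rather than left as a silently ignored argument. I would add `(void)direction; /* this transform derives no per-direction state; reflected packets are not rejected here */` at the top of the body, with the security consequence hedged until the rest of the function has been checked. The body of transform_setkey continues past the end of this hunk.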
-- 
1.7.2.5



