diff options
Diffstat (limited to 'packet.c')
-rw-r--r-- | packet.c | 106 |
1 files changed, 12 insertions, 94 deletions
@@ -115,8 +115,6 @@ static int interactive_mode = 0; /* Session key information for Encryption and MAC */ Newkeys *newkeys[MODE_MAX]; -static u_int32_t read_seqnr = 0; -static u_int32_t send_seqnr = 0; /* roundup current message to extra_pad bytes */ static u_char extra_pad = 0; @@ -173,87 +171,6 @@ packet_connection_is_on_socket(void) return 1; } -/* - * Exports an IV from the CipherContext required to export the key - * state back from the unprivileged child to the privileged parent - * process. - */ - -void -packet_get_keyiv(int mode, u_char *iv, u_int len) -{ - CipherContext *cc; - - if (mode == MODE_OUT) - cc = &send_context; - else - cc = &receive_context; - - cipher_get_keyiv(cc, iv, len); -} - -int -packet_get_keycontext(int mode, u_char *dat) -{ - int plen; - CipherContext *cc; - - if (mode == MODE_OUT) - cc = &send_context; - else - cc = &receive_context; - -#if OPENSSL_VERSION_NUMBER < 0x00907000L - plen = sizeof(cc->evp.c); -#else - plen = cc->evp.cipher->ctx_size; -#endif - - if (dat == NULL) - return (plen); - -#if OPENSSL_VERSION_NUMBER < 0x00907000L - memcpy(dat, &cc->evp.c, sizeof(cc->evp.c)); -#else - memcpy(dat, &cc->evp.cipher_data, plen); -#endif - return (plen); -} - -void -packet_set_keycontext(int mode, u_char *dat) -{ - CipherContext *cc; - - if (mode == MODE_OUT) - cc = &send_context; - else - cc = &receive_context; - -#if OPENSSL_VERSION_NUMBER < 0x00907000L - memcpy(&cc->evp.c, dat, sizeof(cc->evp.c)); -#else - memcpy(&cc->evp.cipher_data, dat, cc->evp.cipher->ctx_size); -#endif -} - -u_int32_t -packet_get_seqnr(int mode) -{ - return (mode == MODE_IN ? read_seqnr : send_seqnr); -} - -void -packet_set_seqnr(int mode, u_int32_t seqnr) -{ - if (mode == MODE_IN) - read_seqnr = seqnr; - else if (mode == MODE_OUT) - send_seqnr = seqnr; - else - fatal("%s: bad mode %d", __FUNCTION__, mode); -} - /* returns 1 if connection is via ipv4 */ int @@ -516,7 +433,7 @@ packet_send1(void) */ } -void +static void set_newkeys(int mode) { Enc *enc; @@ -560,9 +477,8 @@ set_newkeys(int mode) DBG(debug("cipher_init_context: %d", mode)); cipher_init(cc, enc->cipher, enc->key, enc->key_len, enc->iv, enc->block_size, encrypt); - /* Deleting the keys does not gain extra security */ - /* memset(enc->iv, 0, enc->block_size); - memset(enc->key, 0, enc->key_len); */ + memset(enc->iv, 0, enc->block_size); + memset(enc->key, 0, enc->key_len); if (comp->type != 0 && comp->enabled == 0) { packet_init_compression(); if (mode == MODE_OUT) @@ -579,6 +495,7 @@ set_newkeys(int mode) static void packet_send2(void) { + static u_int32_t seqnr = 0; u_char type, *cp, *macbuf = NULL; u_char padlen, pad; u_int packet_length = 0; @@ -659,10 +576,10 @@ packet_send2(void) /* compute MAC over seqnr and packet(length fields, payload, padding) */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, send_seqnr, + macbuf = mac_compute(mac, seqnr, buffer_ptr(&outgoing_packet), buffer_len(&outgoing_packet)); - DBG(debug("done calc MAC out #%d", send_seqnr)); + DBG(debug("done calc MAC out #%d", seqnr)); } /* encrypt packet and append to output buffer. */ cp = buffer_append_space(&output, buffer_len(&outgoing_packet)); @@ -676,7 +593,7 @@ packet_send2(void) buffer_dump(&output); #endif /* increment sequence number for outgoing packets */ - if (++send_seqnr == 0) + if (++seqnr == 0) log("outgoing seqnr wraps around"); buffer_clear(&outgoing_packet); @@ -866,6 +783,7 @@ packet_read_poll1(void) static int packet_read_poll2(u_int32_t *seqnr_p) { + static u_int32_t seqnr = 0; static u_int packet_length = 0; u_int padlen, need; u_char *macbuf, *cp, type; @@ -927,17 +845,17 @@ packet_read_poll2(u_int32_t *seqnr_p) * increment sequence number for incoming packet */ if (mac && mac->enabled) { - macbuf = mac_compute(mac, read_seqnr, + macbuf = mac_compute(mac, seqnr, buffer_ptr(&incoming_packet), buffer_len(&incoming_packet)); if (memcmp(macbuf, buffer_ptr(&input), mac->mac_len) != 0) packet_disconnect("Corrupted MAC on input."); - DBG(debug("MAC #%d ok", read_seqnr)); + DBG(debug("MAC #%d ok", seqnr)); buffer_consume(&input, mac->mac_len); } if (seqnr_p != NULL) - *seqnr_p = read_seqnr; - if (++read_seqnr == 0) + *seqnr_p = seqnr; + if (++seqnr == 0) log("incoming seqnr wraps around"); /* get padlen */ |