Temporarily revert to old crypto code

(The new code is still segfaulting for me, and I'd like to proceed with other
work.)

This largely rolls back to the revision 1545 state of the existing code
(new crypto layer is still there with no callers), though I reintroduced
the segfault fix of revision 1562.

src/net_packet.c

@@ -22,15 +22,18 @@
 
 #include "system.h"
 
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/pem.h>
+#include <openssl/hmac.h>
+
 #include <zlib.h>
 #include LZO1X_H
 
 #include "splay_tree.h"
-#include "cipher.h"
 #include "conf.h"
 #include "connection.h"
-#include "crypto.h"
-#include "digest.h"
 #include "device.h"
 #include "ethernet.h"
 #include "graph.h"
@@ -49,6 +52,7 @@
 #endif
 
 int keylifetime = 0;
+EVP_CIPHER_CTX packet_ctx;
 static char lzo_wrkmem[LZO1X_999_MEM_COMPRESS > LZO1X_1_MEM_COMPRESS ? LZO1X_999_MEM_COMPRESS : LZO1X_1_MEM_COMPRESS];
 
 static void send_udppacket(node_t *, vpn_packet_t *);
@@ -81,7 +85,7 @@ static void send_mtu_probe_handler(int fd, short events, void *data) {
 			len = 64;
 		
 		memset(packet.data, 0, 14);
-		randomize(packet.data + 14, len - 14);
+		RAND_pseudo_bytes(packet.data + 14, len - 14);
 		packet.len = len;
 
 		ifdebug(TRAFFIC) logger(LOG_INFO, _("Sending MTU probe length %d to %s (%s)"), len, n->name, n->hostname);
@@ -164,14 +168,15 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 	vpn_packet_t *pkt[] = { &pkt1, &pkt2, &pkt1, &pkt2 };
 	int nextpkt = 0;
 	vpn_packet_t *outpkt = pkt[0];
-	size_t outlen;
+	int outlen, outpad;
+	unsigned char hmac[EVP_MAX_MD_SIZE];
 	int i;
 
 	cp();
 
 	/* Check packet length */
 
-	if(inpkt->len < sizeof(inpkt->seqno) + digest_length(&myself->digest)) {
+	if(inpkt->len < sizeof(inpkt->seqno) + myself->maclength) {
 		ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got too short packet from %s (%s)"),
 					n->name, n->hostname);
 		return;
@@ -179,23 +184,33 @@ static void receive_udppacket(node_t *n, vpn_packet_t *inpkt) {
 
 	/* Check the message authentication code */
 
-	if(digest_active(&myself->digest) && !digest_verify(&myself->digest, &inpkt->seqno, inpkt->len, &inpkt->seqno + inpkt->len)) {
-		ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"), n->name, n->hostname);
-		return;
+	if(myself->digest && myself->maclength) {
+		inpkt->len -= myself->maclength;
+		HMAC(myself->digest, myself->key, myself->keylength,
+			 (unsigned char *) &inpkt->seqno, inpkt->len, (unsigned char *)hmac, NULL);
+
+		if(memcmp(hmac, (char *) &inpkt->seqno + inpkt->len, myself->maclength)) {
+			ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Got unauthenticated packet from %s (%s)"),
+					   n->name, n->hostname);
+			return;
+		}
 	}
 
 	/* Decrypt the packet */
 
-	if(cipher_active(&myself->cipher)) {
+	if(myself->cipher) {
 		outpkt = pkt[nextpkt++];
-		outlen = MAXSIZE;
 
-		if(!cipher_decrypt(&myself->cipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
-			ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s)"), n->name, n->hostname);
+		if(!EVP_DecryptInit_ex(&packet_ctx, NULL, NULL, NULL, NULL)
+				|| !EVP_DecryptUpdate(&packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+					(unsigned char *) &inpkt->seqno, inpkt->len)
+				|| !EVP_DecryptFinal_ex(&packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+			ifdebug(TRAFFIC) logger(LOG_DEBUG, _("Error decrypting packet from %s (%s): %s"),
+						n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
 			return;
 		}
 		
-		outpkt->len = outlen;
+		outpkt->len = outlen + outpad;
 		inpkt = outpkt;
 	}
 
@@ -268,7 +283,7 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 	int nextpkt = 0;
 	vpn_packet_t *outpkt;
 	int origlen;
-	size_t outlen;
+	int outlen, outpad;
 	vpn_packet_t *copy;
 	static int priority = 0;
 	int origpriority;
@@ -324,24 +339,28 @@ static void send_udppacket(node_t *n, vpn_packet_t *origpkt) {
 
 	/* Encrypt the packet */
 
-	if(cipher_active(&n->cipher)) {
+	if(n->cipher) {
 		outpkt = pkt[nextpkt++];
-		outlen = MAXSIZE;
 
-		if(!cipher_encrypt(&n->cipher, &inpkt->seqno, inpkt->len, &outpkt->seqno, &outlen, true)) {
-			ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s)"), n->name, n->hostname);
+		if(!EVP_EncryptInit_ex(&n->packet_ctx, NULL, NULL, NULL, NULL)
+				|| !EVP_EncryptUpdate(&n->packet_ctx, (unsigned char *) &outpkt->seqno, &outlen,
+					(unsigned char *) &inpkt->seqno, inpkt->len)
+				|| !EVP_EncryptFinal_ex(&n->packet_ctx, (unsigned char *) &outpkt->seqno + outlen, &outpad)) {
+			ifdebug(TRAFFIC) logger(LOG_ERR, _("Error while encrypting packet to %s (%s): %s"),
+						n->name, n->hostname, ERR_error_string(ERR_get_error(), NULL));
 			goto end;
 		}
 
-		outpkt->len = outlen;
+		outpkt->len = outlen + outpad;
 		inpkt = outpkt;
 	}
 
 	/* Add the message authentication code */
 
-	if(digest_active(&n->digest)) {
-		digest_create(&n->digest, &inpkt->seqno, inpkt->len, &inpkt->seqno + inpkt->len);
-		inpkt->len += digest_length(&n->digest);
+	if(n->digest && n->maclength) {
+		HMAC(n->digest, n->key, n->keylength, (unsigned char *) &inpkt->seqno,
+			 inpkt->len, (unsigned char *) &inpkt->seqno + inpkt->len, NULL);
+		inpkt->len += n->maclength;
 	}
 
 	/* Determine which socket we have to use */