X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fopenssl%2Fcipher.c;h=e362325a36c6988efffcf6d60852900978884268;hb=979acc48aded5bb04f1574128d174d56550be302;hp=ae9640f0d6b5ed6f59ebcac50aa6f7412bab8bd5;hpb=323c17e232539f3f06e7cebc664ab48f60127e0e;p=tinc

diff --git a/src/openssl/cipher.c b/src/openssl/cipher.c
index ae9640f0..e362325a 100644
--- a/src/openssl/cipher.c
+++ b/src/openssl/cipher.c
@@ -1,6 +1,6 @@
 /*
     cipher.c -- Symmetric block cipher handling
-    Copyright (C) 2007-2013 Guus Sliepen <guus@tinc-vpn.org>
+    Copyright (C) 2007-2016 Guus Sliepen <guus@tinc-vpn.org>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -62,10 +62,6 @@ cipher_t *cipher_open_by_nid(int nid) {
 	return cipher_open(evp_cipher);
 }
 
-cipher_t *cipher_open_blowfish_ofb(void) {
-	return cipher_open(EVP_bf_ofb());
-}
-
 void cipher_close(cipher_t *cipher) {
 	if(!cipher)
 		return;
@@ -81,6 +77,24 @@ size_t cipher_keylength(const cipher_t *cipher) {
 	return EVP_CIPHER_key_length(cipher->cipher) + EVP_CIPHER_iv_length(cipher->cipher);
 }
 
+uint64_t cipher_budget(const cipher_t *cipher) {
+	/* Hopefully some failsafe way to calculate the maximum amount of bytes to
+	   send/receive with a given cipher before we might run into birthday paradox
+	   attacks. Because we might use different modes, the block size of the mode
+	   might be 1 byte. In that case, use the IV length. Ensure the whole thing
+	   is limited to what can be represented with a 64 bits integer.
+	 */
+
+	if(!cipher || !cipher->cipher)
+		return UINT64_MAX; // NULL cipher
+
+	int ivlen = EVP_CIPHER_iv_length(cipher->cipher);
+	int blklen = EVP_CIPHER_block_size(cipher->cipher);
+	int len = blklen > 1 ? blklen : ivlen > 1 ? ivlen : 8;
+	int bits = len * 4 - 1;
+	return bits < 64 ? UINT64_C(1) << bits : UINT64_MAX;
+}
+
 size_t cipher_blocksize(const cipher_t *cipher) {
 	if(!cipher || !cipher->cipher)
 		return 1;