[Openvpn-devel] Simplify key material exporter backend API

Message ID	20201009144755.39719-1-steffan@karger.me
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> From: Steffan Karger <steffan@karger.me> To: openvpn-devel@lists.sourceforge.net Date: Fri, 9 Oct 2020 16:47:55 +0200 Message-Id: <20201009144755.39719-1-steffan@karger.me> MIME-Version: 1.0 NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: karger.me] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.218.66 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [209.85.218.66 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders Subject: [Openvpn-devel] [PATCH] Simplify key material exporter backend API Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel] Simplify key material exporter backend API \| expand [Openvpn-devel] Simplify key material exporter backend API

Message ID

20201009144755.39719-1-steffan@karger.me

State

Accepted

Headers

From: Steffan Karger <steffan@karger.me>
To: openvpn-devel@lists.sourceforge.net
Date: Fri,  9 Oct 2020 16:47:55 +0200
Message-Id: <20201009144755.39719-1-steffan@karger.me>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH] Simplify key material exporter backend API
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel] Simplify key material exporter backend API | expand

Commit Message

Steffan Karger Oct. 9, 2020, 3:47 a.m. UTC

Just pass pointer and length, instead of a gc and return (possibly)
allocated memory. Saves us some gc instantiations and memcpy()s. Exact
same functionality, 19 lines less code.

(Didn't want to delay the TLS EKM reviews for this, so submitted as a
patch afterwards.)

Signed-off-by: Steffan Karger <steffan@karger.me>
---
 src/openvpn/ssl.c         | 26 ++++++++------------------
 src/openvpn/ssl_backend.h | 14 +++++---------
 src/openvpn/ssl_mbedtls.c | 12 +++++-------
 src/openvpn/ssl_openssl.c | 11 ++++-------
 4 files changed, 22 insertions(+), 41 deletions(-)

Comments

Arne Schwabe Oct. 9, 2020, 4:38 a.m. UTC | #1

Am 09.10.20 um 16:47 schrieb Steffan Karger:
> Just pass pointer and length, instead of a gc and return (possibly)
> allocated memory. Saves us some gc instantiations and memcpy()s. Exact
> same functionality, 19 lines less code.
> 
> (Didn't want to delay the TLS EKM reviews for this, so submitted as a
> patch afterwards.)
> 
Acked-By: Arne Schwabe <arne@rfc2549.org>

Gert Doering Oct. 9, 2020, 7:55 a.m. UTC | #2

I have stared at the code a bit ("amazingly straightforward, no crypto
convolutions at all :-)") and tortured the result a bit on the server 
and client test bed.  No complaints.

(I have excercised the "key-derivation tls-ekm" path, but not the 
generic EKM path - no test case for that one yet... need to add one,
it seems)

Your patch has been applied to the master branch.

commit f0734e499562175a6ebbefbfa12b730c976e2507
Author: Steffan Karger
Date:   Fri Oct 9 16:47:55 2020 +0200

     Simplify key material exporter backend API

     Signed-off-by: Steffan Karger <steffan@karger.me>
     Acked-by: Arne Schwabe <arne@rfc2549.org>
     Message-Id: <20201009144755.39719-1-steffan@karger.me>
     URL: https://www.mail-archive.com/search?l=mid&q=20201009144755.39719-1-steffan@karger.me
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index b572b7b8..87b51d96 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -1786,23 +1786,14 @@  init_key_contexts(struct key_ctx_bi *key,
 static bool
 generate_key_expansion_tls_export(struct tls_session *session, struct key2 *key2)
 {
-    struct gc_arena gc = gc_new();
-    unsigned char *key2data;
-
-    key2data = key_state_export_keying_material(session,
-                                                EXPORT_KEY_DATA_LABEL,
-                                                strlen(EXPORT_KEY_DATA_LABEL),
-                                                sizeof(key2->keys),
-                                                &gc);
-    if (!key2data)
+    if (!key_state_export_keying_material(session, EXPORT_KEY_DATA_LABEL,
+                                          strlen(EXPORT_KEY_DATA_LABEL),
+                                          key2->keys, sizeof(key2->keys)))
     {
         return false;
     }
-    memcpy(key2->keys, key2data, sizeof(key2->keys));
-    secure_memzero(key2data, sizeof(key2->keys));
     key2->n = 2;
 
-    gc_free(&gc);
     return true;
 }
 
@@ -2499,12 +2490,11 @@  export_user_keying_material(struct key_state_ssl *ssl,
         unsigned int size = session->opt->ekm_size;
         struct gc_arena gc = gc_new();
 
-        unsigned char *ekm;
-        if ((ekm = key_state_export_keying_material(session,
-                                                    session->opt->ekm_label,
-                                                    session->opt->ekm_label_size,
-                                                    session->opt->ekm_size,
-                                                    &gc)))
+        unsigned char *ekm = gc_malloc(session->opt->ekm_size, true, &gc);
+        if (key_state_export_keying_material(session,
+                                             session->opt->ekm_label,
+                                             session->opt->ekm_label_size,
+                                             ekm, session->opt->ekm_size))
         {
             unsigned int len = (size * 2) + 2;
 
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 4bcb3181..c3d12e5b 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -398,18 +398,14 @@  void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx,
  * @param session      The session associated with the given key_state
  * @param label        The label to use when exporting the key
  * @param label_size   The size of the label to use when exporting the key
- * @param ekm_size     THe size of the exported/returned key material
- * @param gc           gc_arena that might be used to allocate the string
- *                     returned
- * @returns            The exported key material, the caller may zero the
- *                     string but should not free it
+ * @param ekm          Buffer to return the exported key material in
+ * @param ekm_size     The size of ekm, in bytes
+ * @returns            true if exporting succeeded, false otherwise
  */
-
-unsigned char*
+bool
 key_state_export_keying_material(struct tls_session *session,
                                  const char* label, size_t label_size,
-                                 size_t ekm_size,
-                                 struct gc_arena *gc) __attribute__((nonnull));
+                                 void *ekm, size_t ekm_size);
 
 /**************************************************************************/
 /** @addtogroup control_tls
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index f375e957..bb5633b7 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -219,11 +219,10 @@  mbedtls_ssl_export_keys_cb(void *p_expkey, const unsigned char *ms,
     return true;
 }
 
-unsigned char *
+bool
 key_state_export_keying_material(struct tls_session *session,
                                  const char* label, size_t label_size,
-                                 size_t ekm_size,
-                                 struct gc_arena *gc)
+                                 void *ekm, size_t ekm_size)
 {
     ASSERT(strlen(label) == label_size);
 
@@ -233,10 +232,9 @@  key_state_export_keying_material(struct tls_session *session,
      * there is no PRF, in both cases we cannot generate key material */
     if (cache->tls_prf_type == MBEDTLS_SSL_TLS_PRF_NONE)
     {
-        return NULL;
+        return false;
     }
 
-    unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
     int ret = mbedtls_ssl_tls_prf(cache->tls_prf_type, cache->master_secret,
                                   sizeof(cache->master_secret),
                                   label, cache->client_server_random,
@@ -245,12 +243,12 @@  key_state_export_keying_material(struct tls_session *session,
 
     if (mbed_ok(ret))
     {
-        return ekm;
+        return true;
     }
     else
     {
         secure_memzero(ekm, session->opt->ekm_size);
-        return  NULL;
+        return  false;
     }
 }
 #else
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index f52c7c39..122083a8 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -158,26 +158,23 @@  tls_ctx_initialised(struct tls_root_ctx *ctx)
     return NULL != ctx->ctx;
 }
 
-unsigned char*
+bool
 key_state_export_keying_material(struct tls_session *session,
                                  const char* label, size_t label_size,
-                                 size_t ekm_size,
-                                 struct gc_arena *gc)
+                                 void *ekm, size_t ekm_size)
 
 {
-    unsigned char *ekm = (unsigned char *) gc_malloc(ekm_size, true, gc);
-
     SSL* ssl = session->key[KS_PRIMARY].ks_ssl.ssl;
 
     if (SSL_export_keying_material(ssl, ekm, ekm_size, label,
                                    label_size, NULL, 0, 0) == 1)
     {
-        return ekm;
+        return true;
     }
     else
     {
         secure_memzero(ekm, ekm_size);
-        return NULL;
+        return false;
     }
 }

[Openvpn-devel] Simplify key material exporter backend API

Commit Message

Comments

Patch