| Message ID | 20220425122709.4148015-1-arne@rfc2549.org |
|---|---|
| State | Accepted |
| Series | [Openvpn-devel,v2] Move pre decrypt lite check to its own function |
Commit Message
Arne Schwabe
April 25, 2022, 2:27 a.m. UTC
This prepares for extending this function with the HMAC based session ID
check.
Replace the check for m->top.c2.tls_auth_standalone with an ASSERT as this
code path is only used in multi udp server and OpenVPN initialises the
tls_auth_standalone always for the TOP context (CF_INIT_TLS_AUTH_STANDALONE),
even for the tcp m2mp server that does not use it.
Patch v2: replace if with ASSERT
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
src/openvpn/mudp.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
Comments
> Arne Schwabe <arne@rfc2549.org> wrote on 25.04.2022 14:27:
[...]
> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c > index 4fbe3c1a3..780ca171d 100644 > --- a/src/openvpn/mudp.c > +++ b/src/openvpn/mudp.c > @@ -39,6 +39,17 @@ > #include <sys/inotify.h> > #endif > > +static bool > +do_pre_decrypt_check(struct multi_context *m) > +{ > + ASSERT(m->top.c2.tls_auth_standalone); > + if (!tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) > + { > + return false; > + } > + return true;

You could replace four lines with one:

return tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf));

But that might not make sense due to changes in later patches? Haven't checked.

Regards,
--
Frank Lichtenheld
On 25.04.22 at 15:08, Frank Lichtenheld wrote:
>> Arne Schwabe <arne@rfc2549.org> wrote on 25.04.2022 14:27:
> [...]
>> diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c >> index 4fbe3c1a3..780ca171d 100644 >> --- a/src/openvpn/mudp.c >> +++ b/src/openvpn/mudp.c >> @@ -39,6 +39,17 @@ >> #include <sys/inotify.h> >> #endif >> >> +static bool >> +do_pre_decrypt_check(struct multi_context *m) >> +{ >> + ASSERT(m->top.c2.tls_auth_standalone); >> + if (!tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) >> + { >> + return false; >> + } >> + return true;
>
> You could replace four lines with one:
>
> return tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf));
>
> But that might not make sense due to changes in later patches? Haven't checked.
>

The function grows to a 70 line function over the course of the patches. :)

Arne
Acked-By: Frank Lichtenheld <frank@lichtenheld.com>

> Arne Schwabe <arne@rfc2549.org> wrote on 25.04.2022 15:12:
> On 25.04.22 at 15:08, Frank Lichtenheld wrote:
[...]
> > You could replace four lines with one:
> >
> > return tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf));
> >
> > But that might not make sense due to changes in later patches? Haven't checked.
> >
>
> The function grows to a 70 line function over the course of the patches. :)

Fair enough. Acked.

Regards,
--
Frank Lichtenheld
Your patch has been applied to the master branch.
commit 73713debf56c06ed54a378f9b3d1d742c5f1ed45
Author: Arne Schwabe
Date: Mon Apr 25 14:27:09 2022 +0200
Move pre decrypt lite check to its own function
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20220425122709.4148015-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24193.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/mudp.c b/src/openvpn/mudp.c index 4fbe3c1a3..780ca171d 100644 --- a/src/openvpn/mudp.c +++ b/src/openvpn/mudp.c @@ -39,6 +39,17 @@ #include <sys/inotify.h> #endif +static bool +do_pre_decrypt_check(struct multi_context *m) +{ + ASSERT(m->top.c2.tls_auth_standalone); + if (!tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + { + return false; + } + return true; +} + /* * Get a client instance based on real address. If * the instance doesn't exist, create it while @@ -95,8 +106,7 @@ multi_get_create_instance_udp(struct multi_context *m, bool *floated) } if (!mi) { - if (!m->top.c2.tls_auth_standalone - || tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf)) + if (do_pre_decrypt_check(m)) { if (frequency_limit_event_allowed(m->new_connection_limiter)) {
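Review bot: the new do_pre_decrypt_check() in the first hunk carries no comment, and the ASSERT on m->top.c2.tls_auth_standalone changes what happens when that pointer is NULL: the old condition `!m->top.c2.tls_auth_standalone || tls_pre_decrypt_lite(...)` let such a packet through, the new code aborts the process from the packet-receive path. The commit message justifies this (CF_INIT_TLS_AUTH_STANDALONE always sets it up for the top context), but that reasoning lives only in the commit message; suggest a one-line comment above the ASSERT naming CF_INIT_TLS_AUTH_STANDALONE, plus a short doc comment stating that a false return means the caller skips instance creation for this packet. The if / return false / return true could collapse to `return tls_pre_decrypt_lite(m->top.c2.tls_auth_standalone, &m->top.c2.from, &m->top.c2.buf);`, though the thread already notes the body grows in later patches.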
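Review bot: in the second hunk the ordering inside multi_get_create_instance_udp() is worth stating explicitly: do_pre_decrypt_check(m) runs before frequency_limit_event_allowed(m->new_connection_limiter), so a packet that fails tls_pre_decrypt_lite() never consumes new-connection budget and the limiter only counts packets that passed the check. Since this function is about to gain the HMAC based session ID check, a comment at the call site saying the check is intentionally ahead of the rate limiter would stop a later reorder from letting unauthenticated packets exhaust the limiter. The dropped `!m->top.c2.tls_auth_standalone ||` short-circuit is the behaviour change described in the commit message; a reader of this hunk alone will not see why it was safe to remove, so point at the ASSERT in do_pre_decrypt_check() there as well.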