From patchwork Tue Jul 7 02:16:14 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1213
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 7 Jul 2020 14:16:14 +0200
Message-Id: <20200707121615.15736-4-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200707121615.15736-1-arne@rfc2549.org>
References: <20200707121615.15736-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/3] Cleanup: Remove unused code of old poor man's NCP.

Ever since NCPv2, ncp_get_best_cipher uses the global options->ncp_enabled option and ignores the tls_session->ncp_enabled option. The server side's poor man's NCP is implemented as seeing the list of supported ciphers from the peer as just one cipher, so this special handling for poor man's NCP of the older NCP here is not needed anymore.

Theoretically we can now get rid of tls_session->ncp_enabled, but doing so requires more refactoring since options is not available in the methods that still use it. And when we remove ncp-disable the variable will be removed anyway.

Also document the remaining usage of tls_poor_mans_ncp better.
Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 2 ++ src/openvpn/ssl.c | 15 +-------------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 91b919d5..e9c01629 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2376,6 +2376,8 @@ do_deferred_options(struct context *c, const unsigned int found) } else if (c->options.ncp_enabled) { + /* If the server did not push a --cipher, we will switch to the + * remote cipher if it is in our ncp-ciphers list */ tls_poor_mans_ncp(&c->options, c->c2.tls_multi->remote_ciphername); } struct frame *frame_fragment = NULL; diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 9df7552d..71565dd3 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2463,8 +2463,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) * generation is postponed until after the pull/push, so we can process pushed * cipher directives. */ - if (session->opt->server && !(session->opt->ncp_enabled - && session->opt->mode == MODE_SERVER && ks->key_id <= 0)) + if (session->opt->server && !(session->opt->mode == MODE_SERVER && ks->key_id <= 0)) { if (ks->authenticated != KS_AUTH_FALSE) { @@ -2616,18 +2615,6 @@ key_method_2_read(struct buffer *buf, struct tls_multi *multi, struct tls_sessio multi->remote_ciphername = options_string_extract_option(options, "cipher", NULL); - if (!tls_peer_supports_ncp(multi->peer_info)) - { - /* Peer does not support NCP, but leave NCP enabled if the local and - * remote cipher do not match to attempt 'poor-man's NCP'. - */ - if (multi->remote_ciphername == NULL - || 0 == strcmp(multi->remote_ciphername, multi->opt.config_ciphername)) - { - session->opt->ncp_enabled = false; - } - } - if (tls_session_user_pass_enabled(session)) { /* Perform username/password authentication */
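Review bot: in the init.c hunk, the new comment should say what "remote cipher" refers to. The ssl.c hunk shows it is `multi->remote_ciphername`, extracted from the peer's `cipher` entry in its options string during key_method_2_read, not a pushed value, so a reader can otherwise confuse it with the pushed `--cipher` mentioned in the same sentence. Suggest: `/* If the server did not push a --cipher, switch to the cipher the peer announced in its options string (remote_ciphername) if it is in our ncp-ciphers list */`.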
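Review bot: the key_method_2_write hunk changes behaviour for a server running with NCP disabled, not only for the old poor man's NCP path. Dropping `session->opt->ncp_enabled` from the condition means key generation for `ks->key_id <= 0` is now deferred on every server regardless of --ncp-disable, while the comment directly above still justifies the deferral with processing pushed cipher directives. Either state in the commit message that the deferral now applies unconditionally on the server (and why that is safe with --ncp-disable), or keep the ncp_enabled check until --ncp-disable is removed as the message anticipates.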
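Review bot: the key_method_2_read hunk removes the code that cleared `session->opt->ncp_enabled` for a peer without NCP support, while the commit message says the variable is still read in methods this patch does not touch. Please list those remaining readers in the commit message and confirm none of them relies on the flag being false when `multi->remote_ciphername` is NULL or equals `multi->opt.config_ciphername`; otherwise this is a behaviour change rather than a cleanup. Also check whether `tls_peer_supports_ncp()` still has a caller after this removal, since only init.c and ssl.c are touched.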